image source:: http://www.chanakyadetective.com/software-investigation.html
Here’s a simple script we wrote to check real-time calls and historical data of n minutes in CDR for suspicious activities based on a number pattern and length. We find this utmost useful especially when your servers are exposed to public to check against hack attempts, abuses or checking matching numbers to “catch” and report. The current action sends email, of course, you can build more functions as you please and run them at each EXIT code in the script appropriately doing stuff like seen in the script for sending email. You need the local mailer program, called mail to be able to send emails from CLI already for the email function to work, otherwise, it may just output via CLI.
This script has been tested on Debian, FreePBX 2.11 and Asterisk 11. It should work on most regular platforms as well as distros. I’ve tested on Nagios Core, NagiosXI, Icinga, Icinga2.0.
This script basically does the following;
- Its all bash, so should be quite compatible with many systems
- It checks the CDR for n minutes of past records also set by flags
- It checks asterisk current channels for external numbers only
- It combines both results as a “total” value to evaluate with the given parameters
- Uses filters based on the dst column on your CDR to match that you specify during execution (the parameters), this can be prefixes or whole numbers, and as many patterns as you want to check on a single run.
- You can set the flag to check the prefix and the number of digits which is same or greater so that you won’t catch local calls, normally international calls have higher number of called digits, I.e. > 10
- To automatically check or do it almost real-time, you can use cron on your server locally (It can also work with Nagios too, however, this guide does not cover configuring on Nagios,you need to set the flag NAGIOSMODE=YES). If you set Nagiosmode, it will not independently send out email and instead your Nagios server will decide what to do according to what you’ve set it to.
- Be sure to change NAGIOSMODE, SYSADMINEMAIL,EMAILSUBJECT,USER,PASS and if needed, db port,db database name,db table name, and db server & also location of your binaries (find them by typing whereis asterisk and whereis mysql and whereis curl)
- In some distro (FreePBX distro) the MySQL has no password (yeah, i know!), so in this case, leave the PASS=”” will suffice.
- */15 * * * * /usr/local/bin/checkintl.sh -w 3 -c 10 -i 60 -p 00:6,900:6 2>&1 | /usr/bin/logger –i -t ASTIOSALERTS
- Be sure to set the following inside the script (edit it)
EMAILSUBJECT="HOST $MYHOST INTERNATIONAL CALLS ALERT"
- If using Nagios, just set the flag NAGIOSMODE=YES
/usr/local/bin/checkintl.sh -w 3 -c 10 -i 60 -p 00:10,900:10
In the above example, it will
-w 3 – Warn when both CDR and running channel defined patters is equal to or greater than 3
-c 10 – Throw critical alert when both CDR and running channel defined patters is equal to or greater than 10
-i 60 – Check CDR for a total time of 60 minutes (note, time on server needs to be accurate for this to work properly)
-p 00:6,900:6 – This means, check for pattern 00 and 900 in the dst fields. If it exist, check length of >= 6 digits at minimum on both cases, in this example
No calls/threshold not hit like above
With a warning out which sends email when NAGISOMODE=NO. Also, if critical , it will send out emails like above.
In Nagios mode, it will show up just like this above in CLI and in Nagios itself, it will look like this
As usual, do give us feedback if find bugs and/or improvements/suggestions. Do give it a try and comment please if you found something helpful for others to note on your findings. Thanks and happy weekend.