Configuring Fail2Ban for Asterisk

For this test I will use Asterisk 13.1.0 and Fail2Ban 0.9.3-1 installed on Ubuntu Server 16.04.1 LTS.

Install Fail2Ban as I wrote in this article – Installing and Configuring Fail2ban

Open the Asterisk configuration file responsible for logging events to /var/log/asterisk/messages:

sudo nano /etc/asterisk/logger.conf

Add the security level to the messages line:

messages => notice,warning,error,security

Reload the Asterisk logging system:

sudo asterisk -rvv
logger reload
quit

Create an Asterisk jail file in the Fail2Ban configuration directory, thus activating the monitoring of the Asterisk logs:

sudo nano /etc/fail2ban/jail.d/asterisk.conf

With the following contents:

[asterisk]
enabled = true
bantime = 86400

Here bantime = 86400 is in seconds (24 hours), that is, the attacker will be blocked for a day.

Alternatively, edit the file /etc/fail2ban/jail.conf and change enabled from false to true in the [asterisk-tcp] and [asterisk-udp] sections.

Restart fail2ban for the new configuration file to load:

sudo fail2ban-client reload

Let’s check the work:

sudo fail2ban-client status asterisk

Done, now Fail2Ban will block IP addresses from which incorrect passwords for Asterisk accounts are entered.
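How failed-login lines in /var/log/asterisk/messages turn into ban decisions, as an added example that is not part of the original article and is not Fail2Ban's own filter. The two regular expressions, the sample log lines and the thresholds (maxretry=3, findtime=600) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, abbreviated sample of /var/log/asterisk/messages (not real traffic).
SAMPLE_LOG = """\
[2016-09-01 12:00:01] NOTICE[1432] chan_sip.c: Registration from '"6000" <sip:6000@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2016-09-01 12:00:09] SECURITY[1432] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="6000",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2016-09-01 12:00:15] NOTICE[1432] chan_sip.c: Peer '6001' is now Reachable. (12ms / 2000ms)
[2016-09-01 12:00:20] NOTICE[1432] chan_sip.c: Registration from '"6001" <sip:6001@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2016-09-01 12:01:00] NOTICE[1432] chan_sip.c: Registration from '"6000" <sip:6000@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
[2016-09-01 12:02:00] NOTICE[1432] chan_sip.c: Registration from '"6000" <sip:6000@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
[2016-09-01 12:30:00] NOTICE[1432] chan_sip.c: Registration from '"6000" <sip:6000@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
"""

TS = r"\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] "
# Assumed patterns for illustration; Fail2Ban ships its own, larger asterisk filter.
PATTERNS = [
    re.compile(TS + r"NOTICE\[\d+\] chan_sip\.c: Registration from '.*' failed for "
               r"'(?P<ip>[\d.]+)(?::\d+)?' - (?:Wrong password|No matching peer found)"),
    re.compile(TS + r'SECURITY\[\d+\] res_security_log\.c: SecurityEvent="(?:InvalidPassword|'
               r'InvalidAccountID|ChallengeResponseFailed)".*RemoteAddress="IPV4/\w+/(?P<ip>[\d.]+)/'),
]

def failures(log_text):
    """Yield (timestamp, source IP) for every line that matches a failure pattern."""
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]
                break

def ips_to_ban(log_text, maxretry=3, findtime=600):
    """Return IPs with at least maxretry failures inside a findtime-second window."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, ip in failures(log_text):
        # Keep only failures still inside the window, then add the new one.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return sorted(banned)

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
```

The second address fails three times as well, but its attempts are spread over half an hour, so it stays under the threshold unless findtime is widened.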

Sending Asterisk voicemail to multiple emails

Let’s say the voice mail is configured as I described in the article – Setting up voicemail in Asterisk.
There is the following context:

[voicemailcontext]
207 => 1111,Username,test@example.com,,attach=yes|tz=ua|delete=yes

If you want to send a voice message to several email addresses, then instead of test@example.com specify an alias, for example, testmail:

[voicemailcontext]
207 => 1111,Username,testmail,,attach=yes|tz=ua|delete=yes

Then open the /etc/aliases file in a text editor:

sudo nano /etc/aliases

And specify the addresses for the testmail alias:

testmail: support@example.net,user@example.net

Done, Asterisk will send a message to testmail, and it will be automatically forwarded to the specified addresses.

See also:
Redirecting mail for the root user

Setting up voicemail in Asterisk

As an example, I’ll set up voice mail for SIP number 207.
Voice messages will be sent to email using Postfix.
I described how to install it in this article – Installing and Configuring Postfix.

First, add the following to the section for SIP 207 (usually in /etc/asterisk/sip.conf):

mailbox=207@voicemailcontext

Next, configure voice mail in the file /etc/asterisk/voicemail.conf:

[general]
; Audio file formats
format=wav49|gsm|wav
; Sender address for notification emails
serveremail=noreply@example.com
; Whether to attach the audio file to the email
attach=yes
; The maximum number of messages (default 100, maximum 9999)
maxmsg=100
; Maximum message length in seconds
maxsecs=120
; Maximum greeting length in seconds
maxgreet=60
; Number of seconds of silence after which recording is considered complete
maxsilence=10
; Silence detection threshold, a value from 0 to 256 (default 128); the lower the value, the more sensitive
silencethreshold=128
; Maximum number of failed login attempts
maxlogins=3
; Automatically move listened messages to the "Old" folder. The default is on.
moveheard=yes
; Message encoding; the default is ISO-8859-1, with which part of my text was displayed incorrectly, so it is better to specify UTF-8
charset=UTF-8
; Omit the "[PBX]:" string from the message header
pbxskip=yes
; The text of the "From:" line
fromstring=VoiceMail
; Email subject
emailsubject=New voice message ${VM_MSGNUM} in the mailbox ${VM_MAILBOX}
; Email body
emailbody=Dear ${VM_NAME}:\n\n\tYou received a new voice message in length ${VM_DUR} under the number (number ${VM_MSGNUM})\nin the mailbox ${VM_MAILBOX} from ${VM_CALLERID}, at ${VM_DATE}. \n\t
; Date format
emaildateformat=%A, %d %B %Y в %H:%M:%S
pagerdateformat=%T %D
; Standard program for sending mail
mailcmd=/usr/sbin/sendmail -t

[zonemessages]
ru=Europe/Moscow|'vm-received' q 'digits/at' H 'hours' M 'minutes'
ua=Europe/Kiev|'vm-received' q 'digits/at' H 'hours' M 'minutes'

; Mailboxes of the voicemailcontext context: 1111 - voice mail password (optional), Username - user name, test@example.com - address to send voice messages to, after the comma you can specify one more, the options go at the end
[voicemailcontext]
207 => 1111,Username,test@example.com,,attach=yes|tz=ua|delete=yes

By the way, if you do not specify “delete=yes”, then once the maxmsg limit is reached the answering machine will play the greeting, then announce that the subscriber’s voice box is full, and will neither save the message nor send it to the email. In this case, you need to call the voicemail number and delete the messages. If “delete=yes” is specified, the messages are not stored on the server and do not appear in the voice mailbox but are only sent to the email; in this case the maxmsg limit does not apply and overflow is not possible.

Now, in the dial plan configuration /etc/asterisk/extensions.conf, add to the main context a number that can be called to listen to the mail:

exten => 500,1,Log(NOTICE, Dialing out from ${CALLERID(all)} to VoiceMail (500))
exten => 500,n,VoiceMailMain(0${CALLERID(num)}@voicemailcontext,s)
exten => 500,n,Hangup()

And add the VoiceMail line to the dialing context of the number 207 (voice mail will then take the call if the number does not answer or is not on the network), for example:

[207]
exten => 207,1,Dial(SIP/207,30)
exten => 207,n,Answer
exten => 207,n,VoiceMail(207@voicemailcontext)

Finally, connect to the Asterisk console, reload the configuration and view the list of voice mailboxes and messages:

asterisk -rvv
sip reload
voicemail reload
dialplan reload
voicemail show users
exit

The recorded messages are stored in the directory /var/spool/asterisk/voicemail/
Sound files are stored in /usr/share/asterisk/sounds

See also:
Sending Asterisk voicemail to multiple emails
Solving the error in Asterisk “File vm-newn does not exist in any format”
How to convert audio files to ulaw, alaw, gsm, g722, etc. for Asterisk

Asterisk time based routing

Here is an example of routing calls by time in Asterisk.
Assume that the /etc/asterisk/extensions.conf file has a configured context for the trunk with the following parameters:

[Trunk_2]
exten => s,1,DIAL(SIP/6004&SIP/6003,19)
exten => s,2,Hangup()

To route calls to different phones depending on the time, we leave in the context of this trunk only includes of nested contexts:

[Trunk_2]
include => daytime,8:00-18:00,mon-sat,*,*
include => nighttime,18:00-8:00,mon-sun,*,*
include => sunday,8:00-22:00,sun,*,*

In fact, daytime, nighttime and sunday are only the names of contexts whose time conditions are written in the [Trunk_2] context; they can be called anything.

Then we add the necessary extensions to these separate contexts.
That is, during the day:

[daytime]
exten => s,1,DIAL(SIP/6004&SIP/6003,19)
exten => s,2,Hangup()

At night:

[nighttime]
exten => s,1,DIAL(SIP/6002,19)
exten => s,2,Hangup()

And on Sunday:

[sunday]
exten => s,1,DIAL(SIP/6002,19)
exten => s,2,Hangup()

You can also, for example, create a holiday context with holidays:

include => holiday,*,*,1,jan
include => holiday,*,*,8,mar

etc.

For those who want to schedule in more detail by day, here is a list of the day abbreviations:
mon – Monday
tue – Tuesday
wed – Wednesday
thu – Thursday
fri – Friday
sat – Saturday
sun – Sunday

Similarly, the names of months are shortened to three letters.

Configuring Automatic Calls in Asterisk

Asterisk can automatically make a call if you put a .call file in the (default) /var/spool/asterisk/outgoing/ directory. If the modification time of the file is later than the current time, the call will be made at or after that time.

For automatic calls, the pbx_spool.so module must be loaded: either it is listed in modules.conf or autoload=yes is specified.


Asterisk warning “leave_voicemail: No more messages possible”

I noticed the following error on one of the servers:

WARNING[21992][C-00000b27]: app_voicemail.c:6559 leave_voicemail: No more messages possible

It turned out that the mailbox was full of voice messages and new ones were no longer being saved; in response the caller was informed “The subscriber’s voice box is full”.

To solve this problem there are several options:

1) Delete the messages in the voice mailbox by calling the voice mail number.

2) Increase the value of maxmsg in the voicemail.conf file, thereby increasing the maximum number of messages in the mailbox, but it may fill up again. After changing the voicemail.conf file, you need to apply the changes:

sudo asterisk -rvv
voicemail reload
quit

3) In the context of the voice mailbox, add delete=yes, for example:

[voicemailcontext]
207 => 1111,Username,test@example.com,,attach=yes|tz=ua|delete=yes

In this case, voice messages will be sent to e-mail and immediately deleted from the server, that is, they cannot be listened to by calling the voice mail number, and accordingly the mailbox will never be full. I consider this option the best.

See also:
Setting up voicemail in Asterisk

IPTables rules for Asterisk

To allow SIP connections in IPTables, add the rules (the first for signaling connections, the second for voice traffic):

sudo iptables -A INPUT -p udp -m udp --dport 5060 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

To allow connections from a specific address only, use the following instead of the rules above (where 192.168.1.50 is a trusted IP address):

sudo iptables -A INPUT -p udp -m udp -s 192.168.1.50 --dport 5060 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp -s 192.168.1.50 --dport 10000:20000 -j ACCEPT

Do the same for each IP, or specify a whole subnet at once, for example:

sudo iptables -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 5060 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 10000:20000 -j ACCEPT

To remove a rule, we’ll specify the same command, replacing -A with -D, for example:

sudo iptables -D INPUT -p udp -m udp -s 192.168.1.0/24 --dport 5060 -j ACCEPT
sudo iptables -D INPUT -p udp -m udp -s 192.168.1.0/24 --dport 10000:20000 -j ACCEPT

To view the list of rules, use the command:

sudo iptables -nvL
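The source-restricted ACCEPT rules above only limit access if packets that match no rule are dropped, by the chain policy or by a later rule. The added example below (not from the original article) models first-match evaluation of the INPUT chain to show this. The `iptables -S INPUT` text is constructed from the article's subnet rules, and the parser is a simplification that understands only -s, -p, --dport and -j.

```python
import ipaddress
import shlex

# Constructed `iptables -S INPUT` output: the article's subnet rules, policy left at ACCEPT.
RULES_POLICY_ACCEPT = """\
-P INPUT ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 10000:20000 -j ACCEPT
"""
# Same rules, but unmatched packets are dropped by the chain policy.
RULES_POLICY_DROP = RULES_POLICY_ACCEPT.replace("-P INPUT ACCEPT", "-P INPUT DROP")

def parse(ruleset):
    """Return (policy, rules) for the INPUT chain (simplified: flag/value pairs only)."""
    policy, rules = "ACCEPT", []
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            opts = dict(zip(tok[2::2], tok[3::2]))
            lo, _, hi = opts.get("--dport", "0:65535").partition(":")
            rules.append({
                "src": ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")),
                "proto": opts.get("-p"),
                "ports": (int(lo), int(hi or lo)),
                "target": opts["-j"],
            })
    return policy, rules

def verdict(ruleset, src, proto, dport):
    """First matching rule wins; if nothing matches, the chain policy applies."""
    policy, rules = parse(ruleset)
    for r in rules:
        if (ipaddress.ip_address(src) in r["src"]
                and r["proto"] in (None, proto)
                and r["ports"][0] <= dport <= r["ports"][1]):
            return r["target"]
    return policy

if __name__ == "__main__":
    for name, rs in (("policy ACCEPT", RULES_POLICY_ACCEPT), ("policy DROP", RULES_POLICY_DROP)):
        print(name, "-> untrusted 203.0.113.9 to udp/5060:", verdict(rs, "203.0.113.9", "udp", 5060))
```

In the output of sudo iptables -nvL the policy is shown in the chain header line, for example "Chain INPUT (policy ACCEPT ...)".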

See also my article:
Configuring IPTables

Adding SIP clients to Asterisk

SIP clients in Asterisk are specified in the sip.conf file, so open it for example in the nano text editor (Ctrl+X to exit the editor, y or n to save or discard changes):

sudo nano /etc/asterisk/sip.conf

First we specify the following parameter, forbidding anonymous calls:

allowguest=no

Now at the very end of the file, add the client:

[6000]
type=friend
secret=PASSWORD
nat=no
host=dynamic
dtmfmode=rfc2833
disallow=all
allow=ulaw
context=sip-dialout
callerid=6000
deny=0.0.0.0/0
permit=192.168.0.10/32

A brief description of the parameters that I indicated:
type – type of client, can be user (authentication by password), peer (identification by host address), friend (either by password or by host).
secret – user password.
nat=no – indicates whether the client may be behind NAT (here: no), see my article about this – Solution to the Asterisk problem – no sound when calling via NAT.
host=dynamic – the client is not bound to a host address.
dtmfmode=rfc2833 – method of transmitting DTMF dialing tones.
disallow=all – forbid all codecs.
allow=ulaw – allow only the ulaw codec.
context=sip-dialout – the name of the dialplan context (it is described in extensions.conf).
callerid=6000 – client’s internal phone number.
deny=0.0.0.0/0 – we forbid connection from all IP addresses.
permit=192.168.0.10/32 – we only allow connection from the specified IP address.

After adding the client, we will connect to Asterisk and update the sip configuration:

sudo asterisk -r
sip reload

To see the list of clients you can use the command:

sip show users

To exit the Asterisk console, type:

quit

The added client can now be connected to the Asterisk server using, for example, X-Lite, Zoiper or a VoIP phone, but there is nobody to call yet, so for the test we will add a second client to sip.conf:

[6001]
type=friend
secret=PASSWORD
nat=no
host=dynamic 
dtmfmode=rfc2833
disallow=all
allow=ulaw
context=sip-dialout
callerid=6001
deny=0.0.0.0/0
permit=192.168.0.10/32

Open the extensions.conf file in the editor:

sudo nano /etc/asterisk/extensions.conf

And add the following lines at the end of it, so that users can call each other:

[sip-dialout]
exten => 6000,1,Dial(SIP/6000)
exten => 6001,1,Dial(SIP/6001)

Restart Asterisk to apply the changes:

sudo service asterisk restart

Done, we added two users and they can call each other.
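A check for the settings this article relies on (allowguest=no, a secret, and a deny/permit ACL per client), as an added example that is not part of the original article. The sip.conf text, the secrets and the weak-secret policy (equal to the client name, digits only, or shorter than 12 characters) are assumptions made for illustration.

```python
import ipaddress

# Constructed sip.conf for illustration; client names and secrets are made up.
SAMPLE_SIP_CONF = """\
[general]
allowguest=yes          ; anonymous calls are still accepted

[6000]
type=friend
secret=correct-horse-battery-7
host=dynamic
deny=0.0.0.0/0
permit=192.168.0.10/32

[6001]
type=friend
secret=6001
host=dynamic
"""

def parse_sections(text):
    """Return {section: {key: [values]}}; Asterisk allows a key to repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return sections

def audit(text, min_secret_len=12):
    """Return a list of (section, finding) tuples."""
    findings = []
    sections = parse_sections(text)
    # chan_sip treats a missing allowguest as yes, so absence is reported too.
    if sections.get("general", {}).get("allowguest", ["yes"])[-1].lower() != "no":
        findings.append(("general", "allowguest is not 'no'"))
    for name, opts in sections.items():
        if name == "general" or "secret" not in opts:
            continue
        secret = opts["secret"][-1]
        if secret == name or secret.isdigit() or len(secret) < min_secret_len:
            findings.append((name, "weak secret"))
        deny_all = any(ipaddress.ip_network(d, strict=False).prefixlen == 0
                       for d in opts.get("deny", []))
        if not (deny_all and opts.get("permit")):
            findings.append((name, "no deny-all + permit ACL"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
```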

See also:
Adding a SIP client to FreePBX

Adding a SIP client to FreePBX

To add a SIP client to FreePBX, open the menu “Applications” – “Extensions”, choose for example “Generic CHAN SIP Device” and specify the main parameters:

User Extension: 6000 (SIP number)
Display Name: Operator (any name to display)
Secret: PASSWORD
and click “Submit“.

Done, the SIP client is added and can already register with the specified number and password.

How to add SIP in the configuration file I described in this article – Adding SIP clients to Asterisk

Installing Asterisk + FreePBX

Today I will install Asterisk on Ubuntu Server 14.04 LTS and FreePBX 12 as a management interface.

So, switch directly to the root user:

sudo -i

Let’s check if there are updates for the system and install them:

apt-get update
apt-get upgrade

Install the necessary components:

apt-get install build-essential linux-headers-`uname -r` apache2 mysql-server mysql-client bison flex php5 php5-curl php5-cli php5-mysql php-pear php-db php5-gd curl sox libncurses5-dev libssl-dev libmysqlclient-dev mpg123 libxml2-dev libnewt-dev sqlite3 libsqlite3-dev pkg-config automake libtool autoconf git subversion unixodbc-dev uuid uuid-dev libasound2-dev libogg-dev libvorbis-dev libcurl4-openssl-dev libical-dev libneon27-dev libsrtp0-dev libspandsp-dev libiksemel-dev libiksemel-utils libiksemel3

Restart the system:

reboot

Again, switch to the root user and install PearDB (the latest version can be viewed on the site http://pear.php.net/package/DB/download):

sudo -i
pear uninstall db
pear channel-update pear.php.net
pear install -Z db-1.7.14
pear list

You can update everything with the command:

pear upgrade-all

We compile and install Lame (this is the MP3 codec; it can also be installed automatically using the sudo apt-get install lame command):

cd /usr/src
wget https://sourceforge.net/projects/lame/files/lame/3.99/lame-3.99.5.tar.gz
tar zxvf lame-3.99.5.tar.gz
cd lame-3.99.5
./configure
make
make install

We compile and install DAHDI (the driver for the boards, it can also be installed automatically using the sudo apt-get install dahdi command):

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-current.tar.gz
tar xvfz dahdi-linux-complete-current.tar.gz
rm -f dahdi-linux-complete-current.tar.gz
cd dahdi-linux-complete-*
make all
make install
make config

We will compile and install LibPRI (the necessary library can also be installed via apt-get install libpri1.4):

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/libpri/libpri-current.tar.gz
tar xvfz libpri-current.tar.gz
cd /usr/src/libpri-*
make
make install

We compile and install PJSIP (required library):

cd /usr/src
wget http://www.pjsip.org/release/2.4.5/pjproject-2.4.5.tar.bz2
tar -xjvf pjproject-2.4.5.tar.bz2
cd pjproject-2.4.5
CFLAGS='-DPJ_HAS_IPV6=1' ./configure --prefix=/usr --enable-shared --disable-sound --disable-resample --disable-video --disable-opencore-amr
make dep
make
make install

We will compile and install jansson:

cd /usr/src
git clone https://github.com/akheron/jansson.git
cd jansson
autoreconf -i
./configure
make
make install

Let’s see which new version of Asterisk is on the official website http://downloads.asterisk.org/pub/telephony/asterisk/; I took the latest asterisk-13, compiled and installed it:

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar xvfz asterisk-13-current.tar.gz
cd asterisk-*
./configure
contrib/scripts/get_mp3_source.sh
make menuselect

To support mp3, we’ll select the module ‘format_mp3’ and also select what is related to mysql; in Core Sound Packages we select the Russian sound files, in Extra Sound Packages we select additional sound files, and then choose “Save & Exit”.

We continue the installation:

make
make install
make config
ldconfig

Let’s check the latest version of FreePBX on the official site https://www.freepbx.org/ and download it:

cd /usr/src
wget http://mirror.freepbx.org/freepbx-12.0.43.tgz
tar zxvf freepbx-*.tgz
cd /usr/src/freepbx

Create an Asterisk user and set the permissions:

useradd -m asterisk
chown asterisk. /var/run/asterisk
chown -R asterisk. /etc/asterisk
chown -R asterisk. /var/{lib,log,spool}/asterisk
chown -R asterisk. /usr/lib/asterisk

Let’s change some settings in the PHP and Apache2 configuration files:

sed -i 's/\(^upload_max_filesize = \).*/\120M/' /etc/php5/apache2/php.ini
sed -i -e 's/\;date\.timezone\ \=/date\.timezone\ \=\ "Europe\/Kiev"/g' /etc/php5/apache2/php.ini
cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf_orig
sed -i 's/^\(User\|Group\).*/\1 asterisk/' /etc/apache2/apache2.conf
sed -i 's/AllowOverride None/AllowOverride All/'  /etc/apache2/apache2.conf
service apache2 restart

Create MySQL databases:

mysqladmin -u root -p create asterisk
mysqladmin -u root -p create asteriskcdrdb

Create a user and password for accessing MySQL databases:

mysql -u root -p -e "GRANT ALL PRIVILEGES ON asterisk.* TO asterisk@localhost IDENTIFIED BY 'PASSWORD';"
mysql -u root -p -e "GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asterisk@localhost IDENTIFIED BY 'PASSWORD';"
mysql -u root -p -e "flush privileges;"

Run Asterisk and install FreePBX:

cd /usr/src/freepbx
./start_asterisk start
./install_amp --installdb --username=asterisk --password=PASSWORD

For FreePBX, you need to activate the mod_rewrite module in apache2:

a2enmod rewrite
service apache2 restart

Connect to the Asterisk console with the command:

asterisk -vvr

Typing the server IP address in the browser should open the FreePBX panel.

I had a security notification in the FreePBX panel, so check the permissions on the files and restart the amportal:

amportal chown
amportal a ma refreshsignatures
amportal a reload

It is also advisable to update the module versions in the Admin menu – Module Admin.

The owner of the http files should be asterisk; if the ownership gets broken, you can restore it with the command:

chown -R asterisk:asterisk /var/www/html/

This completes the installation; configuration comes next, but that is covered in another article.