Re: [asterisk-users] E-911

2017-03-02 Thread James Cloos 
There are a few services available, in addition to the offerings from
(some? most?) upstreams.

I'm aware of http://www.bulkvs.com/e911.html

It is probably the most affordable option if your upstream does not
offer it.

I use their origination and termination services, but have not needed to
try their e911.  They only charge $0.72/month/number for e911.

(The way e911 works each number which may be used as callerid for 911
calls must have an address added to the e911 database.  You then need
to arrange to use a/the number corresponding to the address where the
emergency is as the userpart in the SIP From: header.)

-JimC
-- 
James Cloos  OpenPGP: 0x997A9F17ED7DAEA6


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] E-911

2017-03-02 Thread Doug Lytle 
>>> On Mar 2, 2017, at 12:33 PM, Jeff LaCoursiere j...@jeff.net wrote:


>>> Can anyone point me in a direction to start implementation of E-911 
>>> services?  Is this just something my upstream should supply, or can I 
>>> connect to something on my own?


For me, it was a pay for option from my upstream provider.

Doug


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk-users] E-911

2017-03-02 Thread Jeff LaCoursiere 
Apologies if this is considered off-topic; I suspect the information 
might benefit a portion of the list.


Can anyone point me in a direction to start implementation of E-911 
services?  Is this just something my upstream should supply, or can I 
connect to something on my own?


Thanks,

--
Jeff LaCoursiere
312 962 5250 desk
815 546 6599 cell


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
 https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users

[asterisk-users] Packetization does not work on PJSIP

2017-03-02 Thread Saint Michael 
I need to raise my ptime to 60 on my codecs for outbound calls. To that
effect, I add on the endpoint
disallow=all
allow=ulaw:60

and also

 use_avpf   : false
 use_ptime  : true

But the invites always leave with ptime:20.
It used to work fine in the old SIP channel.
What am I doing wrong?
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Patrick Laimbock 

On 02-03-17 13:52, Bryant Zimmerman wrote:

John V

Are you using pjsip? We are have several test servers and  I just
checked my /etc/fail2ban/filter.d/asterisk.conf and it is not updated
for pjsip implementations.  Looking at the security log files and the
regex I noticed that some items are being banned but others are not due
to changes in the messages for pjsip.
Anyone got an updated asterisk.conf for fail2ban.


The latest upstream version of asterisk.conf can be found here:

https://github.com/fail2ban/fail2ban/blob/0.10/config/filter.d/asterisk.conf

This commit mentions improved pjsip support:

https://github.com/fail2ban/fail2ban/commit/f85fb45b29768f687546ba25f805977cf00b6e43

HTH,
Patrick



--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
 https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Bryant Zimmerman 
John V

 Are you using pjsip? We are have several test servers and  I just checked my 
/etc/fail2ban/filter.d/asterisk.conf and it is not updated for pjsip 
implementations.  Looking at the security log files and the regex I noticed 
that some items are being banned but others are not due to changes in the 
messages for pjsip.
 Anyone got an updated asterisk.conf for fail2ban.

 Bryant



 From: "Telium Technical Support" 
Sent: Wednesday, March 1, 2017 9:54 PM
To: "Asterisk Users Mailing List - Non-Commercial Discussion" 

Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1

If this is a small site, I recommend you download the free version of SecAst 
(www.telium.ca) and replace fail2ban.  SecAst does NOT use the log file, or 
regexes, to match etc.instead it talks to Asterisk through the AMI to extract 
security information.  Messing with regexes is a losing battle, and the lag in 
reading logs can allow an attacker 100+ registration attempts before fail2ban 
even does anything (assuming the IP is exposed in the Asterisk log).



If this is a large install then post in the commercial list for more 
information.



-Raj-



From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Tech Support
Sent: Wednesday, March 1, 2017 2:37 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' 

Subject: Re: [asterisk-users] fail2ban Asterisk 13.13.1



It's possible that you need to increase the value of 'findtime' to 
something greater than 300 secs. You also may want to set "timestamp = yes" in 
asterisk.conf so each line in the CLI will be time stamped. Time stamping it 
will be the definitive determination on whether or not the 'findtime' is the 
culprit.

Regards;

John V.



From: asterisk-users-boun...@lists.digium.com 
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Motty Cruz
Sent: Wednesday, March 01, 2017 01:29 PM
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: [asterisk-users] fail2ban Asterisk 13.13.1



Hello, fail2ban does not ban offending IP.



NOTICE[29784] chan_sip.c: Registration from 
'"user3"' failed for 'offending-IP:53417' - Wrong 
password

NOTICE[29784] chan_sip.c: Registration from 
'"user3"' failed for 'offending-IP:53911' - Wrong 
password





# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime  = 300



[asterisk-iptables]

enable = true

port = 5060,5061

filter   = asterisk

action   = iptables-allports[name=ASTERISK, protocol=all]

  sendmail[name=ASTERISK, dest=mo...@email.com, 
sender=fail2...@asterisk-ip.com]

#action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", 
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]

   %(banaction)s[name=%(__name__)s-udp, port="%(port)s", 
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

   %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]

logpath  = /var/log/asterisk/messages

maxretry = 3

findtime  = 300

bantime  = -1





in filter.d

asterisk.conf

failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed 
for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching 
peer found|Not a local domain|Device does not match ACL|Peer is not supposed to 
register|ACL error \(permit/deny\)|Not a local domain)$

^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(:\d+\) 
to extension '[^']*' rejected because extension not found in context

^%(__prefix_line)s%(log_prefix)s Host  failed to authenticate 
as '[^']*'$

^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' 
\(from \)$

^%(__prefix_line)s%(log_prefix)s Host  failed MD5 
authentication for '[^']*' \([^)]+\)$

^%(__prefix_line)s%(log_prefix)s Failed to authenticate 
(user|device) [^@]+@\S*$

^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$

^%(__prefix_line)s%(log_prefix)s 
SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$

^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection 
from "$

^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' 
failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint 
found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$



failregex = NOTICE.* .*: Registration

Re: [asterisk-users] fail2ban Asterisk 13.13.1

2017-03-02 Thread Julie M 
On Thursday 02 Mar 2017, Telium Technical Support wrote:
> If this is a small site, I recommend you download the free version of
> SecAst (www.telium.ca  ) and replace fail2ban. 
> SecAst does NOT use the log file, or regexes, to match etc.instead it
> talks to Asterisk through the AMI to extract security information. 
> Messing with regexes is a losing battle, and the lag in reading logs can
> allow an attacker 100+ registration attempts before fail2ban even does
> anything (assuming the IP is exposed in the Asterisk log).

I would recommend exactly the opposite.  If you install proprietary, binary-
only software on your system, you have no way to verify its integrity.  This 
is no throwaway portable device, it is the heart of your business's telephone 
system.  Do not go compromising its security by installing software that can't 
be independently verified.  

Ask yourself two questions:  (1)  Would you eat a cake that did not have the 
ingredients listed on the box?  And  (2)  why would the manufacturer *not* 
tell you what ingredients they were using -- unless they suspected that if you 
knew for sure what was actually in the cake, you might not be so inclined to 
eat it after all?


-- 
Julie

Note:  Originating address only accepts e-mail from list!  If replying off-
list, change address to asterisk1list at earthshod dot co dot uk .

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users