FreePBX voicemail hacks

 

Important
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.

This article was originally posted in January, 2011 and may contain outdated information.


A few things you should know about FreePBX voicemail:

• If you are not receiving voicemail notifications (stutter dial tone, message waiting indication on certain phones, etc.) there are two things to check.  One is to go into /etc/asterisk/vm_general.inc and see if there is a line of the form ;pollmailboxes=yes — if it is commented out (semicolon in front), uncomment it by removing the semicolon.  The other is to go to the /var/spool/asterisk/voicemail directory and make sure that you have directories there called default and device, and that one is symlinked to the other (generally default is the “real” directory and device is the symlink). If the device directory is missing, make sure you’re in the voicemail directory and do this:  ln -s default device

• If you have users in different time zones, you can have the voicemail “envelope” information say the correct time by creating a [zonemessages] context at the end of /etc/asterisk/vm_general.inc (in later versions of FreePBX you can also enter these in the Timezone Definitions section of the Voicemail Admin module) — here’s a simple one showing the four major time zones in the continental United States (I know this is not complete, it’s just an example):

[zonemessages]
eastern=America/New_York|'vm-received' Q 'digits/at' IMp
central=America/Chicago|'vm-received' Q 'digits/at' IMp
mountain=America/Denver|'vm-received' Q 'digits/at' IMp
pacific=America/Los_Angeles|'vm-received' Q 'digits/at' IMp

Then, on each extension setup page in FreePBX, find the Voicemail & Directory section, and under that the VM Options.  In the VM Options add a tz= option for each user (for example, tz=eastern), using one of the zones you defined under [zonemessages] in /etc/asterisk/vm_general.inc.  Note that multiple options in VM Options must be separated by the | (vertical bar) character (not that you’re likely to have multiple options, but I mention it just in case).

• If your system is not used in a large office, or some other location where not all users can be trusted, you can disable the requirement to enter a PIN when using *97 to pick up voicemail for your own extension.  To do that, add the following context to /etc/asterisk/extensions_custom.conf:

NOTE: This is the original code for older versions of FreePBX:

[custom-voicemail-retrieve]
exten => s,1,Answer
exten => s,n,Wait(1)
exten => s,n,Macro(user-callerid,)
exten => s,n,Macro(get-vmcontext,${CALLERID(num)})
exten => s,n,VoiceMailMain(${CALLERID(num)}@${VMCONTEXT},s)
exten => s,n,Macro(hangupcall,)
exten => h,1,Macro(hangupcall,)

In newer versions of FreePBX (probably 2.9 and later) use this instead:

[custom-voicemail-retrieve]
exten => s,1,Answer
exten => s,n,Wait(1)
exten => s,n,Macro(user-callerid,)
exten => s,n,Macro(get-vmcontext,${AMPUSER})
exten => s,n(check),Set(VMBOXEXISTSSTATUS=${IF(${MAILBOX_EXISTS(${AMPUSER}@${VMCONTEXT})}?SUCCESS:FAILED)})
exten => s,n,GotoIf($["${VMBOXEXISTSSTATUS}" = "SUCCESS"]?mbexist)
exten => s,n,VoiceMailMain()
exten => s,n,GotoIf($["${IVR_RETVM}" = "RETURN" & "${IVR_CONTEXT}" != ""]?playret)
exten => s,n,Macro(hangupcall,)
exten => s,check+101(mbexist),VoiceMailMain(${AMPUSER}@${VMCONTEXT},s)
exten => s,n,GotoIf($["${IVR_RETVM}" = "RETURN" & "${IVR_CONTEXT}" != ""]?playret)
exten => s,n,Macro(hangupcall,)
exten => s,n(playret),Playback(beep&you-will-be-transfered-menu&silence/1)
exten => s,n,Goto(${IVR_CONTEXT},return,1)
exten => h,1,Macro(hangupcall,)

Then do the following in FreePBX’s GUI (do these steps in the order shown):

Go to Feature Codes and under Voicemail, disable “My Voicemail” (*97) using the dropdown, then Submit Changes.

Go to Custom Destinations (under the Tools tab) and create a new Custom Destination:  custom-voicemail-retrieve,s,1 — then Submit Changes.

Go to Misc. Applications and add a new Misc. Application. Make the feature code *97 and the destination the Custom Destination you created in the previous step, then Submit Changes.

Finally do an “orange bar reload” in FreePBX. Now when your users dial *97, it will assume they are authorized to pick up the voicemail for the extension they’re calling from. Obviously, this is probably not a good idea in any kind of office setting.

Got any other FreePBX voicemail hacks you like?

How to install Midnight Commander under Mac OS X (the easiest way?)

 

Important
We have used the information here to install Midnight Commander 4.8.10 under OS X 10.9 (Mavericks) and also to install Midnight Commander 4.8.12 under MacOS 10.13 (High Sierra) and in both cases it was a quick and painless install, and works great!

Over the many months that this blog has been available, one of the most consistently popular posts has been, How to install Midnight Commander under Mac OS X (the easy way, using Rudix). Unfortunately, as the article notes, the developer of Rudix changed his package and while you can still use Rudix to install Midnight Commander on your Mac, it’s not quite as straightforward an installation as it once was.

This morning I received a comment from reader LouiSe on that article, that read as follows:

What do you think about an up2date universal binary installer package? … http://louise.hu/poet/tag/mc/

Well, if it works I think it’s a great idea, but I don’t have the time to fully test it and since I’m still running Leopard, I have no way to test it under Snow Leopard.  So I’ll just throw it out there and say that if any of you would like to test it (at your own risk, of course) and see how well it works for you, I’d appreciate it if you’d leave a comment.  For the time being, be as careful as you might be with any software from an unknown source.  But if you’re daring enough to give it a try, this might indeed be the easiest way to get the latest version of Midnight Commander onto your Mac.

Since Midnight Commander is free and available for virtually all versions of Linux, learning to use it now will put you a step ahead for the day when you get sick of being seen as a cash cow by Apple, and are ready to move on to a computer that runs Linux.  Ubuntu Linux in particular has finally matured to the point that it is actually usable by non-geeky types, and the vast majority of the software in the Linux world is still free.  I like free software, and I don’t like watching the “spinning beach ball of death” on my Mac Mini, so unless someone gives me a newer one as a gift or something (not likely), the Mac Mini I’m using now is probably going to be the last Mac I will ever own.

Disaster recovery with MondoRescue

 


Many of us face the problem of having a server that we know we should back up frequently, but we don’t do it because it’s either too difficult to figure out how, or the backup solutions offered don’t actually restore the entire system if it crashes, so we figure, “why bother?”  If your system crashes, the thing you really need is a way to restore the entire system from some recent point in time.

Well, here’s one possible solution for you, assuming your server runs some form of Linux, and it’s from the fine folks at Sunshine Networks in Brisbane, Australia. I refer you to their article:

Disaster Recovery with Elastix 2.0

Now, don’t let the title throw you – there’s nothing Elastix-specific in this article.  The instructions should work with just about anything running under the CentOS operating system, and with minor tweaks to the installation process, under other versions of Linux.  What this software is supposed to do is give you an ISO file that can be burned to CD’s or DVD’s, or stored on a network share on another machine.  If the worst happens, you fix the hardware problems and then reinstall from the ISO file, and the way it’s supposed to work is that you get back to exactly where you were at the time of the last backup.  Now, I haven’t personally ever had to attempt a restore, but apparently others have and consider this a great piece of software. Obviously, I’m not making any guarantees, but it’s got to be better than no backup at all, right?

EDIT: Since I originally wrote this article, I’ve actually had the opportunity to use MondoRescue to restore a failed system (in this particular case, one that runs on a virtual machine). To say it worked great is an understatement. You just boot from the .iso file and it installs EVERYTHING back as it was. The only issue I had was that it couldn’t communicate with the network because the name of the network adapter was apparently different on the original and new systems — once I reconfigured the network settings to select a valid adapter (eth0, for example) it appeared to work just as it had on the day of the backup. And the restore process was surprisingly fast (much faster than the original installation, in fact)! Of course I cannot guarantee it will work that well for you, but I was blown away by the speed of the restoration, and I’m not that easily impressed!

I must also note that the article on the original Sunshine Networks site seems to have disappeared, so I changed the link to point to an archived copy on the Wayback Machine. However, in case that fails at some point, here is how I installed MondoRescue. Their instructions gave three different ways to do it, and I used this one, which (with perhaps a change in the file used) should work on any Red Hat or Centos based system (this was noted as “Tested on Elastix 2.0 32-bit” — if you are running something else, don’t just follow these instructions because you may need a different file):

cd /root/
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
rpm -Uhv rpmforge-release-0.5.1-1.el5.rf.i386.rpm
yum install mondo

after mondo installed correctly, you should disable the RPMForge repository, just to be on the safe side :
nano /etc/yum.repos.d/rpmforge.repo
change “enabled = 1” to “enabled = 0”

(They used vi to edit the repository; I changed it to nano. Use whichever text editor you like).

However, the file shown here is probably NOT the right one for your system. So, first go to http://packages.sw.be/rpmforge-release/ and read the descriptions for each file, and be careful to select the right one for your system, and substitute that filename in the two lines where it is used above.

After installation, you can start the program by running /usr/sbin/mondoarchive, which will bring up a GUI (of sorts). The original article notes that:

your full iso will ( under default settings ) be created in the following directory :
/var/cache/mondo/mondorescue-1.iso
there is a small recovery CD here :
/var/cache/mindi/mondorescue.iso

END OF EDIT.

The article has you use the mondoarchive GUI to make the backups (well, they actually say mondorescue, but when I downloaded the software the program was called mondoarchive), and that’s fine to start with.  But eventually, you’re going to want to automate the process so you can use it in a cron job to do unattended scheduled backups on a regular basis.  I have this running on one machine and send copies of the backups to another, like this (cut and paste from this article to get the full lines without wrapping) :

#!/bin/bash
# Create the backup; stop here if it fails so the existing remote copies are not rotated away.
mondoarchive -OVi -d "/var/cache/mondo" -E "/asterisk_backup" -N -9 -G -s 4G || exit 1
# Full ISO: delete the oldest remote copy, rename the previous one, then upload the new one.
ssh myaccount@server2.net rm /home/myaccount/server1backup/mondo/mondorescue-1-old.iso
ssh myaccount@server2.net mv /home/myaccount/server1backup/mondo/mondorescue-1.iso /home/myaccount/server1backup/mondo/mondorescue-1-old.iso
scp /var/cache/mondo/mondorescue-1.iso myaccount@server2.net:~/server1backup/mondo
# Small recovery CD image: same rotation.
ssh myaccount@server2.net rm /home/myaccount/server1backup/mindi/mondorescue-old.iso
ssh myaccount@server2.net mv /home/myaccount/server1backup/mindi/mondorescue.iso /home/myaccount/server1backup/mindi/mondorescue-old.iso
scp /var/cache/mindi/mondorescue.iso myaccount@server2.net:~/server1backup/mindi

The first command calls the mondoarchive program to create the backup – the -E argument excludes any directories you don’t wish to back up (I have a directory of backups made using another method that I didn’t want backed up) and you can read about the other arguments in the documentation (also see the full HOWTO).  The remaining lines connect to the external server and delete the oldest backups, rename the previous backup, and then copy the new backups over.  To do it the way I’ve done it here, you must have ssh access to the other server and you must be able to connect without using a password, using public/private key authentication.  You may also have to log into the remote server and create the directories (/home/myaccount/server1backup/mondo/ and /home/myaccount/server1backup/mindi/ in this example – obviously you can call the directories whatever you wish, it’s entirely up to you).

There is, of course, more than one way to remove the pelt from a deceased feline, and you’ll probably have your own method for moving the files to another server.  In some situations it appears that MondoRescue could do it for you (look at the n option), but it doesn’t include a provision to remove the oldest file and rename the previous one (not that I could see, anyway), so that’s why I did it in a shell script.

The folks at Sunshine Networks have several other great how-tos – you might want to give them a look! And for more useful information on MondoRescue, particularly how to perform a restore, see Configure IT Quick: Use Mondo Rescue to back up Linux servers (but please realize that article was written in 2003, and the install has apparently been made less complicated since then, so don’t use their installation instructions).


Asterisk 1.8.x and FreePBX users: How to NOT answer Google Voice calls UNTIL the called extension answers

 


EDIT (May, 2018): FreePBX and Asterisk users that wish to continue using Google Voice after Google drops XMPP support should go here: How to use Google Voice with FreePBX and Asterisk without using XMPP or buying new hardware.

This article was originally published in December, 2010 and may contain out-of-date information.

Many folks are experimenting with Asterisk 1.8.x and Google Voice.  In most cases the way it’s set up is that when a Google Voice call arrives, Asterisk answers the call, then sends a touch-tone digit “1” to Google Voice to answer the call, then proceeds to ring the destination extension.  This is necessary because when you configure Google Voice to use a Gtalk destination, they require you to press “1” to accept the call, even if you’ve configured Google Voice not to require that.  I don’t know if this is a bug in Google Voice or if they did it that way deliberately for some reason, but answering the call and accepting it upon arrival at the PBX has a few unintended side effects:

  • If your callers pay for long distance by the minute, they get charged from the moment the called extension begins ringing – even if you never answer the call.
  • You can’t use Google Voice’s Voicemail, nor their transcription service, because you’ve already answered the call.
  • Callers may hear a confusing double ringing tone at the start of ringing — one ring from Google Voice and the rest from Asterisk.

On the other hand, there are some advantages to doing it that way:

  • Because you’ve answered the call, you can let the extension ring as long as you like before sending it to voicemail, and Google Voice won’t snatch it away in 25 seconds and send it to their voicemail.
  • You can use Asterisk’s voicemail, if that’s what you prefer.

For those who’d prefer to let Google Voice handle their voicemail, or who object to making callers pay to listen to up to 25 seconds of ringing, there is a way to not answer the call and send the touch tone “1” until  after the destination extension has actually picked up the call.  If you are using plain vanilla Asterisk, all you have to do is make sure your Dial() command contains two additional options.  Consider this example line of Asterisk dialplan:

exten => gvoicein,n,Dial(SIP/1004,35,rTWtwaD(:1))

The important part here is the aD(:1) — the other options can be whatever you’d normally use, if any, but it’s the aD(:1) that does the magic. Now at this point, if you’re a FreePBX user you may be wondering how on earth you can modify the Dial() string, since the code that generates it is buried deep within the bowels of FreePBX. Fortunately, there is a way. Consider the following piece of code that might be used in extensions_custom.conf to bring in Google Voice calls:

[googlein]
exten => _[0-9a-z].,1,Noop(Incoming Google Voice call for ${EXTEN})
exten => _[0-9a-z].,n,Set(CALLERID(name)=${CUT(CALLERID(name),@,1)})
exten => _[0-9a-z].,n,GotoIf($["${CALLERID(name):0:2}" != "+1"]?notrim)
exten => _[0-9a-z].,n,Set(CALLERID(name)=${CALLERID(name):2})
exten => _[0-9a-z].,n(notrim),Set(CALLERID(number)=${CALLERID(name)})
exten => _[0-9a-z].,n,Wait(1)
exten => _[0-9a-z].,n,Answer
exten => _[0-9a-z].,n,Wait(1)
exten => _[0-9a-z].,n,SendDTMF(1)
exten => _[0-9a-z].,n,Goto(from-trunk,gv-incoming-${CUT(EXTEN,@,1)},1)
exten => h,1,Macro(hangupcall,)

With this context you’d use gv-incoming-username (where username is the part of the associated gmail address before the @) as the DID in your inbound route — a DID doesn’t have to be numeric even if FreePBX whines about it, and the advantage is you only need one context to handle incoming calls for all your Google Voice accounts.  This particular context is slightly modified from one found in the PBX in a Flash forum, but note that it contains these four lines that wait ONE second, answer the call, wait ONE second (you do NOT have to wait two seconds, despite what any other article may say, and in fact the one second wait might be unnecessary), and then send the touch tone digit 1:

exten => _[0-9a-z].,n,Wait(1)
exten => _[0-9a-z].,n,Answer
exten => _[0-9a-z].,n,Wait(1)
exten => _[0-9a-z].,n,SendDTMF(1)

You will find those four lines, or some variation on them (sometimes just the last three), in just about every published method for using Google Voice with Asterisk and FreePBX.  But, in FreePBX at least, you can replace them with this:

exten => _[0-9a-z].,n,Set(DIAL_OPTIONS=${DIAL_OPTIONS}aD(:1))

This slides the aD(:1) into the options that will be used with the Dial command, so when the extension answers, the call will be answered and then the touch tone “1” will be immediately sent to Google Voice, and then the audio between Google Voice and the called extension will be bridged as usual.

Unfortunately, or maybe fortunately depending on your point of view, it appears that if the call should go to Asterisk’s voicemail, the call will not be answered and the DTMF 1 will never be sent.  This means that if, for whatever reason, you don’t answer the incoming call, after 25 seconds it will go to Google’s voicemail.  There are doubtless ways around that (and if anyone’s truly interested, leave a comment and I’ll suggest a way that may work, that involves routing the incoming call to a ring group first) but I suspect that the majority of people who want to do this will be doing it because they want to use Gmail’s voicemail.

I’ve tested this and it works for me, though I would not use it on a regular basis because I prefer Asterisk’s voicemail.  If it doesn’t work for you for some reason, the only suggestion I can offer is adding a w before the :1, so the added options look like aD(w:1) – that will add a one-half second delay before the “1” is sent, and more than likely it won’t help one bit, but may cause callers to not hear your “hello” or other greeting.  But, you can try it and see — at least one user has reported it to be necessary.  If that doesn’t work, I probably won’t be able to help you but if you leave a comment, maybe someone else can.

And, should anyone from Google Voice read this, it would be really helpful if you’d do two things:

  1. Give us a way to disable Google Voice’s voicemail so we don’t have to resort to hacks like this to discourage callers from leaving a message there.
  2. Fix the bug (or “feature”) so that when we turn off call screening, it’s off for ALL destinations, including Gtalk!

Link: Interesting security technique for Asterisk and FreePBX users (may work with other SIP-based PBX’s also)

 


This article was originally posted in November, 2010.

NOTE: For some reason WordPress absolutely hates it when I try to edit this post, and turns links and other things into piles of steaming poo.  If things don’t look right here please e-mail me or leave a comment and I’ll check it out.  WordPress, I KNOW how I want my articles to look, why can’t you just leave them alone?

One problem faced by some SIP-based VoIP PBX administrators is the issue of security when you have external extensions (that is, extensions located anywhere in the world that’s not a part of your local network). You want to allow those extensions (the ones you’ve authorized) to connect to your system, but you prefer to keep everyone else out, and preferably not even tip them off that there’s a PBX there. The idea is, if the bad guys that would like to break into PBX’s don’t even realize that there is a PBX at your IP address, they won’t waste any time trying to crack into your system.

There have been other suggestions for how to handle this but many of them require your users to take some additional action(s) that they would not normally have to take, and users hate having to lift a finger to do anything to enhance their security. Which brings us to a rather clever technique that doesn’t require users to do anything other than use their phones as they normally would. It might be a tiny bit of a pain to set up initially, but the results may be worth it. I would call this medium level security because if someone is sniffing your packets, this alone may not keep them out, but most of the lowlifes that try to break into PBX’s don’t actually have sufficient access to sniff your packet stream (and also, they’d have to know the exact technique you’re using to be able to crack this). So without further ado…

Secure your VoIP server with the SunshineNetworks knock

(As of October 24, 2012, the above link appears to be DEAD — see the edit at the end of this article)

Note that while the article recommends changing the SIP port to something other than 5060, their basic technique (the “knock”) should still work even if you feel you need to stay on 5060. My only fear about changing the SIP port would be the possibility of losing communications with VoIP providers and with other systems I legitimately send/receive voice traffic to/from. They’re probably going to keep using 5060 even if I don’t. EDIT: My concern here may be unfounded — note the comment below from Alex of Sunshine Networks, who said that “changing the SIP port is quite safe. Your SIP server will send this SIP port along in its first SIP invite registration to the VoIP provider. So unless your VoIP provider is actively blocking out anything else than port 5060, it should work fine. We use this technique with 3 different major SIP providers in Australia and never had problems. So far we haven’t seen any unintended consequences.”

I haven’t personally tested this, so if you do, please consider leaving a comment to let me know how it worked for you. The two things I wonder are, do these rules survive a reboot, and can you have more than one secret phrase that would let people in (in case you want to use a different one for each external extension)? EDIT: Those questions are also addressed in Alex’s comment below. Also, those of you running PBX in a Flash should take note of Ward Mundy’s comment about changing an entry in /etc/sysconfig/iptables in this thread. In that same thread, there appears a method to view the “knock” each extension is currently sending — just do “sip debug” from the Asterisk CLI for an hour or so (long enough for all your endpoints to register, after which you can use “sip no debug” to turn it off), then run this at the Linux command prompt (not from the CLI!):

grep "From: " /var/log/asterisk/full | cut -f1 --delimiter=';' | sort -u

For each of your remote extensions, you’ll see a line that looks something like this:

From: The Knock <sip:234@nn.nn.nn.nn>

“The Knock” may or may not be enclosed in quotation marks, but it apparently doesn’t matter (you don’t include them in the iptables rules). If you haven’t used a specific “knock”, it could be the actual user’s name, if you set that up when you first set up the endpoint. Anyway, I’d suggest running this BEFORE you actually implement the iptables rules, so you know ahead of time what each endpoint is sending.

EDIT (Added January 8, 2012): I am now using a slight variation on this technique on one of the systems I administer. Without going into too many specifics, I will just note that some SIP devices and VoIP adapters actually already send a unique string that you can use as a “knock” – you do not have to configure a new one, you just need to find out what the device is already sending and use that. For example, let’s say you have a VoIP device connecting to your Asterisk server as extension 234. All you have to do is go to the Asterisk CLI (NOT the Linux command prompt) and enter this:

sip set debug peer 234

(Replace 234 with the actual extension number). Now, assuming that the device is connecting to your server, you will start to see SIP packets scroll across your screen. Within a few minutes you should see one like this (IP addresses have been xx’ed out):

<--- SIP read from UDP:xx.xx.xx.xx:5061 --->

REGISTER sip:xx.xx.xx.xx:5060 SIP/2.0
Call-ID: e10700c2@xx.xx.xx.xx
Content-Length: 0
CSeq: 56790 REGISTER
From: <sip:234@xx.xx.xx.xx>;tag=SP8f427e45f1e19cb24
Max-Forwards: 70
To: <sip:234@xx.xx.xx.xx>
Via: SIP/2.0/UDP xx.xx.xx.xx:5061;branch=z4b9hGK-4f0473a8;rport
Authorization: DIGEST algorithm=MD5,nonce="37cd169d",realm="asterisk",response="a726bfed5db321a7bc967b997b5157c2",uri="sip:xx.xx.xx.xx:5060",username="234"
User-Agent: xxxxxx/xxxxxx-x.x.x.x
Contact: <sip:234@xx.xx.xx.xx:5061>;expires=60;+sip.instance="<urn:uuid:nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn>"
Allow: ACK,BYE,CANCEL,INFO,INVITE,NOTIFY,OPTIONS,REFER
Supported: replaces

<------------->

If you don’t see this you may need to increase the debug level. After you see a packet like this, you can turn off sip debugging:

sip set debug off

The string you are looking for is in the Contact: string above (the nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn is replaced by a unique string). So, where in the instructions for the “knock” they show a sample string such as:

iptables -I door 1 -p udp --dport 5060 -m string --string "mysecretpass" --algo bm -m recent --set --name portisnowopen

I would change the --dport parameter to 5060:5061 (since a VoIP adapter sometimes uses port 5061 for the second service provider — for a device that allows up to four service providers, use 5060:5063) and the --string parameter to "<urn:uuid:nnnnnnnn-nnnn-nnnn-nnnn-nnnnnnnnnnnn>", but using the actual string sent by the device, of course. I know the Sunshine Networks people recommend using something other than port 5060 but I just can’t bring myself to go quite that far, and even their examples show 5060.

Some other SIP-compliant devices also send unique strings in their REGISTER packets. One that does NOT do so, as far as I am aware, is the venerable Linksys PAP2. And I also do not believe that any of the Sipura line of devices send such a unique string.
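One way to collect, per extension, the strings a device already sends in its REGISTER packets (the From display name and the Contact +sip.instance value discussed above) and turn one into the "door" rule. This is an added example, not code from the original article or from Sunshine Networks; the sample debug text, addresses and UUID are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of Asterisk "sip set debug" output. Addresses, tags and
# the UUID are made up for this example.
SAMPLE_DEBUG = """\
<--- SIP read from UDP:192.0.2.10:5061 --->

REGISTER sip:198.51.100.1:5060 SIP/2.0
From: <sip:234@198.51.100.1>;tag=aaa111
To: <sip:234@198.51.100.1>
Contact: <sip:234@192.0.2.10:5061>;expires=60;+sip.instance="<urn:uuid:00000000-0000-4000-8000-000000000234>"
Content-Length: 0

<------------->
<--- SIP read from UDP:192.0.2.20:5060 --->

REGISTER sip:198.51.100.1:5060 SIP/2.0
From: "The Knock" <sip:301@198.51.100.1>;tag=bbb222
To: <sip:301@198.51.100.1>
Contact: <sip:301@192.0.2.20:5060>;expires=3600
Content-Length: 0

<------------->
<--- SIP read from UDP:192.0.2.30:5060 --->

REGISTER sip:198.51.100.1:5060 SIP/2.0
From: <sip:412@198.51.100.1>;tag=ccc333
To: <sip:412@198.51.100.1>
Contact: <sip:412@192.0.2.30:5060>;expires=3600
Content-Length: 0

<------------->
"""

# Start-of-packet marker printed by Asterisk before each received message.
MARKER = re.compile(r"^<--- SIP read from .* --->\s*$", re.M)
# From header: optional display name (quoted or not), then the extension.
FROM_RE = re.compile(r'^From:\s*(?:"?([^"<\r\n]*?)"?\s*)?<sip:([^@>\s]+)@',
                     re.M | re.I)
INSTANCE_RE = re.compile(r'\+sip\.instance="(<urn:uuid:[0-9A-Fa-f-]+>)"')


def knock_candidates(debug_text):
    """Map each registering extension to the strings it already sends that
    could serve as a knock. An empty list means the device sends neither a
    display name nor a +sip.instance value, so it needs a configured knock
    or a fixed-IP rule instead."""
    found = {}
    for block in MARKER.split(debug_text):
        block = block.lstrip()
        if not block.startswith("REGISTER "):
            continue  # the article inspects REGISTER packets only
        m = FROM_RE.search(block)
        if not m:
            continue
        display, ext = (m.group(1) or "").strip(), m.group(2)
        names = found.setdefault(ext, [])
        inst = INSTANCE_RE.search(block)
        for value in (display, inst.group(1) if inst else ""):
            if value and value not in names:
                names.append(value)
    return found


def door_rule(knock, dport="5060:5061"):
    """Render the article's door rule for one knock string."""
    if any(c in knock for c in '"$`\\\n'):
        raise ValueError("knock contains characters unsafe inside shell quotes")
    return (f"iptables -I door 1 -p udp --dport {dport} -m string "
            f'--string "{knock}" --algo bm -m recent --set --name portisnowopen')


if __name__ == "__main__":
    for ext, names in sorted(knock_candidates(SAMPLE_DEBUG).items()):
        if names:
            print(ext, "->", door_rule(names[-1]))
        else:
            print(ext, "-> sends no usable string")
```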

Naturally, if an intruder KNOWS you are using that technique, they could try a brute-force attack on the unique string. So I recommend only using this with “uncommon” extension numbers (not 200 or 1000, for example) and with a VERY strong secret/password on the SIP connection. But it is another line of defense against would-be intruders!

EDIT (Added October 24, 2012): The original article, and most of the original site for that matter, seems to have gone offline. While I’m not going to repost the original article here without permission, I will give you a few more details and a couple of excerpts. First, they advised that you change the SIP port to something other than 5060 – they suggested using something in the range 20001 through 49000, though I am not sure why. They used port 34122 in their examples, and noted that if you are running PBX software that has a “SIP Settings” module, if you find a setting for “Bind Port”, that would be the one to change. Of course if you do this, you then have to change the SIP port on ALL your SIP-based phones and VoIP adapters.

With regard to the “knock” itself, they said this:

Technical information :
… Technically, our knock consists of a secret passphrase which is sent together with the first SIP packet from the phone to the server. SIP packets are text files, very much readable like http packets are. The SIP headers in a REGISTER invite packet have a lot of information, and one of those headers is called the “Display Name”. This display name is used only internally in your Asterisk server and has no other use, so we figured we could fill in anything and the Asterisk functionality would still work fine. We decided to use it as a port knock password.

How does it work :
The Asterisk administrator sets up a simple iptables rule. The iptables rule checks for a secret phrase inside packets sent to the SIP port ( 5060 by default, 34122 after having changed it ). Unless it finds this secret phrase, it will drop the packets to this port. All the remote phone has to do is fill in the “User Name” SIP property on his SIP phone with the secret phrase, and he will be able to connect.

What you then needed to do was to go into your Asterisk server and from a Linux command prompt, issue the following command:

iptables -N door

Then for EACH “knock” string you want to use, you would do this from the command prompt (note this is only one line, and note that 34122 is the example port and “mykn0ckstr1ng” is an example “knock”):

iptables -I door 1 -p udp --dport 34122 -m string --string "mykn0ckstr1ng" --algo bm -m recent --set --name portisnowopen

If you have anyone that needs to register with your server but cannot send the “knock”, but is at a fixed IP address, you’d add a line like this for each instance (again the port and ip address would probably need to be changed, and note that an entire subnet can be specified as in this example — just leave off the /24 if it’s a single ip address):

iptables -A INPUT -p udp --dport 34122 --source 10.10.1.0/24 -j ACCEPT

Then you would enter these three lines, but again using the correct port rather than 34122. In the first line you see the number 4000 — that is the amount of time in seconds that the port will be open, and should be greater than 3600 because that’s the default registration timeout for many SIP phones and VoIP adapters. The original article notes that you could use 86400, which is a full day:

iptables -A INPUT -p udp --dport 34122 -m recent --rcheck --seconds 4000 --name portisnowopen -j ACCEPT
iptables -A INPUT -p udp --dport 34122 -j door
iptables -A INPUT -p udp --dport 34122 -j DROP

And finally, to make iptables use these rules, you’d enter:

service iptables save

The original Sunshine Networks article notes that…

This code keeps port 34122 closed ( DROP ) unless someone has opened the door ( door ) in which case they are allowed to pass the door for a little more than 1 hour ( 4000 seconds ). Each time the phone re-registers , the SIP secret pass header is sent, and the door is reopened for 4000 seconds. Since the default SIP reregistration time on many phones is 3600, the 4000 seconds will make sure that as long as the phone is connected to the SIP server, or needs to be connected, the dynamic firewall rule is always active.

Once you have done this, if you configure the Display Name or User Name setting with the “knock” string, it should be able to get through your firewall. Any phone that doesn’t have this string won’t. Of course you can always make the “knock” something that a phone already sends (in a SIP register packet), as noted in the previous edit, and then you don’t have to reconfigure the phone at all. If a phone or device tries to connect without sending the “knock”, the firewall won’t allow it (assuming you haven’t previously created some other rule that allows the traffic to pass) and the connection will fail, or at least that is how it’s supposed to work (I make no guarantees because I didn’t come up with this).

If you enter the command cat /proc/net/ipt_recent/portisnowopen you will get a list of IP addresses that have successfully used the “knock” to connect. Remember that after you implement this, it can take up to an hour for a device to attempt to reconnect.
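Because the rules above are appended with -A, their position relative to anything already in the INPUT chain decides whether the knock is enforced at all. The following shell function is an added example (not from the original post or the Sunshine Networks article) that audits `iptables -S INPUT` output for that ordering and for the window length; the function name, the finding labels and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample shaped like `iptables -S INPUT` after the commands above.
sample_good() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -s 10.10.1.0/24 -p udp -m udp --dport 34122 -j ACCEPT
-A INPUT -p udp -m udp --dport 34122 -m recent --rcheck --seconds 4000 --name portisnowopen --rsource -j ACCEPT
-A INPUT -p udp -m udp --dport 34122 -j door
-A INPUT -p udp -m udp --dport 34122 -j DROP
EOF
}

# Constructed sample with two mistakes: an older blanket ACCEPT sits ahead of
# the knock rules, and the window is shorter than a 3600 s re-registration.
sample_bad() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 34122 -j ACCEPT
-A INPUT -p udp -m udp --dport 34122 -m recent --rcheck --seconds 1800 --name portisnowopen --rsource -j ACCEPT
-A INPUT -p udp -m udp --dport 34122 -j door
-A INPUT -p udp -m udp --dport 34122 -j DROP
EOF
}

# audit_knock_rules PORT [CHAIN] < ruleset
# Prints one finding per line and returns 0 only when there are none.
audit_knock_rules() {
    awk -v port="$1" -v chain="${2:-door}" '
    function report(msg) { print msg; found++ }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        proto = dport = target = ""; src = rcheck = 0; secs = -1
        for (i = 3; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-s" || $i == "--source") src = 1
            else if ($i == "--rcheck") rcheck = 1
            else if ($i == "--seconds") secs = $(i + 1) + 0
        }
        if (proto != "udp" || dport != port) next
        n++    # position among the rules that touch this UDP port
        if (target == "ACCEPT" && rcheck) {
            if (!rcheck_pos) rcheck_pos = n
            if (secs <= 3600)
                report("WINDOW rule " n ": --seconds " secs " does not exceed 3600")
        } else if (target == "ACCEPT" && !src && !drop_pos) {
            # Reached before the DROP, so it lets traffic in without the knock.
            report("BYPASS rule " n ": accepts any source without the knock")
        } else if (target == chain && !door_pos) {
            door_pos = n
        } else if (target == "DROP" && !src && !drop_pos) {
            drop_pos = n
        }
    }
    END {
        if (!rcheck_pos) report("MISSING recent --rcheck ACCEPT rule")
        if (!door_pos)   report("MISSING jump to chain " chain)
        if (!drop_pos)   report("MISSING final DROP rule")
        if (drop_pos && rcheck_pos > drop_pos)
            report("ORDER --rcheck rule comes after the DROP")
        if (drop_pos && door_pos > drop_pos)
            report("ORDER jump to " chain " comes after the DROP")
        exit (found > 0)
    }'
}

# Stand-alone demonstration on the constructed misconfigured ruleset.
sample_bad | audit_knock_rules 34122 || echo "ruleset needs attention"
```

On a live server the same check would be run as `iptables -S INPUT | audit_knock_rules 34122`.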

If anyone ever spots the original article back online, please let me know and I’ll remove this edit. I’d rather you get the information direct from the original source anyway, and the short excerpts I have provided here don’t give the complete overview that the original article provided.

EDIT (February 23, 2014): It appears that there is an archived copy of that original article on the Wayback Machine, although we do not know if it is the most recent edit of that article prior to the site disappearing.

Link: Using IP tables to secure Linux server against common TCP hack attempts

 


This article was originally published in November, 2010.


I’m not entirely certain of the original source of this article — I found it on one site, but a quick search reveals that the original source is most likely this site, but I may be wrong. The author of that article says he took some of the info in that article (looks like more than “some” from where I sit) from this article: How to: Linux Iptables block common attacks

Related articles found on that site are Using iptables to secure a Linux based Asterisk installation against hack attempts and Securing Asterisk – Fail2Ban (and that latter article looks suspiciously similar to this one: Fail2Ban (with iptables) And Asterisk).

I don’t know how valid or useful any of this is, but if you are running iptables on your system (if you’re not sure enter iptables -V on the command line — it should show you the version of iptables that is installed, if it is installed) then you might want to check these articles out.  And if you find an earlier source for any of these, let me know and I’ll include the links.  I know that in the technical community sometimes information gets copied around, but would it kill you guys to give attribution and a link to the original source when you are lifting information (or even raw text) from someone else’s article?

How to change the format of the time and date in Ubuntu’s clock applet

 

Important
This article is obsolete since recent Ubuntu versions now use the Gnome desktop, and to change the way the date and time are displayed in Gnome you would use a Gnome shell extension such as Panel Date Format (here’s How to install Gnome Shell Extensions on Ubuntu 20.04 Focal Fossa Linux Desktop). Then, if using the Panel Date Format extension, to set the format of the date and time you use a dconf command from the Linux terminal, for example:

dconf write /org/gnome/shell/extensions/panel-date-format/format "'%A, %B %e, %Y  %l:%M:%S %p %Z'"

This is a quick-and-dirty post because it took me a long time to find this but in the end it was simple to do.  Note the graphic below – this is the top menu bar (part of it anyway) and the gconf-editor, which you can get to by entering the program name in a terminal window (in later versions of Ubuntu this appears to have been replaced by dconf Editor, which you may need to first install from the Ubuntu Software Center, then use the second screenshot below).  The important parts are highlighted.  First note the time display in the top menu bar, then note the highlighted settings that were changed to make it that way:

Screenshot of top menu bar and gconf-editor program

When in the gconf-editor, you need to go to /apps/panel/applets/clock_screen0/prefs and then change the custom_format and format parameters as shown (double-click on a parameter name to change the value). The original information was found in this thread.

Note this was done in Ubuntu Karmic, and may or may not be applicable to some newer versions. In more recent versions of Ubuntu that use dconf Editor, this is where the settings are:

Screenshot of dconf Editor program in Ubuntu 12.04

When in the dconf Editor, you need to go to /com/canonical/indicator/appmenu/datetime and then change the custom-time-format and time-format parameters as shown (double-click on a parameter name to change the value — time-format is not highlighted in this screenshot, but you do need to change it to custom).

My custom (time) format string is:

%A, %B %e, %Y  %l:%M:%S %p %Z

If the seconds don’t change (that is, if they always stay at 00) then scroll down (if necessary) in the prefs list and make sure the show_seconds or show-seconds box is checked.

If you don’t like my format and want to create your own, you can find the codes for the various parts of the date format here.

Note that if you are using the XFCE desktop, you need only right-click on the time, select “Properties” from the dropdown, and when the Clock Options come up, select “Custom Format” from the dropdown and then enter your custom format in the text box just below the dropdown.

How to stop people from leaving messages in your Google Voice voicemail box

 


One irritating thing about Google Voice is their voicemail – they must be really proud of it, because they give you no way to turn it off (at least not that I can find), and worse yet, they don’t even let you pick the timeout before your Google Voice calls go to voicemail.  If people actually had to pay for their service I’m sure they’d get boatloads of complaints, but since it’s free and since Google doesn’t seem to care much what users think, we are stuck with their voicemail whether we want it or not. However, there are some situations where you really don’t want to have to check Google’s voicemail, so how do you discourage people from leaving a message?

The answer is simple, and probably 99.9% effective: Change your greeting to a busy signal! Most people, and even most automated calling equipment, will hang up after receiving a busy signal, and will not leave a message (and if anyone does, it’s probably a stupid robo-caller that you can safely ignore).

So how do you change your greeting in Google Voice? Glad you asked…

To start with, download this audio file (right-click on the link and save it to your hard drive). It is 24 seconds of North American busy signal, followed by the DTMF # button (the latter is needed to signal the end of the greeting).

Now, what you have to do is go to your Google Voice settings, Voicemail & Text tab, and in the Voicemail Greeting section click on “Use phone to record a new greeting.” I suggest you try this once or twice just to get the hang of how it works (you can delete any recording you make on the same page). Note that once you’ve recorded your first greeting, the button will change to say just “Record new.”

Google Voice - Location of "Record New Greeting" button

Now, the obvious thing to do here is to hold the phone up to your computer’s speaker and play the audio file after Google calls you to record the greeting. If you’re careful about your volume levels it might work, but I don’t recommend it.

A better method is to temporarily redirect your Google Voice callback so that it comes to a softphone on your computer, preferably one that has the ability to select audio inputs and outputs.  How to do that is left as an exercise for the reader, but I can tell you that the free version of Zoiper will allow you to select inputs. You’ll also need an audio program that can play back .wav files and allows you to select outputs (an example for the Mac would be Vox), and depending on your computer, you may need a third piece of software that allows you to redirect the output of one program to the input of another (for example, on a Mac you can use Soundflower). On a Mac you’d go into the audio player preferences, set the output to go to the redirection software, then set the softphone to get its audio input from the redirection software.

Vox audio player output settings
Zoiper softphone audio input settings

After doing this, get Google Voice to call your softphone, answer the call and immediately click “play” on the audio player software (into which you will have pre-loaded the audio file) and if all goes well it will play the file and at the end, after the DTMF # tone is played, Google Voice should play back the file, and ask you to accept it or try again. If you hear some ringing tone in the playback prior to the busy signal, just click “2” on Zoiper’s touch-tone keypad to try again (when you are given that option) and then as soon as you hear the beep, click “play” again. When it’s right, click the “1” on Zoiper’s touch-tone keypad when given the option. You can confirm that this is set as the default from the Google Voice page mentioned above. Also, note that by using the Google Voice “Groups” feature, you can play this “greeting” only to certain callers, if for some reason you want some people to actually be able to leave you voicemail in your Google Voice voicemail box.

I know that Zoiper is cross-platform and can be used under all major operating systems, and I’m pretty sure there are audio redirection programs available for Windows and Linux, though I don’t know what they are called offhand (if you do, please feel free to leave a comment, provided the software you suggest is free to use — I’m not going to promote any commercial software for this purpose because I’m pretty sure there is free software available, and in any case, it may even be possible to achieve this function from the Windows sound control panel, but it’s been so long since I’ve tried to do anything like this in Windows that I don’t remember how it’s done, I just know it’s possible).

Related Link:
Proof of concept: Automatically transfer Google Voice voicemail to Asterisk voicemail

Link: Using FreeSWITCH to add Google Voice to Asterisk

 


EDIT (2018): This article is extremely out-of-date and in no way useful today, and will probably be removed from this site at some point in the future. You might find this article more useful: How to use Google Voice with FreePBX and Asterisk without using XMPP or buying new hardware.

For those of you using Asterisk, Bill over at the PSU VoIP blog has come up with a way to interface Asterisk with Google Voice, by co-installing FreeSWITCH (which also supports Google Voice).  Turns out that Asterisk and FreeSWITCH can co-exist on the same server, though you do have to change the configuration a bit so they don’t compete for the same ports.  Anyway, Bill has come up with a how-to on adding Google Voice integration to current versions of Asterisk, so if that interests you, head on over and have a look:

Using FreeSWITCH to add Google Voice to Asterisk

The bonus is that once you get FreeSWITCH installed you can play around with it and look at some of its other features, if you are so inclined. Of course, the Asterisk folks could backport the Google Voice support to previous versions and make it unnecessary to do things like this, but I’m not holding my breath.

EDIT (January 26, 2012): The Google Voice channel drivers in Asterisk 1.8 have become unreliable enough (in my personal opinion, anyway) that I just used the technique shown in this article, and I must say that it works a LOT better than Asterisk 1.8’s Google Voice support.  I also added some comments to that article (probably too many!) that among other things show how I got it working for multiple Google Voice accounts.  So I would now recommend using this method to bridge Asterisk to Google Voice in preference to using Asterisk 1.8’s native channel drivers (unless you are very short on memory and/or storage space) — it just works, and calls connect faster.  Read the article AND the comments under it first, so you’ll know what to expect, and do be aware that it takes a relatively LONG time to compile and install FreeSWITCH (compared to Asterisk).  At points during the installation it may look like it’s stuck in an endless loop, but it really isn’t. Just go away and take a walk outside or something, and come back in a while and it should be done.

How to forward a call if a remote extension is unreachable in FreePBX 2.x

 


DISCLAIMER AND WARNING: This article contains EXPERIMENTAL code. DO NOT USE IT IN A PRODUCTION ENVIRONMENT until you have thoroughly tested it AND MODIFIED IT to meet your needs. It is guaranteed to NOT work (at least not in a way that will be useful to you) if you simply copy and paste it, and even if you read and follow the instructions below I don’t guarantee a thing (Asterisk can be funny, sometimes code that runs fine on one system will not on another). Anyway, you are NOT allowed to use this code unless you are willing to take ALL responsibility for modifying and testing it to make sure it will work in your situation. If you use this code and in some way it winds up not working and costing you money, don’t come after me because I’m warning you now that might happen, and it’s the risk you alone assume if you attempt to use this code!

FreePBX and Asterisk allow you to call forward a call on a busy or no-answer condition (as well as unconditionally), but there is no provision for specific forwarding if an extension (presumably an offsite one) is unreachable over the Internet. It is possible to do this, although in Asterisk 1.4 it’s not at all elegant. Some commercial VoIP providers offer a feature similar to this, calling it “Failover”, “Network Unavailable Forward” or just “Unavailable Forward”, “Network Availability Number ®” (Vonage trademarked that one!), or some similar name, but FreePBX and Asterisk do not offer similar functionality — there is no “Call Forwarding Unreachable” setting.  However, with a bit of work and a minimal amount of dialplan creation, you can emulate this feature.

Here’s an example that may work in many situations (as written it works with SIP extensions only, but maybe you can modify it slightly if you need to use it with IAX2 extensions or some other type):

First, if you are still using Asterisk 1.4 or earlier, add the following code to /etc/asterisk/extensions_custom.conf:

[custom-unreachable-test]
;NOTE: ${EXTEN} is interpolated into a shell command below, and the _X! pattern only guarantees that its first character is a digit
exten => _X!,1,Noop(Testing for unreachable extension ${EXTEN})
exten => _X!,n,TrySystem(asterisk -rx "sip show peers" | grep ^${EXTEN}/${EXTEN}[[:space:]] > /tmp/${EXTEN}.flag)
exten => _X!,n,ReadFile(reachable=/tmp/${EXTEN}.flag,1)
exten => _X!,n,GotoIf($["${LEN(${reachable})}" = "0"]?extoffline)
exten => _X!,n,Noop(Extension ${EXTEN} is reachable - sending to *${EXTEN} voice mailbox)
exten => _X!,n,Goto(from-internal,*${EXTEN},1)
exten => _X!,n(extoffline),Noop(Extension ${EXTEN} is NOT reachable)
;This is where you enter special forwarding conditionals for each unreachable extension
exten => _X!,n,GotoIf($["${EXTEN}" = "1101"]?from-internal,18005558355,1)
;This is the fallover (voicemail) destination in case no special destination is specified
exten => _X!,n,Noop(WARNING - no unreachable destination specified for extension ${EXTEN} - trying to send to voicemail)
exten => _X!,n,Goto(from-internal,*${EXTEN},1)

If you are using Asterisk 1.6 or later then use this instead:

[custom-unreachable-test]
;NOTE: ${EXTEN} is interpolated into a shell command below, and the _X! pattern only guarantees that its first character is a digit
exten => _X!,1,Noop(Testing for unreachable extension ${EXTEN})
exten => _X!,n,Set(reachable=${SHELL(asterisk -rx "sip show peers" | grep ^${EXTEN}/${EXTEN}[[:space:]])})
exten => _X!,n,GotoIf($["${LEN(${reachable})}" = "0"]?extoffline)
exten => _X!,n,Noop(Extension ${EXTEN} is reachable - sending to *${EXTEN} voice mailbox)
exten => _X!,n,Goto(from-internal,*${EXTEN},1)
exten => _X!,n(extoffline),Noop(Extension ${EXTEN} is NOT reachable)
;This is where you enter special forwarding conditionals for each unreachable extension
exten => _X!,n,GotoIf($["${EXTEN}" = "1101"]?from-internal,18005558355,1)
;This is the fallover (voicemail) destination in case no special destination is specified
exten => _X!,n,Noop(WARNING - no unreachable destination specified for extension ${EXTEN} - trying to send to voicemail)
exten => _X!,n,Goto(from-internal,*${EXTEN},1)

In both of the above examples, change the number 1101 to match an actual extension number on your system and change the 18005558355 to the actual number you want to send calls to (note this could be another extension on your system, including a custom extension or a ring group). Duplicate the line containing those values for each extension you may want to forward, changing those two values in each line appropriately (also see the comment section for another possible approach).

The above code assumes that if an extension is reachable, but is busy or does not answer, you want the call to go to voicemail (* + the original extension number — obviously, this would be easy to change if that’s an incorrect assumption). However, if the extension is unreachable, you want to reroute it to the user’s cell phone or some other number. In the above example, if extension 1101 receives a call and is unreachable, it would be forwarded to TellMe at 1-800-555-TELL (18005558355) – obviously not practical in a real-world situation, but it’s just an example. Again, note you have to duplicate that line in the code for each extension that might be forwarded in this way.

In order to make this work, you need to go into the FreePBX Tools menu and select “Custom Destinations”, then add a new custom destination. The destination must be custom-unreachable-test,${EXTEN},1 and the description can be anything you want (I suggest “Unreachable Extension Test” or something similar).

For each extension you wish to use this with, you must have qualify=yes (or set qualify to a valid numeric value) in the extension settings.

Finally, for each extension you want to use this with, create a Follow-Me (or edit any existing one) for that extension. You can leave the defaults as they are (or change them if you want – maybe you want to change the Ring Time, for example) but the one thing you must change is the Destination if no answer. Change that to the Custom Destination that you just created. Also, don’t forget to add the line in extensions_custom.conf to actually do something with calls to that extension when the extension is unreachable.

The reason I say this code is not elegant is because it relies on a kludge. It does a “sip show peers”, then looks for the pattern ${EXTEN}/${EXTEN} (e.g. 1101/1101) at the start of a line, which on most systems indicates the extension is connected. This may not be the case if you are using what is known as “deviceanduser” mode (which you probably aren’t unless you’re running a call center) so in that case you may need to use a different pattern match, for example:

exten => _X!,n,TrySystem(asterisk -rx "sip show peers" | grep ^${EXTEN}[[:space:]] | grep OK > /tmp/${EXTEN}.flag)

The result of the system call will be written to the file /tmp/1101.flag (or a similar file with a different extension number) and will either contain the full line from “sip show peers” (if the device or phone is reachable) or nothing (it will be an empty file). So in the next line we read the file in (actually just one character) and test the length – if it’s zero, then that’s when we do the unreachable processing. If it’s non-zero, we send the call to voicemail. EDIT: In Asterisk 1.6 and later there’s no need to create a temporary file.

I’m not saying this is the best way to do this, or the only way to do it, but it is a way that seems to work in VERY limited testing (at least on a system running Asterisk 1.4.35 and FreePBX 2.5).

This was inspired by a thread I saw on the PBX in a Flash forum, which also notes that there may be an even better way to do this in Asterisk 1.8, but since I don’t have it and VERY few FreePBX users are running 1.8 at this time, I’m not even going to touch that one.

EDIT: I did a VERY limited test of this (and made one change in the above code as a result) on an Asterisk 1.8 system running F—PBX 2.8. There are now two code sections above, one for those running Asterisk 1.4 or earlier, and one for those running Asterisk 1.6 or later (only tested with Asterisk 1.8). And before you try that “even better way” mentioned in the last paragraph, note that “Having chan_sip set HASH(SIP_CAUSE,) on the channel carries a significant performance penalty because of the usage of the MASTER_CHANNEL() dialplan function” and that Digium has “decided to disable this feature by default in future 1.8 versions” (see this page for more information). So, probably best to stick with the method shown here, if you can get it to work for you.