Forum thread: User-specific Caller ID/whitelist/blacklist in Asterisk/FreePBX

Occasionally I see a forum thread that contains enough interesting material that it could be the start of an article, but because it’s stretched through a number of posts, I can only link to the thread. And also, because I’m not the author of any of the original posts, I can’t just copy and paste without possibly violating someone’s copyright. This is one such thread, which discusses the possibility of creating user-specific whitelists or blacklists, or Caller ID name lookup sources in FreePBX or Asterisk. The Caller ID name lookup would be most useful to Google Voice users, since Google Voice doesn’t provide a Caller ID name on incoming calls, just a number. Since there is no way that a user can add or change such listings in the FreePBX interface at present, the trick seems to be to use Google Contacts as the user’s web interface, and then import the data from the user’s Google Contacts list into the Asterisk database at periodic intervals using a cron job.

The interesting thing about this is that it appears that users can have their own individual lists, since each user would apparently have their own Google Contacts, which means that a user could blacklist a caller without blacklisting that caller for all users on the system. It may be a bit tricky to figure out what’s being done from the posts shown, but still it looks like a possibly interesting technique.

Even though FreePBX 12 now offers a contact list in the User Control Panel, there are limitations on how it can be used. What is discussed in this thread apparently does not share those limitations, but does have the limitation that any changes made will not be seen by Asterisk until the next time the Google Contacts database is imported into Asterisk’s database, which is done using some downloadable software, a python script, and a cron job.

Thread here:
User-specific Caller ID/whitelist/blacklist in Asterisk/FreePBX (DSLReports.com)

Stop SOME SipVicious attacks from reaching your Asterisk, FreeSwitch, YATE, etc. PBX server

This tip was posted by user “infotek” on the FreePBX site but applies to all software PBX systems that use the iptables firewall. “infotek” wrote:

By default the SipVicious scanner uses the ua : “friendly-scanner”. To block this ua, you can have iptables search the packet for that text.

add the following line to /etc/sysconfig/iptables

-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 500 -j DROP

Now the thing to keep in mind about this is that it only works if you know the string that will be sent as the user agent, and some hackers using SipVicious may take the trouble to change that default string, but some protection is better than none.  However this same technique can be used to block any attack that constantly sends the same string as the user agent, if you know what that string contains.

For those that use Webmin to manage iptables, here are the settings to use.  This should come BEFORE any other rules applicable to port 5060 – I made it the very first rule on the page “Incoming packets (INPUT) – Only applies to packets addressed to this host”:

Rule comment: Stop SipVicious
Action to take: Drop
Network protocol: Equals UDP
Destination TCP or UDP port: Equals Port(s) 5060
Additional IPtables modules: string
Additional parameters: --string "friendly-scanner" --algo bm --to 500

All other settings on the Webmin “Add Rule” page should be left at the default value (usually <ignored>).

To stop the hackers clever enough to change the default user agent string, consider also using this technique.
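
An added example (not from the original tip or from “infotek”): a Python check over iptables-save text that verifies the friendly-scanner DROP rule sits ahead of any unrestricted ACCEPT for UDP port 5060, which is what the ordering advice above requires. The sample ruleset is constructed, the function names are illustrative, and only rules that name the port with --dport are considered.

```python
import shlex

# Constructed sample in iptables-save format (not taken from a real host).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 500 -j DROP
COMMIT
"""

FLAGS = {"-p": "proto", "--dport": "dport", "-s": "source",
         "--string": "string", "-j": "target"}


def parse_input_rules(text):
    """Return one dict per '-A INPUT' rule, numbered in file order from 1."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"]:
            continue
        rule = {"pos": len(rules) + 1}
        for flag, key in FLAGS.items():
            if flag in tokens[:-1]:
                rule[key] = tokens[tokens.index(flag) + 1]
        rules.append(rule)
    return rules


def covers_port(rule, port):
    """True if the rule is UDP and its --dport (single or a:b range) includes port."""
    if rule.get("proto") != "udp" or "dport" not in rule:
        return False
    lo, _, hi = rule["dport"].partition(":")
    return int(lo) <= port <= int(hi or lo)


def audit(text, needle="friendly-scanner", port=5060):
    """List ordering problems for the string-match DROP rule; empty list means OK."""
    rules = [r for r in parse_input_rules(text) if covers_port(r, port)]
    drop = next((r for r in rules
                 if r.get("target") == "DROP" and r.get("string") == needle), None)
    if drop is None:
        return [f"no DROP rule matching {needle!r} on udp/{port}"]
    findings = []
    for r in rules:
        # An ACCEPT with no -s restriction ends traversal before the DROP is reached.
        if r["pos"] < drop["pos"] and r.get("target") == "ACCEPT" and "source" not in r:
            findings.append(f"rule {r['pos']} accepts udp/{port} from any source "
                            f"before the DROP at rule {drop['pos']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

A source-restricted ACCEPT above the DROP (such as one for the local network) is not reported; rule positions match what iptables -L INPUT --line-numbers shows.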

Link: Quick trick for Missing Forwards calls to Google Chat Option in Google Voice Account

“Forwards calls to Google Chat” is an important option for people who are using Google Voice as a free VoIP solution. In order to be able to receive calls, the “Forwards calls to Google Chat” option must be activated so that the VoIP adapter can act as Google Chat to receive calls, e.g. OBi devices. Without that, the phone will never ring when people call your Google Voice number.

If the Google Voice account was newly set up, by default the “Forwards calls to Google Chat” option is not active. Google didn’t provide any selectable option for adding the option to Google Voice.

Here is how you can add Google Chat to the “Forwards calls to” list.

Full article here:
Quick trick for Missing Forwards calls to Google Chat Option in Google Voice Account (ALL4OS)

How to set up an alternate SIP port (other than 5060) using Webmin

One problem that some VoIP users are experiencing these days is that they have trouble connecting to their home Asterisk, FreeSWITCH, YATE, or other software PBX server, but only when using certain ISP’s.  One suspicion is that certain ISP’s that offer their own VoIP or traditional landline service attempt to mess with packets using the common SIP port 5060, hoping customers will think that VoIP is unreliable and will subscribe to the company’s overpriced offering instead (see this thread at BroadbandReports.com).

There are various ways to enable an alternate SIP port on the server (in addition to the usual port 5060) but if you are using Webmin to manage your firewall, here’s an easy way, in just three steps:

Step 1:

If you use Webmin to manage your firewall, then you already know how to get to the Linux Firewall page.  So go there and select the Network Address Translation (nat) table in the dropdown at the top of the page.  Then when the page changes, click the topmost Add Rule button (in the Packets before routing (PREROUTING) section):

SIP Port Forwarding 1

Step 2:

Now you should see this page. The items you need to change are indicated by the red ovals.  The Destination TCP or UDP port is set to 7654 in this example, but don’t use that.  Pick your own unique port; just make sure that it’s not used by anything else on the server already.  And yes, you really do put the alternate SIP port you want to use in the Destination setting; it may not make intuitive sense but that’s just how it is.  Avoid using ports in the range 10000 through 20000 because those are used for RTP traffic, and avoid ports below 1024 because those are protected ports that are reserved by the system.  There are also other ports you should avoid (those used by other software on your system) but if you don’t know how to find ports in use on your system, a bit of time with a search engine will lead you to several pages that show you how to detect already active ports.  It can vary a bit depending on your operating system, and it’s beyond the scope of this article.

SIP traffic is UDP only, not TCP (there may be rare exceptions but most software PBX’s use UDP by default).  If by some very odd chance you are using TCP for SIP traffic (why?!?) then you will need to specify that under the Network Protocol item.  Also, note that the incoming interface is set to eth0 in this example – Webmin will usually show the correct one by default, but you want to select the interface used by incoming SIP traffic if you happen to have more than one.  Don’t forget to click Save when you’re finished.

SIP Port Forwarding 2

Step 3:

After you have saved the page you should be back at the page you came from, and it should now show your new forwarding rule.  If it does, just click Apply Configuration at the bottom of the page to make it active:

SIP Port Forwarding 3

One other thing you might need to do is add a rule on the main Linux Firewall page allowing incoming traffic on your selected alternate port, if you have a restrictive firewall that blocks most traffic by default.  Try it first without doing that, but if your clients can’t connect on the alternate port, just be aware that you may need to do that before they will be able to connect.  For more security, you can enable access to your SIP ports only from specific IP addresses, if your remote clients are at fixed IP addresses.

Now you should be able to change the port number on your SIP endpoints from the default 5060 to your alternate port.  Of course I can’t guarantee it will always work, but if you try it and suddenly find that your SIP connections become far more reliable, you might want to leave a comment, and mention the ISP that you suspect might be messing with SIP traffic.

By the way, if you are NOT using Webmin to manage your firewall, and have iptables installed, then all you should need to do is enter these two lines from a command prompt (replace 7654 with your chosen alternate port).  But I strongly caution you NOT to do this if you are using Webmin to manage your firewall:

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 7654 -j REDIRECT --to-ports 5060
/etc/init.d/iptables save

How to receive incoming Callcentric calls in FreePBX without creating multiple trunks

Just some notes on how to set up a Callcentric trunk in FreePBX and receive incoming calls without the need to create multiple trunks. This overcomes a limitation in Asterisk that is discussed in several other places (use a search engine if you really want to know).

Trunk settings:

When setting up the trunk use the following in the PEER details (change the highlighted parts):

type=peer
secret=password
qualify=yes
insecure=port,invite
host=callcentric.com
fromuser=1777XXXXXXX
fromdomain=callcentric.com
disallowed_methods=UPDATE
disallow=all
directmedia=no
defaultuser=1777XXXXXXX
videosupport=no
context=custom-from-callcentric
allow=ulaw

And don’t forget to use a Register String (replace YYYYYYYYYY with your DID):

1777XXXXXXX:password@callcentric.com/YYYYYYYYYY

EDIT: Instead of using custom-from-callcentric as the context, in recent versions of FreePBX you can use from-pstn-toheader instead, and then skip the next step (the addition of the custom-from-callcentric context to extensions_custom.conf) entirely!

Add context to etc/asterisk/extensions_custom.conf:

In etc/asterisk/extensions_custom.conf add this context:

[custom-from-callcentric]
exten => _X!,1,Noop(Incoming Callcentric call)
exten => _X!,n,Set(CCDID=${CUT(CUT(SIP_HEADER(To),@,1),:,2)})
exten => _X!,n,Set(CDR(did)=${CCDID:1})
exten => _X!,n,Goto(from-pstn,${CCDID:1},1)
exten => h,1,Macro(hangupcall,)

Copy context to extensions_override_freepbx.conf and modify it:

Open etc/asterisk/extensions.conf in a text editor such as nano, and find the [from-sip-external] context. It will probably look like this, or something very close:

;-------------------------------------------------------------------------------
; from-sip-external
;
; This context is the default SIP context unless otherwise changed in the SIP
; Settings module or other sip configuration locations. This context is hit by
; either anonymous SIP calls or mis-configured SIP trunks when the incoming call
; can not be matched with a SIP section.
;
[from-sip-external]
exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Goto(s,1)
exten => s,1,GotoIf($["${SIPLANG}"!=""]?setlanguage:checkanon)
exten => s,n(setlanguage),Set(CHANNEL(language)=${SIPLANG})
exten => s,n(checkanon),GotoIf($["${ALLOW_SIP_ANON}"!="yes"]?noanonymous)
exten => s,n,Goto(from-trunk,${DID},1)
exten => s,n(noanonymous),Set(TIMEOUT(absolute)=15)
exten => s,n,Log(WARNING,"Rejecting unknown SIP connection from ${CHANNEL(recvip)}")
exten => s,n,Answer
exten => s,n,Wait(2)
exten => s,n,Playback(ss-noservice)
exten => s,n,Playtones(congestion)
exten => s,n,Congestion(5)
exten => h,1,Hangup
exten => i,1,Hangup
exten => t,1,Hangup
;-------------------------------------------------------------------------------

Copy the entire context into etc/asterisk/extensions_override_freepbx.conf (without changing any other contexts that may already be there) and make the highlighted changes shown below. Don’t forget to replace the line number in the line that ends with “?checklang:noanonymous)” or things may break. EDIT: Replace custom-from-callcentric with from-pstn-toheader if you did not create the custom-from-callcentric context above:

;-------------------------------------------------------------------------------
; from-sip-external
;
; This context is the default SIP context unless otherwise changed in the SIP
; Settings module or other sip configuration locations. This context is hit by
; either anonymous SIP calls or mis-configured SIP trunks when the incoming call
; can not be matched with a SIP section.
;
[from-sip-external]
exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Goto(s,1)
; Next 2 lines required to avoid adding 20 or so additional trunks just to receive CallCentric calls
exten => s,1,Set(FROM_DOMAIN=${CUT(CUT(SIP_HEADER(TO),@,2),>,1)})
exten => s,n,GotoIf($["${FROM_DOMAIN}"="ss.callcentric.com"]?custom-from-callcentric,${DID},1)
exten => s,n,GotoIf($["${SIPLANG}"!=""]?setlanguage:checkanon)
exten => s,n(setlanguage),Set(CHANNEL(language)=${SIPLANG})
exten => s,n(checkanon),GotoIf($["${ALLOW_SIP_ANON}"!="yes"]?noanonymous)
exten => s,n,Goto(from-trunk,${DID},1)
exten => s,n(noanonymous),Set(TIMEOUT(absolute)=15)
exten => s,n,Log(WARNING,"Rejecting unknown SIP connection from ${CHANNEL(recvip)}")
exten => s,n,Answer
exten => s,n,Wait(2)
exten => s,n,Playback(ss-noservice)
exten => s,n,Playtones(congestion)
exten => s,n,Congestion(5)
exten => h,1,Hangup
exten => i,1,Hangup
exten => t,1,Hangup
;-------------------------------------------------------------------------------

Note that every time you do a FreePBX upgrade you should open etc/asterisk/extensions.conf and make sure that the [from-sip-external] context has not been changed by the FreePBX upgrade. If it has, then you should make sure those changes get copied into the replacement context in etc/asterisk/extensions_override_freepbx.conf.

We’ve seen similar instructions that are more complicated than this (with regard to the added lines in the [from-sip-external] context) but we’ve been using this for a while and have found that it’s all you need – we’ve not seen any incoming Callcentric calls that have failed to be handled properly since we started using this.
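
An added example, not part of the original post: a Python emulation of the CUT() expressions in the dialplan lines above, run over constructed To header values, to show which context a call lands in and what DID is extracted. The header values and the helper names cut and route_for are assumptions for illustration, and CUT is reduced to the single-field case used here.

```python
# Constructed To header values; the user part 12125550100 is a made-up number.
SAMPLES = [
    '<sip:12125550100@ss.callcentric.com>',
    '"Front Desk" <sip:12125550100@ss.callcentric.com>',
    '<sip:12125550100@ss.callcentric.com:5060>',
    '"Sales: East" <sip:12125550100@ss.callcentric.com>',
]


def cut(value, delim, field):
    """Simplified CUT(): the 1-based field of value split on delim, '' if missing."""
    parts = value.split(delim)
    return parts[field - 1] if 0 < field <= len(parts) else ""


def route_for(to_header):
    """Return (context, extension) the added dialplan lines would jump to."""
    # exten => s,1,Set(FROM_DOMAIN=${CUT(CUT(SIP_HEADER(TO),@,2),>,1)})
    from_domain = cut(cut(to_header, "@", 2), ">", 1)
    if from_domain != "ss.callcentric.com":
        # GotoIf is false: the call continues through the stock from-sip-external checks.
        return ("from-sip-external", None)
    # exten => _X!,n,Set(CCDID=${CUT(CUT(SIP_HEADER(To),@,1),:,2)})
    ccdid = cut(cut(to_header, "@", 1), ":", 2)
    # Goto(from-pstn,${CCDID:1},1): the :1 offset drops the first character.
    return ("from-pstn", ccdid[1:])


def route_all(headers=SAMPLES):
    """Map every sample header to the route it would take."""
    return {h: route_for(h) for h in headers}


if __name__ == "__main__":
    for header, (context, exten) in route_all().items():
        print(f"{header!r:55} -> {context} {exten!r}")
```

The last two samples show the failure modes: a port in the To URI makes the domain comparison fail, and a colon in the display name shifts the field that CUT returns.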

How to receive incoming faxes in the FreePBX Distro for free, without spending $150

Important
This article is a guest post. We may not be able to answer questions about this article.

Here is how to receive incoming faxes in the FreePBX Distro without spending $150 on their FaxPro module (which IMHO is severely overpriced, given that several other distros offer a comparable faxing solution for free, including Elastix and Incredible PBX, though I do not necessarily recommend either of those distributions for various reasons). It may be possible to do outbound faxing by installing Hylafax+ and AvantFax. (EDIT: If you read Russian, you could try following the instructions in this article – hint: Google Translate is your friend – but please do a full backup of your system first and be careful, because installing AvantFax in particular may overwrite a portion of your FreePBX GUI!).

If you only have the need to send an occasional outgoing fax, you can use FaxZero, which allows you to send up to three free faxes a day, with up to three pages in each fax. But, here is how you can easily receive incoming faxes in the FreePBX Distro.

First, create a new Virtual Extension:

Create Virtual Extension

Click Submit.  When the next page appears, give the virtual extension a name and an extension number:

Virtual FAX Extension Settings 1

Now you must Submit the page and reload it, otherwise the fax settings will not appear. Now on that same page, fill in the fax settings. The Fax Email is the email address at which you wish to receive your faxes. I suggest using a PDF file as the output format:

Virtual FAX Extension Settings 2

Now Submit the page again.

EDIT FOR FREEPBX 14 AND NEWER VERSION USERS: The above is only partially correct for FreePBX 14.  In that version, you must have the User Management module installed.  Start out by creating a new Virtual Extension as shown above.  Under the General tab, enter the User Extension and the Display Name, and make sure that in the User Manager Settings, Link to a Default User is set to Create New User.  Under the Advanced tab, set Call Waiting to Disable. Click Submit.  Go to User Management (under the Admin menu) and under Users find the newly created FAX user and click the edit button. Click the FAX tab and set Enabled to Yes, and Attachment Format to whatever you want (I suggest PDF).  Then click the User Details tab and fill in the Email Address, and click Submit.  Now continue on with the instructions below.

Next, create an Inbound Route using your FAX number as the DID Number. This can be any number coming into your system that is dedicated to FAX usage. In my experience, even a Google Voice number will work fine for this purpose most of the time. Do NOT set “Detect Faxes” to YES unless for some reason you want to use a single DID for both voice and FAX. If you can get a separate free DID just for receiving faxes, that’s far better than sharing a DID for both purposes. Instead, at the bottom of the page under “Set Destination”, select “Fax Recipient” from the dropdown and then the FAX extension you created:

Set Fax Recipient

Submit that page.  Finally, you need to set an outgoing email address.  Go to Settings and select Fax Configuration, then on the Fax Options page, fill in an Outgoing Email address (sender address) for faxes sent by your system. After doing that, go to the bottom of the page and click Submit, and only then should you go up and click the bright red Apply Config button.  Don’t forget to Submit all your pages after making any changes or you’ll need to do them over!

Set outgoing fax email address

Now you can have someone try sending you a test fax. They should send it to your DID and the call should be answered with FAX tones and after the fax is completed, it should automatically be sent to your specified email address (the one you chose when setting up the virtual extension) as a PDF attachment. If it doesn’t arrive in a reasonable time, check your spam or trash folders. Some email providers (Google, I am looking at you) seem to think that any incoming fax is a spam message. You may need to tell your email provider that such messages are “not spam”, or add the email address of your system as an “approved sender” or something like that. If you don’t find the fax in either your inbox, or your spam or trash mailboxes, it may be that your system is not properly configured to send email. That is another topic entirely and is beyond the scope of this article.

Note that the above has been tested on a recent version of the FreePBX Distro, but your experience may vary depending on which version of the Distro you are using.

Black Friday deal on Vestalink VoIP (internet phone) service

Got an email today saying that from now through November 30 you can save 40% on all Vestalink service plans, if you use the promo code: blackfriday

Since Vestalink is one of the lower-priced VoIP providers anyway, this might be a particularly good deal for those looking for inexpensive VoIP service for yourself or a family member.

This comes with the standard caveat that although I am passing this along, I cannot make any guarantees about this company or the services they offer, so read all the terms and conditions and decide for yourself whether you feel that this is a service worth trying.

Vestalink (don’t forget to use the promo code blackfriday)!

Link: Raspberry Pi B+ with Asterisk and chan_dongle on Arch Linux

It is possible to build a small inexpensive box for making and receiving GSM calls and SMS. … When travelling outside the country, it is interesting to be reachable and be able to perform outgoing calls through VoIP without paying roaming fees. A Raspberry Pi can be transformed into a cheap VoIP box that routes VoIP/GSM calls in both sides (outgoing and incoming calls) as well as SMS.

Full article here:
Raspberry Pi B+ with Asterisk and chan_dongle on Arch Linux (AdeledA)

Security alert for users of the FreePBX Distro

We do not normally provide security alerts but since we have several articles on this site dealing with tweaks to Asterisk and FreePBX, we thought we would just pass this along. If you are a FreePBX Distro user, go read this thread and this security notice now. You should particularly do this if you are noticing high CPU usage.

The problem is that there is an exploit in the FreePBX Distro caused by a piece of software that turns itself on when installed. Some users want it, but many have never heard of it and don’t use it, so it should be turned off by default. One side effect of this software is that it has given attackers a way to install and run bitcoin mining software on affected PBX’s, which can degrade performance and increase power consumption. It’s a simple fix to keep this from happening, so do it now!

If you used the information from the article, “A possible way to thwart SIP hack attempts on your Asterisk (or other) PBX server”, please read this

If you took the advice in the article, A possible way to thwart SIP hack attempts on your Asterisk (or other) PBX server, please be aware that an important note has been added:

IMPORTANT: Be sure to have a separate iptables rule (higher on the list than those above) that allows connections to port 5060 from devices on your local network. Otherwise, you may find that new extensions that you are adding for the first time will not register with your Asterisk server, or that after a system reboot, none of your local extensions will register!

Please take heed of that note, or you may be one power failure or reboot away from discovering that none of your local extensions are able to register with your PBX server.