VoIP Mailing List Archives
Mailing list archives for the VoIP community |
byrnejb at harte-lyne.ca Guest
|
Posted: Thu Mar 26, 2015 8:24 pm Post subject: [asterisk-users] Anonymous SIP calls |
|
|
We have a FreePBX-12 / Asterisk-12 setup that supports about 24
extensions, most internal Snom870s but six or so external (Jitsi-2..
we use TLS and SRTP everywhere on our side of the fence. The server
host is a dedicated atom(tm) box using the FreePBX distro (CentOS-6.x)
and is up-to-date. Registrations require very long random passwords
and registrable devices are further restricted by netblock filters.
We have the usual firewall and fail2ban intrusion prevention and
detection set-ups in place.
Our connection to the rest of the world is via PSTN.
We do our own DNS, both forward and reverse. We have NAPTR and SRV
RRs for SIP and SIPS.
That is the environment. Now for the questions.
Can I safely configure FreePBX/Asterisk to allow people to call us
directly via SIP? In other words, sip://something@harte-lyne.ca would
reach us and ring internally as if someone had called our main office
number via PSTN. Does it make sense to do so?
I am not talking about routing our main number through a SIP trunk
provider. We will remain on PSTN for the foreseeable future. But I
am curious as to whether or not it is worthwhile to allow others who
have the capability to simply call us via SIP rather than over PSTN.
And if we do allow it what are the caveats and how does one actually
configure Asterisk to do it?
I have read a number of blogs, sections of the Definitive Asterisk
book and mailing list archived posts respecting anonymous SIP calls.
But I have to say these leave me rather more confused than informed.
Virtually all sources advise against accepting any anonymous incoming
SIP calls whatsoever. The few that do not absolutely advise against
do not give much guidance in how to handle incoming calls. And
frankly, I have only a dim idea how an incoming SIP call should be
handled from a theoretical point of view.
Any guidance would be welcome.
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
mdupuis at ocg.ca Guest
|
Posted: Thu Mar 26, 2015 9:31 pm Post subject: [asterisk-users] Anonymous SIP calls |
|
|
You have to consider whether you really want "anonymous" calls, or you just want to enable SIP calls from trusted companies/partners. The latter means setting up routes to these companies and (ideally) registration between peers.
If you really want anonymous calls, then you will have to set up your dialplan with a guest/anonymous context for the calls to drop into. Once they arrive in that context you can route them anywhere else in your dialplan based on rules you set up. To help understand how this works, set verbose up to 10 in the Asterisk CLI and then call into your PBX using a SIP phone (without registration). You'll quickly see how it works.
The bigger concern here is security. Hackers will have a field day with an unsecured SIP connection. You will want to add some security on and around your Asterisk server. Take a look at http://www.voip-info.org/wiki/view/Asterisk+security for suggestions.
To be conservative, assume someone WILL find a hole in your dialplan and attempt to commit fraud (i.e. rack up charges on your phone system). You will want to add security to your asterisk server which detects this fraud and disconnects the callers. There's a great video of an Astricon attendee explaining how callers racked up $100,000 in charges in one weekend.
byrnejb at harte-lyne.ca Guest
|
Posted: Fri Mar 27, 2015 3:04 pm Post subject: [asterisk-users] Anonymous SIP calls |
|
|
On Thu, March 26, 2015 22:29, Michelle Dupuis wrote:
Quote: | You have to consider whether you really want "anonymous" calls, or you
just want to enable SIP calls from trusted companies/partners. The
latter means setting up routes to these companies and (ideally)
registration between peers.
|
This is what I am trying to get a handle on. It seemed to me that the
promise of VOIP was essentially that one could use the Internet as a
replacement for the PSTN directly, providing that one's callers/callees
were also directly connected via VOIP. SIP providers I had considered
a necessary transition to act as gateways between PSTN dialing and
VOIP until VOIP replaced PSTN virtually entirely if not completely.
That is why we are on Asterisk. We had to replace our old keyed
system and the thought was that we might as well get ready for VOIP
even if we planned to stay on PSTN for the foreseeable future.
However, the overwhelming evidence I find is that one simply does not
employ VOIP in the same way that PSTN works. Actually, I have put
that backwards. What I have discovered is that the most commonly
recommended method is to switch from a Telco to a SIP provider and
continue in a manner similar to the former set-up. External calls all
have to travel through a third party provider.
One does not accept incoming VOIP calls from just everyone,
apparently. One only accepts VOIP calls from known correspondents. I
am not clear why this is so other than vague warnings respecting
(admittedly real and serious) security issues.
Even limiting VOIP to known correspondents one is ultimately trusting
that they themselves are secured sufficiently to prevent unauthorised
access to your systems through theirs. And that seems a bit of a
stretch by way of rationalisation to me.
Also, what I do not understand is why the same issues do not exist from
incoming calls via PSTN.
I somewhat understand the process of getting devices to register and
authenticate to obtain access to our outgoing routes. What is it
about incoming SIP calls destined to our internal users that makes
those calls so dangerous? Why cannot incoming anonymous SIP calls
be treated exactly as incoming PSTN calls (other than PSTN have to go
through DAHDI to turn them into digital VOIP calls)? What is it that
prevents them from being blocked from gatewaying through to our PSTN
lines?
Please forgive my abysmal ignorance on this matter. Perhaps I have
been down in the weeds too long getting our internal FreePBX system
working to see what is obvious to others. I have been going through
the AstriCon videos on security and have or already had implemented
most of the suggestions: Outbound LD secured by pins and allowed only
during work hours; IPTABLES rules and fail2ban checks; Separation of
voice and data network segments and addresses; Private IP for VOIP
desk-sets and internal provisioning; and so forth.
However, I still have the sense that I am just not getting it. What
am I missing?
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
|
mdupuis at ocg.ca Guest
|
Posted: Fri Mar 27, 2015 3:44 pm Post subject: [asterisk-users] Anonymous SIP calls |
|
|
To answer your first question, what you refer to as the PSTN is also quite dangerous. There is a lot of fraud going on over analog lines - usually hackers try to find an outside line by calling in to a PBX and trying lots of digits, or, in some cases, fooling a naive user to forward them to an outside line (claiming to be Bell), etc. As for VoIP, even a beginner can try 100000 PBXs with 100000 dialout codes in a matter of hours. So because it's easier it becomes more popular. (There was an article in the Globe and Mail a few years ago about this - one Toronto company lost a lot of money because someone called in saying it was Bell Canada and their receptionist forwarded the technician to a "diagnostic number"...which was 9XXXXX and surprise they got an outside line). Since you're in Hamilton I figure this might ring a bell...
A lot of the value from what you refer to as the PSTN is really just a bridging point, and a massive directory (i.e. phone numbers). But their role is changing and someday they may be little more than the equivalent of root DNS servers. But for now they are still the major interconnect for ITSP's to legacy/TDM customers.
As for security and using fail2ban, I hope you read this:
http://forums.asterisk.org/viewtopic.php?p=159984
Fail2ban is not really security...but it's certainly better than nothing.
What you might be missing is that VoIP is the wild west of fraud. It's easy, and there are lots of holes in SIP, Asterisk, FreePBX, etc! Do a search on FreePBX security flaws and you'll find that hackers discovered a massive hole last summer exposing systems to toll fraud. This is big business for hackers and a single breach can earn them $10,000 to $100,000 (or more) - not bad for 1 day of work, and you the SIP customer are on the hook for that bill. Major ITSPs are not likely to forgive your bill just because you got hacked. It's your responsibility to secure your system. And if you haven't you might get a whopper of a bill.
There are working groups, industry groups, etc. dedicated to VoIP security. They exist for a reason - this is a HUGE problem. It's easy to get overconfident and a misstep in security can cost you your job and your company a small fortune.
bferrell at baywinds.org Guest
|
Posted: Fri Mar 27, 2015 4:17 pm Post subject: [asterisk-users] Anonymous SIP calls |
|
|
James,
I'm a systems and telecom professional with experience going back more than thirty years, to the days of teletype, current loop, POTS (2600hz signalling anyone?) and echo cancellation via analog level control and hybrid balance.
You read the intent of the VOIP/SIP design correctly. The intent WAS to make making connections between endpoints as easy as using a browser.
Unfortunately, setting up ALL of the infrastructure, not JUST the registration/switching points (Asterisk/Kamailio/Freeswitch), can be quite daunting... In general, simple DNS is beyond most and the necessary specialized (and they aren't That SPECIAL) SRV records make most systems admins run for the hills these days.
When we see a statement regarding consideration of allowing anonymous calls, we are seeing someone who is (rightly) concerned about fraudulent use of an expensive resource... PSTN interconnect. In the intended vision, that would be a "don't care" scenario, because the PSTN interconnect wouldn't exist, but it does and it's billed by its use, making it expensive.
In theory, E164 would have taken us closer to that ideal. Asterisk has hooks and connections to use it and its own, competing directory mechanism, DUNDi. Let's make special note of a word I used in that last sentence... Competing. Is DUNDi better? I don't know and I'm fairly certain I just touched off a debate on the topic. But I do know that when things start competing/contending, people do a few things:
1.) They take sides and fragment things
2.) They sit on the sidelines and wait for things to settle out
In my experience, this has a tendency to bring things to a halt.
Add to this, most of this tech is really, really only useful to businesses. I give my skills to people who need it (family, friends, my old gray-haired mother-in-law). Businesses are in the business of making money and if they want the use of my skills, they get to pay me. No one I know will perform this type of thing for free for a business and we all compete for the limited pool of resource that business is willing to offer. What I have to offer is the "tricks of the trade" I've garnered over a lifetime career. There was a time when systems admins freely swapped these tips, tricks and techniques (for the best example see the old Novell Users FAQ). As I mentioned before, we who know how to install and maintain VOIP systems are now competing and the dollars come hard, so there seems (at least in the arena of VOIP) less willingness to do this. Oddly, VOIP seems to be more cutthroat than any other sector of IT.
Just my experience and I'm sticking to it... and wishing it weren't so and that unicorns really existed.
asterisk at lists.mino... Guest
|
Posted: Fri Mar 27, 2015 4:47 pm Post subject: [asterisk-users] Anonymous SIP calls |
|
|
On 27/3/15 8:03 pm, James B. Byrne wrote:
Quote: | One only accepts VOIP calls from known correspondents. I
am not clear why this is so other than vague warnings respecting
(admittedly real and serious) security issues.
|
Because on the whole most people don't *want* to receive calls from
random strangers.
Quote: | What is it
about incoming SIP calls destined to our internal users that make
those calls so dangerous? Why cannot incoming anonymous SIP calls not
be treated exactly as incoming PSTN calls
|
Others have already written far more eloquently than I about the
security implications, but I think there are other factors at play here.
One of the principal benefits E.164 brought to the table was the ability
to 'bypass' the telco (and their call charges) and route the call direct
to the desired endpoint over our respective internet connections. But
the cost of making calls via the PSTN has reduced to a point where the
cost of the call is no longer a significant factor in whether to place
the call. Think back even a few years: the cost of calling another
country could easily rise above 1 (GBP/USD/whatever) per minute. Now,
with the exception of a few far-flung locations, there are very few
destinations to which calls are even a fifth of that cost.
Calls that come via the PSTN are subject to some sort of regulation.
Bona fide marketing companies are obliged to screen their calls through
the TPS (in the UK - I presume there's a similar 'do not call' screening
process in other countries). It's not perfect (international marketers
aren't effectively covered, for example), but it is marginally better
than a total free for all.
As for solutions, I think that for direct SIP-to-SIP calling to gain the
traction originally promised, we need to get to the same level of
incoming call control as we have with spam filtering on email. So there
will need to be organisations running distributed RBLs similar to (for
example) Spamhaus which SIP servers can query in real time to check not
just for hack attempts, but also those SIP servers from which
unsolicited marketing calls have originated, etc.
In summary:
1) PSTN calls are now /cheap enough/ that the financial benefits of
direct SIP-to-SIP calls for most users are negligible.
2) When the cost of calls falls to (effectively) zero, the principal
beneficiaries are fraudsters and telemarketers, and most people would
rather not deal with either group.
3) Lack of effective protection - both technical and regulatory -
against SIP-to-SIP misuse (not just fraud, but unsolicited callers, etc.)
Kind regards,
Chris
--
This email is made from 100% recycled electrons
j.halifax2 at seznam.cz Guest
|
Posted: Fri Mar 27, 2015 11:42 pm Post subject: [asterisk-users] Anonymous SIP calls |
|
|
Hi James,
Fortunately, your theory about common "run for dollars" is false with many counterexamples.
jh
---------- Original message ----------
From: Bruce Ferrell <bferrell@baywinds.org>
To: asterisk-users@lists.digium.com
Date: 28. 3. 2015 0:17:54
Subject: Re: [asterisk-users] Anonymous SIP calls
cloos at jhcloos.com Guest
|
Posted: Sat Mar 28, 2015 10:19 am Post subject: [asterisk-users] Anonymous SIP calls |
|
|
Some of us do allow sip from the internet, but just like for smtp email
protections are in order.
I point my SRV records at dedicated sip proxies (I use kamailio) which
check the INVITEd sip uri the same way my MXs check the SMTP Envelope-To
addresses, and only allow INVITEs through to authorized destinations.
And when those INVITEs make it to asterisk/freeswitch or the like, the
dialplan is generally not direct to phone(s), but via an IVR.
As an example, calling my email address via sip goes to an Asterisk
FollowMe instance.
I also provide my clients with dedicated sip addresses which avoid the
protections.
But the vast majority of the INVITEs coming to my public sip proxies are
fraud attempts. My primary sip proxy has blocked over 32k fraudulent
INVITEs over the last six months. And about one OPTIONS sip:100@... per
hour by something calling itself "friendly-scanner".
Then again, the number of invalid sip INVITEs per public sip destination
are fewer than the number of spam/virus type SMTP attempts per unit time.
And all of the telemarketing fraud I have had to deal with has come via
pstn dids, not via direct sip.
A half-gig virtual works fine for such a sip proxy.
You may also want to look into getting an ISN number, check out
http://freenum.org/ for the details.
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
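
The destination check described in the post above (screen the INVITEd URI the way an MX screens Envelope-To, and send accepted calls to an IVR), modelled in Python as an added example; it is not code from the thread and not Kamailio configuration. The domain `pbx.example.org`, the public users `reception` and `sales`, and all sample requests are constructed assumptions, and only initial INVITE/OPTIONS requests are modelled.

```python
import re
from collections import Counter

# Assumptions for this example (not from the thread).
LOCAL_DOMAIN = "pbx.example.org"
PUBLIC_USERS = frozenset({"reception", "sales"})  # reachable unauthenticated
SCANNER_UA = re.compile(r"friendly-scanner", re.IGNORECASE)

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
SIP_URI = re.compile(r"^sips?:(?:([^@]+)@)?([^:;?]+)(?::\d+)?")
DIAL_STRING = re.compile(r"^\+?[0-9*#]{3,}$")  # looks like a PSTN number


def parse_request(raw):
    """Return (method, user, host, headers), or None if not a SIP request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    line = REQUEST_LINE.match(lines[0])
    uri = SIP_URI.match(line.group(2)) if line else None
    if not uri:
        return None
    user = uri.group(1)
    if user is not None:
        # Drop user parameters and any password component.
        user = user.split(";")[0].split(":")[0]
    headers = {}
    for header in lines[1:]:
        if not header:          # blank line ends the header section
            break
        name, sep, value = header.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return line.group(1), user, uri.group(2).lower(), headers


def decide(raw):
    """Return (action, reason) for one unauthenticated initial request."""
    parsed = parse_request(raw)
    if parsed is None:
        return ("reject", "malformed")
    method, user, host, headers = parsed
    if SCANNER_UA.search(headers.get("user-agent", "")):
        return ("drop", "scanner-ua")          # no reply at all
    if method not in ("INVITE", "OPTIONS"):
        return ("reject", "method-not-served")
    if host != LOCAL_DOMAIN:
        return ("reject", "relay-denied")      # SMTP analogue: open relay
    if user in PUBLIC_USERS:                   # exact, case-sensitive match
        return ("forward-to-ivr", "public-destination")
    if user is not None and DIAL_STRING.match(user):
        return ("reject", "dial-string-probe")  # attempt to reach the PSTN
    return ("reject", "unknown-user")


def build(method, uri, user_agent, src="192.0.2.10"):
    """Construct a minimal SIP request for the samples below."""
    return "\r\n".join([
        f"{method} {uri} SIP/2.0",
        f"Via: SIP/2.0/UDP {src}:5060;branch=z9hG4bK-constructed",
        f"From: <sip:caller@{src}>;tag=1",
        f"To: <{uri}>",
        f"Call-ID: constructed@{src}",
        f"CSeq: 1 {method}",
        f"User-Agent: {user_agent}",
        "Content-Length: 0",
        "", ""])


# Constructed sample traffic, not captured from any real system.
SAMPLES = [
    build("INVITE", "sip:reception@pbx.example.org", "ExamplePhone/1.0"),
    build("OPTIONS", "sip:100@pbx.example.org", "friendly-scanner"),
    build("INVITE", "sip:90014165550100@pbx.example.org", "ExamplePhone/1.0"),
    build("INVITE", "sip:reception@other.example.net", "ExamplePhone/1.0"),
    build("INVITE", "sip:bob@pbx.example.org", "ExamplePhone/1.0"),
    build("INVITE", "sips:sales@PBX.EXAMPLE.ORG:5061;transport=tls",
          "ExamplePhone/1.0"),
    "GARBAGE",
]


def summarize(messages):
    """Count decisions by reason, e.g. for a periodic report."""
    return Counter(decide(m)[1] for m in messages)


if __name__ == "__main__":
    for message in SAMPLES:
        print(decide(message), "<-", message.split("\r\n")[0])
    print(dict(summarize(SAMPLES)))
```
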