What Is IVR?


Published in: Technology

  1. Asterisk Stability & Security with kingasterisk
     - Protect your investment
     - www.kingasterisk.com
     - Skype: kingasterisk
  2. Introduction
     - What if the server goes down?
     - What if someone hacks into your 8 E1 Asterisk server and makes calls to Inmarsat?
     - Inmarsat: 5 euro/min. In 24 hours, on 8 E1s: 1,728,000 euro.
  3. Overview
     - Asterisk Performance Update
     - Asterisk Stability
     - Asterisk Security
     - Asterisk Monitoring
  4. Asterisk Performance Update
     - Updates since Astricon 2004:
       - Smaller memory footprint
       - Fewer file descriptors used
       - Memory leaks found / removed
       - Fewer RTP ports opened
       - Codec optimizations (especially Speex)
       - Hardware echo canceller
       - FastAGI
       - Realtime
       - Remote MOH
       - ds3000 / te411p
       - Channel walk optimization
  5. Astertest Testlab
  6. Astertest Cables
  7. Overview
     - Asterisk Performance Update
     - Asterisk Stability
     - Asterisk server monitoring
     - Asterisk Security
  8. Asterisk Stability
     - Hardware reliability
     - Software stability
  9. Asterisk Stability – Hardware Reliability
     - What is the cost of having no PBX service for your company?
     - What if you are an ISP and your customers can't dial out?
  10. Asterisk Stability – Hardware Reliability
     - What if you experience:
       - a power outage?
       - a broken HD?
       - a broken Zaptel card?
       - a broken server?
       - no Internet connectivity?
  11. Asterisk Stability – Hardware Reliability
     - Power outage: traditional phones are self powered (they draw power from the line). Solution: use a UPS to power the (PoE) phones, the switches, PBX, modem, router, ...
     - If you have a low-power PBX, the phone system could run for hours on a small UPS.
     - Don't use Ethernet over power for mission-critical phone lines.
  12. Asterisk Stability – Hardware Reliability
     - A broken HD? Use RAID > 0 (a redundant level; RAID 0 alone adds no protection).
     - SCSI has a bigger mean time to failure.
     - Flash disks, realtime, netboot, live CDs.
  13. Asterisk Stability – Hardware Reliability
     - A broken Zaptel card or a broken server? Make sure you have a replacement (maybe even hot standby) with all the modules you need, jumpers already set, ...
  14. Asterisk Stability – Hardware Reliability
     - No Internet connectivity?
     - Spare router / modem / switch?
     - Failover Internet connection?
     - Failover to / from PSTN?
  15. Label all cables!!
  16. Asterisk Stability / Quality Updates (software, since Astricon '04)
     - Real CVS-stable / CVS-head (Thanks Russell!)
     - Major cleanups / code audits.
     - New H.323 channel coming (chan_ooh323)
     - Packet Loss Concealment
     - IAX2 / SIP jitter buffer (Mantis 3854)
     - A lot of libpri, chan_sip, chan_h323 changes for better compatibility / stability.
     - DUNDi (easier load balancing with round-robin DNS)
     - OSP
     - Kernel 2.6.11.x
  17. Changes in hardware reliability
     - New Zaptel hardware (te411p, te4xxp, TDM, IAXy2, ...).
     - New drivers with a lot of bug fixes and optimizations.
     - End of life for x100p and Tormenta cards.
     - Hardware echo cancellers -> lower CPU load -> more calls the server can handle before Asterisk turns unstable.
  18. * reliability / stability recommendations
     - Use decent but not exotic hardware.
     - Put Zaptel on a different PCI bus than NICs and video cards.
     - Read tutorials on interrupts, APIC and other common problems.
     - Load test your setup.
     - Design a failover system.
     - Don't load unused modules (noload).
     - Use recent firmware on Zaptel cards.
  19. * reliability / stability recommendations
     - Use a stable Asterisk version.
     - Take a common OS -> Linux.
     - Test software upgrades in a test lab.
     - Stay away from experimental Asterisk modules -> h323, skinny.
     - Don't patch production Asterisk servers.
     - Keep your old Asterisk binaries after an upgrade for easy restore of known working versions.
  20. Overview
     - Asterisk Performance Update
     - Asterisk Stability
     - Asterisk server monitoring
     - Asterisk Security
  21. Asterisk server monitoring
     - Nagios: http://karlsbakk.net/asterisk/ and http://megaglobal.net/docs/asterisk/html/asteri
     - Argus: http://argus.tcp4me.com/
     - SNMP: http://www.faino.it/en/asterisk.html
  22. Overview
     - Asterisk Performance Update
     - Asterisk Stability
     - Asterisk server monitoring
     - Asterisk Security
  23. Asterisk Security
     - Asterisk configuration stupidity
     - Asterisk hardening
     - Privacy protection
  24. Asterisk Configuration Stupidity
     - Dial plan security
     - sip.conf
     - iax2.conf
     - manager.conf
     - Billing problems
  25. Dial plan security
     - Extension hopping
     - CallerID based protections
     - _.
     - Demo context
     - User access to the dial plan
     - Be careful with the default context
     - Limit simultaneous calls
  26. Extension hopping
     - The user can reach ANY extension in the current context. Here a caller sitting in the intro menu can dial any number matching _XX. and go straight out over ZAP/g1:
           [internal]
           exten => intro,1,Background(question)
           exten => 1,1,Goto(Spanish,s,1)
           exten => 2,1,Goto(English,s,1)
           exten => _XX.,1,Dial(ZAP/g1/${EXTEN})
  27. CallerID based protection
           exten => _X.,1,GotoIf($["${CALLERIDNUM}"="32134"]?3)
           exten => _X.,2,Hangup()
           exten => _X.,3,Dial(${EXTEN})
     - When the CallerID is not explicitly defined for each user/channel in zapata.conf, sip.conf and iax.conf, the user can choose his own CallerID!
  28. Inappropriate use of _.
     - _. would match EVERYTHING! (also fax, hang up, invalid, timeout, ...) Example:
           exten => _.,1,Playback(blah)
           exten => _.,2,Hangup()
     - Causing a FAST LOOP. (changed in CVS-head)
  29. Demo context
     - Not a real security risk.
     - But... someone might play with your system and use up your bandwidth, make prank calls to Digium, make Mark Spencer very unhappy and cause him to introduce you to a very big shotgun...
  30. User access to the dialplan
     - AMP and other GUIs might allow the ISP's user to change the dial plan in his own context, e.g. hosted PBXs.
     - Goto / GotoIf / Dial(Local/...) -> context hopping.
     - System() -> could do anything.
  31. Default context
     - Example:
           [default]
           include => outgoing
           include => internal
     - OH OH OH, guest calls will go to the default context!!!!!
  32. Context usage
     - A call has two legs; the context used is the one defined for that user/channel in the config file for that protocol. E.g.:
       - Zap to SIP call: the context set in zapata.conf is used
       - SIP to IAX2 call: the context in sip.conf is used
  33. Context usage
     - In sip.conf, zapata.conf, iax2.conf, ... a default context is defined. If there is no specific context setting for this channel or user, then the default context is used!
  34. Limit simultaneous calls
     - Sometimes you don't want a user to make multiple simultaneous calls, e.g. prepay / calling cards. Solution: SetGroup / CheckGroup (don't trust incominglimit):
           exten => s,1,SetGroup(${CALLERIDNUM})
           exten => s,2,CheckGroup(1)
     - Only good if the CallerID cannot be spoofed!!!! Consider using accountcode for this.
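As an added example (not from the presentation), a small Python lint that parses an extensions.conf-style dialplan and flags the pitfalls from slides 26-28 and 34: a wildcard pattern that dials straight out, a GotoIf that authorizes on CallerID alone, and the catch-all _. pattern. The sample dialplan, context names and finding strings are constructed for illustration.

```python
import re
# Constructed extensions.conf excerpt with the slides' pitfalls (not the presenter's own dialplan).
SAMPLE_DIALPLAN = """
[internal]
exten => intro,1,Background(question)
exten => 1,1,Goto(spanish,s,1)
exten => _XX.,1,Dial(ZAP/g1/${EXTEN})
[inbound]
exten => _X.,1,GotoIf($["${CALLERIDNUM}"="32134"]?3)
exten => _X.,2,Hangup()
exten => _X.,3,Dial(${EXTEN})
exten => _.,1,Playback(blah)
exten => _.,2,Hangup()
"""
EXTEN_RE = re.compile(r"^exten\s*=>\s*([^,]+),([^,]+),(.*)$")
CATCH_ALL = "_. matches everything, incl. fax/h/i/t: fast-loop risk"
OPEN_DIAL = "wildcard pattern dials out: extension hopping"
CID_ONLY = "authorization by CallerID only: spoofable unless pinned per channel"

def parse_dialplan(text):
    """Return {context: [(pattern, priority, application), ...]} in file order."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif (m := EXTEN_RE.match(line)) and current is not None:
            contexts.setdefault(current, []).append(tuple(s.strip() for s in m.groups()))
    return contexts

def classify(pattern, app):
    """Map one dialplan entry to a finding constant, or None if it looks fine."""
    app_l = app.lower()
    if pattern == "_.":
        return CATCH_ALL
    if pattern.startswith("_") and pattern.endswith(".") and app_l.startswith("dial("):
        return OPEN_DIAL
    if app_l.startswith("gotoif(") and "CALLERID" in app:
        return CID_ONLY
    return None

def audit_dialplan(text):
    """Return de-duplicated (context, pattern, finding) tuples."""
    findings = []
    for ctx, entries in parse_dialplan(text).items():
        for pattern, _prio, app in entries:
            hit = classify(pattern, app)
            if hit and (ctx, pattern, hit) not in findings:
                findings.append((ctx, pattern, hit))
    return findings
```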
  35. sip.conf
     - Default context
     - bindport, bindhost, bindip
     - [username] vs username=
     - permit, deny, mask
     - insecure=yes, very, no
     - user vs peer vs friend
     - allowguest
     - autocreatepeer
     - pedantic
     - ospauth
     - realm
     - md5secret
     - User authentication logic
  36. bindport, bindhost, bindip
     - If you only use SIP for internal calls, don't leave the bind address open to all interfaces but limit it to the internal IP.
     - Changing the bindport to a non-5060 port might save you from port scan sweeps for this port.
  37. permit, deny, mask
     - Disallow everything, then allow per user the allowed hosts or ranges. (Multiple entries are allowed.)
  38. sip.conf – insecure option (insecure=...)
     - no: the default, always ask for authentication.
     - yes: match a peer by IP address only, not by peer name.
     - insecure=very: allows registered hosts to call without re-authenticating, by IP address.
     - insecure=port: we don't care if the port number is different than when they registered.
     - insecure=invite: every INVITE is accepted.
  39. User vs Peer vs Friend in SIP
     - USER: never registers, only makes calls.
     - PEER: can register + can make calls.
     - Having both [user1] type=user and [user1] type=peer is allowed and is the same as type=friend if the other parameters are identical!!!
  40. allowguest=...
     - true: unauthenticated users will arrive in the default context as defined in sip.conf.
     - false: unauthenticated users will get a permission denied error message.
     - osp: allow guest access for VoIP traffic coming from an OSP server.
  41. autocreatepeer
     - The autocreatepeer option allows, if set to yes, any SIP UA to register with your Asterisk PBX as a peer. This peer's settings will be based on global options. The peer's name will be based on the user part of the Contact: header field's URL.
     - This is of course a very high security risk if you haven't got control of access to your server. © Olle
  42. pedantic
     - Defaults to pedantic=no.
     - If enabled, this might allow a denial of service by sending a lot of INVITEs, causing a lot of (slow) DNS lookups.
  43. realm
           realm=asterisk ; Realm for digest authentication
                          ; Defaults to "asterisk"
                          ; Realms MUST be globally unique according to RFC 3261
                          ; Set this to your host name or domain name
  44. How is authentication done?
     - chan_sip.c: /* Whoever came up with the authentication section of SIP can suck my %*!#$ for not putting an example in the spec of just what it is you're doing a hash on. */
  45. How is authentication done?
     - Look at the From header in the SIP message for the username:
       - Browse sip.conf for a type=user with that username. If found -> check the MD5.
       - If not found -> browse sip.conf for a type=peer with that username, then browse sip.conf for a (registered) IP the request is coming from:
         - if insecure=very, no more checks are done;
         - if insecure=port, they may authenticate even if they are calling from a different port than they registered with (used for NAT not using the same port number every time);
         - otherwise, check the MD5 + allow/deny.
       - If no peer is found: do we allow guest access (allowguest=true)? Yes? OK, send it to the default context; if not, reject.
  46. secret vs md5secret
     - With SIP all passwords are MD5 hashed when sent in the packets, but are stored in plaintext in sip.conf:
           [user]
           secret=blabla
  47. secret vs md5secret
           echo -n "<user>:<realm>:<secret>" | md5sum
     - E.g.:
           echo -n "user:asterisk:blabla" | md5sum
           e1b588233e4bc8645cc0da24d8cb848d
           [user]
           md5secret=e1b588233e4bc8645cc0da24d8cb848d
  48. username= vs [username]
     - [username] is for authenticating a client connecting to Asterisk. username=... is to have your Asterisk server authenticate to another SIP server.
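An added example, not part of the slides: a Python audit over a sip.conf-style file that reports the settings slides 36-47 warn about (allowguest, autocreatepeer, insecure=very/invite, missing permit/deny, plaintext secret) and computes the md5secret replacement the same way as the echo | md5sum on slide 47. The sample configuration and entry names are constructed.

```python
import hashlib
# Constructed sip.conf excerpt with the weak settings the slides warn about (not the presenter's config).
SAMPLE_SIP_CONF = """
[general]
allowguest=yes
autocreatepeer=yes
[user1]
type=friend
secret=blabla
insecure=very
[user2]
md5secret=e1b588233e4bc8645cc0da24d8cb848d
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

def parse_sip_conf(text):  # Minimal Asterisk-style INI parser: {section: {key: value}}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def md5secret(user, realm, secret):
    """Same digest as the slide's: echo -n "user:realm:secret" | md5sum."""
    return hashlib.md5(f"{user}:{realm}:{secret}".encode()).hexdigest()

def audit_sip_conf(text):
    """Return (section, finding) pairs for the sip.conf pitfalls on the slides."""
    cfg = parse_sip_conf(text)
    general = cfg.get("general", {})
    realm = general.get("realm", "asterisk")  # Asterisk's default realm
    findings = []
    if general.get("allowguest", "yes").lower() == "yes":  # guests allowed by default
        findings.append(("general", "allowguest: unauthenticated calls land in the default context"))
    if general.get("autocreatepeer", "no").lower() == "yes":
        findings.append(("general", "autocreatepeer=yes: any SIP UA can register as a peer"))
    for name, sec in ((n, s) for n, s in cfg.items() if n != "general"):
        insecure = sec.get("insecure", "no").lower()
        if insecure == "very" or "invite" in insecure:
            findings.append((name, f"insecure={insecure}: calls accepted without authentication"))
        if "secret" in sec:
            findings.append((name, f"plaintext secret; use md5secret={md5secret(name, realm, sec['secret'])}"))
        if "permit" not in sec and "deny" not in sec:
            findings.append((name, "no permit/deny: any host may use this entry"))
    return findings
```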
  49. iax.conf
     - auth=plaintext,md5,rsa
     - User authentication logic
     - Default context
     - [username] vs username=
     - permit, deny, mask
     - bindport, bindhost, bindip
     - user vs peer vs friend
  50. iax.conf - auth
     - plaintext: passwords are sent in plaintext.
     - md5: the password is sent as an MD5 hash.
     - rsa: use public key / private key – uses AES.
  51. User vs Peer vs Friend
     - USER: can only accept calls.
     - PEER: can only make calls.
     - FRIEND: can do both.
     - Having both [user1] type=user and [user1] type=peer is allowed!!!
  52. How is authentication done?
     - In IAX2 (CVS-head!!), pseudocode:
       - Is a username supplied?
         - Yes -> matched against iax.conf users starting bottom to top. User found?
           - Yes: is the IP in the allowed / disallowed list? Yes -> does the password match? Yes -> does the requested context match a context=... line? Then the call is accepted.
         - No -> is a password given?
           - Yes: Asterisk will look bottom to top for a user with this password. If the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny), then the call is accepted.
           - No: Asterisk will look bottom to top for a user without a password. If the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny), then the call is accepted.
  53. Add a last entry in iax.conf with no password to force nosecret access into a specific context.
     - If you use realtime, don't have any user without a password and without permit/deny.
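An added model of the slide 52 pseudocode, written for this page and not taken from chan_iax2: it walks the entry list bottom to top and shows why the passwordless catch-all entry of slide 53 accepts any host when it has no permit/deny. Entry names, secrets and networks are constructed.

```python
import ipaddress

# Constructed iax.conf-style entries in file order; Asterisk matches bottom to top.
# The last entry has no secret and no permit/deny: the nosecret catch-all from slide 53.
IAX_USERS = [
    {"name": "alice", "secret": "s3cret", "context": "internal", "permit": "192.168.1.0/24"},
    {"name": "bob", "secret": "hunter2", "context": "outgoing", "permit": "10.0.0.0/8"},
    {"name": "guest", "secret": None, "context": "demo", "permit": None},
]

def host_allowed(user, ip):
    """permit=None models an entry with no permit/deny at all, i.e. any host."""
    return user["permit"] is None or ipaddress.ip_address(ip) in ipaddress.ip_network(user["permit"])

def context_ok(user, requested):
    """A call without a requested context matches any entry."""
    return requested is None or user["context"] == requested

def iax2_auth(users, ip, username=None, secret=None, context=None):
    """Model of the slide's IAX2 pseudocode. Returns (accepted, entry name, context)."""
    for user in reversed(users):  # bottom to top
        if username is not None:
            if user["name"] != username:
                continue  # keep looking for an entry with this name
            ok = host_allowed(user, ip) and user["secret"] == secret and context_ok(user, context)
            return (ok, user["name"], user["context"]) if ok else (False, None, None)
        if secret is not None:
            match = user["secret"] == secret          # "a user with this password"
        else:
            match = user["secret"] is None            # "a user without password"
        if match and context_ok(user, context) and host_allowed(user, ip):
            return True, user["name"], user["context"]
    return False, None, None
```

With the constructed list, a call from any address with neither username nor secret lands in the demo context via the guest entry; drop the guest entry (or give it permit/deny) and the same call is rejected.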
  54. manager.conf
           [general]
           enabled = yes
           port = 5038
           bindaddr =
           [zoa]
           secret = blabla
           deny=
           permit=
           permit=
           read = system,call,log,verbose,command,agent,user
           write = system,call,log,verbose,command,agent,user
  55. manager.conf
     - No encryption is used; even the password is sent in plaintext.
     - Don't enable it on a public IP.
     - Use http://www.stunnel.org/
     - Watch out with management programs with a direct interface to the manager.
     - Limit the privileges per user (especially system!!!).
  56. Asterisk Security
     - Asterisk configuration stupidity
     - Asterisk hardening
     - Privacy protection
  57. Asterisk Hardening
     - Asterisk as non-root user
     - Asterisk in chroot
     - Asterisk in a jail
     - Asterisk with limited read / write permissions
     - Zaptel kernel modules
     - Asterisk firewalling / shaping / NAT
     - tty9
     - Linux hardening
     - Remote logging
     - Tripwire
     - Limit running system processes
  58. Asterisk as non-root user
           adduser --system --home /var/lib/asterisk --no-create-home asterisk
           chown -R asterisk:asterisk /var/lib/asterisk
           chown -R asterisk:asterisk /var/log/asterisk
           chown -R asterisk:asterisk /var/run/asterisk
           chown -R asterisk:asterisk /var/spool/asterisk
           chown -R asterisk:asterisk /dev/zap
           chown -R root:asterisk /etc/asterisk
           chmod -R u=rwX,g=rX,o= /var/lib/asterisk
           chmod -R u=rwX,g=rX,o= /var/log/asterisk
           chmod -R u=rwX,g=rX,o= /var/run/asterisk
           chmod -R u=rwX,g=rX,o= /var/spool/asterisk
           chmod -R u=rwX,g=rX,o= /dev/zap
           chmod -R u=rwX,g=rX,o= /etc/asterisk
           chown asterisk /dev/tty9
           su asterisk -c /usr/sbin/safe_asterisk
     - or: asterisk -U asterisk -G asterisk
  59. Asterisk with limited read / write permissions
     - Asterisk has no write permissions for its config files and is running as non-root?
     - In the unlikely event of someone breaking in through Asterisk, your dial plan is still vulnerable through the CLI or the manager.
  60. Asterisk in chroot
     - Changes the root directory visible to Asterisk to e.g. /foo/bar.
     - Pretty useless if Asterisk is running as root and perl or gcc is available.
  61. Asterisk in a jail
     - Changes the root directory visible to Asterisk.
     - Limits the commands / programs any user in this jail can execute to a list you specify.
     - Expansion of chroot.
  62. Zaptel kernel modules
     - Zaptel is module only; it cannot be built into the kernel.
     - Hackers like to hide in a module: they can backdoor a module, compile it, load it in memory and remove all traces on the disk.
     - You could have the kernel check an MD5 for the Zaptel modules. I think Matt Frederickson compiled them into the kernel before.
  63. Firewalling / shaping / NAT
     - Block everything except the ports you really want (5060, 4569, ...).
     - RTP ports are a big pain (see rtp.conf).
     - Sidenote: you might want to check that your ISP is not blocking anything in the range defined in rtp.conf.
  64. Limit access to tty9
     - safe_asterisk opens a console on tty9. This does not require a password and will provide a root shell to anyone passing by (by using !command on the CLI).
     - Remove the offending line, or don't use safe_asterisk.
  65. Linux Hardening
     - GRsec (2.6.x)
     - Openwall (2.4.x)
     - Remove all unneeded things.
  66. Remote logging
     - Remote syslog.
     - Put Asterisk log files (and other log files) on a remote server.
  67. Tripwire
     - Make hashes of all the important files on the server and check them for changes you didn't make.
  68. Limit server processes
     - An Asterisk server should be only OS + Asterisk: no database, no Apache, no PHP. (If you really need those and don't have enough servers, don't put them on a public IP, and firewall them!!!!)
  69. Asterisk Security
     - Asterisk configuration stupidity
     - Asterisk hardening
     - Privacy protection
  70. Asterisk privacy
     - Encryption
     - Monitoring
     - CallerID spoofing
     - CallingPRES
  71. Call Encryption - SIP
     - SRTP -> method to encrypt voice packets.
     - TLS -> method to encrypt signaling packets.
     - Both are not yet supported by Asterisk. Bounty on voip-info.org.
  72. Call Encryption – IAX2
     - 30/12/2004 2:07, Modified Files: chan_iax2.c iax2-parser.c iax2-parser.h iax2.h. Log Message: Minor IAX2 fixes, add incomplete-but-very-basically-functional IAX2 encryption. It would support any type of encryption you like.
     - -> Doesn't work yet.
  73. Call Encryption – General solution
     - Send your packets through a VPN or tunnel.
     - Use only UDP tunnels to avoid delays.
     - Known to work: IPsec, VTun, OpenVPN.
  74. Call Encryption – Tunnel solution
     - Advantage: CPU-expensive encryption can happen on a dedicated machine.
     - Disadvantage: doesn't work on hardphones or ATAs without adding an extra server in front of them.
  75. Monitoring
     - ZapBarge
     - ChanSpy
     - Monitor
     Thank you Very Much......!!! For More Information www.kingasterisk.com