SSH IT ZOMBIE
Apr 19, 2003
I won't pretend to know a lot about telephony; I could recognize a PBX if I saw one. I know what Asterisk is, and have used SIP service for my personal home phone for a multitude of years, flip-flopping between SIP ATAs and software phones.

I'll occasionally grow out the OP as needed, if there is interest.

Zoom 5801 ATA

Used this at home for a number of years.
An analog telephone adapter lets you use a regular phone (the kind you'd see at Walmart: a PSTN\POTS\RJ11\analog phone) with SIP service. This adapter works OK, but I've found that if the internet ever drops for whatever reason it doesn't reconnect to the SIP service and it has to be power cycled, which is not so great. I have not used it in a while, might be OK now.

Avaya\Nortel 1220

There's a smattering of these all over the office, some newer models. I think they can work with SIP provided an extra software license, but typically they use Avaya's CS.

CS1000

Pretty sure this is a PBX. It looks pretty old. It probably is pretty old, but it seems to be stable, we very rarely have phone issues. It's what we have in our data center. Our telephony team\phone warlocks provide me a T1 line, 24 channels, to a SIP gateway I have attached to a RightFax server. I installed\maintain RightFax, which is the extent of my involvement in anything phone related.

Plantronics CS50-USB


Wireless headset, normally works with a hardware phone, but works fine attached to a PC running SIP phone software. It's comfortable, really comfortable, and lightweight. It's also pretty old I think. It makes you sound like you're on an analog phone if you try to use it with any type of HD audio, which is one of the reasons why I wanted to post a thread. Any recommendations for single ear, wireless, lightweight, comfortable headsets that actually have good audio quality and can be used for HD audio?


Software
https://jitsi.org - Windows\Mac\Linux - this is what I use lately, pretty good.
http://www.ekiga.org - Linux\Mac\Windows

Providers
http://www.callcentric.com - Very affordably priced. Cheap DIDs. Very reliable in my experience. They also have setup instructions for a multitude of devices. I use them for my home phone. They don't support video or higher def audio codecs, though!
Gizmo5 - I used to use them back in the day. Looks like Google bought them out and it became Google Voice. I was going to post a mediocre review, does Google Voice properly support using SIP clients? Or is Google Voice another pet project Google will eventually kill off?

SSH IT ZOMBIE fucked around with this message at 20:28 on Apr 27, 2015

Super-NintendoUser
Jan 16, 2004
I'm a DCAP (DIGIUM CERTIFIED ASTERISK PROFESSIONAL). I don't work with Asterisk any more, but I'm pretty good with it, if anyone needs any Asterisk help please feel free to ask.

dpkg chopra
Jun 9, 2007
SIR FAT JONY IVES posted:

I'm a DCAP (DIGIUM CERTIFIED ASTERISK PROFESSIONAL). I don't work with Asterisk any more, but I'm pretty good with it, if anyone needs any Asterisk help please feel free to ask.

Perfect timing. I've never messed around with Asterisk but I'm thinking of maybe using it to replace our 2009 PBX-IP. It would just need to serve 5-8 IP phones most of which are going to be in the LAN and any remote phone would probably connect via VPN.

Would running Asterisk on a VM be feasible for this or am I going to want to claw my eyes out trying to configure it?

Do you recommend any particular Asterisk implementation?

sanchez
Feb 26, 2003


We've been using freepbx on a hosted VM for years, runs like clockwork unless our local ISP is having issues. Phones are all polycom 335 or random aastra models, I'd recommend the polycoms. All access to it is over VPN tunnel or whitelisted static IP, leaving asterisk open to the internet seems to lead to enough hack/abuse attempts to peg the CPU on the VM.

sanchez fucked around with this message at 20:23 on Apr 30, 2015

dpkg chopra
Jun 9, 2007
sanchez posted:

We've been using freepbx on a hosted VM for years, runs like clockwork unless our local ISP is having issues. Phones are all polycom 335 or random aastra models, I'd recommend the polycoms. All access to it is over VPN tunnel or whitelisted static IP, leaving asterisk open to the internet seems to lead to enough hack/abuse attempts to peg the CPU on the VM.

Yeah it's amazing how many horror stories you hear about people leaving their PBX exposed to the internet and finding out that it's been used as a call-center in some random Chinese province to the tune of thousands of dollars of international calls.

You'd think by now SIP providers would've learned to implement some basic fraudulent activity algorithms so they can shut down the connection when something like this happens.

One thing I've never quite understood, is forwarding ports 5060-5070 necessary for the PBX to establish a connection to the SIP provider?

theperminator
Sep 16, 2009
sanchez posted:

We've been using freepbx on a hosted VM for years, runs like clockwork unless our local ISP is having issues. Phones are all polycom 335 or random aastra models, I'd recommend the polycoms. All access to it is over VPN tunnel or whitelisted static IP, leaving asterisk open to the internet seems to lead to enough hack/abuse attempts to peg the CPU on the VM.

Yep same here, FreePBX + Polycom Soundpoint IP 331's with an IPSec tunnel to our office and VPNs for remote workers. Never had an issue and it's really easy to manage.
Would recommend.

fletcher
Jun 27, 2003
theperminator posted:

Yep same here, FreePBX + Polycom Soundpoint IP 331's with an IPSec tunnel to our office and VPNs for remote workers. Never had an issue and it's really easy to manage.
Would recommend.

Just don't use the 331's in conference rooms, the speakerphone & mic is dogshit. The IP 6000's work great for conference rooms though (I would hope so for a loving $500 phone)

adorai
Nov 2, 2002
Ur Getting Fatter posted:

One thing I've never quite understood, is forwarding ports 5060-5070 necessary for the PBX to establish a connection to the SIP provider?

No it is not.

I have multiple connections to multiple providers, all of them originate from me and are simply NATed out through my firewalls.

wolrah
May 8, 2006
Hello all, I'm just coming up on 10 years working for a hosted VoIP provider. First five years on Broadworks, last five on Asterisk, and we're currently testing Freeswitch. Glad to answer any questions I can.


Ur Getting Fatter posted:

Would running Asterisk on a VM be feasible for this or am I going to want to claw my eyes out trying to configure it?

Timing can be an issue when passing media through Asterisk (most normal configurations) in fully virtualized environments. It's not as big of a deal now with hardware virtualization support in everything, but it's still a potential concern depending on your platform. Container-based systems on the other hand work pretty well, I have a few instances of Asterisk on OpenVZ and have never had problems caused by it.

sanchez posted:

leaving asterisk open to the internet seems to lead to enough hack/abuse attempts to peg the CPU on the VM.

If you can't lock things down this tightly, for example users on DHCP home connections and such, Fail2Ban is really easy to get working with Asterisk.

Ur Getting Fatter posted:

One thing I've never quite understood, is forwarding ports 5060-5070 necessary for the PBX to establish a connection to the SIP provider?

Not necessary unless one end or the other is bad at dealing with NAT. An in-house PBX that is only used by in-house phones should not require any special firewall configuration. If external phones are involved then whatever port they connect in on will need to be forwarded. That does not necessarily have to be 5060, and I'd generally recommend that it not be if you can easily configure your phones to use an alternative. Changing the port is definitely security by obscurity, but obscurity is all you need to hide from most port scanners.

fletcher posted:

Just don't use the 331's in conference rooms, the speakerphone & mic is dogshit. The IP 6000's work great for conference rooms though (I would hope so for a loving $500 phone)

It's always funny to watch people realize why we insisted that they should get an actual conference room phone for their conference rooms. A desk phone with a speakerphone that picked up sound from every direction would be pretty terrible. The Polycoms do some nifty DSP stuff with their multiple mics to focus on the person talking, plus the G.722 codec ("HD Voice", which the 331s do not support) is so much better than G.711 if your PBX supports it.

wolrah fucked around with this message at 20:19 on May 3, 2015

SSH IT ZOMBIE
Apr 19, 2003
wolrah posted:

Hello all, I'm just coming up on 10 years working for a hosted VoIP provider. First five years on Broadworks, last five on Asterisk, and we're currently testing Freeswitch. Glad to answer any questions I can.

Out of sheer curiosity, do most VoIP providers for their own service purchase SIP trunking from a larger VoIP provider\telco? Or do they have like PRIs attached to their own SIP gateways and interface with the PSTN in-house like that?

dpkg chopra
Jun 9, 2007
wolrah posted:

Timing can be an issue when passing media through Asterisk (most normal configurations) in fully virtualized environments. It's not as big of a deal now with hardware virtualization support in everything, but it's still a potential concern depending on your platform. Container-based systems on the other hand work pretty well, I have a few instances of Asterisk on OpenVZ and have never had problems caused by it.

Thanks for the answer! What do you mean by "container-based systems"?

wolrah
May 8, 2006
SSH IT ZOMBIE posted:

Out of sheer curiosity, do most VoIP providers for their own service purchase SIP trunking from a larger VoIP provider\telco? Or do they have like PRIs attached to their own SIP gateways and interface with the PSTN in-house like that?

It varies. I don't know how large the average provider is so I can't really speak to "most", but here's my personal experience. We started as a wholesale provider where we bought the service and softswitch space from the same provider, basically doing sales and tier 1-2 support on our end. Now we run our own softswitches but we're not large enough to justify dealing with the big telcos so we get our dialtone from a variety of middle-man providers who then connect us to the big names.

It's SIP the whole way to the PSTN in most cases. If it's going to another VoIP system there's a reasonable chance it never touches the PSTN, lots of providers are interconnected in various ways. If the ones you're connected to are cooperative you can do some neat things you can't do on the PSTN, like wideband codecs or even video.

Ur Getting Fatter posted:

Thanks for the answer! What do you mean by "container-based systems"?

LXC, OpenVZ (Virtuozzo), and the like which don't actually virtualize an entire computer but instead provide what's effectively another instance of the host OS running as a user process in the host. It's less isolated, but a lot lighter weight as well so it's really nice if you need a lot of mostly identical virtual environments. The big catch here is that you don't get any choice in kernels, whatever the host runs is what you run. This means that a Linux host can't run any guests other than Linux for example, though you can get most distros going as long as they don't depend on specific kernels. Lots of things that relate to hardware will also be unchangeable, even to your "root" user, for example the system clock comes to mind.

wolrah fucked around with this message at 04:10 on May 5, 2015

invision
Mar 2, 2009
This is probably as close to a job-related thread as I'll find, so Major US Wireless Carrier Switch Tech checking in.

Ask me about MME, MGW, DACS, RNC, BSC, BTS, LSM, MML, SS7, DIAMETER, T1-OC999999, and how much I hate Reflection as a terminal emulator.

adorai
Nov 2, 2002
Is there any down side to disabling http and allowing only https on my Cisco 79xx phone in a cucm environment?

FatCow
Apr 22, 2002
SSH IT ZOMBIE posted:

Out of sheer curiosity, do most VoIP providers for their own service purchase SIP trunking from a larger VoIP provider\telco? Or do they have like PRIs attached to their own SIP gateways and interface with the PSTN in-house like that?

Smart ones will unbundle their inbound/DID purchase from their termination purchase. Having several carriers for termination and a rudimentary LCR will save money at fairly small traffic volumes.

I've built a CLEC and an ITSP, been in the industry for almost 10 years now. So I can handle questions about the facilities based carrier side of things as well as the SIP trunking provider side of things.

I'd imagine this is a long shot, but has anyone used Intelequent (fka Neutral Tandem)'s access tandem service? I'm going out there Thursday for a dog and pony show and we may home some of our LRNs behind them instead of the ILECs. SIP handoff for access tandem service is so attractive.

FatCow fucked around with this message at 03:27 on May 6, 2015

Bohemian Cowabunga
Mar 24, 2008
I am a Lync 2013 server administrator for a medium sized company with full enterprise voice and external SIP trunking for our PSTN needs.
I don't really touch the SIP side all that much but can be helpful with any questions regarding Lync administration/troubleshooting and/or delicious powershelling.

Super-NintendoUser
Jan 16, 2004
Bohemian Cowabunga posted:

I am a Lync 2013 server administrator

How much do you drink per day?

Bohemian Cowabunga
Mar 24, 2008
SIR FAT JONY IVES posted:

How much do you drink per day?

Don't mention the war :suicide:

Super-NintendoUser
Jan 16, 2004
Bohemian Cowabunga posted:

Don't mention the war :suicide:

One of my absolute favorite IT stories is from when I was in an airport shuttle from the airport in Seattle. A guy gets on the shuttle and stands next to me, he's wearing an OCS shirt. I ask him if he worked for Microsoft, and if he was a developer for Lync, he says he used to be, but when HP decided to use Lync MS just sort of gave him to them, so now all he does is manage HP's Lync installation, but he used to be a developer for the platform. He asked if I was a Lync admin, I mentioned that I was working on a big roll out with a customer now. He looked me in the eyes, and said "I'm really sorry, I really am." Then we both looked down at our feet in silence until the bus stop.

Bohemian Cowabunga
Mar 24, 2008
Hahaha, yeah that says a lot. Wanna simultaneously slap the guy and buy him a beer.
Here's to them fixing major bugs and annoying quirks that have been present in the product for years in ~~ Skype For Business ~~ they won't

wolrah
May 8, 2006
FatCow posted:

Smart ones will unbundle their inbound/DID purchase from their termination purchase. Having several carriers for termination and a rudimentary LCR will save money at fairly small traffic volumes.

Very true. When we were on the platform where we had to buy the service from the host we got absolutely :a2m: on outbound. At the start it was all Level3 in and out so we justified it to ourselves as being expensive but good, then the host decided they wanted to sell to Comcast and started doing LCR to anyone who'd sell them termination to boost their profit margins at a massive impact to service quality. They did reinvites and had us talking directly to the termination provider so it made it pretty easy to see what was happening and start making plans to GTFO.

Related tip: Never let a service provider find out you're leaving until you're ready to move. Getting a letter on Wednesday that says your service will cease on Friday and having to move 1500 extensions across 100 or so customers in 48 hours is an insane experience. The entire company should have been sponsored by Five Hour Energy for the next week, we went through enough of it.

Super-NintendoUser
Jan 16, 2004
Bohemian Cowabunga posted:

Hahaha, yeah that says a lot. Wanna simultaneously slap the guy and buy him a beer.
Here's to them fixing major bugs and annoying quirks that have been present in the product for years in ~~ Skype For Business ~~ they won't

My experience with Lync was really bad, since I had a customer, maybe 100 users, tell me they want to deploy Lync 2010. I had never done that before, but I told my boss (I was a consultant) and he said "good, just figure it out and charge them per hour." I asked if we could farm it out and I was told no. So I got a bunch of books on Lync, and spent a week reading them and setting up some VMs to learn it. The worst part was that I kept finding out you need to buy more things to get more functions. You need Lync, then a Lync Front End Server, then a TMG server, etc. It was bad because I kept having to tell my manager, and then the customer, that we needed to buy more licenses and servers (they refused to virtualize anything). They were getting increasingly upset at me (both my manager and the customer) since I was sinking so much time and money into it. But I knew nothing about it, so what else was I supposed to do? Finally I had it 90% working, except the mobile client, and I begged my manager to let me hire out and get a couple hours with someone that could help.

He agreed, and eventually I got a guy to remote in and check it out. Turns out my SSL Cert was incorrect, fixed that, and it all worked fine.

Then I got it working with Asterisk, which was also a nightmare.

EDIT:

My advice for anyone working with Asterisk and SIP:

Learn to use Wireshark, and learn to read a SIP trace. Figure out how to do tcpdump on your server and just snatch a few minutes of calls and decode it. Get really familiar with what a good SIP session looks like. And then do weird things, like hang up one end while leaving the other end up, be silent on a call for a minute, drop a call from the console, unplug a phone in the middle of a call, etc, and see what it does.

My biggest problem in the world of Asterisk is providers that don't know how to troubleshoot their SIP trunks, because their people don't get what SIP packets look like and should do. If I have calls drop after a minute, and I clearly see your server send me a GOODBYE, then clearly something is odd on your end.

When users complain about "calls sounding bad", which they will, learn to calmly and politely ask them to explain specifically what happened. Echo? Feedback? Static? Did you both hear it, or just one side? Was the call inbound/outbound? What DID specifically did the caller dial to get in, what did you dial out? For users that were really problematic, but I couldn't figure out what the problem was, I would get them a little notebook and leave it next to their phone and ask them to write down as soon as there was a problem, all the details, so I could get a really good handle on it.

Next is to learn how to handle carriers. I was forever calling Broadview or Paetec about a PRI having issues, and they'd say "oh, it looks fine from here." So I'd unplug the cable from the smart jack or power off the IAD and say "does it look good now?" and if they said "sure, I don't see any change," I'd immediately ask for their manager since there's no way you are doing anything. This guaranteed me results. Also keep detailed call records of problem calls, since most carriers can only access the last 24 hours of call records to see what happened.

If we are in an anecdote mood, I have several stories about crazy clients with VOIP problems making me want to kill myself.

One that comes to mind is after a roll out of Aastra 57i's to a client, a guy called in complaining his phone wouldn't stop ringing. He had called on his cell phone so I could hear it. Sure enough his phone is just ringing over and over. But the volume is modulating, quiet, loud, quiet, loud. He's furious. I'm stumped, but I ask him "sorry, but this is a stupid question but are you just hitting the volume up and down keys over and over?"

And he says "YES THATS THE PROBLEM WHEN I HIT THEM THE PHONE RINGS"

He's furious, so I tell him those are volume keys, so stop pressing them and it will stop ringing.

He does, it gets quiet, and he says "that's nonsense" and hangs up.

Super-NintendoUser fucked around with this message at 14:31 on May 6, 2015

wolrah
May 8, 2006
SIR FAT JONY IVES posted:

EDIT:

My advice for anyone working with Asterisk and SIP:

This is a very good post. SIP is a largely plaintext protocol like HTTP (in fact if you're familiar with HTTP you'll feel right at home with authentication and response codes) so it's pretty close to human readable as-is, but Wireshark's decoders make quick work of the rest and let you easily filter down to what you're looking for. It's also quite true that the providers are often useless to solve their own problems unless you're prepared to provide captures and occasionally back them up with RFCs to prove they're doing it wrong.

quote:

One that comes to mind is after a roll out of Aastra 57i's to a client, a guy called in complaining his phone wouldn't stop ringing. He had called on his cell phone so I could hear it. Sure enough his phone is just ringing over and over. But the volume is modulating, quiet, loud, quiet, loud. He's furious. I'm stumped, but I ask him "sorry, but this is a stupid question but are you just hitting the volume up and down keys over and over?"

And he says "YES THATS THE PROBLEM WHEN I HIT THEM THE PHONE RINGS"

He's furious, so I tell him those are volume keys, so stop pressing them and it will stop ringing.

He does, it gets quiet, and he says "that's nonsense" and hangs up.

I have had literally the same conversation with people before. How they never manage to put two and two together is mind-boggling.

BaseballPCHiker
Jan 16, 2006
I'm going to have to help oversee a VOIP rollout for my current company of about 200 users in our central office and another 200 scattered all over the country. I have little to no telephony experience besides being on the periphery of a Lync 2013 rollout that did not go smoothly at all. So far I'm trying to just figure out precisely what the company needs and wants, how many concurrent calls we would plan to have at peak, and building in redundancy. Redundancy more than anything is important to this company. The POTS system we have has been rock solid but is old and out of support. We can't get new parts for it so it's definitely time to move on.

dpkg chopra
Jun 9, 2007
SIR FAT JONY IVES posted:

If we are in an anecdote mood, I have several stories about crazy clients with VOIP problems making me want to kill myself.

Please do.

Thanks Ants
May 21, 2004
Can anyone recommend a decent UK Broadcloud reseller aimed at SMB clients? I want to use Polycom VVX handsets and for some insane reason this company of like 30 people wants hot desking to work :wtc:

fletcher
Jun 27, 2003
At work they are trying out a new conference room setup with zoom.us, an iPad, and a Logitech cc3000e. It seems pretty slick so far, the audio on the Logitech sounds great.

madsushi
Apr 19, 2009
I spent several years working with ShoreTel (and have whatever their certs are) if anyone has any questions. I am sorry to say that I am the guy that just stripped the heads off of spare CAT5 cables and punched them down in your demarc instead of getting actual phone wire.

Thanks Ants
May 21, 2004
fletcher posted:

At work they are trying out a new conference room setup with zoom.us, an iPad, and a Logitech cc3000e. It seems pretty slick so far, the audio on the Logitech sounds great.

In a discussion about this in another thread the Lifesize Icon Flex was mentioned, which looks like a decent step up from the Logitech but keeping a non-insane price point.

dpkg chopra
Jun 9, 2007
So is there any way to have a secure SIP communication or is SIP inherently weak?

If not SIP, what's the closest thing to a secure protocol for voice comms?

wolrah
May 8, 2006
madsushi posted:

I am sorry to say that I am the guy that just stripped the heads off of spare CAT5 cables and punched them down in your demarc instead of getting actual phone wire.

Wait, is there something wrong with that? I always figured Cat5 is basically high quality phone cable when used like that.

Ur Getting Fatter posted:

So is there any way to have a secure SIP communication or is SIP inherently weak?

If not SIP, what's the closest thing to a secure protocol for voice comms?

What kind of threats are you concerned about? SIP certainly isn't inherently insecure, but it is really easy to configure some SIP devices to operate in insecure ways.

FatCow
Apr 22, 2002
Ur Getting Fatter posted:

So is there any way to have a secure SIP communication or is SIP inherently weak?

If not SIP, what's the closest thing to a secure protocol for voice comms?

SIP can be sent over TLS. If the SIP is encrypted the RTP can be encrypted as well.

Keep in mind nothing is encrypted once you get past the customer/provider relationship. All carriers hand off plaintext to each other.

dpkg chopra
Jun 9, 2007
wolrah posted:

Wait, is there something wrong with that? I always figured Cat5 is basically high quality phone cable when used like that.


What kind of threats are you concerned about? SIP certainly isn't inherently insecure, but it is really easy to configure some SIP devices to operate in insecure ways.

I don't know, I imagine that there are three possible attack vectors:

1) Malware at a Router/PBX level. Nothing you can do about this, if you're infected and something is scanning your packets before they leave your network then you're hosed short of tunnelling all your traffic per-device via a VPN.

2) Someone is intercepting your traffic after it leaves your network but before it gets to your provider. Like at the DSLAM, for example.

3) Someone is intercepting your traffic at the VOIP provider, maybe even the VOIP provider itself.

Scenario 1) comes down to how secure your own network is, so I'm interested if there's any way to protect yourself against scenarios 2) and 3).

Edit: this sounds like I'm worried the NSA is spying on me or something. I'm not (or, more accurately, I have no doubts that if the NSA wanted to listen in on my conversations they could), I'm just curious about this at a theoretical level.

dpkg chopra fucked around with this message at 16:44 on May 7, 2015

wolrah
May 8, 2006
Your #1 and #2 concerns can be mitigated by using standard encryption technologies. SIP over TLS plus Secure RTP will get you encryption from any modern endpoint to any modern PBX.

#3, there's nothing you can do there except trust your provider or run your own. Wherever you interface with the PSTN is going to be in the clear no matter what, but if you're running your own box(es) you can do secure direct SIP links to anyone else you feel the need to have protected conversations with.

Super-NintendoUser
Jan 16, 2004
One of the biggest insecurities of SIP is just a pretty simple brute force attack.

Essentially, when a malicious SIP attack happens, the attacker first brute forces extension numbers, so he starts at 100, then 101, 102, etc. Most SIP servers will respond "invalid extension" for ones that don't exist, but then when they hit a valid extension, the SIP server responds "OK, what's the password?" Then they know they have a valid username, and can brute force the extension password.

You can configure the server to respond "invalid extension" or not respond at all to an invalid extension if they don't have the right password in the initial AUTH; that way the attacker never gets through step 1 of brute forcing a valid username.

HOWEVER

All this is mitigated if you install FAIL2BAN. If you don't have that on your Asterisk box DO IT NOW. This daemon will troll log files of everything, not just SIP, for failed authentications. You point it to a log file, tell it what the failures look like in the log, and then it will count the occurrences of that string, and if it hits a threshold, usually five or six, it'll automatically add an iptables rule to block that IP address.

Go, install it now, I'll wait.

The law is written in such a way that the end user, not the Telco that gives them the SIP service, is responsible for their security. So if someone hacks your box (which will be attempted) and makes a million international calls outbound, YOU are responsible for the charges. So secure your system.
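The counting logic the post above describes, as an added example that is not from the thread or from Fail2Ban itself: it runs over constructed Asterisk chan_sip-style "Registration ... failed" log lines, counts failures per source address inside a sliding window the way a Fail2Ban jail's findtime/maxretry pair does, and separately flags sources that swept several nonexistent extensions. The log lines, the addresses in them, the thresholds and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of Asterisk chan_sip NOTICE lines for failed
# registrations; not captured from a real system. 203.0.113.5 walks extensions
# 100, 101 (unknown) and then 102 (known, wrong password), the pattern the post
# describes; 192.0.2.44 is two failures half an hour apart, i.e. a user typo.
SAMPLE_LOG = """\
[2015-05-07 12:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.10>' failed for '203.0.113.5:5060' - No matching peer found
[2015-05-07 12:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@198.51.100.10>' failed for '203.0.113.5:5060' - No matching peer found
[2015-05-07 12:00:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@198.51.100.10>' failed for '203.0.113.5:5060' - Wrong password
[2015-05-07 12:00:04] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@198.51.100.10>' failed for '203.0.113.5:5060' - Wrong password
[2015-05-07 12:00:05] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@198.51.100.10>' failed for '203.0.113.5:5060' - Wrong password
[2015-05-07 12:00:06] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@198.51.100.10>' failed for '192.0.2.44:5060' - Wrong password
[2015-05-07 12:30:00] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@198.51.100.10>' failed for '192.0.2.44:5060' - Wrong password
"""

# Timestamp, the From header as logged, the source address and the failure reason.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<frm>.*?)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)


def _events(log_text):
    """Yield (timestamp, source ip, username tried, reason) for each failure line."""
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user = re.search(r"sip:([^@>]+)@", m["frm"])
        yield ts, m["ip"], (user.group(1) if user else ""), m["reason"]


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for every source that produced maxretry failures
    within any findtime window. These are the two knobs a Fail2Ban jail exposes;
    a real daemon tails the log instead of reading it whole."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = {}
    for ts, ip, _user, _reason in _events(log_text):
        if ip in banned:          # once blocked, later lines would never reach us
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures that have aged out
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def enumeration_sources(log_text, min_distinct=3):
    """Sources that tried at least min_distinct different extensions which do not
    exist on the box: the 100, 101, 102... sweep described in the post, which
    shows up as repeated "No matching peer found" lines from one address."""
    tried = defaultdict(set)
    for _ts, ip, user, reason in _events(log_text):
        if reason == "No matching peer found":
            tried[ip].add(user)
    return {ip: len(users) for ip, users in tried.items() if len(users) >= min_distinct}


def block_rule(ip):
    """The iptables rule a Fail2Ban action inserts for a banned address."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when}: {block_rule(ip)}")
    print("enumerating sources:", enumeration_sources(SAMPLE_LOG, min_distinct=2))
```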

Bohemian Cowabunga
Mar 24, 2008
We are talking with a software house that might develop some application that you can call into and punch some numbers.
VoiceXML was mentioned, anyone that has experience with that?

wolrah
May 8, 2006
SIR FAT JONY IVES posted:

All this is mitigated if you install FAIL2BAN. If you don't have that on your Asterisk box DO IT NOW.

Can't repeat this enough. Just looking at one of my servers Fail2Ban has blocked over 3000 different attacks today. It's like having bullet-proof glass in that it won't stop everything but it'll stop a lot.

Something that can reduce this significantly is moving your SIP port off of 5060. This is sort of "security through obscurity" but in the case of bulk scanners obscurity often works. If you're doing config file based provisioning rather than manually programming phones it's no extra work for anyone and only the shittiest of endpoints will have problems with it.


Another potential vulnerability (which is in no way specific to VoIP but can scale a lot larger a lot easier in a VoIP environment) can occur if your system allows users to forward their calls from voicemail. A user with a DID and international calling privileges + a weak password + no per-user call limit = hope you like paying for calls to Derpistan. We had a few big ones like that when we were on Broadsoft, but when we changed to Asterisk we realized there were only a half dozen or so legitimate users of that feature so we just told them it was no longer available.


edit: Also a lot of SIP servers support randomly auto-generating passwords that are usually long hex strings. If your platform can do this, use it. Fail2Ban might not get a chance to do its job if you have a common extension (as noted the scanners often start at 1000) and the password is weak. Alphanumeric "extensions" also help, but these are not commonly used since direct SIP calling has never caught on and they end up having to map to a number for most people to use anyways.

wolrah fucked around with this message at 19:22 on May 7, 2015

Super-NintendoUser
Jan 16, 2004
Bohemian Cowabunga posted:

We are talking with a software house that might develop some application that you can call into and punch some numbers.
VoiceXML was mentioned, anyone that has experience with that?

Asterisk is what most people would use. I've configured a lot of asterisk systems people can call into and punch numbers. It can do pretty much anything you'd ever want. This is a double edged sword, since it does EVERYTHING, so it's hard to define exactly what you want.

Super-NintendoUser
Jan 16, 2004
wolrah posted:

edit: Also a lot of SIP servers support randomly auto-generating passwords that are usually long hex strings. If your platform can do this, use it. Fail2Ban might not get a chance to do its job if you have a common extension (as noted the scanners often start at 1000) and the password is weak. Alphanumeric "extensions" also help, but these are not commonly used since direct SIP calling has never caught on and they end up having to map to a number for most people to use anyways.

Wait, so PASSWORD=extension isn't a good idea? What if the extension is a three digit number. That's 999 possible options. How can a computer possibly hack that?
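An added example, not from the thread or from Asterisk, that ties together the brute-force post (alwaysauthreject), wolrah's advice on long random hex secrets and a non-default port, the SIP over TLS plus SRTP answer, and the "password = extension" joke above: a small Python audit of a chan_sip-style sip.conf that reports those weak settings beside a peer configured the recommended way. The sip.conf fragment is constructed, the minimum secret length is this example's own choice, and the option names used are chan_sip's (alwaysauthreject, port, secret, transport, encryption).

```python
import re
import secrets

# Constructed sip.conf fragment in chan_sip's INI-like syntax (not from any real
# deployment). [100] is the "secret equals the extension" anti-pattern joked about
# above; [101] is configured the way the thread recommends.
SAMPLE_SIP_CONF = """\
[general]
context=default
port=5060
alwaysauthreject=no

[100]
type=friend
secret=100            ; password == extension
host=dynamic
context=internal

[101]
type=friend
secret=9f3c2b7a4e1d8c6b5a0f7e2d1c9b8a73
host=dynamic
context=internal
transport=tls
encryption=yes
"""

SECTION = re.compile(r"^\[([^\]]+)\]")   # [name] or [name](template) -> name
MIN_SECRET_LEN = 16                        # assumption: shorter than an auto-generated hex string


def parse_sip_conf(text):
    """Parse sip.conf into {section: {key: value}}; a later duplicate key wins,
    ';' starts a comment, and both 'key=value' and 'key => value' are accepted."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.lstrip(">").strip()
    return sections


def audit_sip_conf(text):
    """Return (section, finding) pairs for the weaknesses discussed in the thread."""
    sections = parse_sip_conf(text)
    findings = []
    general = sections.get("general", {})
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes': unknown and known "
                         "extensions are rejected differently, so a scanner can tell them apart"))
    if general.get("port", "5060") == "5060":
        findings.append(("general", "SIP listens on the default port 5060; bulk scanners look there first"))
    for name, opts in sections.items():
        if opts.get("type") not in ("friend", "peer", "user"):
            continue                              # [general] and non-endpoint sections
        secret = opts.get("secret", "")
        if not secret:
            findings.append((name, "no secret set"))
        elif secret == name:
            findings.append((name, "secret equals the extension number"))
        elif secret.isdigit() or len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short or all-numeric secret; use a long random hex string"))
        if opts.get("transport", "udp").lower() != "tls":
            findings.append((name, "signalling is not over TLS"))
        if opts.get("encryption", "no").lower() != "yes":
            findings.append((name, "SRTP (encryption=yes) not enabled, so media is in the clear"))
    return findings


def suggest_secret(nbytes=16):
    """A random hex secret like the ones many SIP servers can auto-generate."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
    print("example replacement secret:", suggest_secret())
```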

n0tqu1tesane
May 7, 2003
Oh, hey, an IPT thread.

I should finish my CCNP Voice/CCNP Collaboration this week, and have been working with CUCM for almost 8 years now.

Asterisk has interested me for a while, just never had any opportunity to mess with it.
