Kamailio v5.3 and MySQL 8

As installed on Ubuntu 19.10, Kamailio v5.3 will not work out of the box with MySQL 8 due to changes in the way in which users are created and privileges granted between MySQL 5.x and 8.

To fix this, edit /usr/lib/x86_64-linux-gnu/kamailio/kamctl/kamdbctl.mysql as follows:

# diff /usr/lib/x86_64-linux-gnu/kamailio/kamctl/kamdbctl.mysql.orig  /usr/lib/x86_64-linux-gnu/kamailio/kamctl/kamdbctl.mysql
163,164c163,166
<       sql_query "" "GRANT ALL PRIVILEGES ON $1.* TO '${DBRWUSER}'@'$DBHOST' IDENTIFIED BY '$DBRWPW';
<               GRANT SELECT ON $1.* TO '${DBROUSER}'@'$DBHOST' IDENTIFIED BY '$DBROPW';"
---
>       sql_query "" "CREATE USER '$DBRWUSER'@'$DBHOST' IDENTIFIED BY '$DBRWPW';
>                     CREATE USER '$DBROUSER'@'$DBHOST' IDENTIFIED BY '$DBROPW';
>               GRANT ALL PRIVILEGES ON $1.* TO '${DBRWUSER}'@'$DBHOST';
>               GRANT SELECT ON $1.* TO '${DBROUSER}'@'$DBHOST';"
172,173c174,177
<               sql_query "" "GRANT ALL PRIVILEGES ON $1.* TO '$DBRWUSER'@'localhost' IDENTIFIED  BY '$DBRWPW';
<                       GRANT SELECT ON $1.* TO '$DBROUSER'@'localhost' IDENTIFIED BY '$DBROPW';"
---
>               sql_query "" "CREATE USER '$DBRWUSER'@'localhost' IDENTIFIED BY '$DBRWPW';
>                               CREATE USER '$DBROUSER'@'localhost' IDENTIFIED BY '$DBROPW';
>                       GRANT ALL PRIVILEGES ON $1.* TO '$DBRWUSER'@'localhost';
>                       GRANT SELECT ON $1.* TO '$DBROUSER'@'localhost';"
181,182c185,188
<               sql_query "" "GRANT ALL PRIVILEGES ON $1.* TO '$DBRWUSER'@'$DBACCESSHOST' IDENTIFIED  BY '$DBRWPW';
<                       GRANT SELECT ON $1.* TO '$DBROUSER'@'$DBACCESSHOST' IDENTIFIED BY '$DBROPW';"
---
>               sql_query "" "CREATE USER '$DBRWUSER'@'$DBACCESSHOST' IDENTIFIED BY '$DBRWPW';
>                             CREATE USER '$DBROUSER'@'$DBACCESSHOST' IDENTIFIED BY '$DBROPW';
>                       GRANT ALL PRIVILEGES ON $1.* TO '$DBRWUSER'@'$DBACCESSHOST';
>                       GRANT SELECT ON $1.* TO '$DBROUSER'@'$DBACCESSHOST';"

The above worked fine for me but do note:

  • Make sure the database and users do not already exist on the database (or delete them if they do).
  • Use a different username for the read-only and read-write users.
  • MySQL 8 has a bug so issue FLUSH PRIVILEGES if you have trouble manually removing a user.

Monitoring Asterisk via SNMP (with OSS_SNMP)

Over on the company blog, we just announced that we committed a complete Asterisk MIB implementation to OSS_SNMP in addition to a proof of concept Asterisk wallboard to NOCtools which includes active channels, uptime, version information and more.

Full details are on the company post but here’s a snippet of how easy it is to query Asterisk over SNMP:

 $host = new \OSS_SNMP\SNMP( $asteriskIP, $community );
 echo "Asterisk version: " . $host->useAsterisk()->version();
 echo "Active calls: " . $host->useAsterisk()->callsActive();
 echo "Calls processed: " . $host->useAsterisk()->callsProcessed();

And here’s a screenshot of the proof of concept Asterisk wallboard:

[NOCtools Asterisk Wallboard]
NOCtools – Asterisk Wallboard

Asterisk with SS7 via Wanpipe, Dahdi and libss7 – with ISUP SAM support

A howto on installing Asterisk with SS7 supported via libss7 on Sangoma hardware along with support for ISUP SAM messages.

After much head banging in bringing up an SS7 link with SAM support, I am documented what worked here.

Firstly, what is SAM support? One end of an SS7 link initialises a new call by sending an Initial Address Message (IAM). All SS7 software stacks support this and usually it’s enough. One case where it’s not enough is when one wants to address a phone number with more than the E.164 standard max length of 16  (usually to pass additional information tacked on the start, end of or even replacing an A or B number). In this scenario, SS7 uses a Subsequent Address Message (SAM) to send the additional digits. Most / all mainstream Asterisk SS7 software stacks do not support this.

The platform and software used is as follows:

  • Ubuntu 10.04 LTS standard CLI install;
  • dahdi-linux-complete-2.4.0 from the archives (direct link);
  • a patched version of libss7 supporting SAM via SVN (see below);
  • a patched version of chan-dahdi via SVN (see below);
  • Asterisk 1.6.0.28 from the archives (direct link);
  • Asterisk Addons 1.6.0.6 from the archives (direct link);
  • Sangoma Wanpipe 3.5.24 (direct link).

Yes, I know some of the above are obsolete. Unfortunately it’s what’s required for everything to play nicely together. And, guess what, it works!

Before You Start

Ensure you have all the necessary packages for building the packages:

apt-get install build-essential libnewt-dev subversion    \
   libsqlite3-dev libsnmp-dev bison libtool flex          \
   autoconf2.13 libmysqlclient-dev

You can assume the working directory is /usr/local/src in the following.

Installing dahdi-linux-complete

Download and extract dahdi-linux-complete into /usr/local/src. Then, in the same directory, create some symbolic links:

ln -s dahdi-linux-complete-2.4.0+2.4.0/linux dahdi-linux
ln -s dahdi-linux-complete-2.4.0+2.4.0/tools dahdi-tools

Now build dahdi-linux:

cd dahdi-linux
make
make install

Now move onto dahdi-tools:

cd dahdi-tools
./configure
make menuconfig # (and select tools or accept defaults)
make
make install
make config

Installing libss7

There is a patched version of Digium’s libss7 referred to as Attila’s libss7 available via SVN. Download and install it:

svn co https://observer.router.hu/repos_pub/libss7/trunk alibss7
cd alibss7
make
make install

Installing Asterisk

Download and extract the Asterisk 1.6.0.28 package reference above.

cd asterisk-1.6.0.28

Now this next bit is very important and easy to miss – you also need a patched version of chan_dahdi.c that is compatible with the patched version of libss7. This is also available from SVN:

svn co https://observer.router.hu/repos_pub/chan_dahdi/trunk achan_dahdi

Then copy it to your Asterisk source:

cp achan_dahdi/chan_dahdi.c asterisk-1.6.0.28/channels/chan_dahdi.c

Now continue with the Asterisk installation:

./configure
make menuconfig
make
make install
make samples
make config

Install Asterisk Addons (optional)

Download and unpack the above referenced add ons package and build and install:

cd asterisk-addons-1.6.0.6
./configure
make menuconfig
make
make install
make samples

Sangoma Wanpipe

I’m using one of Sangoma’s E1 / T1 interface cards and so I need Wanpipe also. I’m using version 3.5.24 and preceed as follows after unpacking:

cd wanpipe-3.5.24./Setup install

During the install, follow these prompts:

  • select option 2 => Asterisk/Dahdi Support;
  • enter path /usr/local/src/dahdi-linux (for Zaptel path prompt);
  • select defaults for everything else;
  • you DO want to install start-up scripts;
  • you DO to configure wanpipe devices for DAHDI;
  • you DO want to generate /etc/asterisk/chan_dahdi.conf and:
    • select E1 / T1 as appropriate;
    • select line framing and encoding;
    • choose clock source;
    • select Zaptel/Dahdi – PRI CPE as signalling;
    • select National ISDN 2 as switch type;
    • do not enable hardware DTMF detection;
    • use all channels;
    • select dial plan context as appropriate;
  • and continue for other ports as necessary;
  • finally, choose Save cfg: Stop Asterisk & Wanpipe now
  • you would like wanrouter to start on system boot;
  • and you would like to execute ‘dahdi_cfg’ each time wanrouter starts.

Configuration Steps

We now need to set various options in Wanpipe, Dahdi and Asterisk for SS7 as it’s PRI/ISDN by default.

Edit all /etc/wanpipe/wanpipeX.conf files as necessary and change:

 TDMV_DCHAN              = 16

to

TDMV_DCHAN              = 0

Now edit /etc/dahdi/system.conf and change (for example):

span=1,1,0,ccs,hdb3,crc4
bchan=1-15,17-31
echocanceller=mg2,1-15,17-31
hardhdlc=16

to

span=1,1,0,ccs,hdb3,crc4
bchan=2-31
echocanceller=mg2,2-31
mtp2=1

which of course assumes signalling is on channel 1. If you have voice only links, you might need something like:

span=1,0,0,ccs,hdb3,crc4bchan=1-31
echocanceller=mg2,2-31

Lastly, we need to configure Asterisk. Replace lines such as:

;Sangoma A102 port 1 [slot:4 bus:5 span:1]
switchtype=national
context=from-pstn
group=0
echocancel=yes
signalling=pri_cpe
channel =>1-15,17-31

with an appropriate configuration. Mine follows below with some edits and some important notes at the end:

;Sangoma A102 port 1 [slot:4 bus:5 span:1]
switchtype=national
context=from-pstn
group=0
echocancel=yes

signaling=ss7
ss7type=itu
ss7_called_nai=dynamic
ss7_calling_nai=dynamic
ss7_internationalprefix=00
ss7_nationalprefix=0
ss7_subscriberprefix=
ss7_unknownprefix=
linkset=1
pointcode=1
adjpointcode=2
defaultdpc=3
networkindicator=national_spare
cicbeginswith=2
channel=2-31
sigchan=1
  • Set pointcode, adjpointcode and defaultdpc as appropriate;
  • set networkindicator as appropriate and ensure it matches the other end (you can see what you’re being sent and what you’re sending via ss7 debug;
  • cicsbeginwith is normally 1 but the telco on my end are starting at 2 – this was groping in the dark diagnostics and issues such as no audio, CICs not in service when both sides claim they are, etc may point to misaligned CICs;
  • make sure you have configured from-pstn or the appropriate context in yourextensions.conf.

Confirming Your Link Is Up

Now start wanrouter (/etc/init.d/wanrouter start); dahdi (/etc/init.d/dahdi start); and Asterisk (/etc/init.d/asterisk start). You should see your link come up via logs available with the dmesg command. Launch the Asterisk console and check the status of your links:

ast-deg1-1*CLI> ss7 show cics 1
  CIC   DPC  DAHDI        STATE   BLOCKING
    2    3      2         Idle
    3    3      3         Idle
    4    3      4         Idle
    5    3      5         Idle
    6    3      6         Idle
    7    3      7         Idle
    8    3      8         Idle
    9    3      9         Idle
   10    3     10         Idle
   11    3     11         Idle
   12    3     12         Idle
   13    3     13         Idle
   14    3     14         Idle
   15    3     15         Idle
   16    3     16         Idle
   17    3     17         Idle
   18    3     18         Idle
   19    3     19         Idle
   20    3     20         Idle
   21    3     21         Idle
   22    3     22         Idle
   23    3     23         Idle
   24    3     24         Idle
   25    3     25         Idle
   26    3     26         Idle
   27    3     27         Idle
   28    3     28         Idle
   29    3     29         Idle
   30    3     30         Idle
   31    3     31         Idle

You should now be okay to make test calls.

Do You Need Professional Support / Consultancy?

While I will try to respond to comments and questions on this blog, I don’t have the time to provide one on one assistance pro-bono. Professional consultancy on Asterisk and SS7 is available worldwide through my company, Open Solutions with contact details here.

References

For posterity, I have added Domjan Attila patched libss7 and chan_dahdi to GitHub:

Asterisk SIP Brute Force Attacks on the Rise

See my article on the company blog for a discussion on this, and a how to on using Fail2ban to help stop these attacks.

SIP Brute Force Attacks on the Increase

On our own Asterisk PBX server for our office and on some customer boxes with open SIP ports, we have seen a dramatic rise in brute force SIP attacks.

They all follow a very common pattern – just over 41,000 login attempts on common extensions such as 200, 201, 202, etc. We were even asked to provide some consultancy about two weeks ago for a company using an Asterisk PBX who saw strange (irregular) calls to African countries.

They were one example of such a brute force attack succeeding because of a common mistake:

  1. an open SIP port with:
  2. common extensions with:
  3. a bad password.

(1) is often unavoidable. (2) can be mitigated by not using the predictable three of four digit extension as the username. (3) is inexcusable. We’ve even seen entries such as extension 201, username 201, password 201. The password should always be a random string mixing alphanumeric characters. A good recipe for generating these passwords is to use openssl as follows:

openssl rand -base64 12

Users should never be allowed to choose their own and dictionary words should not be chosen. The brute force attack tried >41k common passwords.

Preventing or Mitigating These Attacks

You can mitigate against these attacks by putting external SIP users into dedicated contexts which limit the kinds of calls they can make (internal only, local and national, etc); ask for a PIN for international calls; limit time and cost; etc.

However, the above might be a lot of work when simply blocking users after a number of failed attempts can be much easier and more effective. Fail2ban is a tool which can scan log files like /var/log/asterisk/full and firewall IP addresses that makes too many failed authentication attempts.

See VoIP-Info.org for generic instructions or below for a quick recipe to get it running on Debian Lenny.

Quick Install for Fail2ban with Asterisk SIP on Debian Lenny

  1. apt-get install fail2ban
  2. Create a file called /etc/fail2ban/filter.d/asterisk.conf with the following (thanks to this page):
  3. Put the following in /etc/fail2ban/jail.local:
  4. Edit /etc/asterisk/logger.conf such that the date format under [general]reads:
    dateformat=%F %T
  5. Also in /etc/asterisk/logger.conf, ensure full logging is enable with a line such as the following under [logfiles]:
    full => notice,warning,error,debug,verbose
  6. Resart / reload Asterisk
  7. Start Fail2ban: /etc/init.d/fail2ban startand check:
    • Fail2ban’s log at /etc/log/fail2ban.logfor:
      INFO   Jail 'asterisk-iptables' started
    • The output of iptables --list -vfor something like:
      Chain fail2ban-ASTERISK (1 references)
       pkts bytes target     prot opt in     out     source               destination
        227 28683 RETURN     all  --  any    any     anywhere             anywhere

You should now receive emails (assuming you replaced the example addresses above with your own and your MTA is correctly configured) when Fail2ban starts or stops and when a host is blocked.

chan_ss7, pcap files and 64bit machines

UPDATE: April 29th 2008

Anders Baekgaard of Dicea ApS (current chan_ss7 maintainers) recommends the following alternative patch. Please note that mtp3d.c will also need to be patched in the same way:

--- chan_ss7.c~ 2008-04-03 09:23:56.000000000 +0200
+++ chan_ss7.c  2008-04-29 08:29:20.000000000 +0200
@@ -249,11 +249,12 @@

 static void dump_pcap(FILE *f, struct mtp_event *event)
 {
+  unsigned int sec  = event->dump.stamp.tv_sec;
   unsigned int usec  = event->dump.stamp.tv_usec - 
     (event->dump.stamp.tv_usec % 1000) +
     event->dump.slinkno*2 + /* encode link number in usecs */
     event->dump.out /* encode direction in/out */;

-  fwrite(&event->dump.stamp.tv_sec, sizeof(event->dump.stamp.tv_sec), 1, f);
+  fwrite(&sec, sizeof(sec), 1, f);
   fwrite(&usec, sizeof(usec), 1, f);
   fwrite(&event->len, sizeof(event->len), 1, f); /* number of bytes of packet in file */
   fwrite(&event->len, sizeof(event->len), 1, f); /* actual length of packet */

END UPDATE: April 29th 2008

A quickie for the Google trolls:

While trying to debug some SS7 Nature of Address (NAI) indication issues, I needed to use chan_ss7’s ‘dump’ feature from the Asterisk CLI. It worked fine but the resultant pcap files always failed with messages like:

# tshark -r /tmp/now
tshark: "/tmp/now" appears to be damaged or corrupt.
(pcap: File has 409000-byte packet, bigger than maximum of 65535)

After much digging about and head-against-wall banging, I discovered the issue
is with the packet header in the pcap file. It’s defined by its spec to be:

typedef struct pcaprec_hdr_s {
        guint32 ts_sec;         /* timestamp seconds */
        guint32 ts_usec;        /* timestamp microseconds */
        guint32 incl_len;       /* number of octets of packet saved in file */
        guint32 orig_len;       /* actual length of packet */
} pcaprec_hdr_t;

chan_ss7 uses the timeval struct defined by system headers to represent ts_sec and ts_usec. But, on 64bit machines (certainly mine), these values are defined as unsigned long rather than unsigned int (presumably as a step to get over the ‘year 2038 bug’). Hence the packet header is all wrong.

An easy solution is the following patch in mtp.h:

77a78,90
> /*
>  * The packet header in the pcap file (used for the CLI command 'dump') is 
defined so has to
>  * have the two time components as unsigned ints. However, on 64bit 
machines, the system
>  * timeval struct may use unsigned long. As such, we use a custom version 
here:
>  */
> struct _32bit_timeval
> {
>   unsigned int tv_sec;            /* Seconds.  */
>   unsigned int tv_usec;      /* Microseconds.  */
> };
>
>
>
125c138
<       struct timeval stamp;        /* Timestamp */
---
>       struct _32bit_timeval stamp;        /* Timestamp */

There may be a better way – but this works.

This relates to chan_ss7-1.0.0 from http://www.dicea.dk/company/downloads and I have let them know also. It’s also a known issue for the Wireshark developers (although I did not investigate in detail to see what their resolution was for the future). See the following thread from 1999:

Nagios Plugin to Check the Status of PRI Lines in Asterisk

I have a number of Asterisk implementations that I keep an eye on that have multiple PRI connections. Knowing if and when they ever go down has the obvious benefits of alerting me to a problem in near real time. But besides that, it allows my customers and I to verify SLAs, track and log issues, etc.

To this end, I have written a Nagios plugin which queries Asterisk’s manager interface and executes the pri show spans CLI command (this is Asterisk 1.4 by the way). The script then parses the output to ascertain whether a PRI is up or not.

The actual code to connect to the manager interface and execute the query is simply:

if( ( $astsock = fsockopen( $host, $port, $errno, $errstr, $timeout ) ) === false )
{
    echo "Could not connect to Asterisk manager: $errstr";
    exit( STATUS_CRITICAL );
}

fputs( $astsock, "Action: Login\r\n");
fputs( $astsock, "UserName: $username\r\n");
fputs( $astsock, "Secret: $password\r\n\r\n"); 

fputs( $astsock, "Action: Command\r\n");
fputs( $astsock, "Command: pri show spans\r\n\r\n");

fputs( $astsock, "Action: Logoff\r\n\r\n");

while( !feof( $astsock ) )
{
    $asttext .= fread( $astsock, 8192 );
}

fclose( $astsock );

if( strpos( $asttext, "Authentication failed" ) !== false )
{
    echo "Asterisk manager authentication failed.";
    exit( STATUS_CRITICAL );
}

This plugin is hard coded to English and expects to find Provisioned, Up, Active for a good PRI. For example, the Asterisk implementations that support the pri show spans command that I have access to return one of:

  • PRI span 1/0: Provisioned, In Alarm, Down, Active
  • PRI span 3/0: Provisioned, Up, Active
  • PRI span 2/0: Up, Active

I’m actually running a slightly older version of Nagios at the moment, version 1.3. To integrate the plugin, first add the following command definition to an appropriate existing or new file under /etc/nagios-plugings/config/:

define command{
        command_name    check_asterisk_pri
        command_line    /usr/lib/nagios/plugins/check_asterisk_pri.php \\
             -H $HOSTADDRESS$ -U $ARG1$ -P $ARG2$ -w $ARG3$ \\
             -c $ARG4$ -n $ARG5$
}

where $ARG1$ is the Asterisk manager username and $ARG2$ is the password. $ARG3$ and $ARG4$ are the warning and critical thresholds respectively whereby if the number of available PRIs reaches one of these values, the appropriate error condition will be set. Lastly, $ARG5$ is the number of PRIs the plugin shouldexpect to find.

NB: the command_line line above is split for readability but it should all be on the one line.

Now create a test for a host in an appropriate file in /etc/nagios/config/:

define service{
        use                             core-service
        host_name                       hostname.domain.ie
        service_description             Asterisk PRIs
        check_command                   check_asterisk_pri!user!pass!2!1!4
}

Ensure that your Nagios server has permissions to access the Asterisk server via TCP on the Asterisk manager port (5038 by default). If on a public network, this should be done via stunnel or a VPN for security reasons.

Lastly, you’ll need a user with the appropriate permissions and host allow statements in your Asterisk configuration (/etc/asterisk/manager.conf):

[username]
secret = password
deny=0.0.0.0/0.0.0.0
permit=1.2.3.4/255.255.255.255
read = command
write = command

The next version may include support for BRI and Zap FXO ports also. I also plan on a Cacti plug in to show the channels on each PRI (up – on a call, down, etc). In any case, updates will be posted here.

The plug in can be download from: http://www.opensolutions.ie/misc/check_asterisk_pri.php.txt

UPDATED 20/03/2012: Aterisk 1.8.9 takes out the word “Provisioned” in “pri show spans”. Thanks to Shane O’Cain.

Sangoma Inconsistancies with Latest Zaptel-1.4

I’m on a tight deadline and the last thing I need right now is kernel/Asterisk/Zaptel/Sangoma issues… This post may just help someone else save some time:

When running Sangoma’s Setup script from their wanpipe-2.3.4-7 release, the following error occurs when it tries to patch the latest zaptel (version 1.4 checked from SVN revision 2399):

Enable TDMV DCHAN Native HDLC Support & Patch Zaptel ? (y/n) y

Did NOT find the seached str:chan->writen\[chan->inwritebuf\] = amnt;
search_and_replace(zaptel-base.c) failed

Applying the following diff to Setup should solve the problem:

1c1
< #!/bin/sh
---
> #!/bin/bash
6128c6128
< ZAPTEL_C_SEARCH_STR="chan->writen\[chan->inwritebuf\] = amnt;"
---
> ZAPTEL_C_SEARCH_STR="chan->writen\[res\] = amnt;"
6134c6134
<                       chan->writen[chan->inwritebuf] = amnt;"
---
>                       chan->writen[res] = amnt;"

The change from sh to bash was to overcome the following error:

./Setup: 1014: Syntax error: Bad substitution

Finally, it looks like Sangoma’s current wanpipe will not work with linux-2.6.20.x:

/usr/src/wanpipe/kdrvtmp/sdla_xilinx.c:636:62: error: macro "INIT_WORK" passed 3 arguments, but takes just 2
/usr/src/wanpipe/kdrvtmp/sdla_xilinx.c: In function ‘wp_xilinx_init’:
/usr/src/wanpipe/kdrvtmp/sdla_xilinx.c:636: error: ‘INIT_WORK’ undeclared (first use in this function)
/usr/src/wanpipe/kdrvtmp/sdla_xilinx.c:636: error: (Each undeclared identifier is reported only once
/usr/src/wanpipe/kdrvtmp/sdla_xilinx.c:636: error: for each function it appears in.)

It works fine with linux-2.6.19.x.

I have let Sangoma’s support team know of these issues so hopefully they’ll be resolved before anyone has to actually use this post.

SNMP Polling Cisco AS5300’s for E1 Channel Usage (with Cacti)

This post is as much a reference for myself as it is for others. I had a need today to start graphing E1/PRI channel usage on some Cisco AS5300’s. The current priority is a simple graphical representation of the actual usage:

AS5300 E1 Channels in Use

Hopefully at some point over the next couple of weeks I may expand this to other more interesting information such as average call duration, etc that can be useful to diagnosing issues almost as they happen.

The Cacti XML can be found here and I just posted the same to Cacti’s own forums here.

The CISCO-POP-MGMT-MIB provides the MIBs for this information and the ones I specifically used (for my AS5300 which are all identical with 4 E1/PRI ports) are cpmDS1ActiveDS0s.0.x (or .1.3.6.1.4.1.9.10.19.1.1.9.1.3.0.x). Replace x with the appropriate port number (0-3) as required.

Explore the available information yourself with:

$ snmpwalk -Os -c <community> <host> .1.3.6.1.4.1.9.10.19