Category Archives: VoIP

IAX2 Realtime

In this post I’m going to configure Asterisk IAX2 extensions in realtime mode. This way we don’t have to reload Asterisk whenever we change the configuration of our extensions.

1. Configuring extconfig.conf


iaxusers => mysql,asterisk,iax_users

iaxpeers => mysql,asterisk,iax_users

2. Creating table

We are going to create the IAX table in our asterisk database:

CREATE TABLE iax_users (name varchar(30) primary key NOT NULL, username varchar(30), type varchar(6) NOT NULL, secret varchar(50), md5secret varchar(32), dbsecret varchar(100), notransfer varchar(10), inkeys varchar(100), outkey varchar(100), auth varchar(100), accountcode varchar(100), amaflags varchar(100), callerid varchar(100), context varchar(100), defaultip varchar(15), host varchar(31) NOT NULL default 'dynamic', language char(5), mailbox varchar(50), deny varchar(95), permit varchar(95), qualify varchar(4), disallow varchar(100), allow varchar(100), ipaddr varchar(15), port integer default 0, regseconds integer default 0  );

After this, we have to reload Asterisk to apply the changes.

3. Creating users

We can create users through the MySQL CLI (tricky) or with the MySQL graphical tools (the best option).

Example in CLI mode:

INSERT INTO `iax_users` (`name`, `username`, `type`, `secret`, `md5secret`, `dbsecret`, `notransfer`, `inkeys`, `outkey`, `auth`, `accountcode`, `amaflags`, `callerid`, `context`, `defaultip`, `host`, `language`, `mailbox`, `deny`, `permit`, `qualify`, `disallow`, `allow`, `ipaddr`, `port`, `regseconds`) VALUES ('1000', '1000', 'friend', '1000', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'Javi', 'u-moviles', NULL, 'dynamic', NULL, NULL, NULL, NULL, 'yes', 'all', 'gsm', NULL, 0, 0);

Graphical Mode:

This is the link to download the MySQL GUI Tools:

It’s not necessary to post an example of creating a user with the MySQL GUI, because managing tables and adding new users is very easy.

You have to connect to the asterisk database through the MySQL Query Browser app, edit the iax_users table and insert the same data as in the previous example:

name (1000), username (1000), type (friend), secret(1000), callerid(javi), context(u-moviles), host(dynamic), disallow(all), allow(gsm)

The other fields are optional although I also use the ‘mailbox’ field:

`md5secret`, `dbsecret`, `notransfer`, `inkeys`, `outkey`, `auth`, `accountcode`, `amaflags`, `defaultip`, `language`, `mailbox`, `deny`, `permit`, `ipaddr`, `port`, `regseconds`.

In the next Asterisk articles, I’ll post about SIP realtime, voicemail realtime and Microsoft Exchange calendar integration.

That’s all!


Asterisk & OSSEC Part.II

In this post I’m going to explain how to define rules, decoders and active responses in the OSSEC server to prevent attacks on our Asterisk.

This is a schema of how OSSEC handles every event it receives.

More information about OSSEC:


First I’m going to configure the decoders. By default there are some Asterisk decoders for the SIP protocol, and I’ve added decoders for the IAX protocol. At the moment I’m working on adding more decoders for SIP, IAX, etc.

/var/ossec/etc# vim decoder.xml (my additions in green)

<!-- Asterisk logs -->
<decoder name="asterisk">
</decoder>

<decoder name="asterisk-hijacking">
<prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
<regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
</decoder>

<decoder name="asterisk-denied">
<prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
<regex offset="after_prematch">^(\S+) failed for '(\d+.\d+.\d+.\d+)'</regex>
</decoder>

<decoder name="asterisk-denied2">
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
</decoder>

<decoder name="asterisk-iax-enumeration">
<prematch>^NOTICE[\d+]: \S+ in \S+: No registration for peer </prematch>
<regex offset="after_prematch">^'(\S+)' \(\S+ (\d+.\d+.\d+.\d+)\)</regex>
<order>user, srcip</order>
</decoder>

<decoder name="asterisk-iax-authentication-denied">
<prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
<regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
<order>srcip, user</order>
</decoder>

Secondly, we have to set the rules:

/var/ossec/rules# vim asterisk_rules.xml (in

<!-- Asterisk Log messages -->
<group name="syslog,asterisk,">
<rule id="6200" level="0">
<description>Asterisk messages grouped.</description>
</rule>

<rule id="6201" level="1">
<description>Asterisk notice messages grouped.</description>
</rule>

<rule id="6202" level="3">
<description>Asterisk warning message.</description>
</rule>

<rule id="6203" level="3">
<description>Asterisk error message.</description>
</rule>

<rule id="6210" level="5">
<match>Wrong password</match>
<description>Login session failed.</description>
</rule>

<rule id="6211" level="5">
<match>Username/auth name mismatch</match>
<description>Login session failed (invalid user).</description>
</rule>

<rule id="6212" level="5">
<match>No matching peer found</match>
<description>Login session failed (invalid extension).</description>
</rule>

<rule id="6250" level="10" frequency="6" timeframe="300">
<same_source_ip />
<description>Multiple failed logins (user enumeration in process).</description>
</rule>

<rule id="6251" level="10" frequency="6" timeframe="300">
<same_source_ip />
<description>Multiple failed logins.</description>
</rule>

<rule id="6252" level="10" frequency="6" timeframe="300">
<same_source_ip />
<description>Extension enumeration.</description>
</rule>

<rule id="100007" level="5">
<match>No registration for peer</match>
<description>Login session failed (invalid iax user).</description>
</rule>

<rule id="100008" level="10" frequency="3" timeframe="300">
<same_source_ip />
<description>Extension IAX Enumeration.</description>
</rule>

<rule id="100009" level="5">
<match>Don't know how to respond via</match>
<description>Possible Registration Hijacking.</description>
</rule>

<rule id="100010" level="5">
<match>failed MD5 authentication</match>
<description>IAX peer Wrong Password.</description>
</rule>

<rule id="100011" level="10" frequency="3" timeframe="300">
<same_source_ip />
<description>Multiple failed logins.</description>
</rule>

</group> <!-- ASTERISK -->
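
The detection logic of the two IAX decoders and of the composite rules 100008 and 100011, as an added Python example (not part of the original post and not OSSEC code). The correlator is a simplified model of frequency, timeframe and same_source_ip; the log lines, IP addresses and the default year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Python renderings of the page's two IAX decoders (brackets and dots escaped for re).
DECODERS = {
    "asterisk-iax-enumeration": re.compile(
        r"NOTICE\[\d+\]: \S+ in \S+: No registration for peer "
        r"'(?P<user>\S+)' \(\S+ (?P<srcip>\d+\.\d+\.\d+\.\d+)\)"),
    "asterisk-iax-authentication-denied": re.compile(
        r"NOTICE\[\d+\]: \S+ in \S+: Host (?P<srcip>\d+\.\d+\.\d+\.\d+) "
        r"failed MD5 authentication for (?P<user>\S+)"),
}
# decoder -> (composite rule id, frequency, timeframe in seconds), from rules 100008 / 100011
COMPOSITE = {"asterisk-iax-enumeration": (100008, 3, 300),
             "asterisk-iax-authentication-denied": (100011, 3, 300)}

def decode(line, year=2010):
    """Return (decoder, timestamp, srcip, user) or None; syslog has no year, so one is supplied."""
    for name, rx in DECODERS.items():
        m = rx.search(line)
        if m:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            return name, ts, m["srcip"], m["user"]
    return None

def correlate(lines):
    """Alert when `frequency` decoded events from one source IP fall inside `timeframe`."""
    windows, alerts = defaultdict(deque), []  # (rule id, srcip) -> timestamps in the window
    for line in lines:
        event = decode(line)
        if event is None:
            continue
        name, ts, srcip, _user = event
        rule_id, frequency, timeframe = COMPOSITE[name]
        win = windows[(rule_id, srcip)]
        win.append(ts)
        while (ts - win[0]).total_seconds() > timeframe:
            win.popleft()  # drop events that have aged out of the timeframe
        if len(win) >= frequency:
            alerts.append((rule_id, srcip, ts.strftime("%H:%M:%S")))
            win.clear()  # start counting again after an alert
    return alerts

# Constructed sample lines (documentation IP ranges, invented source line number).
P = "asterisk asterisk[5200]: NOTICE[14808]: chan_iax2.c:1 in register_verify: "
SAMPLE = [
    f"May 19 11:42:17 {P}No registration for peer '100' (from 192.0.2.10)",
    f"May 19 11:42:18 {P}No registration for peer '101' (from 192.0.2.10)",
    f"May 19 11:42:19 {P}No registration for peer '102' (from 192.0.2.10)",
    f"May 19 11:43:00 {P}Host 198.51.100.7 failed MD5 authentication for '2000' (a != b)",
    f"May 19 11:50:30 {P}Host 198.51.100.7 failed MD5 authentication for '2000' (a != b)",
    f"May 19 11:51:00 {P}Host 198.51.100.7 failed MD5 authentication for '2000' (a != b)",
]
```

Calling correlate(SAMPLE) reports only the enumeration burst from 192.0.2.10; the three MD5 failures span more than 300 seconds, so they never reach the threshold.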

More information about rules:


Now we are going to define an active response to protect our Asterisk.

vim /var/ossec/ossec.conf.



We have defined an active response against extension enumeration attacks. When OSSEC detects this attack, it sends a script (an iptables rule) to Asterisk.

You can see the different active responses in the /var/ossec/active-response/bin/ directory.


We’ve already configured our system, and now we are going to test it.

1.- Search for servers with the SIP port open: python

| | Asterisk PBX |

2.- We’ve discovered one server with the SIP port open. Now we are going to search for available extensions.

python -e0000-9999

Without OSSEC protection, we can detect the available extensions in our Asterisk:
| Extension | Authentication |
| 4999      | reqauth        |

If we configure our Asterisk following this tutorial, this is the result of the extension scan:

sudo python -e0000-9999
WARNING:root:found nothing
ERROR:TakeASip:socket error: timed out

Logs in our Ossec /var/ossec/alerts/logs/alerts.log:

** Alert 1274262205.108674992: mail  – syslog,asterisk,
2010 May 19 11:43:25 (asterisk)>/var/log/messages
Rule: 6252 (level 10) -> ‘Extension enumeration.’
Src IP:
User: (none)
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”361″<sip:361@>’ failed for ‘’ – No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”360″<sip:360@>’ failed for ‘’ – No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”359″<sip:359@>’ failed for ‘’ – No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”358″<sip:358@>’ failed for ‘’ – No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”357″<sip:357@>’ failed for ‘’ – No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”356″<sip:356@>’ failed for ‘’ – No matching peer found
May 19 11:42:17 asterisk asterisk[5200]: NOTICE[14808]: chan_sip.c:15889 in handle_request_register: Registration from ‘”355″<sip:355@>’ failed for ‘’ – No matching peer found

To check that OSSEC has sent the command to our Asterisk, you can check the active-response log (/var/ossec/logs/active-responses.log) or the iptables rules on Asterisk.

iptables in our Asterisk:

root@asterisk:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       0    —       anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       0    —       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you have any questions or need help, post here.

Asterisk CDR in MySQL

Install MySQL Server and MySQL Client

apt-get install php5-mysql mysql-client-5.0 mysql-client libmysqlclient15-dev mysql-server mysql-common

Install Asterisk-Addons

cd /usr/src


tar xvzf asterisk-addons-1.4.9.tar.gz

cd asterisk-addons*


make menuselect


–> 1. Applications
[*] 1. app_addon_sql_mysql
–> 2. Call Detail Recording
[*] 1. cdr_addon_mysql

make && make install

Create Database

mysql -u root -p


ON asterisk.*
TO asterisk@localhost
IDENTIFIED BY 'yourpassword';

USE asterisk;

CREATE TABLE `cdr` (
`calldate` datetime NOT NULL default '0000-00-00 00:00:00',
`clid` varchar(80) NOT NULL default '',
`src` varchar(80) NOT NULL default '',
`dst` varchar(80) NOT NULL default '',
`dcontext` varchar(80) NOT NULL default '',
`channel` varchar(80) NOT NULL default '',
`dstchannel` varchar(80) NOT NULL default '',
`lastapp` varchar(80) NOT NULL default '',
`lastdata` varchar(80) NOT NULL default '',
`duration` int(11) NOT NULL default '0',
`billsec` int(11) NOT NULL default '0',
`disposition` varchar(45) NOT NULL default '',
`amaflags` int(11) NOT NULL default '0',
`accountcode` varchar(20) NOT NULL default '',
`userfield` varchar(255) NOT NULL default ''
);

ALTER TABLE `cdr` ADD `uniqueid` VARCHAR(32) NOT NULL default '';
ALTER TABLE `cdr` ADD INDEX ( `calldate` );
ALTER TABLE `cdr` ADD INDEX ( `dst` );
ALTER TABLE `cdr` ADD INDEX ( `accountcode` );

Configure Asterisk CDR Mysql

vim /etc/asterisk/cdr.conf



vim /etc/asterisk/cdr_mysql.conf


vim /etc/asterisk/modules.conf

load =>

Restarting Asterisk

asterisk -r

CLI> restart when convenient

CLI > asterisk -r

CLI > cdr mysql status
Connected to asterisk@localhost, port 3306 using table cdr for 1 minutes, 28 seconds.
Wrote 0 records since last restart.

That is all.

Asterisk VoIP Security

I leave here a link to the webinar on Asterisk security that took place last Friday. The speakers were an FBI agent, an expert from VOIPSA and two employees of the company Digium.

Very interesting.

Provisioning Linksys SPA922

One of the important things when deploying a VoIP network is segmenting the network into VLANs to separate voice and data. When I started in the world of Asterisk two years ago, I only knew two options:

– Use different networks, but this implies duplicating the number of switches (a lot of money and, in my opinion, unprofessional).
– Use VLANs to separate the networks. This option is better, although it requires a lot of administrative work whenever a computer or telephone changes location.

I investigated how to do this automatically, and it seems I got somewhere.

Here is an example implementation.

In this scenario we are going to configure a system for provisioning Linksys phones (SPA922). First we have to configure our LAN with 2 VLANs (or more) to separate the data and voice networks. We have used Cisco switches (Catalyst 2960 and 3750).


The IP ranges of the VLANs are these:

Vlan 1 -> data network ->
Vlan 2 -> voice network ->

We need two DHCP servers, one in each VLAN. In VLAN 1 we have configured one DHCP server (Windows 2003 Server), which will be the principal DHCP server. This is its configuration:

003 Router
006 DNS Servers
015 DNS Domain Name
044 WINS/NBNS Servers
046 WINS/NBNS Node Type 0x8
066 Boot Server Host Name (TFTP Server)

In the other VLAN (VoIP), we have the Asterisk server with a DHCP server and a TFTP server. These are the configs:

apt-get install dhcpd

/etc/dhcp3# vim dhcpd.conf

subnet netmask
option domain-name-servers;
option routers;
option subnet-mask;
option broadcast-address;
option tftp-server-name "";
default-lease-time 600;
max-lease-time 7200;


apt-get install atftpd

/etc/default# vim atftpd

OPTIONS="--daemon --port 69 --tftpd-timeout 300 --retry-timeout 5 --mcast-port 1758 --mcast-addr --mcast-ttl 1 --maxthread 100 --verbose=5 /tftpboot"

The TFTP server configuration indicates that the configs are in the tftpboot directory, where we have placed the general config file for all phones and the specific config files for each phone.

/etc/tftpboot# vim spa922.cfg


<Profile_Rule ua="na">/spa922-MAC/spa922-$MA.cfg</Profile_Rule>

<!-- SYSTEM -->
<Primary_NTP_Server ua="na"></Primary_NTP_Server>
<Time_Zone ua="na">GMT+01:00</Time_Zone>

<!-- TIMERS -->
<Interdigit_Long_Timer ua="na">25</Interdigit_Long_Timer>

<!-- SIP -->

<Use_Auth_ID_1_ ua="na">No</Use_Auth_ID_1_>

<Dial_Plan_1_ ua="na">([1345]xxxS0|6xxxxxxxxS0|9xxxxxxxxS0|xx.)</Dial_Plan_1_>
<Enable_IP_Dialing_1_ ua="na">No</Enable_IP_Dialing_1_>

<Enable_VLAN ua="rw"> yes </Enable_VLAN>
<VLAN_ID ua="rw"> 2 </VLAN_ID>


Debian “Etch” + Asterisk + Asterisk-Addons + Zaptel + Libpri + mISDN + Asterisk-GUI

This howto installs Asterisk on a fresh Debian “Etch” system.
After downloading a netinstall image of Debian 4.0r1 and configuring localization, language, partitions and so on, in the final steps Debian asks which packages you want installed.

Choose base system only.

After finishing the installation and the first reboot, log in as root and run:

aptitude update
aptitude upgrade


aptitude install ssh ntp

From here on, the next steps were done from an SSH session with the PuTTY client.

Compiling New Custom Kernel *** Optional ***

aptitude install kernel-package libncurses5-dev fakeroot wget bzip2 build-essential

cd /usr/src


tar xjf linux-2.6.*

ln -s /usr/src/linux- /usr/src/linux

cd /usr/src/linux

Copy the current kernel configuration to /usr/src/linux

make clean && make mrproper

cp /boot/config-`uname -r` ./.config

make menuconfig

In the configuration menu, select “Load alternate configuration…” and choose the config file that we copied into the /usr/src/linux directory: /usr/src/linux/.config

We are going to modify some parameters in the kernel configuration:

In the subsection “Processor type and features” we check:

“Enable IRQ balancing” is disabled.
“Timer frequency”: change the value from 250 Hz to 1000 Hz.
“High Resolution Timer Option” and “HPET Timer Support” as built-in.
For users with NVidia SATA drives, uncheck “Paravirtualization Support”.

And under the “Library Routines” subsection, “CONFIG_CRC_CCITT” must be enabled.

When we have made these changes, we save the configuration and exit.

Building the new .deb kernel and headers packages:

make-kpkg clean
fakeroot make-kpkg --initrd --append-to-version=-custom kernel_image kernel_headers

After the compilation there will be two .deb packages in the /usr/src/ directory.

Install the new packages.

cd /usr/src
dpkg -i linux-image-
dpkg -i linux-headers-


Test that the new kernel is loaded.

uname -a

The output must be something similar to “Linux asterisk

*** Finish *** Optional *** Compiling Custom Kernel

Go for dependencies…

aptitude install build-essential libcurl3-dev libvorbis-dev libspeex-dev unixodbc unixodbc-dev libiksemel-dev flex xsltproc

aptitude install linux-headers-`uname -r` g++ libncurses5-dev libnewt-dev libusb-dev subversion git-core

Downloading and untarring…

cd /usr/src


tar xvzf asterisk-1.4-current.tar.gz && tar xvzf zaptel-1.4-current.tar.gz && tar xvzf libpri-1.4-current.tar.gz && tar xvzf mISDN.tar.gz && tar xvzf mISDNuser.tar.gz && tar xvzf asterisk-addons-1.4.5.tar.gz

Installing Zaptel

cd /usr/src/zaptel-1.4*
./install_prereq test
./install_prereq install

make install
make config
modprobe ztdummy

Installing Libpri

cd /usr/src/libpri-1.4*
make && make install

Installing mISDN

Note: The current version (1.1.7) does not compile with the latest kernel ( The ( is tested that works.

cd /usr/src/mISDN
make install
cd /usr/src/mISDNuser/
make && make install


mISDN scan
mISDN config

This creates the file /etc/mISDN.conf which you should review and/or edit.

vi /etc/mISDN.conf

If everything looks good, start mISDN:

mISDN start

and check that everything is right:


Running on startup…

/usr/sbin/update-rc.d mISDN defaults 15 30

Installing Asterisk

cd /usr/src/asterisk-1.4*

The next step is not mandatory. To install core and extra sounds in different languages:

make menuselect

Select the core sounds and extra sounds you would like. Exit with “x” to save.

make install
make samples
make config
asterisk -vvvc
stop now
echo "ztdummy" >> /etc/modules

Note: If you make a mistake and/or the compilation fails, you need to run:

make clean, then ./configure and make install again.

Now reboot to test that the system starts up correctly.


asterisk -r

Install Asterisk-Addons

cd /usr/src/asterisk-addons*

./configure && make && make install

make samples

Install Asterisk-GUI

If you already have Asterisk config files (not a new install), back them up…

cp -r /etc/asterisk /etc/asterisk.bak

Download and install Asterisk-GUI

cd /usr/src
svn checkout asterisk-gui
cd /usr/src/asterisk-gui
./configure && make && make install
make samples

Some tweaks to configuration files…

cat << EOF >/etc/asterisk/http.conf

cat << EOF >/etc/asterisk/manager.conf
[general]
displaysystemname = yes
enabled = yes
webenabled = yes
port = 5038
;httptimeout = 60
bindaddr =

[admin]
secret = admin
read = system,call,log,verbose,command,agent,config
write = system,call,log,verbose,command,agent,config
EOF

Checking configuration…

make checkconfig

asterisk -r

Try it, configure it and enjoy your new system… log in with admin/admin or with the credentials from your own config…
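
A configuration check for the manager.conf written above, as an added Python example that is not part of the original howto or of Asterisk. The function name, the 12-character threshold, the bindaddr value and the [monitor] account are assumptions made for the illustration.

```python
import configparser

# AMI classes that, granted for write, allow CLI commands, system management
# actions or rewriting configuration files.
HIGH_RISK_WRITE = {"system", "command", "config"}

def audit_manager_conf(text, min_secret_len=12):
    """Return (section, finding) tuples for weak settings in a manager.conf body."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    findings = []
    general = dict(cp["general"]) if cp.has_section("general") else {}
    if general.get("enabled") == "yes" and general.get("bindaddr") == "0.0.0.0":
        findings.append(("general", "AMI listens on all interfaces"))
    if general.get("webenabled") == "yes":
        findings.append(("general", "AMI is also exposed through the HTTP server"))
    for user in cp.sections():
        if user == "general":
            continue
        acct = cp[user]
        secret = acct.get("secret", "")
        if secret == user or len(secret) < min_secret_len:
            findings.append((user, "secret is short or equals the username"))
        risky = HIGH_RISK_WRITE & {c.strip() for c in acct.get("write", "").split(",")}
        if risky:
            findings.append((user, "write grants " + ",".join(sorted(risky))))
        if "permit" not in acct:
            findings.append((user, "no permit/deny ACL limits source addresses"))
    return findings

# Constructed input: the howto's values, a constructed bindaddr (the page leaves
# it blank) and a constructed, tighter [monitor] account for comparison.
SAMPLE = """\
[general]
enabled = yes
webenabled = yes
port = 5038
bindaddr = 0.0.0.0

[admin]
secret = admin
read = system,call,log,verbose,command,agent,config
write = system,call,log,verbose,command,agent,config

[monitor]
secret = constructed-long-secret
read = call,log
deny = 0.0.0.0/0.0.0.0
permit = 127.0.0.1/255.255.255.255
"""
```

Run against SAMPLE, the check reports five findings for [general] and [admin] and none for [monitor].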

