
Stepping on the rake, or 5 typical Asterisk configuration errors





This article is aimed at novice Asterisk users who nevertheless understand computer networking at the CCNA level and have studied the basics of IP telephony without taking specialized courses.





1. You did not disable anonymous calls and used the default context for your dialplan.


Problem

By default, Asterisk accepts anonymous calls, so that anyone anywhere in the world can call you directly by specifying number@your_domain as the call destination and relying on DNS. This is a very useful feature, but it can play a bad joke on you if you use the default context for your main dialplan: anyone who sends a call to telephone_number@your_domain will be able to make calls at your expense, long-distance ones for example.



Solution

The first rule, always: do not use the default context for your dialplan. Remember that the default context exists only for anonymous calls from the Internet; treat it as the least trusted context of all. If you do not plan to receive anonymous calls, be sure to turn them off:



    ; sip.conf
    [general]
    allowguest=no


2. You respond differently to a registration request with a valid username and wrong password than to one with a non-existent username.



Problem

There are plenty of people on the Internet who want to make calls on someone else's account, so you need to make their lives as hard as possible. By default (until recently, but you may well be running an older version), Asterisk responds differently to a registration attempt with a non-existent username than to one with a correct username but a wrong password. This lets an attacker enumerate the existing subscriber names and then target password guessing at them.



Solution

    ; sip.conf
    [general]
    alwaysauthreject=yes


3. You do not use ACLs and/or dynamic access restrictions.



Since, despite the measure from the previous section, it is still possible to guess a password, you should use access control lists (ACLs) wherever possible:



    ; sip.conf
    [my_user]
    deny=0.0.0.0/0          ; first deny everyone ...
    permit=172.16.0.0/12    ; ... then permit only the trusted network
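The deny/permit pair above only works because of the order of the lines: Asterisk walks the list top to bottom and the last matching rule wins, so "deny all, then permit the trusted ranges" is the safe idiom and the reverse order silently allows everyone. The following Python evaluator is an added example, not Asterisk's own ACL code; the sip.conf fragment and the addresses in it are constructed, and the rule semantics (last match wins, no rules means allow) are an assumption about how Asterisk applies ACLs that you should check against your version.

```python
import ipaddress

def acl_allows(rules, address):
    """Evaluate an Asterisk-style ACL for one address.

    rules: list of (sense, network) tuples in sip.conf order, e.g.
           [("deny", "0.0.0.0/0"), ("permit", "172.16.0.0/12")].
    Every rule is checked and the LAST matching rule decides (assumed
    Asterisk semantics); with no rules at all everything is allowed,
    just like a peer section that has no deny/permit lines.
    """
    ip = ipaddress.ip_address(address)
    verdict = True
    for sense, network in rules:
        if sense not in ("deny", "permit"):
            raise ValueError(f"unknown ACL sense: {sense!r}")
        # ip_network also accepts the old 172.16.0.0/255.240.0.0 netmask form
        if ip in ipaddress.ip_network(network, strict=False):
            verdict = (sense == "permit")
    return verdict

def parse_acl_section(text):
    """Extract deny=/permit= lines, in order, from one sip.conf section,
    ignoring ';' comments and unrelated keys."""
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in ("deny", "permit"):
            rules.append((key, value))
    return rules

# Constructed sip.conf section mirroring the article's example
MY_USER_SECTION = """
[my_user]
type=friend
host=dynamic
deny=0.0.0.0/0            ; first deny everyone ...
permit=172.16.0.0/12      ; ... then permit only the trusted network
"""

if __name__ == "__main__":
    rules = parse_acl_section(MY_USER_SECTION)
    for addr in ("172.20.1.10", "203.0.113.7"):
        print(addr, "allowed" if acl_allows(rules, addr) else "denied")
    # Same two lines in the wrong order: the deny-all now matches last
    print("reversed order:", acl_allows(list(reversed(rules)), "172.20.1.10"))
```

Running it shows the internal address allowed, the public one denied, and the reversed rule order denying the internal address as well, which is the misconfiguration to look for when a peer unexpectedly cannot register.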


There are cases where an ACL cannot be used, because the subscriber may register from an arbitrary network. In that case you need dynamic blocking tools, for example fail2ban, a utility that processes Asterisk logs to detect and block addresses from which many failed attempts were made.
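What fail2ban does for Asterisk boils down to matching the chan_sip "Registration from ... failed for 'address:port'" NOTICE lines and counting them per source address within a time window (its maxretry and findtime settings). The script below is an added example, not fail2ban's or Asterisk's code: the log lines are constructed in the chan_sip NOTICE format, the regex is an assumption about that format that you should check against your own messages log, and the year is supplied separately because the default Asterisk timestamp does not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip NOTICE lines written for failed registrations (assumed format)
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.+)$"
)

def parse_failures(lines, year=2012):
    """Yield (timestamp, source_ip, reason) for every failed-registration line;
    lines that are not failed registrations are skipped."""
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["reason"]

def addresses_to_ban(lines, maxretry=5, findtime=600, year=2012):
    """Sliding-window count like fail2ban's maxretry/findtime: an address is
    reported once it reaches `maxretry` failures within `findtime` seconds.
    Returns {ip: time of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for ts, ip, _reason in parse_failures(lines, year):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample: a burst of guesses from 203.0.113.5, two isolated
# failures from 198.51.100.9 twenty minutes apart, and one unrelated line.
SAMPLE_LOG = """\
[Jan 15 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.5:5060' - Wrong password
[Jan 15 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '203.0.113.5:5060' - No matching peer found
[Jan 15 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.1>' failed for '203.0.113.5:5060' - No matching peer found
[Jan 15 10:00:04] VERBOSE[1234] chan_sip.c: Registered SIP '200' at 172.16.4.20:5060
[Jan 15 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@192.0.2.1>' failed for '203.0.113.5:5060' - No matching peer found
[Jan 15 10:00:06] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@192.0.2.1>' failed for '203.0.113.5:5060' - Wrong password
[Jan 15 10:00:07] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.1>' failed for '198.51.100.9:5060' - Wrong password
[Jan 15 10:20:07] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.1>' failed for '198.51.100.9:5060' - Wrong password
"""

if __name__ == "__main__":
    for ip, when in addresses_to_ban(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when:%H:%M:%S})")
```

With the defaults only 203.0.113.5 is reported; 198.51.100.9 never accumulates enough failures inside one window, which is exactly the trade-off findtime controls: a shorter window spares a subscriber who mistypes a password twice, a longer one catches a slow scan.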



4. You forgot the leading _ in the dialplan and are surprised that calls do not go through



Quite a simple mistake, but a common one among beginners.



Wrong

    [citycalls]
    exten => XXXXXX,1,Dial(DAHDI/g1/${EXTEN})


Right

    [citycalls]
    exten => _XXXXXX,1,Dial(DAHDI/g1/${EXTEN})


In the first case you did not define a pattern but a literal extension XXXXXX (the characters X-X-X-X-X-X), which no dialed number will ever match. Just do not forget that patterns begin with _.
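To make the difference concrete, here is a small matcher that compiles an Asterisk extension into a regular expression and applies the pattern rules (X for 0-9, Z for 1-9, N for 2-9, [..] sets, . and ! wildcards) only when the extension starts with _. It is an added example, not Asterisk's own matching code: the lookup order among patterns is a simplification (Asterisk ranks patterns by specificity; this version takes them in list order after exact literals), and the two citycalls contexts are constructed from the article's lines.

```python
import re

# Pattern character classes from the Asterisk dialplan syntax
PATTERN_CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}

def extension_to_regex(exten):
    """Compile a dialplan extension into a regex. Only a string that starts
    with '_' is a pattern; anything else is a literal that must match exactly."""
    if not exten.startswith("_"):
        return re.compile(re.escape(exten) + r"\Z")
    parts = []
    i = 1
    while i < len(exten):
        c = exten[i]
        if c in PATTERN_CLASSES:
            parts.append(PATTERN_CLASSES[c])
        elif c == "[":                       # explicit set, e.g. [15-7] = 1, 5, 6 or 7
            j = exten.index("]", i)
            parts.append("[" + exten[i + 1:j] + "]")
            i = j
        elif c == ".":                       # one or more further characters
            parts.append(".+")
        elif c == "!":                       # zero or more further characters
            parts.append(".*")
        else:                                # any other character is literal
            parts.append(re.escape(c))
        i += 1
    return re.compile("".join(parts) + r"\Z")

def matches(exten, dialed):
    return extension_to_regex(exten).match(dialed) is not None

def lookup(context, dialed):
    """Return the entry of a context (list of extension strings) that the dialed
    number hits, or None. Exact literals win over patterns; among patterns this
    simplified version takes the first in list order."""
    literals = [e for e in context if not e.startswith("_")]
    patterns = [e for e in context if e.startswith("_")]
    for e in literals + patterns:
        if matches(e, dialed):
            return e
    return None

# The article's two [citycalls] variants as constructed contexts
CITYCALLS_WRONG = ["XXXXXX"]    # literal: only the string "XXXXXX" ever matches
CITYCALLS_RIGHT = ["_XXXXXX"]   # pattern: any six-digit number matches

if __name__ == "__main__":
    for ctx in (CITYCALLS_WRONG, CITYCALLS_RIGHT):
        print(ctx, "->", lookup(ctx, "123456"))
```

The wrong context returns None for a real six-digit number (the call goes nowhere), the right one returns the pattern; the same helper also shows why _9NXXXXXX rejects 90123456 (N excludes 0 and 1) and why _1. needs at least one digit after the 1 while _1! does not.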



5. You use NAT and the sound goes in one direction only.



The subject of Asterisk and subscribers with address translation between them in various configurations is so broad that it is beyond the scope of this article, but I will still give a few useful tips:



  1. If there is no sound, take a sheet of paper and draw how traffic flows (not only SIP, but also RTP) between the clients. This step alone can explain a lot, especially if you know how NAT works.
  2. If clients may be behind NAT, do not let them re-INVITE (canreinvite = no in the corresponding section of sip.conf), and set directmedia = nonat if you do not need to pass all traffic through Asterisk (which you may need to, for example to record conversations).
  3. Choose one thing, NAT support in Asterisk or SIP support in your OS firewall: in Windows ISA Server, SIP support enabled in parallel with NAT support in Asterisk gives no sound at all, so if you cannot influence the OS, set nat = no in the relevant sections of sip.conf.
  4. Remember that in addition to signalling on port 5060/udp, audio is carried by RTP over a range of UDP ports specified in rtp.conf (by default 10000-20000).
  5. If nothing helps, turn on debug in Asterisk and use tcpdump: this lets you see where requests and audio traffic actually go, and understanding the problem is 90% of its solution.




Good luck in mastering Asterisk!

Source: https://habr.com/ru/post/157545/


