Asterisk Configuration in SECN

Introduction

The VT SECN firmware provides an Asterisk server on devices that have sufficient memory. This facility allows users to make phone calls using MeshPotato devices that have hardware telephony support, SIP telephones, Softphones and upstream SIP/VoIP providers.

Basic configuration of the Asterisk server is supported in the SECN Configuration web interface.

      • CAUTION: There are considerable security risks associated with the configuration of an Asterisk device, particularly in relation to unauthorised use of external 'paid for' SIP/VoIP accounts.

Before using such facilities in conjunction with SECN firmware, you must ensure that system security is adequate for your situation.

      • Security is our concern, but your responsibility.


In the VT SECN firmware, the Asterisk dial plan is controlled by two main files:

   /etc/asterisk/extensions.conf   
 and
   /etc/asterisk/sip.conf

These two static files are augmented by #include files which are generated dynamically by the SECN Configuration web interface, or customised by the user, to allow user configuration of the system.


The following is a brief explanation of how the SECN dial plan operates.


References:

    http://www.asteriskdocs.org/
    https://wiki.asterisk.org/wiki/display/AST/Dialplan
    http://kb.smartvox.co.uk/category/asterisk/security-asterisk/

The extensions.conf File

This static file defines how incoming and outgoing calls are handled.

The [general] section contains parameters that apply unless specifically defined otherwise in subsequent sections.

The [default] section contains no rules. All rules are explicitly defined in the [incoming] and [outgoing] sections. This is a security measure to help prevent unwanted use of the system.

As this file is static, a user may modify it as required. To prevent unwanted interaction with the SECN configuration interface, a user may comment out the '#include potato.extensions.conf' statement and place required code in the custom include file.

The [incoming] Section

The [incoming] section contains rules for the following:

  • Incoming Echo test on the default extension 's'.

Dialing e.g. ECHO 123 (3246 123) will cause Asterisk at the .123 node to echo incoming audio as a test.

  • Other incoming calls on the default 's' extension are routed to the MP device.
  • Incoming calls to Softphone extensions (300 -> 399) are routed to the SIP softphone extension.
  • Incoming calls to extension 4000 are routed to the MP device.

; /etc/asterisk/extensions.conf

[general]
static=yes
writeprotect=no
clearglobalvars=no

[globals]

[default]

[incoming]
; Incoming echo test
exten => s,1,Set(MYALERT=${SIP_HEADER(Alert-Info)})
exten => s,n,NoOp(${MYALERT})
exten => s,n,GotoIf($["${MYALERT}" != "Echo"]?dial)
exten => s,n,Answer()
exten => s,n,Playback(echo-test)
exten => s,n,Echo()
exten => s,n,Hangup()

; Not an echo test: ring the MP device (target of the GotoIf above)
exten => s,n(dial),Dial(MP/1)

; Send incoming calls to softphone devices at exten 300->399
exten => _3XX,1,Dial(SIP/softph${EXTEN})

; Send incoming calls to MP with FXS
exten => 4000,1,Dial(MP/1) 

The [outgoing] Section

The [outgoing] section contains rules for the following:

  • Local Echo Test.

Dialing ECHO (3246) will cause Asterisk on the local device to echo audio as a test.

  • Full IP Dialing.

Dialing the IP address of the required MP device (with '*' characters in lieu of '.' characters).

  • Remote Echo Test.

Dialing ECHO* (3246*) followed by the IP address of the required MP device (as above) will cause the remote Asterisk to echo audio as a test.

  • Calls to external SIP host and Softphone devices.

See below for explanation of the include file used for this function.

  • Abbreviated Dialling

Using the last octet of the IP address of an MP device. See below for explanation of the include file used for this function.

[outgoing]

; Local echo test
; ---------------
exten => _3246,1,Answer()
exten => _3246,n,Playback(echo-test)
exten => _3246,n,Echo() 
exten => _3246,n,Hangup()

; Full IP dialing, e.g. 10*130*1*144*
;-------------------------------------
; Dialled calls e.g. dial 10*130*1*144
exten => _X*.,1,Set(OCTETS=${EXTEN})
exten => _X*.,n,Set(IP=${CUT(OCTETS,*,1)}.${CUT(OCTETS,*,2)}.${CUT(OCTETS,*,3)}.${CUT(OCTETS,*,4)})
exten => _X*.,n,Dial(SIP/4000@${IP})
exten => _XX*.,1,Set(OCTETS=${EXTEN})
exten => _XX*.,n,Set(IP=${CUT(OCTETS,*,1)}.${CUT(OCTETS,*,2)}.${CUT(OCTETS,*,3)}.${CUT(OCTETS,*,4)})
exten => _XX*.,n,Dial(SIP/4000@${IP})
exten => _XXX*.,1,Set(OCTETS=${EXTEN})
exten => _XXX*.,n,Set(IP=${CUT(OCTETS,*,1)}.${CUT(OCTETS,*,2)}.${CUT(OCTETS,*,3)}.${CUT(OCTETS,*,4)})
exten => _XXX*.,n,Dial(SIP/4000@${IP})

; Remote echo test e.g. dial 3246*10*130*1*144
exten => _3246*X*.,1,Set(OCTETS=${EXTEN})
exten => _3246*X*.,n,Set(IP=${CUT(OCTETS,*,2)}.${CUT(OCTETS,*,3)}.${CUT(OCTETS,*,4)}.${CUT(OCTETS,*,5)})
exten => _3246*X*.,n,SIPAddHeader(Alert-Info: Echo)
exten => _3246*X*.,n,Dial(SIP/s@${IP})
exten => _3246*XX*.,1,Set(OCTETS=${EXTEN})
exten => _3246*XX*.,n,Set(IP=${CUT(OCTETS,*,2)}.${CUT(OCTETS,*,3)}.${CUT(OCTETS,*,4)}.${CUT(OCTETS,*,5)})
exten => _3246*XX*.,n,SIPAddHeader(Alert-Info: Echo)
exten => _3246*XX*.,n,Dial(SIP/s@${IP})
exten => _3246*XXX*.,1,Set(OCTETS=${EXTEN})
exten => _3246*XXX*.,n,Set(IP=${CUT(OCTETS,*,2)}.${CUT(OCTETS,*,3)}.${CUT(OCTETS,*,4)}.${CUT(OCTETS,*,5)})
exten => _3246*XXX*.,n,SIPAddHeader(Alert-Info: Echo)
exten => _3246*XXX*.,n,Dial(SIP/s@${IP})

; Calls to external SIP host and Softphone devices.
; This file is generated by the SECN web interface /etc/init.d/config_secn
#include "potato.extensions.conf"
#include "custom.extensions.conf"

; Abbreviated Dialing
; This file is generated by the script /bin/generate-extension.sh
#include "lastoctet.extensions.conf"


The potato.extensions.conf File

This include file contains the following rules:

  • Calls to an external SIP host.

Numbers dialed with the (default) '#' character followed by the required phone number are routed to an external SIP host defined in the [sipaccount] section of the sip.conf file. This rule may be disabled by the SECN configuration interface if SIP host calling is not enabled.

  • Calls to Softphones.

Numbers dialed in the range 300 -> 399 will be routed to SIP softphone devices defined in the softphone.sip.conf file. This rule takes two forms depending on whether the node is configured as a Softphone Master or Client.

Softphone Client mode is only used on MP/FXS devices in order to allow them to call Softphone devices on the network. Only one of these rules can be active at any time.

These rules are enabled, and the IP address of the Softphone Master device is configured by the SECN configuration interface as required.

; /etc/asterisk/potato.extensions.conf
; This file is generated by the SECN web interface /etc/init.d/config_secn

; Make calls using a SIP host [sipaccount] 
; Dial # for access, and then required number string
exten => _#.,1,Dial(SIP/${EXTEN:1}@sipaccount,120,r)

; Make calls to Softphone extensions 
; Only one of the following lines is active at any time.
; For the Master device
exten => _3XX,1,Dial(SIP/softph${EXTEN})
; For the Client device
;exten => _3XX,1,Dial(SIP/${EXTEN}@10.130.1.252, 120, r)


The lastoctet.extensions.conf File

This include file contains the following rules:

  • Abbreviated Dialing

Calls made to MP devices on the network using just the last octet of the IP address of the MP, using 1, 2 or 3 digits.

  • Remote Echo Test (Abbr Dialing)

Dialing ECHO (3246) followed by the last octet of the required node will cause Asterisk on that node to echo incoming audio as a test.

; This file is generated by the script /bin/generate-extension.sh

exten => _X,1,Dial(SIP/4000@10.130.1.${EXTEN})
exten => _XX,1,Dial(SIP/4000@10.130.1.${EXTEN})
exten => _XXX,1,Dial(SIP/4000@10.130.1.${EXTEN})

; Remote Echo test 
exten => _3246X,1,SIPAddHeader(Alert-Info: Echo)
exten => _3246X,n,Dial(SIP/s@10.130.1.${EXTEN:4})
exten => _3246XX,1,SIPAddHeader(Alert-Info: Echo)
exten => _3246XX,n,Dial(SIP/s@10.130.1.${EXTEN:4})
exten => _3246XXX,1,SIPAddHeader(Alert-Info: Echo)
exten => _3246XXX,n,Dial(SIP/s@10.130.1.${EXTEN:4})

The sip.conf File

This is a static file which contains the [general] section and #include statements for additional configuration files generated by the SECN configuration interface and by a user for customisation.

The [general] section sets a default 'incoming' context so that calls are handled as per the [incoming] section in extensions.conf.

As this file is static, a user may modify it as required. To prevent unwanted interaction with the SECN configuration interface, a user may comment out the '#include potato.sip.conf' statement and place required code in the custom include file.

; /etc/asterisk/sip.conf

[general]
context=incoming
;allowguest=no		; Allow or reject guest calls (default is yes)
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
srvlookup=no
qualify=5000
alwaysauthreject=yes	; Reject user/password attempts
;nat=no                 ; Default is yes
jbenable = yes          ; Enables the use of a jitterbuffer 

#include "potato.sip.conf"
#include "custom.sip.conf"    ; User defined file


The potato.sip.conf File

This file is automatically generated by the SECN user interface and is comprised of three different sections:

  • NAT and SIP Registration

This section is an extension of the [general] section of the sip.conf file and contains settings for Asterisk NAT and for registering to an external SIP host.

The NAT settings are enabled if selected in the SECN configuration interface and contain the local IP address and the external IP address which are populated from the SECN configuration interface.

The SIP host registration settings contain the defaultuser, password and Internet address of the SIP host, all of which are populated from the SECN configuration interface.

  • SIP Account Details

The second section is the [sipaccount] section which contains settings for the account at the SIP host. Various parts of these settings are populated from the SECN configuration interface.

  • Softphone Account Definitions

The third section is the #include statement for the softphone.sip.conf file which contains details of softphone accounts which are registered with the local Asterisk instance. This statement may be disabled if softphone support is not enabled in the SECN configuration interface.


; /etc/asterisk/potato.sip.conf
; This file is generated by the SECN web interface /etc/init.d/config_secn

; Configure for NAT if required
;localnet=10.130.1.20/255.255.255.0                     
;externip=0.0.0.0 

; Register to VoIP Provider
register => myuser:mypassword@sip.mysiphost.com

[sipaccount]
host=sip.mysiphost.com
secret=mypassword
defaultuser=myuser
fromuser=myuser
fromdomain=sip.mysiphost.com

insecure=port,invite
type=friend
disallow=all
allow=$CODEC1,$CODEC2,$CODEC3
dtmfmode=rfc2833
qualify=yes
canreinvite=no
context=incoming
alwaysauthreject=yes

; Softphone support include file
#include "softphone.sip.conf"


The softphone.sip.conf File

This file contains a section (e.g. [softph300]) for each softphone account which is registered with the local instance of Asterisk. Parameters common to all accounts are contained in an include file (softph.inc). Parameters unique to each account (e.g. password) are populated by the SECN configuration interface.

Following is a sample file showing two accounts, 300 and 301.

Softphones may have extension numbers in the range 300 -> 399.


; softphone.sip.conf
; This file is generated by the SECN web interface

[softph](!)
; Template of settings
type=friend
context=outgoing
host=dynamic
disallow=all
allow=ulaw
dtmfmode=rfc2833
qualify=yes
canreinvite=yes
alwaysauthreject=yes
mailbox=null


[softph300](softph)
secret=mypassword300

[softph301](softph)
secret=mypassword301
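
The following is an added example, not part of the SECN firmware: a shell/awk check that reads the combined sip.conf text and reports the settings in the listings above that matter for unauthorised use of the paid SIP account (guest calls left at the default, unauthenticated INVITEs, weak secrets on peers, including the context each peer inherits from its template). The function names, the sample input and the weak-secret rule are assumptions made for this example.

```sh
# Added example (not SECN code). Reads sip.conf-style text on stdin.
# Assumption: a secret under 12 chars or containing "password" counts as weak.
audit_sip() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    { sub(/;.*/, ""); $0 = trim($0) }            # drop comments and padding
    $0 == "" || /^#include/ { next }
    /^\[/ {                                      # [name], [name](!) or [name](parent)
      i = index($0, "]"); sec = substr($0, 2, i - 2)
      par = substr($0, i + 1); gsub(/[()!]/, "", par); parent[sec] = par
      next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
      if (sec == "general" && key == "allowguest") guest = val
      if (key == "context") ctx[sec] = val
      if (key == "insecure" && val ~ /invite/)
        print "WARN [" sec "] insecure=" val ": inbound INVITEs are not authenticated"
      if (key == "secret") { n++; peer[n] = sec; pw[n] = val }
    }
    END {
      if (guest != "no")
        print "WARN [general] allowguest is not set to no (default is yes)"
      for (k = 1; k <= n; k++) {
        p = peer[k]
        c = (p in ctx) ? ctx[p] : ctx[parent[p]] # context inherited from template
        if (length(pw[k]) < 12 || tolower(pw[k]) ~ /password/)
          print "WARN [" p "] weak secret; calls from this peer enter context " c
      }
    }
  '
}

# Constructed sample: the listings above condensed, as seen after #include expansion.
sample_conf() {
  cat <<'EOF'
[general]
;allowguest=no
[sipaccount]
secret=mypassword
insecure=port,invite
context=incoming
[softph](!)
context=outgoing
[softph300](softph)
secret=mypassword300
EOF
}
sample_conf | audit_sip
```

A peer reported with context outgoing can reach the '#' rule in potato.extensions.conf, so its secret protects the external SIP account as well as the softphone.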


The logger.conf File

This file defines how Asterisk logging is performed, either to local files or to a syslog server.

Logging is important in order to monitor the operation of Asterisk, particularly in relation to potential security breaches.

However on an embedded device, the memory available for logging is limited.

In SECN firmware, the default logging to the '/var/log/asterisk/messages' file is disabled in order to prevent log growth consuming excessive memory.

This facility may be temporarily enabled by un-commenting the relevant line in the file as shown below.

For long term monitoring it is preferable to configure a syslog server and enable logging to syslog as shown below.

Messages are still sent to the Asterisk console so that a user can observe them in real time by invoking the console with a command like:

    # asterisk -vvvvrdddd

Following is an extract from the logger.conf file used.


[general]

[logfiles]
;
; Format is "filename" and then "levels" of debugging to be included:
;    debug
;    notice
;    warning
;    error

console => notice,warning,error

; SECN firmware: Uncomment the following line to create log file
; /var/log/asterisk/messages if required.
; Be aware of memory limitations when creating log files.
;messages => notice,warning,error

;syslog keyword : This special keyword logs to syslog facility
;syslog.local0 => notice,warning,error
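
The following is an added example, not part of the SECN firmware: once the messages file or syslog output is enabled as described above, this shell/awk function counts failed SIP registrations per source address and lists the addresses at or above a threshold. The function names, the threshold and the sample log lines are assumptions made for this example; the lines are constructed in the chan_sip NOTICE format.

```sh
# Added example (not SECN code): count failed SIP registrations per source address.
# Usage: failed_regs [MIN] < logfile   (MIN defaults to 3, an assumed threshold)
failed_regs() {
  awk -v min="${1:-3}" -v q="'" '
    / failed for / && /Registration from / {
      s = $0
      # Greedy match: keep only what follows the LAST "failed for", because
      # the From header earlier in the line is supplied by the remote party.
      sub(".* failed for " q, "", s)
      sub(q ".*", "", s)                 # cut at the closing quote
      sub(/:[0-9]+$/, "", s)             # drop the :port suffix (IPv4 assumed)
      if (!(s in hits)) order[++n] = s
      hits[s]++
    }
    END {
      for (i = 1; i <= n; i++)
        if (hits[order[i]] >= min) print order[i], hits[order[i]]
    }
  '
}

# Constructed log lines; addresses are from documentation and mesh example ranges.
sample_log() {
  cat <<'EOF'
[Mar  3 02:11:01] NOTICE[1201] chan_sip.c: Registration from '"300" <sip:300@10.130.1.20>' failed for '203.0.113.7:5071' - Wrong password
[Mar  3 02:11:02] NOTICE[1201] chan_sip.c: Registration from '"301" <sip:301@10.130.1.20>' failed for '203.0.113.7:5071' - Wrong password
[Mar  3 02:11:03] NOTICE[1201] chan_sip.c: Registration from '"302" <sip:302@10.130.1.20>' failed for '203.0.113.7:5072' - Wrong password
[Mar  3 02:15:40] NOTICE[1201] chan_sip.c: Registration from '"300" <sip:300@10.130.1.20>' failed for '10.130.1.55' - Wrong password
[Mar  3 02:16:00] NOTICE[1201] chan_sip.c: Peer 'softph300' is now Reachable. (12ms / 5000ms)
EOF
}

sample_log | failed_regs 3
```

Run it against /var/log/asterisk/messages while that file is enabled, or against the file written by the syslog server for long term monitoring.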