Introduction
This HOWTO covers how to set up Asterisk so that you can use any SIP phone to connect to the VoIP service provided by the carrier 3 in Sweden.
3 blocks clients based on the User-Agent header in the SIP protocol.
This HOWTO shows how to configure Asterisk to register with the SIP server at 3 and how to set up an account for your SIP client to connect to.
Prerequisites
- Asterisk Server
- Subscription to the service 3Switch provided by the carrier 3
Configuration of Asterisk
Edit the following files:
- /etc/asterisk/sip.conf
- /etc/asterisk/extensions.conf
- /etc/asterisk/users.conf
/etc/asterisk/users.conf
```
[general]
fullname = New User
userbase = 6000
hasvoicemail = yes
vmsecret = 1234
hassip = yes
hasiax = no
hash323 = no
hasmanager = no
callwaiting = yes
threewaycalling = yes
callwaitingcallerid = yes
transfer = yes
canpark = yes
cancallforward = yes
callreturn = yes
callgroup = 1
pickupgroup = 1
nat = yes

; Local account that your SIP phone registers with
[46712345678]
fullname = John Doe
email = john.doe@noname.local
secret = THE_USERS_PASSWORD_IN_ASTERISK
callwaiting = yes
host = dynamic
nat = yes
transport = udp,tcp
context = 46712345678-out
```
/etc/asterisk/extensions.conf
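```
[general]
static=yes
writeprotect=yes
clearglobalvars=no

[globals]

; Incoming calls from 3 ring the local SIP account
[from_three]
exten => 46712345678,1,Dial(SIP/${EXTEN},45,Ttr)

; Outgoing calls from the local SIP account are sent through the 3 peer
[46712345678-out]
exten => _!.,1,Dial(SIP/${EXTEN}@46712345678-three,30,r)
```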
/etc/asterisk/sip.conf
```
[general]
context=public
allowguest=no
allowoverlap=no
bindaddr=0.0.0.0
tcpenable=yes
tcpbindaddr=0.0.0.0
transport=udp
defaultexpiry=700
; User-Agent string Asterisk sends; 3 filters clients on this header
useragent=3Switch-Phone-1.0.4-SE/Windows-XP
register => tcp://46712345678:THE_USERS_PASSWORD_AT_THREE@voip.tre.se/46712345678

[46712345678-three]
type = peer
transport = tcp
; Asterisk uses this secret to authenticate outgoing requests to 3,
; so it is the password at 3, not the local Asterisk password
secret = THE_USERS_PASSWORD_AT_THREE
username = 46712345678
host = voip.tre.se
fromuser = 46712345678
fromdomain = voip.tre.se
canreinvite = no
insecure = invite,port
qualify = yes
nat = no
context = from_three
```
Script to make sure Asterisk is always registered to 3
/usr/local/bin/supervise-asterisk.sh
```
#!/bin/sh
# Reload chan_sip whenever a registration is not in state "Registered".
log="/var/log/supervise-asterisk.log"

# Drop the header line and the trailing summary line of the registry listing.
sipstat="$(asterisk -x "sip show registry" | head -n -1 | tail -n +2)"

# Column 5 of each remaining line is the registration state.
if echo "$sipstat" | awk '{print $5}' | grep -Fqv Registered ; then
    asterisk -x "sip reload" >> "$log" 2>&1
    echo "Reloaded SIP $(date)" >> "$log"
fi
```
Make the script executable:
```
chmod u+x /usr/local/bin/supervise-asterisk.sh
```
Install it in the crontab with crontab -e
```
* * * * * /usr/local/bin/supervise-asterisk.sh
```
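Fail2Ban (Optional)
Please note that using Fail2Ban makes the Asterisk server more vulnerable to DoS if you allow incoming UDP traffic on port 5060: the source address of a UDP packet can be spoofed, so forged SIP requests can get a legitimate address banned.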
Install and configure fail2ban
```
apt-get install fail2ban
```
Create the configuration files:
/etc/fail2ban/filter.d/asterisk-immediate.conf
```
# The quoted 'EOF' keeps the shell from touching $ and \ inside the regexes.
cat > /etc/fail2ban/filter.d/asterisk-immediate.conf << 'EOF'
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# *** All lines below should start with NOTICE
#     Some lines have been wrapped due to space requirements for
#     the book. All new lines should start with NOTICE.
#
failregex = NOTICE.* .*Call from '' \(<HOST>:.*\) to extension '.*' rejected because extension not found in context.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF
```
/etc/fail2ban/filter.d/asterisk.conf
```
# The quoted 'EOF' keeps the shell from touching $ and \ inside the regexes.
cat > /etc/fail2ban/filter.d/asterisk.conf << 'EOF'
[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# *** All lines below should start with NOTICE
#     Some lines have been wrapped due to space requirements for
#     the book. All new lines should start with NOTICE.
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*Call from '' \(<HOST>:.*\) to extension '.*' rejected because extension not found in context.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF
```
/etc/fail2ban/jail.conf
```
cat >> /etc/fail2ban/jail.conf << 'EOF'

# Ban for 3 days (259200 seconds) after 5 failures
[asterisk-iptables]
enabled = true
filter = asterisk
protocol = all
banaction = iptables-allports
port = anyport
logpath = /var/log/asterisk/messages
maxretry = 5
bantime = 259200

# Ban permanently (bantime = -1) on the first match
[asterisk-immediate]
enabled = true
filter = asterisk-immediate
protocol = all
banaction = iptables-allports
port = anyport
logpath = /var/log/asterisk/messages
maxretry = 0
bantime = -1
EOF
```
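The filters and jail thresholds above can be checked offline before the jails go live. The following Python sketch is an added example, not part of the original HOWTO or of fail2ban: it expands `<HOST>` as the filter comments describe, runs a subset of the page's failregex lines over constructed log lines, and applies a simplified ban threshold (no findtime window; the `ignoreip` parameter is modelled on fail2ban's setting of the same name).

```python
import re
from collections import Counter

# <HOST> expansion as documented in the filter comments on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex entries copied from the page (ASTERISK is a subset of asterisk.conf).
ASTERISK = [
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
]
IMMEDIATE = [
    r"NOTICE.* .*Call from '' \(<HOST>:.*\) to extension '.*' rejected "
    r"because extension not found in context.*",
]

# Constructed log lines (documentation IP ranges), not taken from a real server.
_REG = ("[2013-05-01 12:00:0{n}] NOTICE[1234] chan_sip.c: Registration from "
        "'\"100\" <sip:100@pbx.example>' failed for '{ip}:5060' - {why}")
SAMPLE_LOG = [_REG.format(n=n, ip="203.0.113.7", why="Wrong password") for n in range(5)]
SAMPLE_LOG += [
    _REG.format(n=6, ip="198.51.100.23", why="No matching peer found"),
    "[2013-05-01 12:00:07] NOTICE[1234] chan_sip.c: Call from '' (192.0.2.44:5071) to "
    "extension '900123' rejected because extension not found in context 'public'.",
    "[2013-05-01 12:00:08] NOTICE[1234] chan_sip.c: Peer '46712345678-three' is now Reachable.",
]


def failures(lines, failregex):
    """Count matching log lines per extracted host."""
    compiled = [re.compile(rx.replace("<HOST>", HOST)) for rx in failregex]
    hits = Counter()
    for line in lines:
        match = next((m for m in (rx.search(line) for rx in compiled) if m), None)
        if match:
            hits[match.group("host")] += 1
    return hits


def banned(lines, failregex, maxretry, ignoreip=()):
    """Hosts that reach the jail's threshold (simplified: no findtime window)."""
    need = max(maxretry, 1)  # assumption: maxretry = 0 bans on the first match
    return sorted(h for h, n in failures(lines, failregex).items()
                  if n >= need and h not in ignoreip)


if __name__ == "__main__":
    print("asterisk-iptables :", banned(SAMPLE_LOG, ASTERISK, maxretry=5))
    print("asterisk-immediate:", banned(SAMPLE_LOG, IMMEDIATE, maxretry=0))
```

On the server itself, `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` runs the real filter against the real log.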