Geekzone: technology news, blogs, forums
BarryP
5 posts

Wannabe Geek


  #863021 21-Jul-2013 14:33

Cheers.
Have put qualify=no in peer setting for trunk & it stopped the useless traffic.
I only presume that was the correct thing to do.

Barry



sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #863027 21-Jul-2013 14:46

BarryP: Cheers.
Have put qualify=no in peer setting for trunk & it stopped the useless traffic.
I only presume that was the correct thing to do.

Barry


You obviously just need to be aware of the implications of this. Based on that comment I'm not sure if you fully are.

Your PBX should be behind a secure firewall and should not have port 5060 exposed to the internet. Qualify sends a SIP OPTIONS query which not only lets Asterisk know if the peer is available, but also performs a major role in allowing your PBX to work behind a NAT firewall by keeping a NAT pinhole open. If this IP doesn't exist in the NAT table then uninitiated inbound UDP traffic (ie an inbound VoIP call) will potentially be blocked.


BarryP
5 posts

Wannabe Geek


  #863035 21-Jul-2013 15:04

Hi,
I am behind DD-WRT & I am forwarding 5060 & 12000..20000 to FREEPBX.
I also have some other ports being redirected to 5060.
If I don't open 5060 to the big wide world, my mobile won't be able to register when outside my network.




maverick
3594 posts

Uber Geek

Trusted
WorldxChange

  #863041 21-Jul-2013 15:11

But unless you know what you're doing with restrictions from external IPs and SIP you leave yourself wide open to being hacked. The amount of people we have seen getting hacked because their system was hacked from the external big bad world is scary, and basically it's because unfortunately people do not properly know how to secure their freeware PABX systems.




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well

             

https://www.facebook.com/wxccommunications

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #863043 21-Jul-2013 15:13

I'm not going to lecture you on security other than to say you should never have port 5060 open unless you fully understand the risks. Without appropriate security in place it's not a matter of if you'll have your system compromised, but when.


BarryP
5 posts

Wannabe Geek


  #863055 21-Jul-2013 15:33

Eek .. dual warnings in a matter of minutes.
I obviously want to keep the versatility of what I have.
IP based restrictions can't work for me.
I have just done a search & found this.
http://highsecurity.blogspot.co.nz/2012/05/freepbx-and-asterisk-basic-security.html
Will have a look thru it & see how I stack up.
If there is another recommended document .. please share the link.
 

BarryP
5 posts

Wannabe Geek


  #863126 21-Jul-2013 17:45

Well...
Thanks again for the heads up ..
I went thru the security stuff & didn't score very well!
I've remedied a number of basic security things like passwords.

Also got Fail2Ban running.
Half an hour later .. got an email of the first banned IP 176.31.103.97 (France)



 
 
 

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #863141 21-Jul-2013 18:13

If you're wanting remote access use a VPN. My other suggestion of an SBC will clearly be beyond your budget!


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #863144 21-Jul-2013 18:16

BarryP: Well...
Thanks again for the heads up ..
I went thru the security stuff & didn't score very well!
I've remedied a number of basic security things like passwords.

Also got Fail2Ban running.
Half an hour later .. got an email of the first banned IP 176.31.103.97 (France)




If you didn't have something basic like fail2ban already in place you could easily expect to see a few hundred IPs blocked per week until the bots stop attacking your system.


Z-master
13 posts

Geek


  #863330 22-Jul-2013 07:13

Damn, shame I didn't see this thread several days ago.

I got this E-mail back from Slingshot last night:

Other customers using Asterisk have had similar problems recently that have been fixed by updating the following setting:
 
fromdomain=hlz.italk.co.nz
 
So see if updating this fixes your issue, and if it doesn't then please email again to let me know and further troubleshooting will need to be carried out.


So at least they are giving out good advice.  Just a shame there wasn't any warning/notification, I spent hours trying to get it working.  I did an update on RasPBX around the same time as this issue appeared, so (incorrectly) assumed that was at fault, even though I didn't see any notes mentioning this fault.

maverick
3594 posts

Uber Geek

Trusted
WorldxChange

  #863336 22-Jul-2013 07:35

lol good advice... so it looks like italk need to come to Geekzone to find the solution to the problem they don't know they have .... seems something quite funny and wrong with that




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well

             

https://www.facebook.com/wxccommunications

paul21019

19 posts

Geek


  #863351 22-Jul-2013 08:59

Thanks everybody, especially Maverick and Rabsoft. I came in in the morning, made the change to the host and bingo - we are back in action.

I only changed the host as per Rabsoft's suggestion to the IP, should I put in the "fromdomain=akl.italk.co.nz" as well?

Now would be a good time to get the perfect peer details for future use - this is what I have:

type=friend
secret={secret}
username=649974xxxx
fromuser=649974xxxx
host=203.184.16.2
dtmfmode=rfc2833
insecure=very
nat=yes
canreinvite=no
disallow=all
allow=ulaw&alaw
qualify=yes

649974xxxx:{secret}@203.184.16.2


Once again if I had listened to the Italk CSR, my system would be in pieces and a complete rebuild needed, only apathy saved me.

PDE 



jnawk
176 posts

Master Geek


  #863364 22-Jul-2013 09:38

I only changed the host as per Rabsoft's suggestion to the IP, should I put in the "fromdomain=akl.italk.co.nz" as well?


You should not use the IP address, because you are then vulnerable to potential sudden failure if Slingshot make another change.
Put in the fromdomain, and set host back to akl.italk.co.nz, and you'll be right as rain.


jnawk
176 posts

Master Geek


  #863366 22-Jul-2013 09:39

maverick: lol good advice... so it looks like italk need to come to Geekzone to find the solution to the problem they don't know they have .... seems something quite funny and wrong with that


They should give me a month free, for all my efforts.   And they should also give a month free to all their customers I've ended up retaining for them by finding the solution for them.

paul21019

19 posts

Geek


  #863454 22-Jul-2013 11:39

Correction...

If I use fromdomain=akl.italk.co.nz and change the host and register string to match, I can only make outgoing calls, incoming goes to busy.

So I have changed my host to host=203.184.16.2 (as per Rabsoft's original), remarked fromdomain out and put the IP address in the register string. This works both ways but the delay into my trunks is noticeable, but it works fine. My main line goes to an IVR - I am not sure if this is creating the delay or not.

Anyone have any ideas? (I can live with it, but it would be nice to get rid of the delay)

PDE 
