Install Fail2ban in Asterisk (Centos)

Installing Fail2ban in centos
1.yum install fail2ban
If your CentOS doesn't find the package, please execute the following command and then try again.
2.rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
3.yum install python iptables
or
wget http://downloads.sourceforge.net/project/fail2ban/fail2ban-stable/fail2ban-0.8.4/fail2ban-0.8.4.tar.bz2?use_mirror=transact

tar -xf fail2ban-0.8.4.tar.bz2

cd fail2ban-0.8.4

python setup.py install

cp files/redhat-initd /etc/init.d/fail2ban

chkconfig --add fail2ban

chkconfig fail2ban on

Once installing the Fail2ban  create asteirsk.conf file under the fail2ban directory

4.  vi /etc/fail2ban/filter.d/asterisk.conf

and copy and paste the below

# ===================
# /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
#
# $Revision: 250 $
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
#The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias
#for
# (?:::f{4,6}:)?(?PS+)
# Values: TEXT
#

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' (from <HOST>)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')


# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
# ===================
Add the [asterisk-iptables] section to your /etc/fail2ban/jail.conf file :
# /etc/fail2ban/jail.conf
#====================



5 .  Save and exit the file
6.   vi /etc/fail2ban/jail.conf
      go to the last line of theis file and paste the below lines there

[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=ASTERISK, protocol=all]
sendmail-whois[name=ASTERISK,
dest=youremailaddress@somewhere.com, sender=fail2ban@somewhere.com]
logpath = /var/log/asterisk/full
maxretry = 5
bantime = 600
#====================


7. Also in /etc/fail2ban/jail.conf file you want to add your own IP address range ( ours is192.168.1.0 ) :
ignoreip = 127.0.0.1 192.168.1.0/24

8.  make the fail2ban to start at startup
     chkconfig fail2ban on
9.  start the fail2ban now
    /etc/init.d/fail2ban start
10 . now check whether the fail2ban is installed properly to detect the attacks
       iptables -L –v
      You should see "fail2ban-ASTERISK" in your iptables output.

11. now try to register a extension from outside with wrong password or worng extension and run the iptables command to see the blocked ip addresses

Configuring Digium cards with Asterisk , goautodial , vicidial , vicidialnow , freepbx

How to configure the Digium PRI cards in Asterisk or vicidial or Goautodial or vicidialnow or Freepbx

• If you are using the precompiled iso of asteirsk software like ( trixbox , elastix , pbxinaflash , goautodial , vicibox,)  then the Dhadi driver will be by default installed , if not you need to install the dahdi driver manually.(installation of dahdi explained at last of this doc)

steps to configure the Digium cards

• First you need to check whether card is in E1 or T1 mode.
• Take card outside and check for the E1/T1 changeover jumper in the card, if your PRI line is E1 then you need close the jumper , if T1 then it should be open. then insert the card into the server.

• Access your asterisk server via  ssh  , putty will be good tool to connect the server remotely via ssh
• First you need to check whether the card is  recognised   by the your server 

1.  type  lspci  this will output pci boards connected in the server , if digium card is  recognised   it  shows output as below     0e:08.0 Ethernet controller: Digium, Inc. Wildcard TE121 single-span T1/E1/J1 card (PCI-Express) (rev 11)    

• Once the card is  recognised , follow the below steps

1. type  dahdi_genconf  -vvvvvvv    -this will auto install configure the digium card  driver and conf files

• [root@localhost ~]# dahdi_genconf -vvvvvv
• Default parameters from /etc/dahdi/genconf_parameters
• Generating /etc/dahdi/system.conf
• Generating /etc/asterisk/dahdi-channels.conf

2. Type  dahdi_cfg  -vvvv     - this outputs the channels if it configured properly

[root@mrlpriprimary ~]# dahdi_cfg -vvvv
DAHDI Tools Version - 2.4.1
DAHDI Version: 2.4.1.2
Echo Canceller(s): MG2
Configuration
======================
SPAN 1: CCS/HDB3 Build-out: 0 db (CSU)/0-133 feet (DSX-1)
31 channels to configure.
Channel 01: Clear channel (Default) (Echo Canceler: mg2) (Slaves: 01)
Channel 02: Clear channel (Default) (Echo Canceler: mg2) (Slaves: 02)
Channel 03: Clear channel (Default) (Echo Canceler: mg2) (Slaves: 03)
...........................................................................................................
Channel 30: Clear channel (Default) (Echo Canceler: mg2) (Slaves: 30)
Channel 31: Clear channel (Default) (Echo Canceler: mg2) (Slaves: 31)

3. Now configuration is done, some small changes to be done to enable the channels in the asterisk

•    go to   vi  /etc/asterisk/chan_dahdi.conf
•    go to last line of the file by pressing shift+g
•    then add this line    #include dahdi-channels.conf
•     save and exit the file.

4. Now go to asterisk cli  and type module reload chand_dahdi.so   or restart the server.

5. if the PRI line is up you can see green lights on the card.

6. if it shows RED light then either your pri is down or the pri cable not connected properly.

7. by default the digium cards configured with group 0 or 11 , so in your dialplan you need to mention g0

8. so you need write dialplan as 

    exten => _X.,Dial(DAHDI/g0/${EXTEN},,)
   "if goautodial/vicidial/vicibox  use the below dialplan in carrier or custome dialplan"
    exten => _9XXXXX.,1,AGI(agi://127.0.0.1:4577/call_log)
    exten => _9XXXXX.,2,Dial(DAHDI/g0/${EXTEN:1},,TtoR)
    exten => _9XXXXX.,3,Hangup

8a. if your using freepbx based pbx then no need to above line , just you need to add g0 in the DAHDI identifier under trunk (add new dahdi trunk)

9. And the default incomming context will the from-pstn

Installing the DAHDI driver
a. you need to install libpri if you use pri lines
b. go to http://www.asterisk.org/downloads and download the latest libpri
c. as of writing this blog 1.4.12 is latest
d. wget http://downloads.asterisk.org/pub/telephony/libpri/releases/libpri-1.4.12.tar.gz
c. tar -xvzf  libpri-1.4.12.tar.gz
d. cd libpri-1.4.12
e. make
d. make install
e. now you need to install dahdi.

1.go to http://www.asterisk.org/downloads and download the latest dahdi

as of writting this blog its 2.6.1 so

2. wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/releases/dahdi-linux-complete-2.6.1+2.6.1.tar.gz

3. tar -xvzf  dahdi-linux-complete-2.6.1+2.6.1.tar.gz

4. cd dahdi-linux-complete-2.6.1+2.6.1.

5. make all

6. make install

7. make config.

once done follow the above steps to configure your card.

Time synchronization Error , Vicidial ,Goautodial

Time synchronization Error in vicidial goautodial

there is a problem of time synchronization in your system .please contact administrator

The major cause for the time sync error are

1. The vicidial based system is using  MeetMe conference , These MeetMe Conference Bridge requires a timing resources like  Dahdi or Zaptel.  if they are not loaded poperly then time sync error occurs
2. wrong System timing . different timing in server and agent systems
3. wrong time set for DB time , PHP time , server Time
4. Not updated the New server ip for the vicidial /goautodial 

-------------------------------------------------------------------------------------------

Troubleshoot 1:

type  "mysqlcheck -u root -pvicidialnow --auto-repair --check --optimize --all-databases"

 once finishes the repair of the MYSQL
 reboot the server and chec.


Troubleshoot 2:

MeetMe Conference dahdi issue

• make sure the dahdi/zaptel driver is installed properly

If you are not using any telephony cards then you need to use the dummy drivers

type:   modprobe dahdi_dummy

          dahdi_cfg -vvvvv

          asterisk  -vvvvvr

          module unload chan_dahdi.so

          module load chan_dahdi.so

• Now login as agent and check whether the problem arises
• For those using asterisk telephone cards like digium , sangoma ,allo use the below links 
• Digium Sangoma

-------------------------------------------------------------------------------------------

Troubleshoot 3:

wrong server time

check the server time ,

type  date  in the linux console ,  it will display the current server time.  if the server time and timezone is wrong follow the below commands to change it.

• rm /etc/localtime
• ln -sf /usr/share/zoneinfo/Asia/Kolkata /etc/localtime
• rdate -s time-a.nist.gov
• chkconfig ntpd on
• ntpdate pool.ntp.org
• /etc/init.d/ntpd start

-------------------------------------------------------------------------------------------

Troubleshoot 3:

Check the db time php time from the vicidail report section

          if the time is different for all the three then follow the above trouble shoot and reboot the server.

-------------------------------------------------------------------------------------------

Troubleshoot 4:

If you have changed your server ip, dont forget to run the ip update script.

type the below command to update

/usr/share/astguiclient/ADMIN_update_server_ip.pl

and follow the onscreen steps , once done reboot the server and login as agent and check .

-------------------------------------------------------------------------------------------

Troubleshoot 5

If you have very big setup of vicidial , then Dahdi_dummy will not be sufficient to provide time source , so you can use the Sangoma voice time sync USB stick

Link:http://wiki.sangoma.com/sangoma-wanpipe-voicetime

-------------------------------------------------------------------------------------------

For Support

gtalk:sweetravinder

skypeid:sweetravinder | sweetravinder@gmail.com