
In this article by Gerardo Barajas Puente, author of Elastix Unified Communications Server Cookbook, we will discuss some topics regarding security in our Elastix Unified Communications System and share some recommendations to ensure our system’s availability, privacy, and correct performance. Attackers’ objectives may vary from damaging or stealing data, to telephone fraud, to denial of service. The recipes in this list are intended to reduce exposure to these kinds of attacks, but remember that there is no final word on security; it is a constantly changing subject with new types of attacks, challenges, and opportunities.


The recipes covered in this article are as follows:

  • Using Elastix’s embedded firewall
  • Using the Security Advanced Settings menu to enable security features
  • Recording and monitoring calls
  • Recording MeetMe rooms (conference rooms)
  • Recording queues’ calls
  • Monitoring recordings
  • Upgrading our Elastix system
  • Generating system backups
  • Restoring a backup from one server to another

Using Elastix’s embedded firewall

Iptables is one of the most powerful tools of the Linux kernel and is widely used in servers and devices worldwide. Elastix’s security module incorporates iptables’ main features into its webGUI in order to secure our Unified Communications Server. This module is available in the Security | Firewall menu. On this module’s main screen, we can check the status of the firewall (Activated or Deactivated). We will also see the status of each firewall rule with the following information:

  • Order: The order in which the rules are applied
  • Traffic: Whether the rule applies to incoming or outgoing packets
  • Target: Whether a matching packet is accepted, rejected, or dropped
  • Interface: The network interface on which the rule is applied
  • Source Address: The rule is applied if the packet’s source IP address matches
  • Destination Address: The rule is applied if the packet’s destination IP address matches
  • Protocol: The rule is applied depending on the IP protocol of the packet (TCP, UDP, ICMP, and so on)
  • Details: The details or comments about the rule, which remind us why it is being applied

By default, when the firewall is applied, Elastix will allow the traffic from any device to use the ports that belong to the Unified Communications Services. The next image shows the state of the firewall.


We can review this information in the Define Ports section as shown in the next image:


In this section, we can delete, define a new rule (or port), or search for a specific port. If we click on the View link, we will be redirected to the editing page for the selected rule as shown in the next picture. This is helpful whenever we would like to change the details of a rule.


How to do it…

  1. To add a new rule, click on the Define Port link and add the following information as shown in the next image:
    • Name: Name for this port.
    • Protocol: We can choose the IP protocol to use. The options are as follows: TCP, ICMP, IP, and UDP.
    • Port: We can enter a single port or a range of ports. To enter a single port, we just enter the port number in the first text field, before the ":" character. To enter a range, we must use both text fields: the first one for the first port of the range and the second one for the last port of the range.
    • Comment: We can enter a comment for this port.
  2. The next image shows the creation of a new port for GSM-Solution. This solution will use the TCP protocol from port 5000 to 5002.


  3. Having our ports defined, we proceed to activate the firewall by clicking on Save.
  4. As soon as the firewall service is activated, we will see the status of every rule. A message will be displayed, informing us that the service has been activated.
  5. When the service has been started, we will be able to edit, delete, or change the execution order of a rule or group of rules.
  6. To add a new rule, click on the New Rule button (as shown in the next picture) and we will be redirected to a new web page.
  7. The information we need to enter is as follows:
    • Traffic: This option sets the rule for incoming (INPUT), outgoing (OUTPUT), or redirected (FORWARD) packets.
    • Interface IN: This is the interface used for the rule. All the available network interfaces are listed, along with the options ANY and LOOPBACK.
    • Source Address: We can apply a rule to any specified IP address. For example, we can block all the incoming traffic from the IP address 192.168.1.1. It is important to specify its netmask.
    • Destination Address: This is the destination IP address for the rule. It is important to specify its netmask.
    • Protocol: We can choose the protocol we would like to filter or forward. The options are TCP, UDP, ICMP, IP, and STATE.
    • Source Port: Here, we can choose any option previously configured in the Port Definition section as the source port.
    • Destination Port: Here, we can choose any option previously configured in the Port Definition section as the destination port.
    • Target: This is the action to perform on any packet that matches the conditions set in the previous fields.


  8. The next image shows the application of a new firewall’s rule based on the ports we defined previously:


We can also check the user’s activity by using the Audit menu. This module can be found in the Security menu. To enhance our system’s security we also recommend using Elastix’s internal Port Knocking feature.
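The webGUI table above is a front end for iptables, so it helps to be able to read each row as the iptables rule it stands for. The following POSIX shell function is an added example, not code from the book or from the Elastix project: it takes the values of one row (Traffic, Interface IN, Source Address, Destination Address, Protocol, Destination Port, Target) and prints the corresponding iptables command without executing it. The exact syntax Elastix generates internally is not documented on this page and is an assumption here; the point is to check, before saving, that a row means what we think it means. The two sample rows are the ones used in this recipe: the GSM-Solution port definition (TCP 5000 to 5002) and the block on 192.168.1.1.

```shell
#!/bin/sh
# Added example, not from the book or the Elastix project: translate one row
# of the Security | Firewall table into the iptables command it corresponds to.
# The command is only printed, never run, so this needs no root privileges.

# build_rule TRAFFIC IFACE SRC DST PROTO DPORT TARGET
#   TRAFFIC: INPUT, OUTPUT or FORWARD               (the GUI's Traffic field)
#   IFACE:   interface name, or ANY                  (Interface IN)
#   SRC/DST: address with netmask, e.g. 192.168.1.1/32, or ANY
#   PROTO:   tcp, udp, icmp, or ip (ip = any IP protocol)
#   DPORT:   a port definition such as 5000:5002, or ANY (tcp/udp only)
#   TARGET:  ACCEPT, REJECT or DROP
# The GUI's STATE protocol (connection tracking) is not covered here.
build_rule() {
    traffic=$1; iface=$2; src=$3; dst=$4; proto=$5; dport=$6; target=$7
    case "$traffic" in
        INPUT|OUTPUT|FORWARD) ;;
        *) echo "build_rule: Traffic must be INPUT, OUTPUT or FORWARD" >&2; return 1 ;;
    esac
    case "$target" in
        ACCEPT|REJECT|DROP) ;;
        *) echo "build_rule: Target must be ACCEPT, REJECT or DROP" >&2; return 1 ;;
    esac
    cmd="iptables -A $traffic"
    # Interface IN is the arrival interface (-i); the OUTPUT chain has no
    # arrival interface, so iptables only accepts the outgoing one (-o) there.
    if [ "$iface" != ANY ]; then
        if [ "$traffic" = OUTPUT ]; then cmd="$cmd -o $iface"; else cmd="$cmd -i $iface"; fi
    fi
    if [ "$src" != ANY ]; then cmd="$cmd -s $src"; fi
    if [ "$dst" != ANY ]; then cmd="$cmd -d $dst"; fi
    # "ip" in the GUI means any protocol, which is what iptables matches by default.
    if [ "$proto" != ip ]; then cmd="$cmd -p $proto"; fi
    # A port (single or first:last range) is only meaningful for tcp and udp.
    case "$proto" in
        tcp|udp) if [ "$dport" != ANY ]; then cmd="$cmd --dport $dport"; fi ;;
    esac
    echo "$cmd -j $target"
}

# The two rows used in this recipe, as iptables commands.
example_rules() {
    build_rule INPUT ANY ANY ANY tcp 5000:5002 ACCEPT          # GSM-Solution ports
    build_rule INPUT ANY 192.168.1.1/32 ANY ip ANY DROP        # block one host
}
```

Run `example_rules` to see the two commands; a row whose printed rule has no `-s`, no `-p` and a target of ACCEPT is one that opens everything, which is the kind of mistake the rule order and Details columns are there to catch.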

Using the Security Advanced Settings menu to enable security features

The Advanced Settings option will allow us to perform the following actions:

  • Enable or disable direct access to FreePBX’s webGUI.
  • Enable or disable anonymous SIP calls.
  • Change the database and web administration password for FreePBX.

How to do it…

  1. Click on the Security | Advanced Settings menu and these options are shown as in the next screenshot.


Recording and monitoring calls

Whenever we need to record the calls that pass through our system, Elastix can do so by taking advantage of FreePBX’s and Asterisk’s features. In this section, we will show the configuration steps to record the following types of calls:

  • Extension’s inbound and outbound calls
  • MeetMe rooms (conference rooms)
  • Queues

Getting ready…

  1. Go to PBX | PBX Configuration | General Settings.
  2. In the section called Dialing Options, add the values w and W to the Asterisk Dial command options and the Asterisk Outbound Dial command options. These values will allow the users to start recording after pressing *1. The next screenshot shows this configuration.


  3. The next step is to set the options in the Call Recording section as follows:
    • Extension recording override: Disabled. If enabled, this option ignores all automatic recording settings for all extensions.
    • Call recording format: We can choose the audio format of the recording files. We recommend the wav49 format because it is compact and the voice is understandable despite the lower audio quality. Here is a brief description of each audio file format:
      • WAV: This is the most popular good-quality recording format, but its size grows by 1 MB per minute.
      • WAV49: This format results from a GSM codec recording under the WAV encapsulation, making the recording file smaller: 100 KB per minute. Its quality is similar to that of a mobile phone call.
      • ULAW/ALAW: This is the native codec (G.711) used between TELCOS and users, but the file size is very large (1 MB per minute).
      • SLN: SLN means SLINEAR format, which is Asterisk’s native format. It is an 8-kHz, 16-bit signed linear raw format.
      • GSM: This format is used for recording calls with the GSM codec. The recording file grows at a rate of 100 KB per minute.
    • Recording location: We leave this option blank. This option specifies the folder where our recordings will be stored. By default, our system is configured to record calls in the /var/spool/asterisk/monitor folder.
    • Run after record: We also leave this option blank. This is for running a script after a recording has been made.

    For more information about audio formats, visit: http://www.voip-info.org/wiki/view/Convert+WAV+audio+files+for+use+in+Asterisk

  4. Apply the changes. All these options are shown in the next screenshot:


How to do it…

  1. To record all the calls made or received by an extension, go to the extension’s details in the PBX | PBX Configuration module.
  2. Click on the extension whose call recording we would like to activate. In the Recording Options section, we have two options:
    • Record Incoming
    • Record Outgoing
  3. Depending on the type of recording, select one of the following options:
    • On Demand: With this option, the user must press *1 during a call to start recording it. This option only lasts for the current call. When this call is terminated, if the user wants to record another, the digits *1 must be pressed again. If *1 is pressed during a call that is being recorded, the recording will be stopped.
    • Always: All the calls will be recorded automatically.
    • Never: This option disables all call recording.
  4. These options are shown in the next image.


Recording MeetMe rooms

If we need to record the calls that go to a conference room, Elastix allows us to do this. This feature is very helpful whenever we need to remember the topics discussed in a conference.

How to do it…

  1. To record the calls of a conference room, enable it at the conference’s details. These details are found in the menu: PBX | PBX Configuration | Conferences.
  2. Click on the conference we would like to record and set the Record Conference option to Yes.
  3. Save and apply the changes.
  4. These steps are shown in the next image.


Recording queues’ calls

Most of the time, the calls that arrive in a queue must be recorded for quality and security purposes. In this recipe, we will show how to enable this feature.

How to do it…

  1. Go to PBX | PBX Configuration | Queues.
  2. Click on a queue to record its calls.
  3. Search for the Call Recording option.
  4. Select the recording format to use (wav49, wav, gsm).
  5. Save and apply the changes.
  6. The following image shows the configuration of this feature.


Monitoring recordings

Now that we know how to record calls, we will show how to retrieve them in order to listen to them.

How to do it…

  1. To visualize the recorded calls, go to PBX | Monitoring.
  2. In this menu, we will be able to see the recordings stored in our system. The displayed columns are as follows:
    • Date: Date of the call
    • Time: Time of the call
    • Source: Source of the call (may be an internal or external number)
    • Destination: Destination of the call (may be an internal or external number)
    • Duration: Duration of the call
    • Type: Incoming or outgoing
    • Message: This column holds the Listen and Download links that let us listen to or download the recording files.
  3. To listen to a recording, just click on the Message link and a new window will pop up in your web browser. This window has the controls to play back the selected recording. It is important that our web browser is allowed to play audio.
  4. To download a recording, we click on the Download link.
  5. To delete a recording or group of recordings, just select them and click on the Delete button.
  6. To search for a recording or set of recordings by date, source, destination, or type, click on the Show Filter button.
  7. If we click on the Download button, we can download the search results or report of the recording files in any of the following formats: CSV, Excel, or Text.
  8. It is very important to check the hard disk status regularly, to prevent it from filling up with recording files and leaving insufficient space for the main services to work properly.
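The disk check in the last step is easy to forget when done by hand, so here is a small POSIX shell script that can run from cron on the Elastix server. It is an added example and not part of the book or of Elastix: it reports how full the filesystem holding the recordings is, how much space the recordings take, and how many files are older than a retention period. The folder is the default named in the Recording location option earlier; the retention period and the alert threshold are assumptions to adapt to local policy. Nothing is deleted automatically.

```shell
#!/bin/sh
# Added example, not from the book or the Elastix project: a cron-friendly
# check of the call recordings folder. Defaults follow the recipe; the
# retention period and alert threshold are assumptions, not Elastix settings.

# Percentage of the filesystem that holds directory $1 currently in use.
fs_usage_percent() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Total size of everything under $1, in MB.
recordings_size_mb() {
    du -sm "$1" | awk '{ print $1 }'
}

# Recording files under $1 not modified for more than $2 days, one path per
# line. All formats from the recipe are plain files (.WAV for wav49, .wav,
# .gsm, .ulaw, .alaw, .sln), so matching on type is enough.
old_recordings() {
    find "$1" -type f -mtime +"$2"
}

# Number of such files, printed as a plain integer (awk avoids grep -c's
# non-zero exit status when the count is zero).
count_old_recordings() {
    old_recordings "$1" "$2" | awk 'END { print NR }'
}

# One-line report on directory $1 with retention $2 days and threshold $3 %.
# Returns non-zero when usage is at or above the threshold, so a cron entry
# such as  check_recording_disk /var/spool/asterisk/monitor 90 80 || mail ...
# only raises an alert when action is needed. Once the old files have been
# archived and reviewed they can be removed with:
#   old_recordings /var/spool/asterisk/monitor 90 | xargs -r rm --
check_recording_disk() {
    dir=$1; days=$2; threshold=$3
    used=$(fs_usage_percent "$dir")
    echo "$dir: ${used}% of the filesystem in use," \
         "$(recordings_size_mb "$dir") MB of recordings," \
         "$(count_old_recordings "$dir" "$days") files older than $days days"
    [ "$used" -lt "$threshold" ]
}
```

Keeping the check separate from any deletion matters here: recordings may be kept for quality review or as evidence, so the retention decision belongs to policy, and the script only makes the numbers visible.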

Encrypting voice calls

In Elastix/Asterisk, SIP calls can be encrypted at two levels: encrypting the SIP signaling and encrypting the RTP voice flow. To encrypt the SIP signaling, we will use the Transport Layer Security (TLS) protocol.

How to do it…

  1. Create security keys and certificates. For this example, we will store our keys and certificates in the /etc/asterisk/keys folder.
  2. To create this folder, enter the mkdir /etc/asterisk/keys command.
  3. Change the owner of the folder from the user root to the user asterisk: chown asterisk:asterisk /etc/asterisk/keys
  4. Generate the keys and certificates by going to the following folder and running the script:
    cd /usr/share/doc/asterisk-1.8.20.0/contrib/scripts/
    ./ast_tls_cert -C 10.20.30.70 -O "Our Company" -d /etc/asterisk/keys

    Where the options are as follows:

    • -C is used to set the host (DNS name) or IP address of our Elastix server.
    • -O is the organizational name or description.
    • -d is the folder where keys will be stored.
  5. Generate a pair of keys for a pair of extensions (extension 7002 and extension 7003, for example):
    • For extension 7002:
      ./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.20.31.107 -O "Elastix Company" -d /etc/asterisk/keys -o 7002
    • And for extension 7003:
      ./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.20.31.106 -O "Elastix Company" -d /etc/asterisk/keys -o 7003

    where:

    • -m client: This option sets the program to create a client certificate.
    • -c /etc/asterisk/keys/ca.crt: This option specifies the Certificate Authority certificate to use (our IP-PBX).
    • -k /etc/asterisk/keys/ca.key: This is the private key that belongs to the CA’s *.crt file.
    • -C: This option defines the hostname or IP address of our SIP device.
    • -O: This option defines the organizational name (same as above).
    • -d: This option specifies the directory where the keys and certificates will be stored.
    • -o: This is the name of the key and certificate we are creating.

    When creating the client’s keys and certificates, we must enter the same password set when creating the server’s certificates.

  6. Configure the IP-PBX to support TLS by editing the sip_general_custom.conf file located in the /etc/asterisk/ folder.
  7. Add the following lines:
    tlsenable=yes
    tlsbindaddr=0.0.0.0
    tlscertfile=/etc/asterisk/keys/asterisk.pem
    tlscafile=/etc/asterisk/keys/ca.crt
    tlscipher=ALL
    tlsclientmethod=tlsv1
    tlsdontverifyserver=yes
    • These lines are in charge of enabling the TLS support in our IP-PBX. They also specify the folder where the certificates and the keys are stored and set the ciphering option and client method to use.
  8. Add the line transport=tls to the extensions we would like to use TLS in the sip_custom.conf file located at /etc/asterisk/. This file should look like:
    [7002](+)
    encryption=yes
    transport=tls
     
    [7003](+)
    encryption=yes
    transport=tls
  9. Reload the SIP module in the Asterisk service. This can be done with the command: asterisk -rx 'sip reload'
  10. Configure our TLS-supporting IP phones. This configuration varies from model to model. It is important to mention that the port used for TLS and SIP is port 5061; therefore, our devices must use TCP/UDP port 5061. After our devices are registered and we can call each other, we can be sure this configuration is working.
  11. If we issue the command asterisk -rx 'sip show peer 7003', we will see that the encryption is enabled. At this point, we have only enabled encryption at the SIP signaling level. With this, an unauthorized user can no longer read the signaling to learn which ports carry the media (voice and/or video), steal a username or password, or eavesdrop on a conversation.
  12. Now, we will proceed to enable the audio/video (RTP) encryption, known as Secure Real-time Transport Protocol (SRTP). To do this, we only need to enable the encryption=yes option on the SIP peers.
  13. The screenshot after this shows an SRTP call between peers 7002 and 7003. This information can be displayed with the command: asterisk -rx 'sip show channel [the SIP channel of our call]'
  14. The line RTP/SAVP informs us that the call is secure, and the call in the softphone shows an icon with the form of a lock confirming that the call is secure.


  15. The following screenshot shows the icon of a lock, informing us that the current call is secured through SRTP:


We can have the SRTP enabled without enabling TLS, and we can even activate TLS support between SIP trunks and our Elastix system.
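Two of the lines added to sip_general_custom.conf in step 7 trade security for convenience: tlscipher=ALL lets the peer negotiate any cipher suite the OpenSSL build supports, and tlsdontverifyserver=yes tells Asterisk not to check the certificate of a server it connects to (for example a TLS trunk), which is exactly the check that would detect an impostor; tlsclientmethod=tlsv1 pins TLS 1.0, so it is worth checking whether the installed Asterisk version offers a newer method. The following POSIX shell script is an added example, not part of the book or of Elastix: it audits a chan_sip configuration file for those three settings and inspects the certificates produced in steps 4 and 5 with openssl. The paths default to the ones used in the recipe; the client certificate name 7002.crt is assumed from the -o 7002 option.

```shell
#!/bin/sh
# Added example, not from the book or the Elastix project: read-only checks
# of the TLS setup from this recipe. Nothing here changes the configuration.

# Print one WARN line per weak chan_sip TLS setting found in config file $1.
audit_tls_settings() {
    cfg=$1
    # Any cipher suite the OpenSSL build knows, including legacy and
    # export-grade suites on older builds; pin a named list of strong suites.
    if grep -Eiq '^[[:space:]]*tlscipher[[:space:]]*=[[:space:]]*ALL[[:space:]]*$' "$cfg"; then
        echo "WARN tlscipher=ALL: restrict to a named list of strong cipher suites"
    fi
    # Asterisk will accept any certificate from servers it connects to, so an
    # impostor trunk or proxy cannot be told from the real one.
    if grep -Eiq '^[[:space:]]*tlsdontverifyserver[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$cfg"; then
        echo "WARN tlsdontverifyserver=yes: server certificates are not verified; set no and point tlscafile at the CA"
    fi
    # tlsv1 is TLS 1.0 only; sslv2/sslv3 are broken protocols.
    if grep -Eiq '^[[:space:]]*tlsclientmethod[[:space:]]*=[[:space:]]*(tlsv1|sslv2|sslv3)[[:space:]]*$' "$cfg"; then
        echo "WARN tlsclientmethod pins an old protocol version; use the newest method this Asterisk accepts"
    fi
}

# Number of WARN lines for config file $1, as a plain integer.
count_tls_findings() {
    audit_tls_settings "$1" | awk '/^WARN/ { n++ } END { print n + 0 }'
}

# Show subject and expiry of the server certificate and verify a client
# certificate against the CA. $1 is the keys folder (recipe default),
# $2 the client name given to ast_tls_cert -o (7002 in the recipe).
check_certificates() {
    keys=${1:-/etc/asterisk/keys}
    client=${2:-7002}
    openssl x509 -in "$keys/asterisk.pem" -noout -subject -enddate
    openssl verify -CAfile "$keys/ca.crt" "$keys/$client.crt"
}

# Typical use on the Elastix server (uncomment to run):
# audit_tls_settings /etc/asterisk/sip_general_custom.conf
# check_certificates /etc/asterisk/keys 7002
```

A clean audit is zero WARN lines; the cipher list is set with the same tlscipher option, using OpenSSL cipher-string syntax, and once the trunk provider's CA is in tlscafile the tlsdontverifyserver line can simply be removed.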

There is more…

  1. To enable the IAX encryption in our extensions and IAX trunks, add the following line to their configuration file (/etc/asterisk/iax_general_custom.conf): encryption=aes128
  2. Reload the IAX module with the command: iax2 reload
  3. If we would like to see the encryption in action, configure the debug output in the logger.conf file and issue the following CLI commands:
    CLI> set debug 1
    Core debug is at least 1
    CLI> iax2 debug
    IAX2 Debugging Enabled

Generating system backups

Generating system backups is a very important activity that helps us to restore our system in case of an emergency or failure. The success of our Elastix platform depends on how quickly we can restore our system. In this recipe, we will cover the generation of backups.

How to do it…

  1. To perform a backup on our Elastix UCS, go to the System | Backup/Restore menu.
  2. When entering this module, the first screen that we will see shows all the backup files available and stored in our system, the date they have been created, and the possibility to restore any of them.
  3. If we click on any of them, we can download it onto our laptop, tablet, or any device that will allow us to perform a full backup restore in the event of a disaster.

    The next screenshot shows the list of backups available on a system.


  4. If we select a backup file from the main view, we can delete it by clicking on the Delete button.
  5. To create a backup, click on the Perform a Backup button.
  6. Select what modules (with their options) will be saved.
  7. Click on the Process button to start the backup process on our Elastix box.
  8. When done, a message will be displayed informing us that the process has been completed successfully.
  9. We can automate this process by selecting how often it should run (Daily, Weekly, or Monthly) and then clicking on Set Automatic Backup.

Restoring a backup from one server to another

If we have a backup file, we can copy it to another recently installed Elastix Unified Communications Server, if we’d like to restore it. For example, Server A is a production server, but we’d like to use a brand new server with more resources (Server B).

How to do it…

  1. After installing Elastix on Server B, perform a backup on it, even though it has no configuration yet, and create a backup on Server A as well.
  2. Then, copy the backup (*.tar file) from Server A to Server B with the following command, run from Server A’s console:
    scp /var/www/backup/back-up-file.tar root@ip-address-of-server-b:/var/www/backup/
  3. Log in to Server B’s console and change the ownership of the backup file with the command:
    chown asterisk:asterisk /var/www/backup/back-up-file.tar
  4. Restore the copied backup in Server B by using the System | Backup/Restore menu. When this process is being done, Elastix’s webGUI will alert us of a restoring process being performed and it will show if there is any software difference between the backup and our current system.

We recommend using the same Admin and Root passwords and the same telephony hardware in both servers. After this operation is done, we have to make sure that all configurations are working on the new server before going into production.
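Before the Backup/Restore module unpacks the copied archive as the asterisk user, it is worth confirming that what arrived on Server B is byte-for-byte what left Server A. The following POSIX shell functions are an added example, not part of the book or of Elastix: record_backup_checksum is run on Server A before the scp step, and verify_backup_archive on Server B after copying both the .tar and its .sha256 file, so a truncated transfer or a tampered archive is caught before the restore. The path is the one used in this recipe.

```shell
#!/bin/sh
# Added example, not from the book or the Elastix project: integrity checks
# around the scp copy of a backup between two Elastix servers.

# Server A: write the SHA-256 of archive $1 next to it as $1.sha256.
record_backup_checksum() {
    sha256sum "$1" > "$1.sha256"
}

# Server B: confirm that archive $1 matches its recorded checksum and that tar
# can list it. Returns 0 only when both checks pass.
verify_backup_archive() {
    archive=$1
    if ! sha256sum -c --quiet "$archive.sha256" > /dev/null 2>&1; then
        echo "checksum mismatch: $archive does not match $archive.sha256" >&2
        return 1
    fi
    if ! tar -tf "$archive" > /dev/null 2>&1; then
        echo "archive unreadable: $archive" >&2
        return 1
    fi
    echo "$archive verified"
}

# The copy step of the recipe, extended to carry the checksum file as well.
# SERVER_B is a placeholder for Server B's IP address (run on Server A):
#   record_backup_checksum /var/www/backup/back-up-file.tar
#   scp /var/www/backup/back-up-file.tar /var/www/backup/back-up-file.tar.sha256 \
#       root@SERVER_B:/var/www/backup/
# Then on Server B, before chown and before using Backup/Restore:
#   verify_backup_archive /var/www/backup/back-up-file.tar
```

Because the checksum file travels over the same scp session as the archive, it protects against transfer errors and against changes made to the archive after it was copied; it does not replace the server-key check scp itself performs on first connection.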

There is more…

If we click on the FTP Backup option, we can drag and drop any selected backup to upload it to a remote FTP server, or we can download it locally. We only need to enter the correct data to log in to the remote FTP server. The data to enter are as follows:

  • Server FTP: IP address or domain name of the remote FTP server
  • Port: FTP port
  • User: User
  • Password: Password
  • Path Server FTP: Folder or directory to store the backup

The next screenshot shows the FTP-Backup menu and options:


Although securing systems is a very important and sometimes difficult area that requires a high level of knowledge, in this article, we discussed the most common but effective tasks that should be done in order to keep your Elastix Unified Communications System healthy and secure.

Summary

The main objective of this article is to give you all the necessary tools to configure and support an Elastix Unified Communications Server. We look at these tools through Cookbook recipes; just follow the steps to get an Elastix system up and running.

Although a good Linux and Asterisk background is required, this article is structured to help you grow from a beginner to an advanced user.
