O’RourkeTech Synology Silver Certified

Synology Network Attached Storage (PRNewsFoto/Synology America Corp.)

It’s important to us to always provide the best solutions to our clients. After trying all of the major players in the small business network storage space, there was no denying that Synology was the cream of the crop. We are proud to announce that we are now both Synology authorized resellers and Synology Silver Certified.

If you don’t know what a Network Attached Storage (NAS) is, at its core it’s a hard drive that is attached to your network instead of directly to your computer. Synology’s offerings use redundant disks for better reliability and have a ton of great features. You can back up your Windows or Apple computer to them, store your important files directly on the device, and have it back up your data to the cloud as well. The list of features is too long to mention here, in fact. If you feel you need more storage or a more reliable place to back up your data, let us know. We’ll design a solution that meets your needs and budget.

VoIP Security: Configuring the Elastix Firewall GUI

So you’ve got your Asterisk-based Elastix system up and running and you are able to make and receive calls. It’s probably safe to assume you have a static public IP address, and a NAT router/firewall forwarding SIP traffic on UDP port 5060 to your server and RTP traffic on a range of UDP ports forwarded to your server as well. Your setup may vary, and I’ll assume that you have the knowledge to get the traffic to your server.

The good news is that your setup works; the bad news is that your VoIP server is probably still exposed to attackers who are (NO JOKE) actively trying to get into it. SIP is a very high value target, because a compromised extension can be used to place toll calls on your trunk, and people are constantly scanning the internet for anything answering on port 5060. When they find one, the first thing they usually do is walk through common extension numbers (100, 101, 1000, admin and so on) and brute-force the SIP password of each with REGISTER requests until one succeeds.

You will get notifications in your log like this one that show someone is trying to break in:

[Screenshot: Asterisk log entries showing repeated failed registration attempts from one address]

I am sure you were smart and set up very strong passwords for your extensions, but to be even safer it is a good idea to block inbound SIP traffic from any IP range you do not trust, so that the guessing never reaches Asterisk in the first place.
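Before locking the firewall down it helps to know who is actually hammering the box. The page only shows its log as a screenshot, so the following is an added example, not the author’s code: it runs over a few constructed lines in the chan_sip NOTICE format that Asterisk writes to /var/log/asterisk/full, counts failed REGISTER attempts per source address, ignores a trusted LAN, and flags sources that are walking through many different extension numbers (a scanner) rather than retrying one (a user with a typo). The log lines, the 192.168.1.0/24 trusted network, the threshold of 3 and the server address 203.0.113.10 are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the chan_sip NOTICE format from
# /var/log/asterisk/full. These are made up for the example; the page shows
# its own log only as a screenshot. Addresses are documentation ranges plus
# the 37.75.0.0/16 range the page later blocks.
SAMPLE_LOG = """\
[2014-01-02 10:41:03] NOTICE[2432] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '37.75.8.21:5060' - Wrong password
[2014-01-02 10:41:04] NOTICE[2432] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '37.75.8.21:5060' - Wrong password
[2014-01-02 10:41:04] NOTICE[2432] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '37.75.8.21:5060' - No matching peer found
[2014-01-02 10:41:05] NOTICE[2432] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '37.75.8.21:5060' - Wrong password
[2014-01-02 10:41:06] NOTICE[2432] chan_sip.c: Registration from '"admin" <sip:admin@203.0.113.10>' failed for '37.75.8.21:5060' - No matching peer found
[2014-01-02 10:44:06] NOTICE[2432] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10>' failed for '192.168.1.55:5060' - Wrong password
[2014-01-02 10:50:12] VERBOSE[2432] chan_sip.c:     -- Registered SIP '201' at 192.168.1.55:5060
"""

# One failed REGISTER: who claimed to be registering, from which address, why it failed.
FAILED_REG = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)
SIP_USER = re.compile(r"sip:([^@>]+)@")


def parse_failures(log_text):
    """Return (source_ip, attempted_extension, reason) for each failed REGISTER."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if not m:
            continue                      # successful registrations, other noise
        u = SIP_USER.search(m.group("from"))
        out.append((m.group("ip"), u.group(1) if u else "?", m.group("reason")))
    return out


def suspicious_sources(log_text, threshold=3, trusted_nets=("192.168.1.0/24",)):
    """Map source IP -> summary for untrusted sources with >= threshold failures.

    'enumerating' is True when the source tried three or more distinct
    extensions: a scanner walks extension numbers, a real phone retries one.
    threshold and trusted_nets are assumptions for the example.
    """
    trusted = [ip_network(n) for n in trusted_nets]
    counts = Counter()
    exts = defaultdict(set)
    for ip, ext, _reason in parse_failures(log_text):
        if any(ip_address(ip) in net for net in trusted):
            continue                      # LAN mistakes are not break-in attempts
        counts[ip] += 1
        exts[ip].add(ext)
    return {
        ip: {"failures": n,
             "extensions": sorted(exts[ip]),
             "enumerating": len(exts[ip]) >= 3}
        for ip, n in counts.items() if n >= threshold
    }


if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG).items():
        print(ip, info)
```

On a real system, point it at /var/log/asterisk/full; the sources it reports are the ones whose ranges belong in a block rule ahead of any allow rule, exactly what the 37.75.0.0/16 rule below does.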

The Elastix GUI lets you control your server’s firewall settings by taking over iptables, the Linux packet filter. If you choose to use the Elastix Firewall GUI, it is best to use it exclusively and not rely on hand-coded iptables rules, because the GUI will overwrite them.

The first thing to do is go to the Security Tab on the Elastix Admin.

[Screenshot: the Security tab in the Elastix admin]

The first page that opens should be the Firewall settings, where you turn the Elastix Firewall on. From this point on the Elastix Firewall controls your iptables rule set and any hand-coded rules you had are gone, so all further firewall configuration has to be done in the Elastix Firewall GUI.

Note that if you have services running on ports not covered by the default rules, Webmin for example, they will stop working until you define their ports and allow them.

The default settings for the Elastix Firewall are pretty much useless for security purposes: they let any traffic from anywhere into the server. To configure them you need to know how they work. The rules are numbered and processed in order, and the first matching rule wins, so a broad allow rule placed above a narrower block rule makes the block rule useless. You should not modify the first rule or the last three, as they are critical to the system: rule 1 allows local loopback traffic, and the last three are the system rules that let the box itself keep functioning.

For an in-depth look at how these rules and the Elastix Firewall GUI work check out This Guide that will help with most everything covered here except the final configuration.

If the only thing you are running on your system is Elastix/Asterisk and your VoIP provider has given you the IP addresses of the servers your incoming traffic will come from, create a rule for each address and move it anywhere above the last three rules. Click the new rule button and add the IP address of the first server with a CIDR of /32 (one address allowed).

[Screenshot: the new rule dialog with a single provider address and a /32 mask]

Then move the rule up using the up and down buttons next to the rule number; anywhere above the last three rules will work. Make a new rule for each valid server IP address from your SIP trunk provider. Your SIP provider may give you a range of expected RTP IP addresses as well, and you can set up those addresses for RTP in a similar fashion. My SIP trunk provider only provides them for SIP connections, so I have to leave RTP open. That is less bad than it sounds: Asterisk only binds an RTP port for the duration of a call, so there is no permanently listening service on that range to brute-force, though scanners will still probe it.

Now go ahead and edit the firewall rules for the services that you do use so that they include only the IP ranges you want to allow to access them. For example, edit the incoming SIP rule to cover your local network so LAN devices can connect, and edit the SSH rule to allow only your personal workstation or your local LAN.

Now use the Lightbulb icon to deactivate any services you do not use.

At the end of the day your firewall should look similar to this:

[Screenshot: the final firewall rule list]

The rules basically say:

  1. Loopback traffic is OK
  2. Traffic from 37.75.0.0/16 on any protocol is blocked (a range that was trying to break in often)
  3. Traffic from my LAN is allowed on SSH
  4. Traffic from provider SIP IP 1 on UDP:5060 is allowed
  5. Traffic from provider SIP IP 2 on UDP:5060 is allowed
  6. Traffic from provider SIP IP 3 on UDP:5060 is allowed
  7. Traffic from provider SIP IP 4 on UDP:5060 is allowed
  8. Traffic from my LAN on UDP:5060 is allowed
  9. Traffic from my LAN on HTTPS is allowed
  10. Traffic from my LAN on Dell OpenManage is allowed
  11. Traffic from any address on RTP is allowed

To set up rule 10, or a similar rule for a non-standard service/port, go to Define Ports and add a new port for your service, then add a firewall rule allowing that service from the appropriate IP ranges.

All the rules below these are disabled with the yellow light bulb, except the final three system rules.

[Screenshot: the remaining rules disabled with the yellow light bulb, with the three system rules at the end]

Now you have a more-secure Elastix system, using the Elastix Firewall GUI.
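Because the GUI evaluates rules top to bottom and the first match wins, the order of the list above is part of its meaning. The following is an added example, not Elastix code and not the author’s: it models the eleven rules as an ordered table, decides what a given packet would hit, renders the table as the equivalent iptables lines, and lists the rule pairs whose overlap makes their relative order matter. The LAN 192.168.1.0/24, the four provider addresses in 198.51.100.0/24, the 10000-20000 RTP range (Asterisk’s stock rtp.conf range) and port 1311 for Dell OpenManage are all assumptions; the page does not give the real values.

```python
from ipaddress import ip_address, ip_network

# Assumed values (documentation ranges): the page does not print its real
# provider or LAN addresses, its RTP range, or the OpenManage port.
LAN = "192.168.1.0/24"
PROVIDER_SIP = ["198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
RTP_PORTS = (10000, 20000)

# Ordered rule table mirroring the page's final list. Each rule is
# (action, source network, protocol, destination port); '*' means any.
# Rule 1 is the GUI's loopback rule (it really matches the lo interface,
# modelled here by source 127.0.0.0/8).
RULES = (
    [("ACCEPT", "127.0.0.0/8", "*", "*"),                           # 1 loopback
     ("DROP",   "37.75.0.0/16", "*", "*"),                          # 2 noisy range
     ("ACCEPT", LAN, "tcp", 22)]                                    # 3 SSH from LAN
    + [("ACCEPT", f"{ip}/32", "udp", 5060) for ip in PROVIDER_SIP]  # 4-7 SIP from trunk
    + [("ACCEPT", LAN, "udp", 5060),                                # 8 SIP from LAN
       ("ACCEPT", LAN, "tcp", 443),                                 # 9 HTTPS admin from LAN
       ("ACCEPT", LAN, "tcp", 1311),                                # 10 Dell OpenManage (assumed port)
       ("ACCEPT", "0.0.0.0/0", "udp", RTP_PORTS)]                   # 11 RTP from anywhere
)


def _as_range(port):
    """Normalise '*', a single port or a (lo, hi) tuple to (lo, hi)."""
    if port == "*":
        return (0, 65535)
    return port if isinstance(port, tuple) else (port, port)


def _matches(rule, src, proto, dport):
    _action, net, rproto, rport = rule
    lo, hi = _as_range(rport)
    return (ip_address(src) in ip_network(net)
            and rproto in ("*", proto)
            and lo <= dport <= hi)


def decide(src, proto, dport, rules=RULES):
    """First match wins. Anything unmatched falls through to the closing
    system rules, modelled here as DROP. Returns (action, rule number)."""
    for n, rule in enumerate(rules, start=1):
        if _matches(rule, src, proto, dport):
            return rule[0], n
    return "DROP", len(rules) + 1


def order_dependent_pairs(rules=RULES):
    """(later, earlier) rule numbers whose match sets overlap but whose actions
    differ. On the overlap the earlier rule wins, so moving either one changes
    behaviour: check that each pair has the rule you meant on top."""
    pairs = []
    for i, (act_i, net_i, pr_i, po_i) in enumerate(rules, start=1):
        lo_i, hi_i = _as_range(po_i)
        for j, (act_j, net_j, pr_j, po_j) in enumerate(rules[: i - 1], start=1):
            lo_j, hi_j = _as_range(po_j)
            if (act_i != act_j
                    and ip_network(net_i).overlaps(ip_network(net_j))
                    and ("*" in (pr_i, pr_j) or pr_i == pr_j)
                    and lo_i <= hi_j and lo_j <= hi_i):
                pairs.append((i, j))
    return pairs


def to_iptables(rules=RULES):
    """Render the table as the iptables -A INPUT lines the GUI manages."""
    out = []
    for action, net, proto, port in rules:
        cmd = f"iptables -A INPUT -s {net}"
        if proto != "*":
            cmd += f" -p {proto}"
            if port != "*":
                lo, hi = _as_range(port)
                cmd += f" --dport {lo}" if lo == hi else f" --dport {lo}:{hi}"
        out.append(f"{cmd} -j {action}")
    return out


if __name__ == "__main__":
    print("\n".join(to_iptables()))
    print(decide("37.75.8.21", "udp", 12000))      # ('DROP', 2): blocked range beats RTP-any
    print(decide("198.51.100.10", "udp", 5060))    # ('ACCEPT', 4): trunk SIP
    print(decide("203.0.113.9", "udp", 5060))      # ('DROP', 12): random internet host, no rule
    print(order_dependent_pairs())                 # [(11, 2)]: RTP-any is narrowed by the block
```

With the page’s order, order_dependent_pairs() reports only (11, 2): the RTP-anywhere rule overlaps the 37.75.0.0/16 block, and the block wins because it is earlier, which is what you want. Move the block rule below the RTP rule and the report flips to (11, 10), and decide() shows RTP probes from that range now being accepted; that is the concrete reason the article tells you to keep block rules and provider rules above the broad ones.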

A word to the wise: should you lock yourself out of the Elastix admin over HTTPS with a bad Elastix Firewall rule, you need to SSH in or get on the console locally and type:

sudo service iptables stop

This flushes every rule and leaves the server wide open to the internet, so keep that session open and work quickly. Log in via the admin panel, change the offending rule, then go back to SSH or the local console and type:

sudo service iptables start

Asterisk Adventure – The Prelude

I am going back pretty far into the past, but I want to tell the story here.

Work has been using the same phone system for about a million years. The main part of it is an old Siemens analog PBX that used to be interfaced with a PRI and has since been converted by the Provider From Hell (PFH, a lot more on that later) to use an Adtran SIP-to-PRI gateway on a SIP trunk, with varying success, over a T1 line to the office.

The problems with this system are myriad.

• Unreliable call quality

• Regular crashes of the PBX requiring a hard reboot

• Intermittent Trunk to PSTN routing problems that result in fast busy when dialing

Trying to diagnose the issues is compounded by the fact that we are using ancient equipment with a million points of failure, and the PFH is very hard to deal with in getting a straight answer about anything. I will concede that my users are also incredibly hard to deal with, in that they seem to have unlimited free time in their complaining schedule, but their accurately-noting-the-errors schedule is completely booked.

All this is a nightmare, and considering that when this all started I knew basically nothing about telecom and VoIP other than that it carried voice over IP, hence the name, I was highly reluctant to involve myself at all in the process.

It finally came to pass that the difficult users and the PFH built up enough hatred towards one another that they needed to divorce, and hey, I handle IT, right? So it should totally be my job to fix all this.

Now it was the time to embark on a project to hopefully achieve all of the stated goals:

• Provide relatively reliable phone service

• Save a bunch of money

• Be able to handle everything but the data link and trunk in house.

If you are still reading this and don’t know what VoIP or a SIP trunk are: VoIP stands for Voice over Internet Protocol, which takes standard phone communication and carries a lot of it over the internet rather than the PSTN (Public Switched Telephone Network), and in the process saves money in a lot of cases. Also, since it works over IP, techies like myself have an easier time working with it because we are already familiar with IP.

A SIP trunk is a service that takes SIP (Session Initiation Protocol) communications, the most popular way to set up VoIP calls, and connects them to the PSTN when necessary, so that internet calls can become “real” calls, go over the phone network, and ring your grandma’s old-school phone line.