O’RourkeTech Synology Silver Certified

Synology Network Attached Storage (PRNewsFoto/Synology America Corp.)


It’s important to us to always provide the best solutions to our clients. After trying all of the major players in the small business network storage space, there was no denying that Synology was the cream of the crop. We are proud to announce that we are now both a Synology authorized reseller and Synology Silver Certified.

If you don’t know what a Network Attached Storage (NAS) is, at its core it’s a hard drive that is attached to your network instead of directly to your computer. Synology’s offerings use redundant disks for better reliability and have a ton of great features. You can back up your Windows or Apple computer to them, store your important files directly on the device, and have it back up your data to the cloud as well. The list of features is in fact too long to mention here. If you feel you need more storage or a more reliable place to back up your data, let us know. We’ll design a solution that meets your needs and budget.

Synology Silver

Asterisk Failover – Switch to Second ISP Script

I wanted to make a script to make my failover to a secondary ISP easy and fast if my dedicated WAN link for VoIP went down and I needed to route traffic through my data WAN link in a hurry.

Let’s assume the following:

  1. You have a secondary IP connection that you use exclusively for VoIP traffic.
  2. You have a NAT router/firewall for each WAN link plugged into your main switch, and use one as a gateway for data and the other for VoIP, but you have SIP and RTP forwarded to the Asterisk server from both NAT/firewalls.
  3. Your SIP provider supports failover to a secondary IP and you have configured the failover to your secondary data WAN.
  4. Both WAN connections have a static IP address.
  5. You only have one Asterisk server.

I know this is super specific, but you may get some use out of this script in other similar scenarios. You need to do a bit of setup in order for this to work. The script will switch between configuration files and restart associated services. The files affected are:

/etc/asterisk/sip_nat.conf
/etc/sysconfig/network
/etc/resolv.conf

Assuming your system is currently set up for your VoIP ISP (let’s say it’s AT&T) and your data WAN is Time Warner Cable, make a copy of each config file for each ISP as follows:

# cp /etc/asterisk/sip_nat.conf /etc/asterisk/sip_nat.att
# cp /etc/asterisk/sip_nat.conf /etc/asterisk/sip_nat.twc
# cp /etc/sysconfig/network /etc/sysconfig/network.att
# cp /etc/sysconfig/network /etc/sysconfig/network.twc
# cp /etc/resolv.conf /etc/resolv.att
# cp /etc/resolv.conf /etc/resolv.twc

Now edit all of the .twc files in your text editor of choice and change the settings needed.

In sip_nat.conf you need to change the external IP to the static IP address of your data WAN; in network you need to change the gateway to the local IP of the NAT router/firewall for the data WAN; and in resolv.conf you need to change the DNS servers if you are using the router’s or your ISP’s DNS servers. If you are using a third party like Google or OpenDNS you don’t need to change those values.

So now you have two alternative versions of the configuration files, one for ISP att and one for ISP twc.

Now just make the shell script.

# nano /usr/local/bin/ispswitch.sh
#!/bin/bash
# Refuse to run without an ISP argument (otherwise the copies below would fail)
[ -n "$1" ] || { echo "usage: ispswitch.sh att|twc"; exit 1; }
# Switch the gateway to the config for the ISP given as the argument (att or twc)
cp /etc/sysconfig/network.$1 /etc/sysconfig/network
# Switch the DNS servers to the config for that ISP
cp /etc/resolv.$1 /etc/resolv.conf
# Restart networking so the new gateway and DNS take effect
/sbin/service network restart
# Switch sip_nat.conf to the external IP for that ISP
cp /etc/asterisk/sip_nat.$1 /etc/asterisk/sip_nat.conf
# Restart Asterisk so it reads the new sip_nat.conf
asterisk -rx "restart now"
# sudo chmod +x /usr/local/bin/ispswitch.sh

Now you have a shell script that will switch between the sets of config files when you feed it the three letter file extension as follows:

# /usr/local/bin/ispswitch.sh att

This will switch to the AT&T configuration files. If you feed it the argument “twc” it will switch to those files.

Obviously this is not something you want to do or test while people are on the phone, but it will get the job done. The scenario is: your VoIP data link goes down, your VoIP provider tries to route calls to the backup IP address, and calls start to ring through on the backup IP (but with one-way audio, because of the wrong gateway and the wrong sip_nat.conf settings). You then quickly run this script to switch the settings while you fix the primary WAN connection.
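Here is a more defensive version of the switch script, added as an example and not the post’s own script. It rejects any argument other than att or twc, verifies all three per-ISP files exist before it copies anything (so a typo can’t leave the box half-switched), keeps a .bak of each live file, and only restarts services after every copy succeeded. CONF_ROOT and RESTART are assumed knobs, not from the post, so the copy logic can be tried in a scratch directory.

```bash
#!/bin/bash
# Added example, not the original post's script: a hardened ispswitch.sh.
# It rejects unknown ISP tags, checks that every per-ISP file exists
# before touching anything, keeps a .bak of each live file and restarts
# services only after all copies succeeded. CONF_ROOT and RESTART are
# assumed knobs (not from the post) so the copy logic can be exercised
# against a scratch directory with no real services.
CONF_ROOT="${CONF_ROOT:-}"   # prefix for all paths; empty on a real box
RESTART="${RESTART:-yes}"    # set to "no" to skip the service restarts

# The live files the post swaps out. The per-ISP variant of each is the
# same name with any .conf suffix removed and .<tag> appended, exactly as
# the post names them (network.att, resolv.att, sip_nat.att).
LIVE_FILES="/etc/sysconfig/network /etc/resolv.conf /etc/asterisk/sip_nat.conf"

variant_for() {                  # variant_for <live file> <tag>
    printf '%s\n' "${1%.conf}.$2"
}

switch_isp() {                   # switch_isp att|twc
    tag="$1"
    case "$tag" in
        att|twc) ;;
        *) echo "usage: ispswitch.sh att|twc" >&2; return 2 ;;
    esac
    # Stage 1: abort before any change if a variant file is missing.
    for f in $LIVE_FILES; do
        src="$CONF_ROOT$(variant_for "$f" "$tag")"
        [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    done
    # Stage 2: back up each live file, then install the variant.
    for f in $LIVE_FILES; do
        src="$CONF_ROOT$(variant_for "$f" "$tag")"
        if [ -f "$CONF_ROOT$f" ]; then cp -p "$CONF_ROOT$f" "$CONF_ROOT$f.bak"; fi
        cp -p "$src" "$CONF_ROOT$f" || return 1
    done
    # Stage 3: networking first (new gateway and DNS), then Asterisk so
    # it re-reads sip_nat.conf with the new external address.
    if [ "$RESTART" = yes ]; then
        /sbin/service network restart || return 1
        asterisk -rx "restart now" || return 1
    fi
    echo "switched to $tag"
}

# Act as a command when given an argument; otherwise just define functions.
if [ $# -gt 0 ]; then switch_isp "$1"; fi
```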


Firewall

VoIP Security: Configuring the Elastix Firewall GUI

So you’ve got your Asterisk based Elastix system up and running and you are able to make and receive calls. It’s probably safe to assume you have a static public IP address, and a NAT router/firewall forwarding SIP traffic on port 5060 to your server and RTP traffic on a range of ports forwarded to your server as well. Your setup may vary, and I’ll assume that you have the knowledge to get the traffic to your server.

The good news is that your setup works; the bad news is that your VoIP server is probably still exposed to hackers who are (NO JOKE) actively trying to access your server. SIP is a very high value target for hackers and people are constantly scanning the internet for open connections on port 5060. When they find one, the first thing they usually do is try to brute force the passwords of common extensions and get access to the server.

You will get notifications in your log like this one that show someone is trying to break in:

Screen shot 2014-01-02 at 10.44.06 AM

I am sure you were smart and set up very strong passwords for your extensions, but to be even safer it is a good idea to block inbound SIP traffic from non-trusted IP ranges.

The Elastix GUI allows you to control your server’s firewall settings by taking control of iptables, the Linux software firewall. If you choose to use the Elastix Firewall GUI, it is best to use it exclusively and not rely on hand-coded iptables rules.

The first thing to do is go to the Security Tab on the Elastix Admin.

Screen shot 2014-01-02 at 11.37.35 AM

The first panel that opens should be the Firewall settings, where you need to turn the Elastix Firewall on. At this point the Elastix Firewall is controlling your iptables and any hand-coded rules you have made are nullified, so you need to set up your firewall rules in the Elastix Firewall GUI exclusively.

Note that if you have services that are running on ports not covered by the default rules, like for example Webmin, they will cease to function until you allow them.

The default settings for the Elastix Firewall are pretty much useless for security purposes, letting any traffic from anywhere into the server. You need to know how the rules work to configure them: they are numbered and are processed in order. You should not modify the first rule or the last three as they are critical to the system. Rule 1 allows local loopback traffic and the last three rules allow the system to function.

For an in-depth look at how these rules and the Elastix Firewall GUI work, check out This Guide, which will help with most everything covered here except the final configuration.

If the only thing you are running on your system is Elastix/Asterisk and your VoIP provider has given you the IP addresses of their servers from which you can expect incoming traffic, you need to create a rule for each IP address and move it anywhere above the last three rules. Click the New Rule button and add the IP address of the first server with a CIDR of /32 (one address allowed).

Screen shot 2014-01-02 at 11.54.07 AM

Then move the rule up using the up and down buttons next to the service number, anywhere above the last three rules will work. Make a new rule for each valid server IP address from your SIP trunk provider. Your SIP provider may give you a range of expected RTP IP addresses as well, and you can set up those addresses for RTP in a similar fashion. My SIP trunk provider only provides them for SIP connections so I have to leave RTP open.

Now go ahead and edit the firewall rules for the services that you do use to include only the IP ranges you want to allow to access them. For example, edit the incoming SIP rule to your local network to allow LAN devices to connect, and edit the SSH rule to be your personal workstation or your local LAN.

Now use the Lightbulb icon to deactivate any services you do not use.

At the end of the day your firewall should look similar to this:

Screen shot 2014-01-02 at 12.07.20 PM

The rules basically say:

  1. Loopback traffic is OK
  2. Traffic from 37.75.0.0/16 on any protocol is blocked (this region was trying to break in often)
  3. Traffic from my LAN is allowed on SSH
  4. Traffic from Provider SIP IP 1 on UDP:5060 is allowed
  5. Traffic from Provider SIP IP 2 on UDP:5060 is allowed
  6. Traffic from Provider SIP IP on UDP:5060 is allowed
  7. Traffic from Provider SIP IP on UDP:5060 is allowed
  8. Traffic from my LAN on UDP:5060 is allowed
  9. Traffic from my LAN on HTTPS is allowed
  10. Traffic from my LAN on Dell OpenManage is allowed
  11. Traffic from any address on RTP is allowed

To set up rule 10 or a similar rule for a non-standard service/port, you need to go to Define Ports and add a new port for your service, then add a firewall rule to allow the service for the appropriate IP ranges.

All the rules below are disabled with the yellow light bulb except the final three system rules.

Screen shot 2014-01-02 at 10.40.24 AM

Now you have a more-secure Elastix system, using the Elastix Firewall GUI.
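Once the GUI rules are saved, it is worth confirming what actually landed in iptables rather than trusting the screenshot. The following script is an added example, not part of the post or of Elastix: it reads iptables -S INPUT output and flags any rule that still accepts port 5060 from every source. The rule dump embedded in it is a constructed sample in the shape iptables -S prints, with 203.0.113.5 standing in for a real provider address.

```bash
#!/bin/bash
# Added example, not from the post or Elastix: audit the live INPUT chain
# for SIP exposure after the GUI rules are saved. Reads "iptables -S INPUT"
# output on stdin, prints each source allowed to reach port 5060 and flags
# any ACCEPT for 5060 that has no source restriction. Exit status is 1 if
# such an open rule exists, so it can gate a cron job or a deploy step.

# Constructed sample in the shape iptables -S prints; 37.75.0.0/16 is the
# blocked range from the post, 203.0.113.5 stands in for a provider SIP
# server, and the last line is a leftover catch-all rule the audit should catch.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 37.75.0.0/16 -j DROP
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT'

audit_sip_rules() {   # stdin: iptables -S output; returns 1 if 5060 is open
    open=0
    while IFS= read -r rule; do
        # Only ACCEPT rules for the SIP port matter here (single --dport;
        # a multiport --dports list would need a second pattern).
        case "$rule" in
            *"--dport 5060"*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        # Pull the -s source out of the rule; empty means "any source".
        src=$(printf '%s\n' "$rule" | sed -n 's/.* -s \([^ ]*\).*/\1/p')
        if [ -z "$src" ] || [ "$src" = "0.0.0.0/0" ]; then
            echo "OPEN: $rule"
            open=1
        else
            echo "allowed: $src"
        fi
    done
    return $open
}

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_RULES" | audit_sip_rules ;;
    --live)   iptables -S INPUT | audit_sip_rules ;;   # run as root on the PBX
esac
```

Run it with --sample to see the report on the embedded rules, or with --live on the PBX itself.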

A word to the wise, should you break your ability to access the Elastix admin via HTTPS with the Elastix Firewall GUI, you need to SSH or locally access the system and type:

sudo service iptables stop

Then go ahead and log in via the admin panel, change the offending rule and then go back in via SSH or local access and type:

sudo service iptables start

Launch a simple WordPress site using Amazon Web Services

Who doesn’t love WordPress? It is responsible for somewhere around 19% of the web’s content and if you’ve never used it you should give it a try. Who doesn’t want to learn how to use AWS? Well probably most people but I’ve been liking the granular control of AWS since I started playing around with it. If you want to give it a spin, here is a brief tutorial that should get you up and running in about a half hour and give you a look at many of the key components.

First of all you are going to need to set yourself up. Depending upon your OS and what you already have going on, you are going to need to install an SSH client. PuTTY is a great free tool and the software of choice for most, but I actually like the free edition of MobaXterm as it automatically supports the .pem key format from Amazon, is more colorful and has SFTP built right in.

Screen shot 2013-12-18 at 9.15.46 AM

You will be using the terminal, SSH and the Linux command line for this project.

Next head over to AWS.amazon.com and sign up for a free tier account. This will allow you to use up to 750 hours of hosting for free among other things.

Once you have done all the verification steps and are able to log into the AWS console, head to the EC2 Management Console.

Screen shot 2013-12-18 at 9.39.52 AM


In the Network and Security section make a new key pair and download the .pem file to your computer and put it in a safe location. This is the key file used in place of a password for your server. It is more secure than a simple password as long as you keep the file away from prying eyes. In fact, on Linux and OS X you will need to change the permissions of the .pem file to 600 (only you can read and write; all others forbidden) in order to use it to connect. You can do this simply on the command line using:

sudo chmod 600 /pathtoyourfile/keyname.pem

Now you can use your terminal program of choice to connect to your server instance once you create it in AWS.

Now you can go ahead and head back to the root of the AWS console by clicking the orange box in the upper left. Now head over to Cloud Formation.

Screen shot 2013-12-18 at 9.48.59 AM

This is where you can set up templates for server instances that you can create on demand. Click the “Create Stack” button to begin the process. You can tinker with custom text-based templates to your heart’s content in the future, but for now give your template a name like “WordPressLab” and use the following URL in the “Provide a Template URL” field:

https://s3.amazonaws.com/cloudformation-templates-us-east-1/WordPress_Single_Instance.template

Screen shot 2013-12-18 at 9.50.38 AM

In the next screen enter strong passwords. You’ll need to enter your key name that you chose and CHANGE THE INSTANCE type to:

t1.micro

If you do not enter the key name exactly you will not be able to connect, and if you do not change the instance type it won’t be free. If you have a static IP address for your home computer, or don’t mind changing this setting frequently for added security, change the SSH address to 111.111.111.111/32 where the 1’s are your system’s static IP address; that way only that system can log in through SSH with the key.

Skip by the “Tags” screen and you should get to the confirmation screen.

Screen shot 2013-12-18 at 10.00.51 AM

Clear the next screen and you should see this in the CloudFormation console:

Screen shot 2013-12-18 at 10.03.43 AM


Head back on over to the EC2 Instance Manager where you made the Key Pair and take a 5 minute coffee break.

You should now have a running WordPress Web Server and the console will look somewhat like this:

Screen shot 2013-12-18 at 10.11.58 AM copy


The IP address listed there is a public IP and you can put it in a new browser window and you will see that your Apache is up and running just fine.

If you head to http://yourserverIP/wordpress/ the wizard will let you create a login to your new blog. It’s easy as pie from there.

Screen shot 2013-12-18 at 10.07.54 AM


Screen shot 2013-12-18 at 10.08.06 AM Screen shot 2013-12-18 at 10.09.54 AM

However, you are not done that easily. Unfortunately your server does not yet support pretty hyperlinks, so your blog posts will always have ugly URLs, and you really don’t want that. Also you should know how to log in to your server via SSH, so fire up your terminal program.

If you are using MobaXterm you simply need to set up a new connection and choose the .pem key in the connection screen; the username is

ec2-user

It’s similar using PuTTY, but you need to use PuTTYgen to convert the .pem file to a .ppk file; just google that. This is not a PuTTY or MobaXterm article.

If you are using a linux or OSX terminal use:

ssh ec2-user@yourserverip -i /pathtopemfile/keyname.pem

Add the server with a yes and you are greeted with:

:~ user$ ssh ec2-user@yourserverip -i /pathtokey/keyname.pem
The authenticity of host 'yourserverip' can't be established.
RSA key fingerprint is a5:44:98:e9:88:c9:ea:ec:24:26:eb:a2:fb:13:ce:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'your server ip' (RSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

See /usr/share/doc/system-release/ for latest release notes.
There are 38 security update(s) out of 243 total update(s) available
Amazon Linux version 2013.09 is available.
[ec2-user@ip-172-31-7-36 ~]$
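Before typing yes at that prompt, the fingerprint ssh shows can be checked against the one the instance printed to its own console at boot (EC2 console, “Get System Log”). This is an added example, not part of the post; the console text in it is a constructed sample in the shape Amazon Linux prints, using the fingerprint from the session above.

```bash
#!/bin/bash
# Added example, not from the post: check the RSA fingerprint shown at the
# first-connection prompt against the fingerprints the instance wrote to
# its own console at boot (EC2 console, "Get System Log", or
# "aws ec2 get-console-output"). A match means the host you reached is the
# instance you launched rather than something else answering on its IP.

# Constructed sample of the boot console in the shape Amazon Linux prints;
# the fingerprint is the one from the session in the post.
SAMPLE_CONSOLE='ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 a5:44:98:e9:88:c9:ea:ec:24:26:eb:a2:fb:13:ce:46 /etc/ssh/ssh_host_rsa_key.pub (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################'

# verify_host_fingerprint <fingerprint from the ssh prompt> <console text>
# Returns 0 only if the fingerprint appears inside the BEGIN/END block, so
# the same string elsewhere in the log does not count as a match.
verify_host_fingerprint() {
    printf '%s\n' "$2" | awk -v fp="$1" '
        /BEGIN SSH HOST KEY FINGERPRINTS/ { inblock = 1; next }
        /END SSH HOST KEY FINGERPRINTS/   { inblock = 0 }
        inblock && index($0, " " fp " ") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage: verify_fingerprint.sh <fingerprint> [saved-console-output-file]
if [ $# -ge 1 ]; then
    console="$SAMPLE_CONSOLE"
    if [ -n "${2:-}" ]; then console=$(cat "$2"); fi
    if verify_host_fingerprint "$1" "$console"; then
        echo "fingerprint $1 is in the instance console: safe to answer yes"
    else
        echo "fingerprint $1 NOT in the instance console: do not connect" >&2
        exit 1
    fi
fi
```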

Now you are in; you can use the sudo command to do root things and have control to your heart’s content. In order to enable the pretty hyperlinks you need to issue the following commands (this assumes you know how to use the vi editor):

sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.backup
sudo vi /etc/httpd/conf/httpd.conf

Find the section here:


Screen shot 2013-12-18 at 10.28.23 AM


And change BOTH instances of:

AllowOverride None

to

AllowOverride All

Save your file and then use

sudo httpd -k restart

Now you are ready to log back into your WordPress blog, head to Settings > Permalinks and choose the permalink style you want. You are also ready to SSH in when you need to!

Happy Pressing!