A howto on installing Asterisk with SS7 supported via libss7 on Sangoma hardware along with support for ISUP SAM messages.
After much head banging in bringing up an SS7 link with SAM support, I am documented what worked here.
Firstly, what is SAM support? One end of an SS7 link initialises a new call by sending an Initial Address Message (IAM). All SS7 software stacks support this and usually it’s enough. One case where it’s not enough is when one wants to address a phone number with more than the E.164 standard max length of 16 Â (usually to pass additional information tacked on the start, end of or even replacing an A or B number). In this scenario, SS7 uses a Subsequent Address Message (SAM)Â to send the additional digits. Most / all mainstream Asterisk SS7 software stacks do not support this.
The platform and software used is as follows:
Ubuntu 10.04 LTS standard CLI install;
dahdi-linux-complete-2.4.0 from the archives (direct link);
a patched version of libss7 supporting SAM via SVN (see below);
a patched version of chan-dahdi via SVN (see below);
SetÂ pointcode, adjpointcode and defaultdpcÂ as appropriate;
setÂ networkindicatorÂ as appropriate and ensure it matches the other end (you can see what youâ€™re being sent and what youâ€™re sending viaÂ ss7 debug;
cicsbeginwithÂ is normally 1 but the telco on my end are starting at 2 â€“ this wasÂ groping in the darkÂ diagnostics and issues such as no audio, CICs not in service when both sides claim they are, etc may point to misaligned CICs;
make sure you have configuredÂ from-pstnÂ or the appropriate context in yourextensions.conf.
Confirming Your Link Is Up
Now start wanrouterÂ (/etc/init.d/wanrouter start); dahdiÂ (/etc/init.d/dahdi start);Â and AsteriskÂ (/etc/init.d/asterisk start). You should see your link come up via logs available with theÂ dmesgÂ command. Launch the Asterisk console and check the status of your links:
While I will try to respond to comments and questions on this blog, I donâ€™t have the time to provide one on one assistance pro-bono. Professional consultancy on Asterisk and SS7 is available worldwide through my company,Â Open SolutionsÂ withÂ contact details here.
For posterity, I have addedÂ Domjan Attila patched libss7 and chan_dahdi to GitHub:
On our own Asterisk PBX server for our office and on some customer boxes with open SIP ports, we have seen a dramatic rise in brute force SIP attacks.
They all follow a very common pattern – just over 41,000 login attempts on common extensions such as 200, 201, 202, etc. We were even asked to provide some consultancy about two weeks ago for a company using an Asterisk PBX who saw strange (irregular) calls to African countries.
They were one example of such a brute force attack succeeding because of a common mistake:
an open SIP port with:
common extensions with:
a bad password.
(1) is often unavoidable. (2) can be mitigated by not using the predictable three of four digit extension as the username. (3) is inexcusable. We’ve even seen entries such as extension 201, username 201, password 201. The password should always be a random string mixing alphanumeric characters. A good recipe for generating these passwords is to use openssl as follows:
openssl rand -base64 12
Users should never be allowed to choose their own and dictionary words should not be chosen. The brute force attack tried >41k common passwords.
Preventing or Mitigating These Attacks
You can mitigate against these attacks by putting external SIP users into dedicated contexts which limit the kinds of calls they can make (internal only, local and national, etc); ask for a PIN for international calls; limit time and cost; etc.
However, the above might be a lot of work when simply blocking users after a number of failed attempts can be much easier and more effective. Fail2ban is a tool which can scan log files like /var/log/asterisk/full and firewall IP addresses that makes too many failed authentication attempts.
See VoIP-Info.org for generic instructions or below for a quick recipe to get it running on Debian Lenny.
Quick Install for Fail2ban with Asterisk SIP on Debian Lenny
apt-get install fail2ban
Create a file called /etc/fail2ban/filter.d/asterisk.conf with the following (thanks to this page):
Put the following in /etc/fail2ban/jail.local:
Edit /etc/asterisk/logger.conf such that the date format under [general]reads:
Also in /etc/asterisk/logger.conf, ensure full logging is enable with a line such as the following under [logfiles]: