Encrypting Voice Calls in Elastix and Fail2ban

This document discusses how to encrypt voice calls in Elastix by: 1. Creating security keys and certificates and storing them in the /etc/asterisk/keys folder. 2. Configuring the IP-PBX to support TLS by editing sip_general_custom.conf and adding TLS settings. 3. Enabling encryption on specific SIP peers by adding "transport=tls" to sip_custom.conf and reloading the SIP module. It also discusses installing and configuring Fail2Ban to block suspicious login attempts in Elastix by filtering logs, adding jail filters, and overriding settings in jail.local.

Uploaded by Godspower Inibu
Copyright © All Rights Reserved

ENCRYPTING VOICE CALLS IN ELASTIX

In Elastix/Asterisk, SIP calls can be encrypted in two ways: by encrypting the SIP signaling and by encrypting the RTP voice flow. To encrypt the SIP signaling, we will use the Transport Layer Security (TLS) protocol.

HOW TO DO IT

1. Create security keys and certificates. For this example, we will store our keys and
certificates in the /etc/asterisk/keys folder.

2. To create this folder, enter the mkdir /etc/asterisk/keys command.

3. Change the owner of the folder from the user root to the user asterisk:

chown asterisk:asterisk /etc/asterisk/keys

4. Generate the keys and certificates by going to the following folder and running the ast_tls_cert script:

cd /usr/share/doc/asterisk-11.20.0/contrib/scripts/
./ast_tls_cert -C chat.goldenoiltd.com -O "Goldenoil LTD" -d /etc/asterisk/keys

Where the options are as follows:

-C is used to set the host (DNS name) or IP address of our Elastix server.
-O is the organizational name or description.
-d is the folder where keys will be stored.

5. Generate a pair of keys for a pair of extensions (extension 7002 and extension 7003, for example):

For extension 7002:

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.20.31.107 -O "GoldenOil LTD" -d /etc/asterisk/keys -o 7002

And for extension 7003:

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.20.31.106 -O "GoldenOil LTD" -d /etc/asterisk/keys -o 7003

where:
-m client: This option tells the script to create a client certificate.
-c /etc/asterisk/keys/ca.crt: This option specifies the Certificate Authority to use (our IP-PBX).
-k /etc/asterisk/keys/ca.key: Provides the private key that matches the CA's *.crt file.
-C: This option defines the hostname or IP address of our SIP device.
-O: This option defines the organizational name (same as above).
-d: This option specifies the directory where the keys and certificates will be stored.
-o: This is the name of the key and certificate we are creating.

Note: When creating the client's keys and certificates, we must enter the same password that was set when creating the server's certificates.

6. Configure the IP-PBX to support TLS by editing the sip_general_custom.conf file located in the /etc/asterisk/ folder.

7. Add the following lines:

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=HIGH:!ADH
tlsclientmethod=tlsv1
tlsdontverifyserver=yes

These lines are in charge of enabling the TLS support in our IP-PBX. They
also specify the folder where the certificates and the keys are stored and set
the ciphering option and client method to use.

8. Add the line transport=tls to the extensions we would like to use TLS in the sip_custom.conf file located at /etc/asterisk/. This file should look like:

[7002](+)
encryption=yes
transport=tls

[7003](+)
encryption=yes
transport=tls

9. Reload the SIP module in the Asterisk service. This can be done by using the
command: asterisk -rx 'sip reload'

10. Configure our TLS-supporting IP phones. This configuration varies from model to model. It is important to mention that the port used for SIP over TLS is port 5061; therefore, our devices must use TCP/UDP port 5061. Once our devices are registered and we can call each other, we can be sure this configuration is working.

11. If we issue the command asterisk -rx 'sip show peer 7003', we will see that encryption is enabled. At this point, we have only enabled encryption at the SIP signaling level. With this, we prevent an unauthorized user from learning on which port the media (voice and/or video) is being transported, from stealing a username or password, or from eavesdropping on a conversation.

12. Now we will proceed to enable audio/video (RTP) encryption, known as Secure Real-time Transport Protocol (SRTP). To do this, we only need to enable the encryption=yes option on the SIP peers.

13. An SRTP call between peers 7002 and 7003 can be inspected with the command:

asterisk -rx 'sip show channel [the SIP channel of our call]'

14. The line RTP/SAVP tells us that the call is secure, and the call in the softphone shows a lock icon confirming that the call is secure.
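
As an added example (not part of the original document, and not Asterisk's own tooling), the following Python script parses the two fragments shown in steps 7 and 8, embedded here as constructed strings plus a third peer 7004 made up to show a failure case, and reports the settings a practitioner should look at before trusting the result. Two options above deserve attention: tlsdontverifyserver=yes and tlsclientmethod=tlsv1 only affect connections where Asterisk is the TLS client (for example, registering to a provider's trunk); the first turns off certificate checking on those connections and the second pins an obsolete protocol version, so both are flagged. The script also flags a peer with transport=tls but no encryption=yes (signaling protected, media not) and the reverse, encryption=yes on a non-TLS transport, where the SRTP keys carried in the SDP would travel unencrypted. The parser and the audit rules are this example's own.

```python
"""Audit chan_sip TLS/SRTP settings (added example, not from the document)."""
import re

# Constructed copy of the lines added to sip_general_custom.conf in step 7.
SIP_GENERAL_CUSTOM = """\
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=HIGH:!ADH
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
"""

# Constructed sip_custom.conf: 7002 as in step 8, 7003 missing encryption=yes,
# and a made-up 7004 with encryption=yes over plain UDP.
SIP_CUSTOM = """\
[7002](+)
encryption=yes
transport=tls

[7003](+)
transport=tls

[7004](+)
encryption=yes
transport=udp
"""

# Matches "[name]" and the "[name](+)" template-append form used in *_custom.conf.
SECTION_RE = re.compile(r"^\[([^\]]+)\](\(\+\))?\s*$")


def parse_sip_conf(text):
    """Return {section: {key: value}}; keys before any header go under 'general'."""
    sections = {"general": {}}
    current = "general"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit(general_sections, peer_sections):
    """Return a list of (severity, message) findings for the parsed config."""
    findings = []
    g = general_sections.get("general", {})
    if g.get("tlsenable", "no").lower() != "yes":
        findings.append(("error", "tlsenable is not 'yes'; the TLS listener is off"))
    if g.get("tlsdontverifyserver", "no").lower() == "yes":
        findings.append(("warn", "tlsdontverifyserver=yes disables certificate "
                                 "checks on outbound TLS connections (trunks)"))
    if g.get("tlsclientmethod", "").lower() == "tlsv1":
        findings.append(("warn", "tlsclientmethod=tlsv1 pins an obsolete protocol "
                                 "version for outbound TLS connections"))
    if "!adh" not in g.get("tlscipher", "").lower():
        findings.append(("warn", "tlscipher does not exclude anonymous DH (!ADH)"))
    for name, opts in peer_sections.items():
        if name == "general":
            continue
        transport = opts.get("transport", "udp").lower()
        encrypted = opts.get("encryption", "no").lower() == "yes"
        if transport == "tls" and not encrypted:
            findings.append(("warn", f"peer {name}: signaling over TLS but "
                                     "encryption=yes (SRTP) is missing"))
        if encrypted and transport != "tls":
            findings.append(("error", f"peer {name}: encryption=yes with "
                                      f"transport={transport}; SRTP keys in the "
                                      "SDP would be sent in cleartext"))
    return findings


if __name__ == "__main__":
    general = parse_sip_conf(SIP_GENERAL_CUSTOM)
    peers = parse_sip_conf(SIP_CUSTOM)
    for severity, message in audit(general, peers):
        print(f"[{severity}] {message}")
```

Run it as-is to see the four findings for the constructed input; to audit a real box, replace the two strings with the contents of /etc/asterisk/sip_general_custom.conf and /etc/asterisk/sip_custom.conf.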

.p12 Client Certificates

If your client requires a .p12 certificate file instead, you can generate one with openssl:

# openssl pkcs12 -export -out MySuperClientCert.p12 -inkey ca.key -in ca.crt -certfile asterisk.crt

For a client bundle, point -inkey and -in at the client's own key and certificate (the files named by the -o option in step 5) rather than at the CA's key pair: the CA private key signs every certificate the IP-PBX trusts and should never leave the server.

INSTALLING FAIL2BAN IN ELASTIX 4.0

Fail2ban is a program that examines specific system logs in order to ban IP addresses showing suspicious activity that could lead to a failure or an attack. It searches for the regular expressions declared in the *.conf files under the /etc/fail2ban/filter.d/ folder. If a condition is matched, it adds the suspicious IP address to the Linux kernel's firewall (iptables) and blocks it after a certain number of retries and for a certain period of time, sending an e-mail to the administrator. These actions are defined in the jail.conf file, which is located in the /etc/fail2ban/ folder. Fail2ban and iptables come installed in Elastix by default. If it is not installed, we can simply install it by typing yum -y install fail2ban.

yum install fail2ban

Again, press y and Enter when prompted to continue.

Once the installation has finished, use systemctl to enable the fail2ban service:

systemctl enable fail2ban

1. Create a file called asterisk.conf under the /etc/fail2ban/filter.d/ folder. This file will contain the regular expressions that we want to match whenever a user tries to log in or use Asterisk's services. Each failregex pattern goes on its own line (continuation lines are indented), and literal parentheses in the log text are escaped so they are not read as regex groups. The file should look like this:

# Fail2Ban configuration file for asterisk
[Definition]
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
ignoreregex =

2. Create the elastix.conf file and edit it as follows:

# Fail2Ban configuration file for Elastix WebGUI
[Definition]
failregex = LOGIN .* Authentication Failure to Web Interface login. Failed password for .* from <HOST>.
            LOGIN .* Authentication Failure to Web Interface login. Invalid user .* from <HOST>.
ignoreregex =

3. Edit the jail.conf file by adding the jail sections shown below. If we look at this file, in the [DEFAULT] section we can also use the following options:

[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3

If we scroll down, we can see the services' logs that will be monitored by Fail2ban and the actions to perform when a condition is met. For example, for the ssh service, we can see that it is enabled by default: it will add the suspicious IP address to the firewall, block it for 600 seconds after 5 retries, and send an e-mail to the address [email protected] with a report of the incident.

# Asterisk jail
[asterisk]
enabled = true
filter = asterisk
action = iptables-multiport[name="asterisk", port="5060,4569", protocol="udp"]
         sendmail-whois[name="SIP", dest="root", sender="[email protected]"]
logpath = /var/log/asterisk/full
bantime = 172800

# Elastix web interface
[elastix]
enabled = true
filter = elastix
action = iptables-multiport[name="elastix", port="http,https", protocol="tcp"]
         sendmail-whois[name="ELASTIX", dest="root", sender="[email protected]"]
logpath = /var/log/elastix/audit.log
bantime = 172800

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=[email protected]]
logpath = /var/log/secure
maxretry = 5

Configure Local Settings


The Fail2ban service keeps its configuration files in the /etc/fail2ban directory. There, you
can find a file with default values called jail.conf. Since this file may be overwritten by
package upgrades, we shouldn't edit it in-place. Instead, we'll write a new file called
jail.local. Any values defined in jail.local will override those in jail.conf.

jail.conf contains a [DEFAULT] section, followed by sections for individual services. jail.local may override any of these values. Additionally, files in /etc/fail2ban/jail.d/ can be used to override settings in both of these files. Files are applied in the following order:

/etc/fail2ban/jail.conf
/etc/fail2ban/jail.d/*.conf, alphabetically
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.local, alphabetically

Any file may contain a [DEFAULT] section, executed first, and may also contain sections for
individual jails. The last value set for a given parameter takes precedence.
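
To make the precedence rules concrete, here is an added Python example (not from the document and not Fail2ban's own code) that applies the load order listed above to constructed in-memory copies of jail.conf, jail.local and two jail.d files, and reports which file supplied each effective value for the asterisk jail. The merge follows configparser semantics, which Fail2ban's reader is built on: a key set in the jail's own section beats one set only in [DEFAULT], and among files the later one in load order wins. Every file body below is constructed; the jail.d file names are made up for the demonstration.

```python
"""Resolve a jail's effective settings from layered Fail2ban files (added example)."""

BASE = "/etc/fail2ban/"

# Constructed file contents keyed by path, deliberately listed out of load order.
FILES = {
    BASE + "jail.d/99-override.local": """
[asterisk]
maxretry = 5
""",
    BASE + "jail.local": """
[DEFAULT]
ignoreip = 192.168.1.0/24
bantime = 3600
findtime = 3600
Maxretry = 3
""",
    BASE + "jail.conf": """
[DEFAULT]
ignoreip = 127.0.0.1
bantime = 600
findtime = 600
maxretry = 3

[asterisk]
enabled = false
filter = asterisk
logpath = /var/log/asterisk/full
bantime = 172800
""",
    BASE + "jail.d/10-site.conf": """
[asterisk]
enabled = true
""",
}


def parse_ini(text):
    """Minimal INI reader: {section: {key: value}}.

    Keys are lower-cased (so "Maxretry" and "maxretry" are the same option,
    as with configparser); '#' and ';' comment lines are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        if current is not None and key.strip():
            sections[current][key.strip().lower()] = value.strip()
    return sections


def load_order(paths):
    """Order in which the files are read: jail.conf, jail.d/*.conf,
    jail.local, jail.d/*.local (jail.d entries alphabetically)."""
    jail_d = [p for p in paths if p.startswith(BASE + "jail.d/")]
    return ([p for p in paths if p == BASE + "jail.conf"]
            + sorted(p for p in jail_d if p.endswith(".conf"))
            + [p for p in paths if p == BASE + "jail.local"]
            + sorted(p for p in jail_d if p.endswith(".local")))


def resolve(files, jail):
    """Return (settings, origin): effective key -> value for `jail`, and
    key -> path of the file whose assignment won."""
    defaults, own = {}, {}  # key -> (value, path)
    for path in load_order(files):
        ini = parse_ini(files[path])
        for key, value in ini.get("DEFAULT", {}).items():
            defaults[key] = (value, path)
        for key, value in ini.get(jail, {}).items():
            own[key] = (value, path)
    merged = dict(defaults)
    merged.update(own)  # the jail's own section overrides [DEFAULT]
    return ({k: v for k, (v, _) in merged.items()},
            {k: p for k, (_, p) in merged.items()})


if __name__ == "__main__":
    settings, origin = resolve(FILES, "asterisk")
    for key in sorted(settings):
        print(f"{key:9} = {settings[key]:22} (from {origin[key]})")
```

The output shows the gotcha the order rule alone does not make obvious: bantime = 3600 in the [DEFAULT] section of jail.local does not reach the asterisk jail, because jail.conf sets bantime in the [asterisk] section itself. To change a value that a jail sets explicitly, set it in that jail's own section in jail.local, which is what the jail.local written below does.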

Let's begin by writing a very simple version of jail.local. Open a new file using nano (or your editor of choice):

sudo nano /etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 192.168.1.0/24
bantime = 3600
findtime = 3600
maxretry = 3

# Asterisk jail
[asterisk]
enabled = true
filter = asterisk
action = iptables-multiport[name="asterisk", port="5060,4569", protocol="udp"]
         sendmail-whois[name="SIP", dest="root", sender="[email protected]"]
logpath = /var/log/asterisk/full
bantime = 172800

# Elastix web interface
[elastix]
enabled = true
filter = elastix
action = iptables-multiport[name="elastix", port="http,https", protocol="tcp"]
         sendmail-whois[name="ELASTIX", dest="root", sender="[email protected]"]
logpath = /var/log/elastix/audit.log
bantime = 172800

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=root, sender=[email protected]]
logpath = /var/log/secure
Also create asterisk.local and elastix.local under the /etc/fail2ban/filter.d/ folder, with the same content as the asterisk.conf and elastix.conf filters above (continuation lines indented, literal parentheses escaped).

asterisk.local

# Fail2Ban configuration file for asterisk
[Definition]
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
ignoreregex =

elastix.local

# Fail2Ban configuration file for Elastix WebGUI
[Definition]
failregex = LOGIN .* Authentication Failure to Web Interface login. Failed password for .* from <HOST>.
            LOGIN .* Authentication Failure to Web Interface login. Invalid user .* from <HOST>.
ignoreregex =
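
Before restarting, it is worth checking that the filter actually matches what Asterisk writes. The following Python script is an added example (not from the document and not Fail2ban's own code) that dry-runs the asterisk filter, the same list used for asterisk.conf in step 1 and for asterisk.local here, the way fail2ban-regex would: it parses the [Definition] section, expands <HOST> into a capturing group, runs every pattern over a few constructed log lines in the format of /var/log/asterisk/full, and counts hits per source address so you can see which address would reach maxretry. The HOST_RE expansion approximates Fail2ban's own and is an assumption; the findtime window is not simulated.

```python
"""Dry-run a Fail2ban failregex list over sample Asterisk log lines (added example)."""
import re
from collections import Counter

# Approximation of Fail2ban's <HOST> expansion (assumption): an IPv4/IPv6
# address or hostname captured into a group named "host".
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed copy of the asterisk filter from the text.
ASTERISK_FILTER = r"""
# Fail2Ban configuration file for asterisk
[Definition]
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error \(permit/deny\)
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
            NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@<HOST>\>;tag=.*
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
ignoreregex =
"""

# Constructed lines in the style of /var/log/asterisk/full (not from a real system).
SAMPLE_LOG = """\
[2016-02-01 10:22:13] NOTICE[2048] chan_sip.c: Registration from '"100" <sip:100@10.20.31.1>' failed for '203.0.113.5:5060' - Wrong password
[2016-02-01 10:22:14] NOTICE[2048] chan_sip.c: Registration from '"100" <sip:100@10.20.31.1>' failed for '203.0.113.5:5060' - No matching peer found
[2016-02-01 10:22:15] NOTICE[2048] chan_sip.c: Registration from '"7002" <sip:7002@10.20.31.1>' failed for '203.0.113.5:5060' - Wrong password
[2016-02-01 10:22:16] NOTICE[2048] chan_sip.c: Registration from '"7002" <sip:7002@10.20.31.1>' failed for '198.51.100.9:5060' - ACL error (permit/deny)
[2016-02-01 10:22:17] VERBOSE[2048] pbx.c:     -- Executing [7003@from-internal:1] Dial("SIP/7002-00000001", "SIP/7003") in new stack
[2016-02-01 10:22:18] NOTICE[2048] chan_sip.c: Sending fake auth rejection for device "x"<sip:x@203.0.113.5>;tag=as1a2b3c
"""


def parse_filter(text):
    """Return the failregex patterns from a filter's [Definition] section.

    A multi-line value continues on following lines that start with whitespace.
    """
    patterns, in_definition, collecting = [], False, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw.startswith("["):
            in_definition = raw.strip() == "[Definition]"
            collecting = False
            continue
        if not in_definition:
            continue
        if raw != raw.lstrip():        # indented: continuation of the last key
            if collecting:
                patterns.append(raw.strip())
            continue
        key, _, value = raw.partition("=")
        collecting = key.strip() == "failregex"
        if collecting and value.strip():
            patterns.append(value.strip())
    return patterns


def scan(log_text, patterns):
    """Count matching lines per source host; a line counts once, as in Fail2ban."""
    compiled = [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]
    hits = Counter()
    for line in log_text.splitlines():
        for regex in compiled:
            match = regex.search(line)
            if match:
                hits[match.group("host")] += 1
                break
    return hits


def would_ban(hits, maxretry=3):
    """Hosts whose failure count reached maxretry (findtime not simulated)."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, parse_filter(ASTERISK_FILTER))
    for host, count in hits.most_common():
        print(f"{host:15} {count} failures")
    print("would ban:", would_ban(hits, maxretry=3))
```

To test against real data, read /var/log/asterisk/full into SAMPLE_LOG and the installed /etc/fail2ban/filter.d/asterisk.conf into ASTERISK_FILTER; any line you expect to be caught but which produces no hit points at a regex that needs adjusting for your Asterisk version's log format.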

Restart the fail2ban service:

systemctl restart fail2ban

The systemctl command should finish without any output. To check that the service is running, we can use fail2ban-client:

fail2ban-client status

Output:
Status
|- Number of jail: 1
`- Jail list: sshd

You can also get more detailed information about a specific jail:

fail2ban-client status asterisk
