VoIP, Linux, Security & much more fun
If you need any help regarding these subjects, do not hesitate to send me a text

FusionPBX has a click-to-call application that is not very easy to find, but it is not hidden at all. The click-to-call capability links two endpoints from an HTTP event. To be more clear, a perfect click-to-call example is the one that banks have on their pages, where you put in your phone number, click the button and after a moment you get a call from the bank.


Twilio is one of the complete VoIP carriers these days. Besides its SMS capabilities, it provides SIP trunks as well. The good or bad thing about Twilio is that its SIP trunk only works with SSL/TLS. This helps protect your confidentiality, but it takes more work from you to make it work. I will talk about how I did it.

Today I have published in OKay's RPM repository RPMs for Kamailio 5.0.3. Kamailio is a very fast, reliable and flexible SIP (RFC3261) proxy server. Written entirely in C, Kamailio can handle thousands of calls per second even on low-performance hardware. A C Shell-like scripting language provides full control over the server's behavior. Its modular architecture allows only required functionality to be loaded. Among available features: IPv4, IPv6, digest authentication, accounting, CPL scripts, instant messaging, MySQL, Postgres and UNIXODBC support, NoSQL backends Redis, Cassandra, Memcached, radius authentication, record routing, SMS gateway, ENUM, UDP, TCP, TLS and SCTP, transaction and dialog module, OSP, statistics support, registrar and user location, SNMP, SIMPLE Presence, Lua, Perl, Python, Java and Mono programming interfaces, WebSocket support for WebRTC, IMS extensions, embedded XCAP server and MSRP relay, DNSSEC, gzip compression.

RPMs are available for CentOS 6 and 7. You can find them if you type yum search kamailio.

Enjoy!

Today, I am publishing the RPMs for SNGrep 1.4.4. All you need to do is add my OKay's RPM repository and install it. SNGrep is a tool for displaying SIP call message flows from the terminal. It supports live capture to display real-time SIP packets and can also be used as a PCAP viewer.

If you wonder what the big difference with my RPMs is, these have as many options enabled as possible. This RPM enables the HEP/EEP protocol, which is very handy if you want to use it to interact with Homer.

RPMs are available for CentOS 6 and 7. You can find them if you type yum search sngrep.

Now that I am managing some clusters with a lot of activity, one of the most common issues is that when a user makes a change, he wants it applied right away. That works for most things, but not for some, such as music on hold or call center. The thing here is that in order to pick up the new settings, FreeSWITCH requires a module reload; sadly, the module cannot be reloaded while it is being used.

FusionPBX is a web frontend for FreeSWITCH (the best VoIP switch in my opinion). By default, FusionPBX hard links a username to its domain. This means user1 in the domain something.inside-out.xyz with password 123 is totally different and isolated from user1 in the domain else.inside-out.xyz with password 123. But this default behavior is not always what we want in our PBX.

FusionPBX allows you to have a unique login. This is not a surprise; almost every web site has moved to this by using the email address as the login. FusionPBX is not the exception. But it is turned off by default in 4.2. If you turn this on, you will be able to use your unique login (for example the email, as a full address is supposed to be unique) to get into FusionPBX. This is very handy: you will save money by only purchasing a simple SSL certificate instead of a wildcard one, and you can have a somewhat independent server for the FusionPBX page. Just some ideas.

The Bug

DISCLAIMER: I have not personally reproduced this bug, but I have more than one report that it has happened. Please note you are only exposed to this bug if you know you have turned on the unique login.

While working at my day job, I was told that somehow, a user was able to rename a username to its unique login in different tenants. And after doing it, the user was able to log into a domain that he was not meant to log into.

Furthermore, if a user knows the unique login of another user and updates a user to that username, he was able to log in. For example, unique user [email address hidden] has admin access to his domain dog.inside-out.xyz. Miguel knows that the user [email address hidden] is the admin of the domain bunny.inside-out.xyz. Miguel is aware of this bug. Then, Miguel creates the user [email address hidden] with a password he knows. Miguel edits the username [email address hidden] and renames it to [email address hidden], which already exists (here is the bug). Miguel tries to log into the system with the new user he just created, and voilà! If he is lucky, he will get access to the domain bunny.inside-out.xyz.

The Patch

Today I have sent two pull requests, #2484 and #2485, that prevent this. I will put the change here anyway (for 4.2).

Edit the file core/users/usersupdate.php, and look around line 115. You will find something like this:

$sql= "select count(*) as num_rows from v_users where domain_uuid = '".$domain_uuid."' and username = '".$username."'";

Replace that line with these:

$sql = "select count(*) as num_rows from v_users where username = '".$username."'";
if ($_SESSION["user"]["unique"]["text"] != "global"){
    $sql .= " and domain_uuid = '".$domain_uuid."'";
}

You are done. Good Luck!
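The same duplicate check as a stand-alone sketch. This is an added example, not FusionPBX's code or the code from the pull requests: it runs against an in-memory SQLite table that only mimics v_users, uses PDO prepared statements instead of string concatenation, and the helper name username_taken, the 'domain' mode value, the sample rows and the extra user_uuid exclusion are assumptions made for illustration.

```php
<?php
// Added example: constructed schema and data, not FusionPBX's own code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table v_users (user_uuid text primary key, domain_uuid text, username text)");

// Constructed sample rows: one admin per tenant plus a freshly created user.
$ins = $db->prepare("insert into v_users values (?, ?, ?)");
$ins->execute(['u-1', 'dom-dog', 'admin-dog@example.com']);
$ins->execute(['u-2', 'dom-bunny', 'admin-bunny@example.com']);
$ins->execute(['u-3', 'dom-dog', 'temp@example.com']);

/**
 * Hypothetical helper: true if $username is already used by another user.
 * $unique_mode stands in for $_SESSION["user"]["unique"]["text"] on the page:
 * "global" means usernames must be unique across every domain.
 */
function username_taken(PDO $db, string $unique_mode, string $domain_uuid,
                        string $user_uuid, string $username): bool {
    // Assumption of this sketch: ignore the row being edited, so saving an
    // unchanged username is not reported as a duplicate.
    $sql = "select count(*) from v_users where username = :username and user_uuid <> :user_uuid";
    $params = [':username' => $username, ':user_uuid' => $user_uuid];
    if ($unique_mode !== 'global') {
        // Per-domain logins: the same username may exist in other tenants.
        $sql .= " and domain_uuid = :domain_uuid";
        $params[':domain_uuid'] = $domain_uuid;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return (int) $stmt->fetchColumn() > 0;
}

// The rename from the scenario above: u-3 (tenant dog) takes the bunny admin's login.
$target = 'admin-bunny@example.com';

// Domain-scoped check, like the original line: the cross-tenant duplicate is not seen.
var_dump(username_taken($db, 'domain', 'dom-dog', 'u-3', $target));

// Global mode drops the domain filter, so the same rename is reported as taken.
var_dump(username_taken($db, 'global', 'dom-dog', 'u-3', $target));

// The bunny admin saving their own, unchanged username is not a collision.
var_dump(username_taken($db, 'global', 'dom-bunny', 'u-2', $target));
```

When unique logins are global, a unique index on the username column is a useful backstop, because the database then rejects a duplicate even if some code path skips the check.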

HAProxy is, as its name says, a proxy that aims for high availability. It can be used not only to proxy HTTP (Layer 7) but also to proxy TCP (Layer 4). Among the many things HAProxy has, it is possible to access its management page to do active monitoring. I will talk about how to set up simple Nagios monitoring.

Yesterday, I published in OKay's RPM repository RPMs for the Nagios FreeSWITCH plugin 0.3. This is a very simple Nagios plugin that connects to your FreeSWITCH through the fs_cli application to get useful information.

Release 0.3 has the following plugins:

  • check_fs_registered: sends a signal if you do not have enough endpoints registered
  • check_fs_registered_cap: sends a signal if you have too many endpoints registered

I want to thank T5 Telecom for sponsoring the release 0.1.

RPMs are available for CentOS 6 and 7. You can find them by doing a yum search nagios-plugins-freeswitch.

Enjoy!

 

FusionPBX offers a way to remotely reboot your registered endpoints. Of course, those endpoints must honor the SIP signal. However, the problem arises when you have many extensions. Last week, I had the challenge of rebooting more than one thousand endpoints, where eight hundred of them were registered on a single server. As you can imagine, the clicking way is too much hassle. There should be another way.

If you need more help than the free one provided here...