วันจันทร์ที่ 26 พฤศจิกายน พ.ศ. 2555

Ballistic-PBX / install-opensbc-ubuntu.sh

#!/bin/bash
#OpenSBC Debian
#/bin/sh
#Install OpenSBC - CentOS edition
#Copyright (C) 2010 Star2Billing S.L.
#Author Jonathan Roper jonathan@star2billing.com
#This program is free software; you can redistribute it and/or
#modify it under the terms of the GNU General Public License
#as published by the Free Software Foundation; either version 2
#of the License, or (at your option) any later version.
#This program is distributed in the hope that it will be useful,
#but WITHOUT ANY WARRANTY; without even the implied warranty of
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#GNU General Public License for more details.
#You should have received a copy of the GNU General Public License
#along with this program; if not, write to the Free Software
#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#==================================================================================================
#This script will install OpenSBC on an existing asterisk server, and will be available on port 5061
#It will provide upwards registration, and RTP proxy services.
#No configuration in Asterisk is required.
#Simply point your phone at <<IPADDR>>:5061
#If this is installed behind NAT, forward UDP 5061 and 10,000 > 20,000
#==================================================================================================
apt-get update
apt-get install -y mc autoconf automake cvs flex expat libexpat1-dev libtool build-essential libxml2 libxml2-dev
libtiff4 libtiff4-dev libssl-dev libncurses5-dev bison libaudiofile-dev subversion libnewt-dev libcurl3-dev
libnet-ssleay-perl openssl ssl-cert libauthen-pam-perl libio-pty-perl libcrypt-passwdmd5-perl libdigest-md5-perl
libpg-perl libdbd-pg-perl openssl ssl-cert flex bison build-essential libxml2 libxml2-dev expat libexpat1-dev libspeex-dev speex
cd /usr/src
echo "================================================================================"
echo "When prompted for a CVS password, just press enter"
echo "================================================================================"
cvs -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack login
cvs -z3 -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack co -P opensipstack
cvs -z3 -d:pserver:anonymous@opensipstack.cvs.sourceforge.net:/cvsroot/opensipstack co -P opensbc
cd /usr/src/opensipstack/
chmod +x ./configure
./configure --enable-localspeex --enable-gpllibs
make bothnoshared
cd ../opensbc
chmod +x ./configure
./configure --enable-gpllibs
make bothnoshared
make distrib
cp /usr/src/opensbc/distrib/* /usr/local/bin/
echo "/usr/local/bin/opensbc -d -p /var/run/opensbc.pid -H 65536 -C 1024000" > /usr/local/bin/startup.sh
echo "/usr/local/bin/opensbc -u root -k -p /var/run/opensbc.pid" > /usr/local/bin/shutdown.sh
echo "/usr/local/bin/startup.sh" >> /etc/rc.local
mkdir /root/OpenSIPStack
mkdir /root/OpenSIPStack/OpenSBC_data
echo "
[OpenSBC-General-Parameters]
SIP-Log-Level=1
PTRACE-Log-Level=1
Log-File-Prefix=b2bua
SBC-Application-Mode=B2BUpperReg Mode
Enable-Trunk-Port=True
Enable-Calea-Port=True
RTP-Min-Port=10000
RTP-Max-Port=20000
NAT-Keep-Alive-Interval=15
Send-OPTIONS-NAT-Keep-Alive=True
Send-Responses-Using-New-Socket=False
Enable-Local-Refer=False
Disable-Refer-Optimization=True
Max-Forwards=70
Encryption-Mode=XOR
Encryption-Key=GS
Alerting-Timeout=30000
Seize-Timeout=60000
SIP-Timer-B=Default
SIP-Timer-H=Default
Session-Keep-Alive=1800
Session-Max-Life-Span=10800
Max-Concurrent-Session=100
Max-Call-Rate-Per-Second=10
[SIP-Transports]
Main-Interface-Address Array Size=1
Main-Interface-Address 1=sip:*:5061
Backdoor-Interface-Address=sip:*:5062
Trunk-Interface-Address=sip:*:5064
Media-Server-Interface-Address=sip:*:5066
CALEA-Interface-Address=sip:*:5068
Auxiliary-Interface-Address=sip:*:5070
Interface-Route-List Array Size=0
[RTP-Proxy]
Proxy-On-Private-Contact=True
Proxy-On-via-received-vs-signaling-address=True
Proxy-On-Private-Via=True
Proxy-On-Different-RPORT=True
Proxy-All-Media=False
[Trusted-Domains]
Accept-All-Calls=True
Trusted-Domain-List Array Size=0
X-Remote-Info-List Array Size=0
[Host-Access-List]
Trust-All-Hosts=True
Trusted-Host-List Array Size=0
Enable-Selective-Banning=True
Banned-Host-List Array Size=0
[Upper-Registration]
All-Reg-As-Upper-Reg=True
Enable-Stateful-Reg=False
Rewrite-TO-Domain=True
Rewrite-FROM-Domain=True
Route-List Array Size=1
Route-List 1=[sip:*] sip:127.0.0.1:5060
[B2BUA-Routes]
Route-List Array Size=1
Route-List 1=[sip:*] sip:127.0.0.1:5060
Insert-Route-Header=True
Rewrite-TO-URI=True
Prepend-ISUP-OLI=False
Route-By-Request-URI=False
Route-By-To-URI=False
Drop-Routes-On-Ping-Timeout=False
Use-External-XML=False
External-XML-File=b2bua-route.xml
" > /root/OpenSIPStack/OpenSBC_data/OpenSBC.ini
echo "================================================================================"
echo "The web interface for this is on <<ipaddress>:9999"
echo "By default it has no password on it"
echo "After reboot, please go to the website and configure a username and password"
echo "================================================================================"
echo "Please reboot"
echo "================================================================================"
echo "
1. http://11.22.33.44:9999/Internal-DNS-Mapping
This is where we create the DNS entries for the internal IP addresses, this not compulsory, but it does make admin easier.
So assuming you have pbx.yourdomain.com on 192.168.1.101,
Create a DNS entry on your DNS server for pbx.yourdomain.com = 11.22.33.44
Now add the internal DNS mapping with [sip:pbx.yourdomain.com] sip:192.168.1.101:5060
Click the update button.
Repeat as necessary for all PBX systems.
2. http://11.22.33.44:9999/Upper-Registration
Next we need to deal with the registration aspect, so that when you create an extension on a PBX, OpenSBC checks to see that it is valid.
Edit Route list, and add entries for each of your PBX systems.
[sip:*@pbx.yourdomain.com:*] sip:pbx.yourdomain.com:5060
or if you have not bothered with Step one - [sip:*@pbx.yourdomain.com:*] sip:192.168.1.101:5060
Then click the update button
So registrations that are sent to pbx.yourdomain.com will be forwarded to the internal PBX, 
and if the username and password is correct, OpenSBC will allow the endpoint to register. 
Note that the endpoint must be configured with the hostname, e.g. pbx.yourdomain.com, NOT 11.22.33.44
Repeat as necessary for all PBX systems.
3. http://11.22.33.44:9999/B2BUA-Routes
This is how the call is actually routed when someone picks up the phone and makes a call.
The syntax here is the same as in step 2 for upper registration, e.g.Edit Route list, and add entries for each of your PBX systems.
[sip:*@pbx.yourdomain.com:*] sip:pbx.yourdomain.com:5060
or if you have not bothered with Step one - [sip:*@pbx.yourdomain.com:*] sip:192.168.1.101:5060
Then click the update button.
4. Register your endpoint
Now attempt to register a phone to your extension@pbx.yourdomain.com and make a call.
5. DID forwarding
To forward DID to your systems from your DID provider or A2Billing system, simply forward the DID to sip/DID-Number@pbx.yourdomain.com
Please test and test again, particularly in respect of MWI lights, extension to extension calls and check that it does what you need it do.
" > /root/OpenSIPStack/README

OpenSBC (INVITE of Death)

The IMS Security Team


OpenSBC (INVITE of Death)

Advisory Draft Date: 2nd Feburary, 2009.
Release Date: 16th Feburary, 2009.

Affected ApplicationOpenSBC Server
SeverityHigh
StatusDisclosed
Reported ToJoegen Baclor (CTO Solegy Systems)
AuthorM. Zubair Rafique and Dr. Muddassar Farooq

Background

OpenSBC is an ongoing attempt to create an open-source Session Border Controller that is fully compliant with the mandates of RFC 3261. OpenSBC can be used as a SIP router, media anchor for farend NAT traversal, SIP egress and ingress trunking among others. More information about the server can be found at http://opensipstack.org/

Overview

The INVITE of Death vulnerability in OpenSBC server allows the attacker to crash the server causing remote Denial of Service (DOS). The problem specifically exists in OpenSBC version 1.1.5-25 in the handling of “Via” field caused from maliciously crafted SIP packet.

Proof of Concept

The proof of concept code can be downloaded from here: OpenSBC.pl.
The malicious Packet on which the server crash is shown below:
INVITE sip:bob@open-ims.test SIP/2.0
Via:::::: SIP/2.0/UDP localhost.localdomain:5060;branch=z9hG4bK000000
From: 0 ;tag=0
To: Receiver 
Call-ID: 0@localhost.localdomain
CSeq: 1 INVITE
Contact: 0 
Expires: 1200
Max-Forwards: 70
Content-Type: application/sdp
Content-Length: 131
v=0
o=0 0 0 IN IP4 localhost.localdomain
s=Session SDP
c=IN IP4 127.0.0.1
t=0 0
m=audio 9876 RTP/AVP 0
a=rtpmap:0 PCMU/8000

Work Around


The OpenSBC devolpment team has been reported about the vulnerability. Below is the E-mail exchange content between our research team and the CTO of Solegey Systems:


Credits

The vulnerability was discovered by Zubair Rafique and Sohail Aziz from the IMS security research project team.

Contact

M. Zubair Rafique                       M. Ali Akbar
Zubair.rafique@nexginrc.org       ali.akbar@nexginrc.org
+92-346-5356929                     +92-321-2936105

Disclaimer


The contents of this advisory are copyright (c) 2009 nexGIN RC , and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. 


LINK: http://ims-bisf.nexginrc.org/OpenSBC-vul.html

OpenSBC Setup Guide

Setup:
  • OS: Fedora 8
  • No.of NIC: two, both with Public IP Address
    SipXecs and OSBC are installed on the same box, each using a separate IP address
  • UA's: Behind NAT


LINK: http://wiki.sipfoundry.org/display/sipXecs/OpenSBC+Setup+Guide


This document will attempt to provide working OpenSBC configurations for a few commonly used sipxecs calling scenarios. It is a work in progress, so please check back often. For any questions or comments, contact the author (raymund.nones [at] gmail.com) or post to the OpenSBC forum at http://www.opensourcesip.org.
This page is work in progress. It will have more screenshots for Linux, OSBC and SipXecs and a more clearer guide.

Scenario #1: Using OSBC for Far End NAT Traversal(FENT) - Public .

This enables remote workers on the WAN to access a sipXecs instance, where sipXecs has a public IP address, from behind NAT routers.
Setup:
  • OS: Fedora 8
  • No.of NIC: two, both with Public IP Address
    SipXecs and OSBC are installed on the same box, each using a separate IP address
  • UA's: Behind NAT
Dues to a limitation where the gateway configured in sipxecs always uses port 5060, OSBC can not be used for FENT and SIP Trunking simultaneously.

1.a Registering a NAT'd UA to sipxecs through OSBC with UpperReg(without and with domain rewriting)

In OSBC:
Setting OSBC with UpperReg Mode:
  1. Go to OSBC General Parameters
  2. Select B2BUpperReg Mode
  3. Press Update (Note: After Update you need to restart OSBC)
Setting OSBC to listen to a specific interface:
  1. Go to OSBC General Parameters
  2. Input the interface address at the Interface Address Field and Click Add
  3. Press Update (Note: After Update you need to restart OSBC)
Setting OSBC Upper Registration
  1. Go to Upper Registration
  2. Input the Route at the Route-List Field and select Add
    for the given example route: [sip:*] sip:sipx.example.com
    this will route all traffic from OSBC to SipX instance at sipx.example.com
    For domain rewriting, click the check box for Domain Rewriting (i'll be giving examples regarding the Rewrite Feature on my next update)
    If Rewrite-TO-Domain is check, domain of the To-URI will be rewritten and use the domain parameter of the route-uri.
    If Rewrite-FROM-Domain is check, domain of the From-URI will be rewritten and use the domain parameter of the route-uri
  3. Press Update
In SipXecs:
  1. Create a user / extension ex. Uid: 200 Pw: 200
In UA:
  1. Setup your phone
    Uid: 200 Pw: 200
    Domain: sipx.example.com <-- this domain should resolve to the IP address of your SipXecs instance
    Proxy: osbc.example.com <-- tjis domain should resolve to the IP address of your OSBC instance

1.b Calls between UAs behind NAT

Callflow: UA1 ? OSBC ? SIPX ? OSBC ? UA2
In OSBC:
  1. Using the settings for OSBC from Scenario #1, Go to B2BUA Routes
  2. Add Routes to Route-List
    Ex. [sip:*] sip:sipx.example.com
    for the given example route: [sip:*] sip:sipx.example.com this will route all calls from OSBC to SipX instance at sipx.example.com
  3. Press Update
In SipXecs:
  1. Create two users / extensions ex.
    Uid: 200 Pw: 200
    Uid: 201 Pw: 201
In UA:
  1. Setup your phones
    Uid: 200 Pw: 200
    Domain: sipx.example.com <-- this domain should resolve to the IP address of your SipXecs instance
    Proxy: osbc.example.com <-- this domain should resolve to the IP address of your OSBC instance
    Uid: 201 Pw: 201
    Domain: sipx.example.com <-- this domain should resolve to the IP address of your SipXecs instance
    Proxy: osbc.example.com <-- this domain should resolve to the IP address of your OSBC instance

1.c Calls to PSTN, UAs behind NAT

Callflow: UA1 ? OSBC ? SIPX ? OSBC _-> PSTN Gateway
In OSBC:
  1. Using the settings for OSBC from Scenario #1, Go to B2BUA Routes
  2. Add Routes to Route-List
    Ex.
    [sip:*] sip:sipx.example.com
    for the given example route: [sip:*] sip:sipx.example.com this will route all calls from OSBC to SipX instance at sipx.example.com
    [sip:12*] sip:mypstngateway
    for the given example route: [sip:12*] sip:mypstngateway this will route all calls starting with 12(Prefix 9 was drop by SipXecs for outgoing call) from OSBC to PSTN Gateway
  3. Press Update
In SipXecs:
  1. Create users / extensions ex.
    Uid: 200 Pw: 200
  2. Setup your Gateway at SipXecs (Point your Gateway to OSBC Instance)
In UA:
  1. Setup your phones
    Uid: 200 Pw: 200
    Domain: sipx.example.com <-- your SipXecs instance
    Proxy: osbc.example.com <-- your OSBC instance

1.d Calls From PSTN, UAs behind NAT

Callflow: PSTN Caller ? OSBC ? SIPX ? OSBC ? UA1
In OSBC:
  1. Using the settings for OSBC from Scenario #1, Go to B2BUA Routes
  2. Add Routes to Route-List
    Ex. [sip:12345678] sip:100@sipx.example.com
    replace 12345678 with your correct DID number
    for the given example route: [sip:12345678] sip:100@sipx.example.com this will route calls from OSBC(12345678) to SipX AutoAttendant(indicated by ext 100 or replace with 200 to go directly to extension) at sipx.example.com
  3. Press Update
In SipXecs:
  1. Create users / extensions ex.
    Uid: 200 Pw: 200
In UA:
  1. Setup your phones
    Uid: 200 Pw: 200
    Domain: sipx.example.com <-- your SipXecs instance
    Proxy: osbc.example.com <-- your OSBC instance

Scenario #2: Using OSBC for Far End NAT Traversal (FENT) - Private.

This enables remote workers on the WAN to access a sipxecs instance, where SIPX has a private IP address, from behind NAT routers.
Setup:
  • OS: Fedora 8
  • No.of NIC: two, One with Public IP Address and the other with a Private IP Address
  • SipXecs and OSBC are installed on the same box, each using a separate IP address
  • UA's: registered to sipxecs on a local network using private IP addresses, there is no NAT traversal involved.
Dues to a limitation where the gateway configured in sipxecs always uses port 5060, OSBC can not be used for FENT and SIP Trunking simultaneously.

2.a Calls to PSTN, UAs and SipXecs on a Local Network

Callflow: UA1 ? SIPX ? OSBC _-> PSTN Gateway
In OSBC:
  1. Go to B2BUA Routes
  2. Add Routes to Route-List
    Ex.
    [sip:12*] sip:mypstngateway
    for the given example route: [sip:12*] sip:mypstngateway this will route all calls starting with 12(Prefix 9 was drop by SipXecs for outgoing call) from OSBC to PSTN Gateway
  3. Press Update
In SipXecs:
  1. Create two users / extensions ex.
    Uid: 200 Pw: 200
  2. Setup your Gateway at SipXecs (Point your Gateway to OSBC Instance)
In UA:
  1. Setup your phones
    Uid: 200 Pw: 200
    Domain: sipx.example.com <-- your SipXecs instance

2.b Calls from PSTN, UAs and SipXecs on a Local Network

Callflow: PSTN Caller ? OSBC ? SIPX ? UA1
In OSBC:
  1. Go to B2BUA Routes
  2. Add Routes to Route-List
    Ex. [sip:12345678] sip:100@sipx.example.com
    replace 12345678 with your correct DID number
    for the given example route: [sip:12345678] sip:100@sipx.example.com this will route calls from OSBC(12345678) to SipX AutoAttendant(indicated by ext 100 or replace with 200 to go directly to extension) at sipx.example.com(local SipXecs Address)
  3. Press Update
In SipXecs:
  1. Create users / extensions ex.
    Uid: 200 Pw: 200
In UA:
  1. Setup your phones
    Uid: 200 Pw: 200
    Domain: sipx.example.com <-- your SipXecs instance

Scenario #3: Using OSBC for SIP trunking (this example uses RingCentral).

This enables sipxecs users on a local private network to connect to the PSTN using a SIP Trunk account on the public network.
Setup:
  • OS: Fedora 8
  • No.of NIC: two, One with Public IP Address and the other with a Private IP Address
  • SipXecs and OSBC are installed on the same box, each using a separate IP address
  • UA's: registered to sipxecs on a local network using private IP addresses, there is no NAT traversal involved.
  • SIP Trunk provider: This call flow was tested using a RingCentral account
Dues to a limitation where the gateway configured in sipxecs always uses port 5060, OSBC can not be used for FENT and SIP Trunking simultaneously.

3.a Registering OSBC to the SIP Trunk*

In OSBC:
Setting OSBC to Register to a Sip Trunk Provider:
  1. Go to OSBC Sip Trunk Config
  2. Paste the XML for the config (sample below)
    <root>
    <siptrunk trunk-name="my.sipprovider.com"
    route-set="sip:sip.sipprovider.com"
    sip-domain="sip.sipprovider.com"
    expires="10">
    <trunk-accounts>
    <account user-name="xxxxxxx"
    auth-user-name="xxxxxx"
    auth-password="xxxxxx"
    inbound-route="sip:100@sipx.example.com"
    expires="3600"/>
    </trunk-accounts>
    <transient-accounts>
    <account user-name="xxxxx"
    auth-user-name="xxxx"
    auth-password="xxxx"
    inbound-route="sip:100@sipx.example.com"
    expires="3600"/>
    </transient-accounts>
    </siptrunk>
    </root>
  3. Press Update
  4. To check if registration is successful, Go to Sip-Trunk Registration Status
    sip:xxxxxxx@sip.sipprovider.com sip:xxxxxx@xxx.xxx.xx.xx:5066 00773236-91be-dd11-8be9-e96beb558260@sip.sipprovider.com SIP/2.0 200 OK

3.b Routing of inbound calls from a trunk provider to the sipxecs autoattendant

Callflow: Caller ? SipTrunk Provider ? OSBC ? SipX
In OSBC:
  1. After Registration to a Trunk Provider from Scenario 3.a
  2. Go to B2BUA Routes
  3. Add Routes to Route-List
    Ex. [sip:100*] sip:sipx.example.com
    for the given example route: [sip:100*] sip:sipx.example.com this will route all calls with prefix 100 from OSBC to SipXecs Auto Attendant at sipx.example.com
  4. Press Update
In SipXecs:
  1. Create users / extensions ex.
    Uid: 200 Pw: 200
In UA:
  1. Setup your phones
    Uid: 200 Pw: 200
    Domain: sipx.example.com <-- your SipXecs instance

3.c Routing of outbound calls from a trunk provider

Call Flow: UA1 ? SIPX ? OSBC _-> Sip Trunk Provider
In OSBC:
  1. Go to B2BUA Routes
  2. Add Routes to Route-List
    Ex. [sip:12*] sip:sip.ringcentral.com;sip-trunk=true
    for the given example route: [sip:12*] sip:sip.ringcentral.com;sip-trunk=true, this will route all calls starting with 12(Prefix 9 was drop by SipXecs for outgoing call) from OSBC to Sip Trunk Provider (in this case, Ring Central)
  3. Press Update
In SipXecs:
  1. Create users / extensions ex.
    Uid: 200 Pw: 200
  2. Setup your Gateway at SipXecs (Point your Gateway to OSBC Instance)
In UA:
  1. Setup your phones
    Uid: 200 Pw: 200
    Domain: sipx.example.com <-- your SipXecs instance


INFO: http://wiki.sipfoundry.org/display/sipXecs/Overview

OpenSBC : OpenSBC is an open source (MPL License) Session Border Controller and B2BUA.

OpenSBC

OpenSBC is an open source (MPL License) Session Border Controller and B2BUA.
Features
  • Registrations
  • B2BUA
  • NAT traversal
  • ENUM

Open SBC has been under developement and in use for 7 years in high volume applications.

Commerical support is available from the original developers.

See Also




INFO: http://www.voip-info.org/wiki/view/OpenSBC