wardmundy

Travelin' Man 4 4.0.0

Remote IPtables WhiteListing by Phone


    Operating System Requirements:

    1. PIAF-Green or Incredible PBX 11 with CentOS 6.5, Scientific Linux 6.5, or PIAF OS 3.6.5

    2. Incredible PBX for RasPBX (only BeagleBone Black has been tested)

    Software Prerequisites:

    1. Travelin' Man 3 - http://nerdvittles.com/?p=815 (optionally installed with Incredible PBX 11)

    NOTE: Travelin' Man 3 is preinstalled with RasPBX, but you must run /root/secure-iptables and amportal restart to activate it.

    2. ODBC add-on to PIAF-Green - http://nerdvittles.com/?p=604 (already included with Incredible PBX 11 for CentOS/SciLinux)

    NOTE: ODBC is not functional and Travelin' Man 3 is dormant as delivered on RasPBX platform. Issue the following commands to activate both:
    Code:
    # WARNING: This code is for RasPBX platform only
    apt-get -y install unixODBC unixODBC-dev libmyodbc
    cd /root
    ./secure-iptables
    amportal restart
    wget http://incrediblepbx.com/odbc-raspbx.tar.gz
    tar zxvf odbc-raspbx.tar.gz
    ./mysql-odbc
    ./mysql-sample
    ./odbc-gen.sh
    amportal restart
    
    Verifying Functioning Prerequisites:

    1. iptables -nL (shows a WhiteList is operational with legit IP addresses)
    2. Dial 222 and enter 12345 and verify "Uncle Ward" response (shows ODBC works)

    DO NOT PROCEED WITH INSTALL UNTIL BOTH PLATFORM & SOFTWARE PREREQUISITES ARE WORKING!!!

    Installation:

    Code:
    cd /root
    mkdir tm4
    cd tm4
    wget http://incrediblepbx.com/tm4.tgz
    tar zxvf tm4.tgz
    # Load the TravMan4 accounts table. Only the line with the MySQL root
    # password for your platform will succeed; the other one simply fails.
    mysql -uroot -ppassw0rd < tm4-accounts.sql
    mysql -uroot -praspberry < tm4-accounts.sql
    # Insert the 864 dialplan right after the [from-internal-custom] header
    sed -i '/\[from-internal-custom\]/r tm4-864' /etc/asterisk/extensions_custom.conf
    # Append the ODBC functions used by the 864 dialplan
    cat tm4-func >> /etc/asterisk/func_odbc.conf
    # Queue directory where 864 drops one file per authenticated caller
    mkdir /etc/asterisk/tm4
    chown asterisk:asterisk /etc/asterisk/tm4
    cp tm4-update /root/.
    cd /root
    /root/odbc-gen.sh
    amportal restart
    # Every 2 minutes from 05:00 to 22:59, process the queue and update IPtables
    echo "*/2 5-22 * * * root /root/tm4-update > /dev/null 2>&1" >> /etc/crontab
    
    Configuration:

    Before you can add WhiteList IP addresses by dialing 864 (TM4), you first must set up some accounts and passwords for authorized users dialing in. Each account supports ONE and only ONE IP address. Each time the account is accessed to add an IP address, it will overwrite any previous WhiteList entry.

    To add accounts, open FreePBX 11 and use phpMyAdmin under Other. Choose the TravMan4 DB and click the Insert tab to add a new entry. Use an 8-digit acctno (the first digit must not be zero, and all 8 characters must be numeric). Fill in a descriptive name for the account under acctname. Choose a 5-digit PIN (the first digit must not be zero, and all 5 characters must be numeric). Enter an email address so the account user can be notified when their new IP address WhiteList entry has been activated in the IPtables firewall. Permission defines which rights this user account will have on the server. 0 means ALL access rights, i.e. SIP, IAX, SSH, etc. If you wish to restrict an IP address to only certain services, enter a list of authorized services separated by commas, e.g. 1,2,3,4,5 (no spaces!).

    Available permissions include:

    0 - All Services
    1 - SIP (UDP)
    2 - SIP (TCP)
    3 - IAX
    4 - Web
    5 - WebMin
    6 - FTP
    7 - TFTP
    8 - SSH
    9 - FOP

    Leave the ipaddress entry blank. This will be filled in when the caller successfully authenticates by dialing into extension 864.

    Operation:

    Travelin' Man 4 is intended to support remote users who need access to your PIAF-Green or Incredible PBX 11 server from sites outside your firewall. The procedure is simple. The user dials into a DID that points to extension 864. Since the 864 extension lives in extensions_custom.conf, you will need to create a Misc Destination called Travelin Man 4 pointing to 864 BEFORE that extension can be used as a destination in the FreePBX dialplan, either from a dedicated Inbound Route for the DID or perhaps from an IVR. If you don't have a spare DID to dedicate to TM4, you can obtain one at no cost from IPkall.com.

    Once connected to 864, the caller will be prompted for an account number and PIN. Once entered, the credentials will be verified against the TravMan4 DB. If there's a match, the caller will be prompted to enter an IP address to be WhiteListed in IPtables. The syntax is 12*34*56*78 where * is used for periods. Once the caller confirms the address, the call will be disconnected and the new IP address will be placed in a queue: /etc/asterisk/tm4.

    Every 2 minutes, a cron job in /etc/crontab will check the tm4 queue for files. The file names are the account numbers of the callers. The contents are the IP addresses to be WhiteListed. The tm4-update script will handle the rest. If the IP address has exactly three periods (none extra and none missing), the entry will be added to the IPtables file and the service will be restarted with iptables-restart. The caller will be sent an email confirming or rejecting the WhiteList request.

    WARNING: NO FURTHER ERROR CHECKING IS PERFORMED. FOR EXAMPLE, 1234.5678.9999.1 WILL BE ACCEPTED AS A LEGITIMATE ADDRESS.
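    The following is an added example, not part of Travelin' Man 4 or its tm4-update script: it shows the input checks that the Configuration section's field rules (acctno, PIN, permissions) and the warning above call for, so that a keyed address like 1234*5678*9999*1 is rejected before it ever reaches the IPtables WhiteList. The queue file names and contents used in the comments and tests are constructed sample values.

    ```shell
    # Added example (not TM4's own code): stricter checks for the values TM4 stores.

    # Convert keypad input (12*34*56*78) to a dotted quad; print it and return 0
    # only if it is a well-formed IPv4 address: exactly four numeric octets, 0-255.
    dtmf_to_ip() {
        _ip=$(printf '%s' "$1" | tr '*' '.')      # '*' stands in for '.' on the keypad
        case "$_ip" in .*|*.|*..*) return 1 ;; esac   # leading, trailing or doubled period
        _oldifs=$IFS; IFS='.'; set -- $_ip; IFS=$_oldifs
        [ "$#" -eq 4 ] || return 1                # the only check TM4 itself performs
        for _octet in "$@"; do
            case "$_octet" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric octet
            [ "${#_octet}" -le 3 ] || return 1    # rejects 1234, 5678, 9999
            [ "$_octet" -le 255 ] || return 1     # rejects 256-999
        done
        printf '%s\n' "$_ip"
    }

    # Account number: 8 digits, first digit not zero. PIN: 5 digits, first not zero.
    valid_acctno() { case "$1" in [1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;; esac; return 1; }
    valid_pin()    { case "$1" in [1-9][0-9][0-9][0-9][0-9]) return 0 ;; esac; return 1; }

    # Permissions: "0" alone (all services) or a comma-separated list of 1-9, no spaces.
    valid_perms() {
        case "$1" in
            0) return 0 ;;
            ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;  # empty, stray characters, bad commas
            *0*) return 1 ;;                      # 0 is only meaningful on its own
        esac
        return 0
    }

    # Check one queue file the way a hardened tm4-update could: the file name is
    # the acctno, the content is the keyed address. Prints "accept <acct> <ip>" or
    # "reject <acct> <reason>" instead of touching IPtables or sending mail.
    check_queue_file() {
        _acct=$(basename "$1")
        valid_acctno "$_acct" || { echo "reject $_acct bad-account"; return 1; }
        _addr=$(dtmf_to_ip "$(tr -d '[:space:]' < "$1")") || { echo "reject $_acct bad-ip"; return 1; }
        echo "accept $_acct $_addr"
    }
    ```

    Run it against a copy of the queue directory first; only the accept lines describe entries that iptables-restart would actually keep.
    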


    Troubleshooting Tips: If you get a call from a user saying that an IP address was whitelisted and they received a confirmation email, but they still cannot gain access, the first thing to do is run iptables-restart to determine whether any whitelisted IP addresses have been rejected for any reason. As noted, an address like the example in the warning above could be registered, but it would be rejected by IPtables when the iptables-restart command was executed. The end user would not be alerted to this problem!

    Also be sure to alert callers to check their EMAIL SPAM FOLDER for the emails. Gmail in particular is very careful to reject emails from accounts such as root@piaf. These can be whitelisted in Gmail by clicking the down arrow in the search bar and typing @piaf in the From: field. Then click Create Filter with this search. Check the following options: Star It, Never Send It to SPAM, and Always Mark as Important.

    To change a WhiteListed address, the caller can call in again with the same credentials and specify a new IP address. The Administrator can manually remove the corresponding WhiteList entry from the /etc/sysconfig/iptables file and run iptables-restart. The admin should also remove the account entry from the TravMan4 Accounts table using phpMyAdmin to assure that the caller can no longer gain access to add a new WhiteListed IP address.

    Administrator Utilities:

    The following utilities are provided in the /root/tm4 directory to assist with management of accounts for Travelin' Man 4: list-accounts, add-account, del-ipaddress, and del-account. The functions are self-explanatory, but here they are anyway...

    ./list-accounts will display a listing of existing accounts in acct name order.

    ./add-account allows an administrator to add new entries to TravMan4 without resorting to phpMyAdmin.

    Syntax: ./add-account acctno "account name" pin email permissions

    ./del-account allows an administrator to remove an account from TravMan4 and deletes the corresponding WhiteList entry from IPtables, followed by an IPtables restart.

    Syntax: ./del-account acctno

    ./del-ipaddress allows an administrator to remove an IP address from TravMan4; it also deletes the corresponding WhiteList entry from IPtables and restarts IPtables. The account itself is preserved with its existing acctname, pin, email, and permissions.

    Syntax: ./del-ipaddress acctno