Want to simplify how a user gets added to the PBX computer's list of approved IP addresses and at the
same time increase security? Then put a man in the middle. The idea is to have a cheap, stripped-down
computer that determines the user's IP address and then relays that IP address, along with two items
typed in by the user (a user ID and a six-digit Time-based One-Time Password, TOTP), to the PBX server.
The PBX server verifies the user ID and password and then adds the IP address to the list of approved
IP addresses. Within a couple of minutes the user is sent an email confirming that the IP address they
are using has been whitelisted and remote access is now enabled.

With the very inexpensive cloud hosting services and Raspberry Pis available these days, you can
easily afford to create a web site that does only one thing: it displays a web page where a user can
enter their ID and a TOTP password (a time-based one-time password, which can be generated by any one
of the free apps available for computers, tablets, and cell phones). As mentioned above, the user's
current IP address is determined by the server, and the IP address, user ID and password are then
relayed to the PBX server. So there is no need to store any information in the cloud except the IP
address of the PBX server. To help prevent attacks, in the attached program I do store the number of
failed attempts for each user and for each IP address. For each failed attempt, the connection from
the relay server to the PBX server is delayed by an additional second. Since there are 1,000,000
possible passwords and each password is only valid for 1.5 minutes, a one-second delay for each failed
attempt should prevent all attacks, since only 12 passwords can be tried before a password becomes
invalid.

On the PBX server you run one additional service, which monitors port 5559. This port is opened only
to the relay server in the cloud, and to no other IP addresses. The incoming user ID is used to look up
the user's account number and base32 seed. This seed is then used to generate the TOTP one-time
password. If the calculated password matches the password entered by the user, the IP address is
stored and I let the TM4 scripts handle the rest. An SSL connection is also used between the relay
server in the cloud and the PBX server; both the client and server certificates must match for the
SSL connection to be allowed.

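As an added example (not the author's attached program), here is how the PBX-side check described above can be implemented in Python: RFC 6238 TOTP from a base32 seed with a 30-second step, one step of tolerance on either side (the 90 seconds of validity mentioned later), refusal of a code that was already accepted, and a per-user and per-IP failure counter that yields one extra second of delay per failure. The user table, seed and IP addresses are constructed sample values, and resetting the per-user counter on success is this example's choice.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30     # seconds per TOTP step (the FreeOTP "interval" setting)
DIGITS = 6    # code length (the FreeOTP "digits" setting)
WINDOW = 1    # accept previous, current and next step: 3 x 30 s = 90 s of validity

def totp_at(seed_b32, counter):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for a given 30-second step counter."""
    seed_b32 = seed_b32.strip().upper()
    key = base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8))  # restore padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

class EntryGate:
    """Checks a relayed (userid, code, ip) triple the way the allow_entry service is described."""
    def __init__(self, users):
        self.users = users          # userid -> base32 seed (constructed sample data)
        self.last_counter = {}      # userid -> step of the last accepted code (blocks reuse)
        self.failures = {}          # userid or ip -> number of failed attempts

    def delay_seconds(self, userid, ip):
        """Extra delay before relaying: one second per failed attempt for the user and for the IP."""
        return self.failures.get(userid, 0) + self.failures.get(ip, 0)

    def verify(self, userid, code, ip, now=None):
        """True if code is valid for userid within the window and has not been accepted before."""
        now = time.time() if now is None else now
        seed = self.users.get(userid)
        if seed is not None:
            counter = int(now // STEP)
            for c in range(counter - WINDOW, counter + WINDOW + 1):
                # RFC 6238 5.2: never accept a step at or before the last accepted one (no replay)
                if c > self.last_counter.get(userid, -1) and hmac.compare_digest(
                        totp_at(seed, c).encode(), code.strip().encode()):
                    self.last_counter[userid] = c
                    self.failures.pop(userid, None)   # success clears the per-user count
                    return True
        # unknown user or wrong code: count the failure against both the user ID and the IP
        for key in (userid, ip):
            self.failures[key] = self.failures.get(key, 0) + 1
        return False
```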
On the user's cell phone you have to install a browser such as Chrome and a TOTP password generator.
One free option is FreeOTP, which is available on both Android and iOS devices.

The steps required are:

On the PBX server
1. Download to the PBX server the programs that generate base32 password seeds and monitor port 5559
2. Create an admin password to prevent unauthorized use of the password program
3. Generate client and server certificates with the provided script
4. Open port 5559 to the IP address of your relay server in the cloud
5. On your router, forward port 5559 to the PBX server
6. Start the PBX server monitoring service, called allow_entry
7. Install Travelin' Man 4 (TM4)

On the cloud host relay server
1. Install Apache
2. Download to the cloud server the relay program and web page
3. Copy the server and client certificates from the PBX server to the cloud relay server
4. Allow your IP address and then block all other IP addresses on all ports except ports 80 and 443
5. Start Apache

On the user's cell phone
1. Install a TOTP one-time password generator such as FreeOTP.
2. On the PBX server, generate a base32 seed password and put it in the TOTP app. To do this with
FreeOTP, open it and press the + symbol. Then on the first line, in the email entry, enter the user ID
used to generate the password on the Asterisk machine. On the next line press the space bar. On the
third line, for secret, enter the number you generated on the Asterisk machine. Leave type as TOTP,
leave DIGITS as 6, leave algorithm as SHA1, and leave interval as 30. Now press add. On the new screen,
touch the entry with the user ID you just entered. The symbol shows you how long until the one-time
password becomes invalid, and the number shown is the one-time password you need to enter into the
web site. Currently the one-time password is valid for 90 seconds. For security, the same password
cannot be immediately reused.
3. Add the cloud server as a favorite in the browser on the user's cell phone

Longer term, I am hoping to create a simple app for the phone which will connect to the relay server
and transmit the user ID and TOTP password. Already included in the zip file is a relay program which
will monitor port 5560 on the cloud server and pass the information on to the PBX server. I have also
included Python and Java versions of the program to run on the user's machine.