Tiki RSS feed for weblogs

Doorbell 2.0

Taneli Otala — Fri, 11 Dec 2009 04:11:51 +0100

Having a large house (well, not by square foot, but by distance of my home office from the front door...) poses a problem with how to make a doorbell work.

So, I looked at various sellers of doorbells — any doorbell that works across 300 yards, will cost some money.
Then, I have two doors that I'd like to have the doorbells at.

Isn't this just begging a geeky solution?

Since I already have the whole house wired with multiple gigabit backbone (bragging here) and an Asterisk/FreePBX phone system... isn't there a better solution?

And, since I can find Sipura SPA-841 phones on eBay for $10 a piece... (I bought a dozen)

So, all that was needed, was just to build some weather resistant enclosures for the phones, and program them so they only work in intercom mode.

The magical ingredient, was to put in the EXT1/EXT2 dialplan of the phones:

(S0:501@192.168.254.1:5060)

(Sorry; add a less-than before the first colon, and a greater than before the closing parenthesis)

Where 501 is the extension for whole-house bidirectional intercom, and 192.168.254.1 is the IP address (inside my network) for the asterisk. The rest is normal.

Of course, the whole-house intercom on the asterisk, is just a simple "Paging and Intercom" configuration on FreePBX. It works beautifully with the Polycom and Sipura phones I have amassed from eBay.

If a long-distance doorbell costs $90 (times two doors, and four ringers), and two measly SPA-841 phones cost just $10 a piece... what was the question?
And now, if someone "rings the doorbell" I can get it to my cell phone... and I can press "1" to open the door lock... (see more on the home automation side)

Unlimited incoming trunks...

Taneli Otala — Fri, 11 Dec 2009 03:50:08 +0100

Incoming trunks, how many calls can you have?
(and, on a side-note, do you have teenage daughters?)

Taking a basic Broadvoice trunk line, it allows two simultaneous calls, inbound, outbound or mix.

I obviously need much more

Enter ipkall and unlimited incoming calls...
You get free numbers in Seattle, and you route them to your Asterisk via IAX2 (they used to only support SIP, but IAX2 is more compressed, less traffic, better security, etc).

Throughout this example, I'm using 3601111111 as the number that you get assigned by IPKall, obviously you'll want to use the real number.
As the password, I'm using "mypasswd" — again, please use your imagination.

Go to the site, register a number.

Account type: IAX
IAX User Name (after registration, change to the number you got): 3601111111
IAX Proxy: your asterisk DNS name and /3601111111
Password: mypasswd

Now, on your asterisk, create a Trunk:

Trunk name: ipkall
User context: 3601111111

User Details:

type=user
context=from-trunk
host=voiper.ipkall.com
auth=plaintext
secret=mypasswd

The rest of the fields should be left blank

Finally, in Inbound Routes, create a new one:

DID Number: 3601111111
CID Name prefix: IPKall:
- This is not necessary, but since they don't pass the caller-id, you might as well make it easier to know what the call is about.
The rest of it... route as you choose

So there... You might want to punch up "asterisk -r" to verify the routing of the incoming call.
If everything goes right, you should be receiving incoming calls as authenticated IAX2 calls, and you can route them as you choose.

Final bits:

Go to your VoIP provider, and have them route all calls "when busy" (i.e. all your incoming connections are used) to the IPKall number
Make sure you dial the IPKall number at least once a month, so they don't release it as "unused"
- Or, better yet, make an automated script that calls (and tests) your new number once a week...
Create a conference call room on your Asterisk/FreePBX
Remind everyone, that "mute is golden" while not speaking — if enough callers, things can get noisy

I have had conference calls of 12 callers successfully with this setup.

Howto: recognizing one of many phone numbers and routing

Taneli Otala — Fri, 11 Dec 2009 01:40:42 +0100

Broadvoice (and other VoIP) providers allow you to register multiple phone numbers...
All the phone numbers come through the same VoIP (SIP) registration.

All you get is a "call indicator" or "distinctive ring pattern" or "short-short-long" to identify which number (DID) was actually called.

How do you tell the incoming numbers apart in an Asterisk/FreePBX scenario?

If you are using a plain asterisk, this is fairly easy to just build into the dialplan... but if you are using FreePBX (as I have switched to use, so I can spread some of the maintenance to other people), you have to actually know where to put it...

My main phone number is 4087739689, that is the registered Broadvoice number.
I have another number, 4089921711 which is for my consulting business.
I also have another number, 5307250195, for use when family is vacationing at Lake Tahoe.

Find in your asterisk/freepbx setup, the file /etc/asterisk/extensions_custom.conf

Add the following:

[from-pstn-custom]
exten => 4087739689,n,GotoIf($["${SIP_HEADER(Alert-Info)}" = "http://127.0.0.1/Bellcore-dr3"]?from-pstn,4089921711,1)
exten => 4087739689,n,GotoIf($["${SIP_HEADER(Alert-Info)}" = "http://127.0.0.1/Bellcore-dr4"]?from-pstn,5307250195,1)

NOTE: the "http:...drX" needs to be inside less-than and greater-than brackets... it seems I can't get TikiWiki? to agree to that...

Note, the "from-pstn-custom" is a pre-determined context, read in by /etc/asterisk/extensions.conf

Note also, that I don't define the 4087739689 at all — I let it "fall through" without any handling.

All I'm doing here, is picking the "Alert-Info" of "Bellcore-dr3" and "Bellcore-dr4" which are the distinctive ring patterns for the 2nd and 3rd number I have... putting the proper DID in place by means of "Goto" back (recursively) to "from-pstn" context... and letting asterisk/freepbx do the rest of the work.

One thing needed... now you need to add a few inbound routes.
You probably already had the inbound route for "4087739689" — but now you also need inbound routes for "4089921711" and "5307250195" to route them as you please.

In my scenario, I just route those pseudo-DIDs now to different IVRs and/or direct extensions.

denyhosts -- almost best thing since sliced bread

Taneli Otala — Thu, 19 Nov 2009 08:25:44 +0100

Denyhosts

Almost too good to be true...

What's good, is that it allows you to get almost rid of dictionary attacks on your SSH port...

What's not so good, is that as of recent, the dictionary attacks on POP3, IMAP4, TELNET, FTP are significantly on the rise... and Denyhosts does not make it particularly easy to block the other protocols...

If I manage to get the other protocols blocked, I'll publish the regex'es for those.

Meanwhile, if you notice it in your log files, rememember that:

iptables -A INPUT -s x.x.x.x -j DROP

always works....

Networking Asterisk with multiple uplinks

Taneli Otala — Thu, 19 Nov 2009 08:19:41 +0100

Asterisk (VoIP) has an interesting bug...
You can't really network Asterisk to use two uplink network connections, since Asterisk grabs the default interface and "rides with it"

If you have a bastion host, that is routing all traffic from your SOHO (small office/home office), and you're trying to get the traffic separated, you will run into the problem of separating the traffic (traffic shaping), since you have to give asterisk the "default route"

Here is what you do...

Give Asterisk, the default route, i.e. define "ip route add default via 1.1.1.1 ethX"
That should be the gateway and ethX interface that will be carrying your VoIP traffix.

(remember to make asterisk listen to all interfaces, bind 0.0.0.0)

Prepare the tables with:
echo 100 att >> /etc/ip_route2/rt_tables
echo 101 speakeasy >> /etc/ip_route2/rt_tables

Then, assuming two interfaces (eth1 on at&t at 1.1.1.2, and eth2 on speakeasy (good only for bulk traffic) at 2.1.1.2), make source routing tables:

ip rule add from 1.1.1.2 table att
ip route add default via 1.1.1.1 dev eth1 src 1.1.1.2 table att
ip rule add from 2.1.1.2 table speakeasy
ip route add default via 2.1.1.1 dev eth2 src 2.1.1.2 table speakeasy

You're halfway there... now let's get source routing in place... this is what makes the server respond back on the same IP that it receives requestss...

ip rule add from 1.1.1.2 table att
ip rule add from 2.1.1.2 table speakeasy

Now, if a packet comes from 1.1.1.2 it will take the att route, if it's from 2.1.1.2 it will take the speakeasy route.

Finally, let's add the special incantation to get your local traffic (on eth0, with 10.0.0.0/24 to go through speakeasy, since it's only good for bulk traffic)

We need to mark the packets before "routing decision"

iptables -t mangle -A PREROUTING -i eth0+ -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MARK — set-mark 1

Now we route the packets the right way; i.e. all local outbound SNATted traffic takes the bulk speakeasy route

ip rule add fwmark 1 table speakeasy

And finally, we make the SNAT rule for speakeasy, for all fwmark 1 packets

iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to 2.1.1.2

Now, please... the fictitious IP numbers:

1.1.1.1 is the gateway for 1st DSL
1.1.1.2 is your IP for the 1st DSL
2.1.1.1 is the gateway for 2nd DSL
2.1.1.2 is your IP for the 2nd DSL
10.0.0.0/24 is your local network

Change all, as appropriate... don't ever assume that these are valid IP numbers.
(Only networks like 10.x.x.x or 192.168.x.x are private, if you pick anything else for your internal network, you will be blocking out parts of the internet for yourself)

Oracle 10g Express Edition vs. 64 bit client drivers

Taneli Otala — Thu, 19 Nov 2009 07:45:25 +0100

If you have the Oracle 10g (10.2.0.1.0) Express Edition, you'll notice that everything is 32 bit...

But, what if you have a 64 bit client, such as RHEL 5/64 (or CentOS 5/64)?

What you'd do... is to download the normal 10g client, for 64 bits...

And then configure the client to use a connection string like: host.domain.com:1521/XEXDB

The XEXDB (service name) is something you'll find on the server from the init.ora with the dispatchers parameter...

The Express Edition is pretty cool for casual testing, building a test framework, etc.
Remember that it has the 2GB data and memory size limitation.

C++ programming with Ubuntu 9.10 and Boost 1.40

Taneli Otala — Thu, 19 Nov 2009 07:35:04 +0100

I'm starting this blog backwards...

But, I want to help others who have run into an issue, developing with Boost 1.40 on Kubuntu/Ubuntu 9.10

Basically, if you run into a number of problems, once you've upgraded to Ubuntu 9.10, the issue might be that you have an ealier version of Boost, such as 1.37 installed...

Earlier version of Boost would install in /usr/local/include — and your build system might end up with a hybrid of header files from 1.40 in /usr and 1.37 from /usr/local, resulting in mysterious non-compiles...

What you need to do, is to remove or rename (as sudo) the /usr/local/boost directory (which is a symlink to the 1.37) — only for development.

Boost, changed their methodology for versioning in 1.40 — all for the better, finally to the LSB standard — but the transition is going to give us a bit of pain.

Using Pion for network security

Taneli Otala — Mon, 20 Jul 2009 08:07:56 +0100

Pion, by Atomic Labs can do some pretty incredible tricks on detecting anomalies, hacking attempts, etc. by passively looking at the network traffic.

Imagine, being able to program (graphically, no program code) any kind of web/smtp/voip event, and being able to take action real-time.

Check out http://atomiclabs.com — I will write actual recipes soon.

Russian (caravan.ru) link spammers

Taneli Otala — Mon, 03 Sep 2007 16:11:44 +0100

Tiki link spammers

So tired... seriously, first email spam (BTW, how about a presidential candidate that has capital punishment for spammers?) and now trackback link spammers.

There is this russian network, caravan.ru, that is relentlessly pounding on my dozen or so tikiwiki sites, adding a trackback link spam every few second.

Here is what it looks like in your logs:

217.23.147.210 - - 03/Sep/2007:08:53:10 -0700 "POST /tiki-view_blog_post.php/1/1 HTTP/1.1" 200 - "-" "WordPress/1.9"
212.24.48.34 - - 03/Sep/2007:08:53:16 -0700 "POST /tiki-view_blog_post.php/1/2 HTTP/1.1" 200 - "-" "WordPress/2.0"
217.23.143.226 - - 03/Sep/2007:08:53:31 -0700 "POST /tiki-view_blog_post.php/1/2 HTTP/1.1" 200 - "-" "WordPress/2.0"
217.23.133.242 - - 03/Sep/2007:08:53:39 -0700 "POST /tiki-view_blog_post.php/1/5 HTTP/1.1" 200 - "-" "WordPress/1.9"
217.23.151.130 - - 03/Sep/2007:08:53:45 -0700 "POST /tiki-view_blog_post.php/1/5 HTTP/1.1" 200 - "-" "WordPress/1.9"
217.23.143.224 - - 03/Sep/2007:08:53:50 -0700 "POST /tiki-view_blog_post.php/3/19 HTTP/1.1" 200 - "-" "WordPress/2.1.2"
217.23.132.114 - - 03/Sep/2007:08:53:54 -0700 "POST /tiki-view_blog_post.php/3/19 HTTP/1.1" 200 - "-" "WordPress/2.1.2"
212.24.48.31 - - 03/Sep/2007:08:53:58 -0700 "POST /tiki-view_blog_post.php/2/7 HTTP/1.1" 200 - "-" "WordPress/2.0"
217.23.143.26 - - 03/Sep/2007:08:54:02 -0700 "POST /tiki-view_blog_post.php/2/7 HTTP/1.1" 200 - "-" "WordPress/2.0"
212.24.48.52 - - 03/Sep/2007:08:54:04 -0700 "POST /tiki-view_blog_post.php/3/9 HTTP/1.1" 200 - "-" "WordPress/2.1.2"

Let's see, what are the options?

Disallow trackback links? There goes the idea of wiki...
Disallow user registrations? Where's the fun in that?
Require user registrations to be manually approved, and require registration before trackback links are allowed?
All of the above?

Well, let's just first plain block the caravan.ru network out:

iptables -A INPUT -s 212.24.48.170/24 -p tcp --dport www -j droplog
iptables -A INPUT -s 81.176.0.0/15 -p tcp --dport www -j droplog
iptables -A INPUT -s 62.213.64.0/18 -p tcp --dport www -j droplog
iptables -A INPUT -s 212.158.160.0/20 -p tcp --dport www -j droplog
iptables -A INPUT -s 217.23.128.0/19 -p tcp --dport www -j droplog
iptables -A INPUT -s 212.24.32.0/19 -p tcp --dport www -j droplog
iptables -A INPUT -s 85.255.118.92/24 -p tcp --dport www -j droplog
iptables -A INPUT -s 72.232.191.50 -p tcp --dport www -j droplog

SPAM on the rise...

Taneli Otala — Sun, 15 Oct 2006 16:00:39 +0100

Is it just me, or have others noticed that SPAM is on the rise?

It is really annoying when I get 100 SPAMs per day on the email account I use on my cell phone...

Time to "tighten the screws" again!

Links:

So, I go through my sendmail.mc configuration, and notice that I could add a few blacklists again.

FEATURE(dnsbl, `relays.ordb.org', `Rejected -- see http://ordb.org/ for reason')dnl
FEATURE(dnsbl, `sbl-xbl.spamhaus.org', `Rejected -- see http://www.spamhaus.org/SBL for reason')dnl
FEATURE(dnsbl, `bl.spamcop.net', `Rejected -- see http://spamcop.net for reason')dnl
FEATURE(dnsbl, `dnsbl.sorbs.net', `554 Rejected see http://dnsbl.sorbs.net')dnl
FEATURE(dnsbl, `list.dsbl.org', `Rejected -- see http://dsbl.org for reason')dnl
FEATURE(dnsbl, `block.rhs.mailpolice.com', `Rejected -- see http://rhs.mailpolice.com')dnl
FEATURE(dnsbl, `cbl.abuseat.org', `Rejected -- see http://cbl.abuseat.org')dnl
FEATURE(dnsbl, `l1.spews.dnsbl.sorbs.net', `Rejected -- see http://spews.org')dnl

Basically I ended adding dnsbl.sorbs.net and l1.spews.dnsbl.sorbs.net

Results are good:

This morning; 450 messages, 110 internal => external emails: 340
SPAM (Blacklist) blocked: 259, i.e. 76%
Bad targets (cleaning up mailboxes): 17, i.e. 5%
Caught by SORBS: 58, i.e. 17% (that weren't caught by the others), so now 17% more gets caught

Good work for a quiet Sunday morning, though I wish I could find a good milter in open source, to do better — and not rely so much on blacklists.