
ScopTEL – Advanced Training on QoS and VLANs

Ever wonder how to set up VLANs or set priority on the default VLAN for voice traffic?

Mechanisms like LLDP and CDP are not required to set up voice priority or VLANs.

This document covers prerequisites for the ScopTEL advanced training and reseller exam.

QoS – VLAN – CODEC – Best Practices – MPLS – VoIP Protocols – MOS

Module 20 - ScopTEL - Quality of Service Training

ScopServ Developer Kit for Linux (PHP classes)

Today ScopServ released the first version of its ScopDEV (SDK) for Linux (PHP classes).

This PHP class API has been eagerly awaited by the community and follows the Windows API released about 6 months ago.

It comes with some 50 samples and will enable any PHP programmer to interface with our flagship software, ScopTEL IP PBX.

You can download this SDK at the following address: http://www.scopdev.com/

ScopServ Hardening Guide – Enhance System Security

This guide is designed to provide you with essential information about how to harden the ScopServ Telephony PBX server. You should use this guide as part of your overall security strategy for ScopTEL.

 

Password Policy

Hopefully you already use strong passwords; if you do not, choose passwords that contain:

  • A minimum of 8 characters
  • A mix of upper and lower case letters
  • A mix of letters and numbers
  • Non-alphanumeric characters (e.g. special characters such as ! " £ $ % ^ etc.)

The benefits of strong passwords have an impact on all aspects of systems security.

How to change the ‘admin’ password

The default user name to log into the ScopTEL PBX is admin and the default password is admin. To improve the security of your server, you should change the administrative password immediately after installing the server.

Log into the GUI, click on Tools -> Password and enter a new password.

Enable SSL access on the GUI

HTTPS is a secure communications channel used to exchange information between a client computer and a server. It uses Secure Sockets Layer (SSL). To enable SSL in ScopTEL and encrypt the information that is transferred over the network, first log into the GUI, then:

  • Go to Configuration -> Server -> Configuration
  • Go to the Security (SSL) tab and click on ‘Edit’ button
  • Click on ‘Enable SSL’ then check the ‘Use Self-Sign SSL key’ option.
  • Click on ‘Save’

How to protect the SSH server

We recommend changing the default root password and creating a dedicated user that will be used to log into the server.

Change the ‘root’ password:

  • Log into the server using SSH; we recommend ‘putty’ as the client.
  • Enter the IP of the SSH server and click on Connect/Open
  • At the login prompt, enter: root
  • The default password is: scopserv

Add a new username:

  • From the SSH session, run ‘adduser admin’
  • Disable SSH root login from the Server
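
A way to confirm that the root login restriction above actually took effect: sshd keeps the first value it reads for each keyword, so a ‘PermitRootLogin no’ line appended below an existing ‘PermitRootLogin yes’ changes nothing. This is an added example, not ScopServ code; it assumes stock OpenSSH with its configuration in /etc/ssh/sshd_config, and the function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value that sshd will actually use.
# Assumes stock OpenSSH; function names are illustrative.

permit_root_login() {
    # $1 = path to an sshd_config file. Prints the effective global value,
    # or "unset" when the keyword never appears before the first Match block.
    awk '
        $1 ~ /^#/ { next }                      # comment line
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" {      # first occurrence wins
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Constructed sample: the hardening line was appended at the end of the file,
# below the original setting, so sshd ignores it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

echo "effective PermitRootLogin: $(permit_root_login "$sample")"
if root_login_disabled "$sample"; then
    echo "OK: root login over SSH is disabled"
else
    echo "WARNING: root can still log in over SSH"
fi
rm -f "$sample"
```

On a live server, pass /etc/ssh/sshd_config to root_login_disabled after applying the GUI setting; a result of "unset" means the build's default applies and should be checked separately.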

Protect against SSH brute-force

If you are using SSH to connect to your server console, then you will sooner or later notice someone trying to hack into your box using dictionary attacks.

  • Go to Configuration -> Server -> SSH Server
  • Open the Security tab and click on ‘Edit’ button
  • Enable the option ‘Automatically blocks SSH attacks’
  • Click on Save

Once DenyHosts is enabled, you must enable the service on boot:

  • Go to Configuration -> Server -> General and click on Edit Services
  • Enable the ‘DenyHosts’ service and click ‘Save’
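
To see what this protection reacts to, the following added example (not part of ScopTEL or DenyHosts) tallies failed SSH password attempts per source address from sshd log lines. The log format is the usual OpenSSH syslog format, typically found in /var/log/secure on CentOS; the sample lines, the host name and the threshold of 3 are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source address,
# the kind of tally a blocker such as DenyHosts acts on.

failed_ssh_sources() {
    # $1 = auth log path, $2 = minimum failures to report.
    # Prints "count address" lines, busiest source first.
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is attacker-controlled and may itself contain
            # "from <address>", so read the address from the fixed tail
            # "... from ADDRESS port N ssh2" instead of the first "from".
            if ($(NF - 2) == "port" && $(NF - 4) == "from")
                hits[$(NF - 3)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (documentation addresses, made-up host and PIDs).
log=$(mktemp)
cat > "$log" <<'EOF'
Jan 12 03:14:01 pbx sshd[2201]: Failed password for root from 203.0.113.7 port 51200 ssh2
Jan 12 03:14:03 pbx sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51202 ssh2
Jan 12 03:14:05 pbx sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51204 ssh2
Jan 12 03:14:09 pbx sshd[2209]: Failed password for invalid user x from 192.0.2.10 from 203.0.113.7 port 51208 ssh2
Jan 12 08:30:11 pbx sshd[3100]: Failed password for admin from 198.51.100.20 port 40100 ssh2
Jan 12 08:30:19 pbx sshd[3100]: Accepted password for admin from 198.51.100.20 port 40100 ssh2
EOF

# Threshold of 3 is chosen for this example only.
failed_ssh_sources "$log" 3
rm -f "$log"
```

The fourth sample line carries a user name containing "from 192.0.2.10"; reading the address from the end of the line keeps that forged address out of the tally, so an unrelated host is not blocked.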

Firewall

Firewall policies consist of one or more rules that work together to allow or block users from accessing the network. The ScopTEL integrated firewall protects your server from undesirable traffic.

  • Go to Configuration -> Network -> Firewall
  • Click on Configuration Wizard and follow instructions.

If you need remote access to the server, you need to allow traffic to ports 22/tcp (SSH) and 5555/tcp (GUI). For VoIP protocols, you can allow traffic to 5060/udp (SIP), 4569/tcp (IAX2) and the range 10000-20000/udp (RTP).

Protect against SIP/IAX2 brute-force

Brute-force attacks let an attacker run an automated application or script that tries to determine an account’s password from a given list of passwords (dictionary file). If you are using ScopTEL PBX, you can take advantage of the ‘Flood Protection’ system under Telephony configuration.

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • On the ‘Flood Protection’ section, enable the ‘Automatically blocks SIP/IAX2 attacks’ option and click on ‘Save’

Password Policy

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization’s official regulations and may be taught as part of security awareness training. The password policy may either be advisory or mandated by technical means.

Voicemail Password:

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Enable the Trivial Password Check
  • Set the Minimum Length (ex. 6 digits)

SIP / IAX2 Password Policy:

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Enable the Password Policy option and click ‘Save’

Define Access Control List for Extensions (SIP/IAX2)

An Access Control List refers to rules that are applied to SIP/IAX2 protocols, each with a list of hosts and/or networks permitted to use the service. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

  • Go to Configuration -> Telephony -> Extensions
  • Go to the Security (ACL) tab and click on ‘Add a new ACL’
  • Set the name of the group (ex. Local) and add list of allowed IP/networks
  • Click on ‘Add’ to save the new group
  • Go to Configuration -> Telephony -> Extensions
  • Go to the Phones tab, select an extension and click on the ‘Edit’ button
  • Go to the ‘Authentication’ tab and select the group (ex. Local) on the ‘Security (ACL) Mode’ option

VoIP Distributed Blacklist

VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and minimize abuse of networks that have publicly accessible PBXs. It is fully integrated into the ScopTEL PBX. The application also allows you to blacklist and/or whitelist specific countries or a Regional Internet Registry (e.g. ARIN), and it interacts directly with the Network Firewall.

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Check the option ‘Enable VoIP Blacklist support’ and click ‘Save’.

Installing Old Packages from the Repository

You may need to install an old package, such as an earlier Asterisk version, on your ScopTEL PBX server. This example installs an older version of Asterisk 1.8 to show how to install old packages from the repository using yum.

Suppose asterisk18-1.8.12.0 is installed on the server and we want to install an older version available in the repository.

First, list all the asterisk18 packages in the repository:

    # scopserv_yum list --showduplicates asterisk18

All the Asterisk 1.8.x packages will be listed like this:

    Installed Packages
    asterisk18.x86_64             1.8.12.0-1.el5.scopserv             installed

    Available Packages
    asterisk18.x86_64             1.8.4-3.el5.scopserv                scopserv
    asterisk18.x86_64             1.8.10.0-1.el5.scopserv             scopserv
    asterisk18.x86_64             1.8.11.0-4.el5.scopserv             scopserv
    asterisk18.x86_64             1.8.11.1-1.el5.scopserv             scopserv
    asterisk18.x86_64             1.8.12.0-1.el5.scopserv             scopserv

The 1.8.10.0 package is available, so we can install it now:

    # rpm -e --nodeps asterisk18
    # scopserv_yum install asterisk18-1.8.10.0-1.el5.scopserv

scopserv_yum will then install the older version. The method is the same for other packages: replace asterisk18 with the package name in the commands above.


Important Security settings when using Class of Service (CoS)

Class of Service (CoS) is where you configure permissions for extensions, incoming lines, applications, feature codes, outgoing lines, etc. It is very important to properly configure each Class of Service, because this is where all validation for routing is done (examples: whether an incoming line, an extension, or an outgoing line route exists).

To add, modify or delete a Class of Service, log in to the ScopServ GUI and click on Telephony -> Manager -> Class of Services.

In each Class of Service, you have different sections where you can set different permissions.

On the Services tab, you can specify which feature code(s) (Voicemail, Agent Login, Call Forward, DND, etc.) are available. It is not recommended to use the ‘All Features’ option when the Class of Service is used by an “untrusted” source. If the users of this Class of Service do not need full access, do not check the ‘All Features’ option; instead, select the individual feature codes that will be available.

On the Applications tab, you can specify which applications (created on Applications -> Application) are available. It is not recommended to use the ‘All Applications’ option when the Class of Service is used by an “untrusted” source. If you check ‘All Applications’ and have a custom application that executes a “sensitive” task (example: turn off the alarm system), this is a major security risk, which is why you must select individual permissions.

On the Local Extensions tab, you can specify which extensions are reachable. If you want all extensions to be available to users of this Class of Service, simply check the ‘All Extension’ option. If you want to restrict the ability to reach some local extensions, select a list of allowed local extensions.

On the Outgoing Lines tab, you specify which outgoing lines you want to be reachable. You can set the line priority (example: 011X must be defined before X., otherwise 011X will never be reachable). If some users need access only to local/national calls but must not be able to make international calls, or must be restricted to specific trunks, use the Outgoing Lines tab to select individual outgoing lines.

On the Miscellaneous tab, you can set miscellaneous options like Agent or Hotdesk restrictions. It is also possible to include other permissions (Class of Services) by selecting one or more contexts. The ‘Include other permissions’ option lets you include other permissions in order to create group-like Class of Service objects. This is useful for creating a Class of Service that includes a hierarchy of other Class of Service objects.

Class of Services can be used in different places, such as Interfaces (VoIP Account, Digital, Analog), to look up destinations. They can also be used on Extensions to specify which permissions the extension will have (examples: whether the extension can reach Voicemail or disable DND). They can also be used on an Auto Attendant (IVR) menu to look up a key pressed by a user, so it is very important to ensure that everything is properly configured.

For example: if you configure an Auto Attendant (IVR) to use a Class of Service that has access to all services, then any person who reaches the IVR will be able to execute any inherited service, such as *888 to spy on extensions, *78 to set a CallForward, DISA, or any other included feature. So ensure that an IVR does not have access to a Class of Service with excessive permissions; otherwise major security holes can exist in the configuration.

In summary it is very important to properly configure Class of Services to restrict access permissions to a user.


How to install ScopServ Telephony Server

If you want to use a computer as a Telephony Server, you need to install the ScopTEL IP Telephony software on it. It comes as a simple Linux distribution in which all the software needed to set up a PBX is installed automatically, including Asterisk 1.4 and 1.8, DAHDI, Wanpipe and other dependencies.

Installing from ScopServ installation disk

To get the latest ScopServ installation disk (ISO image), please visit http://download.scopserv.com/iso/ and download the proper ISO according to your system architecture (32 bit / 64 bit). The latest version available, at time of writing, is ScopServ 2.5, which is based on CentOS 5.8.

Once you have downloaded the latest ScopServ installation disk (ISO image), burn it to a CD-ROM, put the disk in the server's CD-ROM drive, boot from it and follow the on-screen instructions.

After installing the ScopTEL IP Telephony software, you need to log into another computer on the LAN and access the GUI of ScopServ Telephony Server using a Web browser, such as Internet Explorer or Firefox.

To access the GUI, you need to provide the IP address of the computer on which you have installed the ScopTEL IP Telephony software. On providing the correct IP address, the login page of ScopServ Telephony Server appears.

NOTE: The IP address must be followed by the port number. For example, if the IP address is 192.168.0.100 then you need to type the following address in the Web browser: http://192.168.0.100:5555. The default username and password are both set to “admin”.

Getting started with ScopServ

Once you are logged into the ScopServ GUI, I highly recommend running the “Configuration Wizard” available on the sidebar menu; this will create all basic Server, Network and Telephony configurations.

Now that the initial configuration is done, it is time to create a Class of Services, which allows you to control what a phone extension can do (ex. Voicemail, Call Parking, Local/National/International Calls, etc.). On the GUI, go to Telephony -> Manager -> Class of Services, create a new one (ex. default) and set the Services, Applications and Lines that you want this Class of Services to have access to.

To make a simple setup, you can create two (2) new SIP extensions from Telephony -> Extensions -> Phones and click on the Commit button visible in the top right corner to generate the Asterisk configuration files.

Now you are ready to test dialing between your new extensions!

Module 3 - ScopTEL - Server Installation Wizard