Security

How to Configure Class of Service Objects

The Class of Service Manager is used to create objects used to assign permissions or restrictions to Outgoing Lines, Incoming Lines, Extensions, Feature Codes, or Applications.

Great care should be taken when configuring Class of Service objects.

Please refer to https://blog.scopserv.com/2012/06/important-security-settings-when-using-class-of-service-cos/ before configuring Class of Service objects.

 

Module 8 - ScopTEL - Class of Service Configuration

CentOS 5 Official Support Closure

As previously advised in the ScopServ blogs and ScopNEWS, CentOS 5 has now officially reached its End Of Life date. As a result, CentOS has shut down its official repositories for CentOS EL5.


From now on, updating your existing ScopTEL EL5 packages may cause errors similar to the following:

[root@pstn ~]# scopserv_yum update

==== scopserv_yum ====

— Executing yum…

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* centos-extras: mirror.netaddicted.ca

* centos-os: centos.mirror.iweb.ca

* centos-updates: centos.mirror.iweb.ca

* scopserv: us.mirrors.scopserv.com

http://mirror.netaddicted.ca/CentOS/5.11/extras/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404: Not Found

Trying other mirror.

http://mirror2.evolution-host.com/centos/5.11/extras/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404: Not Found

Trying other mirror.

http://centos.mirror.ca.planethoster.net/5.11/extras/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404: Not Found

Trying other mirror.

http://centos.bhs.mirrors.ovh.net/ftp.centos.org/5.11/extras/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404: Not Found

Trying other mirror.

http://centos.westmancom.com/5.11/extras/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404: Not Found

Trying other mirror.

centos-extras                                                                                     | 2.1 kB     00:00

 

This does not mean your installation is broken; it simply means that the official CentOS EL5 mirrors have been shut down. ScopServ has released a new scopserv-server package that uses vault.centos.org to maintain existing dependencies. This package will be installed automatically via scopserv_yum update, and once the scopserv-server package is updated you will not see this error the next time you run scopserv_yum update.

Here are the options to resolve the error (pick one):

  1. Update your packages using the ScopTEL GUI
  2. From a bash prompt execute ‘scopserv_yum update’ (omitting quotes)
  3. From a bash prompt execute ‘rpm -Uvh http://download.scopserv.com/dist/packages/scopserv-server/scopserv-server-5.1.6.11.20170601-1.nodist.scopserv.noarch.rpm’ (omitting quotes)

Since CentOS 5 is officially End Of Life, ScopServ highly recommends that you upgrade your installation to CentOS 6.

Failure to do so will put your installation at risk since CentOS EL5 is no longer supported.

Please follow the official instructions to upgrade your installation at

https://blog.scopserv.com/2016/12/scoptel-centos-6-x-bootdisk-installation-guide/

ScopServ will not be responsible for any liabilities caused by a failure to upgrade to a supported Operating System.  Additionally, ScopServ will be announcing an End Of Life date for ScopServ EL5 packages and support in the near future.


ScopServ Remote Support Using AnyDesk

If you are looking to have ScopServ support connect to your system remotely, please be aware that we no longer support TeamViewer.  Our preferred remote desktop software is AnyDesk.  Download a ScopServ client from here


ScopTEL Documentation Collection Downloads

It is recommended that you read each Training Module in numerical order.

Module 0:

  • Previous versions of ScopTEL were either based on CentOS versions 4 or 5
  • However, these versions have limited lifecycle support, and it was necessary for ScopServ International to release an installation ISO based on CentOS version 6.X


  • Refer to the official ScopServ Documentation to install CentOS el6

 

ScopTEL-CentOS6_-BootDisk-Installation-Guide

 

Module 1:

CentOS 5 DVD ISO Boot Disk Installation (deprecated, use CentOS el6)

Module 1 - ScopTEL - CentOS5 DVD ISO Boot Disk Installation

 

Module 2:

Basic ifconfig

Module 2 - ScopTEL - Basic ifconfig

 

Module 3:

Server Installation Wizard

Module 3 - ScopTEL - Server Installation Wizard

 

Module 4:

Version Switcher for Telephony

Module 4 - ScopTEL - Version Switcher for Telephony Server

 

Module 5:

PSTN Interfaces and Gateways

Module 5 - ScopTEL - PSTN Interfaces and Gateways

 

Module 6:

Outgoing Lines and Interface Groups

Module 6 - ScopTEL - Interface Groups and Outgoing Lines

 

Module 7:

Incoming Lines Management

Module 7 - ScopTEL - Incoming Lines Management

 

Module 8:

Class of Service Configuration

Module 8 - ScopTEL - Class of Service Configuration

 

Module 9:

Extensions Management

Module 9 - ScopTEL - Extensions Management

 

Module 10:

Automatic Provisioning System

Module 10 - ScopTEL - Automatic Provisioning System

 

Module 11:

Prompt Management

Module 11 - ScopTEL - Prompt Management

 

Module 12:

Managing Schedules

Module 12 - ScopTEL - Managing Schedules

 

Module 13:

Managing Conferences:

Module 13 - ScopTEL - Managing Conferences

 

Module 14:

Managing Auto Attendants/IVR

Module 14 - ScopTEL - Managing Auto Attendants

 

Module 15:

Managing Automatic Call Distribution

Module 15 - ScopTEL - Managing ACD

 

Module 16:

Managing Applications

Module 16 - ScopTEL - Managing Applications

 

Module 17:

Backup and Restore Using the Server Manager GUI

Module 17 - ScopTEL - Backup and Restore

 

Module 18:

Backup and Restore Using Putty and WinSCP

Module 18 - ScopTEL - Backup_Restore Using Putty_WinSCP

 

Module 19:

Troubleshooting

Module 19 - ScopTEL - Troubleshooting

 

Module 20:

Quality of Service Training

Module 20 - ScopTEL - Quality of Service Training

 

Module 21:

ScopTel Reports Summary

Module 21 - ScopTEL - Reports Summary

 

Module 22:

Sangoma/Vegastream Gateway Configuration

Module 22 - ScopTEL - Sangoma Gateway Configuration

 

Module 23:

Sangoma Hardware Transcoding Integration Installation

Module 23 - ScopTEL - Sangoma Transcoding Installation

 

Module 24:

Asterisk 11 T.38 Fax Gateway Configuration

Module 24 - ScopTEL - Asterisk 11 T.38 Fax Gateway Configuration

 

Module 25:

Avaya IP Office Conference Bridge Integration (Add Conference Bridging to IP Office Using ScopTEL)

Module 25 - ScopTEL - Avaya IP Office Conference Bridge

 

System Network Lab (Hands On: Learn How To Network Multiple Servers Using SIP Tie Trunks):

Module LAB - ScopTEL - System Networking LAB

 

How to set up a Server to Server SIP Trunk:

ScopTEL - How to set up a Server to Server SIP Trunk

 

ScopTEL Fixed Mobile Convergence and Follow Me:

ScopTEL - Fixed Mobile Convergence and Follow Me

 

ScopTEL Networking DHCP Configuration:

ScopTEL - DHCP Configuration

 

Configuration ScopTEL SIP for Network Address Translation/NAT:

ScopTEL - Configuring ScopTEL for NAT

 

ScopTEL Cisco SIP Phone Integration:

ScopTEL - Cisco SIP Phone Integration

 

ScopTEL Certificate Manager (How To Configure a ScopTEL Server to Support HTTPS GUI management and Encrypted Media and Signalling):

ScopTEL - Certificate Manager

 

How To Optimize a ScopTEL Installation to Save Voice Recordings:

ScopTEL - Call Recording Server Optmization

 

ScopTEL Installation Hierarchy (If you are new to ScopTEL follow this document to manage the correct flow of your new installation to optimize configuration prerequisites):

ScopServ - Basic Installation Hierarchy for Telephony Server New Design v04

 

How To Configure Customer Call Ratings Using IVR Menus and Custom Scripts:

Rating calls using IVR menus and custom scripts

 

End User Voicemail Cheat Sheet:

ScopTEL Voicemail End User Card

 

Configuring Speed Dials and PIN’s Using Outgoing Line Configurations:

ScopTEL - Speed Dials and Outgoing Line Configurations

 

How To Configure the Same Extension Number On Multiple SIP Devices:

ScopTEL - Shared Users for Devices

 

Background On directmedia/re-INVITE Management in ScopTEL:

ScopTEL - RTP directmedia handling

 

Using Join.me to Support Customers (use for webinars, remote help sessions, desktop sharing, conference bridging):

ScopTEL - Remote Support Using join.me

 

End User Guide for Polycom SoundPointIP Phones (integrated with ScopTEL Proprietary EFK functions):

ScopTEL - Polycom End User Training

 

ScopTEL Installation on Mediatrix Sentinel Virtual Machine (How To):

ScopTEL - Mediatrix Sentinel ScopTEL VM Installation

 

How To Integrate a ScopTEL Installation with a Mediatrix ISDN Gateway (T1/E1 Interfaces):

ScopTEL - Mediatrix ISDN Gateway Configuration

 

How To Integrate a ScopTEL Installation with a Mediatrix Trunk, Station Gateway (Analog/POTS FXO/FXS):

ScopTEL - Mediatrix Analog Gateway Configuration

 

If you are an ITSP looking to terminate SIP VoIP Interfaces to Reseller or End User ScopTEL installations you need to read this:

ScopTel - ITSP SIP Trunking

 

An End User Guide for Snom Phone Users:

ScopTEL - Snom End User Training

 

ScopServ Quick Sales Presentation:

ScopServ Presentation 2015

 

ScopServ Full Customer Presentation:

General Presentation ScopTEL ENGLISH

 

ScopTEL ScopSTATS Reporting Admin Guide:

ScopSTATS_Manual

 

ScopTEL Automatic Call Distribution Customer Presentation:

Presentation ScopServ ACD English V3

 

ScopTEL Feature List:

ScopTEL Feature List

 

Required Settings for Gmail or Office 365 SMTP Smart Relay

Gmail and Office 365 each require unique settings for Smart Relay Configuration.  This document describes each.

ScopTEL - SMTP Relay Settings Gmail Office 365

 

Call Forwarding End User Guide

Users can manage their Call Forwarding rules using this cheat sheet.

ScopTEL Call Forwarding End User Card

 

ACD Pause Code Usage

A simple ‘how to’ explaining ACD Pause Code Usage

ScopTEL ACD Pause Code Usage

Product Bulletin: CVE-2015-0235 Ghost Vulnerability

Details:

https://rhn.redhat.com/errata/RHSA-2015-0090.html
Updated glibc packages that fix one security issue are now available for ScopServ Distributions built on CentOS 5.
Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the Name Server Caching Daemon (nscd) used by multiple programs on the system.  Without these libraries, the Linux system cannot function correctly.
A heap-based buffer overflow was found in glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls.  A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application. (CVE-2015-0235)

Immediate Recommendations:

In order to protect your server and at the earliest convenience:
From the Linux shell execute (without quotations):

‘scopserv_yum update glibc* -y’

Ensure all updates have completed and then execute (without quotations)

‘reboot’

The minimum package requirements are:

glibc-devel-2.5-123
glibc-2.5-123
glibc-headers-2.5-123
glibc-2.5-123
glibc-common-2.5-123
nscd-2.5-123
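
One way to confirm the minimum package requirements after updating, as an added example that is not part of the ScopServ bulletin. The function name check_glibc_minimum is hypothetical, the sample lines are constructed, and it assumes every EL5 glibc build is version 2.5 so that only the release number needs comparing.

```shell
#!/bin/sh
# Added example, not from the ScopServ bulletin.
# Reads "name version release" lines on stdin, e.g. the output of:
#   rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' \
#       glibc glibc-common glibc-devel glibc-headers nscd
# Prints every listed package older than 2.5-123 and returns 1 if any is found.
# Assumption: EL5 glibc builds are all version 2.5, so only the leading
# integer of the release field is compared; other versions are ignored.
check_glibc_minimum() {
    awk -v min_rel=123 '
        # Ignore unrelated lines such as "package nscd is not installed".
        $1 !~ /^(glibc|glibc-common|glibc-devel|glibc-headers|nscd)$/ { next }
        NF != 3 || $2 != "2.5" { next }
        {
            rel = $3
            sub(/[^0-9].*$/, "", rel)        # "118.el5_10.2" -> "118"
            if (rel + 0 < min_rel) {
                print $1 "-" $2 "-" $3
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample (not captured from a real system): one glibc build was
# updated, but a second build and nscd were left behind.
sample='glibc 2.5 123.el5_11.1
glibc 2.5 118.el5_10.2
glibc-common 2.5 123.el5_11.1
nscd 2.5 118.el5_10.2
package glibc-devel is not installed'

if printf '%s\n' "$sample" | check_glibc_minimum; then
    echo "all glibc packages meet 2.5-123"
else
    echo "packages listed above are below 2.5-123: update and reboot"
fi
```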


Product Bulletin: Support for TLSv1.1 and TLSv1.2 on WebGUI

Today, we proudly announce an update to ScopTEL PBX to support TLSv1.1 and TLSv1.2 in WebGUI when using SSL encryption in order to secure communication on the Management interface.

Since the release of TLSv1, many changes have happened to both the development of TLS and the known attacks against the cryptographic protocol.  TLSv1.1 and TLSv1.2 were both released in the mid to late 2000s which fixed many problems seen in TLSv1 but, unfortunately, adoption was meager at best.  This left the door open to many attacks against the protocols in use (namely SSLv3 and TLSv1) including BEAST, CRIME, various cipher renegotiation and rollback attacks, and attacks on the RC4 encryption cipher.

In order to use the new encryption protocols, simply go to Server -> Packages Manager and click on Update Now.

If you want to update from SSH, you can type:

scopserv_yum update httpd scopserv-server


Product Bulletin: ScopServ Vulnerability CVE-2014-1691 January 26, 2015 Addendum

In addition to https://blog.scopserv.com/2015/01/product-bulletin-scopserv-vulnerability-cve-2014-1691-january-26-2015/

If your installation cannot immediately and fully be upgraded as per the product bulletin, you may use this minimal upgrade method to upgrade the required packages (but it is highly recommended that a full upgrade is performed):

From the Linux shell execute (without quotations) ‘scopserv_yum update scopserv scopserv-core scopserv-framework scopserv-server’

After all packages are successfully updated then from the Linux shell execute (without quotations) ‘service scopserv restart’


Product Bulletin: ScopServ Vulnerability CVE-2014-1691 January 26, 2015

Scope:
ScopServ, ScopTEL installations could be vulnerable to CVE-2014-1691.

Description:
Unsanitized variables are passed to the unserialize() PHP function. A remote attacker could specially craft one of those variables to load and execute code.

Required Action:
In order to protect a ScopTEL installation from this vulnerability you must update to scopserv-5.0.0-2 scopserv-core-5.1.0.8.20150126-1 scopserv-framework-5.0.0.7.20150126-1 and meet all other dependencies including php-pecl-json-1.2.1-5

Immediate Recommendations:
It is highly recommended to perform a full update on each ScopServ, ScopTEL installation in order to simplify the upgrade procedure and also ensure all dependencies are met.
It is also highly recommended to reboot your server after the updates in order to ensure all services and scripts have been updated.
From the Linux shell execute (without quotations) ‘scopserv_yum update’
And after the updates are completed execute (without quotations) ‘reboot’


How to Blacklist Phone Numbers on ScopTEL PBX

Do you need to block certain callers to avoid unwanted calls, or simply ban specific destinations such as premium-rate phone numbers on your ScopTEL PBX? There are many reasons to block one or more telephone numbers, and ScopTEL PBX offers simple solutions to block phone numbers with a Blacklist. It is also possible to use a whitelist to allow only certain phone numbers.

ScopTEL PBX lets you block (or whitelist) a phone number or multiple numbers from the integrated CallerID Lookup management system.

This article explains how to use an SQL table to store thousands of phone numbers and blacklist some destinations on Outgoing Lines.

 

Configure CallerID Lookup

The first step is to configure an External Source from Lines -> CallerID Lookup. Simply set the Type to “External Source” and set the Table Name to “blacklist”, then click on the Save button.

Lines -> CallerID Lookup -> External Source (SQL)

 

 

Enable Call Restrictions (Blacklist)

On Lines -> Outgoing Lines, click on the Dial String tab and check the option “Restrict Disallowed Outgoing Numbers” then select the External Source (blacklist) you created.

Lines -> Outgoing Lines -> Call Restrictions

 

Create SQL table

You must now create an SQL table that will store all the phone numbers that you want to blacklist. Go to Tools -> Server and click on the SQL Shell menu. Copy the following content and click on the Execute button to create the SQL table.

 

[box title=”SQL Query” color=#ddd]

CREATE TABLE blacklist (
   phone_number varchar(100),
   calleridnum varchar(100),
   calleridname varchar(100)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

[/box]

 

Tools -> Server -> SQL Shell


Import Data

We now need to fill the blacklist SQL table in the ScopServ database. In this example, we will use a simple text file that contains a single phone number per line. Create a file named /tmp/blacklist.txt and list all the telephone numbers to block.

[box title=”Sample Data” color=”#DDDDDD”]

01230126675
01230312624
01230871502
01236161496
01237627016
01234545454
01237741360
01232780766
01235100042

[/box]

 

The following simple shell script reads the text file, creates the SQL INSERT queries and executes them on the MySQL scopserv database. If you aren’t using the default MySQL settings, you will have to adapt the script manually.

[box title=”Import Shell Command” color=”#DDDDDD”]

# Specify Source file
SRC="/tmp/blacklist.txt"
# Destination File
DST="/tmp/blacklist.sql"
# Set SQL database name (default is scopserv) 
SQL="scopserv"

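# Build one INSERT per line; the number is wrapped in escaped double quotes
awk '{ print "INSERT INTO blacklist SET phone_number=\"" $1 "\";" }' "$SRC" > "$DST"
# Drop statements generated from empty lines, then load the rest into MySQL
grep -v '""' "$DST" | mysql "$SQL"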

[/box]
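
A stricter variant of the import step, as an added example that is not ScopServ's script: it accepts only digit-only lines before building the INSERT statements, so stray text in /tmp/blacklist.txt cannot change the SQL that reaches MySQL. The function name blacklist_to_sql and the 3 to 20 digit bound are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not ScopServ's import script.
# blacklist_to_sql FILE
#   stdout: one INSERT per unique, digit-only line of FILE
#   stderr: "rejected line N" for every line that is not a plain number
#   status: 0 if every non-blank line was accepted, 1 otherwise
blacklist_to_sql() {
    awk '
        { sub(/\r$/, "") }                      # tolerate Windows line endings
        /^[ \t]*$/ { next }                     # skip blank lines
        {
            num = $0
            gsub(/^[ \t]+|[ \t]+$/, "", num)    # trim surrounding whitespace
            # Allow-list: digits only, 3 to 20 of them (assumed bounds).
            if (num !~ /^[0-9]+$/ || length(num) < 3 || length(num) > 20) {
                printf "rejected line %d\n", NR > "/dev/stderr"
                bad = 1
                next
            }
            if (seen[num]++) next               # drop duplicates
            printf "INSERT INTO blacklist SET phone_number=\"%s\";\n", num
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample input: two numbers from the sample data (one repeated),
# a blank line, and a line carrying a quote and extra text.
sample=$(mktemp)
printf '%s\n' '01230126675' '01230312624' '' '01230126675' \
    '01234545454"; -- stray text' > "$sample"

# Only load the result when every line passed validation, for example:
#   blacklist_to_sql /tmp/blacklist.txt > /tmp/blacklist.sql \
#       && mysql scopserv < /tmp/blacklist.sql
if blacklist_to_sql "$sample"; then
    echo "-- all lines accepted" >&2
else
    echo "-- some lines were rejected; fix the file before importing" >&2
fi
rm -f "$sample"
```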

 


ScopServ Hardening Guide – Enhance System Security

This guide is designed to provide you with essential information about how to harden the ScopServ Telephony PBX server. You should use this guide as part of your overall security strategy for ScopTEL.

 

Password Policy

Hopefully you already use strong passwords, but if you do not, then try to choose passwords that contain:

  • Minimum of 8 characters
  • Mix of upper and lower case letters
  • Mix of letters and numbers
  • Non alphanumeric characters (e.g. special characters such as ! ” £ $ % ^ etc)

The benefits of strong passwords have an impact on all aspects of systems security.

How to change the ‘admin’ password

The default user name to log into the ScopTEL PBX is admin and the default password is admin. To improve the security of your server, you should change the administrative password immediately after installing the server.

Log into the GUI and click on Tools -> Password and enter a new password

Tools -> Password

Enable SSL access on the GUI

HTTPS is a secure communications channel that is used to exchange information between a client computer and a server. It uses Secure Sockets Layer (SSL). To enable SSL in ScopTEL and encrypt/decrypt the information that is transferred over the network, you must first log into the GUI  and …

  • Go to Configuration -> Server -> Configuration
  • Go to the Security (SSL) tab and click on ‘Edit’ button
  • Click on ‘Enable SSL’ then check the ‘Use Self-Sign SSL key’ option.
  • Click on ‘Save’

Server -> Configuration -> SSL

How to protect the SSH server

We recommend changing the default root password and creating a dedicated user that will be used to log into the server.

Change the ‘root’ password :

  • Log into the server using SSH, we recommend to use ‘putty’ as client.
  • Enter the IP of the SSH server and click on Connect/Open
  • At the login prompt, enter: root
  • The default password is: scopserv

Add a new username:

  • From SSH do ‘ adduser admin ‘
  • Disable SSH root login from the Server

Protect against SSH brute-force

If you are using SSH to connect into your server console, then you will sooner or later notice someone trying to hack into your box using dictionary attacks.

  • Go to Configuration -> Server -> SSH Server
  • Open the Security tab and click on ‘Edit’ button
  • Enable the option ‘Automatically blocks SSH attacks’
  • Click on Save

Once DenyHosts is enabled, you must enable the service on boot:

  • Go to Configuration -> Server -> General and click on Edit Services
  • Enable the ‘DenyHosts’ service and click ‘Save’

SSH Bruteforce Protection

Firewall

Firewall policies consist of one or more rules that work together to allow or block users from accessing the network.  The ScopTEL integrated firewall protects your server from undesirable traffic.

  • Go to Configuration -> Network -> Firewall
  • Click on Configuration Wizard and follow instructions.

If you need remote access to the server, you need to allow traffic to ports 22/tcp (SSH) and 5555/tcp (GUI). In case of VoIP protocols, you can allow traffic to  5060/udp (SIP), 4569/tcp (IAX2) and range 10000-20000/udp (RTP).

Network -> Firewall

 

Protect against SIP/IAX2 brute-force

Brute force attacks essentially allow an attacker to run an automated application/script that will try to determine an account’s password from a given list of passwords (dictionary file).  If you are using ScopTEL PBX, you could take advantage of the ‘Flood Protection’ system under Telephony configuration.

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • On the ‘Flood Protection’ section, enable the ‘Automatically blocks SIP/IAX2 attacks’ option and click on ‘Save’

Password Policy

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly. A password policy is often part of an organization’s official regulations and may be taught as part of security awareness training. The password policy may either be advisory or mandated by technical means.

Voicemail Password:

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Enable the Trivial Password Check
  • Set the Minimum Length (ex. 6 digits)

SIP / IAX2 Password Policy:

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Enable the Password Policy option and click ‘Save’

Define Access Control List for Extensions (SIP/IAX2)

An Access Control List refers to rules that are applied to SIP/IAX2 protocols, each with a list of hosts and/or networks permitted to use the service.  Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

  • Go to Configuration -> Telephony -> Extensions
  • Go to the Security (ACL) tab and click on ‘Add a new ACL’
  • Set the name of the group (ex. Local) and add list of allowed IP/networks
  • Click on ‘Add’ to save the new group
  • Go to Configuration -> Telephony -> Extensions
  • Go to the Phones tab, select an extension and click on ‘Edit’ button
  • Go to the ‘Authentication’ tab and select the group (ex. Local) on the ‘Security (ACL) Mode’ option

 

Access Control List (ACL)

 

 

VoIP Distributed Blacklist

VoIPBL is a distributed VoIP blacklist that aims to protect against VoIP fraud and minimize abuse for networks that have publicly accessible PBXs, and it is fully integrated into the ScopTEL PBX. This application also allows you to blacklist and/or whitelist specific countries or a Regional Internet Registry (e.g. ARIN) and interacts directly with the Network Firewall.

  • Go to Configuration -> Telephony -> Configuration
  • Open the Security tab and click on the ‘Edit’ button
  • Check the option Enable VoIP Blacklist support and click Save.

 

VoIP Distributed Blacklist
