Gundy Dot Org

Sometimes you don’t want to mess around with people cracking into your SIP servers and run up your phone bill (aka toll fraud). So, with this little script, we block all traffic from anywhere and everywhere. Be careful, it’s pretty heavy handed. BTW, there are some outputs for ClearOS, IPtables and Ubuntu’s UFW.

This should be useful for people running, FreeSWITCH, Asterisk, OpenSIPS and Kamailio.

#!/bin/bash

################################################################################
# We don't like blocking of huge parts of the world, but we often don't have the
# time or resources to deal with those who try to haxor our networks. kthanksbye
################################################################################

# Edit this to fit your level of frustration.
REGISTRIES="CHANGE_ME"

# This is how I roll:
#REGISTRIES="(AfriNIC|APNIC|LACNIC|RIPE NCC)"

################################################################################
# APNIC     Asia/Pacific Region
# ARIN      North America Region
# AfriNIC   Africa Region
# LACNIC    Latin America and some Caribbean Islands
# RIPE NCC  Europe, the Middle East, and Central Asia
################################################################################

IANA="http://www.iana.org"
IPV4_LIST="/assignments/ipv4-address-space/ipv4-address-space.txt"

REGEX="[0-9]{1,3}\.0\.0\.0/8"

BLOCK_LIST=`wget --quiet -O - ${IANA}${IPV4_LIST} | \
egrep "${REGISTRIES}" | \
awk '{print $1}' | \
sed "s/\//.0.0.0\//" | \
sed "s/^0*//"`

for NET in ${BLOCK_LIST}; do
    if [[ ${NET} =~ ${REGEX} ]]; then
        # Time to do your thing.
        echo "Sorry to break things off, ${NET}, it's not you... it's me."

        ########################################################################
        # IPtables
        ########################################################################
        #iptables -I INPUT -j LOG --log-prefix "${NET} Dropped: " --log-level 7
        #iptables -I INPUT -s ${NET} -j DROP

        ########################################################################
        # ClearOS firewalls - Blocked Incoming Connections
        # (add to the RULES section of /etc/clearos/firewall.conf)
        ########################################################################
        #echo "${NET}||0x10000002|0|${NET}|| \\" | sed "s/\//_/"

        ########################################################################
        # Ubuntu's UFW - Uncomplicated Firewall
        ########################################################################
        #sudo ufw deny from ${NET}

    fi
done

Happy hacking!

UPDATED: Now works with Ubuntu 12.04 LTS

Also, the web server is currently configured to block squid-deb-proxy (if you don’t use it, you should).

This little bash script will get Blink installed properly. This is what I’ve been using when testing FreeSWITCH and OpenSIPS. I guess it would work for my Asterisk buddies too ;)

#!/bin/bash
##############################################
KEY_URL="ag-projects.com"
KEY_NAME="agp-debian-gpg.key"
UBUNTU_VERSION="precise"
LIST_NAME="${KEY_URL}.list"

wget http://download.${KEY_URL}/${KEY_NAME}
sudo apt-key add ${KEY_NAME}

rm ${KEY_NAME}

cat << EOF > ${LIST_NAME}
## Sources for AG Projects (makers of Blink).
deb http://${KEY_URL}/ubuntu ${UBUNTU_VERSION} main
EOF

sudo chown root.root ${LIST_NAME}
sudo chmod 644 ${LIST_NAME}
sudo mv ${LIST_NAME} /etc/apt/sources.list.d/
echo "Updating packages... this might take a while."
sudo apt-get -qq update
echo "Installing Blink."
sudo apt-get -y install blink
##############################################

And there you go. That’s the best SIP client out for Linux. Why isn’t this in the Ubuntu repos already? That’s my question.

So, at work we build lots of custom telephony stuff based on FreeSWITCH. Sometimes, when the job is more than an application server (something like offering SIP services to hundreds or even thousands of customers), you need other systems to complement FreeSWITCH.  Lately we’ve been using OpenSIPS to fill that gap. Setting up network and infrastructure to provide these types of services can be tricky and involved. Most people (well, Debian sysadmins) agree that installing software from .debs makes it a little nicer to work with; it allows them to focus on the more involved parts of the setup and configuration.  Anyway, here is a build script (download a copy) to help you get started with OpenSIPS (commented for newbies)…

#!/bin/bash

# We need subversion to check out the code.

sudo apt-get install subversion

# Check out the code at the latest branch.

svn co https://opensips.svn.sourceforge.net/svnroot/opensips/branches/1.7 \

opensips-1.7

# Now we need the basic tools we’ll need to build debs.

sudo apt-get -y install \

devscripts \

build-essential \

fakeroot

# Change directories to the newly checked out source code.

cd opensips-1.7/

# The build wants the ‘debian’ dir here in the root of the source.

ln -s packaging/debian debian

# We could have installed this before, but this way we’re clear about what

# these packages actually depend on.

sudo apt-get -y install \

bison \

dpatch \

flex \

libconfuse-dev \

libcurl4-gnutls-dev \

libdb-dev \

libexpat1-dev \

libgeoip-dev \

libjson0-dev \

libldap2-dev \

libmemcached-dev \

libmysqlclient15-dev \

libpcre3-dev \

libperl-dev \

libpq-dev \

libradiusclient-ng-dev \

libsnmp-dev \

libxml2-dev \

libxmlrpc-c3-dev \

unixodbc-dev \

xsltproc \

zlib1g-dev

# Now, we actually do the work of building… this might take a few mins.

debuild -i -us -uc -b

# Go back to the parent directory.

cd ..

# Let’s make a nice place to hold all of these shiny new .debs :)

mkdir opensips_debs

# And now move them into their new home.

mv opensips[_-]*.deb opensips_debs/

# If you’re happy with the build, you can clean this up (you might want to review them first).

rm opensips_1.7.0-1_amd64.build opensips_1.7.0-1_amd64.changes

You’ll need to configure the mail server as part of this setup.  Default values are usually OK.

Also, this shouldn’t build your debs on the server that will run OpenSIPS. You don’t want all the extra packages that are required for building. So, build the .debs and then copy them to the server you’ll be using.

As always, I wouldn’t recommend running Ubuntu 11.4 on a production server —stick with the LTS versions :)

BTW, here are the packages you should end up with…

opensips_1.7.0-1_amd64.deb

opensips-dbhttp-module_1.7.0-1_amd64.deb

opensips-memcached-module_1.7.0-1_amd64.deb

opensips-snmpstats-module_1.7.0-1_amd64.deb

opensips-b2bua-module_1.7.0-1_amd64.deb

opensips-dialplan-module_1.7.0-1_amd64.deb

opensips-mysql-module_1.7.0-1_amd64.deb

opensips-unixodbc-module_1.7.0-1_amd64.deb

opensips-berkeley-module_1.7.0-1_amd64.deb

opensips-geoip-module_1.7.0-1_amd64.deb

opensips-perl-modules_1.7.0-1_amd64.deb

opensips-xmlrpc-module_1.7.0-1_amd64.deb

opensips-carrierroute-module_1.7.0-1_amd64.deb

opensips-identity-module_1.7.0-1_amd64.deb

opensips-postgres-module_1.7.0-1_amd64.deb

opensips-xmpp-module_1.7.0-1_amd64.deb

opensips-console_1.7.0-1_amd64.deb

opensips-jabber-module_1.7.0-1_amd64.deb

opensips-presence-modules_1.7.0-1_amd64.deb

opensips-cpl-module_1.7.0-1_amd64.deb

opensips-json-module_1.7.0-1_amd64.deb

opensips-radius-modules_1.7.0-1_amd64.deb

opensips-dbg_1.7.0-1_amd64.deb

opensips-ldap-modules_1.7.0-1_amd64.deb

opensips-regex-module_1.7.0-1_amd64.deb

Happy telephony hacking!

P.S. feel free to contact us if you think Izeni might be able to help you with your telephony needs.

UPDATE: Download the debs here if you like.