1. First Examination
1.1 Restart your telephone
Do you suddenly have a problem with one specific IP device? Then unplug the device, wait 20 seconds and plug it back in. Wait for the device to restart and log in. Test if the problem is solved.
Note: with a Gigaset IP DECT device you have to restart the DECT base station.
1.2 Restart your modem router, switch and IP devices one by one
Are you suddenly having problems with all your IP phones? Then the devices themselves are unlikely to be the cause. Possibly a power outage, a major thunderstorm, a short outage of your modem router or maintenance by an internet provider caused instability in the network; IP telephones are often sensitive to this.
We advise you to first reboot your modem router (switch it off, wait about 20 sec and switch it on again). Do the same with the switch and finally with your IP phones. Make sure not to interrupt the start-up cycle of the IP devices (e.g. by unplugging them during start-up). This gives all devices a chance to re-register.
1.3 Check whether things have changed in your network recently
Have problems occurred recently? It may be that the commissioning of a new firmware or device is the cause of your problem. Consider, for example, a firmware update of your modem router, placement of a new modem router because you have changed providers, replacement of a switch or replacement of a firewall in the data center.
If this is the case, investigate whether this change is the cause and, if so, have it repaired.
1.4 You cannot dial in or out
Check if you have internet connection
If you do not have a working internet connection, your IP telephones will not be able to register. Contact the internet provider to ask if there is a problem. To be sure, set up forwarding to another (e.g. mobile) number so that you don't miss phone calls, and solve the problem with your internet connection. As soon as the internet connection is stable again you can deactivate the forwarding to mobile if required.
Check your router firewall
Firmware
Many problems with receiving incoming calls are caused by your router firewall not passing the VoIP signals through properly, so that your telephone does not ring or you or the other party hear nothing. Check if your router has the latest available firmware. If not, upgrade the firmware. Many VoIP firewall problems are solved by recent firmware, because the manufacturer offers support for VoIP traffic. In older firmware this support is often absent or more limited. For detailed instructions, consult the manual and/or the manufacturer's website for your router.
Disable firewall services
Some routers modify SIP data packets, creating VoIP problems. Go to the configuration page of your firewall (often menu options such as Configuration / Firewall / Advanced Settings) and:
- turn off Stateful Packet Inspection (SPI) > save and test. Note: be sure to turn this back on after the test!
- turn off SIP Application Layer Gateway (SIP ALG) > save and test.
- turn off Strict Security under the firewall options > save and test.
Disable Firewall
Try to disable the firewall, restart router and VoIP phone and test. This is not a final solution but a test to see whether the firewall is causing the problem. Regardless of whether or not this offers a solution / improvement, it is advisable to reactivate the firewall in order to avoid unnecessary network risks. Try to find and remove the pain point in the firewall configuration.
1.5 Feel free to contact your IT partner for assistance.
The following information is important:
- when did the problems start?
- day and time of a few recent problem reports.
- Is the problem present in incoming or outgoing calls, or both?
- does the problem occur on one or more / all devices?
- what is the telephone number of the other caller (e.g. mobile, landline, etc.)?
- what have you already done to solve the problem and what was the result?
2. Ghost calls
Your telephone rings and if you answer, no one is on the line. But that's not all: your phone may continue to ring and this is extremely annoying. As a "caller" you often see: 100, 101, 1000 or 10 * 0 * 1 * 199.
2.1 Sip Scanners
Ghost calls are caused by people (often malicious) who scan networks (and therefore your network) from outside and "pelt" their ports with signals, with the aim of breaking into a device. These attackers operate SIP scanners that send a message to your internet connection in the hope of finding a poorly secured network, in order to break in and make outside calls at your expense.
SIP scanners are programs that automatically scan the entire internet in search of poorly secured SIP equipment (telephones and the like). These programs work by sending SIP INVITE messages to random devices (IP addresses) on the internet. In some cases a device responds to this by ringing. So there is no question of an actual incoming telephone call. If you look at the telephone exchange you will also see that these calls are not in the call lists and therefore it is not possible to block these calls.
2.2 Hard limits and trust score
In addition to intelligent monitoring of device behavior, the Fonzer telephone service also uses hard call limits (per hour, day, week, month) so that any abuse can be seen and stopped quickly.
2.3 Tips to prevent ghost calls
Step 1
Adjustments for Yealink:
Adjustments for Gigaset DECT N510:
Step 2:
Restrict (unwanted) access from outside:
Place your device behind a secure NAT router.
Block (unwanted) traffic from outside to your device:
Delete any port forwardings in your router to your SIP equipment.
Do not place your VoIP equipment in DMZ (= directly available from outside).
Disable the options [uPnP] and [one-to-one NAT] in your router / firewall.
Instruct your SIP device
You can set the device to accept "INVITE" messages only from known SIP servers. On some PBXs or devices this setting is called 'Allow Anonymous Calls' or 'Direct IP calls', which can be switched off to refuse these calls. The exact name of this setting can often be found in the manual of the telephone or PBX that you use. Limiting messages from / to port 5060 (the SIP port) to this IP address can prevent the messages from the SIP scanners from reaching a device. Note: not every device type or firmware version offers these advanced blocking options.
Change the SIP front door (SIP port)
Change the local SIP port (default 5060 = the normal front door for SIP) on your device to something other than 5060-5080 (e.g. 4000 to 5000). The front door will then be less easy to find.
On the router or firewall it can be set that SIP messages to the devices may only come from the IP addresses of the Fonzer PBX.
Below is an overview of ports and ranges that are usually used by VoIP. These ranges must be accessible for traffic from and to the telephony servers, both from the inside (from IP Phones on the local network) and from outside (incoming traffic). The telephony servers are on domain sip.fonzer.com, network 185.19.236.30/39. The router should properly route the traffic.
UDP from all ports in range: 185.19.236.0 - 185.19.239.255
UDP to all ports in range: 185.19.236.0 - 185.19.239.255
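The rule described above (accept SIP only from the provider's servers, refuse INVITEs from anywhere else) can be modelled as follows. This is an added example, not Fonzer's or any device vendor's code; the packets are constructed samples using documentation IP addresses, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Provider range as stated on this page: 185.19.236.0 - 185.19.239.255.
TRUSTED_NETS = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("185.19.236.0"),
    ipaddress.IPv4Address("185.19.239.255"),
))

# Caller IDs this page lists as typical for ghost calls.
GHOST_CALLER_IDS = {"100", "101", "1000"}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
FROM_USER = re.compile(r"sips?:([^@;>\s]+)@")


def parse_sip_request(raw: bytes):
    """Return (method, from_user) for a SIP request, or None if it is not one."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return None
    from_user = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # "f" is the compact form of the From header (RFC 3261).
        if name.strip().lower() in ("from", "f"):
            user = FROM_USER.search(value)
            from_user = user.group(1) if user else None
            break
    return match.group(1), from_user


def classify(src_ip: str, raw: bytes):
    """Decide what to do with a datagram arriving on the SIP port."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in TRUSTED_NETS):
        return "accept", "source is inside the provider range"
    parsed = parse_sip_request(raw)
    if parsed is None:
        return "drop", "not a SIP request and not from the provider"
    method, from_user = parsed
    if method == "INVITE":
        if from_user in GHOST_CALLER_IDS:
            return "drop", f"ghost-call INVITE, caller {from_user}"
        return "drop", "INVITE from outside the provider range"
    return "drop", f"{method} probe from outside the provider range"


def summarize(packets):
    """Count dropped datagrams per source so repeated scanners stand out."""
    dropped = Counter()
    for src_ip, raw in packets:
        if classify(src_ip, raw)[0] == "drop":
            dropped[src_ip] += 1
    return dropped


def make_invite(user: str, host: str) -> bytes:
    """Build a minimal constructed INVITE for the sample data below."""
    return (f"INVITE sip:{user}@{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {host}:5060;branch=z9hG4bK-constructed\r\n"
            f'From: "{user}" <sip:{user}@{host}>;tag=1\r\n'
            f"To: <sip:{user}@{host}>\r\n"
            "Call-ID: constructed-example\r\n"
            "CSeq: 1 INVITE\r\n"
            "Content-Length: 0\r\n\r\n").encode()


# Constructed sample traffic: one call from the provider, three scanner hits.
SAMPLE_PACKETS = [
    ("185.19.236.30", make_invite("31201234567", "sip.fonzer.com")),
    ("203.0.113.77", make_invite("100", "203.0.113.77")),
    ("203.0.113.77", make_invite("1000", "203.0.113.77")),
    ("198.51.100.9",
     b"OPTIONS sip:100@192.0.2.1 SIP/2.0\r\nf: <sip:probe@198.51.100.9>\r\n\r\n"),
    ("198.51.100.9", b"\x00\x01garbage"),
]

if __name__ == "__main__":
    for src, pkt in SAMPLE_PACKETS:
        print(src, *classify(src, pkt))
    print(dict(summarize(SAMPLE_PACKETS)))
```

The source-address check comes first on purpose: the caller ID in the From header is chosen by the sender and is only useful for labelling what was dropped, not for deciding what to trust.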
3. My VoIP device (telephone, fritzbox) is not registering
You have a VoIP device, you have your Fonzer customer details to hand and you are logged in to the Fonzer telephone exchange. Whatever you do, the VoIP account does not register; the VoIP device keeps saying [not registered].
Some suggestions:
- do you have a working internet connection?
- try calling out; do you hear a message that helps you further?
- This password is not valid > you used a wrong password.
- This account number is not active > your account may have expired/been blocked.
-> In this case, contact Fonzer or your IT partner.
If this is not the case, continue with the points below.
4. Have you entered the correct data in the correct fields?
To register a VoIP account in an otherwise VoIP-accessible network, you usually need only three pieces of data:
- your SIP username
- your SIP password
- the SIP server address: sip.fonzer.com
- also mention the SIP server in the "proxy server" field
5. Is the VoIP device configured correctly?
A first check is to check whether you have configured the VoIP device (FRITZ! Box, IP telephone, etc.) correctly. See also chapter 3. You can log in to the Fonzer telephone exchange and see if you have registered the device there.
6. Is the VoIP device defective?
There is a (very) small chance that your VoIP device (FRITZ! Box, IP telephone, etc.) is defective. You can determine whether a device is defective, for example, if all the lights of the product have gone out (power failure), if you can no longer log in and if the device does not work elsewhere (in a different network).
Check in any case:
- whether the product has a recent / the latest firmware
- whether it helps to reset the product to factory settings
With IP DECT systems, it is also possible that a handset has lost contact with the base. Then try registering the handset to the base again. If this does not work and there is no light on the base, the power to the base station may be defective.
If the device works and is on, but does not register the VoIP account, it is unlikely that the device is faulty. The cause then more likely lies in how the device is connected to your network and / or in the signals that the router(s) in the network allow or block.
Then try:
- connect the device to another location on the network
- preferably as close as possible behind your ADSL or cable modem
7. Is the problem in your network?
If you have verified that your VoIP device is properly configured, you have a working internet connection and the device is not defective, but it still does not work with your Fonzer account, test whether the device functions properly in another place on your network. For example, place the IP telephone directly behind your modem / router and thus avoid switches and cabling that may cause a problem. If the problem persists, try to take the IP telephone or VoIP adapter to another location (different network, e.g. at home or at the office). If the device does function there, then you know that the problem occurs somewhere in your network.
In 75% of the cases, problems are caused by the network router.
Problems often have an ad hoc character: one call has no problem, the next one does. This can also be explained. Telephony runs over changing ports; some are open and others closed. This way it can go well for quite some time and then, after you restart your phone, suddenly go completely wrong. Resolving this is very difficult in many cases.
Because your hours and those of your system administrator are expensive, we recommend that you consult with us about what other device will work well in your situation and replace the disobedient device.
8. My VoIP account was registered but is suddenly no longer there!
For various reasons, a VoIP device can lose its registration with the Fonzer telephone exchange. Reasons are for example: a short hiccup of the internet connection, maintenance by the internet provider (e.g. at DNS level), a short power outage / peak, a problem with one of your network devices (router, switch, computer), or maintenance of the telephone exchange.
The first advice that is often effective in this situation is to switch your VoIP equipment off and on again, and possibly also your modem, router, switch and IP telephone. Wait approx. 15 seconds between switching off and switching on.
For example: if you have a FRITZ! Box that has suddenly lost its registration, restarting the FRITZ! Box will solve the problem in many cases.
9. Audio problem: when my number is called, the caller hears nothing and ends up getting my voicemail
This situation arises because the registration of your account largely succeeds, but the transport of the call data within your network does not. If you log in to the Fonzer Telephone Exchange and go to the device overview, you will see a bullet behind the device account. This means that the PBX thinks everything is fine and sends an incoming call to your device for a few seconds. Only when there is no answer does the call go to voicemail. That explains the silence before the call switches to voicemail or to a follow-me rule (e.g. mobile).
The signal of the incoming call arrives at your network, but (part of the signal) stands in front of a closed door. This causes no telephone to ring, the caller does not hear a transition tone. Sometimes other parts of the signal stream also drop out (see next point).
The cause is your network router. The solution must therefore be sought here. Adjust the configuration so that the router does route the signals properly.
10. Audio problem: I cannot hear my conversation partner or vice versa
For audio problems you can keep the following rule of thumb in mind:
- If one side cannot hear the other, the cause often lies with the router.
- If both sides cannot hear each other, then it can also be the device.
In a so-called single-way audio situation you cannot hear your conversation partner while they can hear you, or vice versa. Most often it is you who cannot hear your conversation partner: your firewall blocks the incoming VoIP signal that goes from outside to inside. This usually means that your router is struggling to transport the audio signal within your network. That is a complicated job for which a series of ports is used (usually UDP: ANY PORT).
See the following points for general instructions for setting up your firewall. Unfortunately, it is not possible to provide point-by-point instructions for each brand and type of router, but we can often recommend alternative equipment to solve your problem.
Some suggestions:
It is a good goal to ensure that your firewall is not placed behind a cable or DSL router. If this cannot be prevented, set a DMZ in this first router that points to the firewall behind it. If that is also not possible, check whether you can set the modem as a bridge and let the firewall behind it establish the connection via the WAN side. The IP address then enters directly into the firewall router and not into the first router (in fact you pass the first router).
Some modem routers can be configured as a bridge (IP Spoofing).
If you have a single-audio problem or incoming calls don't get through, this is a blockage of the firewall or the router's natting.
Suggestion 1:
configure the router so that traffic originating from the Fonzer telephone exchange (185.19.236.x) is always allowed through.
Suggestion 2:
place your IP phone or the second router in your network in DMZ so that all external traffic is passed through and NOTHING is blocked.
Suggestion 3:
if your router itself is apparently not so good at making the right NAT routings, then create a rule in the router's NAT table so that the underlying VoIP equipment goes out on a number of fixed ports. You can also open these ports for incoming traffic through another NAT rule.
Do you have a Cisco router? Then try the following configuration: no ip nat service sip udp port 5060
A FRITZ! Box at the start of your network is usually an excellent basis for VoIP. If you also have an advanced firewall, the following setup may suit you: use the FRITZ! as a modem router and connect your phones to it (analogue, ISDN equipment and IP Phones).
Via menu [Internet]> [Port Forwarding] you can choose the setting [Exposed Host] and forward all network traffic to the IP address of your firewall.
Single-way audio problems with ZyXEL modem routers can be solved in the following way in various cases:
- Go to menu [Network] > [NAT] > choose tab [ALG]
- Uncheck [Enable SIP ALG] here and save.
- Test now if the problem still occurs.
When using the X-Lite softphone you can try solving single-way audio problems as follows:
- call the number *** 7469 with X-Lite > a separate settings page will be opened
- search for parameter [honor] and set it from [0] to [1]
- test now if the problem still occurs.
11. Which port settings are required for VoIP to pass through the NAT router / firewall?
The NAT router / firewall must in principle allow the ports 10000-20000 (UDP) to enable a symmetrical connection (= audio in two directions) with the Fonzer telephone exchange.
Below is an overview of ports and ranges that are usually used by VoIP. These ranges must be accessible for traffic from and to the telephony servers, both from the inside (from IP Phones on the local network) and from outside (incoming traffic). The telephony servers are on domain sip.fonzer.com, network 185.19.236.30/39. The router must properly route the traffic.
UDP from all ports in range: 185.19.236.0 - 185.19.239.255
UDP to all ports in range: 185.19.236.0 - 185.19.239.255
Port 80 TCP to 185.19.236.0 - 185.19.239.255 (web interface and provisioning)
Port 443 TCP to 185.19.236.0 - 185.19.239.255 (web interface and provisioning)
5060 UDP -> SIP (signaling port -> allows registration)
10000 - 20000 UDP -> RTP (audio traffic -> important if you have audio problems)
Important advice: In the firewall configuration, try to allow all UDP ports in the range of the Fonzer telephone exchange. Be cautious about changing the firewall settings because this can affect all users.
A whole set of IP telephones can be present in a local network.
The IP telephone registers SIP accounts based on the standard port 5060. The network router links port 5060 (registration) for a specific account to a pseudo port in the range 10000 to 20000. This way, the network router knows which signal is intended for which telephone.
If your account is registered on your equipment, you can view it at the telephone exchange. To do this, you can log in to the customer login, choose [Accounts] from the menu, click [Show accounts]. If registered, you will see a blue dot behind the relevant account. Click on the account and you will also see the brand and type of device at User Agent.
If you or your system administrator are unable to get your network router in order and successfully perform the routing, consider purchasing a router that does offer these options. This can be a lot cheaper than searching and solving the problem. Consider the hours of your system administrator and the frustration of your staff.
12. Modem, router, firewall, server: how do I build the network?
It is important that your VoIP traffic is blocked by as few things as possible in order to optimize your call quality.
Therefore, place your VoIP equipment as CLOSE as possible behind the cable / ADSL with if necessary a simple switch that does not disrupt routing, and preferably not behind a heavy firewall and not behind your Windows Small Business Server or other server with routing function.
For clarity: VoIP behind your server is possible, but the effect on quality is often noticeable. Getting this configuration right places higher demands on the skills of your network administrator and will in any case result in extra work for you.
Some background: a normal FireWall that is supposedly VoIP-aware or VoIP-compatible will automatically keep the correct ports open based on keep-alive sessions. For that you need to do NOTHING.
If this is not the case in a certain situation, you will need to help the device adjust its behavior to what is required for VoIP. VoIP on multiple telephones in one network is comparable to the internet traffic from multiple computers in one network. If you consult a certain website on a computer and navigate over it, it is comparable to a VoIP telephone call. A difference between telephoning via the internet and surfing is that the speech sound must of course come in without or with as little delay as possible (= real-time character) and that this concerns audio signals that must pass through the network.
Because VoIP is dynamic and uses ports randomly based on the session, it is a nightmare for more complex FireWalls. In addition, because the RTP traffic sets quite a few requirements with regard to the delay (as small as possible), the use of a FireWall that allows all traffic to go through a so-called "proxy" is not recommended, since it all adds up together and before you know it there is a lot of delay in the conversation path, clearly noticeable.
This whole combination of requirements has led some manufacturers to build special VoIP firewalls. Such a device is placed in parallel with an existing firewall, uses its own addresses and then often uses a separate VLAN on the network to keep telephone and data traffic separate. In this setup, VoIP and data traffic are treated as separately as possible in order to meet the requirements that apply to each. There may also be a second WAN port to use two internet connections.
The simple approach is: UDP open to the world
This should make it possible for every User Agent (VoIP device) behind the firewall to communicate with the outside world. Port 5060 allows traffic through, via port mappings the router knows which User Agent has which session with the outside world and each user agent conducts its own conversation.
There are network administrators who do not want this because of potential security breaches. This risk is minimal because there are few or no leaks on UDP - it is not used for normal internet traffic.
There is an alternative: normally a User Agent works on port 5060. Everything is neatly arranged via NAT, so that the so-called port mappings take care of it. With multiple WAN ports you can see here which WAN port the traffic is running on.
that every User Agent can communicate with the outside world. In the more difficult cases a set of ports must therefore be reserved per User Agent to keep the FireWall open for SIP traffic.
For instance:
5060 for telephone 1
5062 for telephone 2
5064 for telephone 3
etc.
Note that these are even numbers! Ports 10000 to 20000 are then opened to the world in order to allow the dynamic RTP traffic.
TIP: various products offer the setting [use random port]. If this option is offered, turn it on. This is, among other things, the case with GrandStream IP Phones and Siemens IP DECT devices.
13. My account is registered but the connection is lost after a while (number of seconds or minutes)
This too can be a symptom of a router or telephony equipment that is not set up completely correctly or is not tuned to the other equipment in the network (e.g. VoIP equipment versus router). Either your VoIP device (IP Phone, ATA, Gateway, PBX) does not comply with the rules for keeping a session (= conversation) open within NAT, or the NAT router / firewall itself misbehaves.
Many routers / firewalls have a timer that expires after x time and whereby an opened port is closed again. So if this port is 5060 - on which communication with the Fonzer Telephone Exchange takes place, then your equipment will no longer be accessible from outside.
Very often there are session timers in the VoIP equipment that neatly keep port 5060 open provided that the timer value is set within half the timer of the NAT router / firewall.
Advice: make sure that the session refresh timer (different terms are in circulation) of your VoIP device is set to half the router's timeout (or just set it very low) and set the session re-register to about 20-30 minutes. Then everything remains accessible. Even if 1 packet is lost, the 2nd packet is still within the timer. If you have multiple types of VoIP devices, with one device doing well and the other not, look for the cause here.
Note: in practice, tools such as Ethereal and Wireshark have demonstrated that not every device actually does what can be configured. The manufacturer of the equipment is responsible for ensuring that the device adheres to the standards and cooperates with equipment that also adheres to the standards. This is just a meager comfort.
14. Where can I find useful networking tools to see what happens?
http://voiptest.8x8.com/
http://www.wireshark.org/
Note that monitoring traffic on a network requires a hub or switch with a monitor port.
15. My account is registered but the connection is very bad
CODEC
Check whether your equipment works with a certain CODEC (coding - decoding). The Fonzer telephone exchange works with the ISDN codecs G.711a-law and G.711u-law. This offers the high quality that you are used to. Adjust your codecs and see if the speech quality improves now.
BAND WIDTH
You can then check whether you have sufficient bandwidth at your disposal. There are online tools for this check:
www.speedtest.net: Here you can find out how much upload speed you have. As a rule of thumb, you need approximately 100kB upload and download speed for every VoIP call.
http://myvoipspeed.visualware.com: An extensive test of your bandwidth and the quality that you should be able to achieve in terms of VoIP. This test ends with a conclusion and some tips.
QUALITY OF SERVICE
If you have enough bandwidth, but you have poor call quality, it is possible that your router will not effectively spread the available bandwidth in your network. Suppose other users in the network occasionally use too much bandwidth, this can result in poor call quality.
The term Quality of Service (QoS) refers to an intelligent router feature that allows your router to prioritize certain information flows in the network. VoIP is usually one of the information flows in the network that take precedence over other types of network traffic. The other network users usually hardly notice this, but the VoIP callers do! An intelligent router with QoS offers you the guarantee that VoIP will be given priority, and with that an optimal call quality.
We recommend a professional network router, for example one of the DrayTek products, or an all-in-one VoIP device (e.g. FRITZ! Box) that does the bandwidth distribution itself, knows that there is VoIP traffic and takes this into account (QoS).
If you use a FRITZ! Box in router mode, for example behind a cable modem, pay attention to the setting for upload speed and download speed in the Account Information> these are set very low by default.
16. How can a SIP request get through a Stateful Firewall?
A stateful firewall only accepts requests from the inside, how can an incoming call be detected at all?
The SIP User Agent (your VoIP device) sets up a session with the Fonzer Telephone Exchange. That works via a proxy. All calls also go through that proxy, so that a STUN server and long lists of open ports are not needed.
In other words, the VoIP device has opened a session on port 5060 with the Fonzer telephone exchange. A good VoIP device sends a refresh / keep-alive signal to the telephone exchange every x seconds (e.g. 20-60 seconds), and the exchange answers it. The average firewall with Stateful Packet Inspection only closes a port / session after a period of inactivity of between 1 and 15 minutes, depending on how this is set.
17. Does STUN benefit me?
A STUN service can be an answer, but in principle you don't have to work with it. STUN is a "patch" to get a path back through a router. With STUN, it is also often necessary to open various ports in the router configuration (origin ANY) to the internal address of the VoIP device. That creates a big hole in your network where you are vulnerable to e.g. a DoS attack.
18. Can DID / DDI also be used with Fonzer?
DID or DDI stands for Direct Inward Dialing. It is in fact the use of a number from one account that is sent as an ID with one or more other accounts. Within a block of numbers on one customer account, it is possible to send the number of another account as CLI (Caller Line Identification). You can set the number that is sent with your user accounts on the Fonzer telephone exchange. You do this in the user's settings.
19. I don't want a number to be sent - devices cannot be called directly from outside
You can create device accounts; they always have an internal number so that they can be called by colleagues. If you do not include the account in your calling plan for one or more numbers, the number cannot be called from outside.
20. What do the terms Attended and Unattended transfer mean?
Attended Transfer or hot transfer is the transfer with consultation. You have someone on the line, put this call on hold and call another number. You announce the call and then transfer it. Not all equipment supports the attended transfer function flawlessly - two calls (call legs) have to be linked together. Not only the IP Phones but also the router in the network (and sometimes the switches) can influence the ability to connect. We have good experiences with almost all types of current IP devices with a special recommendation for the IP devices of the Gigaset / Yealink brand. Most FRITZ! Boxes also support external transfer (hot / cold) by putting a conversation partner on hold, calling a second one and then choosing [R4] (see the FRITZ! Box manual for the exact codes for your box type). Both conversation partners are connected to each other.
Unattended Transfer or cold transfer is transfer without consultation: the call is immediately transferred to the person to whom you transfer. This is technically quite a simple function that works with the SIP method REFER.
21. Can I also receive the voicemail files in a format other than .mp3?
No, unfortunately this is not possible. However, the mp3 format is most suitable for many users due to its wide usability and the fact that they are small files.
22. Have I also lost bandwidth for internal calls?
Yes, the bandwidth consumption applies to both internal and external devices. Bandwidth is the basis of all your work nowadays, so this is unlikely to cause a problem quickly.
23. Do I also run a security risk if I use VoIP?
The big advantage of VoIP is that it is not tied to a fixed location. With our service, the use of an account is also not tied to a specific IP address. Your VoIP account can therefore be used on any internet connection anywhere in the world. This means that your VoIP account information is an open wallet. Protect this information well!
Should it nevertheless happen that your VoIP account is unexpectedly misused, the damage will remain limited. The Fonzer telephone exchange monitors your usage and limits are set for all customers. If 85% of this limit is reached, you will receive a message. If 100% of the limit is reached, your account will be closed automatically.
Be aware that both the alerts and the blocking at a set limit only occur after damage has already been suffered. Without these mechanisms, the damage would undoubtedly have been higher. Make your preparations to prevent this unpleasant situation.
You can also do something yourself.
- keep your Fonzer customer data form safe and out of reach of unauthorized persons.
- report device theft to us!
- change your SIP passwords and access rights when an employee leaves
- protect your equipment and network properly
24. Important - vulnerability of OpenSource PBX systems
Do you use your own telephone exchange (Asterisk, Elastix, FreePBX, etc.) with one or more Fonzer accounts as a trunk? Be alert to a rapidly increasing trend of hacking and intrusion attempts on OpenSource PBX exchanges such as Asterisk. This trend is not limited to our customers, but occurs globally as a side effect of the worldwide increasing use of Voice over IP.
The hack usually starts with a call from 'the Internet'. If Asterisk treats it as a 'possibly relevant' INVITE and processes it, things can start rolling. Protection starts with putting access lists on the Asterisk server. Most Linux servers have iptables on board, with which you can build a very strong firewall. In principle, an Asterisk server should not accept an INVITE from anyone except the Fonzer exchange. Once you have secured the OS of the Asterisk server, the next step is to do something similar in the Asterisk dialplan, where only calls from the trunk (= the Fonzer SIP server) are allowed further into the dialplan. Using extension 's' as an entry to the dialplan is dangerous.
This requires some knowledge of both Linux and asterisk.
If this knowledge is lacking, it is advisable to use a firewall, such as Astaro appliances.
Test your firewall with, for example, the firewall tester at www.grc.com (Shields Up).
The most striking symptom is that unexpected traffic is being sent to regions such as North Korea, Somalia, Latvia, Lithuania, Cuba, Eritrea and other less common destinations. Often the misuse can be traced back to not mastering general system security principles: in some cases a hole in the dialplan, and in some cases a hack in the web server "next to it" that cracked devices on the inside due to weak passwords. We urgently bring to your attention that Open Source PBXs run in-house are vulnerable, and that special attention must be given to security at the network, (operating) system and dial-plan level. However, warning systems and other types of safety nets must be seen as a last resort: if those functions are activated, too much has already gone wrong at the front.
We strongly advise you to pay extra attention to the security of your networks and systems, but also to consider how these environments can be set up for reporting and alerting to your system administrator.
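The reporting and alerting recommended here, combined with the 85% / 100% usage limits from section 23, can be sketched as a replay over call records. This is an added example, not Fonzer's implementation; the record layout, account names, limit and sample calls are constructed, and dialed numbers are assumed to be in international format.

```python
from dataclasses import dataclass

# Destinations this page names as typical for abuse traffic, keyed by
# their ITU country calling codes.
WATCHED_PREFIXES = {
    "850": "North Korea", "252": "Somalia", "371": "Latvia",
    "370": "Lithuania", "53": "Cuba", "291": "Eritrea",
}
WARN_PERCENT, BLOCK_PERCENT = 85, 100  # thresholds described in section 23


@dataclass
class Call:
    account: str
    dialed: str       # international format, with "+" or "00" prefix
    cost_cents: int   # integer cents avoid floating-point threshold errors


def destination(dialed: str):
    """Return the watched country a number belongs to, or None."""
    digits = dialed.lstrip("+")
    if digits.startswith("00"):
        digits = digits[2:]
    for prefix, country in WATCHED_PREFIXES.items():
        if digits.startswith(prefix):
            return country
    return None


def monitor(calls, limit_cents: int):
    """Replay calls in order and return the alerts an administrator should see."""
    spent, warned, blocked, alerts = {}, set(), set(), []
    for call in calls:
        if call.account in blocked:
            alerts.append((call.account, "rejected", call.dialed))
            continue
        country = destination(call.dialed)
        if country:
            # Fires on the first suspicious call, before any money limit.
            alerts.append((call.account, "watched-destination", country))
        spent[call.account] = spent.get(call.account, 0) + call.cost_cents
        used = spent[call.account] * 100
        if used >= BLOCK_PERCENT * limit_cents:
            blocked.add(call.account)
            alerts.append((call.account, "blocked", call.dialed))
        elif used >= WARN_PERCENT * limit_cents and call.account not in warned:
            warned.add(call.account)
            alerts.append((call.account, "warning", call.dialed))
    return alerts


# Constructed call records for two hypothetical accounts.
SAMPLE_CALLS = [
    Call("acct-1", "+31201234567", 50),
    Call("acct-1", "0025261234567", 400),
    Call("acct-1", "+5371234567", 420),
    Call("acct-1", "+37061234567", 200),
    Call("acct-1", "+2911234567", 100),
    Call("acct-2", "+31101234567", 30),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_CALLS, limit_cents=1000):
        print(alert)
```

In the sample, the destination alert appears after 4.50 has been spent, while the limit-based warning only appears at 8.70 and the block at 10.70, which is the gap section 23 warns about.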