Reply To: Asterisk goes offline when connected to ZS


#51380

atheling
Member

@lip wrote:

atheling, to be clear, do you consider an asterisk box behind a zeroshell router to be a viable professional solution for a small/medium office? To simply provide reliable call quality without reboots of the router and asterisk boxes?

Every situation is a little different. In my case, yes I think an Asterisk box behind a Zeroshell router can be reliable for a SOHO environment.

But the whole system is more than just those two boxes. What are the failure modes likely in your area (power, reliability of ISPs, etc.)? What is your budget? In the “good old days” first world telephone companies set a goal of “5 nines” availability. That is that the system would provide dial tone and handle a call 99.999% of the time. That works out to about 5 minutes of down time per year. It takes a couple of minutes for either of my net5501 boxes to reboot. It takes a couple of minutes for Zeroshell to detect a WAN failure, switch over then for Asterisk to detect that its registration with my VoIP providers has failed and re-register. Net result is that my uptime is less than 99.999% since I’d only be allowed maybe two reboots per year and no WAN failures. Making a good phone system is very hard if you set the goal to match the old TelCo standards. But if you lower your standards to 99.9% or maybe even 99.99% availability it is achievable.

Same consideration for voice quality. Maintaining consistent high quality voice (or any two way streaming data) in the packet switched, store and forward environment that the Internet provides is a challenge. What is “good enough” for you?

@lip wrote:

And in particular with zeroshell on the low power C3-533Mhz box I mentioned?

I too have been considering the comparison to a simple hardware-based router such as D-Link, TP-LINK, Asus, etc. (with or without WRT/Tomato firmware): whether it will provide the stability, lower operational cost and feature set (VOIP/SIP, bonding/failover, MLPPP (Tomato), VPN, etc.), and whether this will resolve the Linux routing/switching issue(s)?

I don’t have any specific knowledge of the C3-533 MHz box you mentioned. But the specifications sound similar to the net5501 boxes I have been successfully using. I haven’t stress tested mine but I would expect that I could handle 10 or so simultaneous calls. I don’t do any transcoding in the Asterisk box. Were I to have it do transcoding I would expect the maximum simultaneous traffic would be lower.

@lip wrote:

You mention monitoring/testing for issues. I will watch ping and loads, but is there a way to see any IP attacks? Do I have to enable some logging?

I have both my Zeroshell box and my AstLinux box send logging to my mail server. The mail server could be set up to email me when odd things are in the log. There is a big body of software specifically designed for doing things like intrusion detection. I basically just keep an eye on the logs and look for patterns that I then manually respond to.

On the Zeroshell box I put in a number of rules to block IP addresses if they have too many login attempts in too short a time. I found the rules on the Internet but was unable to figure out how to do them easily through the GUI, so I just used one of the scripts that Zeroshell allows to do the following:

# Block dictionary and flood attacks against traffic to servers
iptables -t filter -N custom_forward
# SSH port
iptables -t filter -A custom_forward -p tcp --dport 22 -i ETH01 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 22 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 22 -i ppp0 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 22 -i ppp0 -m state --state NEW -m recent --set
# POP3 port
iptables -t filter -A custom_forward -p tcp --dport 110 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 110 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 110 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 110 -i ppp0 -m state --state NEW -m recent --set
# Mail submission port
iptables -t filter -A custom_forward -p tcp --dport 587 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 587 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 587 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 587 -i ppp0 -m state --state NEW -m recent --set
# POP3S port
iptables -t filter -A custom_forward -p tcp --dport 995 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 995 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 995 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 995 -i ppp0 -m state --state NEW -m recent --set
# CVS port
iptables -t filter -A custom_forward -p tcp --dport 2401 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 2401 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p tcp --dport 2401 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p tcp --dport 2401 -i ppp0 -m state --state NEW -m recent --set
# SIP port
iptables -t filter -A custom_forward -p udp --dport 5060 -i ETH01 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p udp --dport 5060 -i ETH01 -m state --state NEW -m recent --set
iptables -t filter -A custom_forward -p udp --dport 5060 -i ppp0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -t filter -A custom_forward -p udp --dport 5060 -i ppp0 -m state --state NEW -m recent --set
# Hook the custom chain into FORWARD so forwarded traffic is checked
iptables -t filter -A FORWARD -j custom_forward

Unfortunately the SIP version of this does not seem to work the way I’d like, as UDP is not a session-based protocol and the attackers do not wait long enough between attempts for distinct sessions to be detected by iptables. This logic does work very well for stopping things like ssh dictionary attacks.

@lip wrote:

AussieWISP, I found instructions to enable SFTP in zeroshell on this forum, which will allow you to use WinSCP from your PC which will make file management (patches etc) easy.

After rebooting Zeroshell, I log in on the CLI, get to bash and then set the login shell to bash. After that I can ssh in directly to bash which means that I can use the ssh component of the FUSE filesystem to mount Zeroshell as a filesystem on a Linux or Macintosh computer. I don’t do Windows if I can avoid it, so I don’t know if mounting a filesystem on a remote box accessed by ssh is possible there.
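The rule set atheling posted above builds the same two-rule pattern (drop if the source already exceeded the threshold, otherwise record the connection) for every service and every WAN interface. The script below is an added example, not code from the post or from the Zeroshell project: it generates that pattern from a small service table and adds one thing the posted rules lack, a separate `--name` list per service. Without `--name`, every `-m recent` rule shares the module's single DEFAULT list, so a source's SSH attempts count toward the SIP threshold and vice versa. The chain name `custom_forward` and the interface names `ETH01` and `ppp0` come from the post; the thresholds in the table are illustrative assumptions, and `IPT` defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the post): generate "recent" throttling rules
# from a service table, one xt_recent list per service.
#
# Assumptions: chain name custom_forward and interfaces ETH01/ppp0 are
# taken from the post; the per-service thresholds are illustrative.
# IPT defaults to a dry run that prints the commands; set IPT=iptables
# to apply them for real.

IPT="${IPT:-echo iptables}"
WAN_IFACES="${WAN_IFACES:-ETH01 ppp0}"

# recent_guard PROTO PORT IFACE SECONDS HITCOUNT NAME
# Emits the rule pair for one service on one interface:
#  1. if the source already has HITCOUNT new connections within SECONDS,
#     refresh its timestamp (--update) and DROP, so a persistent source
#     stays blocked for as long as it keeps trying;
#  2. otherwise record this new connection in the named list (--set).
recent_guard() {
    proto=$1; port=$2; iface=$3; secs=$4; hits=$5; name=$6
    $IPT -t filter -A custom_forward -p "$proto" --dport "$port" -i "$iface" \
        -m state --state NEW \
        -m recent --name "$name" --update --seconds "$secs" --hitcount "$hits" -j DROP
    $IPT -t filter -A custom_forward -p "$proto" --dport "$port" -i "$iface" \
        -m state --state NEW \
        -m recent --name "$name" --set
}

# build_rules: create the chain, fill it from the service table for every
# WAN interface, then hook it into FORWARD (same layout as the post).
build_rules() {
    $IPT -t filter -N custom_forward
    # proto port window-seconds hitcount list-name  (illustrative values)
    printf '%s\n' \
        'tcp 22   600 4  ssh' \
        'tcp 110  60  10 pop3' \
        'tcp 587  60  10 submission' \
        'udp 5060 60  4  sip' |
    while read -r proto port secs hits name; do
        for iface in $WAN_IFACES; do
            recent_guard "$proto" "$port" "$iface" "$secs" "$hits" "$name"
        done
    done
    $IPT -t filter -A FORWARD -j custom_forward
}

# Dry run by default: prints the 18 iptables commands it would execute.
build_rules
```

Run it as-is to preview the rules; `IPT=iptables sh rules.sh` applies them. Separate lists also make inspection easier, since each one appears under `/proc/net/xt_recent/` by name. The caveat in the post still applies: this only counts what conntrack classifies as NEW, so a rapid burst of SIP packets over UDP may still slip through a threshold that works well for SSH.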