This is not a full featured script like the project here which is under development. This will just display incoming calls on your TV and pause the movie or music or whatever is playing.

I have Elastix but this will work with any Asterisk distribution. In Elastix you will need to create a Misc Destination. I named my Misc. Destination “XBMC” and then gave it the number *9262 which is the numerical representation of the letters XBMC on a phone dial-pad. It doesn’t matter what number you choose, but this provides coherence.

Once you have it created then you will need to change your inbound route to go to the XBMC destination. So now when a call comes in instead of going to your ring group it will go to this XBMC destination and now we have to tell Asterisk what to do when it gets there. In Elastix you will need to edit extensions_custom.conf

The following is the code that I used in extensions_custom.conf:

[xbmc-cid]
exten => *9262,1,Macro(user-callerid)
exten => *9262,2,TrySystem(wget -b -O /dev/null -o /dev/null "http://192.168.1.100/xbmcCmds/xbmcHttp?command=ExecBuiltIn&parameter=XBMC.Notification(Incoming%20Call%2C${CALLERID(name)}%20%3C${CALLERID(number)}%3E%2C15000)")
exten => *9262,3,TrySystem(wget -b -O /dev/null -o /dev/null "http://192.168.1.100/xbmcCmds/xbmcHttp?command=Pause")
exten => *9262,4,Goto(ext-group,600,1)


The first line uses your caller ID lookup method to get the ID. The second line uses wget to execute the command to pop-up the notification in XBMC and it passes the CID name and CID number variables to it. In this command make sure you set the correct IP address for XBMC. The thrid line sends a command to pause XBMC. The fourth line moves onto my ring group 600 which rings all the phones in my house. Make sure to include this context in [from-internal-custom] and then reload the dial plan and you are done.

Edit file: extensions_custom.conf

[from-internal-custom]
include => spoof

[spoof]
exten => _*555NXXNXXXXXX,1,Set(CALLERID(all)=Private <1${EXTEN:4}>)
exten => _*555NXXNXXXXXX,2,Answer
exten => _*555NXXNXXXXXX,3,Playback(pls-entr-num-uwish2-call&beep)
exten => _*555NXXNXXXXXX,4,WaitExten(10)
exten => _*555NXXNXXXXXX,5,Dial(IAX2/callwithus:${EXTEN})
exten => _*555NXXNXXXXXX,6,Hangup()

The way it works is that you dial *555# where # is the 10 digit number that you want displayed as your caller ID.

The first command sets the caller ID name to private which usually isn’t forwarded and sets the caller ID number to the number that you dialed by removing the first 4 characters (*555) and prepending a 1. The second command just answers which is followed by the third command which plays “Please enter the number you wish to call” and then beeps. The fourth command waits for you to put in a number and then the fifth command dials it.

Most people are only going to need to change your caller ID to one other number so this would be a little faster in this regard.

[spoof]
exten => _*555,1,Set(CALLERID(all)=Business Name<####>)
exten => _*555,2,Answer
exten => _*555,3,Playback(pls-entr-num-uwish2-call&beep)
exten => _*555,4,WaitExten(10)
exten => _*555,5,Dial(IAX2/callwithus:${EXTEN})
exten => _*555,6,Hangup()

Whenever you would dial *555 then it sets caller ID to “Business Name” and your business number, represented by #### in the command. The rest of the commands are the same.

You don’t want to have password authentication on the WAN side or it is possible to get compromised by a brute force attack. The solution is to implement public key access.

First open PuTTY Key Generator and from the top menu select Key > SSH2 RSA key. Then click on the Generate button and move your mouse around the window until it gets enough random data and creates your key. Now click on the Save private key button and save your key somewhere that you won’t lose it. If you want to password protect your key then enter a password in the password boxes. You can create one with a password and one without password if you want. Copy the text on the top where it says Public key for pasting into OpenSSH authorized_keys file. It should look something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAqnogKGS3oHTp4nDfLzdwL4NlbZR3i5UXvk+oE9T
3oiycPk3r+Nj4WCWjjNnwUN/561S0G891EQNv8I3BkN1wox7ImM0SV33rdKx1md1Ay
txfs0rcymT0DS/+3AbyskzoZHmZfs3PWforj0yoEhT9SVdkwPPOq+935aM8cb33tE0=
rsa-key-20090701

Now ssh into your router and you will be adding that to the authorized_keys file with the following command:

root@router:~# echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAqnogKGS3oHTp4nDfLzdwL4NlbZR3i5UXvk+oE9T
3oiycPk3r+Nj4WCWjjNnwUN/561S0G891EQNv8I3BkN1wox7ImM0SV33rdKx1md1Ay
txfs0rcymT0DS/+3AbyskzoZHmZfs3PWforj0yoEhT9SVdkwPPOq+935aM8cb33tE0=
rsa-key-20090701 >> /etc/dropbear/authorized_keys

You will be pasting your own public key that you copied instead of the one that is in the example.

We still have a few more options that need to be changed. You don’t want to leave dropbear running on the default port or it is more likely to be discovered and attacked.

root@router:~# vi /etc/config/dropbear

Change PasswordAuth = off and Port = 443. You can change the port to anything that you like, but you want to choose something that is not common. I like port 443 because it is the SSL port so when I am tunneling through my router from work my traffic looks natural. Also, port 443 is never going to be blocked. PasswordAuth off is just turning off the password authentication which we don’t want anymore because we are using keys.

We still need to open up the port that dropbear is running on to the WAN, because as I mentioned earlier OpenWRT has all inbound WAN ports closed.

root@router:~# vi /etc/config/firewall

You can do this by editing the firewall configuration file and adding:


config 'rule' 'ssh'
option 'src' 'wan'
option 'proto' 'tcp'
option 'src_ip' ''
option 'dest_ip' ''
option 'dest_port' '443'
option 'target' 'ACCEPT'

Or you can do this in the web interface. I have X-WRT and I am not sure what web interface it uses, but for me it is under Network > Firewall > Incoming Ports.

Quick note… Some people mention that you should also run dropbear on a local port with password authentication turned on in case you lose your private key. This is not necessary if you have a web interface because you can always get into your web interface from LAN and edit the files to turn password authentication back on until you update the key file. But for those without a web interface you will want to do the following:

root@router:~# vi /etc/init.d/dropbear

You should see this line, or a line like it that starts dropbear.

/usr/sbin/dropbear $DROPBEAR_ARGS

Just add another line below it.

/usr/sbin/dropbear -p 22

Now you will also have password access from LAN on port 22.

After making all of these changes you will need to reboot or just run /etc/init.d/dropbear restart

In order to access it, open PuTTY and enter your IP and port. Then under Connection > Data for Auto-login username enter root. Under Connection > SSH > Auth click on Browse and select your private key. I recommend saving the session and then creating a shortcut to it. You can create shortcuts to putty sessions by running putty.exe @sesssion_name.

I had set weak secrets for my extensions and they were able to brute the secret and start making calls from my machine. I immediately changed all the secrets and have not had a problem since, but this article will show you some tools that can be used to test your own box and some settings that should be changed in order to secure it.

The tool that I use to scan Asterisk boxes is sipvicious. You will need to have python installed in order to run the scripts. There are two scripts that I use in the sipvicious tool suite: svwar.py to enumerate extensions and svcrack.py to crack the extension’s secret.

python svwar.py -e 100-499,1000-2999 192.168.1.223

This would scan my Asterisk box and enumerate extensions 100-499 and 1000-2999. You can also input a dictionary file of extensions by using the -d switch.

| Extension | Authentication |
| 200 | reqauth |

The return shows that I have extension 200 and it requires authentication. So now I could run svcrack.py to crack the secret.

python svcrack.py -u 200 -r 1-9999 192.168.1.223

This would try to login to extension 200 with secret 1 through 9999. svcrack.py can also be used with a dictionary using the -d switch.

Some useful .bat files that I created to make it quicker:
@echo off
cd C:\(directory with sipviscous scripts)
:input
set SIP_IP=
set /P SIP_IP=Enter IP Address: %=%
if "%SIP_IP%"=="" goto input
python svwar.py -e 100-499,1000-3999 %SIP_IP%
pause

@echo off
cd C:\(directory with sipviscous scripts)
:sip_ip
set SIP_IP=
set /P SIP_IP=Enter IP Address: %=%
if "%SIP_IP%"=="" goto sip_ip
:sip_exten
set SIP_EXTEN=
set /P SIP_EXTEN=Enter Extension: %=%
if "%SIP_EXTEN%"=="" goto sip_exten
python svcrack.py -u %SIP_EXTEN% -r 0-9999 %SIP_IP%
pause

To secure my box I have done the following:
1. Long multi-character secrets.
2. Added alwaysauthreject=yes to /etc/asterisk/sip_custom.conf
3. Blocked WAN ports to Asterisk on network firewall (except port 5060).
4. Changed default passwords on everything that comes with Elastix.
5. Installed Fail2Ban.

The first thing that you will want to do is create a IAX2 extension. After that is done go to your Fax tab and select New Virtual Fax. The extension and secret should be the same of the IAX2 extension that you created. Fill in the rest of the required fields.

Once that is done go to General Settings and set the fax extension to the IAX2 extension that you created. Enter the email addresses here as well. Next go to your inbound route and for Fax Extension select FreePBX default, for Fax Detection Type select NVFax, and for Pause After Answer enter 5.

It is almost setup, but we still need to install NVFax.

You can download the files here:

http://www.elastix.org/images/fbfiles/files/NV_Apps_elastix_0-f1b156f398276beb9feb5856e88edc88.zip

The instructions are in the archive, but basically you are just going to SCP three .so files over to your Elastix box. Once that is done you should be able to receive faxes. Check the Fax Visor under the Fax tab because the email notification won’t work unless you set that up before now. For instructions on setting up email please refer to the Elastix without Tears guide section 20.1 ENABLING EMAIL NOTIFICATION OF VOICEMAIL. If you don’t want the daily usage reports to be sent to you then you will need to edit the cronjob. Open /etc/cron.daily/hylafax in Vi or Nano. You need to comment out the section where the output of faxcron gets mailed.

Change this:
-tmp 7 | mail -s "HylaFAX Usage Report" faxmaster
To This:
-tmp 7 # | mail -s "HylaFAX Usage Report" faxmaster

The script will still run to delete the old and temporary data, but it will no longer mail the reports to you.

Sending faxes is done using either JHylaFAX or Winprint Hylafax. Both applications have enough documentation to get them connected to Elastix so I won’t go into detail. I use Winprint Hylafax and the only thing it requires is the Elastix IP, extension, and secret.

If your recording device records ADPCM .WAVs then you will know that you can’t open these files in sound editors like Audacity. If you search online you will find that most conversion applications like CDex don’t support this format either. I couldn’t find any free or open source program to convert this type of file until I opened it in Windows Sound Recorder. Windows Sound Recorder which comes with Windows is able to convert ADPCM to MP3. First open the file and then choose File > Properties.

Click on the Convert button and then you will see this screen where you can choose your new format.

I set the attributes to match those of the original. If you right-click on the original and select Properties then you can see what attributes it has, my recorder records 8000Hz, 32kbps, Mono.

Now you just save the file with an .mp3 extension and you are now able to open it in your favorite sound editor.

I am always looking for open smtp, ssh, or sip servers. This is the routine that I have set up to scan for these open hosts. In order to set this up for yourself you will need to have Nmap and AutoIt installed. If you are using the non-install version of Nmap then you will need to add the Nmap directory to PATH. You can either do that in the .bat file that I use or by right-clicking My Computer and selecting properties. Go to the advanced tab and click the environmental variables button. Add the Nmap directory to PATH.

Here is my .bat file to run the scan.

@echo off
title nmap scan
nmap -iL hosts.txt -sS -sV --version-all -vv --open -p 80,5060 -oX results.xml --stylesheet http://www.insecure.org/nmap/data/nmap.xsl
start results.xml

The first two lines just make the command prompt look pretty by removing the output and giving the window a title. The third line actually runs the scan. It uses the file hosts.txt to import the IP addresses from, it uses the TCP SYN technique to scan, it is checking service information for each port, verbose mode is turned on, it will only show open ports, it is scanning ports 25 (smtp), 80 (http), and 5060 (sip). It is outputting the results to results.xml, and it is using the stylesheet from the nmap website to make the xml file readable. The last line just opens the xml file.

If you don’t add the Nmap directory to the environmental variables then in the .bat file before running Nmap add this line where C:\program files\nmap would be the Nmap directory.

set path=%path%;C:\program files\nmap

How do I populate the hosts.txt file? I like to get a bunch of random hosts, and the best way that I have found to do that is through P2P networks. In uTorrent I just go to the Peers tab, right-click, and choose Copy Peer List.

This is going to give you a nice random selection of potentially open/vulnerable hosts. I then paste this list into the hosts.txt file. The only problem is that the peer list also has the port numbers at the end of the IP address in this fashion 192.168.1.1:5454. Nmap only wants the IP address so we have to get rid of the port number. To do this I set up an AutoIt script.

$input = InputBox("Remove Ports", "Filename:")

If $input = "" then Exit

$open = FileOpen($input, 0)
$write = FileOpen("peers -ports.txt", 2)

while 1
$line = FileReadLine($open)
If @error = -1 Then ExitLoop
$array = StringSplit($line, ":")
FileWriteLine($write, $array[1])
wend

FileClose($open)
FileClose($write)
FileDelete(”hosts.txt”)
FileCopy(”peers -ports.txt”, “hosts.txt”)
FileDelete(”peers -ports.txt”)
MsgBox( 1, “”, “Done.”)

If your host file doesn’t always change then it would be faster just to set $input to the filename of the script instead of using an input box. Note: On Windows Vista the above script wouldn’t work unless I changed the double quotes to single quotes.

Blacklist
Blacklist is not a built-in feature in the Elastix build that I am using. In order to install and use Blacklist, you must click on the PBX tab on the top and then click on Unembedded FreePBX. The default login is admin:admin. Once you are logged in then go to the Tools tab and then under that Module Admin. Find Blacklist, click on it, check Install, and on the bottom click on the Process button. This will install Blacklist and you can block any numbers that you want by accessing it through Unembedded FreePBX.

Anonymous Call Block
If you want to completely block anonymous, restricted, private, unidentified, etc. calls then you will want to do the following.

SSH into your Elastix box.
[root@elastix ~]# locate page.did.php
/var/www/html/admin/modules/core/page.did.php

We just found where the page.did.php file is located, now we want to edit the lines outlined in this patch. I like to use nano when I need to search through a file, so if you don’t have it installed yet then type:
[root@elastix ~]# yum -install nano

To edit the file type:
[root@elastix ~]# nano -w /var/www/html/admin/modules/core/page.did.php

We will basically be finding this line:
if (!isDialpattern(theForm.cidnum.value))

deleting the last close-parenthesis and adding:
&& theForm.cidnum.value != "Private" && theForm.cidnum.value != "Blocked" && theForm.cidnum.value != "Unknown" && theForm.cidnum.value != "Restricted" && theForm.cidnum.value != "Unavailable")

Save the file, you are now done editing files. I know the patch says that the functions.inc.php file needs to be edited, but I didn’t touch that file and everything works fine for me.

For the next step go back into the Elastix WebUI and go to the PBX tab and then to Inbound Call Routes.

For the Caller ID Number type in Restricted or Unknown or Private or Blocked or Unavailable. It is case sensitive so make sure you have the proper case. Then you can set the destination to Terminate Call and it will hangup when that type of call comes in, but I am sure that you would rather have it go to a message that says you do not accept blocked calls. If you want to do that then do the following.

Go to System Recordings and go to Built-in Recordings and select privacy-unident. You will now see this recording listed on the right-side menu. Click on it and change the name to “Unidentified”. Save and apply. Then from the second drop down select privacy-thankyou. Save and apply. Then from the third drop down select goodbye. Save and apply. The “Unidentified” message will now be, “The party you are trying to reach does not accept unidentified calls, thank you, goodbye.”

Go to Announcements and name it “Restricted”, select the “Unidentified” recording, and choose Terminate Call. Save and Apply.

Now go back and edit your Restricted, Private, Unknown, etc routes and instead of having the destination be set to terminate the call, have it set to play the “Restricted” announcement.

UPDATE:
I recently upgraded to version 1.5.2 and this version includes the ability to enter “Blocked,” “Restricted,” “Anonymous,” etc. but my calls are sent to me as “1Restricted” so I still had to edit a couple of files to make it accept “1Restricted.”

[root@elastix ~]# nano -w /var/www/html/admin/modules/core/page.did.php

Search for restrict and where you see this line:
if (!isDialpattern(mycid) && mycid.substring(0,4) != "priv" && mycid.substring(0,5) != "block" && mycid != "unknown" && mycid.substring(0,8) != "restrict" && mycid.substring(0,7) != "unavail" && mycid.substring(0,6) != "anonym")

Change:
"restrict"
to:
"1restric"

[root@elastix ~]# nano -w /var/www/html/admin/modules/core/functions.inc.php

Search through functions.inc.php for restrict and you will find a similar line as above. You must do the same thing by changing “restrict” to “1restric”. I also found that in this version of FreePBX/Elastix that I had to check CID Priority Route on my inbound route in order for it to actually take effect, so check that if you haven’t already. Now you will be able to block restricted calls sent from CallWithUs.

Some other things that Elastix offers are an address book where you can initiate calls just by clicking on the number that you want to call, speech synthesis for converting text to speech, business tracking solutions vTigerCRM and SugarCRM, integrated echo canceler, and support for calling cards.  These are all features that trixbox does not have and not only that but Elastix is just more user friendly and polished.

I will delve deeper into Elastix in later posts. So if you want to learn how to setup faxing or block anonymous calls then check back here.

Go to T3CH and download both the latest version and then also rev16762 built on 12-30-08. Upgrade XBMC to the latest version and then once you are done upload just the imdb.gif, imdb.xml, and imdb tv.xml from rev16762. The files are located in “XBMC\system\scrapers\video” and should be uploaded to the same location on your X-box. Now the IMDB scraper will work just fine.