Child pages
  • sipXcom 20.04
Skip to end of metadata
Go to start of metadata

April 9, 2020

Summary

eZuce is pleased to announce the Generable Availability of sipXcom 19.12.

We're bringing a couple of nice new features to sipXcom. In previous versions if somebody dialed a user's name in dial by name directory the system would read back a mailbox number if the user had not setup their name in voicemail. Now the system will read back the user name.

The second new feature we'll highlight here is a security enhancement. We worked with the guys at https://apiban.org to add their automatically created ban list of IP's to sipXcom. Check out their site, they're offering a great service. All you need to do is request an API key and you can have sipXcom automatically poll their honeypot created ban list.

Highlights

sipXcom New Features

  • Read back voice mailbox owner name if the user has not configured their voicemail greeting.
  • Support for apiban.org to automatically ban SIP scanners

sipXcom Improvements:

  • Log error messages at Notice level vs. at higher proxy logging levels.
  • Firewall blacklist allows entries that are added automatically by fail2ban to be kept in ban list
  • Manage list of banned IP's in Admin GUI

Notes

  1. 19.08 and later are now released on CentOS 7 only. This will require that administrators install CentOS 7 minimal, then install Uniteme with our single line installer and then restore from a previous version backup.
  2. AudioCodes and other gateways may need to have their configuration changed if faxing is used. See SIPX-811.
  3. For Let's Encrypt certificates to work properly, the server must have a valid outside DNS name and have port 80 and 443 open to LE's servers.

Who Should Install?

New software releases are made at a rate of two to four releases a year. Releases are numbered in the <yy>.<mm>.<uu> format where <yy> and <mm> designate the year and the month, respectively, in which a release is made generally available. Where applicable, <uu> corresponds to an update release relative to a general release on which fixes are made available. 

Questions

Please post to the sipXcom-users google group if you have questions. 

https://groups.google.com/forum/#!forum/sipxcom-users

Specific Issues Addressed

SIPX-738Firewall Blacklist EnhancementAn administrator would like to allow automatically added banned hosts to be remembered and re-loaded when a server is restarted or IPTables is restarted.

Each type of system message in System -> Security -> SIP Security should allow for a setting of -1 to add the host to the banned hosts list.

Additionally, the administrator would like to be able to see the banned hosts in the admin GUI, why they were banned (sip-dos, invites, registrations, etc.) and be able to remove individual hosts from the list of banned hosts.
EnhancementSecurity Firewall
SIPX-740SIP Proxy should write errors to log file at Notice levelAn administrator would like to have certain SIP system errors written to log when at Notice level. Proxy logs are overly verbose at Info or Debug.

sipxProxy should write some additional errors to log file at Notice Level.

The log file should have the date and time, a description of the error, the offending source IP address and destination IP address.

This would be for 4xx, 5xx and 6xx message that sipXproxy can generate.
EnhancementLogs
SIPX-803Cleanup Temp Directory on ResetWhen the user runs "sipxecs-setup --reset-all" it should cleanup the /var/sipxdata/tmp directory. Some of the files within the directory are used by other services and a cleanup is necessary to do a proper reset.FixSetup
SIPX-804sipx-backup and postgresql_runningLooks like the /usr/bin/sipx-backup is making a call to postgresql_running that fails even though postgresql is running.FixBackup
SIPX-809Read back voice mailbox owner nameAn administrator would like to have the voicemail system play back a user's name if the user has not recorded their name for voicemail.

This can be done with mod_flite

Speaking the name

If the user has recorded their name, then that recording will be used when listing the matches. If they have not, the name will be read one letter at a time by default. If you would like the system to read their name as if it were being spoken, the following two files will have to be edited:

[freeswitch_root]/conf/lang/[language]/dir/sounds.xml - Replace the action tag under "directory_result_say_name" with:

<action function="speak-text" data="$1"/>
[freeswitch_root]/conf/lang/[language]/[language].xml - Make sure that your tts engine and voice are correct in the line:

<language name="[language]" say-module="[language]" sound-prefix="$${sounds_dir}/en/us/callie" tts-engine="flite" tts-voice="slt">
If you are using flite, you can find information about it here: mod_flite

language is the two character language abbreviation

freeswitch_root is the root of your Freeswitch installation
EnhancementVoicemail
SIPX-820/var/log/messages spammed by ipv6 messagesThe system /var/log/messages log is spammed by these messages:

Oct 24 08:30:37 1912 systemd: Reloading.
Oct 24 08:30:37 1912 systemd: Binding to IPv6 address not available since kernel does not support IPv6.
Oct 24 08:30:37 1912 systemd: Binding to IPv6 address not available since kernel does not support IPv6.

Looks like a service that keeps trying to start but can't because ipv6 is disabled. This should be found and removed or its ipv6 support disabled

UPDATE: This happens in connection to sipxagent runs. Further investigation has found that it is rpcbind that is misconfigured. On CentOS 7.2 and later it comes with default binding on ipv6 also.

FixLogs
SIPX-821Reverse DNS errors (SERVFAIL) in messages lognamed is spamming the messages log with reverse DNS errors from queries coming from cluster members.BugLogs
SIPX-825Fix CFEngine promisesCFengine promises don't work with newer versions of CFEngine.

The policy file parser is stricter in CFEngine >=3.5.0. The parser is now fully compliant with the CFEngine language syntax reference. The main difference you will encounter is that promiser/promisee no longer allows a comma at the end of the line. This will cause your existing policies to produce errors when they are read by CFEngine 3.5.0.
BugConfig
SIPX-827Users report registrations are expiringRegistrations are expiring for a while on different CentOS 7 versions of MongoDB, one had 3.4 and another 3.6. This happens only in clusters.

Might or might not be related to

http://jira.sipxcom.org/browse/SIPX-745

Testing has revealed that expired registrations happen on certain nodes, not related to phone location and/or network. Investigation of registrar logs on DEBUG has seen weird expires values on these servers:

grep RegDB sipregistrar.log

"2019-12-18T06:56:40.156575Z":150380:SIP:INFO:caracal.iuliu.test::7f7300988700:sipxregistry:"RegDB::getUnexpiredContactsUser Identity: 202@iuliu.test Contact: <sip:202@10.3.0.11;transport=tcp;x-sipX-nonat> Expires: 18446744073709551309 sec Call-Id: 253f71d042b2fac4712c900ccf819fa3"

Registration flow for the call-ids seems ok

Changed Registrar to default to 60 minute registration grace period. Set this as the new default in system
BugRegistrar
SIPX-829Setting DHCP to "unmanaged" disables it instead of leaving it runningA customer issue has showed us that there is some kind of problem with running DHCP in "unmanaged" mode, with the service unexpectedly dying.

Investigation has shown that setting DHCP to "unmanaged" causes cfengine to kill the service instead of leaving it running and just not managing the configuration. Upon manual start of the service, it keeps running until the first cfengine run when it is killed.

Seems like /usr/share/sipxecs/cfinputs/plugin.d/dhcpd.cf needs to be modified
FixDHCP
SIPX-830"Identity Validity" setting in Proxy is not documented and doesn't seem to work"Identity Validity" setting in Proxy is not documented and doesn't seem to work.

The value of X-Sipx-Authidentity and P-Asserted-Identity headers are signed using MD5. The signature is calculated over the content of the header value, signature timestamp, data from the SIP message and a unique secret, known only to sipXecs components in a given installation. This should prevent (or minimize) the replay attacks on the system making it relatively difficuilt to spoof the X-Sipx-Authidentity and P-Asserted-Identity headers. Signature includes a timestamp as epoch seconds indicating when the signature was calculated.

- "signature-hash" is MD5(<timestamp><secret><from-tag><call-id><identity>)

Signature validation fails if the signature is older then a configurable amount of time (Identity Validity defaulted to 300).
FixConfig
SIPX-835Update freeswitch flite RPMsFlite is broken in our rpms, the module does not load, needs updating:

From here

https://files.freeswitch.org/repo/yum/centos-release/7/x86_64/

Flite must be version 2.0.0-1 not 2.0.0-0

flite-2.0.0-1.el7.centos.x86_64.rpm 2017-01-12 22:27 13M
flite-debuginfo-2.0.0-1.el7.centos.x86_64.rpm 2017-01-12 22:27 19M
flite-devel-2.0.0-1.el7.centos.x86_64.rpm 2017-01-12 22:27 36K
FixFreeswitch
UC-48141904.centos7 voicemail and cdr restore prompt config optionsWhen uploading just cdr or just voicemail and clicking restore, the config archive options are prompted next. See attached images.FixRestore
UC-481719.04 sipregistrar webui optionsIn the 1904 webui the 'log console' option is not defined. It's not defined in the wiki either. I'm not sure what that does?

http://wiki.ezuce.com/display/unite/SIP+Registrar

Setting does nothing, remove from WebUI
FixConfig
UC-4821zen 8412: domain alias limitationAlso reported in (4.2, closed) XX-9799 , there is a limitation to the amount of domain aliases you can enter in the webui (varchar 255). Customer workaround was to stand up a second system. Have tested now to 3000 charactersFixConfig
UC-4839Support APIBAN.orgapiban.org keeps a honeypot generated list of SIP 'bad actors'.

An administrator would like to poll apiban.org periodically and update a local list of banned IP's to block with unite / sipxcom's integrated firewall.

https://apiban.org/doc.html
EnhancementSecurity
UC-484119.12 sipxecs init script references sipxfreeswitchThe 'sipxecs' service script still references sipxfreeswitch. For example:

[root@sipx ~]# service sipxecs status | grep freeswitch
/etc/init.d/sipxecs: line 21: /etc/init.d/sipxfreeswitch: No such file or directory
[root@sipx ~]# ll /etc/init.d/freeswitch
-rwxr-xr-x 1 root root 3953 Nov 28 07:24 /etc/init.d/freeswitch
[root@sipx ~]# ll /etc/init.d/sipxfreeswitch
ls: cannot access /etc/init.d/sipxfreeswitch: No such file or directory

[root@sipx init.d]# grep 'freeswitch' /etc/sipxpbx/sipxecs-services.ini
sipxfreeswitch
FixConfig




  • No labels