Sunday, August 28, 2011

Lazy sip trunk with asterisk

In this scenario we set up a SIP trunk to connect two Asterisk servers in different offices (Bangkok and Singapore), linked through a VPN that is already set up. Since we already have a secure firewall we won't be adding username authentication (otherwise we really should!). Bangkok has the extensions in the 6XXX range, Singapore in the 5XXX.

On Bangkok's side, we edit the file sip.conf and add the following, changing the IP to your host's, plus the trunk name, favorite codecs and context. I left that last one at its default, so calling between the PABXs is enabled by default in both places (lazy way :)


  • In Bangkok's sip.conf:


[Singapore]
host = 10.9.9.1
username =
secret =
trunkname = singapore
group = null
hasexten = no
hasiax = no
hassip = yes
registeriax = no
registersip = yes
trunkstyle = voip
disallow = all
allow = g729,ulaw,gsm
insecure = port,invite
nat = no
qualify = yes
context = defaultDialPlan
canreinvite = no

  • In Singapore's sip.conf:


[Bangkok]
host = 10.8.9.1
username =
secret =
trunkname = bangkok
group = null
hasexten = no
hasiax = no
hassip = yes
registeriax = no
registersip = yes
trunkstyle = voip
disallow = all
allow = g729,ulaw,gsm
insecure = port,invite
nat = no
qualify = yes
context = defaultDialPlan
canreinvite = no

Now that we have the SIP trunk configured, we will create a digit map to be able to call.

  • Edit Bangkok's extensions.conf:

[InterPABX]
; 5XXX extensions live in Singapore: send them over the [Singapore] trunk
exten => _5XXX,1,Dial(SIP/Singapore/${EXTEN})

  • Edit Singapore's extensions.conf:

[InterPABX]
; 6XXX extensions live in Bangkok: send them over the [Bangkok] trunk
exten => _6XXX,1,Dial(SIP/Bangkok/${EXTEN})

After this, we need to add the InterPABX rule to the default dial plan in extensions.conf on both sides:

[defaultDialPlan]
...
include => InterPABX

We are done. Now we reload the sip and dialplan:


  • asterisk -rv
  •  BKK-asterisk-001*CLI>sip reload
  •  BKK-asterisk-001*CLI>dialplan reload
  •  BKK-asterisk-001*CLI>exit


Now we can grab a phone and make our first free call between our two places.
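A quick check for the trade-off made in the trunk definitions above, as an added example that is not part of the original post: it lists every sip.conf peer and flags those with an empty secret or with invite in the insecure option, since chan_sip accepts INVITEs from such a peer's address without a challenge. The sample file is constructed; the Singapore-auth peer and its secret are assumptions made up for contrast.

```shell
#!/bin/sh
# write_sample_conf PATH: constructed sample. The first peer mirrors the trunk
# above; the second peer and its secret are made up for contrast.
write_sample_conf() {
    cat > "$1" <<'EOF'
[general]
context = default

[Singapore]
host = 10.9.9.1
secret =
insecure = port,invite

[Singapore-auth]
host = 10.9.9.1
secret = CONSTRUCTED-EXAMPLE-SECRET
insecure = port
EOF
}

# audit_sip_peers FILE: prints "<peer> <host> <UNAUTHENTICATED|ok>" per peer.
audit_sip_peers() {
    awk '
    function report() {
        if (peer == "" || peer == "general") return
        weak = (secret == "" || insecure ~ /invite/)
        printf "%s %s %s\n", peer, host, (weak ? "UNAUTHENTICATED" : "ok")
    }
    /^[ \t]*;/ { next }                          # comment line
    /^[ \t]*\[/ {                                # start of a new [section]
        report()
        peer = $0; sub(/^[ \t]*\[/, "", peer); sub(/\].*/, "", peer)
        host = "-"; secret = ""; insecure = ""
        next
    }
    /=/ {                                        # key = value ; optional comment
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); sub(/;.*/, "", val); gsub(/[ \t]/, "", val)
        if (key == "host") host = val
        if (key == "secret" || key == "md5secret") secret = val
        if (key == "insecure") insecure = val
    }
    END { report() }
    ' "$1"
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_sip_peers "$sample"
rm -f "$sample"
```

Any peer reported as UNAUTHENTICATED is protected only by whatever limits who can send SIP from that address, here the VPN and firewall.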

Sunday, August 21, 2011

Lazy Postfix queue management

Postfix comes with some nice utilities to manage its queues. In this case we are using qshape, postqueue and postsuper.

qshape allows us to check the 'shape' of the queues. The available queues are:

  • incoming - messages pending to be processed
  • hold - queue available to deposit messages that will remain on standby
  • active - messages being processed at that moment
  • deferred - messages that can't be delivered at that moment
  • maildrop - messages delivered locally

To check the incoming, hold and active queues we execute qshape -s incoming hold active (-s displays statistics by sender domain):


                 T  5 10 20 40 80 160 320 640 1280 1280+
        TOTAL    6  2  2  0  0  0   0   0   0    0     2
asiarooms.com    1  1  0  0  0  0   0   0   0    0     0
    jahoo.com    3  1  2  0  0  0   0   0   0    0     0
  pepeluis.es    2  0  0  0  0  0   0   0   0    0     2

The statistics show that we have a total of 6 emails: one from asiarooms.com that arrived less than 5 minutes ago, 3 from jahoo.com that arrived between 1 and 10 minutes ago, and two from pepeluis.es with an age of more than 1280 minutes.

A more detailed examination can be performed with the tool postqueue:

#postqueue -p

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2FEE01260AA*   28213 Fri Aug 19 03:00:12  pepe.lopez@asiarooms.com
                                         pepe.lopez@asiarooms.com

D516B1260A4*    5799 Fri Aug 19 03:00:22  faemalia@jahoo.com
                                         info@asiarooms.com

028691260B8*    5803 Fri Aug 19 03:00:23  faemalia@jahoo.com
                                         info@asiarooms.com

-- 19 Kbytes in 3 Requests.

The Queue ID column gives us the ID of each message. If we would like to get rid of any email, we can use the tool postsuper:

#postsuper -d 2FEE01260AA

That command will delete the first email shown by postqueue. If we would like to delete all the current messages in a particular queue (e.g., the deferred queue):

#postsuper -d ALL deferred

Or just all our emails to be delivered:

#postsuper -d ALL

This is a very basic overview of these commands. Many more functions are described in each command's man page and in the official Postfix documentation: http://www.postfix.org/documentation.html
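Between deleting one message by ID and deleting ALL there is a middle path: select the queue IDs of one sender domain and hand only those to postsuper. The function below is an added example, not part of the original post; it parses postqueue -p output, assumes short hexadecimal queue IDs as in the listing above, and is run here on constructed sample output built from the same entries.

```shell
#!/bin/sh
# sample_postqueue: constructed `postqueue -p` output built from the entries above
# (sender on the queue-ID line, recipients on the indented lines below it).
sample_postqueue() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
2FEE01260AA*   28213 Fri Aug 19 03:00:12  pepe.lopez@asiarooms.com
                                         pepe.lopez@asiarooms.com

D516B1260A4*    5799 Fri Aug 19 03:00:22  faemalia@jahoo.com
                                         info@asiarooms.com

028691260B8*    5803 Fri Aug 19 03:00:23  faemalia@jahoo.com
                                         info@asiarooms.com

-- 19 Kbytes in 3 Requests.
EOF
}

# queue_ids_by_sender DOMAIN: reads `postqueue -p` output on stdin and prints the
# queue IDs whose envelope sender is in exactly that domain.
# Recipient lines are indented, so they never match the ID-line pattern.
queue_ids_by_sender() {
    awk -v dom="$1" '
    BEGIN { dom = tolower(dom) }
    /^[0-9A-F]+[*!]?[ \t]/ {             # ID line; * = active, ! = on hold
        id = $1; sub(/[*!]$/, "", id)    # strip the status flag from the ID
        n = split(tolower($NF), parts, "@")
        if (n == 2 && parts[2] == dom) print id
    }'
}

# Review the selection first, then feed it to postsuper ("-" = read IDs from stdin):
#   postqueue -p | queue_ids_by_sender jahoo.com
#   postqueue -p | queue_ids_by_sender jahoo.com | postsuper -d -
sample_postqueue | queue_ids_by_sender jahoo.com
```

Matching on the exact sender domain keeps the two jahoo.com messages addressed to info@asiarooms.com out of an asiarooms.com selection.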





Tuesday, August 9, 2011

Lazy setup of a Cisco Wireless LAN Controller on a 2951 router

Once the card is installed in the router, we can access it by giving an IP address to the WLC interface and using the service-module command:

  • Cisco#config t
  • Cisco(config)#interface Integrated-Service-Engine1/0
  • (can be 2/0 depending on which bay you installed the card in)
  • Cisco(config-if)# ip address 10.9.9.254 255.255.255.0
  • Cisco(config-if)# ip nat inside
  • Cisco(config-if)# end

Now we can start a session on the module:
  • Cisco#service-module Integrated-Service-Engine 1/0 session
  • Trying 10.9.9.254, 2131 ... Open


    User Access Verification

    Username:

Default credentials are admin / admin. The first time, we will go through a configuration wizard where we can define the management, ap-manager and virtual router addresses, among other options. When we are done, we can exit from the session using the key combination [ctrl + alt + 6, then x].

Once we have our WLC properly configured, we need to add the magic options to the DHCP server in order to associate the AP with the WLC. In my case the AP is an Airo 3500. If you use this model with a WLC running old software you will need to upgrade to the latest 7.0 version; you can find the firmware in Cisco's download section, and the file is named AIR-WLCM-K9-7-0-116-0.aes.

We add the AP to the dhcp as follows:


# Vendor option space for Cisco lightweight APs
option space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address code 241 = array of ip-address;
option Cisco_LWAPP_AP.controller code 43 = string;

# Static entry for the AP, carrying the controller list in the vendor options
host AIRO-3500-Kitchen {
    hardware ethernet e0:5f:b9:10:66:68;
    fixed-address 10.9.9.199;
    option vendor-class-identifier "Cisco AP 3500";
    vendor-option-space Cisco_LWAPP_AP;
    option Cisco_LWAPP_AP.server-address <list of controller IPs>;
    option routers 10.9.99.254;
}

After the AP gets the config from the DHCP server, it will appear in the WLC access point list. You can finalize the setup by telnetting to port 2131 of the management card, or just by pointing a web browser at the IP set as the management IP during the wizard.
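What the "magic option" looks like on the wire, as an added example that is not part of the original post: sub-option 241 inside option 43 is a type byte f1, a length byte of 4 per controller, then the controller addresses. The function below computes that payload so it can be compared with the option 43 bytes seen in a captured DHCP offer; the controller addresses used are constructed (documentation range), since the page does not give them.

```shell
#!/bin/sh
# wlc_option43_hex IP [IP...]: prints the option 43 payload for the given
# controller addresses as colon-separated hex: type f1, length 4*N, then the IPs.
# Returns non-zero on a malformed address or on more addresses than fit.
wlc_option43_hex() {
    printf '%s\n' "$@" | awk -F. '
    {
        if (NF != 4) bad = 1                      # not a dotted quad
        for (i = 1; i <= 4; i++) {
            if ($i !~ /^[0-9]+$/ || $i + 0 > 255) bad = 1
            hex = hex sprintf(":%02x", $i + 0)    # one byte per octet
        }
        n++
    }
    END {
        if (bad || n > 63) exit 1                 # one length byte: at most 63 addresses
        printf "f1:%02x%s\n", n * 4, hex
    }'
}

# Constructed controller addresses (documentation range), not from the page.
wlc_option43_hex 192.0.2.10 192.0.2.11
```

If the AP never shows up in the WLC list, a mismatch between this payload and the captured offer points at the DHCP side rather than at the controller.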

In case you want to use the same IP as the router's, we can add this config:

  • Cisco#config t
  • Cisco(config)#interface Integrated-Service-Engine1/0
  • Cisco(config-if)# ip unnumbered <your router's interface name (gigabitethernet0/0?)>
  • Cisco(config-if)# end

And if we want to add dot1Q (VLAN) to our ESSID:

  • (Previously created the first ESSID on the WLC)
  • Cisco#config t
  • Cisco(config)#interface Integrated-Service-Engine1/0.1 <- ESSID identifier
  • Cisco(config-subif)# encapsulation dot1Q 888 <- VLAN ID
  • Cisco(config-subif)# ip address 10.9.8.254 255.255.255.0
  • Cisco(config-subif)# ip nat inside
  • Cisco(config-subif)# end

You might need to modify your routing table depending on your setup, specifying where the WLC interfaces are located:

  • Cisco#config t
  • Cisco(config)#ip route <WLC IP> <netmask> interface Integrated-Service-Engine1/0
  • Cisco(config)#end

For additional information about this card's setup you can check:



Monday, August 8, 2011

Lazy WEP key test with aircrack-ng on Debian

We can test how secure our old WEP Wi-Fi keys are by following these few steps:

1 - Ensure you have a compatible chipset:


2 - Install aircrack-ng:

  • Nova:amartin# sudo apt-get install aircrack-ng

3 - Load the monitor on your wi-fi interface:

  • Nova:amartin# sudo airmon-ng start <wlan interface>

4 - Start to capture the traffic with the dump utility:

  • Nova:amartin# sudo airodump-ng -w /tmp/mykey -d <your AP BSSID> <monitor interface>

5 - After a while, and with enough traffic captured (10K+ packets) let's try to find out the key:

  • Nova:amartin# sudo aircrack-ng /tmp/mykey*cap
  • (the * covers the case where we have multiple capture files)

6 - After some processing you will probably find your key in hexadecimal


7 - Change your security to WPA2 at least :)

Sunday, August 7, 2011

Lazy mrtg graphs with Debian + Cisco

1 - SSH / telnet / whatever to your router and enable SNMP:

  • Cisco#Config t
  • Cisco(config)#snmp-server community public RO
  • Cisco(config)#end
  • (you may need to modify ACL to allow traffic to the snmp port)

2 - Install snmp, mrtg and your favorite web server packages on your Debian box (lighttpd in this case):

  • Nova# sudo apt-get update
  • Nova# sudo apt-get install mrtg lighttpd snmp
  • (Satisfy all the dependencies shown)

3 - Check snmp is working properly:

  • Nova# snmpwalk -v 2c -c public <router IP>
  • (If you see lots of strings, it works!)

4 - Create the templates for mrtg:

  • Nova# sudo cfgmaker --global 'WorkDir: /var/www/mrtg' --output=/etc/mrtg/myrouter.cfg public@<router IP>
  • (You might want to edit the cfg file to customize the options, interfaces, etc. I always add Options[_]: growright)

5 - Create the file /etc/cron.d/mrtg with this content and make cron check your device:

       */5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/myrouter.cfg 2>&1

6 - Create the index file for viewing the graphs by executing this command:

  • Nova# sudo indexmaker --sort=title --output=/var/www/mrtg/index.html /etc/mrtg/myrouter.cfg


8 - Configure your browser to be able to show the index.html created before.

9 - Open the html file with your browser (http://localhost/mrtg ?)

10 - Wait some minutes to check all the graphs are showing properly :)