A Phone Environment for Charities

The open source Asterisk voice over IP platform is great for many reasons. It served me well for many years, but it wasn’t “bulletproof”. I had to fix it for good.
I have been running Asterisk, the open source voice over IP (VoIP) platform, for many years. Though it served me quite well, it wasn’t “bulletproof”. It failed from time to time, sometimes without me knowing, but that didn’t matter as I didn’t expect anything urgent anyway.
When we started our “Pecos Valley Public Services” charity, we wanted to establish a 24/7 help line, and, of course, we would use Asterisk for it. My current Asterisk software ran OK, with one issue: it failed from time to time, sometimes without me knowing, but that didn’t matter as I didn’t expect anything urgent anyway. But failure could not be an option in Pecos Valley Public Services’ environment.
My “old” Asterisk was running on a server that hadn’t been upgraded for ages, and even the Asterisk software itself was almost old enough to apply for a driver’s license. This would be a great time to put it on a new hardware platform (Raspberry Pi 5 with USB hard disk) and, of course, the latest version of the Asterisk software. There were a few issues with the conversion going from sip to pjsip (yeah, the “old” version was really old) but, with heavy searching, reading and some support from AI, I was finally able to get that out of the way. I didn’t just want to convert the configuration, I wanted to understand why it had to be that way. Somewhere down the road it clicked and the rest was easy. I am nowhere near being an “Asterisk” or pjsip guru, but I grasp the concept and I am able to set things up the “pjsip” way. Task accomplished.
Our phone system allows folks to call in and connect to a Pecos Valley Public Services volunteer. We have options for “urgent” requests that will, depending on the current time, be routed differently. We are currently implementing text to speech and speech to text so callers can retrieve community information more easily. All in all, our charity’s phone system serves as a central contact point to shield our volunteers from having to give away their personal cell numbers. It also offers a more “professional” way to present ourselves to the outside world.
With the server up and running, I turned my attention to the black side of life – the constant attacks all Internet-facing services have to endure all the time. In order to secure the Asterisk installation, I disabled all costly outbound dialing on the uplink side (the SIP provider), switched to IP-based authorization, and installed fail2ban.
daroot@phonesys:~# fail2ban-client status asterisk
Status for the jail: asterisk
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 911
`- Actions
   |- Currently banned: 6
   |- Total banned: 42
   `- Banned IP list: 217.160.16.161 185.243.5.203 104.167.220.149 68.69.186.118 198.12.125.154 87.98.236.89
I wish we would find a way for the fail2ban IP list to be shareable, so we could implement an “attack one server and you’re out on all servers” mode, but that doesn’t seem to exist as of today. I am not sure why folks would attack a lonely Raspi running a provider-side outbound-disabled Asterisk (and nothing else). The Raspi itself is behind a NAT router and, additionally, is isolated from the rest of our network. But there you go. You have to protect your environment.
But there was one nagging problem: our Asterisk would still drop the registration to the SIP provider once in a while without telling me about it. Yes, I have the line qualified and yes, “sip show endpoints” would show the line to be “avail”. I reached out to our provider, who wasn’t very helpful, so I had to dig into the problem myself. I think I traced the problem to the way UDP packets are handled through the NAT process. It seems that the router sometimes “forgets” the UDP NAT binding too fast, so it loses its registration while the “ping” would continue to succeed. Thankfully, Asterisk allows the use of TCP for the registration, so I reconfigured pjsip with a “transport tcp” block and so far, I haven’t had any problems with dropped registrations anymore. That’s because TCP NAT bindings are usually kept alive much longer than UDP bindings.
I am also now having our tin-brain (our local AI) monitor the “pjsip show registration” status and notify me if something doesn’t seem to look OK.
All in all, our Asterisk works fine and has been used by the community often and reliably. We get a lot of services out of that phone system and it only costs pennies to operate. Asterisk is a really good way to stay in touch with your clients.
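A registration check of the kind described above can also be done deterministically. The following is an added example, not the author's monitoring setup: it parses the text printed by `asterisk -rx "pjsip show registrations"` and reports every registration that is not in the Registered state. The sample output and trunk names are constructed, and the column layout is an assumption about the CLI output of a current Asterisk release.

```python
import re
import subprocess

# Constructed sample of CLI output (hypothetical trunk names, not from the page).
SAMPLE = """\

 <Registration/ServerURI..............................>  <Auth..........>  <Status.......>
==========================================================================================

 trunk-a/sip:sip.provider.example                         trunk-a-auth      Registered        (exp. 1742s)
 trunk-b/sip:sip2.provider.example                        trunk-b-auth      Rejected

Objects found: 2
"""

# One data row: name/server-uri, auth object, status word (expiry suffix ignored).
ROW = re.compile(r"^\s*(?P<name>[^/\s]+)/(?P<uri>sips?:\S+)\s+(?P<auth>\S+)"
                 r"\s+(?P<status>[A-Za-z]+)")
COUNT = re.compile(r"^Objects found:\s*(\d+)")


def check_registrations(cli_output):
    """Return a list of problem strings; an empty list means every line is fine."""
    problems, rows, expected = [], 0, None
    for line in cli_output.splitlines():
        row = ROW.match(line)
        if row:
            rows += 1
            if row["status"] != "Registered":
                problems.append(f"{row['name']}: status {row['status']}")
        elif COUNT.match(line):
            expected = int(COUNT.match(line).group(1))
    # Fail closed: an empty or partly unparsable listing is itself a problem.
    if rows == 0:
        problems.append("no registrations listed")
    elif expected is not None and expected != rows:
        problems.append(f"parsed {rows} rows but CLI reported {expected}")
    return problems


def poll():
    """Ask the local Asterisk (assumed on PATH); a dead CLI counts as an alert."""
    cmd = ["asterisk", "-rx", "pjsip show registrations"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=10, check=True).stdout
    except (OSError, subprocess.SubprocessError) as exc:
        return [f"asterisk CLI unavailable: {exc}"]
    return check_registrations(out)


if __name__ == "__main__":
    for problem in check_registrations(SAMPLE):
        print("ALERT:", problem)
```

Running `poll()` from cron or a systemd timer and forwarding a non-empty result to a notifier gives an alert that does not depend on the qualify status of the endpoint.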
Time to move on to a different project.
Michaela Merz is an entrepreneur and first generation hacker. Her career started even before the Internet was available. She invented and developed a number of technologies now considered to be standard in modern web-environments. She is a software engineer, a Wilderness Rescue volunteer, an Advanced Emergency Medical Technician, an FAA Part 61 (PPL, IFR), Part 107 certified UAS pilot and a licensed ham.