New features of switchfin firmware

Hi Guys,

Recently a few people using Switchfin reported that their PBXs have been hacked.

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints,
the answer is “script kiddies.”  In the last few months, a number of new tools have made it easy for knuckle-draggers to attack
and defraud SIP endpoints, including Asterisk-based systems such as the ones Switchvoice manufactures.
There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions,
and then scan valid extensions looking for passwords.

There are a few simple things you may do to increase the security of your PBXs.

   1. Put your PBX behind a router/firewall and open a given port only if necessary.
   2. Use non-trivial SIP/IAX user names and long, difficult passwords. Never use a user name and password that are the same.
   3. Use the new deny/permit feature in the Switchfin GUI. As a general practice, always do this if you need to connect to your PBX from outside of your local network and therefore need to open SIP port 5060 on your router. For example, to allow the single IP you will register from (in this example 216.207.245.47), specify rules in the GUI like this. Note that the order of the rules is important!



Thanks Jason for implementing this really nice new feature!

   4. You may consider changing the SSH password of your PBXs to something more complex.

Please pay attention before you get hacked.
After all VOIP is to make the communication easier, more convenient and cheap.

Best Regards
Dimitar

TOP
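Why rule order matters for item 3 above, as an added example that is not part of the original post and is not Switchfin code: a small evaluator for Asterisk-style deny/permit lists. It assumes the GUI rules follow Asterisk's ACL behaviour (start from allow, the last matching rule decides); apart from 216.207.245.47, the addresses and rule sets are constructed.

```python
import ipaddress

# Constructed rule sets in Asterisk address/netmask notation.
# 216.207.245.47 is the example address from the post; the rest is illustrative.
GOOD_ORDER = [
    ("deny", "0.0.0.0/0.0.0.0"),                   # block everyone first
    ("permit", "216.207.245.47/255.255.255.255"),  # then allow the one host
]
BAD_ORDER = list(reversed(GOOD_ORDER))             # same rules, wrong order
ONLY_PERMIT = [("permit", "216.207.245.47/255.255.255.255")]

# Constructed probe addresses: the allowed host, its neighbour, a stranger.
PROBES = ["216.207.245.47", "216.207.245.48", "203.0.113.9"]


def evaluate(rules, source_ip):
    """Return True if source_ip may register.

    Assumed semantics (Asterisk ACL): the default is allow, every rule is
    checked in order, and the last rule that matches decides the outcome.
    """
    addr = ipaddress.ip_address(source_ip)
    allowed = True
    for action, spec in rules:
        if action not in ("deny", "permit"):
            raise ValueError(f"unknown action: {action}")
        if addr in ipaddress.ip_network(spec, strict=False):
            allowed = action == "permit"
    return allowed


def audit(rules, probes=PROBES):
    """Map each probe address to the decision the rule list gives it."""
    return {ip: evaluate(rules, ip) for ip in probes}


if __name__ == "__main__":
    for name, rules in (("deny then permit", GOOD_ORDER),
                        ("permit then deny", BAD_ORDER),
                        ("permit only", ONLY_PERMIT)):
        print(f"{name:17}", audit(rules))
```

With the permit rule alone, every address is still allowed, because nothing overrides the default; with the order reversed, the trailing deny locks out the intended host as well.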

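Switchfin has now reached SVN 400 and is updated constantly, but I really don't know what has been changed or which bugs have been fixed.

What I want most is for iptables to be added.

Basically, it runs normally and is OK.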

TOP

New features: PPPOE.

Service manager at GUI.

http://www.telecom-cafe.com/foru ... d=2963&pid=8013

TOP

You may see how procwatch works

2007-01-01 00:00:12: Info: Process asterisk is now online
2010-10-08 13:28:34: Info: Cache flush, Memory at 4828KB (desired 5000)
2010-10-09 12:48:59: Info: Cache flush, Memory at 3648KB (desired 5000)
2010-10-09 12:52:05: Info: Memory OK @ 5236KB, Cache flush attempts = 31
2010-10-09 12:53:00: Info: Cache flush, Memory at 3828KB (desired 5000)
2010-10-09 12:56:12: Info: Memory OK @ 5536KB, Cache flush attempts = 32
2010-10-09 12:56:54: Info: Cache flush, Memory at 3392KB (desired 5000)
2007-01-01 00:00:12: Info: The watchdog timeout has been set to 27 seconds
2007-01-01 00:00:12: Info: Process asterisk is now online
2010-10-09 13:01:00: Info: Cache flush, Memory at 3848KB (desired 5000)

TOP

New screenshots for svn 421

[Screenshot: Status screen]

TOP

Iptables has been available from the SVN source code and menuconfig but is not yet found in the built firmware. With this, the firmware is almost complete.

TOP

Hi! ckleea,

Is there any ready-made Switchfin firmware, ATCOM-fashion, so that we can get started in an easy way?  Or do we have to compile and install the way you advised in #4?

I am considering whether it is time to give it a try as it seems the product is becoming mature enough.

TOP

Reply to 112# bubblestar


The simplest way is that I give you the compiled firmware. You can flash the firmware using the ATCOM GUI.  But I suggest having a serial cable on hand to see what happens. So far I haven't encountered problems in flashing, except at the beginning with ATCOM, when I was not familiar with it and did not have a USB to RS232 dongle on hand.

Once you are using the switchfin firmware, I do not have any serious problem but too ambitious to have more packages installed. I can show you which packages are available so that you can consider.

You may also wait for a while until iptables is available as well. As far as I know it is not though it is available from the sources and configuration options.


To compile it yourself, you need a Linux server and some experience. YH has had problems getting all the packages OK for compilation.

TOP

My present configuration options
    #
    # Automatically generated make config: don't edit
    #
    SF_HAVE_DOT_CONFIG=y
    SF_TARGET_TOOLCHAIN_COMPILER_4=y
    # SF_PR1_APPLIANCE is not set
    # SF_BR4_APPLIANCE is not set
    # SF_IP04 is not set
    SF_IP01=y
    # SF_FX08 is not set
    SF_TARGET_DEFAULTS=y
    # SF_TARGET_CUSTOM is not set

    #
    # Package Selection for the target
    #

    #
    # The default minimal system
    #
    SF_PACKAGE_UCLINUX_DIST=y
    SF_PACKAGE_UCLINUX_CONFIG="package/uClinux-dist/uClinux-dist.config"
    SF_PACKAGE_UBOOT=y

    #
    # Hardware settings
    #

    #
    # DAHDI
    #
    # SF_PACKAGE_DAHDI_EXTRATOOLS is not set
    # SF_PACKAGE_DAHDI_GSM1 is not set

    #
    # Asterisk
    #
    SF_PACKAGE_ASTERISK=y
    SF_ASTERISK_1_4=y
    # SF_ASTERISK_1_6 is not set
    # SF_PACKAGE_ASTERISK_VERBOSE is not set
    SF_SPANDSP_CALLERID=y
    SF_PACKAGE_ASTERISK-H323=y
    SF_PACKAGE_ASTERISK_G729=y
    SF_PACKAGE_NVFAX=y
    # SF_PACKAGE_DEVSTATE is not set
    SF_PACKAGE_ATTRAFAX=y
    # SF_PACKAGE_SPANDSPFAX is not set

    #
    # GUI
    #
    SF_PACKAGE_ASTERISKGUI=y
    # SF_PACKAGE_NOGUI is not set
    # SF_ASTERISK_GUI_3_0 is not set
    SF_ASTERISK_GUI_4_0=y

    #
    # Applications
    #
    SF_PACKAGE_TFTPD=y
    # SF_PACKAGE_PERL is not set
    # SF_PACKAGE_LIGHTTPD is not set
    SF_PACKAGE_SSMTP=y
    SF_PACKAGE_N2N=y
    SF_PACKAGE_RSYNC=y
    # SF_PACKAGE_CGIC is not set
    # SF_PACKAGE_VIM is not set
    SF_PACKAGE_BONJOUR=y
    SF_PACKAGE_INADYN=y
    # SF_PACKAGE_CURL is not set
    SF_PACKAGE_PROCWATCH=y
    SF_PACKAGE_TIFF2PDF=y
    # SF_PACKAGE_LUA is not set
    # SF_PACKAGE_UW-IMAP is not set
    SF_PACKAGE_IPTABLES=y

    #
    # Build options
    #
    SF_WGET="wget --passive-ftp -nd"
    SF_SVN="svn co"
    SF_TAR_OPTIONS=""
    SF_DL_DIR="$(BASE_DIR)/dl"
    SF_SOURCEFORGE_MIRROR="easynews"
    SF_TOPDIR_PREFIX=""
    SF_TOPDIR_SUFFIX=""
    SF_GNU_BUILD_SUFFIX="bfin-uclinux"
    SF_JLEVEL=1

TOP

Thanks! CK,

I appreciate your great effort to generate such a useful compiled firmware.

My second Asterisk server, using a PC, has just been set up and needs some time to check its stability and robustness.  Hence, I cannot afford to make my ATCOM IP01 into a mess at this stage.  In this connection, I'd rather wait for the readiness of iptables and get a more complete compiled firmware from you.

Also, I don't have available RS232 tools on hand to see what might be going on IP01 when I do it myself at this moment, especially I'm not as skillful as both YH and you on this issue to deal with some unexpected happenings.

TOP

This post was last edited by ckleea on 2010-10-17 20:52

No problem at all. You may let me know which packages you want later. I did the compilation for you. I use ATOM centos server. It does take quite some time for compilation.

For USB-RS232 dongle, I got mine from Yahoo at HK$23 inclusive of postage. So far no problem, you get the puttytel to work with it.

TOP

Just hung around the feature-rich Switchfin from the site that you provided.  It is quite impressive to me and its response time is beyond my expectation -- very quick and much much better than that of ATCOM IP01.  Especially, the Service Manager under Admin is also very useful whenever we need to enable/disable a system service.

Sure I will upgrade to this promising firmware later when iptables or related modules are ready.  

BTW, the USB-RS232 dongle is quite handy but it seems we cannot get it here in Hong Kong so easily.  Will try to order one in next purchase.

Thanks, CK.

TOP

Reply to 117# bubblestar


    The dongle is readily available from yahoo.com.

TOP

Thanks! I got the site already.

TOP

A small issue is still unresolved: the developer recently changed the GUI, and now I have a login problem. But the developer's clean install works! Strange!

TOP
