Stuff I'm Up To

Technical Ramblings

One Time Password and SSHD — May 1, 2020

I made a bit of a fool of myself suggesting that we add a free means of securing our external SSH gateway by using Google Authenticator. My boss simply turned around and said

“Why would we recommend that all our users get Google accounts just to logon to our services?”

My Boss

It’s because I haven’t fully moved my mindset away from large commercial free but closed source services, into free and open source.

After five minutes I'd got FreeOTP installed on my phone and set up libpam-oath on my ssh server.

Continue reading
Asterisk + WebRTC — April 16, 2020

Enable WebRTC so you can use a plain old HTML5 browser to make calls.

I had already configured Asterisk’s http server to use my Let’s Encrypt certificates. This was pretty much redundant for http usage as I always put systems behind an Nginx reverse proxy where I can.

http.conf

[general]
servername=pbx.domain.tld
enabled=yes
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes            ; enable tls - default no.
tlsbindaddr=0.0.0.0:8089 ; address and port to bind to - default is bindaddr and port 8089.
tlscertfile=/etc/asterisk/keys/fullchain1.pem ; path to the certificate file (*.pem) only.
tlsprivatekey=/etc/asterisk/keys/privkey1.pem ; path to private key file (*.pem) only.

/etc/nginx/conf.d/asterisk.conf

Snippets added into the nginx.conf to proxy to the asterisk /ws path.

Note that the upstream points at Asterisk's plain-http port (8088) rather than the TLS port, because TLS is terminated at Nginx.

upstream asterisk {
  server 127.0.0.1:8088;
}
server {
  ...
  location /ws {
    proxy_buffers 8 32k;
    proxy_buffer_size 64k;
    proxy_pass http://asterisk/ws;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 999999999;
  }
}
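Because Nginx only ever talks to Asterisk over the plain-http port on 127.0.0.1, the bindaddr=0.0.0.0 in the http.conf above leaves the unencrypted port reachable from every interface. The following checker is an added example, not code from the original post or from Asterisk: it parses an http.conf in Asterisk's key=value style (the sample text is a constructed copy of the config above) and reports a non-loopback bindaddr behind a reverse proxy, plus TLS enabled without certificate or key paths. Function names are assumptions.

```python
import configparser

# Constructed sample: the http.conf from the post, including its ';' inline comments.
SAMPLE_HTTP_CONF = """
[general]
servername=pbx.domain.tld
enabled=yes
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes            ; enable tls - default no.
tlsbindaddr=0.0.0.0:8089 ; address and port to bind to
tlscertfile=/etc/asterisk/keys/fullchain1.pem ; path to the certificate file
tlsprivatekey=/etc/asterisk/keys/privkey1.pem ; path to private key file
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_http_conf(text):
    """Parse the [general] section of an Asterisk http.conf into a dict.
    Asterisk uses ';' for comments, so configparser is told to strip them."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, inline_comment_prefixes=(";",)
    )
    cp.read_string(text)
    if not cp.has_section("general"):
        return {}
    return {key: value.strip() for key, value in cp["general"].items()}


def check_http_conf(text, behind_reverse_proxy=True):
    """Hypothetical lint: return a list of findings for the given http.conf text."""
    g = parse_http_conf(text)
    findings = []
    if g.get("enabled", "no") != "yes":
        return findings  # built-in http server is off, nothing listens
    if g.get("tlsenable", "no") == "yes":
        for key in ("tlscertfile", "tlsprivatekey"):
            if not g.get(key):
                findings.append(f"tlsenable=yes but {key} is not set")
    # The plain-http (and ws://) listener should only be reachable from
    # loopback when a reverse proxy terminates TLS in front of Asterisk.
    bindaddr = g.get("bindaddr", "0.0.0.0")
    if behind_reverse_proxy and bindaddr not in LOOPBACK:
        findings.append(
            f"bindaddr={bindaddr} exposes the unencrypted port "
            f"{g.get('bindport', '8088')} beyond loopback; use bindaddr=127.0.0.1"
        )
    return findings
```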

pjsip.conf

[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0

ps_aors

Set the max_contacts to 5

ps_endpoints

Set dtls_auto_generate_cert to yes, webrtc to yes

References

https://wiki.asterisk.org/wiki/display/AST/Configuring+Asterisk+for+WebRTC+Clients

https://wiki.asterisk.org/wiki/display/AST/WebRTC+tutorial+using+SIPML5

https://www.bidon.ca/fr/notes/asterisk-webrtc

Jitsi + Asterisk = Jigasi — April 15, 2020
Asterisk – IAX — April 14, 2020
Asterisk – SIP + TLS — April 13, 2020
Asterisk and PostgreSQL — April 12, 2020

I started out wanting a real-time database connection to our existing LDAP server. This went well, but involved importing a schema into the LDAP cn=config and mapping the data into Asterisk.

It then became apparent that the effort involved in linking Asterisk to LDAP didn't really produce the key result that I was after. My whole reason for linking Asterisk to LDAP was to share our users' authentication credentials with their SIP devices. After I'd deployed it I discovered that Asterisk stores its credentials in different fields and, what's worse, the password can only be plain text or an MD5 hash.

If our users must use a separate credential for logging into a SIP device, then using LDAP is no longer of interest to me. We may as well use a database – enter PostgreSQL.

Continue reading
Wireguard Config Builder — April 10, 2020

Back in the day when OpenVPN ruled the seas, installing it, securing it and authenticating clients with certificates was a process involving plenty of effort. Now with wireguard the setup is a breeze.

Pretty much install wireguard, generate a key pair and start it up!

It sounds too easy, but it is. But let’s cover a few essentials, so you understand what you need to provide to get it working.

Continue reading
Wireguard on a Raspberry Pi — April 9, 2020
iptables – Part 1 — April 7, 2020

My understanding of iptables is rudimentary and I thought it's time to improve on it. I have an understanding of firewalls, NAT and packet filtering, but putting this into iptables always seems hard work.

There are lots of online resources, but nothing seems to be comprehensive enough to cover everything I wanted and writing these posts also acts as a means of driving the material into my own brain. So I thought I’d document it myself in the way that I would typically use it.

Continue reading
Asterisk PBX v17 Docker — March 14, 2020

In light of the possibility of many people needing to work from home the boss wanted to upgrade the phone system to bring in some fixes and new features for home working.

I’ve no experience of Asterisk and I’m not really a phone person, but he asked me to get a replacement system using the latest v17 release. I noticed there are v16 images available, but he was insistent upon v17. That meant building from source.

It's a week of firsts, as up until now I hadn't built a multi-stage Docker image either.

Continue reading
PostgreSQL and Replication — March 8, 2020
Ansible and Client Certificates — March 4, 2020

Now we know how to inject client certificates into Firefox and Chrome it’s time to automate that process with Ansible.

The goal is to take a client and CA certificate and deliver it to the .pki keystore on the client. The actual generation of the certificate happens using easyrsa and is not part of this process. Let's assume you have already generated a series of certificates, converted them to a .pfx (pkcs12) for each client, and just need to deliver them – although I may write up that process later.

Further, let's assume you are naming the certificate files with the same inventory hostname you are going to use in Ansible. This is so we can easily identify which file goes to which host, e.g.

myclient01.pfx for inventory item myclient01.

Continue reading