Saturday, March 5, 2016

Check script for FreePBX-Asterisk realtime and CDR for suspicious calls (Nagios compatible)


Image source: http://www.chanakyadetective.com/software-investigation.html

Here's a simple script we wrote to check real-time calls and the last n minutes of CDR history for suspicious activity, based on a number pattern and length. We find it extremely useful when servers are exposed to the public, whether to check against hack attempts and abuse or to "catch" and report calls to matching numbers. The current action sends an email; of course, you can build more functions as you please and run them at each EXIT code in the script, the way the script already does for sending email. The email function needs the local mailer program, called mail, to already be able to send email from the CLI; otherwise the script may just print its output to the CLI.

This script has been tested on Debian, FreePBX 2.11 and Asterisk 11. It should work on most regular platforms and distros as well. I've tested it with Nagios Core, Nagios XI, Icinga and Icinga 2.0.

This script basically does the following:

  • It's all bash, so it should be compatible with many systems
  • It checks the CDR for the past n minutes of records, with n also set by a flag
  • It checks the current Asterisk channels for external numbers only
  • It combines both results into a "total" value that is evaluated against the given parameters
  • It filters on the dst column of your CDR to match what you specify at execution time (the parameters); these can be prefixes or whole numbers, and you can check as many patterns as you want in a single run.
  • You can set the flag to check the prefix together with a digit count that is equal or greater, so that you won't catch local calls; international calls normally have a higher number of dialled digits, i.e. > 10
  • To check automatically, or almost in real time, you can use cron on your server locally. It can also work with Nagios, but this guide does not cover configuring it on Nagios; you need to set the flag NAGIOSMODE=YES. If you set Nagios mode, the script will not send email on its own; instead your Nagios server decides what to do according to how you've configured it.
  • Be sure to change NAGIOSMODE, SYSADMINEMAIL, EMAILSUBJECT, USER, PASS and, if needed, the DB port, DB database name, DB table name and DB server, as well as the location of your binaries (find them by typing whereis asterisk, whereis mysql and whereis curl)
  • In some distros (the FreePBX distro) MySQL has no password (yeah, I know!); in that case, leaving PASS="" will suffice.

Setup:

  • cd /usr/local/bin/
  • wget http://www.orencloud.com/public/checkintl.sh
  • Modify the parameters as described below and/or in the script
  • Make the script executable and test it: chmod +x /usr/local/bin/checkintl.sh, then /usr/local/bin/checkintl.sh --help
  • You can run it like the example below and/or set it up as a cronjob if you wish to automate checking (crontab -e), e.g. */15 * * * * /usr/local/bin/checkintl.sh -w 3 -c 10 -i 60 -p 00:6,900:6
  • When adding complex scripts that call many functions, be sure to test your cron output. An easy way to see the output of a cronjob in syslog (/var/log/syslog) is to append 2>&1 | /usr/bin/logger -i -t ASTIOSALERTS to the command, like this:
    • */15 * * * * /usr/local/bin/checkintl.sh -w 3 -c 10 -i 60 -p 00:6,900:6 2>&1 | /usr/bin/logger -i -t ASTIOSALERTS
  • Then tailf your syslog to see the output; it should not throw errors but should show you the output.
  • The cronjob above runs the check every 15 minutes over the last 60 minutes of records at the bottom of the CDR table, and warns at 3 and goes critical at 10, for pattern 00 with a length of 6 or more digits and pattern 900 with a length of 6 or more digits
  • Always test manually. You can run it by hand and try to invoke the trigger by making n calls; you should get an email alert at the address you specified
  • This script requires a MySQL CDR for Asterisk (therefore making it perfect for use with FreePBX out of the box)
  • Set the following before running the script
      • Be sure to set the following inside the script (edit it)

        NAGIOSMODE="NO"
        SYSADMINEMAIL=SOMEONE@SOMEWHERE.COM,SOMEONE2@SOMEWHERE2.COM
        EMAILSUBJECT="HOST $MYHOST INTERNATIONAL CALLS ALERT"
        user="DBUSERNAME"
        pass="DBPASSWORD"

        MYCURL=/usr/bin/curl
        MYSQLBIN=/usr/bin/mysql
        MYAST=/usr/sbin/asterisk

      • If using Nagios, just set the flag NAGIOSMODE=YES

    Run examples:

    /usr/local/bin/checkintl.sh -w 3 -c 10 -i 60 -p 00:6,900:6

    In the above example, it will:

    -w 3: Warn when the combined count of CDR and running-channel matches for the defined patterns is equal to or greater than 3

    -c 10: Throw a critical alert when the combined count of CDR and running-channel matches for the defined patterns is equal to or greater than 10

    -i 60: Check the CDR for the last 60 minutes (note: the server time needs to be accurate for this to work properly)

    -p 00:6,900:6: Check for patterns 00 and 900 in the dst field. If one matches, require a length of at least 6 digits, in both cases in this example
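    To make the -p/-w/-c logic concrete, here is an added example that is not the original checkintl.sh: it parses a pattern spec like 00:6,900:6, counts dst values that start with a prefix and carry at least that many digits, adds the CDR and live-channel counts together and maps the total to a Nagios exit code. The dst lists are constructed sample data standing in for the CDR query and the channel listing; the function names are ours.

```shell
#!/bin/sh
# Added example (not the original checkintl.sh). Sample data is constructed:
# in the real script SAMPLE_CDR_DST comes from the CDR table's dst column for
# the last -i minutes and SAMPLE_LIVE_DST from the active Asterisk channels.
SAMPLE_CDR_DST='0033123456789
900123456
9001
1234
00441abc
0041223344556'
SAMPLE_LIVE_DST='0044123456789
SIP/201'

# count_matches "prefix:minlen,prefix:minlen,..." reads one dst per line on
# stdin and prints how many start with a prefix AND have at least minlen digits.
# Non-digit characters are ignored for the length check, so "00441abc" is 5
# digits and does not satisfy 00:6 (this is the "local call" filter).
count_matches() {
  spec=$1; n=0
  while IFS= read -r dst; do
    digits=$(printf '%s' "$dst" | tr -cd '0-9')
    [ -n "$digits" ] || continue
    oldifs=$IFS; IFS=','; set -- $spec; IFS=$oldifs
    for p in "$@"; do
      prefix=${p%%:*}; minlen=${p#*:}
      case "$digits" in
        "$prefix"*) if [ "${#digits}" -ge "$minlen" ]; then n=$((n+1)); break; fi ;;
      esac
    done
  done
  echo "$n"
}

# nagios_state TOTAL WARN CRIT prints a Nagios status line and returns the
# matching exit code (0 OK, 1 WARNING, 2 CRITICAL); thresholds are ">=".
nagios_state() {
  total=$1; warn=$2; crit=$3
  if [ "$total" -ge "$crit" ]; then echo "CRITICAL - $total suspicious calls"; return 2
  elif [ "$total" -ge "$warn" ]; then echo "WARNING - $total suspicious calls"; return 1
  else echo "OK - $total suspicious calls"; return 0; fi
}

# run_check SPEC WARN CRIT: CDR matches + live matches, then the threshold test.
run_check() {
  cdr=$(printf '%s\n' "$SAMPLE_CDR_DST" | count_matches "$1")
  live=$(printf '%s\n' "$SAMPLE_LIVE_DST" | count_matches "$1")
  nagios_state $((cdr + live)) "$2" "$3"
}

run_check "00:6,900:6" 3 10 && rc=0 || rc=$?   # 3 CDR + 1 live = 4 -> WARNING
echo "exit code: $rc"
```

    With the sample data this reports WARNING (exit 1) for -w 3 -c 10; raising the minimum length to 10 drops 900123456 and the same thresholds report OK.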

    Sample outputs

    [image: CLI output with no matching calls / threshold not hit]

    [image: CLI output with a warning, which sends an email when NAGIOSMODE=NO; a critical result sends email the same way]

    [image: CLI output in Nagios mode]

    [image: the same check as it appears in Nagios]

    [image: the alert email]

    As usual, do give us feedback if you find bugs and/or have improvements or suggestions. Do give it a try, and please comment on your findings if you found something helpful for others to note. Thanks and happy weekend.