
voip-info.org

Asterisk config manager.conf

Created by: oej. Last modification on Wed 04 of Feb, 2009 [21:38 UTC] by Steltek
Configuration of the Asterisk manager API

Note that activating the manager API opens a TCP port, so make sure you know what you are doing. It may be enough to activate it only on the local loopback interface, 127.0.0.1. Communication can also be secured with SSL/HTTPS by using AstManProxy, and there is AMI SSL/TLS support in Asterisk 1.6.

New: Asterisk 1.4 introduces AMI-over-http as an alternative approach, using the internal Asterisk http server (see AJAM).

Note: "portno" has changed to "port" (at least as of Asterisk 1.2.4), so if one doesn't work, try the other. Simply reloading Asterisk will not enable the manager; you must shut down Asterisk and restart it. To test, just telnet to port 5038 on the Asterisk box. If bindaddr = 0.0.0.0, the manager will bind to ALL IPs on the server.

Example


 ;
 ; Asterisk Call Management support
 ;
 [general]
 enabled = yes
 port = 5038
 ; 0.0.0.0 binds the manager to all IPs on the server;
 ; use 127.0.0.1 to listen on the loopback interface only
 bindaddr = 0.0.0.0
 webenabled = no

 ; Each user has a section labeled with the username
 ; so this is the section for the user named "mark"
 [mark]
 secret = mysecret
 ; deny first, then the explicit permits
 deny=0.0.0.0/0.0.0.0
 permit=209.16.236.73/255.255.255.0
 permit=127.0.0.1/255.255.255.0
 ; privilege groups granted to this user
 read = system,call,log,verbose,command,agent,user
 write = system,call,log,verbose,command,agent,user



Security tips

  • No encryption is used; even the password is sent in plaintext. (Note: you can use MD5 challenge-and-reply as a slightly safer means of transmitting the password; Asterisk 1.4 will come with SSL encryption.)
  • Don't enable it on a public IP.
  • Use http://www.stunnel.org/ or an SSH tunnel.
  • Be careful with management programs that have a direct interface to the manager.
  • Limit the privileges per user (especially the system!)
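
The tips above can be checked mechanically. The following is an added example (not part of the original page or of Asterisk): a small Python audit that flags a bindaddr of 0.0.0.0, permit entries that are overridden by a later deny, and write access to the system and command groups. The ACL model (every entry is checked, the last match decides, no match allows) is an assumption based on the comment about ACL order further down this page, and SAMPLE is constructed from the page's example.

```python
import ipaddress

# Constructed input: the page's example user with deny moved below the permits.
SAMPLE = """\
[general]
enabled = yes
bindaddr = 0.0.0.0
[mark]
secret = mysecret
permit=209.16.236.73/255.255.255.0
permit=127.0.0.1/255.255.255.0
deny=0.0.0.0/0.0.0.0
write = system,call,command
"""

def parse(text):
    """Return {section: [(key, value), ...]}; order is kept because ACL order matters."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.append((key.lower(), value))
    return sections

def acl_allows(entries, addr):
    """Assumed model: every permit/deny is checked and the last match decides."""
    ip, allowed = ipaddress.ip_address(addr), True   # assumed: no match = allow
    for key, value in entries:
        if key in ("permit", "deny") and ip in ipaddress.ip_network(value, strict=False):
            allowed = key == "permit"
    return allowed

def audit(text):
    """Return findings for the risks named in the security tips."""
    conf, findings = parse(text), []
    if dict(conf.pop("general", [])).get("bindaddr") == "0.0.0.0":
        findings.append("general: bindaddr 0.0.0.0 binds to all IPs")
    for user, entries in conf.items():
        for key, value in entries:
            if key == "permit" and not acl_allows(entries, value.split("/")[0]):
                findings.append(f"{user}: permit={value} is overridden by a later deny")
        write = {p.strip() for k, v in entries if k == "write" for p in v.split(",")}
        risky = sorted(write & {"system", "command"})
        if risky:
            findings.append(f"{user}: write includes {', '.join(risky)}")
    return findings

print("\n".join(audit(SAMPLE)))
```

With the deny line placed first, as in the page's example, the two "overridden" findings disappear and only the bindaddr and write-privilege findings remain.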


Questions

Anyone able to explain the exact meaning of each of these entries?

 system,call,log,verbose,command,agent,user

Answer

All manager API commands registered by various Asterisk modules have a privilege group associated with them. In order for a manager API user to be able to issue a command, the user has to have read or write privilege for the appropriate group. Following is a list of commands grouped by privilege group as of Asterisk 1.2.7.1:

system: DBGet, DBPut, SIPpeers, SIPshowpeer
call: Hangup, Status, Setvar, Getvar, Redirect, Originate, ExtensionState, AbsoluteTimeout, MailboxStatus, MailboxCount, SetCDRUserField, Monitor, StopMonitor, ChangeMonitor
log: * couldn't find any *
verbose: * couldn't find any *
command: Command
agent: Agents, AgentLogoff, AgentCallbackLogin, QueueAdd, QueueRemove, QueuePause
user: * couldn't find any *
None (commands that can be issued without explicit privileges associated): Ping, Events, Logoff, ListCommands, ZapTransfer, ZapHangup, ZapDialOffhook, ZapDNDon, ZapDNDoff, ZapShowChannels, IAXpeers, IAXnetstat, Queues, QueueStat, ParkedCalls


Comments


Re: Can not get around Authentication error with simple telnet

by umitiri, Monday 19 of May, 2008 [20:54:58 UTC]
Hi,
I am having trouble connecting to a non-local Asterisk server with my SIP phone. My Asterisk server is not local, and I'm getting this error:
failed for  78.99.00.00 ACL error (permit/deny)

How can I fix it? How can I set up my Asterisk server to use non-local IP phones?

Please help me
umit

Manager password keeps resetting to the default.

by drbeaker, Wednesday 04 of July, 2007 [12:47:34 UTC]
Whenever there is an update to FreePBX the manager password seems to get reset back to the default. Why? How do I stop that happening?

any additional port

by moahmed, Thursday 17 of August, 2006 [00:01:46 UTC]
Hello,

I've gastman installed on Windows and Asterisk running on Debian... Error " connection failed - 172.25.25.3 10061". I'm not sure what 10061 is (maybe port). I've allowed in iptables as well as port 5038. Are there any additional ports?

--
mo
secret = whateverxxxx
deny=0.0.0.0/0.0.0.0
permit=172.25.25.1/255.255.255.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user


thanks,
Mohamed

Re: Can not get around Authentication error with simple telnet

by viperdude, Saturday 22 of October, 2005 [16:28:33 UTC]
Please note that when the manager looks up the ACL to see what IPs can connect, it will always use the last matching entry. Therefore, if you have deny=0.0.0.0/0.0.0.0 after any explicit permits, it will always deny. Put the deny at the top of the list and then list explicit permits below.



Can not get around Authentication error with simple telnet

by pkellner, Friday 18 of March, 2005 [20:27:33 UTC]
My manager.conf file is very simple. (see below). When I try a simple connect with telnet, I always get the Authentication failure. I'm using the CentOS and have changed my IP and system name. Other than that, very vanilla.

Also, not sure if this is relevant, but if I change my bindaddr to 0.0.0.0 as was suggested in another post, I constantly get the error: "Connect attemp from '127.0.0.1' unable to authenticate" even though I am not trying to telnet in at that point. It just keeps repeating itself.

Thanks for any help on this. (my first post here, so far I've been able to figure out my other issues on my own) (:cry:)

 [general]
 enabled = yes
 port = 5038
 bindaddr = 192.168.1.11

 [tony]
 secret = mypass
 permit=0.0.0.0/255.255.255.255
 deny=0.0.0.0/0.0.0.0
 read = system,call,log,verbose,command,agent,user
 write = system,call,log,verbose,command,agent,user

Can't authenticate

by thezulu, Tuesday 30 of November, 2004 [01:47:38 UTC]
I tried the example config for the manager interface
Then when I tried to login:

telnet 192.168.1.12 5038
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
Asterisk Call Manager/1.0
Action: login
Username: mark
Secret: mysecret

Response: Error
Message: Authentication failed

Connection closed by foreign host.

I can't work out what's going wrong. I'm using Asterisk 1.0

Any Ideas?

d00t

by , Friday 15 of October, 2004 [18:30:16 UTC]
In the manager.conf you see

 [mark]
 secret=

etc etc

mark is the username, change it to whatever you want

And how exactly DO I specify a username?

by , Sunday 26 of September, 2004 [21:08:26 UTC]
Everywhere they say, "oh, set a username in manager.conf", but HOW?
What tag?

That can't be too secret!

Re: I had to permit localhost

by , Tuesday 18 of May, 2004 [20:14:34 UTC]
That was because I used the command "astman localhost"

So, no problem there