Asterisk Server Troubleshooting: Finding and Fixing Bugs & Gremlins in Your PBX

Ashton-Tate of dBASE® fame used to call them anomalies. Sheer arrogance kept them from ever quite admitting there was an actual bug in their software. We don’t claim to be quite so perfect. If you use any software for very long, you’re going to encounter bugs. But not all reported problems turn out to be bugs. Many turn out to be errors generated by users that don’t quite know what they’re doing because they never bothered to RTFM. Whether they’re bugs or self-inflicted wounds, the result is still pretty much the same. The code doesn’t work as advertised.

As part of our Back to School series, today we’re going to introduce you to a methodology to keep your Asterisk® server running smoothly… warts and all. That process begins by your clicking the Getting Started Guide at the top of the Nerd Vittles page, identifying your particular platform, and reading the applicable tutorial from front to back. About nine times out of ten, that will tell you whether you’ve encountered a bug or just a feature that you haven’t quite mastered.

Unlike the other Asterisk aggregations, Incredible PBX™ includes an Automatic Update Utility. It gets run whenever you log into your server as root and is there primarily to address security issues. Depending upon the severity of the bug, we address some non-security related bugs as well. The problem from our perspective is that we’re dealing with a moving target with almost a dozen different versions and platforms. On each of those platforms, there are literally hundreds of software applications that are maintained and “improved” by various developers around the world. Sometimes things break. The other fact of life is there are only so many hours in the day and about 95% of all users of open source software never contribute a dime toward any open source project. Translation: We depend upon volunteers rather than paid staff to report and fix our bugs and those of other projects upon which we depend.

We’re happy to provide the latest software with the latest bug fixes at no cost. The rest is pretty much up to you. If the bugs in your current version become intolerable, then install a newer release and chances are that most of the problems will have been resolved. Yes, you will have to manually reconfigure your extensions and trunks and routes, but everything else will pretty much be the same. That’s the only real cost of using free software.

We want to identify the most common reported problems with Incredible PBX today and show you how to fix some of these issues yourself. After all, this is supposed to be a learning experience. And learning to fix things for yourself or at least knowing where to turn to get the answers is the best thing you can do to assure you have a stable platform for years to come. There are two terrific sources of information to keep your system current and stable. The first is the RSS Feeds for Asterisk, FreePBX®, and PBX in a Flash/Incredible PBX. The second is the Forums for these three platforms: Asterisk, FreePBX, and PBX in a Flash/Incredible PBX, especially the Bug Thread. If you’re going to use open source software, then you owe it to yourself and your server to check all of these sources at least once a week and address any new issues that have been identified. The downside of not heeding this advice is you are exposing your server to potential attacks that may compromise not only your server but the servers of others as well once your system has been transmogrified into a Zombie.

Top 10 List of Problems Encountered by New Asterisk Users

1. Login Failures: Linux CLI, Incredible PBX GUI, Web Apps, AvantFax, WebMin

There are four different passwords that cause problems for new users. On the Incredible PBX platform, these get set in different ways. The confusion typically arises when the user attempts to access a server resource and a password prompt appears. Fixing the problem depends upon which password is being requested. Be advised that more than two attempts to guess a password may get you locked out of your server for several hours because of Fail2Ban. Then you have two problems to contend with rather than one.

Linux CLI Root Password. Regardless of the Linux platform, the root password gets set when you install the operating system. If you can’t log in as root from the server console, chances are pretty good that you’ve forgotten the password or typed it incorrectly. Fixing this problem is major surgery and often you will be better served by reinstalling your server. If you’d prefer to reset the password, then follow the steps in this Linux Gazette article. While it doesn’t apply to Incredible PBX builds, you may encounter a failed root login using SSH or Putty if the server has been configured to deny root SSH access or to require an SSH key to log in. This can be remedied by logging in from the console and reconfiguring the login parameters for either the CentOS/Scientific Linux or Ubuntu/Debian/Raspbian OS.

Incredible PBX GUI’s admin Password. If you’re using a browser to access the Incredible PBX GUI and you’ve chosen the GUI Administration option from the Incredible GUI Main Menu (shown immediately above), then you arrived at a screen that looks something like what’s shown above. Clicking on Incredible PBX Administration will generate a prompt requesting your username and password. There can be any number of account names to access various Incredible PBX GUI resources, but there will always be an admin account. Reset this password by logging into your server as root and running the script: /root/admin-pw-change

If you’ve gotten fancy and added a password to the Incredible PBX Main Menu (shown at the top of this Top 10 List) using Admin -> Menu Configuration, then it won’t be too long until you forget what it was. You’ll need it to get back into the Admin options on the Main Menu. To retrieve the password, display the contents of the following file and look at the entry between the first two commas:

Incredible PBX User Control Panel Access. Also shown above is an icon to access the User Control Panel (UCP). This typically is used to allow end-users to manage one or more extensions on your PBX. Account names and passwords for UCP access are created in the Incredible PBX GUI by choosing: Admin -> User Management -> Add New User

Incredible PBX Web Application Access. From the Incredible PBX Main Menu and/or from the Maintenance tab in Incredible PBX GUI, users and administrators can gain access to a number of Incredible PBX web applications including AsteriDex, Telephone Reminders, phpMyAdmin, AvantFax, and others. All of these web applications require Apache login credentials consisting of a username and password. In the case of AvantFax, you will also need an AvantFax username and password that is requested after your Apache credentials have been provided. All of these applications can be accessed using the admin Apache account. To set the admin password: htpasswd -b /etc/pbx/wwwpasswd admin newpassword
Separate end-user accounts also can be created for applications such as AsteriDex and Telephone Reminders. To set up each of these accounts, use the following syntax: htpasswd -b /etc/pbx/wwwpasswd acctname acctpassword
The admin account and password are required to access phpMyAdmin and other administrator applications.

AvantFax Web Admin Access. As noted above, you first must enter any valid Apache web credentials to access AvantFax from the Incredible PBX Main Menu or from the AvantFax tab within the Incredible PBX GUI. After successfully entering your web credentials, you will be prompted for an AvantFax username and password. The admin user account for AvantFax can be set by logging into your server as root and issuing the command: /root/avantfax-pw-change

Once you gain admin access to AvantFax, you can create additional user accounts and passwords by clicking the Dashboard icon shown above and choosing: Menu -> New User

WebMin GUI Access. WebMin is a tool for use by skilled Linux administrators only. You can seriously and irreparably damage your PBX by making changes within WebMin. You’ve been warned. To access WebMin on Incredible PBX servers, click on the icon in the Main Administrator Menu. Or you can access WebMin using https://ServerIPaddress:9001. The username must be root, and the password is your Linux root password.

2. Emails/Voicemails Don’t Get Sent/Delivered

Identifying the Problem. 99% of the problems with delivery of emails with voicemail attachments from your server have little to do with your server. They are the result of one of two things. Either your email client has placed the incoming email messages in its SPAM or JUNK folder, or your Internet Service Provider (ISP) is blocking downstream SMTP mail servers from sending email. The ISPs claim this is a security precaution to reduce SPAM generated from compromised servers.

Testing Email Delivery. Try this: echo "test" | mail -s testmessage yourname@emailserver.com

Fixing the SPAM problem. If you find the test email message in your SPAM or JUNK folder, there are two ways to go about fixing the problem. The simplest is to mark the sending email address (whatever it happens to be in the email message) as NOT SPAM in your email client. For Gmail, simply create a filter for the email sender and specify “Never send it to SPAM” and “Mark it important.” The alternative is to assign a Fully-Qualified Domain Name (FQDN) to your server. This could be done using a Dynamic DNS Server such as dyndns.org. Once you’ve set up your FQDN, this thread on the PIAF Forum will walk you through assignment of the FQDN to your server.

Fixing ISP Blocking of Downstream SMTP Traffic. If your ISP happens to be one of those that blocks emails from downstream SMTP servers (e.g. Comcast), you will first need the FQDN of your ISP’s SMTP gateway. We will reconfigure SendMail to use your ISP’s mail gateway as the SmartHost for your server and send emails out using their SMTP gateway instead of yours. This usually means they will tack on some hidden information to the email messages so that they can identify the sender if a SPAM problem is reported. Once you have the name of your ISP’s SMTP gateway, log in as root and edit /etc/mail/sendmail.cf. Search for DS and append your ISP’s SMTP FQDN with no space, e.g. DSsmtp.comcast.net
Save the file and restart SendMail: service sendmail restart.

3. Asterisk Won’t Start/Restart

Identifying the Problem. This part is easy. Restart Asterisk and see what happens: amportal restart

The Fix. This part isn’t. Keep in mind that, on FreePBX-enabled Asterisk servers, FreePBX actually starts up Asterisk as part of its initialization process. Unfortunately, the error messages are cryptic. The causes can be just as obscure. If you’ve recently made changes to an Asterisk config file in /etc/asterisk, start there. The next thing to test is whether MySQL is functioning properly. Without MySQL, FreePBX won’t start. Here’s the simple test: /etc/init.d/mysqld restart

If MySQL fails to start, have you changed your passwords for MySQL? If so, change the root password back to passw0rd. Then test access from the Linux CLI: mysql -u root -ppassw0rd. Next, find your asteriskuser password in /etc/freepbx.conf. Now test MySQL access again using the password you deciphered: mysql -u asteriskuser -p

The other critical piece for a successful startup is PHP. If it isn’t functioning properly, Asterisk with FreePBX won’t start. From the Linux CLI, issue this command and look for errors: echo "< ?php phpinfo(); ?>" | php

If all else fails, Google is your friend.

4. IPtables Firewall Testing

There’s one component of Incredible PBX that separates the men from the boys. That’s a secure and functioning firewall with a WhiteList of those authorized any type of access to your server. Obviously, if it’s not functioning, you’re not secure. Running the status command from the Linux CLI should tell you whether IPtables is working properly. To be doubly sure, issue the following command: iptables -nL. If the result looks like this, you’re missing the IPtables config file and need to head to the PIAF Forum for some help:

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Next, issue the restart command and fix any reported errors: iptables-restart

Finally, there’s one more configuration setting that should be checked. Because the Travelin’ Man 3 WhiteList feature allows you to enter either IP addresses or FQDNs, we need to be sure IPtables is started up after DNS services are enabled on your server, or IPtables startup will fail. By default on many servers, IPtables startup occurs first. That means a manual configuration change is required to be sure IPtables startup is successful. Issue the following command to display the custom startup for your CentOS server: cat /etc/rc.d/rc.local. On Ubuntu/Debian/Raspbian platforms, issue the command: cat /etc/rc.local. The results should include: /usr/local/sbin/iptables-restart. If not, add it before exit 0.

5. Fail2Ban Log Scanner Testing

Fail2Ban is a log scanner that searches for certain text strings which indicate failed attempts to access your server. It is NOT failsafe because these text strings change from time to time and because your server must have sufficient horsepower to scan complete logs before the bad guys find a hole in your security. That often is difficult if the bad guys are using high-powered servers such as Amazon EC2. Nevertheless, it’s another layer of security that is worth having, and we need to make sure it’s functioning properly. Whenever IPtables is restarted, Fail2Ban needs to be restarted. This should be handled in the iptables-restart script. To be sure, issue the following command: grep fail2ban /usr/local/sbin/iptables-restart. It should return the following result: service fail2ban restart. If not, add it to the script by issuing the following command after logging into your server as root:

echo "service fail2ban restart" >> /usr/local/sbin/iptables-restart

To verify that Fail2Ban is functioning, issue the command: iptables -nL

The final lines of the listing should look something like this:

Chain fail2ban-ASTERISK (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-BadBots (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

Chain fail2ban-asterisk-udp (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0

6. HylaFax/AvantFax in Limbo.

For those using Incredible Fax, there are two main problems: not being able to log in to AvantFax and the dreaded “IAXmodem please wait” message once you get there. On the CentOS platform, the most important fix is making sure you’re using the latest Incredible Fax install script. If you’ve already encountered the problem on CentOS servers, just download the new script, tar zxvf incrediblefax11-centos*, and run the installer again. We know: you’re not supposed to. If that doesn’t address your problem and you’ve already reset your admin password as documented in section 1, see this PIAF Forum thread for some helpful hints.

7. Asterisk Server Log Rotation

Identifying the Problem. Some Incredible PBX servers were missing the script required to rotate the Asterisk logs which means your /var/log/asterisk/full file continues to grow. To test whether your server is missing the log rotator, run this command: if [ ! -f /etc/logrotate.d/asterisk ]; then echo "Missing"; fi

The Fix. If the test above reports Missing, then issue the following commands as root to fix the problem:
cd /etc/logrotate.d
wget http://incrediblepbx.com/asterisk-logrotate.tar.gz
tar zxvf asterisk-logrotate*
rm -f asterisk-logrotate*

8. Detecting Trunk Failures

One of our most requested utilities is a script to notify administrators when a trunk goes off-line. Just issue the following commands to install it. Then edit /root/trunkcheck.sh and insert your email address. Works for SIP, IAX, and GV trunks.
cd /root
wget http://incrediblepbx.com/trunkcheck.tar.gz
tar zxvf trunkcheck.tar.gz
rm -f trunkcheck.tar.gz
echo "5 * * * * root /root/trunkcheck.sh > /dev/null 2>&1" >> /etc/crontab
nano -w /root/trunkcheck.sh

9. Detecting Whether Asterisk Is Running As Root

Don’t ask us why but on some servers Asterisk ends up running as the root user rather than the asterisk user. Given the current design of FreePBX which assigns almost all privileges to the asterisk user anyway, it’s more an academic problem than a real one. If an intruder gains asterisk user access to your server, your system is toast whether the intruder has root privileges or not.

Identifying the Problem. To test whether the main Asterisk program is running as root, just issue the following command: ps aux | grep sbin/asterisk. If the first column of the first entry in the list shows root, then apply the fix.

The Fix. Issue the following commands to reset the Asterisk application to run as the asterisk user:
amportal kill
chown -R asterisk:asterisk /var/run/asterisk
sed -i '/END INIT INFO/a AST_USER="asterisk"\nAST_GROUP="asterisk"' /etc/init.d/asterisk
amportal restart

10. Inability to Activate Repository Tabs in Module Admin

Identifying the Problem. Some users have reported a problem activating the various repository tabs within the GUI’s Module Admin component.

The Fix. Issue the following commands from the Linux CLI to correct the problem:

amportal a ma uninstall digium_phones
gui-fix

Special thanks to Lorne Gaetz and Andrew Nagy for the fix.

Originally published: Wednesday, September 2, 2015



Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Why Reinvent the Wheel: Incredible PBX GUI Application User’s Guide

We’ve spent the last two months introducing a half dozen new flavors of Incredible PBX™ featuring the new GPL-compliant Incredible PBX GUI. We hope you’re enjoying the new builds. But it’s Back-to-School Time in the United States so today we’re shifting gears and providing a refresher course on the three dozen or so applications for Asterisk® that accompany every Incredible PBX install.

For those just beginning your Incredible PBX adventure, start here and choose your favorite platform. There are plenty of choices featuring Asterisk 11 or 13, FreePBX® GPL-compatible modules for versions 2.11 and 12, plus your favorite operating system: CentOS 6.7 and 7.0, Ubuntu 14, and Raspbian for the Raspberry Pi 2. There’s even an installer for the AsteriskNOW and FreePBX Distro proprietary platforms.

Once your system is up and running, you’ll be ready to kick the tires and discover all of the hidden goodies that await. Today we’ll cover all of the applications for Asterisk® that are included in the new Incredible PBX GUI platforms. After reading this tutorial, if you have specific questions, by all means post them on the PIAF Forum for some quick and friendly help.

Table of Contents to the Incredible PBX Applications

  1. Checking System Status
  2. Enabling Speech Recognition
  3. Wolfram Alpha for Siri-like queries by phone*
  4. Automatic Update Utility
  5. Asterisk Upgrade Utility
  6. Apache Authentication for Apps
  7. IPtables Firewall WhiteList
  8. PortKnocker Remote Access
  9. Travelin’ Man 4 Remote Access by Phone
  10. Conference Bridge
  11. CallerID Name (CNAM) Lookups
  12. Faxing with Incredible PBX
  13. Voicemail 101 with Incredible PBX
  14. Email Delivery of MP3 Voicemails
  15. Reconfiguring SendMail for SmartHosts
  16. SMS Blasting with Google Voice
  17. SMS Voice Messaging with Google Voice*
  18. SMS Messaging with VoIP.ms
  19. SIP URI Calling with Speed Dials
  20. IVR Demo of Incredible PBX Applications*
  21. Backup and Restore Options
  22. AsteriDex – The Poor Man’s Rolodex®
  23. Voice Dialing with AsteriDex*
  24. Speed Dialing with AsteriDex
  25. Scheduling Reminders by Phone or Web
  26. DISA Access with Incredible PBX
  27. Yahoo! News Headlines
  28. Weather Forecasts with Incredible PBX*
  29. ODBC Application Support
  30. Today in History
  31. Time of Day
  32. WebMin: The Linux Swiss Army Knife
  33. phpMyAdmin: The MySQL Swiss Army Knife
  34. SIP Gateways for Secure (and Free) Google Voice Calling
  35. User Control Panel for Extension Management

* Requires Voice Recognition implementation. See #2 above.

1. Checking Current Status of Incredible PBX

There are several ways to check the status of your server. First, log into your server as root and type: status

The second option is to use a browser to access your server. Choose the Admin menu. Then click Incredible PBX Administration. Log in as admin with the password you set in the Linux CLI: /root/admin-pw-change. Once you log in with your Incredible GUI admin password, the System Status menu will be displayed.

Once you roam through the GUI options, you can redisplay the System Status screen by clicking Reports -> System Status.

2. Adding Speech Recognition to Incredible PBX

Google changed the licensing of their speech recognition engine last year and now restricts use to “personal and development use.” Assuming you qualify, the very first order of business is to enable speech recognition for your new PBX. Once enabled, the Incredible PBX feature set grows exponentially. You’ll have access to the Voice Dialer for AsteriDex, Worldwide Weather Reports where you can say the name of a city and state or province to get a weather forecast for almost anywhere, Wolfram Alpha for a Siri-like encyclopedia for your PBX, and Lefteris Zafiris’ speech recognition software to build additional Asterisk apps limited only by your imagination.

Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

1. Using an existing Google/Gmail account, you first must join the Chrome-Dev Group.

2. Using the same account, create a new Speech Recognition Project.

3. Click on your newly created project and choose APIs & auth.

4. Turn ON the Speech API by clicking on its Status button in the far right margin. HINT: If you forgot to complete Step #1, the Speech API option will be missing!

5. Click on Credentials in APIs & auth and choose Create New Key -> Server key. Leave the IP address restriction blank!

6. Write down your new API key or copy it to the clipboard.

7. Log into your server as root and issue the following command:

nano -w /var/lib/asterisk/agi-bin/speech-recog.agi

8. When the nano editor opens, go to line 70 or so of speech-recog.agi: my $key = "". Insert your API key from Step #6 above between the quotation marks and save the file: Ctrl-X, Y, then Enter.

Congratulations! Speech recognition is now available with Incredible PBX applications.

3. Using Wolfram Alpha with Incredible PBX

Ever wished your Asterisk server could harness the power of a 10,000 CPU Supercomputer to answer virtually any question you can dream up about the world we live in? Well, so long as it’s for non-commercial use, today’s your lucky day. Apple demonstrated with Siri™ just how amazing this technology can be by coupling Wolfram Alpha® to a speech-to-text engine on the iPhone. Now you can do much the same thing using voice recognition with Incredible PBX.

Before using Wolfram Alpha from any phone connected to your PBX, you first must configure it by obtaining and adding a Wolfram Alpha application ID to Incredible PBX. Here are the simple steps:

1. Obtain your free Wolfram Alpha APP-ID here.

2. Log into your server as root and issue the following command:

nano -w /var/lib/asterisk/agi-bin/4747

3. When the nano editor opens, the top line of the file will look like this:

APPID="Your-Wolfram-Alpha-App-ID-Goes-Here"

4. Replace the text between the quotes with your APP_ID key from Step #1 above. Then save the file: Ctrl-X, Y, then Enter.

To use Wolfram Alpha, dial 4747 (that’s S-I-R-I backwards) from any extension.

Here are some sample queries to get you started:

Weather in Charleston South Carolina
Weather forecast for Washington D.C.
Next solar eclipse
Otis Redding
Define politician
Who won the 1969 Superbowl? (Broadway Joe)
What planes are overhead? (flying over your server’s location)
Ham and cheese sandwich (nutritional information)
Holidays 2015 (summary of all holidays for 2015 with dates and DOW)
Medical University of South Carolina (history of MUSC)
Star Trek (show history, air dates, number of episodes, and more)
Apollo 11 (everything you ever wanted to know)
Cheapest Toaster (brand and price)
Battle of Gettysburg (sad day :-) )
Daylight Savings Time 2015 (date ranges and how to set your clocks)
Tablets by Samsung (pricing, models, and specs)
Doughnut (you don’t wanna know)
Snickers bar (ditto)
Weather (local weather at your server’s location)

4. Automatic Update Utility for Incredible PBX

A key security component of Incredible PBX is its Automatic Update Utility. Each time you log into your server as root, the Automatic Update Utility is run. It installs the latest fixes and security patches for your server. Don’t disable it! In fact, don’t delete anything from the /root folder. You’ll need all of it sooner or later.

We recommend you log into your server as root at least once a week to keep your server current. Ditto for the web interface to Incredible PBX. Insofar as security is concerned, we make a best effort to keep the components of Incredible PBX up to date. The Linux operating system was installed by you before the Incredible PBX install began. That’s a nice way of saying Linux security is primarily your responsibility. When an egregious Linux vulnerability comes along that we know about, we will try to notify you of the issue on the PIAF Forum and on the RSS Feed that is part of the Incredible PBX Main Menu shown at the top of this article. Check the RSS Feed with a browser at least once a week. As a condition of use of the free Incredible PBX, you accepted ultimate responsibility for the security and reliability of your server. None of this discussion changes any of that.

5. Asterisk Upgrade Utility for Incredible PBX

We’ve developed a script to upgrade Asterisk to the latest version whenever you feel the urge. This brings you current in your existing release, e.g. Asterisk 11 or 13. It does NOT upgrade Asterisk 11 to 13! Before beginning the upgrade, log into your server as root using SSH and maximize the window. Otherwise, Asterisk may not compile properly. Then execute these commands:
cd /root
wget http://incrediblepbx.com/upgrade-asterisk-to-current.tar.gz
tar zxvf upgrade-asterisk-to-current.tar.gz
rm -f upgrade-asterisk-to-current.tar.gz
./upgrade-asterisk-to-current

6. Implementing Apache Authentication with Incredible PBX

With the exception of the Incredible GUI and WebMin, all web-based applications included in Incredible PBX require successful authentication with the Apache admin password to gain access. When you installed Incredible PBX, you should have created an Apache admin account. If not, issue the following command using a secure password after logging in as root:

htpasswd -b /etc/pbx/wwwpasswd admin newpassword

With the exception of AsteriDex and Reminders, you gain access to other Incredible PBX applications with the Apache admin account. For the remaining apps, you may wish to (but don’t have to) assign different account names and passwords to various departments in your organization. To set up these accounts, use the syntax above substituting the name of the department for “admin” and the department password for “newpassword.”

7. Managing the IPtables Linux Firewall and WhiteList

As installed, Incredible PBX includes a preconfigured, locked-down Linux firewall that restricts incoming IPv6 traffic to localhost and, via a WhiteList, limits incoming IPv4 traffic to your server’s public and private IP addresses, your desktop computer’s IP address (that was used for the install), private LAN and NeoRouter VPN traffic, and a collection of our favorite SIP providers. You can WhiteList additional IP addresses for additional providers or for SIP and IAX phones located outside your firewall. The following firewall management scripts are mostly installed in the /root directory:

  • ./add-ip — WhiteList an additional IP address or IP address range (CIDR)
  • ./add-fqdn — WhiteList a site using a fully-qualified domain name (FQDN)
  • ./del-acct — Remove previously designated entry from the WhiteList
  • ./ipchecker — Check whether specified FQDNs have changed & update IPtables
  • iptables-restart — Used exclusively to restart IPtables and test for failed FQDNs
  • iptables -nL — Check the current status of your IPtables firewall

IPtables can be manually configured (if you know what you’re doing) by editing iptables and ip6tables in /etc/sysconfig (CentOS) or rules.v4 and rules.v6 in /etc/iptables (Ubuntu/Debian/Raspbian). NEVER use traditional iptables commands such as service iptables save to update your IPtables configuration, or you will permanently delete all of your FQDN entries! Instead, edit the files directly and then restart IPtables using iptables-restart. This protects the FQDN entries in your setup while also checking for invalid FQDN entries and removing them temporarily so that IPtables will successfully restart. If you use service iptables restart to restart IPtables and there happens to be an FQDN entry for a host that is either down or has disappeared, IPtables will fail to restart and your server will be left with NO firewall protection! The reason for this is the IPtables design which converts all FQDN entries to fixed IP addresses when it starts up. It’s also the reason we have to periodically check for changed FQDN entries using the ipchecker script with cron. For this to work properly, you will need to manually add your FQDN setups to the top of /root/ipchecker by inserting the filenames of any add-fqdn entries you have created. For additional details, read our Travelin’ Man 3 tutorial.

8. PortKnocker Remote Access to Incredible PBX

IPtables is a powerful firewall that keeps the bad guys out. It also will keep legitimate users (including you) from gaining remote access to your server unless you had the forethought to WhiteList your remote IP address before you left on that family vacation. Unfortunately, you don’t always know your IP address in advance. And dynamic IP addresses assigned with hotel WiFi frequently change. To address this problem, Incredible PBX includes a preconfigured PortKnocker utility. This lets you send three secret “knocks” on random TCP ports to your server to tell it to let you in temporarily (until IPtables is again restarted or the access window time expires).

For PortKnocker to work, you obviously need to know the secret knocks. You’ll find them in /root/knock.FAQ. Record them in your wallet or inside your suitcase for that rainy day! There are PortKnocker apps for almost all smartphones as well as for Windows, Mac, and Linux computers. Install your favorite AND test access before you leave town.

Finally, be aware that PortKnocker does not need any special access to your server to work; however, if your server is behind a hardware-based firewall, then you must map the three PortKnocker TCP ports to the private IP address of your server, or the knocks obviously will never get delivered to your server.

Review our PortKnocker tutorial for additional configuration tips.

9. Travelin’ Man 4 Remote Access to Incredible PBX (Dial TM4)

In addition to PortKnocker, Incredible PBX also includes a telephone-based solution to temporarily gain remote access to your server. This does require a bit of preplanning since you must create account credentials for the person to whom you wish to give remote access via a phone call. The complete tutorial for Travelin’ Man 4 is available on the PIAF Forum. All of the pieces already are in place on your server so skip down to the Configuration & Operation sections for details on implementation. The tutorial also covers the Administrator Utilities in /root/tm4 which let you set up remote user accounts.

10. Using the Conference Bridge in Incredible PBX (Dial C-O-N-F)


A new turnkey Asterisk Conference Bridge has been added to Incredible PBX. A conference bridge allows a group of people to participate in a joint phone call. Typically, participants dial into a virtual meeting room from their own phone. This virtual meeting room supports dozens or even hundreds of participants depending upon server capacity.

You do not need a timing source for conferencing with Incredible PBX! Old-style Asterisk MeetMe Conference Rooms which required a timing source are disabled.

To access the Conference Bridge, dial C-O-N-F (2663) from any phone connected to your server. Remote users can be added to a conference by providing a DID that points to an IVR which includes Conference Bridge access. Once connected to the conference bridge, a caller is prompted for the Conference Bridge PIN and his or her name.

To display Conference Bridge PINs, open Incredible GUI with a browser. Choose Applications -> Conferences -> 2663 and your Conference Bridge PINs will be shown. Reset them as desired.

11. CallerID Name (CNAM) Lookups with Incredible PBX

By default, Incredible PBX is configured to automatically provide CallerID Name lookups using CallerID Superfecta, an application initially developed on Nerd Vittles almost a decade ago. You also have the option of using free OpenCNAM CallerID name lookups for the first ten calls received each hour. These lookups are only from cached entries in the OpenCNAM database; however, you can enable the commercial lookup service if desired. The cost is four tenths of a cent per successful query.

12. Free Faxing with Incredible PBX

If you added Incredible Fax to your server by running incrediblefax script in the /root folder, then you’re in for a treat. As part of the install, you provided an email address for delivery of incoming faxes. That’s all the setup that is required to have incoming faxes delivered via email in PDF format. The best way to figure out whether a particular provider supports fax technology on their DIDs is to send a test fax to yourself. FaxZERO lets you send 5 free faxes of up to 3 pages every day. Give it a whirl.

You also can send faxes using standard document types with the AvantFax web application. Log into AvantFax from the main Incredible PBX page by clicking on the AvantFax icon. Choose the Send a Fax option from the main menu, fill in the blanks, and attach your document. AvantFax uses the default dialplan so use the prefix desired to send the fax using your preferred provider. HINT: Google Voice does an excellent job with both incoming and outgoing faxes, and the calls are free in the U.S. and Canada.

Copies of all incoming faxes also are available for retrieval within AvantFax.

13. Voicemail 101 for Incredible PBX

Voicemail functionality is enabled on an extension-by-extension basis as part of the Extension setup under the Applications tab in the GUI. Once enabled, you can set up your mailbox and retrieve your messages by dialing *98. You can leave a message for any extension without actually calling the extension. Just prepend * to any extension number before dialing, e.g. *701. A number of the system settings for voicemail can be tweaked under the Voicemail Admin option under the Settings tab.

14. Email Delivery of MP3 Voicemails with Incredible PBX

Speaking of email delivery, your voicemails also can be delivered to any email address of your choosing. For every Extension, simply add an Email Address in the Voicemail section of the form. With Incredible PBX, the voicemail message will be attached to the email in MP3 format so it’s suitable for playback with most email clients on desktop PCs, Macs, and smartphones. Be advised that some Internet service providers (such as Comcast) block downstream SMTP servers. You can check whether your outbound email is flowing by accessing WebMin (below) and choosing Servers -> SendMail Mail Server -> Mail Queue. If you find outbound mail is accumulating, then you’ll need to add your ISP’s SMTP server address as a SmartHost for SendMail as documented in the next section.

15. Reconfiguring SendMail for SmartHost SMTP Delivery Of Outgoing Emails

Many residential Internet service providers block downstream SMTP servers such as the SendMail server running with Incredible PBX. If you’re sending emails but they never arrive and you’ve checked your SPAM folder, then chances are your ISP is the culprit. The simple solution is to add your ISP’s SMTP server as a SmartHost for SendMail. This means outbound emails will be forwarded to your ISP for actual email transmission over the Internet. Here’s how. Edit /etc/mail/sendmail.cf and search for DS. Immediately after DS, add the FQDN of your ISP’s SMTP server, e.g. DSsmtp.comcrap.net (no spaces!). Save the file and then restart SendMail: service sendmail restart. Your email and voicemail messages with attachments should begin flowing without further delay.

Email from: Asterisk PBX asterisk@pbx.local...
"Nerd Vittles" at 8001234567 left a new voicemail message 1 for extension 6002 on Thursday, January 29, 2015 at 01:42:33 PM.

You can test email delivery by sending yourself a message from the Linux CLI:

echo "test" | mail -s testmessage yourname@somedomain.com

16. SMS Blasting with Google Voice and Incredible PBX

Out of the box, Incredible PBX supports SMS Message Blasting if you have a functioning Google Voice account set up. Before first use, you must add your credentials, address list, and text message to the SMS Blaster scripts in the /root folder.

In smsblast, insert your credentials:

GVACCT="yourname@gmail.com"
GVPASS="yourpassword"
MSGSUBJECT="Little League Alert"

In smslist.txt, insert one or more recipients for your message. These can be a combination of SMS addresses and email addresses and will be delivered accordingly.

NOTE: For most cellphone providers, you also can send an email message for SMS delivery by the provider. The complete list of providers is available here. Email messaging for SMS requires that you know the cellphone provider for your recipient while standard SMS messaging does not.

# In lieu of SMS number, email is also OK
8431234567 Doe John
mary@doe.com Doe Mary
8435551212@txt.att.net Mr T

In smsmsg.txt, enter the text message to be sent.

Once you have all three files configured, run the script: /root/smsblast.

17. Voice-Activated SMS Messaging with Incredible PBX (Dial S-M-S)

In addition to message blasting, you also can dial 767 from any extension and dictate an SMS message to send through your Google Voice account. When prompted for the destination, simply enter the 10-digit SMS number of the recipient.

18. SMS Messaging with VoIP.ms and Incredible PBX

Incredible PBX also supports SMS messaging through VoIP.ms if you have an account and an SMS-enabled DID. See the VoIP.ms wiki for setup info on the VoIP.ms side.

To install the VoIP.ms SMS scripts, follow these steps:

cd /root
mkdir sms-voip.ms
cd sms-voip.ms
wget http://incrediblepbx.com/voipms-SMS.tar.gz
tar zxvf voipms-SMS.tar.gz

Edit voipms-sms.php and insert your VoIP.ms number that supports SMS messaging (no spoofing allowed!):

$SMSsender="8005551212";

Edit class.voipms.php and insert your VoIP.ms API credentials:

    /*******************************************
     *  VoIPms - API Credentials
    *******************************************/
    var $api_username   = 'yourname@youremail.com';
    var $api_password   = 'yourpassword';

Send an SMS message through VoIP.ms with the following command where smsnumber is the 10-digit number of the SMS recipient and “sms message” is the text message surrounded by quotes:

/root/sms-voip.ms/voipms-sms.php smsnumber "sms message"

NOTE: VoIP.ms has indicated that sooner or later there will be a penny per message charge for SMS messages; however, they’re still free as of now.

19. SIP URI Calling with Incredible PBX (Demo: Dial L-E-N-N-Y)

With one line of dialplan code, you can add Speed Dials for free SIP URI calling worldwide. Just create an Other (Custom) Device Extension. Provide an extension number for the SIP URI and enter the SIP URI in the following format in the dial field: SIP/2233435945@sip2sip.info

20. IVR Demo of Incredible PBX Applications (Dial 7001)

The easiest way to try out a number of the Incredible PBX applications is to take the IVR Demo for a spin. Just pick up any phone and dial D-E-M-O (3366). The sample code for the IVR is available for review and modification in extensions_custom.conf. Just search for 3366. You can create your own IVRs and AutoAttendants using the IVR option under the Applications tab in the GUI.

21. Incredible Backup & Restore with Incredible PBX

Incredible Backup and Restore scripts are included in the /root folder. These scripts make and restore snapshots of the settings on your server and should be used in conjunction with a full system backup solution. The GUI includes its own backup snapshots by choosing Backup & Restore under the Admin tab.

22. AsteriDex – The Poor Man’s Rolodex

AsteriDex is a web-based phonebook application for Incredible PBX. You can access it from the main web menu. Scripts are also available to import your contacts from Outlook and Google Contacts.

23. Voice Dialing with AsteriDex (Dial 411)

If you have voice recognition enabled on your server, you can call anyone in your AsteriDex database by dialing 411.

24. Speed Dialing with AsteriDex (Dial 412 or 000+)

For those without voice recognition, Incredible PBX includes two speed dialing utilities. The first is accessed by dialing 412. Then enter any 3-digit dialcode from your AsteriDex database to complete the call.

For a complete listing of your AsteriDex dial codes, execute this query:

mysql -u root -ppassw0rd asteridex -e "select name,dialcode from user1 order by name"

25. Telephone Reminders (Dial 123)

Incredible PBX includes a sophisticated reminders system that lets you schedule individual or recurring reminders using your phone by dialing 123 or a web browser. A complete tutorial is available here. For phone reminders, a password is required to access the reminder system. You’ll find or can set your Reminders password by searching for 123 in extensions_custom.conf. Typically, these reminders set up a return call at a scheduled time that then plays back either a recorded message or a TTS message generated from the text you entered in the browser application. Incredible PBX also includes a new addition that lets you schedule web reminders that are delivered by email or SMS message. Links to the web-based reminders applications are in the main Incredible PBX web menu.

26. DISA Access with Incredible PBX

Direct Inward System Access (aka DISA) is one of the great PBX inventions of the last 50 years. It’s also one of the most dangerous. It lets someone connect to your PBX and obtain dial tone to place an outbound call using your trunks… on your nickel. Typically, it is offered as an option with an IVR or AutoAttendant. DISA extensions can be added using the DISA option under the Applications tab. Make sure you assign a very secure password. It’s your phone bill.

27. Yahoo! News (Dial 951)

Yahoo! news headlines are available by dialing 951. The news option also is included in the sample IVR application.

28. Weather Forecasts by Phone (Dial 949 or Z-I-P)

If you have voice recognition enabled on your server, you can retrieve a weather report for most cities in the world by dialing 949 and saying the name of the city plus the state, province, or country. For PBXs without voice recognition, you can obtain a weather forecast for most zip codes by dialing 947 (Z-I-P) and entering the 5-digit zip code.

29. ODBC Application Support for Asterisk

ODBC/MySQL application support for Asterisk is included in Incredible PBX. You can try out a few sample applications that are included to get you started. Dial 222 and enter 12345 for the employee number. This retrieves an employee name from the MySQL timeclock database using Asterisk. Dial 223 to retrieve an AsteriDex name and phone number by entering the 3-character dialcode. You then have the option of placing the call by pressing 1. Once you have created accounts for Travelin’ Man 4, you can dial 864 (T-M-4) to WhiteList an IP address for that account after entering the account number and matching PIN. Use the * key for periods in the IP address. The code for all of the samples is in the following files in /etc/asterisk: odbc.conf and func_odbc.conf. If you create new MySQL databases, remember to add corresponding entries in res_odbc.conf and /etc/odbc.ini. Then restart Asterisk: amportal restart.

30. Today in History (Dial T-O-D-A-Y)

It’s always interesting to find out what happened Today in History. And Incredible PBX now delivers it by phone. Just dial 86329 (T-O-D-A-Y) for a walk down memory lane.

31. Time of Day

Speaking of yesteryear, if you grew up dialing TI-4-1212 for the time of day, Ma Bell may have discontinued the service, but we haven’t. Now you can do it on your very own PBX. Just dial into the DEMO IVR and choose option 4.

But suppose you want your users to be able to dial in for the time. Just dial *61 for a time update.

32. WebMin: The Linux Swiss Army Knife

There is no finer Linux application than WebMin. There is no more dangerous Linux application than WebMin. You’ve been warned. We heartily recommend WebMin as a tool to LOOK at your server’s settings. We strongly discourage changing anything in WebMin unless you totally know what you are doing. This is especially true with management of Linux applications that make up the core of Incredible PBX: the Linux kernel, SendMail, IPtables, Apache, MySQL, PHP, and…

To access WebMin, click on the WebMin link in the main Incredible PBX web menu. The username is root. The password is your root password. WebMin has root privileges to your server. Reread paragraph 1 and act accordingly.

For an exhaustive tutorial on WebMin, download The Book of WebMin by Joe Cooper. For a more recent commercial offering, take a look at Michal Karzyński’s WebMin Administrator’s Cookbook.

33. phpMyAdmin: The MySQL Swiss Army Knife

The same caveats we expressed regarding WebMin apply to phpMyAdmin. It is a powerful tool for managing MySQL databases in the right hands. It is a dangerous tool in the wrong hands. There should be little need to use phpMyAdmin unless you are developing a customized database solution for your business. We’ve included phpMyAdmin just in case.

To access phpMyAdmin, click on the phpMyAdmin link in the main Incredible PBX web menu. For tutorials on phpMyAdmin, see the phpMyAdmin wiki. For an excellent commercial offering focused on the version of phpMyAdmin installed on your server, consider Mastering phpMyAdmin 3.4 for Effective MySQL Management by Marc Delisle.

34. SIP Gateways for Secure (and Free) Google Voice Calling

If you have difficulty finding the Google Chat option after setting up a new Google Voice account, follow this tutorial. If you’d prefer a secure, pain-free method of accessing Google Voice via SIP for a modest one-time fee, there are some other options:

35. User Control Panel for Extension Management

For those that have clamored for a safe way to permit end-users to manage their extensions and voicemails, your ship has arrived. Meet the User Control Panel (UCP) which now is part of the Incredible PBX GUI. First, set up accounts for your users with the User Management option under the Admin tab. Specify account names, passwords, and extensions to be managed. Other entries for email addresses are optional. Then choose the UCP option in the GUI, login with one of the accounts you’ve created, and follow your nose.

Originally published: Wednesday, August 26, 2015



Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Introducing Incredible PBX GUI for AsteriskNOW and the FreePBX Distro


Before we get started today, let’s clear the air on a few things that have been brought to our attention. We’re not opposed to any organization making money. That includes Digium® and Sangoma®. And we fully appreciate that both of these companies need to make money to continue to deliver first rate products like Asterisk® and FreePBX®. Our fundamental disagreement with SchmoozeCom and now Sangoma stems from their sales methodology. In a nutshell, they’ve taken what purports to be an open source GPL product and turned it into a marketing tool for a whole host of commercial, closed source, time-restricted add-ons. If this were done in keeping with the GPL requirement for clear separation between the GPL components and the commercial ones, we would have no objection at all. As it stands, the Sangoma commercial bundling approach is functionally identical to distributing commercial components tied to the Linux GPL kernel, a practice that is specifically prohibited by the GPL. The prohibition stems from hooking commercial components to any GPL component, not merely the Linux kernel. Hence, hooking commercial FreePBX components to the open source GPL FreePBX and Linux ISO platforms is just as problematic as hooking a commercial driver to the Linux kernel. You’re profiting off the free work of others while confusing consumers on what’s free software and what’s not.

Sangoma’s decision to commingle and intertwine the GPL and commercial components in such a way that end-users have no choice but to install the entire bundle including the NagWare and CrippleWare hooks is problematic in another way as well. It also means users cannot legally redistribute the SHMZ ISO (even though it includes the functionally identical components found in the RedHat Enterprise Linux GPL ISO) because consumers also would be redistributing non-GPL software without a license to do so.

If you really want to have some fun (on a non-production machine, of course), try setting the clock up about 26 years and experience time bomb software in all its glory. And we thought this disappeared in the shareware days. Heh.

Last, but not least, Sangoma has shrouded the essential Cloud components of the FreePBX distribution in secrecy with encrypted signatures to prevent others from adding to the GPL-advertised project without encountering nasty error messages suggesting that your server has been compromised. Issuing keys while keeping exclusive control over issuance and rescission of those keys doesn’t help. That is a textbook example of PROPRIETARY software.

Until these issues are addressed, we believe everyone is better served by converting your GUI platform to the Incredible PBX GUI which offers GPL-compatible modules and an open source, GPL-based Cloud platform for all to see. That’s what FREEDOM really means, Sangoma. And that’s our objective for today, no more and no less.



Installing the SHMZ Base Operating System

If you’ve installed Incredible PBX on another operating system platform, today’s exercise isn’t that different. You’ll start by downloading and installing a fresh copy of AsteriskNOW or FreePBX Distro 6.12. You need a fresh install because all of your setup will be modified as part of the Incredible PBX install anyway. Both the 32-bit and 64-bit platforms are supported. Once the install begins, we recommend choosing the NO RAID setup because upgrading to FreePBX 13 down the road reportedly leaves you with a kernel that does not support RAID.

Begin by installing the 32-bit or 64-bit version of your choice on your favorite hardware or Desktop. Or you may prefer to use a Cloud provider1 that already offers a preconfigured image. In the latter case, you can skip this section.

For those using a dedicated hardware platform or wishing to install as a virtual machine, the drill is the same. Start by downloading the ISO. Then burn the ISO to a DVD unless you’ll be booting from the ISO on a virtual machine platform such as VirtualBox. On virtual platforms, we recommend at least 1GB RAM and a 20GB dedicated drive. For VirtualBox, here are the settings:

Type: Linux
Version: RedHat 64-bit or 32-bit
RAM: 1024MB
Default Drive Options with 20GB+ space
Create
Settings->System: Enable IO APIC and Disable HW Clock (leave rest alone)
Settings->Audio: Enable
Settings->Network: Enable, Bridged
Settings->Storage: Far right CD icon (choose your ISO)
Start

Boot your server with the ISO, and start the install. Here are the simplest installation steps:

Choose NO-RAID install and Click Continue
Choose Whether to Enable IPv6 Support
Choose Time Zone and Uncheck System Clock Uses UTC
Create Root Password: somepassword, somepassword, Click Done
Wait for Install and Setup to finish (about 30 minutes)

Installing Incredible PBX for SHMZ 6.5

Unlike other Linux operating systems, today’s ISOs will leave you with a functioning Asterisk platform with the FreePBX GUI. Both are built from RPMs rather than being compiled on the fly from source. We’ve chosen to leave the Asterisk platform in place for those that prefer the ease of use of an RPM solution. Be advised that this means adjustments to Asterisk modules are extremely difficult should you ever decide you need some functionality that is not provided in the default build. The FreePBX GUI platform will be replaced with the Incredible PBX GUI using GPL-compatible modules from version 12.

To begin, log in to your server as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/incrediblepbx11-12.1.shmz.tar.gz
tar zxvf incrediblepbx*
./IncrediblePBX*

Once you have agreed to the license agreement and terms of use, press Enter and go have a long cup of coffee. The Incredible PBX installer runs unattended so find something to do for the next 30-60 minutes unless you just like watching code compile. When the installation is complete, run /root/admin-pw-change to set the admin password for GUI access using a browser. Log out and back into your server. After the Automatic Update Utility runs, you’ll be greeted by the status display:

Press ENTER and perform at least the first 5 steps below:

Make your root password very secure: passwd
Set an admin GUI password: ./admin-pw-change
Create admin password for web apps: htpasswd /etc/pbx/wwwpasswd admin
Set your correct time zone: ./timezone-setup
Restart Asterisk: amportal restart
Reload the GUI: amportal a r
Clean Up GUI Module Signature Mess: gui-fix
Make a copy of your Knock codes: cat knock.FAQ
Decipher IP address and other info about your server: status

Incredible PBX includes an Automatic Update Utility which downloads important updates whenever you log into your server as root. We recommend you log in once a week to keep your server current. If you haven’t done so already, now would be a good time to log out and back into your server at the Linux command line to bring your server up to current specs.

You can access the Incredible PBX GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display.

Choose Incredible GUI Administration from the Admin menu of the Kennonsoft GUI (shown above). The default username is admin and the password is what you set above. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for your 701 extension and voicemail account: Applications -> Extensions -> 701. If you’re behind a hardware-based firewall, change the NAT setting to: YES. NOTE: The fax option will not appear until you’ve run the Incredible FAX installation script in /root.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:


947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to set up a free Google Voice account. Google has threatened to shut this down but as this is written, it still works. The more desirable long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax 11, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using the GUI. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX. It’s free at least through 2013. Google Voice no longer is by invitation only so, if you’re in the U.S. or have a friend that is, head over to the Google Voice site and register.

You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work… in either direction. Google used to permit outbound Gtalk calls using a fake CallerID, but that obviously led to abuse so it’s over! You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don’t skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you’d like in Settings, Voice Setting, Phones. But…

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call ScreeningOFF
  • Call PresentationOFF
  • Caller ID (In)Display Caller’s Number
  • Caller ID (Out)Don’t Change Anything
  • Do Not DisturbOFF
  • Call Options (Enable Recording)OFF
  • Global Spam FilteringON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in the GUI. After logging in with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. Do NOT check the third box or incoming calls will never ring!

IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work with these simple settings in the GUI: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

A Few Words about the Incredible PBX Security Model

Today’s Incredible PBX install joins our previous builds as our most secure turnkey PBX implementation, ever. As configured, it is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. The latest release also includes Port Knocker for simple, secure access from any remote computer or smartphone. You can get up to speed on how the technology works by reading the Nerd Vittles tutorial. Your Port Knocker credentials are stored in /root/knock.FAQ together with activation instructions for your server and mobile devices. The NeoRouter VPN client also is included for rock-solid, secure connectivity to remote users. Read our previous tutorial for setup instructions. As configured, nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. You can whitelist additional IP addresses by running the command-line utility /root/add-ip. You can remove whitelisted IP addresses by running /root/del-acct. Incredible PBX is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking. We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. And it’s your phone bill. 😉

The IPtables firewall is a complex piece of software. If you need assistance with configuring it, visit the PIAF Forum for some friendly assistance.

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX server on the same platform, simply copy the image to a server running Asterisk 11 and the same version of the Incredible PBX GUI. Then run /root/incrediblerestore. Doesn’t get much simpler than that.

Switching Major Versions of Asterisk

One of the unique features of this aggregation is the ability to quickly switch from one major version of Asterisk to another, e.g. from Asterisk 11 to 13 or from Asterisk 13 back to 11. It will also bring your particular Asterisk version up to the current release. This functionality has been retained in the Incredible PBX implementation.

WARNING: You will lose your free faxing capability with HylaFax/AvantFax if you deployed it before switching Asterisk versions! You may be able to restore the fax functionality by running the incrediblefax installer again. No guarantees.

To switch versions, issue the following commands after logging into your server as root:

sed -i 's|enabled=0|enabled=1|' /etc/yum.repos.d/FreePBX.repo
asterisk-version-switch
sed -i 's|enabled=1|enabled=0|' /etc/yum.repos.d/FreePBX.repo

Incredible PBX Automatic Update Utility

Every time you log into your server as root, Incredible PBX will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along.

A Word to the Wise: yum update can be a very dangerous tool. We have disabled the FreePBX repositories as part of the Incredible PBX install. We recommend you keep it that way. Security updates, if necessary, are distributed through the Automatic Update Utility. This puts an additional layer of protection between your server and yum repos. Keep it that way!

In the meantime, we encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie.

Originally published: Wednesday, August 19, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.

NEWS FLASH: There’s a message thread to handle Bugs & Fixes for this new release. If you have issues with your install, start there.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us. []

Introducing the FUD-Free Firewall for FreePBX Distro and AsteriskNOW

After frequent complaints from our FreePBX® users, we introduced a firewall application for the PBX in a Flash™ and Incredible PBX™ platforms that protected FreePBX resources. That was over 5 years ago. The product became Travelin’ Man™ 3, an IPtables-based WhiteList that totally eliminated access to your Asterisk® server unless a WhiteList entry had been authorized by the administrator. The application was further embellished over the years to facilitate access by remote users. First, we introduced PortKnocker™ for Asterisk® and later we introduced Travelin’ Man 4 to let users call in with a passcode to authorize server access. For the past several years, a preconfigured firewall has been an integral component in what has become the 7-Layer Security Model included in all Incredible PBX builds. TIP: Security is not a new idea for us.

During this evolution, the FreePBX developers introduced their own distribution, the FreePBX Distro™. Conspicuously absent was a functioning firewall. We believed that the shortcoming would be remedied quickly. Hasn’t happened! In the meantime, a number of serious security vulnerabilities arose in the FreePBX product that compromised numerous servers running their distribution because of the absence of a functioning firewall. Digium® recently reintroduced AsteriskNOW™ as a clone of the FreePBX Distro. But still no firewall.

About a month ago, we decided to close the loophole for everyone’s security and develop a firewall for the only FreePBX-based distributions without a firewall, the FreePBX Distro and AsteriskNOW. Last week we began the rollout with a Nerd Vittles article explaining why this was essential, as if an explanation were necessary. Today, you get the GPL code.

Suffice it to say, our article was not well received. The usual Sangoma® players went into Damage Control Mode with what has become a predictable scenario whenever security issues are raised concerning the FreePBX design or vulnerabilities.

Meet The Sangoma 7.

  • The Good Cop: If only you’d purchase Genuine Sangoma Hardware, all of your security problems would disappear
  • The Bad Cop: Enjoy this nice Cup of FUD about your own distro which proves we’re all just alike
  • The Techie Cop: We thought of developing an open source firewall just the other day, and now you’re complaining
  • The Rest of “The Team”: Let the Astroturfing Begin… Retweet, favorite, and cheer for the brilliance of My 3 Cops

The Good Cop offered to solve all your security woes if you’d just buy (some more Sangoma) hardware.

The Bad Cop suggested that, with “cookie cutter security, you might as well hand out your password.” Just in case you have any doubts about whose approach has stood the test of time, let’s Google the FreePBX Security Vulnerability Track Record.

The Techie Cop claimed we had stolen his 2-day old idea to create an Open Source Firewall. Really?
Earth to Techie Cop: Where have you been for the past five years??

Funny stuff… if it weren’t so damaging to the Asterisk community and those trying to decide whether to put their faith in open source communications software.

Firewall Basics.

We’ve written dozens of articles on Asterisk security and firewall approaches so we won’t repeat all of the information. Here’s what you need to know. Software-based firewalls on Linux servers need to be integrated into the Linux kernel to be secure. IPtables is kernel-based and extremely reliable. Blacklist-based firewall designs, i.e. those that seek to identify the IP addresses of every bad guy on the planet don’t work very well. Bad guys aren’t stupid. They can do their damage by commandeering a little old lady’s Windows machine so you’re never going to collect all of the necessary “bad” IP addresses. They’re also smart enough to poison the blacklists with Internet resources you need such as DNS servers. So don’t waste your time with blacklists. WhiteLists work very well. You identify the IP addresses and FQDNs of all the Internet sites you need to support and all the SIP providers you wish to use. Nobody else even sees your server on the Internet. If the bad guys can’t see your server, they can’t attack it. Simple as that.

Travelin’ Man 3 WhiteList Tutorial.

Here are the fundamentals of the Travelin’ Man 3 design. We allow access from anybody and everybody on your private LAN. They still need a password to access FreePBX or to gain root access, but they can “see” your server. Private LAN addresses are non-routable over the Internet which means the bad guys can’t access your 192.168.0.4 IP address if you’re sitting behind a NAT-based hardware firewall. All of your internal phones will work with no firewall modifications. You may need to adjust these settings if you’re using a Cloud resource such as Amazon because they actually route non-routable IP addresses which would leave your server vulnerable without removing these entries (especially the 172 subnet for Amazon):

#-A INPUT -s 10.0.0.0/8 -j ACCEPT
#-A INPUT -s 172.16.0.0/12 -j ACCEPT
#-A INPUT -s 192.168.0.0/16 -j ACCEPT

Travelin’ Man 3 also authorizes access for certain mandatory services that are needed to keep your server operating properly. In addition, during installation, Travelin’ Man 3 whitelists localhost and the public and private IP addresses of your server as well as your PC or workstation. You obviously don’t want to lock yourself out of your own server.

As of today, Travelin’ Man 3 is primarily an IPv4 whitelist toolkit. IPv6 addresses are only supported to allow localhost access to your server. Any other IPv6 addresses must be added manually in /etc/sysconfig/ip6tables. We recommend not using FQDNs with IPv6 for the time being. And always restart IP6tables after adding new entries: service ip6tables restart.

You have the option of enabling the Incredible PBX collection of IP addresses used by many of the leading SIP providers around the world. Just run the enable-trusted-providers script in /root. The list of included providers is available here. You also have the option of adding (whitelisting) or deleting users’ and providers’ IP addresses and FQDNs yourself. Use the included scripts in the /root folder: add-ip, add-fqdn, and del-acct. For each account you set up, you get to define which access permission or combination of permissions will be available:

0 – ALL Services
1 – SIP (UDP)
2 – SIP (TCP)
3 – IAX
4 – Web
5 – WebMin
6 – FTP
7 – TFTP
8 – SSH
9 – FOP

Once you have made your selection, a user account will be created in /root with the name of the account and an extension of .iptables. Do NOT delete these files. They keep track of current IP addresses and accounts authorized for server access.

If you have remote users on the Internet, e.g. traveling salespeople, you can individually authorize access for them using a dynamic FQDN (add-fqdn) coupled with a dynamic DNS server that keeps IP addresses current as folks move around. Just load a dynamic DNS updater on their smartphone. Then plug the user entries into the included ipchecker script and execute a cron job on your server every few minutes to keep the FQDN entries refreshed. Simple.

echo "*/10 * * * * root /root/ipchecker > /dev/null 2>&1" >> /etc/crontab

IPtables does not directly support FQDN rules through the kernel. However, IPtables lets you configure your firewall rules using FQDNs which get translated into IP addresses whenever IPtables is restarted. The gotcha here is that, if an FQDN is not resolvable, IPtables fails to load, and you’re left with a vulnerable server. Travelin’ Man 3 takes care of this by employing a special restart script that temporarily disables unresolvable IP addresses.

The moral of the story:

ALWAYS USE iptables-restart TO RELOAD IPTABLES OR YOUR SERVER MAY END UP WITH NO FIREWALL!

We’ve also included support for a neat little trick that lets you whitelist remote SIP access to your server using a special FQDN. No further firewall adjustments are necessary. This is supported on most platforms except OpenVZ containers. The way this works is you first assign an obscure FQDN to your server’s IP address. It needs to be obscure because anyone with the FQDN gains SIP access to your server. But chances are pretty good that the bad guys will have a hard time figuring out that xq356jq.dyndns.org points to your server. You then can embed this FQDN in the SIP phone credentials for all of your remote users. The final step is to uncomment the last few lines in /etc/sysconfig/iptables after plugging in your obscure FQDN. Then restart IPtables: iptables-restart.

-A INPUT -p udp --dport 5060:5061 -m string --string "REGISTER sip:xq356jq.dyndns.org" --algo bm -j ACCEPT
-A INPUT -p udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060:5061 -m string --string "OPTIONS sip:" --algo bm -j DROP

Finally, a word of caution about deploying Travelin’ Man 3 on the FreePBX Distro and AsteriskNOW platforms. We currently don’t have a vehicle in place to push security updates out to you as we do with Incredible PBX. This means you will have to remain vigilant to what’s happening in the telecommunications world and load updates yourself. You can stay current in a number of ways. We will post updates to this article in comments below so you can simply check back here periodically. An easier way to keep up with the latest security alerts and updates is to subscribe to the PBX in a Flash RSS Feed. This can be added to the FreePBX Status page by editing RSS Feeds in Settings -> Advanced Settings and adding:

http://pbxinaflash.com/rssfeed.xml

As you can see, there’s nothing “cookie cutter” about Travelin’ Man 3. It’s totally customizable to meet your own unique requirements. All we have done is tame IPtables and eliminate much of its complexity so that you can get a functional firewall up and running quickly. Now it’s deployment time!

Installing Travelin’ Man 3 for the FreePBX Distro & AsteriskNOW.

Log into your server as root from a desktop PC using SSH or Putty. This assures that you will have access from a device other than the console when you are finished. Then issue the following commands:

cd /root
wget http://incrediblepbx.com/tm3-firewall.tar.gz
tar zxvf tm3-firewall.tar.gz
./enable-iptables-whitelist

If you wish to enable the Incredible PBX trusted providers whitelist, issue the following command:

./enable-trusted-providers

ALWAYS use the following command to start or restart IPtables:

iptables-restart

NEVER use the following syntax with Travelin’ Man 3:

service iptables...

CHECK the status of your server at any time:

/root/status

The GPL Is NOT Dead: Coming Soon to FreePBX Distro and AsteriskNOW…

Stay tuned for Incredible PBX GUI, all of the GPL modules you know and love with NO NAGWARE and NO GOTCHAS. This also will assist users that got duped by the Sangoma offer to convert PBX in a Flash into a proprietary FreePBX Distro. After reading the Sangoma disclaimer about the script being donated by an anonymous user, ask yourself this question. When was the last time Sangoma republished code that they did not own or create themselves? Try NEVER.

BEFORE:

AFTER:

Originally published: Monday, August 10, 2015



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Firewalls 101: Why Every Asterisk Server Should Have a Functioning Firewall


Part of our fundamental disagreement with the FreePBX® design can be summed up in one word: FIREWALL or the lack of a functioning firewall in the FreePBX Distro and in the functionally identical Digium product, AsteriskNOW®.1 Most of the other design choices including the controversial, non-GPL compliant Module Signature Checking mechanism are touted as failsafe ways to detect altered systems even though changes in FreePBX MySQL tables and Asterisk config files can be modified easily without triggering alerts. In short, the Band-Aid® approach to module tampering does nothing to address the fundamental problem, prevention of unauthorized intrusions in the first place.

Some would contend that the included Fail2Ban product is specifically designed to prevent unauthorized intrusions by locking out the bad guys after a certain number of failed login attempts. Assuming Fail2Ban were functioning properly, which does not appear to be the case, putting all your eggs in the Fail2Ban basket also ignores several critical shortcomings in Fail2Ban. First, it has been documented that powerful servers such as Amazon EC2 and Twitter botnets give hackers almost unlimited intrusion attempts before Fail2Ban ever gets a time slice sufficient to scan logs for intrusion attempts. Second, Fail2Ban provides no protection against stealthy distributed bruteforcing activity. For example, if a botnet with 770,000 PCs attacked your server and each PC executed only two login attempts, Fail2Ban never gets triggered even assuming your server could handle the load and Fail2Ban got sufficient server resources to actually scan your logs. Finally, Fail2Ban provides no protection against Zero Day vulnerabilities where an intruder basically walks right into your server because of an unidentified vulnerability lurking in the existing code. Unfortunately, these are not hypothetical situations but regular occurrences over the past 10 years of Asterisk and FreePBX development. In a nutshell, that’s why you need a real firewall. It completely blocks all access to your server by unauthorized users all of the time.

Numerous companies have intentionally exposed Asterisk® servers to the public Internet in a continuing effort to identify problems before they affect “real servers.” We know of no similar efforts with a platform that includes FreePBX as an integral component of the server. Why? Because the potential for Zero Day Vulnerabilities in a platform of modular design is enormous. One vulnerable component in FreePBX and the entire house of cards collapses because of the blank check server access that a compromised FreePBX asterisk user account gives to an intruder. It’s the fundamental reason that services such as Apache were engineered to run with different user credentials than a root user in the real world. In essence, the current FreePBX design with Asterisk has elevated asterisk user credentials to allow root-like access to almost every server file and function with the exception of SSH access. And SSH access becomes all but unnecessary given the scope of the GUI functionality provided within FreePBX and the escalated privileges it enjoys.

On FreePBX-based Asterisk servers, the absence of any user account separation means Asterisk, Apache, and FreePBX services all operate under the single asterisk user account. If any piece collapses due to a vulnerability, the intruder gets the keys to the castle including read/write access to Asterisk and FreePBX manager credentials and config files as well as broad MySQL access. This, in turn, exposes your VoIP account credentials in addition to facilitating SQL injection into any and all FreePBX database tables. Because FreePBX “hides” numerous settings in over a hundred MySQL tables, the Asterisk DB, and dozens of Asterisk config files, once the asterisk user account access is compromised, many of the major components on your server could be cleverly reconfigured without leaving much of a hint that your server had been compromised. In fact, VoIP account credentials could be extracted and used elsewhere with no traceable footprint back to your server. For all you would know, your provider compromised your credentials rather than the other way around. Just another reminder that keeping a credit card on file for automatic replenishment with VoIP providers is a very bad idea!

Providing the asterisk user with these broad permissions was a (poor) design choice. Why was it done? To make it easy for the developers to alter virtually everything on your Asterisk server using FreePBX’s integrated Module Admin component. Root user permissions are never required to do much of anything other than server platform upgrades once the FreePBX Distro or AsteriskNOW product is installed. That’s exactly the design one would expect to find in a commercial, closed source software platform. But it’s unusual in the open source community to put it charitably. We trust we’ve made the case why a rock-solid firewall with any product that uses FreePBX modules is absolutely essential. FreePBX is a wonderful GUI, but use of the platform without a properly configured, fully functional firewall could be financially catastrophic not to mention the serious damage it could cause to others including the good reputation of Asterisk in the Internet community.

Our objective next week will be to help you implement a functioning Linux-based software firewall on the FreePBX Distro and AsteriskNOW platforms. It’s FREE! Not only will this improve the security of your server, but it will deny the bad guys a platform from which to launch mischievous acts against the rest of us. Unless you’re running Asterisk on a Cloud-based platform, do all of us a favor NOW! Run, don’t walk, to your nearest electronics store (including WalMart and BestBuy) and purchase one of the dozens of inexpensive NAT-based routers. Install it between the Internet and your server TODAY! This is the one we use, but there are plenty from which to choose including our refurbished one.2


NEWS FLASH:
Download the new FUD-Free Firewall for FreePBX Distro and AsteriskNOW.

Originally published: Monday, August 3, 2015




Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. Technically, IPtables is running on the FreePBX Distro and AsteriskNOW platforms; however, it’s sole function is to act as the shutdown mechanism for Fail2Ban-detected breaches. It does not independently examine packets. There is no functioning iptables config file. From our vantage point, serving as the Fail2Ban traffic cop doesn’t qualify as a functioning firewall since it lacks any of the traditional IPtables rules that manage PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING of packets. []
  2. Where prices are competitive or availability is a factor, we often recommend Amazon because Amazon provides financial support to Nerd Vittles through our referral links. We encourage everyone to shop independently and purchase products from suppliers that best meet your own requirements. []

The Rise and Fall of FreePIX: The 15-Year Journey of an Internet Sensation

NOTE: While on vacation, we dreamed up this fictional company depicting fictitious events to highlight some of the potential pitfalls which could arise when transfers of ownership lead to unanticipated future operational changes. Lawyers get paid to think about this stuff. Today, you get the hypotheticals at no charge. Give them some thought. WARNING: Do NOT visit the .com address associated with our fictional company. It takes NSFW to a whole new level. Similarities to existing companies are purely coincidental. We do not believe the facts depicted apply to any current owner of any company of which we are aware. But the scenario highlights what potentially could happen when a morphing project ultimately is sold to a company with vastly different objectives. We chose FreePIX for our company name because worldwide prior use by numerous entities would make ownership of the mark all but impossible.

Being huge fans of free photography, imagine our surprise upon first learning that the trademark for our new photography site was available. The next decade would see FreePIX.us grow into the largest public site for free storage of photos in the world. The beauty of FreePIX was two-fold. First, storage of an unlimited quantity of photos in any size and format was free. And the web-based GUI to view those photos was second to none. There were no restrictions on usage and no time limitations on free storage. It also provided a simple utility allowing developers to add new photography filters for site-wide use. In short, FreePIX was a photographer’s dream come true. Offload tens of thousands of photos into a high performance web site that’s available to friends and business clients at the click of a web browser button.

Going into our third year in “business” and reality is starting to sink in. People have lots of photos. What used to be one megapixel images have now quadrupled to four. Storage and bandwidth costs have escalated geometrically with the quadrupling of image sizes, but it’s worth it. We love photography. We’ve started to get inquiries from venture capitalists offering to help fund our site in exchange for a percentage interest in the company. No thanks!

We’re starting year five, and the average image now is 8 megapixels. What used to require a dedicated digital camera is now available on every smartphone. Our user base increased ten-fold in just the last year. And I desperately need some additional programming help to keep the web site ahead of the curve. Could also use some networking help to assist in managing the FreePIX storage platform. We’ve obviously got to figure some things out moving forward. Did we mention the storage and bandwidth costs have gone through the ceiling? One of the leading camera companies has made us an offer for the company. It’s not a lot of money, but we could still run the operation even though they would have the final say on future direction. They would simply insert a few ads on the web site to cover the costs. Some favorite commercial photographers of ours have also offered to lend a free hand with the programming and networking chores. Sounds like a good plan!

It’s year six, and our parent company just got sued for copyright infringement because a couple of jerks posted photos owned by some commercial photographers. The plaintiff’s lawyers want a lot of money for a silly mistake, but we obviously are going to need to tighten up and monitor the images that get posted. One of the image filtering apps on the site also looks strikingly similar to a commercial product with an existing patent on the specific filtering methodology. The parent company has brought in their legal team to make some changes.

It’s year seven now, and the parent company says it’s bleeding red ink on what they thought would be a charitable endeavor. And the legal hassles keep on coming. Sounds like FreePIX has been put on the auction block. Lucky for us, one of our commercial photographers has expressed an interest in buying everything, and he’s promised no major operational changes. He has some fresh ideas together with broad experience in the photography business so I think we’re in good shape moving forward. I can hardly believe how talented his programmers are. Looks like smooth sailing lies ahead.

It’s year nine now, and we’ve made further improvements. We now offer a library of commercial photos which can be licensed on the site. Doesn’t impact our free photo storage at all. The new owner now wants to restrict the site to non-commercial entities and to convert all of the photos to lower resolution to conserve disk space and reduce costs. I can’t much blame him. Can you believe commercial photography businesses store all of their work on our site? Doesn’t seem fair that we should foot the bill for their storage and bandwidth when they are competing with our commercial photography business.

We’ve also asked the programmers and lawyers to think of some ways to better insulate us from future copyright and trademark infringement lawsuits. They’ve come up with several ideas. First, we’d require indemnification of our legal expenses by anyone that uses our site. Second, we’d implement license keys for anyone posting images or apps on the site. This gives us a way to flag unauthorized material and warn visitors about the potential risk (as depicted above).1 Third, we’d impose a daily download limit of five images to further conserve our bandwidth. Finally, we’d ban other commercial entities from profiting off our site either with apps or commercial photography. These steps also provide a mechanism to quickly disable images and apps if we spot a problem with an individual poster or if an app competes with our own commercial products. Seems like a fair tradeoff for free photo storage. What’s not to like?

Fast forward to year 15 now. FreePIX has gone through a couple of additional owners. These owners have implemented pay-as-you-go image storage to cover bandwidth costs. Users were given 30 days of “free storage” to remove any photo collections. Only image applications sold by the site owner are now permitted on the site “for legal reasons.” All images uploaded to and preserved on the site for more than 30 days become the exclusive, copyrighted property of the site owner.

The current owner has just received a $100 million purchase offer from a porn site that wants to monetize the 10 million registered users of the site. The potential buyer promises to preserve all photo content on the site for at least 30 days and will do nothing during that period to disable license keys or site access by current users. What could possibly go wrong?

Bar Exam Question: Would/should the results be any different with an open source, GPL platform where the owner retains exclusive control over issuance and termination of GPG keys needed to preserve the full functionality of the GPL software and access to the GPL repository with its keys?

Layman’s Translation: What if Dad gave me a shiny, new car but kept the keys?

Short-Term Fix for Incredible PBX GUI Users:

Originally published: Monday, July 27, 2015



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. This image is perfectly safe. WARNING is used only to demonstrate how the FreePIX site might protect itself with unregistered images. []

Ringbinder theme by Themocracy