Home » Security

Category Archives: Security

The Most Versatile VoIP Provider: FREE PORTING

Zero-Day Vulnerabilities Compromise All FreePBX Systems



If you’re a user of Asterisk® and FreePBX®, the DEFCON 31 Conference in Las Vegas did not disappoint this year. It exposed not one but three critical, unpatched vulnerabilities in affected FreePBX-based platforms that can compromise your servers in under a minute. I would hasten to add that all of these vulnerabilities were disclosed to Sangoma® months ago and remain unaddressed for months. What this meant was a hacker could easily get administrator privileges on your server with a blank check to make free calls on your nickel or further infect your server with additional hidden components.




 

How Vulnerable Are You? Here’s a quick summary of the bugs documented in the presentation above. If you expose a port on your server to configure SIP phones, you’re compromised. If your users have public IP access to the User Control Panel (UCP), you’re compromised. Any user can delete any asterisk-owned file from your server. Use a Digium® or Sangoma® VoIP phone? You’re compromised. Actually, all you need is the MAC address of one of these phones and its password login and the User-Agent header of any Digium Phone (Digium D60 2_7_0), and you’re compromised if the dphone API RestApp is running on your server. Are you running the API module in FreePBX with public IP address access to your server? You’re compromised because of a bug in the generateDocumentation function. These are classic command injection and authentication bypass issues in FreePBX that can even be triggered from the bad guys’ servers using generated access tokens.


Sangoma, Sangoma. Wherefore Art Thou? You can read all about Sangoma’s Bug Bounty Program here. It was conveniently deleted immediately after this zero-day vulnerability was reported. We’ve reproduced the page from the Wayback Machine. So what happened? According to the good pseudonym researcher, not much. Aside from an initial response indicating that the bugs had been addressed, there was never a follow-up response when the researcher advised that the patches did not work.




 

What Can You Do? Your safest bet is to switch to a security model that does not expose your server or its assets to the public Internet. Incredible PBX is an out-of-the-box platform that provides this security. It’s available for Rocky 8 (not recommended), Debian 11, Ubuntu 22.04 as well as virtualization platforms including VirtualBox, VMware, Proxmox, Windows WSLg, LXC Linux Containers, and Apple’s UTM platform. OpenVPN is also strongly recommended.

At the very minimum, put your server behind a hardware-based firewall with no public Internet exposure until these bugs are properly resolved. You’ve been warned!

Follow updated comments on this issue on the FreePBX Forum and the VoIP-info.org Forum.

Originally published: Sunday, September 17, 2023    Updated: October 13, 2023



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Our Favorite All-You-Can-Eat Deals in Cyberspace



Let’s begin with a mea culpa. We’ve been wrong on a few all-you-can-eat deals over the years including the CloudAtCost switcheroo, the Google Voice fiasco, and a few other cloud provider implosions. But our overall track record has been pretty good over the past decade, and today we have some fresh deals that are worth a careful look. We, of course, would encourage everyone to perform their own due diligence and at least acknowledge the cautionary note: "If a deal sounds too good to be true, it probably is." Having said that, these are all deals that we continue to use and to rely upon as this is written.

Free Oracle Cloud Hosting for Life


We’ve previously written about the free Oracle Cloud hosting deal so we won’t dwell on it here other than to provide a link that will show you how to sign up and use the Oracle Cloud to host your Incredible PBX servers for life at no cost, up to four of them. Here’s the link.

Domain Names at Cost


There are lots of sources to acquire domain names whether you need one or dozens. But nobody comes close to matching Spaceship pricing across the board. Here are some examples: .com for $8.80/year, .org and .net for $9.80, .us for $6.48, and .uk for $5.23.

VPN Unlimited for Life


Whether you use a VPN for anonymous protection while surfing the web or for access to premium movie services while visiting countries that block some services, a lifetime VPN subscription is a worthy investment. In this case, waiting for the deal to come along is worth a little patience. Our favorite lifetime service is VPN Unlimited which, as recently as November 2021 was selling for $18. Today it’s $199.99. Two weeks ago it was $99. There are numerous VPN for Life services but, if you stray from VPN Unlimited, we would encourage you to sign up for a one month plan to be sure it meets your needs in terms of performance and reliability with services such as Netflix. In the alternative, make frequent visits to LowEndTalk, LowEndSpirit, and StackSocial and await the next deal. It won’t be very long.

Unlimited Music Streaming Services


Perhaps the greatest blessing for parents was the arrival of unlimited streaming music services which all but eliminated the risk of being sued or prosecuted for music piracy. If you have a kid in college, the best deal on the planet is Spotify’s 4-year, $4.99 a month plan which provides access to their entire music catalog as well as a Hulu subscription. While you only get one stream at a time, lucky parents will soon discover that their listening hours rarely conflict with the waking hours of college students.

For Amazon Prime subscribers, Amazon has recently sweetened their music deal with Amazon Music Prime which provides free streaming access to 100 million songs. You can build playlists and so long as you stream them in Shuffle mode, Amazon will play all of your playlist selections before injecting any other content. Quite a deal.

Unlimited Home Internet Service



If you’ve grown weary of Comcast, Spectrum, and WOW regularly moving their pricing goalposts, you’ll be pleased to learn that both T-Mobile and Verizon now offer Home Internet Service with no data caps. We actually use T-Mobile’s offering in two locations so the first costs $30 a month with a Magenta Max cell plan and the second costs $50 a month, still a deal compared to the cable companies. Even in remote areas, we’ve found the download speeds to be quite reasonable at 200+ Mbps. And, with T-Mobile, the price is guaranteed for life. With Verizon and a qualifying cell plan, the monthly cost is $25 a month with a 2-year price guarantee. Both will partially cover early termination fees from your previous cable provider.

Lifetime Cloud Storage Services


We would be the first to warn you that lifetime cloud offerings can be a slippery slope simply because the provider’s monthly costs never go down. So long as their subscription model provides more revenue than their cost of doing business, they will probably stay around. Once the math changes, your investment AND your data goes down the toilet along with the provider. Having said that, we’ve signed up with pCloud which has been in business for a decade and boasts a subscriber base of 16 million users. Their lifetime 2TB Individual Plan provides 2TB of storage and 2TB of monthly download bandwidth for $399. Their 500GB Individual Plan provides 500GB of storage with 500GB of monthly download bandwidth for $199. Both plans include a PUBLIC folder (ours is here) in which you can store files with download links that are accessible anonymously using web browsers, wget, and curl. All of their monthly and lifetime plans include a 10-day money-back guarantee. Rave reviews are available from numerous sources using a Google search for pcloud reviews.

On the other end of the usability spectrum is the first provider we tried, Internxt. We bought their 1TB lifetime offering for €99.00, and it’s no longer available. Instead, they now offer a 2TB lifetime plan for $299 or a 5TB plan for $499. The gotcha with Internxt is their crippled download service. It only supports downloads using a web browser. Wget and curl downloads all fail with their support staff professing surprise or ignoring support requests. Steer clear!

Lifetime Email Hosting for BYO Domains


Email hosting is something that most of us take for granted, either because we have a free service from Google or Microsoft or because our Internet provider provides "free" email accounts. The old adage that you’re being penny-wise and pound-foolish seems particularly appropriate here. Your email service is a key critical component particularly if you’re in business. Our solution and the one we recommend is the MXroute Lifetime Plan for $199. With it, you can host unlimited domains and unlimited email accounts with a storage limit of 10GB and 300 outbound emails per hour. They have awesome tutorials to help you get started.

Originally published: Tuesday, May 23, 2023



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



The Ambidextrous Laptop: A Perfect Fit for Asterisk and VoIP



Until we bought a 15-inch Windows laptop with 20 gigs of RAM and a 1 terabyte NVMe SSD for under $500, we never would have considered such a computer an ideal virtual machine platform. And, to our surprise, with Windows 11 and a 4-core Ryzen 3 processor, it not only ran VirtualBox flawlessly, but Microsoft’s Windows Subsystem for Linux (WSLg) also performed admirably.
 


And then we tried out the UTM virtual machine platform on one of Apple’s new MacBook Air machines with an M1 processor and 16 gigs of RAM. Wow! How the world has changed. The MacBook Air 1TB offering buys you triple the performance of the Ryzen machine. But it’s more than triple the cost. So our message for today is don’t underestimate the benefits of running Asterisk® in a virtual machine environment where flawless backups are only the click of a button away. And, yes, it can travel with you without missing a beat. Add a free softphone such as Zoiper 5, and you have an instant mobile office. Of course, if your primary use is commercial, you’ll need to pay for Zoiper 5 Pro. The $50 price tag won’t break the bank.

What’s our favorite platform? You can probably guess. But, to be honest, the Ryzen-based Windows 11 machine is a steal and performs more than adequately as a virtual machine platform. And, if you’re more comfortable in the Windows ecosystem, it’s a smart choice. LibreOffice is available at no cost on both the Windows and Mac platforms as is Zoiper. So, functionally, as a travel companion and as a robust virtual machine host, you can’t lose.

While we’re on the mobile computing topic, we would be remiss in not addressing the topic of security. If you travel and are away from the protections of your home or office firewall, we will restate the obvious. You still need firewall protection for your computer. This is especially true if you’re also using the machine to host a PBX capable of making worldwide VoIP calls. While Windows and Mac platforms as well as Incredible PBX® all offer software-based firewalls, we still consider a hardware-based firewall a prudent addition. It’s your phone bill.



So here’s our tip of the week for a gadget to slip into your travel bag. Never leave home without it! It’s the GL.iNet Mini Travel Wireless Pocket Router currently available on Amazon for $32. You can plug it into your PC or a USB power source and set up a private WiFi network in minutes whether you’re in a hotel or any other location with public WiFi access. For those that always rely upon virtual private networks for communications as we do, this little router has OpenVPN support built in.

Full Disclosure: As an Amazon Associate, Nerd Vittles earns commissions from qualifying Amazon purchases to keep the Nerd Vittles lights burning brightly. And, as has always been the case, Nerd Vittles eats its own dog food. Simply stated, we always use and test products before recommending them to others.

Originally published: Monday, April 10, 2023



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Sangoma Beefs Up FreePBX Security… For a Price



We’ve lost count of the number of FreePBX® security breaches that were directly attributable to vulnerabilities in the FreePBX web interface. Suffice it to say, it was the reason that PBX in a Flash and Incredible PBX instituted the Travelin’ Man 3 firewall a decade ago hiding the FreePBX GUI from everyone except those on a whitelist controlled by the PBX administrator.

More than a decade later, Sangoma® finally introduces Multi-Factor Authentication (MFA) with two major gotchas. First, you have to pay for it. And second, it’s only available using Sangoma’s proprietary FreePBX platform rather than the open source release. There are so many things wrong with this greedy approach that we really don’t know where to begin.

For openers, offering a commercial MFA solution for a supposedly open source product is fundamentally wrong. Think of it this way. You only offer a safe version of your free product if users pay for it. Next, it demonstrates a fundamental misunderstanding of why two-factor authentication (2FA) and MFA have become ubiquitous. These tools provide an extra layer of security where users have no control over the underlying code of the application. For example, you don’t own PayPal or your bank’s platform so 2FA and MFA provide an extra layer of security for customers attempting to log into their accounts, to prove they are who they say they are using a previously registered cellphone or email account.

Contrast this scenario to those deploying FreePBX who have complete control of the underlying operating system and the FreePBX code itself. MFA doesn’t keep a disgruntled employee from gaining access to a server using an administrator password. MFA also provides zero protection against the myriad of security holes for which FreePBX has become infamous. In short, 2FA and MFA have a single task: allowing users to prove who they say they are by confirming their identity through an external source they control.

We believe Incredible PBX has always offered a better security solution for those that control their own PBX platforms. First, the Travelin’ Man 3 firewall lets you define exactly who can see your FreePBX GUI on the public Internet. If a user isn’t in the TM3 whitelist, they not only can’t login to the FreePBX GUI, they can’t even see it. Second, for the truly paranoid, you can add a third layer of security to the TM3 firewall and FreePBX authentication. Apache offers an additional login threshold for those seeking web access to any application over which the administrator has control. With Incredible PBX, it’s as simple as adding an additional freepbx.conf file in /etc/pbx/httpdconf and restarting Apache:

#Password protect /var/www/html/admin
<directory /var/www/html/admin>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/pbx/wwwpasswd
Require valid-user
</directory>

An administrator then has control over server access with three layers of security: (1) TM3 firewall access using the add-ip and add-fqdn scripts in /root, (2) Apache access using the apache-pw-change script, and (3) FreePBX GUI access using the admin-pw-change script.

We believe this three-tier, administrator-managed security model offers better and safer protection not only for every user of the FreePBX platform but also for the platform itself. Most importantly, it is and always has been FREE! Start by choosing an Incredible PBX platform that best meets your requirements by visiting the Incredible PBX Wiki.

Originally published: Monday, December 5, 2022



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




 

Black Friday Tip: August Door Locks Have No Competition



We do a considerable amount of traveling so electronic door locks are a must if you want the flexibility of sharing your home or letting a neighbor in when something comes unglued… or leaks. There’s no shortage of options if you do a quick scan of Amazon’s offerings. But, if you already have a deadbolt on your door, there’s one that stands head and shoulders above the competition. The August Smartlock + WiFi Bridge checks all the must-have’s. It’s an easy 5-minute install that leaves the outside of your door untouched. It supports Bluetooth and WiFi connectivity. It has automatic locking and unlocking, if desired. It talks to Alexa, and it has outstanding battery life thanks to a separate WiFi Bridge that plugs into the wall. With Black Friday just around the corner, you can bet the price will be even better than the current 28% Amazon discount which brings the current cost down from $200 to $144.48.

TIP: Using our Amazon referral links helps fund Nerd Vittles reviews.



What we love about the August locks is the app for your smartphone which lets you create separate "homes" for multiple locks so it’s simple to identify the one you wish to use. You can program the lock to unlock when you walk up to the door or, if you have an Alexa device near your door, you can even program the lock to unlock when you say "unlock the front door." Not to worry, you can set a PIN so every burglar in town can’t walk into your house uninvited.

A word of caution. August makes a number of smart locks. We’ve tried two of them, one with integrated Bluetooth and WiFi and our favorite which has Bluetooth in the lock and a separate WiFi Bridge. Suffice it to say, WiFi drains batteries quickly. If you plan to be away from a site for more than a couple months, don’t use the lock that includes WiFi. Also, the all-in-one lock uses harder-to-find batteries unlike the lock we prefer which uses four Alkaline AA’s.

Finally, if you care about awards, August has won almost all of them: Voted CNET Editor’s Choice two years in a row (2020/2021), Best Smart Lock by Good Housekeeping (2021), Best Smart Lock by Tom’s Guide (2021).

Small Fish in a Big Pond: A Few Words About Twitter. We try to steer clear of political subjects on Nerd Vittles. That’s what Twitter was for, with emphasis on the word "was." Since Elon’s takeover, just about everything at Twitter has blown up in his face and ours . If you read nothing else about why this matters, read MIT’s article on what the world would lose without Twitter.

What does this have to do with Nerd Vittles? Well, actually lots. You see we use Twitter almost exclusively to store ALL of the artwork for Nerd Vittles. In addition to photos, there are literally thousands of code screenshots. So a Twitter implosion would render huge portions of Nerd Vittles unusable. Anticipating that this was a distinct possibility when Elon first toyed with buying Twitter, we began archiving virtually all Nerd Vittles articles with their images on SourceForge. You’ll find them in the Nerd Vittles Greatest Hits folder. So, if Twitter suddenly dies, rest assured that we’ve preserved most Nerd Vittles content in easy-to-read PDF documents. And, in the event that happens, we will rework the current index of articles (shown below) so that it reflects the SourceForge links rather than Nerd Vittles links. Here’s hoping our worst fears never come to pass.

Follow us on Mastodon. Coming soon: The Incredible PBX Mastodon platform.

Originally published: Monday, November 14, 2022



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




 

Happy Fourth: Our Gift to You — 17+ Years of Nerd Vittles


Originally published: Monday, July 4, 2022



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Migrating Incredible PBX 2022 to a PUBLIC-Facing Cloud PBX



Today we want to show you how to reconfigure Incredible PBX 2022 for Rocky 8 into a PUBLIC-facing Cloud PBX. What that means is authorized users can connect a SIP phone to the PBX regardless of where the user might be located without worries about an ever-changing dynamic IP address and the requirement to whitelist the new IP address. A PUBLIC-facing PBX also provides free SIP URI connectivity to users of your PBX by anyone from anywhere in the world. In other words, it’s similar to the way you could connect to any Ma Bell telephone in the world simply by knowing the number to dial. The difference, of course, is SIP URI connectivity is free while there were often staggering long distance charges for remote connectivity in the Ma Bell days. Fifty years ago it was not uncommon for a college boy to spend $200 a month calling his college sweetheart less than 200 miles away in the same state. Ask me how I know.

Why is this such a big deal? The short answer is security and your phone bill. You don’t want bad guys on the other side of the globe attempting to register a SIP phone to your PBX so that they can use your trunks to make free phone calls on your nickel. You also don’t want anybody and everybody calling your users by simply guessing the IP address of your PBX. As with Incredible PBX 2021 PUBLIC for Debian, today’s design combines several security mechanisms to make a PUBLIC-facing PBX safe and secure. First, we will block all SIP connectivity to your PBX by IP address. Second, we will identify 30,000+ known SIP bad guys and block their access to your PBX entirely. Third, we will only permit SSH access to your PBX using public key authentication instead of traditional username/password authentication. Fourth, we will only permit web access to the Incredible PBX portal from whitelisted IP addresses and OpenVPN private addresses. We haven’t mentioned the elephant in the room, Distributed Denial of Service (DDoS) attacks, but today’s methodology reduces the risk considerably since your PBX cannot be ping’d, and all IP address access is blocked at the Linux kernel level.

Prerequisites. To put all these safeguards in place, you’ll need a cloud-based Incredible PBX 2022 KVM platform running Rocky 8. Install the latest Incredible PBX 2022 platform using our tutorial. Next, you’ll need these items:

  1. Public IP Address of your server
  2. Obscure FQDN linked to this public IP address
  3. Random SSH port with registered public keys for SSH access
  4. List of SIP extensions to enable for SIP URI access
  5. IP Addresses to WhiteList for Access to the Web GUI

1. Deciphering Public IP Address of Your PBX

After logging into your PBX as root, you can execute pbxstatus to decipher the public IP address of the PBX. Or issue the command: wget -q -O - ipinfo.io/ip

2. Obtaining an FQDN for Your PBX

Security through obscurity provides a critical layer of protection for your server so choose an FQDN carefully. sip.yourname.com provides little protection while f246g.yourname.com pretty much assures that nobody is going to guess your domain name. This is particularly important with SIP registrations because registered extensions on your PBX can obviously make phone calls that cost you money. If you don’t have your own domain, you can always obtain a free hostname from a service such as NoIP.com.

3. Securing SSH Access to Your PBX

Whatever you do, don’t leave SSH access via port 22 exposed on your PBX. In the time it took to create a new PBX on CloudAtCost, there were over 400 attempted logins to the default SSH port of the new server. The simplest (but least secure) method to avoid these script kiddie attacks is to change the port number for SSH access to your server. We suggest using the year you were born as the port number because it’s easy to remember. Edit /etc/ssh/sshd_config and uncomment the Port line replacing 22 with the port number you chose. Then restart SSH: systemctl restart sshd.

The preferable solution to secure SSH is to create and use SSH keys for access and set PasswordAuthentication no on the last line of /etc/ssh/sshd_config. Digital Ocean has an excellent tutorial to walk you through the setup process.

4. Choosing Extensions for SIP URI Public Access

With today’s PUBLIC design, exposing an extension for PUBLIC access means anyone in the world that knows the FQDN of your server and the extension number can do two things using any SIP client: (1) they can call you and (2) they can attempt to register to that extension and make calls on your trunks AND your nickel. So only expose extensions for public access if there is a need to connect or call from remote locations. For extensions you decide to expose, make certain that the passwords for these extensions are extremely secure, lengthy, and use numbers with both UPPER and lower case letters. Never use default extension passwords!

5. Whitelisting IP Addresses for Public Web Access

Without enumerating IP addresses for public web access, you won’t be able to connect to the web GUI of your PBX from any IP address. Down the road, if you wish to authroize additional IP addresses, you can use /root/add-ip to add them via SSH.

Deploying Incredible PBX PUBLIC Firewall

To get started, log into your server as root and issue the following commands:

cd /tmp
wget http://incrediblepbx.com/newpublic.tar.gz
tar zxvf newpublic.tar.gz
rm -f newpublic.tar.gz

Next, edit /tmp/iptables.base and change the highlighted entries:


Change port 22 in the dport entry to the SSH port number you chose in Step 3, above.

Change 8.8.8.8, 8.8.4.4., and 1.1.1.1 to actual public IP addresses of desktop machines you wish to use to access the web GUI of your PBX. If you don’t need three entries, comment out the other entries with # at the beginning of each line.

Replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.

Save the file.

On the Rocky 8 platform, issue the following commands:

cd /etc/sysconfig
cp /tmp/iptables.base .
mv iptables iptables.orig
cp iptables.base iptables

Using Incredible PBX PUBLIC with Asterisk

The first line of defense with this PUBLIC implementation is your FQDN. Second is the IPtables firewall setup above. And third is the Asterisk® extensions configuration in extensions_override_freepbx.conf. Here’s how to configure it. Edit /tmp/extensions_override_freepbx.base and change the highlighted entries:


If there are phone numbers assigned to your PBX that you want processed according to your Inbound Routing rules, duplicate the first highlighted line above and, for each trunk, replace 8881234567 with your actual DID numbers.

In exten => _.,1 line, replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.

In exten => _.,10 line, replace your-servers-FQDN with the actual FQDN assigned to your PBX from Step 2, above.

Scroll down in the file to the following section:



Comment out undesired default extensions. Place a semicolon at the beginning of the lines.

For any extensions you wish to add, insert a new line in the following format replacing both 7000 entries with the desired extension number:

exten => 7000,13,Dial(local/7000@from-internal)

Save the file and then execute the following commands to complete the PUBLIC setup:

cd /etc/asterisk
cp /tmp/extensions_override_freepbx.base .
mv extensions_override_freepbx.conf extensions_override_freepbx.orig
cp extensions_override_freepbx.base extensions_override_freepbx.conf
fwconsole restart
asterisk -rx "dialplan reload"
iptables-restart
sed -i 's|-A INPUT|-I INPUT|' /root/add-ip
sed -i 's|-A INPUT|-I INPUT|' /root/add-fqdn

Adding IPSET Incredible PBX 2022 Protection

We’re not the biggest fans of blacklists because the bad guys spend a lot of time trying to corrupt them by inserting valid IP addresses of sites such as DNS servers in the lists to wreak havoc. Having said that, there are two blacklists that are carefully monitored on a daily basis, and both provide additional protection for your PBX by weeding out access by 30,000+ potential bad guys. The oldest of these is VoIP Blacklist. And the new kid on the block is APIBAN from LOD.com and Fred Posner. We’ve simplified the setup process for use with Incredible PBX 2022. To get started, obtain an APIBAN API key here. Then issue the following commands to put all the pieces in place on your server:


cd /usr/local/sbin
wget http://incrediblepbx.com/incrediblepbx-ipsets8.tar.gz
tar zxvf incrediblepbx-ipsets8.tar.gz
rm -f incrediblepbx-ipsets8.tar.gz

Next, edit /usr/local/sbin/apiban-init and insert your APIkey.

Finally, issue the following command to reload the firewall: iptables-restart

Verifying Firewall Setup of Incredible PBX

Let’s make certain that everything got installed correctly. Begin by issuing this command: iptables -nL

Scroll toward the top of the list, and you should see two entries for the voipbl and apiban ipsets indicating that entries in those lists will be dropped by the firewall.


Next, verify that the voipbl and apiban ipsets are populated. The first two commands below will list all of the blocked IP addresses. And the next two commands will provide a count of the dropped IP addresses.

ipset list voipbl
ipset list apiban
ipset list voipbl | wc -l
ipset list apiban | wc -l

Finally, you can refresh the ipsets with the following two commands:

voipbl-init
apiban-init

Rebooting or restarting the firewall with iptables-restart also refreshes the ipset listings.




 

Calling an Incredible PBX PUBLIC Extension

Any extensions that you have whitelisted in the blue section above can be called from anywhere using any SIP client. Simply enter the SIP URI for the extension in the following format: SIP/extension@your-servers-FQDN

CAUTION: If a caller attempts to call any extension on your PUBLIC server from an extension on another Asterisk server to which the caller is registered, the call will fail if there is a matching extension number on the PUBLIC server and the two servers are not registered to each other. So remember to use unique extension numbers on your PUBLIC server if you expect callers from other Asterisk servers.

Registering Incredible PBX PUBLIC Extension

If you wish to login to a whitelisted extension using a SIP client, enter the extension and password of the extension. For the server address, enter the FQDN of your server. If it’s a PJsip extension, add :5061 to the end of the FQDN.

Originally published: Monday, April 25, 2022



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Is SIP Trunking Safe & Reliable in the DDoS World?



Since last Thursday when VoIP.ms suffered (and continues to suffer) one of the worst Distributed Denial of Service (DDOS) attacks in the VoIP era, we’ve been asked a thousand times whether any SIP trunking provider can provide a safe and reliable platform under circumstances similar to the VoIP.ms outage. We obviously cannot vouch for every trunking provider but, based upon our discussions with two of the major carriers that support Incredible PBX, we are confident that either of them could withstand a similar attack and your phones would still ring. Keep in mind that one of the hidden beauties of VoIP is the ability to configure your PBX to use multiple carriers for failover in making outbound calls, something we have always recommended. Unfortunately, inbound calls are tied to registration of each DID with one and only one carrier. Thus, if that carrier goes off line, incoming calls to DIDs registered with that carrier will fail.

To restate the obvious, no provider is going to publicly document their DDOS remediation methodology thereby providing attackers with a blueprint to their network design and remediation strategy. However, under non-disclosure agreements, we have spoken at length with the owners of our two major Incredible PBX providers: Skyetel and Clearly IP. Based upon our NDA discussions over the past few days, we are satisfied that the SIP trunking offerings of our two primary carriers are sufficiently robust to withstand a VoIP.ms-like DDOS attack. Having said that, we are optimistic that the VoIP.ms outage has placed a renewed spotlight on the seriousness of these DDOS attacks with the FBI and the U.S. Department of Homeland Security.

So what’s missing from the VoIP.ms design that has made their infrastructure so vulnerable? Lots. For openers, VoIP.ms apparently does not rely upon SIP proxies or firewalls using industry-standard network management procedures. In fact, until several days ago, VoIP.ms reportedly was hosting its own DNS servers exclusively. While that has been addressed by moving to Cloudflare, other design vulnerabilities have been more difficult to ameliorate. For example, SIP trunking with VoIP.ms by design requires registration to one of several dozen POPs on both your PBX and on their public-facing portal. An inability to access their public portal means an administrator cannot redirect traffic to another POP in case of an outage. And, if an individual POP is overwhelmed with a DDOS attack, that POP can no longer redirect its incoming calls to a failover location. And apparently it is the only server from which this redirection can be initiated. As the current five-day outage makes clear, reengineering this design would be a Herculean task. So an important lesson learned should be that FORWARDING DIDS TO ANOTHER NUMBER OR SIP ADDRESS SHOULD BE COMPLETELY INDEPENDENT OF YOUR PUBLIC-FACING ARCHITECTURE.

What can you do at this juncture to lessen your vulnerability to a future DDOS attack? First, don’t put all of your eggs in one carrier’s basket. This is especially true with your main phone numbers (DIDs). Second, if you are a major organization, move your most important DIDs to one of our preferred providers, Skyetel or ClearlyIP. And, if money is no object, consider an AT&T, Verizon, T-Mobile, or Google Voice trunk. With multi-path forwarding, simultaneous incoming calls can be redirected to other DIDs hosted with SIP trunking providers. These paths can easily be adjusted in the event of a DDOS attack. Many of these providers offer heavily discounted rates for forwarding calls to other SIP destinations which need not be publicly disclosed.

Latest VoIP.ms Update:


Originally published: Monday, September 20, 2021



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.