
Security 101: A Fresh Look at Incredible PBX Security Audit Methodology

Incredible PBX remains one of the most secure VoIP server platforms on the planet for one simple reason. We always deploy a preconfigured Linux IPtables firewall with a whitelist that hides your server from everyone except you and trusted VoIP providers. IPtables is automatically configured and deployed as part of every initial install of Incredible PBX regardless of your platform. This includes XiVO with Debian 8 as well as CentOS 6 and 7, Ubuntu 14.04, Raspbian 7 and 8, and even SHMZ OS (not recommended). If your server happens to be housed behind a hardware-based firewall as well, then so much the better. That obviously isn’t possible with most Cloud-based servers so IPtables firewall security is a must.

Unlike most other VoIP server platforms, we don’t leave firewall configuration to chance. Nor do we assume you’re a firewall expert. It really doesn’t matter whether you are or not, you still need a server platform that is secure and protected. So we do it for you initially and, if you are a firewall expert or study to become one, you then can modify the default settings to meet your own requirements down the road. In the meantime, you and your server are protected.

As you probably have surmised, we conduct periodic security audits of our servers testing for vulnerabilities. And we perform these audits locally as well as remotely using servers we’ve deployed throughout the world. We also deploy honeypot servers from time to time in order to gather important information about what the bad guys are up to. With as many platforms as Incredible PBX now supports, just conducting local and remote security audits is no small feat.

Today we want to share some of the methodology we use in conducting our audits, and we’ll provide the results of our most recent remote security audit. We encourage everyone with a VoIP server, whether it’s Incredible PBX or some other platform, to periodically test your server(s) for vulnerabilities AND access. It not only could save you thousands of dollars, but it also protects the rest of us by assuring that you haven’t inadvertently provided malicious individuals with a zombie platform from which to launch denial of service and spam attacks against the Internet community. So let’s get started.

The first step in testing your server is to log into your server as root using SSH or Putty from multiple IP addresses. These sites should include logins from the home base of your server if it’s a dedicated machine, from your home PC, from a neighbor’s PC, from a public WiFi hotspot, and from your smartphone as well as someone else’s. If you gain access from all of these sites, you’ve got a problem. It means SSH access is not protected in any way on your server. While SSH is relatively secure, it has had its share of problems. And zero day vulnerabilities are regularly discovered in various Linux utilities so exposing all of your server’s important resources to the Internet is a very bad idea.

The second test deciphers the existing firewall rules that have been activated on your server: iptables -nL. If the results look like the following, you’ve got a major problem. It means there are no firewall rules blocking any access to your server:

root@incrediblepbx:~ $ iptables -nL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Next, reboot your server and repeat the first two tests to make certain that your firewall still is activated properly whenever your server experiences a power outage and comes back on line.
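The second test can be scripted so it is easy to repeat after every reboot. The following is an added example, not code from Incredible PBX: it grades the INPUT chain from iptables -nL output. The function name, the verdict words and the two constructed sample listings are assumptions made for illustration.

```bash
# Added example: grade the INPUT chain from `iptables -nL` output on stdin.
#   OPEN      policy ACCEPT and no rules at all (the listing shown above)
#   REVIEW    policy ACCEPT, rules present, but none of them DROP or REJECT
#   FILTERED  policy is not ACCEPT, or at least one DROP/REJECT rule exists
# Exit status: 0 FILTERED, 1 OPEN or REVIEW, 2 no INPUT chain in the input.
# Live use as root:  iptables -nL | audit_input_chain
audit_input_chain() {
  awk '
    /^Chain / {                       # e.g. "Chain INPUT (policy ACCEPT)"
      in_input = ($2 == "INPUT")
      if (in_input) { seen = 1; policy = $4; sub(/\)/, "", policy) }
      next
    }
    !in_input || NF == 0 || $1 == "target" { next }  # other chains, blanks, header
    { rules++; if ($1 == "DROP" || $1 == "REJECT") blocking++ }
    END {
      if (!seen) { print "UNKNOWN no INPUT chain found"; exit 2 }
      detail = " policy=" policy " rules=" (rules + 0)
      if (policy != "ACCEPT" || blocking) { print "FILTERED" detail; exit 0 }
      if (rules == 0) { print "OPEN" detail; exit 1 }
      print "REVIEW" detail; exit 1
    }'
}

sample_open() {          # the wide-open listing from the article
  cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample; addresses come from documentation ranges.
# -nL has no interface column, so the first ACCEPT row may be a
# loopback-only rule; `iptables -nvL` shows the interface.
sample_whitelisted() {
  cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  192.0.2.10           0.0.0.0/0
ACCEPT     udp  --  198.51.100.7         0.0.0.0/0            udp dpts:5060:5069

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

sample_accept_only() {   # constructed: rules are loaded, but nothing ever blocks
  cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.0.2.10           0.0.0.0/0
EOF
}

# Demo run over the three samples.
for s in sample_open sample_whitelisted sample_accept_only; do
  printf '%-20s %s\n' "$s" "$($s | audit_input_chain)"
done
```

FILTERED only means that some blocking is in place; it does not replace the login tests from outside addresses described in the first step.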

If your firewall is not running, try issuing the command, iptables-restart, and then retest: iptables -nL. If you get the same results shown above, then something has come unglued. Here’s how to easily fix things up. First, move to the directory where the iptables rules are stored on your server. For CentOS/SL/RHEL, it’s /etc/sysconfig. For Debian/Ubuntu/Raspbian, it’s /etc/iptables.

Next, copy the default Incredible PBX firewall settings to the proper file location.

For CentOS/SL/RHEL platforms:

cp -p /etc/sysconfig/rules.v4.ubuntu14 /etc/sysconfig/iptables
cp -p /etc/sysconfig/rules.v6.ubuntu14 /etc/sysconfig/ip6tables

For Debian/Ubuntu/Raspbian platforms:

cp -p /etc/iptables/rules.v4.ubuntu14 /etc/iptables/rules.v4
cp -p /etc/iptables/rules.v6.ubuntu14 /etc/iptables/rules.v6

Next, edit iptables (CentOS/SL/RHEL) or rules.v4 (Debian/Ubuntu/Raspbian) and move to the bottom of the file where you’ll find a section that looks like this:

# The IP addresses are your server, user, and public addresses respectively
-A INPUT -s 8.8.4.4 -j ACCEPT
-A INPUT -s 8.8.8.8 -j ACCEPT
-A INPUT -s 74.86.213.25 -j ACCEPT

Replace the existing IP addresses with the actual IP addresses of your server, user workstation, and public IP address. Be very careful here. If you don’t whitelist the IP address of the machine on which you are performing these tasks, you will lock yourself out when you restart your firewall. Once you’ve made the changes, save the file.

Finally, restart IPtables using the following command: iptables-restart. Then retest: iptables -nL.

We’re not going to spend a lot of time addressing what the proper firewall rules for your VoIP server should be. If you’re interested, you can take a look at the IPtables firewall setup that is deployed with Incredible PBX. On RHEL/CentOS/SL servers, you’ll find the firewall rules in /etc/sysconfig/iptables. On Debian/Ubuntu/Raspbian servers, the rules are in /etc/iptables/rules.v4. Suffice it to say that, if the only remote access required with your server is to connect to VoIP service providers, there is no reason to expose your web server or your SIP ports to the Internet, period. And this is true whether your server is sitting behind a hardware-based firewall or not.

The Incredible PBX security design uses a whitelist to provide access to most network services other than those that are absolutely essential to the operation of your server. The reason we use a whitelist is because blacklists don’t work. Those interested in doing harm to your server are perfectly capable of altering their IP addresses until they find one that isn’t blacklisted. And they also are adept at poisoning blacklists with IP addresses that are absolutely essential to the operation of your server, e.g. DNS servers and NTP servers.

As part of every Incredible PBX firewall install, we provide SIP and IAX access to many of the major VoIP providers around the globe. You may be wondering why we use IP addresses for providers rather than fully-qualified domain names. The reason is that IPtables doesn’t directly support FQDNs. Instead, when IPtables starts up, it looks up every FQDN and converts it into an IP address. If a server matching the FQDN happens to be off line, IPtables crashes and burns. The same is true if the lookup is attempted before DNS services are running on your server. So, the short answer to why we use IP addresses is because it is safer. The downside, of course, is you can’t eyeball the IP address and decipher to whom it belongs. If you ever have any doubt about the identity of the provider associated with any specific IP address, there’s a simple utility you can run to identify its owner: nslookup 178.63.143.236.

Here is a list of the providers included in the default Incredible PBX whitelist. Others can be added using the add-ip and add-fqdn utilities in /root. If you use FQDNs, be sure to add the entries to /root/ipchecker so that your IP addresses are periodically checked and updated when necessary. This is especially important for dynamic IP addresses at remote locations.

outbound1.vitelity.net
inbound1.vitelity.net
atlanta.voip.ms
chicago.voip.ms
dallas.voip.ms
houston.voip.ms
losangeles.voip.ms
newyork.voip.ms
seattle.voip.ms
tampa.voip.ms
montreal.voip.ms
montreal2.voip.ms
toronto.voip.ms
toronto2.voip.ms
london.voip.ms
didforsale.com
callcentric.com
sipgate.com
chi-in.voipstreet.com
did.voip.les.net
magnum.axvoice.com
proxy.sipthor.net
sip.voipwelcome.com
incoming.future-nine.com
outgoing.future-nine.com
DEN.teliax.net
LAX.teliax.net
NYC.teliax.net
ATL.teliax.net
IPkall (defunct) used two IP addresses: 66.54.140.46 and 66.54.140.47
gvgw1.simonics.com
sip2sip.info
googlelabs.com
talk.google.com
gmail.com

The major drawbacks to firewall whitelists are (1) you can inadvertently lock yourself out of your own server and (2) someone that needs access to your server from remote locations may have more difficulty connecting without intervention by a network administrator to authorize remote access. With Incredible PBX, we’ve provided some tools to ease the pain. First, Incredible PBX is deployed with both the PPTP and NeoRouter VPN platforms already in place. With a VPN IP address, remote logins are minimized because they work from almost anywhere. Second, Incredible PBX includes the PortKnocker utility which lets a remote user “knock” on the server using three randomly assigned port numbers to gain temporary access. Many Incredible PBX platforms also support Travelin’ Man 4 which lets you authorize remote access by telephone. You also need to test remote VPN, PortKnocker, and Travelin’ Man 4 access as part of your security audits.

Testing for vulnerabilities is only half of the puzzle. Also make certain that your server has the proper Linux tools in place to allow you to whitelist additional IP addresses so that remote users can deploy phones or gain access to your server when necessary. Try to run the nslookup and dig utilities to verify that they are installed on your server. If not, install them with yum install bind-utils (CentOS/SL/RHEL) or apt-get install dnsutils (Debian/Ubuntu/Raspbian).

Security Audit Results. We’re pleased to report that no vulnerabilities were identified in any of the Incredible PBX platforms; however, good security practices dictate that the IPkall IP addresses should probably be removed from the whitelist now that the company has ceased providing VoIP services.

For CentOS/SL/RHEL platforms:

sed -i '/66.54.140.46/d' /etc/sysconfig/iptables
sed -i '/66.54.140.47/d' /etc/sysconfig/iptables
sed -i '/66.54.140.46/d' /etc/sysconfig/rules.v4.ubuntu14
sed -i '/66.54.140.47/d' /etc/sysconfig/rules.v4.ubuntu14
iptables-restart

For Debian/Ubuntu/Raspbian platforms:

sed -i '/66.54.140.46/d' /etc/iptables/rules.v4
sed -i '/66.54.140.47/d' /etc/iptables/rules.v4
sed -i '/66.54.140.46/d' /etc/iptables/rules.v4.ubuntu14
sed -i '/66.54.140.47/d' /etc/iptables/rules.v4.ubuntu14
iptables-restart
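An added example, not part of the original article or of Incredible PBX: a read-only check of the whitelist file before restarting the firewall. It covers three points the article raises: the shipped placeholder addresses that must be replaced, hostnames that are looked up when the rules are loaded, and the retired IPkall addresses. The function name, the output format and the sample rules are assumptions constructed for illustration.

```bash
# Added example: flag risky whitelist sources in an iptables rules file.
#   TEMPLATE  placeholder address from the shipped file, never replaced
#   STALE     IPkall address that the audit says to remove
#   FQDN      hostname instead of an IP, looked up when the rules load
# Usage: audit_whitelist /etc/sysconfig/iptables     (CentOS/SL/RHEL)
#        audit_whitelist /etc/iptables/rules.v4      (Debian/Ubuntu/Raspbian)
# With no file argument the rules are read from stdin.
# Exit status: 0 when nothing is flagged, 1 otherwise.
audit_whitelist() {
  awk -v template="8.8.4.4 8.8.8.8 74.86.213.25" \
      -v stale="66.54.140.46 66.54.140.47" '
    BEGIN {
      n = split(template, t, " "); for (i = 1; i <= n; i++) tag[t[i]] = "TEMPLATE"
      n = split(stale, s, " ");    for (i = 1; i <= n; i++) tag[s[i]] = "STALE"
    }
    function report(kind, src) { printf "%s line %d: %s\n", kind, NR, src; found = 1 }
    # Only whitelist entries matter here: -A INPUT ... -s <source> ... -j ACCEPT
    $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
      for (i = 3; i < NF; i++) {
        if ($i != "-s" && $i != "--source") continue
        m = split($(i + 1), srcs, ",")
        for (k = 1; k <= m; k++) {
          src = srcs[k]; sub(/\/.*/, "", src)          # drop any /mask suffix
          if (src in tag) report(tag[src], src)
          else if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) report("FQDN", src)
        }
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$@"
}

# Constructed rules file; sip.example.net and the 192.0.2.x / 198.51.100.x
# addresses are documentation values, not real providers.
sample_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 66.54.140.46 -j ACCEPT
-A INPUT -s sip.example.net -j ACCEPT
-A INPUT -s 198.51.100.7/32 -j ACCEPT
# The IP addresses are your server, user, and public addresses respectively
-A INPUT -s 8.8.4.4 -j ACCEPT
-A INPUT -s 192.0.2.10 -j ACCEPT
COMMIT
EOF
}

# Demo run on the constructed sample.
sample_rules | audit_whitelist || echo "review the entries above before running iptables-restart"
```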

We did identify a couple of access anomalies that kept the add-ip and add-fqdn utilities in /root from functioning properly. These glitches meant that a few administrators could not easily add remote IP addresses to their whitelists. Three fixes are recommended. First, be sure the nslookup and dig utilities described above are installed on your server. Second, on CentOS/SL/RHEL platforms or servers installed using the Incredible PBX ISO, issue the following commands after logging into your server as root:

sed -i 's|/etc/iptables/rules.v4|/etc/sysconfig/iptables|' /root/add-ip
sed -i 's|/etc/iptables/rules.v4|/etc/sysconfig/iptables|' /root/add-fqdn

Third, for Incredible PBX deployments on the CentOS 7 platform, issue these commands while logged in as root:

chattr -i /root/add-ip
sed -i 's|iptables-persistent|iptables|' /root/add-ip
chattr +i /root/add-ip

Be safe!

Originally published: Tuesday, August 9, 2016






    The XiVO Adventure Continues: Adding Incredible PBX Goodies to Your Sandbox

    We began our XiVO adventure last week by introducing a terrific new communications platform for both businesses and hobbyists. This week we begin the task of incorporating the Incredible PBX Goody Bag into an already amazing PBX, and we’ll cover about a dozen new topics. We’ll also address a few XiVO basics such as where to find and how to use the backups that XiVO makes every morning while many of us are still sleeping. Since a new XiVO release is imminent, we also want to show you how easy it is to upgrade your server. Before we get to the good stuff, we want to take a moment and document a fourth platform for XiVO that will appeal to many large organizations and perhaps some of our pioneers. It’s our platform of choice for development of new applications.

    UPDATE: The first release of Incredible PBX for XiVO is now available here. Please consider this article superseded by the new release.

    Installing XiVO as a VMware Virtual Machine

    If your organization runs VMware, you may not need to worry about finding your own platform for XiVO. You can get your IT guys to build you a XiVO VM using XiVO’s Debian-based ISO. Then again, you might have followed our tutorial and chosen to run your own VMware ESXi server. In either case, a quick refresher on getting XiVO installed may be helpful. Begin by downloading XiVO to your Windows desktop. Then log into VMware vSphere Client on your Windows machine to access ESXi.

    First, you’ll want to upload the XiVO ISO as a VMware guest operating system so that it can be used to create virtual machines at any time. From your inventory, click on the Configuration tab. Then click Storage under the Hardware listing. When your Datastore appears, right-click on datastore1 and choose Browse Datastore. Finally, click the Upload Files to this Datastore icon in your Datastore Browser and choose Upload File option. Choose the XiVO ISO from the Upload Items menu to upload it into your Datastore.

    Now we’re ready to create a Virtual Machine. Right-click on the IP address of your VMware server and choose New Virtual Machine. Leave the Typical Configuration option selected and click Next. Give the virtual machine a name and click Next. Select the Destination Storage device and click Next. For the Operating System, choose Linux and pick Debian 8 (64-bit) then Next. Choose the NIC to use for the VM and click Next. Choose your Virtual Disk Size and Thin Provision option then Next. Check the box to Edit Virtual Machine Settings Before Completion and click Continue. Click the Options tab in Virtual Machine Properties and click Boot Options. Check the Force BIOS Setup option on next boot. Click Finish.

    Starting your virtual machine the first time is not exactly intuitive so follow these steps carefully and in order. Keep in mind that, on the initial bootup of your virtual machine, what we want to do is run the XiVO ISO installer just as if we had booted a standalone machine using a CD on which we had burned the XiVO ISO. To begin the boot process correctly, first highlight your new VM by clicking on it and then choose Power on Virtual Machine. Next, click on the CD/DVD icon in the toolbar, choose CD/DVD Drive 1, choose connect to ISO image on Datastore. Double-click on datastore1 and then double-click on the XiVO ISO we uploaded previously. Now click on Launch Virtual Machine Console icon in the toolbar. When the BIOS setup utility appears, click in the window and use the Right Arrow key to move to the Boot tab. Move the CD-ROM option to the top of the list by highlighting it and pressing the + key to move it up. Press F10 to Save and Exit from the BIOS Setup and boot into your XiVO ISO. Click Install option to begin the regular XiVO installation procedure. When you finish the install, log into your server as root and obtain your IP address: ifconfig. You then can exit from the Console window by pressing Ctrl-Alt and use a browser to complete the install by pointing to the IP address of your virtual machine. Don’t forget that root SSH access is disabled by default. Our original tutorial will show you how to fix it AND install the Travelin’ Man 3 firewall whitelist to protect your server.

    Adding a RingPlus SIP Trunk for Unified Communications with Sprint

    Last week we began the XiVO adventure by turning on free Google Voice calling in the U.S. and Canada. Today we want to integrate smartphones into the mix by providing an incredibly simple and dirt cheap way to expand your XiVO communications platform while transparently meshing it with a RingPlus smartphone and the Sprint cellular network. When we’re finished, calls to your smartphone will also ring on one or more XiVO extensions. And designated users of your XiVO PBX will be able to place free calls to U.S. destinations using a SIP trunk tied directly to your RingPlus cellular account. These calls won’t be cellular. They’ll be pure VoIP calls using Sprint’s Internet backbone so listen for that pin to drop. If you have a (free) unlimited calling plan with RingPlus, then you’ll inherit a (free) unlimited calling plan for your XiVO PBX. Stated another way, whatever calling minutes you have with RingPlus can be shared on your XiVO PBX as inbound and outbound VoIP calls. The silver lining is that voicemails left on RingPlus get transcribed and delivered to your email address in seconds. So you get the best of both worlds. That’s what Unified Communications is all about!

    Don’t worry if you’re late to the party and not yet a RingPlus user. They announce new deals every week so just check every few days until you find a plan that meets your needs. You won’t have to wait long. Here’s a list of all the previously announced PROMOS to give you a good handle on the scope of the RingPlus offerings. Deals don’t last but a couple hours or days so check often or sign up for RingPlus Alerts on SlickDeals and you’ll be the first to know! There’s a terrific deal tonight only from 8 p.m. until midnight.



    We’ve already documented the XiVO setup procedure on the PIAF Forum so hop over there to see how easy this is. Keep in mind that XiVO differs a bit from FreePBX® in the way Outbound Calls are managed. In FreePBX, you prioritized the routes by arranging them in a hierarchical list. In XiVO, you use unique dial strings, e.g. NXXNXXXXXX, for every Outbound Route. So, if you’re adding RingPlus to an existing XiVO server that already is using the NXXNXXXXXX dial string, then you’d need to use a different dial string to route calls out through the RingPlus trunk, e.g. 77NXXNXXXXXX with Stripnum=2. That tells XiVO that your users will dial calls to be handled by RingPlus with a prefix of 77 (RP), and then we want XiVO to strip off the first two digits before passing the call to the RingPlus SIP trunk for processing.

    If you’re new to RingPlus, start with the original Nerd Vittles article for some background and then follow the RingPlus threads on the PIAF Forum and DSL Reports for the latest tips and tricks.

    Adding a FreeVoipDeal (Betamax) SIP Trunk for Free International Calling

    Before deploying a SIP trunk from one of the Betamax companies, read our latest article about Betamax for tips and tricks and land mines to watch out for. Then click the link below when you’re ready to deploy FreeVoipDeal as a trunk on your XiVO PBX:


    Everything You Need to Know About XiVO Backups

    Another feature of XiVO that separates the men from the boys is its documentation. In the case of backups, you’ll find everything you need to know here. All backups are stored on your XiVO server’s local drive in /var/backups/xivo. Be sure you have ample storage space available and, if you’re smart, you’ll copy both data.tgz and db.tgz from the local drive to a safe remote location periodically just in case disaster strikes. The documentation shows you how to quickly restore a backup should that ever become necessary.

    Upgrading XiVO to the Latest Release

    The XiVO development cycle is nothing short of miraculous. A new version is released every three weeks! The average time to close a bug has dropped from 315 days in 2009 to 28 days in 2012! You’ll probably want to keep your system current. 🙂

    Upgrading XiVO is even easier than restoring a backup. Upgrade documentation is available here. Because we’ve added the Travelin’ Man 3 firewall, we recommend stopping IPtables during an upgrade and then restarting it when you’re finished. Your phone system is disabled during the upgrade. When upgrading XiVO, remember to also upgrade all associated XiVO Clients. Be sure to verify that things are back to normal once the upgrade procedure is completed: xivo-service status.

    The commands to upgrade your XiVO PBX are as follows:

    /etc/init.d/netfilter-persistent stop
    xivo-upgrade
    iptables-restart
    

    Update: There’s a great tip from one of the XiVO developers on a better way to do this. See the first comment below.

    Prerequisites for Today’s XiVO Adventure

    If you’re just getting started with XiVO, DON’T START HERE. Read our first article. Be sure you have completed the following 8 steps before proceeding:

    1. Set Up Root SSH Access to Your XiVO PBX
    2. Set Up the Travelin’ Man 3 IPtables Firewall Using an SSH/Putty Connection
    3. Complete the XiVO Setup Using a Web Browser
    4. Create At Least One User with a 701 Extension
    5. Create At Least One SIP Trunk to Use for Outbound Calls
    6. Configure Outbound Call Settings for Your Trunk Using NXXNXXXXXX
    7. Configure an Inbound Route for Trunk Pointing to Your User Account
    8. If Behind NAT Firewall, Set externip and local network in General Settings -> SIP Protocol -> Network

    Creating a MeetMe Conference Room for XiVO

    There are just two steps to setting up a conference room. First, you need to add the extensions you will use for your conferences in the Default context. Then you add the Conference Room under IPBX Settings. Let’s set up a conference room extension 2663 (C-O-N-F). In your Default context, click on the Conference Rooms tab and enter an extension range of 2663-2664 and click Save. Then, in the Conference Rooms tab, click the + icon to add a new CONF conference room at extension 2663 in the Default context. You can experiment with the other settings when you have some spare time. The entries are pretty much self-explanatory. Click Save to activate your conference room. You won’t have music on hold for the first participant just yet. We’ll do that next.

    Adding Music on Hold to XiVO

    By default, XiVO doesn’t come with any music on hold. Fortunately, Digium has negotiated a music on hold license that you can use to add it to your PBX at no cost. While logged into your XiVO PBX as root, issue the following commands:

    cd /
    wget http://incrediblepbx.com/moh-xivo.tar.gz
    tar zxvf moh-xivo.tar.gz
    /etc/init.d/asterisk restart
    

    Asterisk Application Development with XiVO

    For those coming from the FreePBX world, here’s a quick introduction to Asterisk application development on the XiVO platform. First and foremost, there are more similarities than differences. In the FreePBX environment, custom dialplan code was stored in /etc/asterisk/extensions_custom.conf. For custom extensions that you wanted to add, that code had to appear in the [from-internal-custom] context. For custom dialplan contexts, those appeared immediately below the last entry in the [from-internal-custom] context. If your custom code appeared anywhere else, there was always the risk that it might be overwritten with your next FreePBX reload.

    The XiVO design is quite different. As we noted last week, it is not an Asterisk code generator at all, unlike FreePBX. Instead, it has a realtime interface to Asterisk using its PostgreSQL database engine. Updates are nearly instantaneous without reloading Asterisk modules from disk.



    The other advantage is you won’t have to worry about XiVO stepping on your custom code as long as you leave PostgreSQL alone. HINT! The good news is there still are hooks to add your own custom dialplan extensions and code as well as PHP/AGI scripts. And it’s easy. In XiVO, custom extensions are stored in xivo-extrafeatures.conf which you’ll find in the /etc/asterisk/extensions_extra.d directory. Don’t edit files in /etc/asterisk/extensions_extra.d from the Linux command prompt! Instead, use the editor built into the XiVO GUI by selecting Configuration Files under IPBX configuration. This will automatically assure that realtime updates are posted correctly. To add additional contexts to your dialplan, create separate files for each context and store them in this same directory. Again, the easy way to make certain that Asterisk is updated automatically when you add new code snippets is to create and edit them within the XiVO GUI. These files all will appear under IPBX Configuration -> Configuration Files as well.

    In order to better mimic the FreePBX way of doing things so that your PHP/AGI scripts work in either environment, we recommend issuing the following symlink while logged into XiVO. We’ll do it as part of the SQLite3 install below.

    ln -s /var/lib/asterisk/agi-bin /usr/share/asterisk/agi-bin
    

    Once you’ve established the symlink, PHP/AGI scripts can be migrated from FreePBX to XiVO directly using the same directory structure for storage: /var/lib/asterisk/agi-bin. As with FreePBX, all files in this directory should be owned by asterisk with 775 permissions:

    chown asterisk:asterisk /var/lib/asterisk/agi-bin/*
    chmod 775 /var/lib/asterisk/agi-bin/*
    

    There are many other powerful features in XiVO that weren’t available at all in FreePBX. We’ll cover some of them in coming months. In the meantime, this brief overview of the dialplan environment should be sufficient to let you start building.

    Installing SQLite3 to Support Incredible PBX Applications

    There’s one other difference between XiVO and FreePBX that we’ve already touched upon. But it bears repeating here. XiVO doesn’t use MySQL or MariaDB for its database management tasks. Instead, the XiVO development team chose PostgreSQL which is equally powerful, but different. For the Incredible PBX application suite, we’ve chosen to rewrite the ones that depend upon MySQL so that they can run under SQLite3 which is considerably less processor intensive than running both PostgreSQL and MySQL 24/7. We also didn’t want to interfere with the PostgreSQL setup of XiVO since it is an integral component of the product and will get upgraded automatically as part of the regular XiVO upgrade cycle.

    Here’s how to put the SQLite3 and corresponding ODBC components in place on your new server. While logged into your server as root, simply issue the following commands:

    cd /
    wget http://incrediblepbx.com/sqlite3-xivo.tar.gz
    tar zxvf sqlite3-xivo*
    rm -f sqlite3-xivo.tar.gz
    cd /root
    ./sqlite3-xivo.sh
    

    Running a couple SQLite3 queries using the ZIPCODES and ASTERIDEX databases will give you a feel for the performance you can expect from SQLite3. The queries might look like this:

    sqlite3 /var/lib/asterisk/agi-bin/zipcodes.sqlite "select zip,city,state from zipcodes where zip=29401;"
    sqlite3 /var/lib/asterisk/agi-bin/asteridex.sqlite 'select name,out from user1 where name LIKE "%Airlines%";'
    

    And here are the results of the two queries:

    29401|CHARLESTON|SC
    --------------------------------
    American Airlines|8004337300
    Continental Airlines|8005250280
    Delta AirLines|8002211212
    Frontier Airlines|8004321359
    Iberia AirLines|8007724642
    Midway Airlines|8004464392
    Northwest Airlines|8002252525
    Southwest Airlines|8004359792
    Ted Airlines|8002255833
    United Airlines|8002416522
    WestJet Airlines|8005385696
    Yemen Airlines|8009368300
    

    We’ve included a bonus script in /root that will let you convert existing MySQL databases to SQLite3. For example, if you’re currently using AsteriDex on another Incredible PBX platform, it only takes a couple seconds to convert your MySQL database to SQLite3. The syntax to run the script should look like this:

    ./mysql2sqlite3.sh -u root -ppassw0rd yourdatabase | sqlite3 yourdatabase.sqlite
    

    You obviously cannot run the script on your XiVO server because your MySQL databases and MySQL itself are missing. So move the script to the server on which your MySQL databases are stored and run it there using the above syntax. Then copy the asteridex.sqlite file to your XiVO server and save it in /var/lib/asterisk/agi-bin.

    Installing and Activating the Festival TTS Engine with Asterisk

    We’ve got a couple more building blocks to put in place to support Incredible PBX applications. Then we’ll be ready to kick the tires with a few applications to get you started. In coming weeks, we’ll finish up the conversion of the remaining apps, and then we’ll publish an Incredible PBX installer for XiVO with all the pieces. But why wait? Finish up installing the remaining pieces today, and you’ll have something to play with. And, as we said, it will also provide you with simple scripts so you can actually see how Incredible PBX is put together.

    Many of the Incredible PBX applications rely upon text-to-speech and/or voice recognition (speech-to-text) to work their magic. Neither comes installed with XiVO by default, but Asterisk was properly configured to support Festival so let’s work with that. Festival is the Big Brother of FLITE and includes some additional voices of fairly good quality. The XiVO Demo IVR will give you an idea of the TTS voice quality you can expect:

    To get Festival installed and activated for use with Asterisk, issue these commands:

    cd /
    wget http://incrediblepbx.com/festival-xivo.tar.gz
    tar zxvf festival-xivo.tar.gz
    cd /root
    ./festival-xivo.sh
    

    Installing Dial Plan Code for Sample Incredible PBX Applications

    Now we’re ready to put today’s Dial Plan Code and IVR in place and load the PHP/AGI components necessary to make the sample applications work. Here’s how:

    cd /
    wget http://incrediblepbx.com/ivr-xivo.tar.gz
    tar zxvf ivr-xivo.tar.gz
    chown asterisk:www-data /etc/asterisk/extensions_extra.d
    chmod 775 /etc/asterisk/extensions_extra.d
    chmod g+s /etc/asterisk/extensions_extra.d
    /etc/init.d/asterisk restart
    

    Installing and Activating Voice Recognition for XiVO

    Google has changed the licensing of their speech recognition engine about as many times as you change diapers on a newborn baby. Today’s rule restricts use to “personal and development use.” Assuming you qualify, the very first order of business is to enable speech recognition for your XiVO PBX. Once enabled, the Incredible PBX feature set grows exponentially. You’ll ultimately have access to the Voice Dialer for AsteriDex, Worldwide Weather Reports where you can say the name of a city and state or province to get a weather forecast for almost anywhere, Wolfram Alpha for a Siri-like encyclopedia for your PBX, and Lefteris Zafiris’ speech recognition software to build additional Asterisk apps limited only by your imagination. And, rumor has it, Google is about to announce new licensing terms, but we’re not there yet. To try out the Voice Dialer in today’s demo IVR, you’ll need to obtain a license key from Google. This Nerd Vittles tutorial will walk you through that process. Don’t forget to add your key to /var/lib/asterisk/agi-bin/speech-recog.agi on line 72.

    Taking XiVO on a Test Drive with the Incredible PBX Apps

    Now set up a softphone using the IP address of your XiVO server and the Line credentials for Extension 701. When you obtain your credentials, double-check to make sure all of the fields for the Line are filled in correctly as shown below:

    Once your softphone is registered, you can try out some of the sample applications:

    • 4871 (IVR1) – Allison’s Demo IVR
    • 411 (Voice Dialing) – Call by Name (try “Delta Airlines”)
    • 2663 (CONF) – MeetMe Conference with Music on Hold
    • 951 – Yahoo! News Headlines (TTS)
    • 947 (ZIP) – NWS Weather by ZIP Code
    • 53669 (LENNY) – The Telemarketer’s Worst Nightmare

    You can review the Dialplan code in the GUI by choosing Configuration Files and clicking xivo-extrafeatures.conf. The sample IVR code is in ivr-1.conf.

    Taking Nerd Vittles’ XiVO IVR for a Test Drive

    There’s also a new Demo IVR running at www.pacificnx.com on their XenServer virtualization platform. Scott McCarthy, a leading outside XiVO developer and a principal at PacificNX, tells us they soon will have a $20 a month platform specifically tailored to XiVO. And that’s what you’ll be hearing when you call the Nerd Vittles IVR: 1-843-606-0555. Setup at PacificNX took less than a minute. Enjoy!

    Published: Thursday, May 12, 2016





    Need help with Asterisk? Visit the PBX in a Flash Forum.


     
    Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.


    ​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at www.3cx.com.

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…

    Sleep Well: Create a $10.50 Incredible Backup Server in the Cloud with WebDAV

    With the impending demise of Copy.com, it seemed like a good time to revisit the subject of backups and to do a little advance preparation for that rainy day when your Incredible PBX™ server decides it’s taken its last breath. We recently documented how to build an Incredible PBX in the Cloud for a one-time cost of $10.50. And we showed you how to build a Linux Sandbox in the Cloud for the same bargain-basement price. Today, we’re adding a third way to spend one day’s lunch money with our new Backup Server in the Cloud at CloudAtCost. And, like the other two, a one-time investment of $10.50 gets you a 10GB cloud repository to store your most important Asterisk® files for life! [1] If you’re feeling really adventurous, you can double or quadruple your resources and your storage capacity at the same great 70% off rates with CloudAtCost coupon code: TAKE70. Some have asked us for a referral code to give credit where credit is due. Thanks for thinking of us, but we already have all of the CloudAtCost resources we could ever use. So this one, like the two before it, is on us!



    We recommend you start by building an Incredible PBX platform at CloudAtCost using our previous tutorial. Is it production-ready? Probably not. Is it a good standby server which can swing into action when your primary server croaks? Absolutely. Can it be used for off-site storage of backups from your primary Incredible PBX server? You bet. And today we’ll show you how. It’s about a 10-minute process once you have Incredible PBX up and running in the Cloud. We’ll also provide an updated Incredible Backup script to transparently upload backup images to your new CloudAtCost backup server.

    Got DAV? It’s been quite a while since we first explored WebDAV back in 2005. Today we’re going to bolt on WebDAV to your existing Incredible PBX platform so that some of that spare storage space in the Cloud can be used to house snapshot images of your Incredible PBX production server. Since this will be a fully-functioning Incredible PBX server in addition to serving as a backup server, it can perform double-duty as a hot standby on a moment’s notice. When disaster strikes, restore the latest backup which happens to be colocated on your Cloud server, and you’ll be back in business.

    Overview. As you probably know, WebDAV is an acronym for Web-based Distributed Authoring and Versioning. Simply put, it is an HTTP protocol extension that allows people anywhere on the Internet to edit and manage documents and other files using the same protocol and port used for surfing the web. In the Mac and Linux worlds, WebDAV provides a Disk Volume that “looks and feels” like any other networked hard disk. In the Windows world, WebDAV is called Web Folders. They can be used like any other mapped drive in Network Neighborhood. If you’re still a little fuzzy about the WebDAV concept, think of how you link to another drive on your local area network. WebDAV gives you the same functionality across the entire Internet with virtually the same ease of use. Depending upon user privileges, of course, you can copy files to and from a WebDAV volume, and the protocol imposes versioning control through file locking to assure that multiple people with access rights don’t change the same file at the same time.

    Initial Setup of WebDAV in the Cloud. For today, we’re assuming you already have a functioning Incredible PBX server at CloudAtCost running under CentOS 6.7. If not, start with our tutorial here. If you’d prefer to use the Linux Sandbox configuration for your WebDAV platform, skip down to the next section. To keep things simple, we’re going to set up a separate dav directory within your existing Incredible PBX cloud server to use for WebDAV storage. This means files and folders managed with WebDAV will appear in /var/www/html/dav on your server. We’ll password-protect the directory using Apache web credentials for the admin user. You first must set up these credentials by issuing the following command while logged into your server as root:

    htpasswd /etc/pbx/wwwpasswd admin
    

    To activate WebDAV on your Incredible PBX server at CloudAtCost, while still logged into your server as root, issue the following commands:

    mkdir /var/www/html/dav
    chown asterisk:asterisk /var/www/html/dav
    chown asterisk:asterisk /var/lib/dav
    cd /etc/pbx/httpdconf
    wget http://incrediblepbx.com/dav.conf
    service httpd restart
    

    Keep in mind that WebDAV is running on an Incredible PBX server which means that remote HTTP access will require that your remote IP address be in the IPtables WhiteList. You can add it easily using the add-ip or add-fqdn utilities in /root. Don’t forget, or none of this will work.

    Setting Up WebDAV on a CloudAtCost Linux Sandbox. If you’d prefer to set up WebDAV on a Linux Sandbox at CloudAtCost rather than the Incredible PBX platform, begin by installing the sandbox by following along in the Nerd Vittles tutorial. Once you’re up and running, issue the following commands to activate WebDAV:

    mkdir /etc/pbx
    htpasswd -c /etc/pbx/wwwpasswd admin
    mkdir /var/www/html/dav
    chown apache:apache /var/www/html/dav
    cd /etc/httpd/conf.d
    wget http://incrediblepbx.com/dav.conf
    service httpd restart
    

    You won’t have to whitelist the IP address of your local Incredible PBX server in the IPtables firewall running on your WebDAV server at CloudAtCost because port 80 already is whitelisted in the default Linux Sandbox setup.

    Accessing WebDAV in the Cloud. As installed, you’ll need your username (admin) and your Apache password assigned above to access your WebDAV server in the Cloud. Use a browser for read only access to the dav directory at the IP address of your server, e.g. http://23.45.67.89/dav. Or establish a network share to the WebDAV resource for read and write access.

    Configuring a Local CentOS/SL Server for WebDAV Access. Linux needs something special in order to treat remote WebDAV resources as part of your local file system. Fortunately, there is a packaged solution that does all the heavy lifting for you. On every CentOS/Scientific Linux server from which you want to access remote WebDAV resources, issue the following commands while logged into the server as root:

    yum -y install davfs2
    mkdir /dav
    cd /root
    wget http://incrediblepbx.com/incrediblebackup-dav
    chmod +x incrediblebackup-dav
    

    Configuring a Local Debian/Ubuntu/Raspbian Server for WebDAV Access. The setup drill is much the same as it is for CentOS except the package installation syntax needs to be adjusted. On every Debian, Ubuntu, or Raspbian (Raspberry Pi) server from which you want to access remote WebDAV resources, issue the following commands while logged into the server as root:

    apt-get -y install davfs2
    mkdir /dav
    cd /root
    wget http://incrediblepbx.com/incrediblebackup-dav
    chmod +x incrediblebackup-dav
    

    Connecting to Your WebDAV Server in the Cloud. The new Incredible Backup script, /root/incrediblebackup-dav, will automatically make a connection to your new WebDAV server in the Cloud once you’ve entered your admin credentials and the IP address of your WebDAV server. Do this by editing incrediblebackup-dav. Just plug in your admin password and the IP address of your WebDAV server in the Cloud. Then save the file.

    In case you’re curious, here is the command to access WebDAV as a file system from your local server. Assuming admin:passwd555 were your remote Apache credentials and 23.45.67.89 was the IP address of your CloudAtCost server, the mount command would look like this:

    echo passwd555 | mount.davfs http://23.45.67.89/dav /dav -o username=admin
    

    All of the /dav files on the WebDAV server in the Cloud then would be accessible in the /dav directory on your local server until the WebDAV connection was closed/unmounted. You can add, edit, and delete files and directories. All of your local changes will automatically be synchronized with your WebDAV server in the Cloud.

    To close the WebDAV connection, issue the following command:

    umount.davfs /dav
    

    Making a Backup to Your WebDAV Server in the Cloud. This is the easy part. Once everything is in place and you have configured the Incredible Backup script with your admin credentials and WebDAV server’s IP address, you’re ready to kick off a backup. Just issue the following command while logged into your server as root:

    /root/incrediblebackup-dav
    

    Restoring a Backup from Your WebDAV Server in the Cloud. There are two ways to do this. If your local server and Cloud-based server are running identical versions of Incredible PBX, then you can restore the backup image to your Cloud server and run Incredible PBX in the Cloud. Simply move the desired backup file from /var/www/html/dav on the Cloud server to /backup and then run incrediblerestore from the /root folder. Once the restore completes, reboot your Cloud server, reconfigure the IP addresses of your phones, and you’re back in business.

    If you’d prefer to restore a backup from the Cloud to a local server, then you would first build a new server to match the one from which the backup was originally made. Next, configure the new server to support WebDAV access to your Cloud-based server following the tutorial above. Then execute the following commands after logging into your local server as root. Use the credentials, IP address, and actual backup filename saved on your Cloud server:

    mkdir /backup
    cd /root
    echo passwd555 | mount.davfs http://23.45.67.89/dav /dav -o username=admin
    cp /dav/backupfilename.tar.gz /backup/.
    umount.davfs /dav
    ./incrediblerestore /backup/backupfilename.tar.gz
    rm /backup/backupfilename.tar.gz
    

    WebDAV Cautionary Notes and Gotchas. First, WebDAV does a lot of heavy lifting under the covers because it’s intended for use as a collaboration tool by multiple people accessing and updating the same resources. So synchronization is important. When we’re moving huge files from a local server to the WebDAV cloud, this synchronization activity can give the appearance that your server has hung either during the backup procedure or thereafter. It hasn’t. So, after you run the Incredible Backup script to upload a new backup image, leave your server alone for a while. On your local server, don’t attempt to list /dav or otherwise use it for about an hour to be safe. On a Raspberry Pi, just be patient while the backup procedure completes. After that, you should be good to go. Depending upon the Linux flavor of your local server, the Incredible Backup script may not dismount your WebDAV resource successfully. You can do this manually LATER although it won’t hurt anything to leave the connection in place. As noted above, the dismount command is umount.davfs /dav.

    Second, be very careful in configuring Incredible Backup to make certain that you specify the correct IP address for your WebDAV server in the Cloud. WebDAV will try to connect to any IP address, and you don’t want to inadvertently upload your backup files to someone else’s server. Third, ALWAYS use a web browser to access your WebDAV server in the Cloud after your backup completes to make certain that a backup with the current date and time is shown in the directory listing. Particularly with RedHat OS flavors, it may take some time for the entire tarball upload to complete even though the script will indicate it has finished. Again, patience is a virtue. Don’t reboot. Things will get sorted out in due course.

    Finally, as with other network connections, if the WebDAV connection fails for some reason, your backup would be stored locally in the /dav folder rather than on WebDAV in the Cloud. That’s obviously not too helpful in the event of a local disk crash. So don’t forget to check your WebDAV server in the Cloud to verify successful completion of the backup.
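The second and final cautions above can be checked mechanically rather than by eye. The following is an added example, not part of the original article or of incrediblebackup-dav; the function names are hypothetical, and it assumes a mounted davfs2 share is listed in the mounts table with its WebDAV URL as the first field and the mount point as the second.

```shell
#!/bin/sh
# Added example: guards for the WebDAV gotchas described above.
# Assumption: a mounted davfs2 share shows up in the mounts table as
#   <WebDAV URL> <mount point> <fs type> <options> ...

# dav_source MOUNTS_FILE MOUNT_POINT
# Prints the source (field 1) of whatever is mounted at MOUNT_POINT.
# If several entries share the mount point, the last (visible) one wins.
dav_source() {
    awk -v mp="$2" '$2 == mp { src = $1 } END { if (src != "") print src }' "$1"
}

# check_dav_mount MOUNTS_FILE MOUNT_POINT EXPECTED_URL
#   0 = MOUNT_POINT is mounted from EXPECTED_URL
#   1 = nothing is mounted there (files copied in land on the local disk)
#   2 = mounted, but from a different server or path
check_dav_mount() {
    actual=$(dav_source "$1" "$2")
    [ -n "$actual" ] || return 1
    # Ignore a trailing slash on either side when comparing URLs.
    [ "${actual%/}" = "${3%/}" ] || return 2
    return 0
}

# local_strays MOUNTS_FILE MOUNT_POINT
# When nothing is mounted at MOUNT_POINT, lists the tarballs sitting in that
# directory: backups that were written locally instead of to the Cloud.
local_strays() {
    [ -z "$(dav_source "$1" "$2")" ] || return 0
    find "$2" -maxdepth 1 -type f -name '*.tar.gz' 2>/dev/null
}

# --- Demonstration on a constructed mounts table (sample data, not real output)
demo_mounts=$(mktemp)
cat > "$demo_mounts" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
http://23.45.67.89/dav/ /dav fuse rw,nosuid,nodev,relatime 0 0
EOF

# First URL is the intended server; the second has two digits transposed.
for url in http://23.45.67.89/dav http://23.45.67.98/dav; do
    rc=0
    check_dav_mount "$demo_mounts" /dav "$url" || rc=$?
    echo "expecting $url -> status $rc"
done
rm -f "$demo_mounts"
```

On a live server, pass /proc/mounts as the first argument, for instance between the mount.davfs and cp steps of the restore procedure. A clean mount check does not prove the upload has finished, so the browser check of the Cloud directory listing still applies.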

    Enjoy!

    Republished: Monday, April 25, 2016






    1. The lifetime promise is, of course, in the eye of the beholder. It may be your lifetime but, more than likely, it’s the lifetime of CloudAtCost. The two are not necessarily the same so plan accordingly. 🙂

    Taking a Fresh Look at the Asterisk, FreePBX, and Incredible PBX Security Models

    About once a year, we try to shine the spotlight on Asterisk® security in hopes of saving lots of organizations and individuals a little bit (or a lot) of money. In light of last week’s major security lapse in the Asterisk® dialplan of those using FreePBX® since the Asterisk@Home days, now seemed like a good time for a review. As we’ve noted before, the problem with open source phone systems is they’re open source phone systems. So the bad guys can figure out how they work just like the good guys. Unfortunately, some of the bad guys are paying particular attention to Asterisk and FreePBX so it behooves all of us to remain vigilant and patch vulnerabilities quickly. The FreePBX Devs have done an admirable job in responding quickly to this issue.

    Last week’s vulnerability involves the call transfer methodology that has been incorporated into FreePBX-based Asterisk servers for at least a decade. In a nutshell, it allows an internal or outside caller or called party to transfer a call using touchtones instead of a dedicated transfer button or hook flash. ## performs a blind transfer while *2 sets up an attended transfer where the person transferring the call can actually talk to the transfer recipient before executing the call transfer. Some of our foreign friends used this *2 methodology to initiate calls to Asterisk servers and then to transfer those calls to expensive destinations while the other party to the call listened to music on hold. Worse yet, it could be performed within an answering IVR on some servers so the administrator never knew the call transfer took place other than reviewing the call detail records. As with some previous vulnerabilities, this one had lain dormant since the inception of call transfer technology in Asterisk. The default settings in FreePBX permitted outside calling or called parties to initiate transfers using these feature codes. We’re reminded of a similar vulnerability that used to exist in many Asterisk voicemail systems that allowed callers to dialout to another number from within the voicemail system.

    We hope to persuade you today that allowing transfer of calls using touch tones is a very bad idea to begin with. Even when you don’t get a surprise phone bill, it often results in unanticipated consequences such as depicted in this video shared on DSL Reports:



    Here’s how you can protect any server that uses all or some of the FreePBX GUI. First, be aware that the FreePBX developers are working on a rewrite of the Core component in versions 13 and 12. The fix would limit use of this technology to those on the internal side of a PBX. In other words, remote callers would be blocked from calling into an Asterisk server and transferring themselves to a phone on a cruise ship sailing in the Indian Ocean. In the meantime, issuing the following commands will patch things up:

    mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
    mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
    amportal a r
    

    For those using Incredible PBX™, the Automatic Update Utility will patch your server the next time you log in as root.
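To confirm the patch took, the two settings can be checked for the Asterisk Dial() transfer flags (t lets the called party transfer, T the calling party). This is an added example, not FreePBX or Incredible PBX code; the function names and sample dumps are constructed, and the pass condition simply mirrors the patched values above (no T in DIAL_OPTIONS, no T or t in TRUNK_OPTIONS).

```shell
#!/bin/sh
# Added example: audit DIAL_OPTIONS / TRUNK_OPTIONS for DTMF transfer flags.
# Input is a tab-separated "keyword<TAB>value" dump, e.g. produced with
#   mysql -N -B -uroot -p asterisk -e "select keyword, value from \
#     freepbx_settings where keyword in ('DIAL_OPTIONS','TRUNK_OPTIONS')"

# strip_option_args OPTIONS
# Drops parenthesised option arguments, e.g. "trM(screen^1)" -> "trM", so
# letters inside an argument are not mistaken for flags. Nested parentheses
# are not handled.
strip_option_args() {
    printf '%s\n' "$1" | sed 's/([^)]*)//g'
}

# transfer_flags KEYWORD VALUE
# Prints the transfer flags present that the patched values do not contain.
transfer_flags() {
    case "$1" in
        DIAL_OPTIONS)  risky='T'  ;;   # patched value is 'tr'
        TRUNK_OPTIONS) risky='Tt' ;;   # patched value is empty
        *) return 0 ;;
    esac
    flags=$(strip_option_args "$2")
    printf '%s\n' "$flags" | tr -cd "$risky"
}

# audit_dial_settings DUMP_FILE
# Prints one REVIEW line per offending setting; returns 0 only if none found.
audit_dial_settings() {
    findings=0
    tab=$(printf '\t')
    while IFS="$tab" read -r keyword value; do
        hit=$(transfer_flags "$keyword" "$value")
        if [ -n "$hit" ]; then
            echo "REVIEW $keyword='$value': transfer flag(s) '$hit' present"
            findings=$((findings + 1))
        fi
    done < "$1"
    [ "$findings" -eq 0 ]
}

# --- Demonstration on constructed dumps (sample data, not real output)
sample=$(mktemp)
# Constructed values that still carry transfer flags; the M(...) argument
# shows why arguments are stripped before looking for flags.
printf 'DIAL_OPTIONS\tTtrM(screen^1)\nTRUNK_OPTIONS\tTt\n' > "$sample"
audit_dial_settings "$sample" || echo "-> transfer flags still present"
# The values written by the two mysql commands above.
printf 'DIAL_OPTIONS\ttr\nTRUNK_OPTIONS\t\n' > "$sample"
audit_dial_settings "$sample" && echo "-> matches the patched values"
rm -f "$sample"
```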

    Olle Johansson has been one of the primary shakers and movers when it comes to educating folks on Asterisk security and inspiring developers to do a better job designing these systems. If you didn’t attend AstriCon 2013 and haven’t watched the Security Master Class, put these videos on your Bucket List. They’re all free and well worth your time.

    When we began building out Incredible PBX on other platforms several years ago, we decided it was an opportune time to revisit our Asterisk security model and make it as bullet-proof as possible given the number of people now deploying Asterisk servers in the cloud. As a practical matter, there are no hardware-based firewalls to protect you with many of the cloud-based systems. So you literally live or die based upon the strength of your own software-based security model.

    As in the past, security is all about layers of protection. A bundle of sticks is harder to break than a single stick. There now are Incredible PBX builds for CentOS, Scientific Linux, Ubuntu 14, and the latest Raspbian 8 for the Raspberry Pi 2 and 3. All of these releases include the new Incredible PBX security model. Here’s how it works…

    The 7 Security Layers include the following, and we will go into the details below:

    1. Preconfigured IPtables Linux Firewall
    2. Preconfigured Travelin’ Man 3 WhiteLists
    3. Randomized Port Knocker for Remote Access
    4. TM4 WhiteListing by Telephone (optional)
    5. Fail2Ban
    6. Randomized Ultra-Secure Passwords
    7. Automatic Security Updates & Bug Fixes

    1. IPtables Linux Firewall. Yes, we’ve had IPtables in place with PBX in a Flash for many years. And, yes, it was partially locked down in previous Incredible PBX releases if you chose to deploy Travelin’ Man 3. Now it’s automatically installed AND locked down, period. As installed, the new Incredible PBX limits login access to your server to those on your private LAN (if any) and anyone logging in from the server’s public or private IP address and the public IP address of the desktop machine used to install the Incredible PBX software. If you or your users need access from other computers or phones, those addresses can be added quickly using either the Travelin’ Man 3 tools (add-ip and add-fqdn) or using the Port Knocker application running on your desktop or smartphone. All you need are your three randomized codes for the knock. You can also enable a remote IP address by telephone. Keep reading!

    2. Travelin’ Man 3 WhiteLists. As in the past, many of the major SIP providers have been whitelisted in the default setup so that you can quickly add new service without worrying about firewall access. These are providers that we’ve used over the years. The preconfigured providers include Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. You are, of course, free to add other providers or users using the whitelist tools being provided. add-ip lets you add an IP address to your whitelist. add-fqdn lets you add a fully-qualified domain name to your whitelist. del-acct lets you remove an entry from your whitelist. Because FQDNs cause problems with IPtables if the FQDN happens to be invalid or non-functional, we’ve provided a customized iptables-restart tool which will filter out bad FQDNs and start up IPtables without the problematic entries.

    Be advised that whitelist entries created with PortKnocker are stored in RAM, not in your IPtables file. These RAM entries will get blown out of the water whenever your system is restarted OR if IPtables is restarted. Stated another way, PortKnocker should be used as a stopgap tool to get new IP addresses qualified quickly. If these addresses need access for more than a few hours, then the Travelin’ Man 3 tools should be used to add them to your IPtables whitelist. If your whitelist setup includes dynamic IP addresses, be aware that using ipchecker in a cron job to test for changing dynamic IP addresses will remove PortKnocker whitelist RAM entries whenever an IP address change triggers an iptables-restart.

    For more detail on Travelin’ Man 3, review our original tutorial.

    3. PortKnocker WhiteListing. We’ve previously written about PortKnocker so we won’t repeat the article here. Simply stated, it lets you knock on three ports on a host machine in the proper order to gain access. If you get the timing and sequence right, the IP address from which you knocked gets whitelisted for access to the server… with appropriate admin or root passwords, of course. The knocking can be accomplished with either a command line tool or an iOS or Android app using your smartphone or tablet. As noted above, it’s a terrific stopgap tool to let you or your users gain quick access to your server. For the reasons we’ve documented, don’t forget that it’s a stopgap tool. Don’t use it as a replacement for Travelin’ Man 3 whitelists unless you don’t plan to deploy dynamic IP address automatic updating. Just to repeat, PortKnocker whitelists get destroyed whenever IPtables is restarted or your server is rebooted. You’ve been warned.

    4. TM4 WhiteListing by Telephone. Newer releases of Incredible PBX are preconfigured with ODBC support for telephony applications. One worth mentioning is our new Travelin’ Man 4 utility which lets a remote user dial into a dedicated DID and register an IP address to be whitelisted on the server. Within a couple minutes, the user will be sent an email confirming that the IP address has been whitelisted and remote access is now enabled. For phone systems and administrators supporting hundreds of remote users, this new feature will be a welcome addition. It can be configured in a couple minutes by following the Installation instructions in the Travelin’ Man 4 tutorial. Unlike PortKnocker, whitelisted IP addresses added with TM4 are permanent until modified by the remote user or deleted by the administrator.

    5. Fail2Ban. We’ve never been a big fan of Fail2Ban, which scans your logs and blacklists IP addresses after several failed attempts to log in or register with SSH or Apache or Asterisk. The reason is the documented cases where attacks from powerful servers (think: Amazon) completely overpower a machine and delay execution of Fail2Ban log scanning until tens of thousands of registration attempts have been launched. The FreePBX folks are working on a methodology to move failed login attempts to a separate (smaller) log which would go a long way toward eliminating the log scanning bottleneck. In the meantime, Fail2Ban is included, and it works when it works. But don’t count on it as your only security layer.

    6. Randomized Passwords. With the new security model described above, we’ve dispensed with Apache security to protect FreePBX® access. These new Incredible PBX releases rely upon the FreePBX security model which uses encrypted passwords stored in MySQL or MariaDB. As part of the installation process, Incredible PBX randomizes ALL FreePBX passwords including those for the default 701 extension as well as the admin password. When your new Incredible PBX install completes, the most important things to remember are your (randomized) FreePBX admin password AND the (randomized) 3 ports required for Port Knocker access. Put them in a safe place. Sooner or later, you’ll need them. You can review your PortKnocker settings in /root/knock.FAQ. We’ve also included admin-pw-change in the /root folder for those that are too lazy to heed our advice. With the new security model, there is no way to look up your admin password. All you can do is change it… assuming you haven’t also forgotten your root password. 😉

    7. Automatic Update Service. All new Incredible PBX builds include an automatic update service to provide security patches and bug fixes whenever you log into your server as root. It saved you just last week! If you don’t want the updates for some reason, you can delete the /root/update* file from your server. If the cost of maintaining this service becomes prohibitive, we may implement a pay-for-service fee, but it presently is supported by voluntary contributions from our users. It has worked extremely well and provided a vehicle for pushing out updates that affect the reliability and security of your server.

    A Word About IPv6. Sooner or later Internet Protocol version 6 will be upon us because of the exhaustion of IPv4 IP addresses. Incredible PBX is IPv6-aware and IPtables has been configured to support it as well. As deployed, outbound IPv6 is not restricted. Inbound access is limited to localhost. You, of course, are free to modify it in any way desired. Be advised that disabling IPv6 localhost inbound access will block access to the FreePBX GUI. Don’t ask us how we know. 🙂

    Originally published: Monday, April 18, 2016






    It’s Back: $10.50 Buys an Incredible PBX in the Cloud For Life… If You Hurry

    In January, we began our new series on Cloud Computing by documenting how to build an awesome LAMP server in the Cloud using Linux. Today we’re again going to show you how to use the same Cloud platform and take advantage of the $10.50 coupon code TAKE70 to build an Incredible PBX in the Cloud FOR LIFE. When you’re finished, you’ll have a state-of-the-art Incredible PBX 13 server with hundreds of PBX features including free calling to the U.S. and Canada using any (free) Google Voice account. Keep in mind this isn’t $10.50 a month for your cloud server. It’s $10.50, period! The whole project takes less than an hour. Before we begin, let’s revisit our cautionary note for those that missed it in the previous article. It’s important.

    There’s lots to hate at Cloud At Cost, a Canadian provider that offers virtual machines in the cloud for a one-time fee with no recurring charges. For $10.50 (marked down from $35), you get a virtual machine with 512MB of RAM, 10GB of storage, and a gigabit Internet connection FOR LIFE. We haven’t seen a week go by when Cloud at Cost didn’t offer some sort of discount. Today it’s 70% which brings the total cost down to $10.50. That’s less than a burger at Five Guys. That’s the good news. But, if security, 99.999% reliability, performance, and excellent customer support are your must-haves, then look elsewhere. So why would anyone in their right mind sign up for a cloud solution that didn’t offer those four things? Did we mention it’s $10.50 for a lifetime cloud server?

    If you take our recommendation and plunk down your $10.50, you’ll need to go into this with the right attitude. It’s not going to be flawless perfection computing. It’s a sandbox on which to experiment with [VoIP] and Cloud Computing. Will your virtual machine disintegrate at some juncture? Probably. Our experience is that the first couple days are critical. If you start seeing sluggish performance which degenerates to zero, don’t waste your time. Take good notes as you go along, delete the virtual machine, and rebuild a new one. It won’t cost you a dime, and it’ll save you hours of frustration. We suspect that bad folks get onto some of the servers and delight in bringing the machines to their knees. So the quicker you cut your losses, the better off you will be. Is CloudAtCost a good solution for production use? Probably not, so don’t try to fit a square peg in the round hole. It’s not gonna work, and you WILL be disappointed.

    Today’s experiment will give you a platform on which to learn before you decide upon a more permanent deployment solution. And it will give you a terrific home for a backup server once you do move to a long-term solution so your $10.50 won’t be wasted.


    The objective today is to show you how to build a rock-solid, secure VoIP server in the Cloud with all the bells and whistles you’d typically find on a PBX costing tens of thousands of dollars. Incredible PBX is pure GPL, open source code with one major difference. It’s FREE! And it’s supported by thousands of users on the PIAF Forum that started just like you.

    Some of you are probably wondering why you would want a PBX at all. Hearing is believing as they say. Spend a couple minutes and call our CloudAtCost demo server. We preconfigured it using everything provided in today’s tutorial. It’ll let you play with some of the features that a PBX offers such as voice dialing from a directory, news and weather forecasts, and much more. And, in case you’re wondering, it’s been running 24/7 for two full months without a single hiccup. To try it for yourself, just dial:

    Nerd Vittles Demo IVR Options
    1 – Call by Name (say “Delta Airlines” or “American Airlines” to try it out)
    2 – MeetMe Conference (password is 1234)
    3 – Wolfram Alpha (say “What planes are flying overhead now?”)
    4 – Lenny (The Telemarketer’s Worst Nightmare)
    5 – Today’s News Headlines
    6 – Weather Forecast (Just enter your ZIP Code!)
    7 – Today in History
    8 – Speak to a Real Person (or maybe just voicemail if we’re out)

    For long time readers of Nerd Vittles, you already know that the component we continually stress is security. Without that, the rest really doesn’t matter. You’ll be building a platform for someone else to hijack and use for nefarious purposes. When we’re finished today, you’ll have a cloud-based VoIP server that is totally invisible to the rest of the world except a short list of VoIP providers that have been thoroughly vetted by Nerd Vittles staff. You can whitelist additional locations and phones to meet your individual needs without worrying about your server being compromised.

    Creating Your Virtual Machine Platform in the Cloud

    To get started, you’ve got to cough up your $10.50 at Cloud at Cost using coupon code TAKE70. Once you’ve signed up, CloudAtCost will send you credentials to log into the Cloud at Cost Management Portal. Change your portal password IMMEDIATELY after logging in. Just go to SETTINGS and follow your nose. HINT: DC2 is the preferred data center!

    To create your virtual machine, click on the CLOUDPRO button and click Add New Server. If you’ve only purchased the $10.50 CloudPRO 1 platform, then you’ll need all of the available resources shown in the pick list. Leave CentOS 6.7 64bit selected as the OS Type and click Complete. Depending upon the type of special pricing that Cloud at Cost is offering when you sign up, the time to build your virtual machine can take anywhere from a minute to the better part of a day. Things have settled down since the 90% off week so new servers typically are ready in a few minutes. However, we’ve learned to build new virtual machines at night where possible. Then they’re usually available for use by the next morning. Luckily, this slow performance does not impact existing virtual machines that already are running in the CloudAtCost hosting facilities.

    Initial Configuration of Your CentOS 6.7 Virtual Machine

    With a little luck, your virtual machine soon will appear in your Cloud at Cost Management Portal and look something like what’s shown above. The red arrow points to the i button you’ll need to click to decipher the password for your new virtual machine. You’ll need both your IP address and the password for the new virtual machine in order to log into the server which is now up and running with a barebones CentOS 6.7 operating system. Note the yellow caution flag. That’s telling you that Cloud at Cost will automatically shut down your server in a week to save (them) computing resources. You can change the setting to keep your server running 24/7. Click Modify, Change Run Mode, and select Normal – Leave Powered On. Click Continue and OK to save your new settings.

    Finally, you’ll want to change the Host Name for your server to something more descriptive than c7…cloudpro.92… Click the Modify button again and click Rename Server to change it. IncrediblePBX13 has a nice ring to it, but to each his own.

    Logging into Your New CentOS 6.7 Virtual Machine

    In order to configure and manage your new CentOS 6.7 virtual machine, you’ll need to log into the new server using either SSH or, for Windows users, Putty. After installing Putty, run it and log in to the IP address of your VM with username root and the password you deciphered above. On a Mac, open a Terminal session and issue a command like this using the actual IP address of your new virtual machine:

    ssh root@12.34.56.78
    

    Before you do anything else, reset your Virtual Machine’s root password to something very secure: passwd

    Next, let’s address a couple of CloudAtCost quirks that may cause problems down the road. CloudAtCost has a nasty habit of not cleaning up after itself with fresh installs. The net result is your root password may get reset every time you reboot even though you changed it.

    sed -i '/exit 0/d' /etc/rc.local
    killall plymouthd
    echo killall plymouthd >> /etc/rc.local
    rm -f /etc/rc3.d/S97*
    echo "exit 0" >> /etc/rc.local
    

    Installing Incredible PBX 13 with CentOS 6.7

    Now we’re ready to build your VoIP server platform. There aren’t many steps so just cut-and-paste the code into your SSH or Putty session and review the results to make sure nothing comes unglued. If something does, the beauty of virtual machines is you can delete them instantly within your management portal and just start over whenever you like. So here we go…

    We’ll begin by permanently turning off SELINUX which causes more problems than it solves. The first command turns it off instantly. The second line assures that it’ll stay off whenever you reboot your virtual machine.

    setenforce 0
    sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config
    

    Now let’s bring CentOS 6.7 up to current specs and add a few important applications:

    yum -y update
    yum -y install net-tools nano wget tar
    reboot
    

    Once your server reboots, we’re ready to kick off the Incredible PBX 13 install:

    cd /root
    wget http://incrediblepbx.com/incrediblepbx13-12.2-centos.tar.gz
    tar zxvf incrediblepbx*
    ./IncrediblePBX*
    

    When the install begins, read the license agreement and press ENTER to agree to the terms and get things rolling. Now would be a great time to go have breakfast or lunch. Come back in about an hour and your server should be ready to go.

    Implementing Dynamic DNS Service on Your Client Machines

    Unlike some other PBX offerings that leave your server exposed to the Internet, Incredible PBX is different. Unless the IP address from which you are accessing the server has been whitelisted, nobody on the Internet can see your server. The only exception is the preferred providers list and those on the same local area network (which is nobody in the case of CloudAtCost). As part of the Incredible PBX install, the IP address of the computer you used to perform the install was whitelisted automatically. But there may be other computers from which you wish to allow access to the PBX in order to deploy telephones at remote sites. Some of these sites may have dynamic IP addresses that change from time to time. Or you may have traveling salesmen who land in a new hotel almost every night with a new IP address. Fortunately, there are a number of free and paid Dynamic DNS providers. For sites with dynamic IP addresses, simply choose a fully-qualified domain name (FQDN) to identify each location where you need computer access or need to deploy a phone. Then run a dynamic DNS update utility periodically from a computer or router at that site. It reports back the current public IP address of the site and your DNS provider updates the IP address assigned to that FQDN whenever there are changes.

    DNS update clients are available for Windows, Mac OS X, and many residential routers. They’re also available for Android devices. Then it’s just a matter of plugging in the remote users’ FQDNs so Incredible PBX knows to give them server access via the whitelist. You implement this in seconds using the add-ip and add-fqdn utilities in the /root directory.

    There are other ways to gain access as well using the PortKnocker utility or Travelin’ Man 4 from a telephone. Both of these are covered in the Incredible PBX 13 tutorial so we won’t repeat it here.
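
After whitelist changes made with add-ip or add-fqdn, the saved rules can be audited for ACCEPT entries that any source address can reach. The script below is an added example, not part of Incredible PBX or the original article: the function names are hypothetical and the rule set is a constructed sample using documentation addresses. The same checks read ip6tables-save output, so they also cover the IPv6 inbound rules.

```shell
#!/bin/sh
# Added example, not part of Incredible PBX. Audits `iptables-save` or
# `ip6tables-save` text read from stdin. It inspects only the filter
# table's INPUT chain and does not descend into user-defined chains.

# Emit one tagged record per relevant line:
#   deny|<why>   the chain is default-deny (DROP policy or catch-all rule)
#   src|<addr>   a source address that an ACCEPT rule whitelists
#   open|<rule>  an ACCEPT rule reachable from any source address
classify_input() {
  awk '
    /^\*/ { table = substr($1, 2); next }
    table != "filter" { next }
    $1 == ":INPUT" { if ($2 == "DROP") print "deny|policy DROP"; next }
    $1 != "-A" || $2 != "INPUT" { next }
    $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { print "deny|catch-all rule"; next }
    {
      src = ""; neg = 0; lo = 0; est = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-s") { src = $(i + 1); neg = ($(i - 1) == "!") }
        if ($i == "-i" && $(i + 1) == "lo" && $(i - 1) != "!") lo = 1
        if ($i == "--state" || $i == "--ctstate")
          est = ($(i + 1) !~ /NEW/ && $(i - 1) != "!")
        if ($i == "-j") target = $(i + 1)
      }
      # Loopback and established-only rules do not expose the server.
      if (target != "ACCEPT" || lo || est) next
      # No -s, a negated -s, or an all-zero prefix all mean "anyone".
      if (src == "" || neg || src == "0.0.0.0/0" || src == "::/0") {
        print "open|" $0
      } else {
        print "src|" src
      }
    }'
}

default_deny()        { classify_input | grep -q '^deny|'; }
open_accepts()        { classify_input | sed -n 's/^open|//p'; }
whitelisted_sources() { classify_input | sed -n 's/^src|//p' | sort -u; }

# Is dotted-quad IPv4 address $1 inside any whitelisted source prefix?
# Useful when a dynamic-DNS site changes address: resolve the FQDN
# yourself and pass the resulting address in.
ip_whitelisted() {
  whitelisted_sources | awk -v ip="$1" '
    function toint(a,    p) {
      split(a, p, ".")
      return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    index($0, ":") == 0 {                      # skip IPv6 entries
      n = split($0, c, "/"); len = (n == 2) ? c[2] : 32
      span = 2 ^ (32 - len)                    # addresses per prefix
      if (int(toint(ip) / span) == int(toint(c[1]) / span)) found = 1
    }
    END { exit (found ? 0 : 1) }'
}

# Print findings; return 0 only if INPUT is whitelist-only.
audit_input() {
  audit_rules=$(cat); audit_rc=0
  if ! printf '%s\n' "$audit_rules" | default_deny; then
    echo "FAIL: INPUT has neither a DROP policy nor a catch-all DROP/REJECT"
    audit_rc=1
  fi
  audit_open=$(printf '%s\n' "$audit_rules" | open_accepts)
  if [ -n "$audit_open" ]; then
    echo "FAIL: ACCEPT rules that any source address can reach:"
    printf '%s\n' "$audit_open" | sed 's/^/  /'
    audit_rc=1
  fi
  if [ "$audit_rc" -eq 0 ]; then echo "OK: INPUT is whitelist-only"; fi
  return "$audit_rc"
}

# Constructed sample in iptables-save format (documentation addresses).
# On a live server, run as root:  iptables-save | audit_input
sample_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT ! -s 192.0.2.66/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Demo: the sample deliberately contains two rules the audit flags.
sample_rules | audit_input || true
```

The negated rule is flagged because `! -s` admits every address except the one named, which is the opposite of a whitelist entry.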

    Incredible PBX Preliminary Setup Steps

    First, let’s check things out and make sure everything is working as it should. With your favorite web browser, visit the IP address of your new server. You should see the default Incredible PBX page, the Kennonsoft Menu. It’s divided into two parts, a Users tab (shown below) and an Admin tab with additional options that we’ll cover shortly.

    Now we need to jump back to SSH or Putty and log back into your server as root. You’ll note that the Incredible PBX Automatic Update Utility is run each time you log in. This is how important security updates are pushed to your server so do it regularly. And, no, you don’t need to contribute to our open source projects unless you want to. You’ll still get the updates as they are released.

    After the Automatic Update Utility runs, the login script will execute status which tells you everything you need to know about the health of your server. After the initial install, it will look something like this with your server’s IP address obviously. We’ll cover the RED items down the road a bit.

    For now, we need to complete a few preliminary setup steps for Incredible PBX to make sure you can log into the various components which have been installed on your computer. There are several different credentials you will need. Most of these are configured using scripts in the /root folder of your server. First, you need your root password for the server itself, and you should have already set that up with a very secure password using passwd. These same credentials are used to login to WebMin.

    Next you’ll need an admin password for the Incredible PBX GUI. This is the management utility and Asterisk® code generator which consists of FreePBX® GPL modules that are open source and free to use. The admin password is set by running admin-pw-change in the /root directory.

    There are also a number of web-based applications such as Telephone Reminders, AsteriDex, phpMyAdmin, and VoiceMail & Recordings (User Control Panel). You obviously don’t want everyone with a telephone using all of these applications so they are protected using a couple different Apache web server credentials. First, you set up an admin password for the administrator-level applications using the htpasswd utility. Then you set up an end-user account and password for access to AsteriDex, Reminders, and the User Control Panel. With the User Control Panel, end users also will need a username and password for their particular phone extension and this is configured with the Incredible PBX GUI using Admin -> User Management -> Add New User. If this sounds convoluted, it’s really not. Apache credentials can be entered once in an administrator’s or end user’s browser and they’re stored permanently.

    Here is a checklist of the preliminary steps to complete before using your server:

    Make your root password very secure: passwd
    Create admin password for Incredible PBX GUI access: /root/admin-pw-change
    Create admin password for web apps: htpasswd /etc/pbx/wwwpasswd admin
    Create joeuser password for web apps: htpasswd /etc/pbx/wwwpasswd joeuser
    Set up UCP accounts for Voicemail & Recordings access using Incredible PBX GUI
    Make a copy of your Knock codes: cat /root/knock.FAQ
    Decipher IP address and other info about your server: status
    Set your correct time zone: /root/timezone-setup

    Activating Incredible Fax on Your Server

    Incredible PBX also includes an optional (and free) faxing component that lets you send and receive faxes that are delivered to your email address. To activate Incredible Fax, run the following script and plug in your email address for delivery of incoming faxes: /root/incrediblefax11.sh. After entering your email address, you’ll be prompted for all sorts of additional information. Unless you have unusual requirements, pressing the ENTER key at every prompt is the appropriate response. You’ll need to reboot your server again when the fax installation is complete. Once you log back into your server as root, the bottom line of the status display should now be green UP entries.

    Managing Your Server with the Incredible PBX GUI

    About 99% of your time managing your server will be spent in the Incredible PBX GUI. To access it, fire up your browser and point to the IP address of your server. At the Kennonsoft menu, click on the Users tab which will change to Admin and bring up the Admin menu shown here:

    From the Administrator menu in the Kennonsoft GUI, click on Incredible PBX Administration. This will bring up the following menu:

    Click on the first icon to access the Incredible PBX GUI. You’ll be prompted for your credentials. For the username, enter admin. For the password, enter the password you set up using admin-pw-change above. You should then be greeted by the main status display in the Incredible GUI:

    If you’re new to Asterisk and FreePBX, here’s the one paragraph primer on what needs to happen before you can make free calls with Google Voice. You’ll obviously need a free Google Voice account. This gets you a phone number for people to call you and a vehicle to place calls to plain old telephones throughout the U.S. and Canada at no cost. You’ll also need a softphone or SIP phone (NOT a regular POTS telephone) to actually place and receive calls. YATE makes a free softphone for PCs, Macs, and Linux machines so download your favorite and install it on your desktop. Phones connect to extensions to work with Incredible PBX. Extensions talk to trunks (like Google Voice) to make and receive calls. We use outbound routes to direct outgoing calls from extensions to trunks, and we use inbound routes to route incoming calls from trunks to extensions to make your phones ring. In a nutshell, that’s how a PBX works. There are lots of bells and whistles that you can explore down the road.

    As configured after installation, you have everything you’ll need except a Google Voice trunk, and we’ll cover that next. Then we’ll add a softphone with your extension 701 credentials, and you’ll be ready to make and receive calls. Before we move on, let’s decipher your extension 701 password so that you’ll have it for later. Choose Applications -> Extensions -> 701 and scroll down the screen to the Secret field and write down your password. You can also change it if you like and click Submit and then the Red button to update your settings. While you’re here, write down your extension 701 Voicemail Password.

    Deploying Google Voice on Your Server

    That leaves one RED entry on your status display, GV OAUTH. Whether to use plain text passwords or OAUTH 2 credentials with Google Voice accounts presently is a matter of choice although Google regularly threatens to discontinue access to Google Voice without OAUTH authentication. We suggest you play with Google Voice using plain text passwords just to get your feet wet because OAUTH implementation gets complicated. When you get ready to deploy a permanent Incredible PBX server, that would be the appropriate time to switch to OAUTH. This tutorial (beginning at step 1b) will guide you through the process.

    If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using the GUI. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

    We’ve tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX. It’s free at least through 2013. Google Voice no longer is by invitation only so, if you’re in the U.S. or have a friend that is, head over to the Google Voice site and register.

    You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work… in either direction. Google used to permit outbound Gtalk calls using a fake CallerID, but that obviously led to abuse so it’s over! You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don’t skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you’d like in Settings, Voice Setting, Phones. But…

    IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.

    While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

    • Call Screening: OFF
    • Call Presentation: OFF
    • Caller ID (In): Display Caller’s Number
    • Caller ID (Out): Don’t Change Anything
    • Do Not Disturb: OFF
    • Call Options (Enable Recording): OFF
    • Global Spam Filtering: ON

    Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

    One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

    Once you have your Google Voice account properly configured with Google, here is the proper sequence to get a Google Voice account working with Incredible PBX. First, using a browser, login to your Google Voice account. Second, make sure that Google Chat is activated in your Phone -> Settings. Third, in a separate browser tab, enable Less Secure Apps for your Google account. Fourth, in another separate browser tab, activate the Google Voice reset procedure. Fifth, in the Incredible PBX GUI, choose Connectivity -> Google Voice (Motif) and enter your Google Voice credentials:

    Sixth, save your settings by clicking Submit and the Red Button to reload the GUI. Finally, using SSH or Putty, log into your server as root and restart Asterisk: amportal restart.

    Setting Up a Soft Phone to Use with Incredible PBX

    Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and your extension 701 password. Click OK.

    Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:


    DEMO - Allison's IVR Demo
    947 - Weather by ZIP Code
    951 - Yahoo News
    *61 - Time of Day
    *68 - Wakeup Call
    TODAY - Today in History

    Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use the free Google Voice account we set up above. Unlike traditional telephone service where you were 100% dependent upon MaBell, there is no such limitation with VoIP. The smarter long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started. Here are a few of our favorites:

    Originally published: Friday, January 29, 2016   Republished: Monday, March 14, 2016






    Mobile WiFi Shootout: Torture Testing the Best WiFi HotSpots for Your Vehicle

    What a difference a few years make. Bringing Internet connectivity to those in a vehicle who need Internet access but lack cellular data connectivity now is at the top of virtually every Road Warrior’s Wish List. Today we embark on our first major road trip of 2016 to test mobile WiFi hotspots from the four major carriers in the United States: AT&T, Verizon, Sprint, and T-Mobile. We’ve decided to use a variety of devices with the carriers in order to give you a good picture of what’s now available in the marketplace. One reason we decided to mix apples and oranges was because few providers actually manufacture their own devices, and the actual manufacturers (Netgear and Novatel among others) tend to produce almost identical devices for every carrier.

    You’ve got a number of options to set up a WiFi Hotspot in your vehicle. Here are the main ones:

    • Tethering through an existing Smartphone
    • Connecting through a dedicated MiFi device
    • Connecting through a 4G LTE router
    • Connecting through a vehicle’s 4G LTE service

    As long as you’re paying by the byte, virtually all of the cellphone providers now support tethering on a wide variety of smartphones. The major drawbacks are you’ll want a high performance smartphone if you plan to use it for tethering. And tethering eats through battery life in a hurry. Unless your phone is connected to a charger or wireless charging pad in the vehicle, this can be problematic on a long trip.

    Virtually all of the car manufacturers, domestic and foreign, now offer some sort of WiFi connectivity in their higher end vehicles. But you’ll typically pay a fee for their middleware plus the cost of your actual Internet usage using either your existing smartphone plan or a dedicated 4G connection in the vehicle. If you remember the price gouging on cellular calling directly from your vehicle, you’re going to love Mobile HotSpot pricing. It’s worse.

    With the Audi Mobile Internet Plan, we can sum it up in five words: Hold On to Your Wallet!

    Ford takes a different approach and uses your existing smartphone via Bluetooth as a Mobile HotSpot with SYNC® and MyFord Touch® (for a fee).

    Chrysler’s UConnect® takes the Ford approach and is offered on about two dozen new vehicles including the popular Jeep Cherokee and Grand Cherokee.

    Choosing WiFi Hotspot Platforms for Our Road Test

    For AT&T, we’ve chosen the integrated hotspot that is featured in many of the latest GM vehicles from Chevy, Buick, GMC, and Cadillac. For the complete 2015 and 2016 vehicle list, visit this GM site. Yes, trucks are included. On a monthly hotspot plan through GM’s OnStar service, 5 gigs of data runs $50 whether you subscribe to OnStar or not. Another option is to purchase a bucket of data which must be used within a year (which won’t be difficult). That runs $150 for 10 gigs of data with OnStar, or $200 without an OnStar subscription. A third option is the daily plan which costs $5 for each 250MB of data. Luckily, there is a more sane option for those that already have an AT&T Value Plan for one or more phones. You can add the hotspot in your vehicle for $10 a month, and it uses your existing bucket of data from your plan. The AT&T unlimited data plans for those with DirecTV service are not available for vehicle hotspots or any other hotspots or tethering for that matter. The two main advantages of the GM approach over many of the competitors are you’re not dependent upon a smartphone for your hotspot and there is a cellular antenna mounted on your roof which will generally provide better performance.

    StraightTalk’s Mobile HotSpot which also uses the AT&T network flunked on the basis of cost. $75 buys you 7GB of service for up to 60 days.

    For Verizon, we’ll be using the Verizon 4G LTE Mobile Hotspot MiFi® 5510L (aka JetPack) from Novatel Wireless. An excellent review of the device is available at PC Mag. For those that travel internationally, you may prefer the 4620LE which reportedly has double the battery life. We leave ours plugged into a USB port in the car so battery life is not really a concern. We’ve previously written about Verizon’s grandfathered unlimited 4G data plans and, if you’re lucky enough to have one, this option can’t be beat. Otherwise, like all things Verizon, data plans are expensive. $100 gets you 10GB which must be used within two months. $60 gets you 5GB for use within the same period. Although pricey, it’s half the cost of the GM plan without OnStar. And, trust us, Road Warriors won’t have to worry about not using up their bucket of data in two months.

    We’ve previously tested Verizon’s Tasman T1114 Verizon Wireless 4G LTE Broadband Router with Voice which is manufactured by Novatel. The main drawback of this device was that it required a 110 volt connection using a beefy 3 amp power brick. Our testing and that of PC Mag suggests it isn’t the best choice on the basis of performance either. Preliminary testing suggests the 5510L provides almost triple the data performance under identical conditions. And we found that to be true even after we added dual external antennas to the T1114. Don’t waste your money.

    For Sprint, we initially chose one of their MVNOs, Karma Go. And we were looking forward to giving it a workout on the highway. But it was not meant to be. If you follow the trade rags, you know that they originally promised unlimited data with their WiFi hotspot for $50 a month. That lasted about 45 days, and they cut the data rate from 5 Mbit to 1.5 claiming that some folks were using too much data. Duh! That approach lasted about two more weeks, and they implemented a 15GB cap on 4G service with throttled service thereafter that would have you yearning for your old 28.8 modem. Generally speaking, Sprint’s network isn’t that bad from a performance standpoint IF you have service at all. But, in light of all the bad karma surrounding this service, we wouldn’t recommend it to anyone at this juncture. We returned our device within the 45 day trial period for a refund. We’d suggest you do the same. In its place, we’ll be trying out the RingPlus phone that we wrote about last week and that also uses the Sprint network. Unfortunately, our phone lacks tethering capability.

    Boost Mobile’s MiFi offering which also uses the Sprint network didn’t make the cut either. It only supports 4G LTE which means you’re dead in the water once you’re out of range of a 4G LTE tower.

    An unlimited* 4G LTE data service on the T-Mobile network which we first considered was MetroPCS at $60/month ($55/month on a Family Plan). However, MetroPCS pulls the same stunt as AT&T in the fine print of their so-called “unlimited” plan. It indicates that your service will be “deprioritized” after reaching 23GB of LTE data usage. That’s the new word for crippled and throttled which these providers just can’t quite bring themselves to say.

    We saved the best for last. If you do have T-Mobile 4G service in your area (and most folks do as of the 2015 expansion), here’s a deal you can’t refuse. For $35 a month on the Simple Choice (post-paid) Plan, you get 6GB of data at 4G speeds and unlimited (throttled) data for the balance of the month. But there’s a silver lining: with a 6GB or greater post-paid plan, you also get unlimited video streaming at DVD quality without additional cost for a couple dozen services including Netflix, Amazon Prime Video, ESPN, HBO, and numerous other providers. If you have kids and travel, this is a no-brainer! The complete list of BingeOn providers is available here. For our WiFi device, we chose the ZTE Z915 4G LTE Hotspot.

    HINT: Use our referral link and we both get $25 when you sign up. 🙂

    Data Usage in a Nutshell

    Before we hit the road, let’s provide some points of reference on data usage. The simplest to understand is Netflix. At their lowest streaming video rate, you will burn through .3GB per hour. At the medium SD rate, it’s .7GB per hour. At the best video HD rate, you’ll burn through 3GB per hour. And Ultra HD gobbles up 7GB per hour. You can set the playback rate in your account under Profile -> Playback Settings. At the very lowest data rate, you’ll get about 11 movies out of 5GB of data. With a 4G connection and the Netflix automatic data settings, you’re unlikely to make it through 2 movies with a 5GB plan. So you’re well advised to hard-code your playback rate before you hit the road if your family is into movies… unless you choose the BingeOn option with T-Mobile.

    A Few Words About T-Mobile’s Binge On Service

    The reported gotchas with the Binge On feature are that it’s a lower quality video stream and once you use up your 4G data allowance for the month, the Binge On feature ceases to function. So you’d want to carefully choose your plan and monitor your data usage to avoid any surprises. As for the quality of the video stream, we’ve read the complaints about this. But it’s a red herring in our testing. Video playback is at DVD quality, and we’re having a hard time believing most folks need something better for a ride in the car, particularly on smartphones and tablets. And we noticed no appreciable degradation even on a 13″ notebook. There’s also been some squealing that BingeOn violates the FCC’s Network Neutrality rule. Our reading of the rule suggests otherwise. First and foremost, BingeOn is an optional service. Any consumer that doesn’t want it can turn it off. Second, for anyone that has ever managed a network with limited bandwidth, the first thing you come to appreciate is the need to control streaming media content. T-Mobile is well within the network neutrality guidelines in doing so, and they’ve done it in a vendor-neutral manner by applying a throttling mechanism to all streaming content that can be identified as such. For those that use encrypted communications for streaming, T-Mobile has offered to work with them to find a way to identify their streaming content so that they, too, can be included in the BingeOn program. Others have suggested that providing video streaming for free while charging for data associated with web browsing also violates network neutrality. We believe the clear intent of the rule was to outlaw discrimination in favor of particular vendors with regard to similar types of Internet content. Any other interpretation would mean that services such as free calling and free text messaging would also violate network neutrality. While this might thrill the Bell Sisters (Verizon and AT&T), it’s difficult to see how this benefits any consumer using the Internet.

    Ready, Set, Go: Let the Journey Begin

    For our 300-mile trip today, we’ve chosen a travel path that provides a good mix of interstate highways and less traveled state highways. The topography ranges from flat terrain to sparsely populated mountain areas where cellphone towers are few and far between. In between, there are a few metropolitan areas including Charleston, Columbia, Spartanburg, and Asheville. These are mixed with tiny towns including Waynesville and Sylva, North Carolina near our destination. Interestingly, these small towns reportedly boast some of the best cellular data performance in the country. We shall see.

    At the Nerd Vittles home base in Charleston, South Carolina, the data performance of the four major carriers is fairly consistent depending upon the time of day and day of the week. During business hours, a typical 4G LTE speed test looks something like this, not great but not that bad either. It’s certainly adequate for any type of activity one would typically need while traveling in a vehicle:

    We’ll be heading up I-26 from Charleston for over three hours before making a left turn in Asheville, North Carolina to head west via the Great Smoky Mountain Expressway. During the 300 mile journey, we’ll have non-stop movies playing with our T-Mobile BingeOn account in the back seat while the other cellular services are used for more mundane (and less costly) tasks such as checking email and surfing the net. From point A to point B, it’s all four-lane highways or better, quite a change from 30 years ago. In fact, you can even make the trip in a Tesla with a one-hour free charging detour:

    We’re big Spotify fans so most of our AT&T testing will involve listening to the latest Spotify playlists using Apple CarPlay. If the music hiccups, we’ll know we have an AT&T problem. From time to time, we’ll activate a WiFi network connection on our iPhone to check out performance of the Verizon and T-Mobile HotSpots. One of our travelers is a big Facebook gaming enthusiast and, to support that endeavor, we’ll configure her tablet to use the AT&T WiFi HotSpot built into the vehicle.

    Mobile Internet Scorecard

    Well, the results were pretty much what we expected. Sprint calling and T-Mobile streaming worked well along the interstates and went from bad to worse once we hit the state highways. AT&T and Verizon didn’t miss a beat door to door.

    T-Mobile remains the best bargain for streaming unless you have an unlimited data plan without throttling. Even then, the cost difference is staggering. Our unlimited Verizon plan now runs over $100 a month while T-Mobile is a flat $35. There were some random hiccups in the T-Mobile streaming from time to time which we never experienced with Verizon. But you can’t beat the price! Both AT&T and Verizon have dramatically improved their “mountain coverage” in the past year. In the past, Verizon coverage at our cabin was non-existent and AT&T only worked by strategically placing your smartphone on the outdoor fireplace mantel. Now both have reliable 4G service. Our Verizon HotSpot provides consistent 10 Mb download and 5 Mb upload speeds, about 5 times the performance of the DSL connection provided by the local telephone company.

    Originally published: Monday, February 15, 2016






     