Category: Networking

Firewalls 101: Why Every Asterisk Server Should Have a Functioning Firewall


Part of our fundamental disagreement with the FreePBX® design can be summed up in one word: FIREWALL or the lack of a functioning firewall in the FreePBX Distro and in the functionally identical Digium product, AsteriskNOW®.1 Most of the other design choices including the controversial, non-GPL compliant Module Signature Checking mechanism are touted as failsafe ways to detect altered systems even though changes in FreePBX MySQL tables and Asterisk config files can be modified easily without triggering alerts. In short, the Band-Aid® approach to module tampering does nothing to address the fundamental problem, prevention of unauthorized intrusions in the first place.

Some would contend that the included Fail2Ban product is specifically designed to prevent unauthorized intrusions by locking out the bad guys after a certain number of failed login attempts. Assuming Fail2Ban were functioning properly, which does not appear to be the case, putting all your eggs in the Fail2Ban basket also ignores several critical shortcomings in Fail2Ban. First, it has been documented that powerful servers such as Amazon EC2 and Twitter botnets give hackers almost unlimited intrusion attempts before Fail2Ban ever gets a time slice sufficient to scan logs for intrusion attempts. Second, Fail2Ban provides no protection against stealthy distributed bruteforcing activity. For example, if a botnet with 770,000 PCs attacked your server and each PC executed only two login attempts, Fail2Ban never gets triggered even assuming your server could handle the load and Fail2Ban got sufficient server resources to actually scan your logs. Finally, Fail2Ban provides no protection against Zero Day vulnerabilities where an intruder basically walks right into your server because of an unidentified vulnerability lurking in the existing code. Unfortunately, these are not hypothetical situations but regular occurrences over the past 10 years of Asterisk and FreePBX development. In a nutshell, that’s why you need a real firewall. It completely blocks all access to your server by unauthorized users all of the time.

Numerous companies have intentionally exposed Asterisk® servers to the public Internet in a continuing effort to identify problems before they affect “real servers.” We know of no similar efforts with a platform that includes FreePBX as an integral component of the server. Why? Because the potential for Zero Day Vulnerabilities in a platform of modular design is enormous. One vulnerable component in FreePBX and the entire house of cards collapses because of the blank check server access that a compromised FreePBX asterisk user account gives to an intruder. It’s the fundamental reason that services such as Apache were engineered to run with different user credentials than a root user in the real world. In essence, the current FreePBX design with Asterisk has elevated asterisk user credentials to allow root-like access to almost every server file and function with the exception of SSH access. And SSH access becomes all but unnecessary given the scope of the GUI functionality provided within FreePBX and the escalated privileges it enjoys.

On FreePBX-based Asterisk servers, the absence of any user account separation means Asterisk, Apache, and FreePBX services all operate under the single asterisk user account. If any piece collapses due to a vulnerability, the intruder gets the keys to the castle including read/write access to Asterisk and FreePBX manager credentials and config files as well as broad MySQL access. This, in turn, exposes your VoIP account credentials in addition to facilitating SQL injection into any and all FreePBX database tables. Because FreePBX “hides” numerous settings in over a hundred MySQL tables, the Asterisk DB, and dozens of Asterisk config files, once the asterisk user account access is compromised, many of the major components on your server could be cleverly reconfigured without leaving much of a hint that your server had been compromised. In fact, VoIP account credentials could be extracted and used elsewhere with no traceable footprint back to your server. For all you would know, your provider compromised your credentials rather than the other way around. Just another reminder that keeping a credit card on file for automatic replenishment with VoIP providers is a very bad idea!

Providing the asterisk user with these broad permissions was a (poor) design choice. Why was it done? To make it easy for the developers to alter virtually everything on your Asterisk server using FreePBX’s integrated Module Admin component. Root user permissions are never required to do much of anything other than server platform upgrades once the FreePBX Distro or AsteriskNOW product is installed. That’s exactly the design one would expect to find in a commercial, closed source software platform. But it’s unusual in the open source community to put it charitably. We trust we’ve made the case why a rock-solid firewall with any product that uses FreePBX modules is absolutely essential. FreePBX is a wonderful GUI, but use of the platform without a properly configured, fully functional firewall could be financially catastrophic not to mention the serious damage it could cause to others including the good reputation of Asterisk in the Internet community.

Our objective next week will be to help you implement a functioning Linux-based software firewall on the FreePBX Distro and AsteriskNOW platforms. It’s FREE! Not only will this improve the security of your server, but it will deny the bad guys a platform from which to launch mischievous acts against the rest of us. Unless you’re running Asterisk on a Cloud-based platform, do all of us a favor NOW! Run, don’t walk, to your nearest electronics store (including WalMart and BestBuy) and purchase one of the dozens of inexpensive NAT-based routers. Install it between the Internet and your server TODAY! This is the one we use, but there are plenty from which to choose including our refurbished one.2


NEWS FLASH:
Download the new FUD-Free Firewall for FreePBX Distro and AsteriskNOW.

Originally published: Monday, August 3, 2015




Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. Technically, IPtables is running on the FreePBX Distro and AsteriskNOW platforms; however, it’s sole function is to act as the shutdown mechanism for Fail2Ban-detected breaches. It does not independently examine packets. There is no functioning iptables config file. From our vantage point, serving as the Fail2Ban traffic cop doesn’t qualify as a functioning firewall since it lacks any of the traditional IPtables rules that manage PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING of packets. []
  2. Where prices are competitive or availability is a factor, we often recommend Amazon because Amazon provides financial support to Nerd Vittles through our referral links. We encourage everyone to shop independently and purchase products from suppliers that best meet your own requirements. []

View from the Trenches: A Fresh Look at VoIP Project Development in the Cloud

The world of cloud-based computing has profoundly changed over the past year. And today we want to take a fresh look at the cloud landscape for those of you that spend considerable time experimenting or tweaking software applications either for customers or for your own organization.

First, a brief paragraph of history. We began our cloud experiments almost seven years ago when Amazon S3 was still in its infancy. At the time, Amazon S3 was a real bargain even with all its development quirks. The adventure continued when we moved some production level systems to Amazon’s EC2 cloud in early 2013. What we quickly learned was just how expensive cloud computing could be once you reached the end of your “free year” with Amazon. As the cloud options continued to bloom, RentPBX began providing technical and financial assistance to our projects while also offering inexpensive, production-quality VoIP services in the cloud at truly bargain basement prices: $15 a month. That barely covers the electric bill for many folks hosting their own local servers. And RentPBX servers are unique. They don’t commingle other processor-intensive applications on their servers. All of their servers are pure VoIP which makes for an incredibly reliable cloud-based platform. Our special pricing still is available for those using PBX in a Flash and Incredible PBX. Just sign up with the coupon code: NOGOTCHAS. So that’s a little background.

But there are many of us that develop systems and experiment with new offerings as part of our daily routine. We build systems. We tweak systems. We blow up systems. And we start over, sometimes dozens (hopefully not hundreds) of times. To give you an example, our typical Incredible PBX build to support a new platform goes through twenty to thirty iterations before all of the kinks are worked out of the code. And that’s before the software development teams for CentOS, Ubuntu, Asterisk, Apache, SendMail, MySQL, and the Raspberry Pi “improve” anything. A production-quality cloud service really isn’t flexible enough to support this type of activity, and an affordable local server lacks the horsepower to keep setup times reasonable. On occasion, we use a high performance iMac coupled with VirtualBox for development, but that introduces some quirks that typically aren’t found on real world servers.

The good news is that there are two relatively new cloud offerings that fit very well with the requirements needed for rapid application development. We use both of them in slightly different ways so let us share our experience in hopes that it will save many of you some time experimenting.

We can’t say enough good things about Digital Ocean. Despite a few growing pains from time to time, Digital Ocean provides a vast assortment of cloud-based servers scattered all around the world. There are servers in New York, San Francisco, Amsterdam, London, Frankfurt, and even Singapore. You can size your development platform to meet almost any requirement with prices starting at about 5¢ for a 7-hour day of development. That buys you a speedy 512MB/single-CPU platform with 20 gigs of storage and a terabyte of monthly bandwidth. Add a (free) 1GB cache to your build, and it’s the performance equivalent of our $3,000 standalone Dell servers. You can scale up from there to a platform with 64GB of RAM, 20 CPUs, 640GB SSD drive, and 9 terabytes of monthly data transfer for less than $1 an hour. The difference with this platform is you can create a CentOS, Ubuntu, Fedora, FreeBSD, or Debian server of any recent vintage in about one minute. There’s also a vast array of preconfigured applications for the specialists of the world:

Using our referral code, you get $10 of free service while we get a little spiff down the road to keep the Nerd Vittles lights on. Tear down of servers is almost instantaneous, and you simply pay for the time you used. Using the small platform for 90 minutes will set you back a whole penny. Some of our PBX in a Flash users are actually running production-level servers on this platform (which we don’t recommend), and the monthly cost is capped at $5. One of the best kept secrets at Digital Ocean is that you can take snapshots of your builds and store them at little to no cost. We have a dozen of them and have never paid a penny in storage fees. You also have the option of off-site backups for production platforms.

The new kid on the block is CloudAtCost.com. If you’re not into bleeding edge, this probably isn’t the offering for you. But it is dirt cheap. While you can pay by the month, CloudAtCost also has a revolutionary marketing strategy. You can pay for your virtual machine once (almost always at a substantial discount off the listed prices), and you get to use “your server” forever at no additional cost… at least as long as CloudAtCost stays in business. If this sounds like a pyramid scheme, you probably wouldn’t be the first to suggest that. Suffice it to say, their business has grown geometrically over the past year. And they recently announced CloudPRO which lets you pool resources from servers you previously have bought, and use them in much the same way as Digital Ocean but with no additional charges. So here’s today’s pricing:

To put things in perspective, the virtual machine equivalent of Digital Ocean’s smallest setup costs $17.50, ONE TIME! The Big Dog 3 platform with a one-time fee of $560 migrated to CloudPRO would provide you with the capability to create 8 smaller systems (1 CPU, 1GB RAM, and 10GB storage) as desired with no bandwidth limitations forever.1 Download and upload performance is fairly impressive using speedtest-cli:

So what’s the catch. Well, there are some. First, as you might imagine, these folks are much like the fella laying track in front of the steaming locomotive. Will that ever end? You’d better hope not because, when it does, the entire house of cards may come down. While Digital Ocean typically builds virtual machines in under a minute, CloudAtCost turnaround times are close to a day. Once your server is actually working, we’ve had a pretty good experience with the performance quality although there can be rough spots that usually are resolved within a day. The promise, of course, is to get build times down to a minute or two. But, frankly, we’re not holding our breath. As for platform support, there are plenty of options just like with Digital Ocean:

What is this platform good for? In our case, it’s almost perfect for off-site backups. You can judge the web performance for yourself by visiting the backup site for Nerd Vittles, or the PIAF Forum, or Incredible PBX, or PBX in a Flash. Would we use CloudAtCost for production? Not a chance. But for backups and demo servers, it’s AWESOME and CHEAP! If you’re a Nerd Vittles early bird, you can use our coupon code for an additional 20% off: Zu2eXYDYtU.

DEMO SERVER. We’ve actually set up an Incredible PBX server with Google Voice and an IVR of sample applications so you can judge the CloudAtCost performance for yourself. You can even try hacking the IP address if that’s your thing. We always love to test our firewall: nmap -sT -O 162.252.242.229. To try out Allison’s IVR, enter your 10-digit callback number below and then click the Click Here button once. Count to 10 and your phone should be ringing. After you answer the call and press 1, you’ll be connected to the IVR Demo in Canada. Don’t be shy.



Nerd Vittles IVR Demo Options
1 – Call by Name (say “Delta Airlines” or “American Airlines” to try it out)
2 – MeetMe Conference (password is 1234)
3 – Wolfram Alpha (say “What planes are overhead?”)
4 – Lenny (The Telemarketer’s Worst Nightmare)
5 – Today’s News Headlines
6 – Weather Forecast (say the city and state, province, or country)
7 – Today in History
8 – Speak to a Real Person (or maybe just Lenny if we’re out)

Originally published: Cinco de Mayo, 2015



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. forever: as long as CloudAtCost.com stays in business []

Firewalls and Internet Security: Separating FUD and Fiction in the VoIP World

Some of us have spent years developing secure VoIP solutions for Asterisk® that protect your phone bill while bringing Cloud-based solutions within reach of virtually anyone. So it’s particularly disappointing when a hardware manufacturer spreads fear, uncertainty, and doubt in order to peddle their hardware. In this case, it happens to be Session Border Controllers (SBCs). We want you to watch this latest “infomercial” for yourself:



To hear Sangoma tell it, every VoIP server protected by merely a firewall is vulnerable to endless SIP attacks unless, of course, you purchase an SBC. And since implementation of Cloud-based servers traditionally limits the ability to deploy an SBC, most Cloud-based VoIP solutions would become vulnerable to SIP attacks. In the words of Sangoma:

And with telecom fraud and PBX hacking on the rise, it’s important to keep your network secure. For most enterprises, it’s not a matter of if-but-when their [sic] network experiences an attack, potentially costing you valuable time and money.

Now Sangoma is touting an article in a blog from the U.K. that begins with the headline “Why Firewalls are not Enough.” The purported author is Jack Eagle, who is otherwise unidentified. Not surprisingly, the owner of the blog happens to be a reseller of Sangoma hardware. Here’s what Jack Eagle suggests:

In addition, the inherent function of firewalls is to deny all unsolicited traffic. Whereby, the act of making a phone call is an unsolicited event, thus, firewalls can be counterproductive to an effective VoIP deployment by denying VoIP traffic.

For the benefit of those of you considering a VoIP deployment either locally or in the Cloud using Asterisk, let’s cut to the chase and directly address some of the FUD that’s been thrown out there.

FUD #1: Internet SIP Access Exposes Asterisk to Attack

False. What is true is that unrestricted SIP access to your server from the Internet without a properly secured firewall may expose Asterisk to attack. Perhaps it’s mere coincidence but the only major Asterisk aggregation that still installs Asterisk with an unsecured firewall and no accompanying script, tutorial, or even recommendation to properly lock it down and protect against SIP attacks happens to be from the same company that now wants you to buy a session border controller.

FUD #2: Firewalls Aren’t Designed to Protect Asterisk from SIP Attacks

False. What is true is that the base firewall installation provided in the FreePBX® Distro does not protect against any attacks. In a Cloud-based environment or with local deployments directly exposed to the Internet, that could very well spell disaster. And it has on a number of occasions. The Linux IPtables firewall is perfectly capable of insulating your Asterisk server from SIP attacks when properly configured. With PBX in a Flash and its open source Travelin’ Man 3 script, anonymous SIP access is completely eliminated. The same is true using the tools provided in the latest Elastix servers. And, Incredible PBX servers have always included a secured firewall with simple tools to manage it. Of course, with local VoIP hardware and a hardware-based firewall, any Asterisk server can be totally insulated from SIP attacks whether IPtables is deployed or not. Just don’t open any ports in your firewall and register your trunks with your SIP providers. Simple as that.

FUD #3: SIP Provider Access to Asterisk Compromises Your Firewall

False. Registering a server with SIP or IAX trunk providers is all that is required to provide secure VoIP communications. Calls can flow in and out of your Asterisk PBX without compromising your server or communications in any way. Contrary to what is depicted in the infomercial, there is no need to poke a hole in your firewall to expose SIP traffic. In fact, we know of only one SIP provider that requires firewall changes in order to use their services. Simple answer: use a different provider. Consider how you access Internet sites with a browser from behind a firewall. The connection from your browser to web sites on the Internet can be totally secure without any port exposure in your firewall configuration. Registering a SIP trunk with a SIP provider accomplishes much the same thing. All modern firewalls and routers will automatically handle the opening and closing of ports to accommodate the SIP or IAX communications traffic.

FUD #4: Remote Users Can’t Access Asterisk Without SIP Exposure

False. Over the past several years, we have written about a number of methodologies which allow remote users to securely access an Asterisk server. That’s what Virtual Private Networks and Port Knocking and Remote Firewall Management are all about. All of these solutions provide access without exposing your server to any SIP vulnerabilities! We hope the authors of this infomercial will give these open source tools a careful look before tarnishing the VoIP brand by suggesting vulnerabilities which any prudent VoIP deployment can easily avoid without additional cost. Just use the right products!

Originally published: Thursday, April 23, 2015



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

The Gotcha-Free PBX: Harnessing SIP URIs for Free Worldwide Calling

We continue the Incredible PBX for Asterisk-GUI adventure today with a close look at SIP URIs, those email-like addresses that are the fundamental building blocks for VoIP technology. Consider this. If everyone in the world had a SIP address instead of a phone number, every call to every person in the world via the Internet would be free. That pretty much sums up why SIP URIs are important. The syntax for SIP URIs depends a bit upon your platform. In the Asterisk® world, they look like this: SIP/somenameORnumber@FQDN.yourdomain.com. On many SIP phones, you enter SIP URIs in the following format: sip:somenameORnumber@FQDN.yourdomain.com. Others use somenameORnumber@FQDN.yourdomain.com. Assuming you have a reliable Internet connection, once you have “dialed” a SIP URI, the destination SIP device will ring just as if they had a POTS phone. And Asterisk processes SIP URIs in much the same way as other calls originating from trunks. As noted, SIP URI calls of any duration to anywhere are free. And, of course, Incredible PBX is also free with No Gotchas!

In our original articles on Incredible PBX for Asterisk-GUI, we covered outbound calls to SIP URIs, and we’ll briefly review that procedure today. Then we’ll move on to setting up one or more SIP URIs for your own server so that you can receive incoming SIP URI calls. We’ll show you how to route them to any destination you like, both internal and external. We’ll also address the security implications of enabling SIP URI calling on your server. You don’t want the whole world calling into your server to make outbound calls on your nickel. We’ll also walk you through a safer SIP methodology in which you use a service provider as a SIP intermediary to better protect the security of your server. And finally, we’ll show you how to interconnect your new SIP URIs to real telephone numbers at zero cost. Then your friends without a SIP URI still can call you from any POTS or cellphone in the world.

SIP URI Calling with Incredible PBX for Asterisk-GUI

With one line of dialplan code, you can add Speed Dials for free SIP URI calling worldwide. The dialplan code is stored in the [CallingRule_SIP_URI] context in extensions_custom.conf. Just clone one of the existing entries, designate a speed dial number to connect to the SIP URI, and enter the SIP URI for the destination. Numerous SIP providers support assignment of SIP URI’s to existing DIDs for unlimited free calling from anywhere in the world. Here’s a sample using a speed dial code of 53669 (L-E-N-N-Y). Use it for your telemarketers: exten = 53669,1,Dial(SIP/2233435945@sip2sip.info).

Choosing a SIP URI Strategy with Incredible PBX for Asterisk-GUI

Before we actually create SIP URIs on your own server to receive anonymous calls, let’s walk through the available implementation strategies so that you can make an informed choice on how best to proceed. Keeping in mind that SIP URIs consist of an identifier and a fully-qualified domain name (FQDN) or IP address, one option is to use the same domain that you use for your company. We don’t recommend this approach because it makes it easy to guess where your SIP resources reside. Another option is to use a really obscure FQDN with your SIP URIs. Something like k43X20.mycompany.com or, for dynamic addresses, something like k43X20.dyndns.org makes more sense. In the next section, we’re going to lock down SIP access to your server to this FQDN so the more obscure the FQDN the safer you will be. Security through obscurity still works wonders. A third option is to use the IP address of your server instead of an FQDN. That’s a bad choice because of programs like SIPVicious that the bad guys use to scan the Internet for potential SIP targets to be hacked.

An alternative approach worth considering is to use a provider such as VoIP.ms as a SIP intermediary. In this scenario, you create a sub-account and assign an obscure extension number to that account. This in turn generates a SIP URI that can be used to connect to that account from your server by simply registering a VoIP.ms trunk in Incredible PBX. Once the trunk is registered, incoming SIP URI calls to your VoIP.ms sub-account will be forwarded (without cost) to your server without exposing Asterisk to SIP guest access at all. The wrinkle with this option is that VoIP.ms has often indicated that they plan to charge a reduced fee for these connections at some point. However, to date, they’ve never done it. If VoIP.ms shifts gears down the road, you obviously can as well. For the time being, we would encourage you to take advantage of this free service option. It remains our first choice for SIP URI implementation because there is no need to expose SIP resources on your server at all. VoIP.ms takes care of all the SIP security headaches leaving you to enjoy free calling. In the screenshot we’ve shown above, assuming your VoIP.ms account number was 12345, the SIP URI to connect to this sub-account would be 123458005551212@houston.voip.ms assuming you registered your trunk with the houston.voip.ms server.

Creating Your Own SIP URIs with Incredible PBX for Asterisk-GUI

The procedure for creating one or more SIP URIs on your own Incredible PBX server is straight-forward:

  1. For servers behind a hardware-based firewall, map UDP 5060 (SIP) to your server
  2. Enable allowguest access in [general] context of sip.conf
  3. Create desired SIP URIs in [public] context of extensions.conf

1. Unless your server is sitting on the public Internet without a hardware-based firewall, you’ll need to map UDP port 5060 (SIP) from the firewall to the private LAN address of your server. Otherwise incoming SIP calls will never reach Incredible PBX. Most routers have a Port Forwarding tab in which you designate the port to be forwarded, the type of port, and the destination IP address. Consult the manual for your router/firewall for detailed instructions.

2. Changing the allowguest setting in the [general] context of sip.conf is mandatory since the purpose of SIP URI calling is to accept calls from unregistered users. The risk, of course, is that anyone in the world with an Internet connection can attempt to connect to your server. More on that later. For now, issue this command after logging into your server as root:

sed -i 's|allowguest=no|allowguest=yes|' /etc/asterisk/sip.conf

Once you issue this command and restart Asterisk, the setup of Incredible PBX for Asterisk-GUI is to route anonymous SIP calls to the [public] context in extensions.conf. Only extensions in this context will be exposed to anonymous callers. This is important. NEVER change the destination context for these calls to one that provides unrestricted access to the calling resources on your server. The reason should be obvious. But, in case it isn’t, this would permit anonymous callers to use all of your trunks to place outbound calls to anywhere… on your nickel. $100,000 phone bills are the usual result.

3. There are two important facets in creating your own SIP URIs for anonymous access to your server. As touched upon previously, the first is choosing an obscure FQDN for your server. This is a really important layer of security for a couple of reasons: (1) your anonymous caller has to know the actual FQDN of your server in order to reach you and (2) in the next step we’re going to lock down your server to only allow anonymous SIP access from this FQDN. So choose carefully. The second consideration is deciding which server resources you wish to expose for SIP URI access. Do you wish to permit SIP URI calls only to a specific extension or ring group, or perhaps a custom IVR just for SIP URI callers, or perhaps a conference or DISA access (very dangerous)?

You can deploy more than one SIP URI. For each one, you’ll need a destination for the incoming call and an identifier or extension. Identifiers could be numeric, alphanumeric, or pure alpha characters. For example, 8005551212, joe6001, and accounting are all perfectly acceptable. The resultant SIP URI would be something like joe6001@k43X20.mycompany.com.

As noted, for each destination on your server that you wish to enable for SIP URI access, you add a line of dialplan code to the [public] context in extensions.conf. The syntax is identical to what you’ve previously used in routing incoming trunk calls to a destination except we’ll restrict connections to those matching the identifier you’ve chosen for each SIP URI. Here are some examples to get you started.

To route SIP URI accounting@k43X20.mycompany.com to Ring Group #1:
exten = accounting,n,Goto(ringroups-custom-1,s,1)

To route SIP URI joe6001@k43X20.mycompany.com to Extension 6001:
exten = joe6001,n,Goto(default,6001,1)

To route SIP URI demo@k43X20.mycompany.com to the Nerd Vittles demo IVR:
exten = demo,n,Goto(voicemenu-custom-2,s,1)

To route SIP URI lenny@k43X20.mycompany.com to an outside SIP URI:
exten = lenny,1,Dial(SIP/2233435945@sip2sip.info)

To route SIP URI conference@k43X20.mycompany.com to the default conference at extension 2663:
exten = conference,1,Goto(conf_bridge,2663,1)

To route SIP URI weather@k43X20.mycompany.com to the Weather by ZIP Code application:
exten = weather,1,Goto(CallingRule_extensions_custom,947,1)

To route SIP URI 800directory@k43X20.mycompany.com to Directory Assistance using Google Voice trunk:
exten = 800directory,1,Dial(Motif/GoogleVoice/18005551212@voice.google.com)

Securing Your Server with SIP URI Implementations

There are two important security steps once you have enabled anonymous SIP URI calling to your server. The first line of defense is to harden the IPtables Firewall to only permit anonymous SIP access to the specific FQDN you plan to use for your SIP URI callers. The second is to harden Asterisk to disallow requests for domains not serviced by your server.

1. Edit the IPv4 rules for your operating system. On the CentOS-compatible platforms, it’s /etc/sysconfig/iptables. On the Debian/Ubuntu/Raspbian platforms, it’s /etc/iptables/rules.v4. Toward the end of the file and just above the final fail2ban entries, insert the following code using your actual FQDN in the first line:

-A INPUT -p udp --dport 5060 -m string --string "@k43X20.mycompany.com" --algo bm -j ACCEPT
-A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
-A INPUT -p udp -m udp --dport 5060 -j DROP

2. Run the following commands substituting your actual FQDN in the first line to lock down Asterisk to only your FQDN for anonymous SIP connections:

sed -i '/\[general\]/a ;domain=k43X20.mycompany.com' /etc/asterisk/sip.conf
sed -i '0,/;domain/s/;domain/domain/' /etc/asterisk/sip.conf
sed -i '0,/;allowtransfer=no/s/;allowtransfer=no/allowtransfer=no/' /etc/asterisk/sip.conf
sed -i '0,/; allowexternaldomains=no/s/; allowexternaldomains=no/allowexternaldomains=no/' /etc/asterisk/sip.conf

3. Restart your firewall: iptables-restart

4. Restart Asterisk: asterisk-restart

5. Done!

Interconnecting a SIP URI with a Free PSTN Phone Number

Wouldn’t it be nice if all your friends and business associates without SIP URI capability could still call you using a traditional PSTN number? Well, it’s your lucky day because www.ipkall.com provides just what you need, a free phone number in the Seattle area that you can connect to an existing SIP URI on your server.

When folks call the Seattle number, they will be connected to your server using whatever routing you chose for the SIP URI in the previous section. So sign up for a number, enter your email address and the SIP URI for the calls, and wait for the confirmation email identifying your new telephone number. The only catch is that you need to receive at least one call a month to keep the number. Aside from that, there are no restrictions on use of the PSTN numbers. Enjoy!


Don’t forget to List Yourself in Directory Assistance with your new IPkall PSTN number so everyone can find you by dialing 411. And be sure to add your new number to the Do Not Call Registry to block telemarketing calls.

Originally published: Wednesday, March 25, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Santa’s Technology Roundup: The Best Products of 2014 with Some Surprises

Once a year we like to pause and take a look back at 10 technology products that really grabbed our attention. 2014 will be remembered as a spectacular year. So here’s what made the Nerd Vittles short list for 2014…

Smartphone of the Year: It’s a 5-Way Tie

And the winners in no particular order… Galaxy Note 4, iPhone 6+, LG G3, HTC One M8, and Moto X.1 So which should you choose if you can only have one? Visit AndroidHeadlines.com for a detailed feature comparison. You can’t go wrong with any of them. In our family, there’s one of almost all of them.

Desktop Computer of the Year: Apple’s 27‑inch iMac with Retina 5K display

If you work with a computer for a living, there is no competition. It scales to any feature set you may need. Run, don’t walk, to your nearest Apple Store and get in line. We waited two months for ours!

Portable Computer of the Year: Apple’s MacBook Air with Retina Display

Hah. Just kidding. It would have been the hands-down favorite in 2014 except for one minor detail. It hasn’t been released… yet. If you absolutely have to have a retina display-quality notebook, then you’ll have to settle for the slightly thicker Macbook Pro this Christmas. For us, we’re waiting for 2015 and what will surely be the MacBook Air with Retina Display.

Tablet of the Year: iPad Air 2

If you’re starting to think we’re charter members of the Apple FanBoy Club, then you haven’t been following Nerd Vittles for very long. We can be one of their harshest critics. But the bottom line is that Apple products are compelling because of their tight integration to Apple’s closed society. If you’re a member of that club, then you’ll want the iPad Air 2 to add to your collection. It’s a terrific tablet at a compelling price.

Multimedia Device of the Year: Roku 3

If you’re into Netflix and Amazon Prime and movies, nobody needs to tell you that the streaming device hardware market is a crowded place. The Roku 3 isn’t the cheapest device in the market, but it’s still the one we always drop into our suitcase when we hit the road. It’s simple to configure and supports WiFi almost anywhere. It just works!

VoIP Product of the Year: Vitelity’s vMobile

It’s taken a few starts and stops to get the kinks out, but Vitelity’s vMobile smartphone is a truly revolutionary offering. It provides seamless integration of the smartphone into your PBX infrastructure. The phone becomes “just another extension” on your PBX except the device is 100% mobile which means it works with WiFi or it works anywhere Sprint has a tower. For any organization with staff that travels, this is a must-have device. Anything you can do with a traditional PBX extension, you can do with your smartphone using the vMobile technology. It’s the hands-down winner as VoIP Product of the Year. Use our special signup link and help support the Nerd Vittles, PBX in a Flash, and Incredible PBX projects.

VoIP SOHO Hardware of the Year: CuBox-i

We’ve tested lots of small footprint hardware in search of the perfect VOIP platform for the home or SOHO office. The search is over. The hands-down winner is the CuBox-i. It’s tiny, powerful, quiet, and has every feature you could possibly want in a VoIP server. Read our full review here. They’re 25% at NewEgg if you hurry.

VoIP Deal of the Year: $15 Pogoplug with Incredible PBX

If there’s one thing all of us have in common, it’s a burning desire to find the best bargain on the planet. In the VoIP marketplace, look no further than here. Repurposing a PogoPlug for less than $20 (and some of them went for $5), is the perfect way to learn about VoIP without breaking the bank. Our tutorial on the VoIP Deal of the Year will tell you everything you need to know to get started.

Must-Have Product of the Year: Amazon Echo

The Amazon Echo is still an invitation-only device, but you need to get in line NOW. During the introduction, Amazon is selling them for $99. Or you can get one on eBay for about triple that amount. It’s money well spent. Think of it as a desktop version of Siri. But it’s so much more. With Amazon Prime and Prime Music accounts plus a free iHeartRadio account, you get access to a collection of over a million songs just by saying the name of the artist or song or playlist or radio station of interest. You also can upload 250 of your own songs not purchased through Amazon Music at no charge. Or, for $25 a year, you can upload up to 250,000 tracks much like iTunes Match. The sound quality of the device is nothing short of spectacular. My teenage daughter and I spent over two hours playing with it the first night it arrived. And the excitement hasn’t waned. It’s the go-to device for all of our visitors to explore new and old music. And, yes, Amazon Echo knows the weather, the time, and just about anything else you care to ask about. You’ll have it in your living room in no time. Not only will it speak the results while playing your favorite song, it’ll send the results and to-do list to your smartphone.

2014: Cloud Computing Reinvented

Over the past few years, we’ve seen a gradual migration of server platforms to the cloud thanks in large part to ever falling prices on the Amazon EC2 platform. But 2014 saw some new cloud strategies. First came the pay-once-use-it-forever platform of CloudAtCost.com. Wait for the next sale and save half on almost any of their server platforms. If you follow us on Twitter, we’ll let you know when it happens. We’ve had several servers for almost a year with no hiccups. In fact, we now keep backup images of the Nerd Vittles, PBX in a Flash, and Incredible PBX web sites running 24/7 on these Canadian servers. Check out the performance for yourself.

Then there was Digital Ocean with its pay-by-the-hour pricing coupled with the ability to create virtual machines for almost any platform in under a minute. It truly is a developer’s dream come true. Frankly, it’s our platform of choice for development of all the great software you read about here. Use our signup link and get a $10 credit to try things out. The beauty of the technology is you can create a server with 512MB of RAM and a 20GB drive, work for a half a day, take a snapshot of your project, and then delete the server until you feel like working again. Total cost for use of the platform and storage of your snapshot: about 2¢.

With any great new technology, of course, competition is not far behind. Meet Vultr, the Digital Ocean knock-off promising more memory, more server locations, and more features for less money. Is Vultr really better? We’ll let you know after we’ve had more time to play. Our first look uncovered a few wrinkles. First, you had to request enabling of port 25 for outbound SMTP mail support. Not a big deal if it were documented that you had to request it, but it isn’t mentioned anywhere on the site. Second, virtual machines take a bit longer to create and much longer to become fully functional on Vultr. We got spoiled by the one-minute spin up at Digital Ocean. But, the good news is a penny-an-hour server gets you a gig of RAM, 20 gigs of storage, and 2 terabytes of data transfer a month for $7. And it is fast! So stay tuned for a full review and…

Merry Christmas!

Originally published: Monday, December 22, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. Some of our purchase links refer users to Amazon and other sites when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from merchants to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support Amazon and other merchants because they support us. []

A Firsthand Look at Disaster Recovery: Tethering and IAX with Asterisk

One of the exciting challenges of building a swimming pool is knowing that it’s just a matter of time until your Internet connection dies. As you might imagine, swimming pools are major construction and involve a lot of digging. And digging usually means some oops moments when cables get cut. In our case, we had watched the folks digging the trenches for all of the pool plumbing to be sure they didn’t accidentally whack one of three coax cables coming into our house. And, when it came time to cover up the trenches, we pointed out the orange cables to the Bobcat driver knowing we were finally home free. Not so fast! Two minutes later, Mario had driven the Bobcat right over the primary Internet cable leaving the shredded remains sticking up through the dirt. Oops. Sorry. Shit happens!

Looking on the positive side, we chuckled, “What a perfect opportunity to test our backup Asterisk® system!” Our backup system is pretty clever if we do say so. It relies upon a Verizon WiFi HotSpot running on our Galaxy smartphone and a duplicate of our Asterisk-based PBX in a Flash™ server running as a virtual machine under VirtualBox on an iMac desktop. The entire setup takes less than a minute to activate. Well, that was the plan anyway.

It turns out that Verizon does SIP a little differently with a SIP ALG in the path so Asterisk couldn’t register with all but one of our dozen SIP providers. Congratulations, CallCentric! The workaround is to enable STUN. That is now possible with Asterisk 11. Short of that, you’re left with CallCentric. Unfortunately for us, we don’t do much SIP trunking with CallCentric, and none of our primary DIDs are connected through them. The other option is to add port=5080 to your trunk setup with any SIP trunks you register with VoIP.ms using a username and password. Our attention span was too short to tackle STUN in the middle of this crisis. But there’s good news. Verizon doesn’t mess with IAX network traffic at all. Since a couple of our primary DIDs are registered with VoIP.ms using IAX trunks, restoring these IAX trunks to full functionality took less than a minute. That is step one of a three-step process. You need inbound trunks, phones, and outbound trunks to get your redundant VoIP server back in business.

Getting phones to function on what is now a purely WiFi network (through the Verizon HotSpot) can be problematic unless you’ve done your homework and sprinkled a few WiFi-capable SIP phones around your home or office. In our case, we still have Grandstream’s GXP2200 Android phones scattered everywhere so it was just a matter of plugging in the WiFI adapters and rebooting. The newer GXV3240 would work just as well.1

All that remained was enabling several trunks for outbound calls. Since VoIP.ms IAX trunks support both incoming and outgoing calls, we were home free. And, with Google Voice trunks, it was simply a matter of jumping through Google’s security hoops to reenable the connections on a new IP address.

Lessons Learned. Here’s a quick checklist for those of you that think about disaster recovery for your home or for clients and businesses. Nothing beats some advance planning. If money is no object, then WiFi tethering from a smartphone with one of the major providers whose service works well in your home or office environment is the way to go. 4G is a must!

In our case, money was an object so we had the foresight to acquire a Verizon SIM card from eBay that included an unlimited data plan. With this setup, it costs only $1 a day extra to add WiFi tethering, and you can turn it off and on as often as you like without any additional fees or surcharges. There also are no additional charges for using boatloads of data! We’re actually writing this column with a tethered connection from a hotel in Washington (results above). To give you some idea of why an unlimited data plan is important, our home operation burned through 4 gigs of data in less than 24 hours once we activated WiFi tethering. Of course, there were people doing things other than making phones calls, but tethering enables 5 connections to function just about like the cable modem service you originally had in place. So expect the data usage to be substantial. Everybody likes 24/7 Internet service.

Loss of phone calls through a PBX is more of an annoyance than a crisis these days because almost everyone also has a smartphone. Even so, the SIP gotcha with Verizon Wireless was a surprise because we hadn’t really tested our super-duper emergency system in advance. That wasn’t too smart obviously. The old adage applies. Do as we say, not as we do. Unplug your cable modem or DSL connection and actually test your backup system before D-Day arrives.

On the VoIP provider end, now is the time to set up an account with a provider that offers both SIP and IAX connectivity. Step 2 is to actually configure an IAX trunk (as a subaccount to use VoIP.ms parlance) and test it. IAX trunks actually have fewer headaches with NAT, but there are only a handful of providers that still provide the service. Find one now and make certain that your primary DIDs will roll over to the IAX trunk in case of an outage. I’m always reminded that we have Mark Spencer to thank for IAX. It was his brainchild. Thank you, Mark! With VoIP.ms, you also can spoof your CallerID so that calls will still appear to originate from your primary Asterisk PBX.

Keep in mind that a VirtualBox-based Asterisk virtual machine and a Desktop computer both need an IP address and will have to be started on WLAN0 rather than ETH0. Remember, your wired connection is now dead.

You’re also going to want to acquire at least a couple of WiFi-capable SIP phones that can be connected with your Asterisk server using your WiFi HotSpot. Also make certain that you have a preconfigured IPtables firewall on your backup system. Remember, your hardware-based firewall connected to your cable modem won’t provide any protection once you switch to HotSpot operation. Lucky for you, Incredible PBX™ servers come preconfigured with a locked-down IPtables firewall and a WhiteList. Just add the new IP addresses of your server and phones, and you’re secure on the public Internet.

Finally, let’s do the HotSpot connection math. You’ll need an IP address for your desktop computer running VirtualBox. You’ll need a second IP address for the Asterisk virtual machine. Then you’ll need an IP address for every WiFi-enabled SIP phone. If the maximum number of connections is five on your HotSpot, that means you’ve got the necessary capacity for at most 3 WiFi SIP phones assuming you don’t enable a WiFi printer and if nobody else wants to use a computer during the outage. The other option is to add an inexpensive travel router with bridge mode to your mix of 5 devices. We always keep one handy for extended trips. A properly configured travel router provides an additional WiFi network with some extra WiFi connections. Good luck!



Security Alerts. Serious SSL and FreePBX security vulnerabilities have been discovered AND patched during the past week. If you have not patched your server and Asterisk, FreePBX, Apache, and/or WebMin are exposed to the public Internet, you have a serious problem on your hands. See this thread for details on the FreePBX vulnerability. And see this thread for the steps necessary to patch SSL in Asterisk, Apache, and Webmin. While Incredible PBX servers were automatically patched for the FreePBX vulnerability, the SSL issues require manual patching and an Asterisk upgrade. A script for upgrading Asterisk 11 servers is included in the message thread linked above. ALWAYS run your VoIP server behind a firewall with no Internet port exposure to Asterisk, FreePBX, SSH, or the Apache and Webmin web servers! And, if you think all of this security stuff is just a silly waste of your time, then read about the latest lucky recipient of a $166,000 phone bill.

Originally published: Monday, October 20, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us. []

Ringbinder theme by Themocracy