AstriCon 2012: Digium at the Crossroads

We’ve just returned from AstriCon 2012 in Atlanta. What a show! Not only were the exhibits plentiful and eye-opening for the breadth of coverage that Asterisk® has garnered, but the dozens of sessions on virtually every facet of Asterisk were first-class. If you haven’t been, I would encourage you to clear your calendar for a few days next October. Mark Spencer was a proud papa as, indeed, he should be.

There’s been a good bit of turnover at Digium® in the past year, and it was great to finally put names with faces. The new blood is a welcome addition. To a person, they were professional, personable, and all about making Asterisk a better product. They fully appreciate that Asterisk’s future success hinges on broader community participation. David Duffett became the Community Director last June and wasted little time mending fences. Not only did he reach out to those of us that package Asterisk distributions (PBX in a Flash, Elastix, and FreePBX® Distro to name a few), but he also put together the first (ever) face-to-face meeting between the distribution players and the Asterisk developers. It was time well spent and provided all of us a better appreciation for the challenges in managing a project as complex as Asterisk. Matt Jordan, who now heads up the open source development group, has broad experience from the commercial sector, and it showed. It was crystal clear that the days of the core development train wrecks that blew everyone’s Asterisk dialplans out of the water were little more than a historical footnote.

While there is a core development team that extends beyond Digium, make no mistake. Where Digium goes, so goes Asterisk. When you peel away the management, marketing, and support layers at Digium, what struck me was how thin these folks really are spread. While there are upwards of 100 employees at Digium, the staff is fairly evenly split between two organizational units, Asterisk and Switchvox. The staff is also divided geographically with the Switchvox team still operating out of California while the Digium headquarters remains in Huntsville, Alabama. Our educated guess is about 10% of that staff is actually dedicated to software development. You may recall driving down the highway and seeing a road construction crew of 10 people where only one guy had a shovel. Digium clearly isn’t that model. Management, sales, and support really matter in the software and hardware development business. It’s the way every successful technology business operates… if you want to survive. Infrastructure matters! Insofar as Asterisk is concerned, it reinforces the critical necessity of focus and prioritizing objectives.

With that in mind, Digium has made what we believe was a wise decision in scrapping the Asterisk SCF project. You may recall this was the engineering effort to build a fully-redundant Asterisk platform so that, when one server failed, another took over without missing a beat. Out of a million Asterisk production servers, the question becomes how many sites really need this level of redundancy if a spare server is sitting in the rack. Suffice it to say, SCF was consuming enormous programming resources for a project with must-have appeal to an infinitesimally small segment of Asterisk’s installed base. The good news is that it frees more programmers to work directly on Asterisk 11 and 12 while bringing some of the SCF technology into the main Asterisk project. Think SIP!

And, speaking of Asterisk 11 and 12, Asterisk 11 is officially on the street. As with Asterisk 1.8, it’s another release with long-term support. The good news for us is that Jingle, Jabber, and Gtalk have been reworked into a new, integrated channel driver: chan_motif. And it works! Full support for Google Voice in FreePBX will be available very, very soon. In fact, Andrew Nagy had it humming along while we were at AstriCon.

More good news from AstriCon 2012 was the arrival of Digium’s Application Development Toolkit for Digium Phones. As promised, this new firmware lets developers build customized JavaScript applications to run on the Digium Phones themselves. Digium has even built several samples to get everyone started. We were lucky enough to snag one of the new phones during the random drawing so we’ll build you a couple of additional apps in coming weeks just for fun.

Last, but not least, on the hardware front… Raspberry Pi’s were everywhere. The recent addition of a 512MB Raspberry Pi at the same $35 price point is going to make this device a real contender in the SOHO Asterisk market. We actually had ours running with a Verizon MiFi device during the show. You could make calls, play an IVR, and get a weather report in the basement of a hotel in downtown Atlanta. Impressive! So get yours ordered and come join the party.

Finally, a word about the AstriCon audience. It looked to us to be a crowd of close to 1,000 people. We spoke to dozens and dozens of in-house developers both from large corporations as well as Asterisk support organizations that maintain thousands of Asterisk servers throughout the world. We were impressed by the scope and sheer magnitude of this untapped expertise with a treasure trove of Asterisk code. If it were somehow made available to the community, it instantly could propel Asterisk to the next plateau without Digium having to lift a finger. Now all we need to do is figure out how to harness that talent pool and their code for the benefit of everyone that depends upon Asterisk to meet their communications needs. Happy Halloween!

Originally published: Wednesday, October 31, 2012  



Need help with Asterisk? Visit the PBX in a Flash Forum.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Practicing Safe SIP: Adding SIP URI Connectivity with a Zero Internet Footprint

PBX in a Flash™ has a long (safe) history in the VoIP community, and the major reason is that we constantly preach never directly exposing any ports on your Asterisk® server to the Internet without implementing a WhiteList of safe IP addresses. This Zero Internet Footprint™ design keeps everybody out except a trusted, defined group on your WhiteList. For everyone else, they never see your server. So how do you receive calls? You do it with phone numbers (DIDs) tied to registered Google Voice, SIP, and IAX trunks from reputable providers. Because these trunks have constant registrations with safe service providers on the Internet, calls to these DIDs can flow in and out of your server without exposing your server directly to the Internet.

The drawback of this design is that it rules out inbound SIP URI calls to your server, and these calls typically are free. If you do a lot of international business or have family in far away places, that matters. Using a SIP proxy with Asterisk means anybody with a SIP telephone or a SIP-enabled web app anywhere in the world can punch in a SIP URI such as 1234567@nerdvittles.com, and your phones start ringing.

Practice Safe SIP! Today we’ll show you how easy it is to set up a hybrid SIP URI facility for your server while totally preserving your server’s Zero Internet Footprint. It’s not quite free, but it’s close. If paying 6¢ an hour for incoming calls is too rich for your blood, then stop reading now. For us, it’s a small price to pay to sleep well and avoid a $100,000 phone bill because someone hacked your server through an anonymous SIP attack in the middle of the night. There’s more good news. You may not even be charged the 6¢ an hour tariff.

How It Works. Today’s design works like this. We’ll set up an account with VoIP.ms and then create a standard SIP subaccount. As part of that setup, you can create a random extension on their server and tie that extension to a SIP URI for your subaccount. On our server, we’ll create a new SIP trunk and register to the voip.ms SIP subaccount we just created. This gets us a safe tunnel to make and receive calls using this trunk OR the SIP URI we just created. With this 2-layer SIP design, we’re basically using voip.ms as our anonymous SIP firewall. They get to worry about anonymous SIP attacks, and we pay them 6¢ an hour for inbound SIP URI calls that they pass along and we choose to answer.

There are also some collateral benefits using the hybrid SIP URI approach. First, it means that, instead of paying $1 a month and a penny a minute for calls using an actual DID from voip.ms, you now can take advantage of IPkall’s free DIDs in Washington state. By signing up for one of these, you now have a regular phone number that people can call to reach your server without your having to pay a monthly fee for the DID. In this cellphone era, it doesn’t much matter what the area code of your number happens to be since nationwide cellphone calls are all priced the same. The only cost to you is 6¢ an hour for the inbound calls. Oddly enough, VoIP.ms hasn’t been charging for the calls at least during the last couple weeks of our testing. Don’t count on it forever, but it is good to see they are at least considering a different pricing structure for SIP URI calls.

There’s a security advantage with hybrid SIP URIs as well. By never activating auto-replenishment on a VoIP provider account, your maximum financial exposure if something goes horribly wrong is limited to the prepay balance in your account. Finally, for those that want multiple SIP URIs and multiple DIDs, nothing precludes your repeating this drill. Just add another subaccount to your voip.ms account. So let’s get started.

VoIP.ms Setup. Register for a new account at VoIP.ms if you don’t already have one. This gets you an account with an account number such as 1234567. Don’t ever use your main account. Instead, create a subaccount:

Create a username for this subaccount. It will be your account number, an underscore, and a name of your choosing (up to 12 characters). Make up a very secure password. These are the two pieces you will need to create a SIP trunk on your server so write them down. Leave CallerID Number blank. We can handle that on your Asterisk server. Be sure to select Asterisk for the Device Type. The remaining entries at the top of the form are self-explanatory. Just make your settings match ours.

The bottom section of the form needs to be filled out to create a SIP URI. Make up an extension number for this subaccount, 1010 in our example. Ignore the leading 10 which is only used to make calls between voip.ms subaccounts. This would mean your SIP URI for this subaccount is 12345671010@atlanta.voip.ms where 1234567 is your account number, 1010 is your extension, and atlanta.voip.ms is one of the voip.ms POPs. For the list of available POPs, go to Main Menu -> Account Settings -> Default DID Routing in your Customer Portal. Click Create Account when you’re finished and wait a minute for your settings to propagate to all of the voip.ms servers.

FreePBX 2.10 Setup. Using a web browser, log into FreePBX® on your server. We’ll need to create three items to get everything working. First, we’ll add a new SIP trunk with your voip.ms credentials. Second, we’ll add an Inbound Route to process incoming calls. Third, we’ll add an Outbound Route so that you can make calls using your voip.ms trunk.

  1. Connectivity -> Trunks -> Add SIP Trunk
  2. Connectivity -> Inbound Routes -> Add Incoming Route
  3. Connectivity -> Outbound Routes -> Add Route

Adding VoIP.ms SIP Trunk. While logged into FreePBX 2.10, choose Connectivity -> Trunks -> Add SIP Trunk. Fill out the form like this using your correct subacctname, subacctpassword, desired VoIP.ms host, and whatever 10-digit number you’d like your server to use to identify inbound calls from this VoIP.ms subaccount (12345671010 in the example below). If you plan to use this trunk for outbound calls, enter a CallerID number. Legally, it must be a number that you own, i.e. don’t use the White House number or you may get a call you don’t want. Also be aware that for outbound calls, VoIP.ms rejects 10-digit numbers so you must prepend a 1 to 10-digit calls destined for the U.S. and Canada.

  1. Trunk Name: VoIPms
  2. Outbound Caller ID: any number you own
  3. Dial Pattern: Prepend: 1  Match Pattern: NXXNXXXXXX
  4. Trunk Name: voipms
  5. Trunk Details:
    • canreinvite=nonat
    • nat=yes
    • context=from-trunk
    • host=atlanta.voip.ms
    • secret=yourpassword
    • type=friend
    • username=1234567_subacctname
    • disallow=all
    • allow=ulaw
    • fromuser=1234567_subacctname
    • trustrpid=yes
    • sendrpid=yes
    • insecure=port,invite
    • qualify=yes
  6. Register String: 1234567_subacctname:yourpassword@atlanta.voip.ms/12345671010

Adding VoIP.ms Inbound Route. While logged into FreePBX 2.10, choose Connectivity -> Inbound Routes -> Add Incoming Route. The only trick to this is the DID Number you enter must match the 10-digit number you chose for the end of the SIP registration string in the last step. The numbers really don’t matter, but they must match because this is what FreePBX uses to identify calls as originating from this SIP Trunk. You use the Inbound Route to tell FreePBX how to route the incoming calls once they hit your PBX. For example, you could ring an extension, a ring group, or route the call to an IVR where the caller was given a list of choices from which to pick their own call routing option. Don’t put your CallerID Number in here or only calls from your number would be accepted! Here’s a typical setup to route the calls to an IVR. Leave the other options at their defaults.

  1. Description: VoIPms
  2. DID Number: 12345671010
  3. CallerID Number: leave blank
  4. CID Source: Caller ID Superfecta
  5. Destination:
    • IVR: nv-ivr

Adding VoIP.ms Outbound Route. How you set up the Outbound Route to handle outgoing calls depends upon what you already have in place. Unless you don’t already have outbound trunks on your PBX, our recommendation is to add a prefix to force certain calls to go out through your VoIP.ms trunk. For example, a caller might dial 9-1-404-555-1212 or 9-404-555-1212 to force the call out through VoIP.ms. We’ll strip off the 9 before passing the number to VoIP.ms, and our Trunk setup will take care of adding the 1 if only 10-digits are dialed. Here’s how to set that up. While logged into FreePBX 2.10, choose Connectivity -> Outbound Routes -> Add Route.

  1. Route Name: VoIPms
  2. Dial Pattern: Prefix: 9  Match Pattern: NXXNXXXXXX
  3. Trunk Sequence: 0 VoIPms

If you have a default Outbound Route that already uses another Trunk such as Google Voice or Vitelity, then you can add a little redundancy to your system by adding VoIPms as an additional option at the end of the Default Trunk Sequence. Then, if the primary outbound route is out of service, the calls will automatically be routed out through VoIP.ms.

Adding an IPkall DID for Your SIP URI. We’ve now completed all the steps necessary to receive incoming SIP URI calls using our example VoIP.ms SIP URI: 12345671010@atlanta.voip.ms. Anyone in the world can dial that SIP URI from a SIP phone, and the calls will be answered by our sample IVR, nv-ivr. But suppose we’d also like folks to be able to pick up a Plain Old Telephone and call us using VoIP.ms to route the incoming call through our SIP URI at the 6¢ per hour calling rate. Here’s the easy way to do it. Just sign up for a free DID at www.ipkall.com. After choosing an area code for your free number, you’ll be prompted for the following information. Here’s what you’d enter using today’s example:

  • SIP Phone Number: 12345671010
  • SIP Proxy: atlanta.voip.ms
  • Email Address: your-email-address
  • Password: some-password-to-get-back-into-your-account

Once you’ve completed the form, submit it and wait for your new phone number to be delivered in your email. You should get it within a couple minutes so check your spam folder if you don’t see it. Congratulations! You’ve done everything you need to do for anyone to call you using either your SIP URI or your new DID number from IPkall.

It’s worth noting that IPkall recycles DIDs that aren’t used for 30 days. If you use Incredible PBX, the easiest way to assure that you don’t lose your number is to set up a recurring Telephone Reminder that calls your own number once a week.

Free iNum DID. There’s another important benefit from signing up for a VoIP.ms account. You’re also eligible for a free iNum DID. This lets people around the world call you by dialing a local number in most countries. And iNum calls are always free with Google Voice. You can read all about how it works and how to set up your free iNum DID in this Nerd Vittles article.

Test Drive. The proof is in the pudding, as they say. So we invite you to take our SIP URI, iNum DID, and IPkall DID for a test drive. They’re all running on a $35 Raspberry Pi with Incredible PBX 3.3 with its Applications AutoAttendant. You can try a news, weather, or stock report as well as checking the current East Coast time. Or you can try a text-to-speech call from the AsteriDex phone book by choosing option 5 and saying one of the airlines in the default install, e.g. American Airlines. Enjoy!

  • SIP URI: 10159521010@raspi.mundy.org
  • iNum DID: 883510009901997
  • IPkall DID: 1-425-998-2778
  • GVoice DID: 1-843-284-6844

Don’t forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number.

Originally published: Thursday, 10/11/12



Astricon 2012. Astricon 2012 will be in Atlanta at the Sheraton beginning October 23 through October 25. We hope to see many of you there. We called Atlanta home for over 25 years so we’d love to show you around. Be sure to tug on my sleeve and mention you’d like a free PIAF Thumb Drive. We’ll have a bunch of them to pass out to our loyal supporters. Nerd Vittles readers also can save 20% on your registration by using coupon code: AC12VIT.




Need help with Asterisk? Visit the PBX in a Flash Forum.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Sleep Like a Baby: 20 Failsafe Tips to Enhance Asterisk PBX Security

We often tell the tale of the early Asterisk@Home days when almost every server was configured with no firewall, unlimited web access, and a 201 extension with a password of either 201 or 1234. What could possibly go wrong? Remember this Monday morning newspaper headline? “Small business gets $120,000 phone bill after hackers attack VoIP phone.” News.com.au ran this story back in 2009: “Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours… 115,000 international mobile calls were made… over a six month period.”

Much has changed over the past ten years in Asterisk® Land. And, to get everyone in the football mood, today we want to do a little sofa quarterbacking and take a fresh look at security applying some 20-20 hindsight to everything we’ve all learned over the years. Whether you’re running PBX in a Flash or Incredible PBX in your basement or on a virtual machine in the cloud somewhere, security matters and the checklist that follows hopefully will assist everyone in tightening up your systems so that you or your company aren’t the next headline waiting to happen.

PBX in a Flash Security Alert: Run upgrade-programs then upgrade-fixes to secure your server today!

1. Review PIAF Security Alerts Daily. We devote a lot of time to making sure PBX in a Flash and Incredible PBX are secure. But stuff happens! For privacy and security reasons, we don’t push fixes to your server. You have to go get them. If you never see the alerts, our attention to security is for naught. Here are 3 Easy Ways to Keep Informed:

  1. Subscribe to the PBX in a Flash RSS Security Feed
  2. Follow @NerdUno on Twitter
  3. Review the RSS Feed in the PIAF Dashboard with a browser

Every security alert has a link to a solution. Finally, visit the PIAF Forums and click on the What’s New link. It only takes a minute to scan the list for security issues.

2. Hardware-Based Firewall Protection. Unless your PBX is operating on a shared server in the cloud, always run it on a private LAN behind a hardware-based firewall with no Internet port exposure. The one exception would be for those with remote telephone extensions, and we’ll get to that in a minute. The cheapest consumer grade router/firewall provides more security for your server than all of the other security mechanisms combined. Use it!

3. The Linux iptables Firewall. All PBX in a Flash and Incredible PBX servers have the iptables firewall in place. With PBX in a Flash, you have to configure it yourself unless you deploy Travelin’ Man 3. With Incredible PBX, iptables is preconfigured if you opt to install Travelin’ Man 3 as part of the installation process. It doesn’t do much good to have iptables if it’s not functioning. So check it regularly and especially after rebooting your server. On CentOS-based systems, issue the command: iptables -nL. On the Raspberry Pi, type: iptables-save. You should see a list with a lot of permitted IP addresses for preferred providers. If not, restart iptables and then check it again. To restart iptables on CentOS: service iptables restart. On the Raspberry Pi, issue the command: iptables-restore /etc/network/iptables. If you discover that your iptables firewall was not functioning and you’re running PBX in a Flash or Travelin’ Man 3, a security alert has been issued to address the problem. You can get the security fix here.

4. IP Address Filtering. Even with remote phones and dynamic IP addresses, it often is relatively easy to narrow down the range of permissible IP addresses that should have access to your server. With the Linux iptables firewall, you can implement dynamic DNS FQDNs for your remote users. With many hardware-based firewalls, you can’t. But often you can limit remote access to a range of IP addresses. A little protection is still better than none. With a hardware-based firewall, these IP address ranges usually can be changed via web access to your firewall. The minute it takes to make necessary changes is well worth the effort. Just make sure your hardware-based firewall has a long password with upper and lower case letters as well as numbers and non-alphanumeric characters if your firewall supports them.

5. Fail2Ban Access Monitoring. On PBX in a Flash and CentOS-based Incredible PBX servers, fail2ban is activated to limit access attempts to protected resources such as SIP extensions, SSH, and Apache. It is not infallible particularly in this age of megaservers such as Amazon’s S3 service. Because fail2ban reads your logs looking for failed login attempts, it can be defeated with powerful servers attempting thousands of access attempts simultaneously because fail2ban never gets sufficient Linux resources to read logs and block access. It’s better than nothing, but not by much.

6. Deploy WhiteLists for Remote Access. If your server is in the Cloud (meaning it is directly exposed to the Internet) or if you have remote extensions directly connected to your server, your primary line of defense against the bad guys is your iptables firewall. We’ve tried many designs with the objective of letting the good guys in while keeping the bad guys out. The one failsafe solution is IP address WhiteLists. What this means is, if an IP address is listed as safe in iptables, then connections to certain resources from that IP address are permitted. Otherwise, your server remains invisible to the outside world. We have a couple of tools to assist you in setting this up. Travelin’ Man 2 lets authorized users manage their remote IP addresses themselves through a simple browser interface to your server. Travelin’ Man 3 lets a system administrator manage remote IP addresses using both permitted IP addresses and fully-qualified domain names. In the case of remote users with dynamic IP addresses, DynDNS management tools can be deployed on Macs, Windows machines, and Android devices to automatically update FQDNs used in conjunction with Travelin’ Man 3. As noted previously, a security alert has been issued with Travelin’ Man 3. You can get the security fix here.

7. Remote Access with User Agent Knocking. A new approach to remote user access uses a derivative of the original Sunshine Networks port knock utility. With jeffmac’s new design, you define a customized “User Agent” string on your remote phones and then define iptables rules that permit access from SIP devices that attempt server connections using one of these obscure user agent strings. Here’s how to deploy it. To use this approach you’ll need remote phones that permit customization of the user agent string or that have sufficiently obscure, predefined user agent strings that wouldn’t lend themselves to dictionary-style, brute force hacking attempts by the bad guys.

8: Implement VPNs for PBX Systems. There are install scripts for PBX in a Flash to deploy a NeoRouter VPN or a PPTP VPN. Either or both of them can be installed and configured in minutes! VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. Encourage remote users to deploy softphones on their Windows and Mac machines, and use secure, VPN access to connect to your server using these softphones.

9. Don’t Use ‘Normal Ports’ for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you’ve done. Read that last sentence again. It’s important! With a hardware-based firewall, this is easy. dLink routers call them Virtual Servers. Other routers have similar functionality. Here is a typical entry:

HTTP 192.168.0.150 TCP 22/2319 Allow All Always
This entry redirects a specified port to a different port for Internet access. Don’t do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. WE STRONGLY DISCOURAGE EVER OPENING HTTP ACCESS TO YOUR SERVER FROM THE INTERNET. But you may need SSH access from remote locations. For example, port 22 typically is the default SSH port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) SSH access, simply remap TCP port 22 to some obscure port and change it periodically. For example, you might redirect TCP port 22 to port 2319. Once the setting is saved, you access SSH like this from the Internet: ssh -p 2319 root@pbx.mydomain.com. Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don’t use these numbers obviously! Make up your own.

The key here is that 2 minutes work every month will keep SSH access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 22 every night while you’re sleeping. As previously mentioned, most of these routers also will let you block access to certain ports during certain hours of the day. If you’re sleeping, there’s really not much need to provide SSH access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world’s best crackers reside in countries where daytime happens to be nighttime in the U.S.

10. Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our guess is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn’t Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. It may seem obvious but really secure passwords really do matter. And it’s more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, multiply this advice by 10. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). Remember, it’s your phone bill.

11: Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn’t begin to describe some of what lies under the FreePBX covers. While the FreePBX Dev Team is vigorously rewriting much of this old code, some of it still lingers. Our recommendation is to make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.

Our rule of thumb on Internet web accessibility to any Asterisk PBX goes like this. Don’t! And, for FreePBX web access from the Internet. Never! If the bad guys ever get into FreePBX, the security of your PBX has been compromised… permanently! This means you need to start over with all-new passwords and install a fresh system. You can’t fix every possible hole that has been opened on a FreePBX-compromised system!

12. Choosing VoIP Providers. So long as you use reputable VoIP providers that support registration of your SIP and IAX accounts, NO INTERNET PORT EXPOSURE TO YOUR SERVER IS EVER REQUIRED! If a VoIP provider doesn’t support SIP/IAX account registration, don’t use them! Add your public and private IP addresses in FreePBX’s Asterisk SIP Settings module to eliminate one-way audio issues.

13. Never Activate Auto-Replenishment. If you’re using VoIP providers that you pay by the minute, do your wallet a favor. Never, ever activate auto-replenishment on your accounts. By manually controlling the money flow to your accounts, you automatically insulate yourself from a huge phone bill. If something does come unglued, your financial exposure is limited to the preauthorized amount in each of your VoIP provider accounts.

14. Tighten Up International Calling. Almost every VoIP provider gives you the option of restricting international calls. If you don’t make international calls, use it! If you do make international calls, implement Outbound Routes in your FreePBX® dial plan with designated country codes. If you never call Africa, China, or cruise ships in international waters, make sure your dialplan doesn’t allow these calls.

15. Time of Day Calling Restrictions. Whether your server is for business or home use, time of day restrictions can save you a bundle. If remote telephone extensions are a must have for your server, chances are that those extensions don’t place calls in the middle of the night. Almost every hardware-based router/firewall allows creation of time of day rules for access. Implement these restrictions to minimize exposure to those that are hacking while you’re sleeping.

16. Minimize Simultaneous Calls. Especially with pay-as-you-go VoIP providers, often there is no limit to the number of simultaneous calls that can be placed from a trunk on your server. If someone manages to gain access to your accounts or your server, that can be really bad news. Some providers offer tools to restrict the number of simultaneous calls that can be placed. Take advantage of it to limit your financial exposure. Similarly, FreePBX includes a Maximum Channels option when you configure a Trunk. Don’t leave it blank. Set it to what you need to meet your needs.

17. Outbound Route Passwords. For outbound routes to international numbers and 900 numbers, always take advantage of the FreePBX Outbound Route option to prompt for a password. Just enter a numeric Route Password when you configure these outbound routes, and FreePBX will handle the rest.

18. IP Address Filtering with Asterisk Extensions. With the number of Asterisk SIP vulnerabilities reported over the years, suffice it to say IP address filtering at the Asterisk extension level is not something you should rely upon exclusively to protect your server. But it’s better than nothing. And, when used in conjunction with the other security mechanisms we’ve outlined, it provides another layer of security for your server. The extension setup in FreePBX includes the permit field which can be used to limit connections to a particular extension based upon an IP address or range of IP addresses. In addition, Travelin’ Man 2 deploys additional permit tables using an include list in sip_custom_post.conf in conjunction with include files for specified extensions, e.g. 701.inc, to define additional authorized IP addresses.

To restrict an extension to a private LAN address with a FreePBX extension entry in permit like this: 192.168.0.0/255.255.255.0. Then you can broaden this restricted access with specified WhiteList addresses using an include file in /etc/asterisk that looks like this:

[701](+)
permit=150.155.90.143/255.255.255.255

You, of course, would also have to authorize the specified IP address in your iptables configuration as well. That’s essentially how Travelin’ Man 2 works.

19: Check Your Logs Every Day. We’re still dumbfounded by the following quote from the article we cited above: “115,000 international mobile calls were made using the small business’s VoIP system over a six month period.” Six months and they never checked their call logs? FreePBX provides an incredibly simple way to review your call logs. Click the CDR Reports link and look at your call log showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day!

20: Do Some Reading… Regularly. No security implementation is complete without a little regular effort on your part: reading. If you’re going to manage your own network or PBX, then you need to keep abreast of what’s happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the FreePBX Forum, and Asterisk News. Aside from reviewing your call logs, it’s the best 15 minutes you could spend to safeguard your system.

Originally published: Monday, October 1, 2012



Astricon 2012. Astricon 2012 will be in Atlanta at the Sheraton beginning October 23 through October 25. We hope to see many of you there. We called Atlanta home for over 25 years so we’d love to show you around. Be sure to tug on my sleeve and mention you’d like a free PIAF Thumb Drive. We’ll have a bunch of them to pass out to our loyal supporters. Nerd Vittles readers also can save 20% on your registration by using coupon code: AC12VIT.




Need help with Asterisk? Visit the PBX in a Flash Forum.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Ringbinder theme by Themocracy