Top 3 Asterisk Security Tips for 2014: WhiteLists, WhiteLists, and WhiteLists

We’ve devoted a lot of energy to Asterisk security over the years with our Primer on Avoiding the $100,000 Phone Bill and our 20 Failsafe Tips and our SIP Navigation Guide plus numerous tutorials on deployment of Virtual Private Networks to secure your servers and phones including NeoRouter, PPTP, and Easy OpenVPN among others. But, when it comes to ease of installation and use with rock-solid security, nothing comes close to deployment of WhiteLists with the IPtables Linux firewall that’s included at no cost with every major Linux distribution and with all of the Asterisk® aggregations including PBX in a Flash™ and Incredible PBX™. So we’re kicking off the summer with a careful look at the methodology behind IPtables and the Travelin’ Man™ tools developed to reduce the learning curve for new users.

Security, of course, is all about the “bundle of sticks.” As we learned from Aesop’s Fables, the more sticks you bundle together, the more difficult it is to break the stick. We are by no means advocating that you drop all of the other tools at your disposal to improve the security of your Asterisk security. So, before we dive into WhiteLists, let’s spend a little time covering some of the other tools that are available and why those tools should not be relied upon exclusively.

1. Hardware-based Firewall. The PBX in a Flash project has cautioned users for years not to run Asterisk-based servers connected to the Internet without a hardware-based firewall between your server and the public Internet. Is it failsafe? No. Some hardware-based firewalls have been compromised either by the bad guys or by the NSA. Pardon the redundancy. The other problem with hardware-based firewalls is that they’re generally not available with cloud-based solutions. As the price of cloud computing has dropped and the cost and headaches of maintaining your own hardware has increased, more and more folks are considering cloud-based alternatives. Yes. Hardware-based firewalls should be deployed whenever possible. No. They won’t resolve all security concerns.

2. Fail2Ban. Once upon a time, a number of us thought that Fail2Ban was the answer to all security issues with Asterisk-based servers. In a nutshell, Fail2Ban scans your logs searching for failed attempts to log in to either SSH, FTP, Apache, SIP, or an email account. After a small number of failed attempts, Fail2Ban blocks further access from the IP address initiating the requests. There are two problems with Fail2Ban. First, software developers of the affected services continue to “improve” things with new and different error messages when login failures occur. Since Fail2Ban is searching for specific word matches to identify unsuccessful logins, the whole security mechanism fails when the “magic words” change unless everyone is extremely vigilant in maintaining the “magic word” lists AND updating the Fail2Ban rules on all of your servers. Our experience suggests that the bad guys find the new “magic words” long before everyone else which means there are gaping holes in Fail2Ban regularly. The other problem is supercomputers such as Amazon EC2 which makes enormous computing resources available to every Tom, Dick, and Harry. We’re mostly worried about the Dick that can hammer your little server every second with hundreds of thousands of attempts to crack your SIP or SSH passwords. The problem this poses is that most Linux servers never allocate a sufficient time slice to Fail2Ban to scan your Asterisk, Apache, and SendMail logs. Instead of blocking a bad guy after 3 failed login attempts, a bad guy using EC2 may be able to perform several hundred thousand login attempts before Fail2Ban ever detects a problem. Yes. Fail2Ban helps against the bad guy manually keying in passwords. No. Fail2Ban is all but worthless against a sophisticated denial of service attack on your server.

3. Virtual Private Networks. The beauty of virtual private networks (VPNs) is that all of your Internet traffic is encrypted and tunneled through private IP addresses that others can’t intercept. That was the theory until Edward Snowden came along and spoiled the NSA’s party. Yes. We’ve known that PPTP VPNs were vulnerable for a good long while. No. We didn’t know that the NSA (and presumably others) may have had the keys to your castle much longer… regardless of the VPN topology you may be using. The other problem with VPNs is that you need VPN connections for every device connecting to your server. Unfortunately, VPN technology is only available on a small number of SIP telephones, and the supported OpenVPN topology is one of the more difficult VPNs to deploy on a Linux server. Are VPNs better than nothing? Absolutely. Does a VPN provide failsafe communications security over the open Internet? Probably not.

4. Nothing Beats Secure Passwords. Amen. There was a time when some Asterisk-based servers were routinely set up with extension passwords of 1234 or the extension number itself. And outbound SIP trunks were deployed with no dialing rules. And administrators opened accounts with SIP providers with automatic credit card replenishment whenever the accounts ran out of money to cover calls. And no safeguards were put in place to restrict international calling. Little did these folks know that registering to a SIP extension on an Asterisk server provided a blank check for making unlimited calls to anywhere on the planet. Thus was born the $100,000 phone bill. Yes. Nothing Beats Secure Passwords for root, for SIP accounts, and for SIP and IAX trunks connected to commercial providers. But you also need to implement dialing rules for outbound calls that allow your callers to reach only the destinations desired, not the world. And your accounts with providers should always include limits and restrictions on international calls and should never include automatic credit card replenishment.

5. BlackLists. There was a time when blacklisting IP addresses was believed to be the ultimate solution to Internet security problems. Sounds great, doesn’t it? Just set up a database with the IP addresses of all the bad guys in the world, and all our problems will be solved. Problem #1: A new bad guy is born every minute. Problem #2: The bad guys learned how to use VPNs and other random IP address masquerading sites to disguise their true identity. Problem #3: Security vulnerabilities in many Windows-based machines allowed the bad guys to take control of these computers and do their dirty work from there. Problem #4: There are actually some good guys that live in Russia and China. Problem #5: The bad guys learned to poison the “bad guy list” to block essential services such as DNS, Google, Amazon, Netflix, Pandora, and your favorite bank and credit card companies. Yes. The theory of blacklists sounded great. No. Blacklists not only don’t work. They’re downright dangerous.

WhiteLists with IPtables: The Knight in Shining Armor

For the past few years, our Internet security focus has turned toward defining a methodology that works with all PBX in a Flash and Incredible PBX servers, whether they’re dedicated servers behind a hardware-based firewall or public on a cloud-based shared host. And the conclusion we’ve reached is that nothing beats the IPtables Linux firewall for rock-solid Internet security. The reason is its deep integration into the Linux kernel itself through Netfilter, “a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.” Wikipedia provides an excellent overview for those with an interest. For our purposes, suffice it to say that IPtables examines inbound and outbound packets before any further processing occurs on your server. With our default setup, we typically allow all outbound traffic from your server. For inbound traffic, if the iptables rules permit access, the packet comes in for processing. If not, the packet dies at the door with no acknowledgement that it was even received. In laymen’s terms, if someone attempts to scan your server to determine whether web or SIP services are available, there will be no response at all unless packets from the scanning server’s IP address are permitted in the iptables rules configured on your server. You can determine which rules are in force with this command: iptables -nL.

The basic configuration and syntax of iptables rules can be daunting to those unfamiliar with the territory. And thus was born Travelin’ Man 3, our open source tool to simplify configuration of IPtables by allowing administrators to define WhiteList entries describing the types of services that were allowed access to a server from specified external IP addresses. The basic rules of the Travelin’ Man 3 setup for iptables are these: (1) outbound packets are unrestricted, (2) forwarded, established, and related packets are permitted, (3) inbound packets from the private LAN are unrestricted, but (4) inbound packets from the public Internet are dropped unless permitted by a specific iptables rule. Those rules include certain basic services such as time synchronization (TCP 123) as well as WhiteListed IP address entries for specific or generic services.

Installation is easy. Log into your PBX in a Flash as root and issue the following commands. NOTE: Travelin’ Man 3 is optionally available as part of Incredible PBX installs on the CentOS, Scientific Linux, and PIAF OS platforms. It is preinstalled on the Raspberry Pi and BeagleBone Black platforms with RasPBX. You can determine if it’s already installed on your server with this command: ls /root/secure-iptables. If the script exists, you’ve already got Travelin’ Man installed, but it may not be running so keep reading…

cd /root
wget http://incrediblepbx.com/travelinman3.tar.gz
tar zxvf travelinman3.tar.gz
yum -y install bind-utils
./secure-iptables

Because PBX in a Flash and Incredible PBX servers are primarily designed to support telephony, Travelin’ Man 3 further simplifies the iptables setup by whitelisting the IP addresses of a number of the leading VoIP providers. These include Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. For the complete list: cat /etc/sysconfig/iptables (CentOS) or cat /etc/network/iptables (RasPBX).

The real beauty of Travelin’ Man 3 is you aren’t limited to our WhiteList. You can add your own entries easily using the TM3 scripts that are included in the /root directory. secure-iptables initializes your iptables setup and also lets you define a primary IP address or fully-qualified domain name (FQDN) that will always have access to your server. You must run this script at least once to activate IPtables on all platforms!

Once you have run secure-iptables, you can whitelist additional IP addresses by running add-ip. You can whitelist additional FQDNs by running add-fqdn. You can delete either IP addresses or FQDNs by running del-acct. As noted previously, you can check what’s authorized with the command: iptables -nL.

We’ve also included a custom script to restart IPtables gracefully: iptables-restart. The reason is because using the traditional restarting mechanism in IPtables will leave your server vulnerable (and IPtables inoperative) if a particular FQDN cannot be resolved. The iptables-restart script takes another approach and removes the offending rule from your whitelist, alerts you to the problem, and then restarts iptables without the offending entry. So all existing rules are put back in place and function as you would expect.

Finally, Travelin’ Man 3 includes a script that allows you to utilize FQDNs for users that may have ever-changing dynamic IP addresses. Steps #4, #5, and #6 in the original Travelin’ Man 3 tutorial will walk you through the Administrator set up which only takes a minute or two and never has to be touched again. Basically, a cron job script is employed to check for changes in the dynamic IP addresses you have identified with FQDNs. If changes are found, IPtables is restarted which updates the IP addresses accordingly.

Unfortunately, there was one group of end-users that weren’t covered by the Travelin’ Man 3 setup. This group included traveling salespeople or vacationing individuals that may land in a different city every night. Rather than relying upon an administrator to provide access to home base, these frequent travelers needed their own tool to manage their IP address as it changed. While this was supported through a web interface in Travelin’ Man 2, that setup exposed your web server to the public Internet and was burdensome for administrators to initially configure. Most importantly, it didn’t manage remote IP address access using IPtables which made coexistence with TM3 difficult. Thus was born Travelin’ Man 4.

Introducing Travelin’ Man 4: Managing WhiteList Access by Telephone

Travelin’ Man 4 is a new add-on for an existing Travelin’ Man 3 setup. It’s for those that wish to allow traveling individuals to manage their own whitelist access to PBX in a Flash or Incredible PBX using a telephone. An Administrator preconfigures accounts and passwords for the travelers together with the services to which they will have access on the server. Using any cellphone or hotel phone, the traveler simply dials a preconfigured number to access an IVR that will prompt the user for an account number and PIN. Unless you have a spare DID, you can grab a free one from IPkall.com to use with your Travelin’ Man 4 IVR. Once a user is successfully logged in, the IVR will prompt for the user’s IP address to be whitelisted on the server. Enter it using this format: 12*34*56*78.

Within a couple minutes, the new IP address will be properly formatted and then whitelisted in IPtables, and the traveler will be sent an email acknowledging that the account has been activated. Once the account is activated, the traveler can use a SIP softphone application such as Zoiper on any iPhone or Android phone or a softphone on any desktop computer to place and receive calls as well as to check voicemail on the remote PBX in a Flash server. For anyone that doesn’t know their current IP address, a quick visit to WhatIsMyIP.com will tell you. Travelin’ Man 4 is licensed under GPL2 so download a free copy. Then read the tutorial and give it a whirl. Enjoy!

Originally published: Wednesday, May 21, 2014




Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

FMC: The Future of Telephony with Vitelity’s vMobile and Asterisk in the Cloud




If making phone calls from a web browser is what you’ve always longed for, then you’re in good company with Google and its future direction in the telephony space. Call us old fashioned but this strikes us as a solution in desperate need of a problem. What’s wrong with a Plain Old Telephone or a smartphone for making connections with friends and business associates? The real head scratcher is the fact that the WebRTC and Hangouts push demonstrates that the wizards at Google are seriously out of touch with the next generation. Will our 14-year-old daughter use Skype or Hangouts or FaceTime? Sure. About once a month to chat with Grandma or to interact with cousins scattered around the country, it’s a terrific option. And the same is true in the business community. When you need to collaborate with a half dozen colleagues, conferencing applications are invaluable. But to meet 95% of day in and day out business requirements, a telephone or smartphone is the clear device of choice. So join us today in celebrating the end of Google Voice XMPP service and the beginning of a new and even more exciting VoIP era… sans Google.


Of course, if it were up to the next generation, telephone calls might completely disappear in favor of text messaging, Snapchat, Instagram, and any other platform that includes recorded photos or videos. Note the subtle difference. Kids really are not interested in live video interaction. They find posed images that tell a story much more appealing. Why? Because recorded photos and videos let users present their best face, their movie star pose, and their expression of what they want others to perceive they’re really like. In short, live video is too much like real life. Our conclusion for those targeting the next generation is you’d better come up with something better and quite different than Skype, Hangouts, and FaceTime.

It’s Fixed-Mobile Convergence, Stupid!

Now let’s return to our primary focus for today, the current business community. Suffice it to say, there are a dwindling number of what we used to call “desk jobs” where an employee arrives at his or her desk at 9 a.m. and leaves at 5 p.m. As more and more jobs are headed off shore, the telephone and smartphone have replaced the corporate desk as the most indispensable corporate fixture. Particularly in the American marketplace, what we see with most businesses is a management layer and an (upwardly) mobile force of salespeople, consultants, and implementers that interact primarily through PBXs in an office headquarters or home office together with smartphones for those that generally are on the road. Many of these Road Warriors don’t even have a home phone any longer.


The telephony Holy Grail for this new business model is Fixed-Mobile Convergence (FMC). It’s the ability to transparently move from place to place while retaining your corporate identity. Every employee from the night watchman in Miami to the salesperson making calls from a Starbucks in California to the CEO in New York has an extension on a PBX in the cloud together with the ability to accept and place calls using the company’s CallerID name and number, transfer calls, and participate in conference calls regardless of whether the phone instrument happens to be a desktop phone or a smartphone. Is this even possible? Well, as of last week, the answer is ABSOLUTELY.

Vitelity has been a long-time corporate sponsor of both the Nerd Vittles and PBX in a Flash open source projects so we were thrilled when we were offered a free, Samsung Galaxy S III to try out the new (live) vMobile service that took Best in Show honors at ITEXPO Miami in January. As Vitelity’s Chris Brown would probably tell you, it’s one thing to demonstrate a new technology at a trade show and quite another to bring it into production. But Vitelity did it:

What we want to stress up front is that we’ve received no special treatment in getting this to work. We received the phone, opened a support ticket to register the phone on Vitelity’s vMobile network, and plugged our new credentials into the phone so that it could be integrated into our PBX in a Flash server. Once the smartphone became an extension on our PBX, we could place calls through our PBX with the S3 using both WiFi and Sprint 3G/4G service. Switching between WiFi and cellular is totally transparent. The CallerID for all outbound calls was our standard PBX CallerID. We also could place calls to other extensions on the PBX by dialing a 4-digit extension while connected to WiFi or the Sprint network virtually anywhere. If you have 3-digit extensions, those are a problem over the Sprint network but we’ll show you a little trick to get them working as well.

Keep in mind that every call from the S3 goes out through the PBX just as if you were using a standard desktop phone as a hardwired extension. And it really doesn’t matter whether the S3 has a WiFi connection or a pure cellular connection on Sprint’s network. You receive calls on the S3 in much the same way. It’s just another extension on your PBX. If you want to add it to a ring group to process incoming calls, that works. If other users on your PBX wish to call the S3 directly using the extension number, that works as well. If you want to transfer a call, pressing ## on the S3 initiates the transfer just as if you were using a phone on your desk. When we say transparent convergence, we really do mean transparent. No recipient of a call from the vMobile S3 would have any idea whether you were sitting at a desk in the corporate headquarters in New York or in a seat on a Delta jet after landing in San Francisco. Both the call quality and the corporate CallerID would be identical. And your secretary on maternity leave at Grandma’s house still could reach you using her vMobile S3 by simply dialing your corporate extension.

So that’s the Fortune 500 view of the new VoIP universe. How about the little guy with a $15 a month PBX in a Flash server in the RentPBX cloud1, a couple mobile sales people, and a handful of construction workers that build swimming pools for a living? It works identically. Each has an S3 connected as an extension on the PIAF cloud server. And calls can be managed in exactly the same way they would be handled if everyone were sitting side-by-side at desks in an office headquarters somewhere. The silver lining of cloud computing is that it serves as the Great Equalizer between SOHO businesses and Fortune 500 companies. Asterisk® paired with inexpensive cloud hosting services such as RentPBX lets you mimic the Big Boys for pennies on the dollar. We think Vitelity has hit a bases loaded, home run with vMobile.


vMobile Pricing

We know what you’re thinking. “Since you got yours for free, what does it really cost??” The Galaxy S3 (or S4) is proprietary running Trebuchet 1.0, a (rooted) CyanogenMod version of Android’s KitKat. You can purchase these devices directly from the Vitelity Store. Currently, you can’t bring your own device. The refurbished S3 is $189 including warranty. Works perfectly! That’s what we’re using. Next, you’ll need a vMobile account for each phone. Unless you’re a Nerd Vittles reader, it’s $9.95 per month. That gets you free WiFi calling and data usage anywhere you can find an available WiFi hotspot. And text messaging is free. For calls and data using Sprint’s nationwide network, the calls are 2¢ a minute and the data is 2¢ per megabyte ($20 per gigabyte). For us, a typical day of data usage with an email account and light web use costs about a quarter. YMMV! So long as you configure Android to download application updates when connected to WiFi, data usage should not be a problem unless you’re into photos and streaming video. Android includes excellent tools for monitoring and even curbing your data usage if this is a concern.

vMobile Gotchas

Before we walk you through the setup process, let’s cover the gotchas. The list is short. First, we don’t recommend connecting vMobile devices to a PBX sitting behind a NAT-based firewall, or you may end up with some calls missing audio. The reason is NAT and quirky residential routers. If you think about it, when your S3 is inside the firewall and connected to WiFi, it will have an IP address on your private LAN just like your Asterisk server. When your S3 is outside your firewall on either a cellular connection or someone else’s WiFi network, it will have an IP address that is not on your private LAN. Others may be smarter than we are, but we couldn’t figure a way to have connections work reliably in both scenarios using most residential routers. You can configure your S3’s PBX extension for NAT=No or NAT=yes, but you can’t tell Asterisk how to change it depending upon where you are. One simple solution is to deploy these phones with a VPN connection to your Asterisk server sitting behind a NAT-based firewall. The more reliable solution is to build your PBX in a Flash server in the cloud with no NAT-based firewall. Then use an IPtables WhiteList (aka Travelin’ Man 3) to protect your server. From there, you can either interconnect the cloud-based server with a second PBX behind your firewall, or you can dispense with the local PBX entirely. Either way will eliminate the NAT issues with missing audio. In both cases, use NAT=yes for the vMobile extension.

Another wrinkle involves text messaging. Traditional text messages work fine; however, MMS still is problematic unless you initiate the outbound MMS session with the other recipient. It’s probably worth noting that Google Voice never got MMS working at all despite years of promises. This wasn’t a deal breaker for us, but it’s a bug that still is being worked on.

Finally, there’s Sprint. You either love ‘em or hate ‘em. We really haven’t used Sprint service in about eight years. In the Charleston area, the barely 3G service still is just as lousy as it was eight years ago. But, if you live in an area with good Sprint coverage and performance, this shouldn’t be an issue for you. And vMobile works fine in Charleston. You just won’t be surfing the web very often unless you have hours to kill… waiting. Additionally, dialing numbers with less than 4 numbers is a non-starter with Sprint, but we’ll show you a simple workaround to reach 3-digit local extensions from your vMobile device below.

With a service as revolutionary as vMobile with Sprint’s new FMC architecture, we can’t help thinking there may be other cellular carriers with an interest in deploying this technology sooner rather than later. But, given the vMobile feature set, Sprint is good enough for now especially when WiFi connectivity is available almost everywhere.




vMobile Configuration at Vitelity

For the Vitelity side of the setup, you first configure your smartphone using the (included) My Phone app. When the application is run, your cellphone number will be shown. Tapping the display about a dozen times will cause the phone’s setup to be reconfigured. Vitelity will provide you the secret key to activate your account. Next, you’ll log into the Vitelity portal and choose vMobile -> My Devices under My Products and Services. The account for your vMobile device will already exist. Clicking on the pull-down menu beside your vMobile device will let you create your SIP account on Vitelity’s server. Enter the IP address or FQDN of your Asterisk server and set up a very secure password. Your username will be the 10-digit phone number assigned to your vMobile phone. Save your settings and then choose the Edit option to view your setup. The portal will display your Username, Password, and FreePBX/Asterisk Connect Host name. Write them down for use when you configure your new extension using FreePBX®.




vMobile Configuration for Asterisk and PBX in a Flash

On the PBX in a Flash server, use a browser to open FreePBX. Choose Applications -> Extensions and add a new generic SIP device. For Display Name and User Extension, enter the 10-digit phone number assigned to your vMobile device. Under Secret, enter the password you assigned in Vitelity’s vMobile portal. Click Submit and reload FreePBX when prompted. Then edit the extension you just created. Set NAT=yes and change the Host entry from dynamic to the FQDN entry that was shown in Vitelity’s vMobile portal, e.g. 7209876542.mobilet103.sipclient.org. Update your configuration and restart FreePBX once again. Finally, from the Linux command prompt, restart Asterisk: amportal restart. If you’re using a WhiteList with IPtables such as Travelin’ Man 3, be sure to add a new WhiteList entry for your vMobile Host entry. Finally, add your vMobile extension to any desired Inbound Routes to make certain your vMobile device rings when desired.

You now should be able to place and receive calls on your vMobile device. If you want to be able to call 3-digit Asterisk extensions on both WiFi and while roaming on the Sprint cellular network, then you’ll need to add a little dialplan code since Sprint reserves 3-digit numbers for emergency services and will reject other calls with numbers of less than 4 digits. Here’s the simple fix. Always dial 3-digit extensions with a leading 0, e.g. 0701 to reach extension 701. We’ll strip off the leading zero before routing the call. The dialplan code below works whether you’re calling a local 3-digit extension or a 3-digit extension on an interconnected remote Asterisk server. Simply edit extensions_custom.conf in /etc/asterisk and insert the following code at the top of the [from-internal-custom] context. Then restart Asterisk: amportal restart. Note that we’ve set this up so that, if you have an extension 701 on both the local server and a remote server, the call will be connected to the local 701 extension. If you have different extension prefixes for different branch offices (e.g. 7XX in Atlanta and 8XX in Dallas), then this dialplan code will route the calls properly assuming you’ve configured an outbound route with the appropriate dial pattern for each branch office.

exten => _0XXX,1,Answer
exten => _0XXX,n,Wait(1)
exten => _0XXX,n,Set(NUM2CALL=${CALLERID(dnid):1})
exten => _0XXX,n,Dial(sip/${NUM2CALL})
exten => _0XXX,n,Dial(local/${NUM2CALL}@from-internal)
exten => _0XXX,n,Hangup

Vitelity vMobile Special for Nerd Vittles Readers

Now for the icing on the cake… We asked Vitelity if they would consider offering special pricing to Nerd Vittles readers and PBX in a Flash users. We’re pleased to report that Vitelity agreed. By using this special link when you sign up, the vMobile monthly fee will be $8.99 instead of $9.95. In addition, your first month is free with no activation fee. We told you last week that there was a very good reason for choosing Vitelity as your SIP provider. Now you know why.

And, if you’re new to Cloud Computing, take advantage of the RentPBX special for Nerd Vittles readers. $15 a month gets you your very own PBX in a Flash server in the Cloud. Just use this coupon code: PIAF2012. Enjoy!

Originally published: Thursday, May 15, 2014





Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. RentPBX also is a corporate sponsor of the Nerd Vittles and PBX in a Flash projects. []

Beware the Ides of May: It’s Hammertime for Google Voice


You don’t have to be a soothsayer to appreciate what’s about to happen in the VoIP community. In just two weeks, millions of telephones in the United States are about to go silent. Let’s begin with what we know and don’t know about Google Voice and Google’s May 15 deadline. Google has made it crystal clear that XMPP connectivity to Google Voice is going away on May 15. What that means is that inbound and outbound calling using an XMPP connection to Google Voice will no longer work, period. And the platform really doesn’t matter. That includes Asterisk, FreePBX, FreeSwitch, Yate, and GrooVe IP as well as hardware ATAs such has ObiHai devices. Why? The short answer is because Google says so, and they are/were paying the bills. The longer answer is that companies such as Microsoft and Apple that have proprietary communications platforms were not reciprocating with free connectivity to their services in the same way that Google was providing XMPP service. Another probable reason is that Google was taking a financial bath on Google Voice services which were being abused by many commercial organizations. Reportedly, as many as three to five million DIDs have been handed out as part of the Google Voice project with very little return on investment.



Some have suggested this is just another tempest in a teapot like Y2K. After all, Y2K came and went without many catastrophes. The difference is that businesses spent hundreds of millions of dollars preparing for Y2K to make certain there were no train wrecks. With Google Voice, many individuals have taken the ostrich approach with their heads buried in the sand pretending things are just going to work out. Without some effort on the part of those still using Google Voice, May 15 will be their Julius Caesar moment.

What to Do? One school of thought is that the “old fashioned” Google Voice connections using Python which simulated a web call with Google Chat will still function. If receiving and placing calls using your existing Google Voice numbers matters to you, take the opinions of these self-proclaimed experts with a grain of salt. Here’s what you need to appreciate. First, nobody outside of Google actually knows whether the Python approach will continue to function or not. Second, even if it works on May 15, nothing would preclude Google from making “adjustments” at any time that would disable this functionality. They’ve done it before. They can do it again. And Google has made it abundantly clear that they’re putting an end to the free gravy train. Third, it doesn’t take a rocket scientist to deduce that PSTN call forwarding using Google Voice may be the next axe to fall. This probably won’t happen on May 15, but who knows. Finally, should you decide to go down this road, be aware that it is a major coding project regardless of your platform. But, if this is the road you wish to travel, you can find some tips on making the transition here. You’ve been warned.

The Smarter Approach. Our recommendations today are limited to those in the United States. Our apologies, but that’s two-thirds of our readership and roughly 95% of those that currently rely upon Google Voice. The same recommendations apply to those in Europe and South America and the Far East if calls to destinations in the U.S. are a major part of your VoIP traffic. What do we recommend? First, become VoIP savvy! The provider you use for outbound calls need not be the provider you use for incoming calls. Not putting all your eggs in one basket is a very good idea in the VoIP world.




Call us Chicken Little if you must, but Outbound Calling with Google Voice is going away on May 15. So, in the next two weeks, you definitely need to come up with an alternative for call terminations in the U.S./Canada market. We think you have two options: purchase an all-you-can-eat plan that includes sufficient outbound calling minutes to meet your existing requirements. Or you can select a provider that offers pay by the minute service for all of your outbound calls. One advantage with most of the pay-by-the-minute providers is that you can set your CallerID as desired. Don’t be misled by the all-you-can-eat claims. Every VoIP provider imposes some sort of cap on outbound calling even if their plan is advertised as “unlimited.” If your outbound calling minutes exceed 2000-3000 minutes a month, you’re going to be looking for a new provider within weeks because every provider that we know will drop you like a hot potato when you are no longer profitable in their business model. The other gotcha is that most, if not all, of the all-you-can-eat plans are restricted to residential (non-business) use.

Full Disclosure: We have a favorite all-you-can-eat provider (Vestalink) and a favorite pay-as-you-go provider (Vitelity), and both of them provide some financial support to the Nerd Vittles and PBX in a Flash projects; however, both were our favorites before they provided any support to our projects.

All-You-Can-Eat Calling Plans. We continue to like Vestalink (formerly Obivoice) even though their prices have increased since the release of our original article. That’s actually a good thing. There was no way they could have stayed in business with their original pricing model. On a new 2-year plan with unlimited U.S./Canada inbound AND outbound calls, E911 service, and a free DID in your choice of area codes, the current rate for 24 months is $89.99 which works out to roughly $3.50 a month. The service comes with a 30-day money-back guarantee.

Another option which we previously have covered is a hardware device such as the netTALK Duo. With an upfront $100 hardware investment, you get the same features as Vestalink for $30 a year which works out to less than 10¢ a day. With both services, you have the option of porting your existing Google Voice number for a one-time fee. With Vestalink, you also have the option of spoofing your outbound CallerID number with your existing Google Voice number once it is verified as belonging to you. We prefer the latter approach at least until Google gives some hint that their call forwarding of incoming Google Voice calls is going away. Both services are bargains in our view. But, as we noted, for residential service we still prefer the pure VoIP solution provided by Vestalink.

Pay-As-You-Go Call Terminations. Most of the reputable pay-by-the-minute providers charge between 1¢ and 2¢ a minute for outbound calls with charges billed in 6 to 10-second increments. Unless you make an enormous number of lengthy calls, these rates are a bargain. Vitelity remains our favorite provider primarily because of the flexibility their service offers in setting up multiple sub-accounts for use with Asterisk or FreeSwitch. A sign-up link with a 50% discount on most DIDs is provided here and at the end of this article. We appreciate your support of our VoIP projects!!


While it is not yet officially available, the most compelling reason to switch to Vitelity is vMobile, a new $9.99/month cellphone plan that will integrate your Vitelity cellphone (actually a Samsung Galaxy S III) directly into your Asterisk setup. What that means is calls to extensions on your Asterisk server will also ring on your cellphone. And your cellphone functions exactly like any other extension on your Asterisk server whether you’re operating on 3G, 4G, or LTE networks as well as on WiFi at your home or office. You’ll be able to park calls, transfer calls, set up call monitoring, conferencing, and recording just as if you were on a standard VoIP phone in your home or office. And you can’t beat the price. Inbound and outbound calls on WiFi are totally free. Calls received or placed over what appears to be Sprint’s nationwide network are 2¢ a minute, about the same cost as pure VoIP calls.

For pay-by-the-minute terminations, we always recommend you set up accounts with multiple providers. Then, by setting multiple trunk sequences in your outbound routes, you’ll always have successful calls even when a particular provider happens to have an outage. Other than perhaps a small deposit, redundancy costs you nothing since you only pay for calls that you actually place through each provider. For a current list of our favorite termination providers in both the U.S. and Canada, see this thread on the PIAF Forum.

Handling Incoming VoIP Calls. Here’s the bottom line. The one thing you don’t want to do is risk losing your phone number because of the Google Voice train wreck. We have noticed a dramatic difference in call reliability for incoming calls over the past few months. Perhaps it’s an upstream provider problem… and perhaps not. Whatever the reason, get your phone numbers ported out of Google Voice as quickly as you can. It doesn’t have to be in the next two weeks, but you are well advised to begin the porting process soon. The Nerd Vittles Vitelity link will get you a monthly rate of $3.95 for a Tier A DID with unlimited incoming calls each month and automatic server failover. There are a few less expensive DID providers but, when it comes to our phone number, we’ve always wanted a provider with rock-solid reliability, flexibility, and a proven track record. Vitelity meets those requirements in spades. As we noted at the outset, the other advantage in separating out your inbound and outbound trunks is that, when service gets disrupted (and it happens to the best of providers), you’re not completely dead in the water.

For the short term, so long as you have an existing DID in the U.S. or Canada, you can forward your incoming Google Voice calls to that DID by simply adding it as a call forwarding destination in your Google Voice profile. We also recommend adding your cellphone as an additional call forwarding destination. Finally, be sure to disable the Google Chat option in your Google Voice setup and remove the Google Voice trunk in your FreePBX Google Voice/Motif setup. Good luck!

Originally published: Thursday, May 1, 2014




Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Ringbinder theme by Themocracy