Safely deploying a public-facing Asterisk® server with full FreePBX® functionality has become the Holy Grail for Nerd Vittles in 2019. Today we tackle it on our new Incredible PBX® 16-15 platform featuring the latest releases of Asterisk 16 and FreePBX 15. The icing on today’s cake is a terrific new offer from Skyetel that supplements the current Nerd Vittles BOGO offer of up to $500 in half-priced VoIP services. Beginning today, Skyetel also will start you off with a $10 credit just for opening an account here. Then, after you have had an opportunity to kick the tires and perhaps purchase a DID for a buck, you can make $9 worth of phone calls before deciding whether to take advantage of the BOGO special by making a purchase of up to $250 and having Skyetel match your contribution. Once you have funded your account, you then can also take advantage of Skyetel’s free number porting offer for the next 60 days. To get your $10 credit, just open a ticket and request the $10 Nerd Vittles credit once you’ve signed up. To get the Nerd Vittles BOGO price match and take advantage of free number porting, simply open another ticket once you have added up to $250 to your account.

Making the Case for a Public-Facing PBX

We’ve had some of our pioneers trying out the new Incredible PBX 16-15-PUBLIC implementation this past week, and the question arose as to why anyone would want to do this. After all, PBX in a Flash 3 and Incredible PBX for the better part of a decade have been deployed with a whitelist using the Travelin’ Man 3 firewall, and there’s never been a security issue. So why switch horses now? The short answer is mobile users with dynamic IP addresses. If all the users of your PBX are sitting behind the same NAT-based router with static IP addresses, the Travelin’ Man 3 design is perfect. The bad guys could never even see your server. But if some of your users either reside or travel outside your home base or if you want calls to follow you on your smartphone when you leave home or the office, then Travelin’ Man 3 blocked SIP access from these remote phones until their new IP addresses were whitelisted. Multiply this by dozens or hundreds of users, and network management suddenly became a full-time job. Yes, we’ve had tools such as dynamic DNS and PortKnocker to ease the pain, but it still was a knuckle-drill for mobile users. And, in today’s world, much of the workforce is quickly morphing into mobile users without a traditional desk at an office.

The world also is becoming more SIP savvy. Just as folks are learning that a $35 antenna can provide an awesome collection of 4K Ultra HD TV channels without the expense of a monthly cable bill, others are learning that a SIP telephone or softphone app on your smartphone can provide free calls to and from anybody with a SIP URI without sharing your communications with Facebook or Microsoft. Today’s PUBLIC PBX makes free worldwide SIP calling a reality.

Building the Base Platform for Incredible PBX PUBLIC

To get started today, you need to begin by installing Incredible PBX 16-15 using the latest tutorial. There still are a few bugs in the FreePBX 15 fax module so you won’t be able to successfully install and use Incredible Fax for the time being. We’ll let everyone know when the issues have been resolved.

Once you have set up your Incredible PBX 16-15.2 server, the next step is to assign one or two fully-qualified domain names (FQDNs) to your server. You can have one FQDN for registering SIP extensions and a different one for anonymous SIP (invites) access to your server, or you can use the same FQDN for both. Security through obscurity provides an extra layer of protection for your server so choose your FQDNs carefully. sip.yourname.com provides almost no protection while f246g.yourname.com pretty much assures that nobody is going to guess your domain name. This is particularly important with the FQDN for SIP registrations because registered extensions on your PBX can obviously make phone calls that cost money.

By default, Incredible PBX 16-15 configures five extensions (701-705) and a Ring Group for those extensions (777) as well as four trunks including Skyetel. It’s ready to make and receive calls as soon as you sign up with one of the four providers listed in the tutorial. You can add as many additional providers and extensions as you like and modify the ring group to meet your needs. To get started, be sure to configure the correct time zone for your server as this affects delivery of reminders. Run /root/timezone-setup. Next, set a secure password for admin access to the FreePBX GUI modules. Run /root/admin-pw-change. Then set a secure password for admin access to web applications such as AsteriDex, Reminders, and User Control Panel. Run /root/apache-pw-change. In addition to reviewing your extensions and ring group, review the default inbound route and choose the destination for the incoming calls from your provider. Finally, configure the outbound route to use the provider sequence desired. By default, it uses Skyetel for outbound calls.

Going Public with Incredible PBX 16-15

Once you’ve tested making and receiving calls with your new server, you’re ready to convert it into a public-facing PBX. In order to run the install script below, you’ll need your FQDNs that you chose above, plus a port number for future SSH/Putty access to your server, plus a list of the extensions you wish to make available for public access to your PBX. These whitelisted extensions can be reached via SIP URI from anywhere in the world by anybody. It works just like your old MaBell phone. Anybody, anywhere can dial your number. What’s changed is now the calls are free. So choose your list carefully. We recommend using the year you were born for your SSH port to keep things simple for you. Once the GO-PUBLIC-16-15 script has been run, you can only access your PBX via SSH/Putty at the new port, e.g. SSH -p 1990 root@yourFQDN.com

Now we’re ready to run the install script. It takes less than a minute. Before you begin, log out of ALL SIP extensions you have previously registered with Incredible PBX and change the server destination from an IP address to the FQDN you plan to assign to SIP registrations. Otherwise, these IP addresses will get banned while the install script is running below!

cd /root
wget http://incrediblepbx.com/go-public-16-15.tar.gz
tar zxvf go-public-16-15.tar.gz
rm -f go-public-16-15.tar.gz
./GO-PUBLIC-16-15

A Few Words About Incredible PBX PUBLIC Security

As with all Incredible PBX servers, Incredible PBX 16-15-PUBLIC includes the Automatic Update Utility. Please don’t disable it. It’s our only way to push updates to you if some vulnerability is discovered down the road. It gets run whenever you login to your server as root using SSH/Putty. Do so regularly and follow us on Twitter for security alerts. There’s also an Incredible PBX RSS Feed that is displayed when you login to the Incredible PBX GUI with a browser. It, too, includes security alerts and should be checked regularly. It’s your phone bill.

Incredible PBX 16-15-PUBLIC uses the ipset utility in conjunction with the IPtables firewall to block several countries that have inordinately high concentrations of folks that try to break into VoIP servers. In addition, your public PBX includes the VoIP Blacklist which includes another 100,000 bad guys from around the globe. These blacklists get updated every night by a script which is run from /etc/crontab. For your own safety, don’t disable or delete /etc/update-voipbl.sh or the other components upon which it relies.

Here are some other things you should do regularly to assure that your server remains secure. Login via SSH/Putty as root and check pbxstatus after the Automatic Update Utility is run. With the exception of the fax components, all the other items should be green all the time. From the Linux CLI, run: iptables -nL. This will show your firewall rules and whether any IP addresses have been banned by Fail2Ban. If there are banned IP addresses that are not your own, please open a thread on the PIAF Forum and let us know about it. If there are dozens of banned IP addresses, shutdown your server immediately until the problem is identified and resolved. If the IP addresses happen to be your own users because of using incorrect passwords or because of using a server IP address instead of its FQDN for SIP registrations, unban the IP address: fail2ban-client set asterisk unbanip xxx.xxx.xxx.xxx
Finally, watch the Asterisk CLI periodically for abnormal activity: asterisk -rvvvvvvvvvv

Tightening Up SSH Server Access

You obviously need a very secure root password for access to your server using SSH/Putty. Changing the TCP port for SSH access avoids the script kiddies, but it doesn’t offer much protection from a determined cracker. SSH login attempts are monitored by Fail2Ban, but Fail2Ban has issues when a determined intruder is using a powerful computing platform such as Amazon EC2. The more prudent solution is to disable SSH port access and use SSH Public Key Authentication as documented in the linked tutorial. Always, always use ssh-copy-id to copy your credentials to more than one desktop machine so that you don’t inadvertently lock yourself out of your PBX in the case of a hardware failure.

Introducing the VitalPBX Communicator

Our previous article offered some suggestions for SIP softphones. These become more important once you deploy a public-facing PBX and want to stay connected while you’re away from home or the office. If you’re using an Android smartphone even without a SIM card and provider, there is no finer softphone than the new VitalPBX Communicator. Using the Account Assistant, enter the SIP extension of your PBX as the Username. Enter the SIP extension password as the Password. For the Domain, enter the SIP registration FQDN you specified above (not the IP address of your server!). Choose UDP for the Transport. And click Login to begin. In the Network Settings, turn OFF WiFi only. If you enable Background Mode and Start At Boot Time in Advanced Settings, the softphone will remain registered and available even when you’re using other applications. On a Google Pixel 3, this consumes about 20% of the phone’s battery life from a full charge. A similar app is available for Windows-based PCs. An iPhone app is under development.

For other platforms, the Linphone application is an excellent alternative. See our previous Linphone tutorial for details. Here are the download links for each supported platform:

A Word to the Wise. Our experience suggests that SIP communications with an iPhone is notoriously awful. Under identical conditions using the same application on both an iPhone and an Android phone typically results in calls failing or experiencing one-way or no audio on the iPhone. Save yourself some frustration and purchase ANY Android phone for SIP communications (HINT: With the exception of the camera, the Moto g6 is virtually identical in shape and performance to Google’s Pixel 3 at less than one-third the cost). As noted, no SIM card is required. WiFi works perfectly. If you want a cell phone provider, check out Mint Mobile’s dirt cheap offering ($15/mo. for unlimited calls and text plus 3GB of LTE data). Nerd Vittles (and you) receive a perk when you use our link to sign up for service.

Special Thanks: We want to give an extra special tip of the hat to the PIAF Forum members who assisted in working the kinks out of the last two weeks’ Incredible PBX 16-15 offerings. We also wish to thank JavaPipe LLC for a number of DDOS tips and tricks in securing CentOS 7 with IPtables.

Originally published: Monday, July 22, 2019



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Amazon, Skyetel, Vitelity, DigitalOcean, Vultr, Digium, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls plus quadruple data center redundancy assures that you’ll never have a failed call. Tutorial and sign up details are here.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Print Friendly, PDF & Email

Be Sociable, Share!

Tags:

This article has 1 comment

  1. Ward Great to see your website active after following you for many years. Seems I only find time to drop in every now and again these days…. Seems like yesterday I was reading as you retire in Atlanta, Ga. I myself retired from CSX (Tilford Yard) last year. Hunter Harrison scrapped Tilford Hump Yard and it was probably over 100 yrs old!! I do some volunteering for the Red Cross EUS dept these days…… You take care! …and keep giving us nerds this food for thought!!!

Leave a comment

Your email address will not be published. Required fields are marked *

*