Posts tagged: asterisk

A Night with the Stars: The Future of Asterisk and Open Source Telephony

We recently had an opportunity to spend one of Charleston’s coldest nights with David Duffett and Mark Spencer solving most of the world’s problems. For those of you that don’t know, Mark was the creator of Asterisk® and the founder and current CTO of Digium® while David is the Director of the Worldwide Asterisk Community which means he’s never seen an airplane he didn’t like. As it happens, Mark shares a passion for aviation, and we’ll get to that.

Mark and David flew into Charleston’s “international airport” on one of my favorite airplanes. It speaks volumes about our small aviation hub when there are only a handful of reserved parking places and the names of two car dealers and Darius Rucker appear on three of them. Welcome to Charleston. For those that are airplane buffs, if you haven’t heard of the Very Light Jet revolution in commercial aviation, take a look at this article and then go talk to your boss about ditching commercial aircraft travel. “The variable operating cost per hour of the Eclipse 500 (insurance, maintenance, fuel, and replacement parts) is estimated at $372.” That’s less than 25% of the typical operating cost of most private jets. To give you another point of reference, the Eclipse made the trip in one hour and one minute. The 500-mile, 8-hour trip from Huntsville to Charleston in a rented SUV is over $200 a day. One-way, refundable commercial airfare from Huntsville to Charleston is $842.10 per person and takes roughly four hours. Life’s too short! Now where were we?

Our reading of the tea leaves suggests that the days of using copper for communications are coming to a close which means the sales of analog cards for PSTN connectivity will continue to diminish. Since this has been Digium’s bread and butter for many years, we were curious about the future direction of the company. To his credit, Mark was smart enough to appreciate early on that being a great programmer doesn’t necessarily provide the skill set needed to manage a technology business. That responsibility has been turned over to Danny Windham, who has done a terrific job in positioning Digium for future growth with a broad mix of products. In the hardware department, Digium’s new line of high-end “smart” phones and failover appliances are a big hit. Digium’s commercial unified communications system aka Switchvox has perhaps the best graphical user interface of any commercial product on the market at a fraction of the cost. Then there are new cloud offerings including Respoke which brings communications to your web site with zero hardware costs. And finally there is Digium’s new SIP trunking which offers extremely competitive pricing for commercial enterprises. Whew!

On the open source front, Digium continues to lead the Asterisk charge with the release of Asterisk 13 last month. To its credit, Digium was smart enough to appreciate its development limitations even though Matt Jordan and his team have done a masterful job advancing Asterisk to a whole new level. The kludgey SIP days are officially over. Unfortunately, what was left by the wayside was Mark’s open source Asterisk-GUI which was incorporated into AsteriskNOW for many years. The latest releases now include a rebranded version of FreePBX®.

When Mark inquired about what we had been up to lately, we couldn’t help but chuckle in acknowledging that we’d been playing with Asterisk-GUI. While we don’t typically dig up bones in the graveyard, Asterisk-GUI is a little different. It’s a product that was dropped from the Digium lineup not because of its technical shortcomings but because of a lack of resources to properly support and further develop it as a Digium-funded open source product. Other companies have wasted little time incorporating Asterisk-GUI into their commercial PBX offerings. That includes Grandstream as well as Yeastar and ATCOM. And, of course, Digium’s AA50 also uses Asterisk-GUI. We’ve been looking at Asterisk-GUI as a low overhead alternative to FreePBX that could better support hobbyist platforms running Asterisk: the Raspberry Pi, BeagleBone Black, CuBOX, and even old Pogoplug hardware.

What’s different about Asterisk-GUI compared to FreePBX is its memory footprint and performance. Reloading FreePBX after making changes in the GUI is a laborious process on these tiny devices. On the other hand, reloading Asterisk-GUI is virtually instantaneous. Is it as feature-rich as FreePBX? No. Do most hobbyists and SOHO businesses need the product sophistication of FreePBX? Probably not.

Our focus with Asterisk-GUI is to develop a secure hobbyist platform which others then can embellish to keep the product current in the traditional open source manner. We plan to start with Asterisk 11 and see how it goes. We also plan to encourage participation by lots of current Asterisk-GUI development partners including Grandstream. Technical assistance still could be provided through the existing PBX in a Flash Forum for those that want to participate in development or just like to play. We got into open source telephony to experiment as a hobbyist, not to make money. We have been enormously successful… at least with respect to our financial objective.

To make a long story short, we sent Mark and David packing with Pogoplugs in their bags. So who knows what the future holds? Perhaps it will rekindle the development spirit that first led to Asterisk and Asterisk-GUI. And, whether it does or not, suffice it to say the Asterisk-GUI is an impressive software product and one we hope to tame in coming weeks for use with some of our favorite hardware.

In the meantime, Mark is busy bringing his open source enthusiasm to the aviation world. But, as I joked to Mark, there are a lot more telephones in the world than there are airplanes. So we’ll see what we see. One thing is for sure. We all can expect great things in coming years from Mark. He remains one of the most talented and prolific programmers in the country, and we’re looking forward to spending some time with his next creation regardless of the platform.

Originally published: Wednesday, November 19, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Midnight Madness: Introducing Incredible PBX 12 with Asterisk 12 and FreePBX

The number “12” always has held mystical prominence in our culture and so it is with Asterisk®. Just over 12 months ago, Digium first introduced Asterisk 12 at AstriCon in Atlanta and heralded a major change in the direction of the product. It was more than a wholesale revamping of the Asterisk feature set. There was a revolutionary new development methodology thanks to the untiring efforts of Matt Jordan and his incredibly talented development team. Unlike Asterisk releases of old, there were no serious breakages in existing applications and, where there were changes, they were carefully documented for all the world to see. Thank you, Matt & Co.

The release of Asterisk 12 also set in motion the development of FreePBX® 12 by the equally talented FreePBX Dev Team. What began as an effort simply to integrate all of the new components in Asterisk 12 quickly evolved into a major rewrite of the graphical user interface for Asterisk, no small feat given its history of starts and stops spanning nearly a decade of development. Just last week, FreePBX 12 was pronounced stable and production ready. If you thought Asterisk 12 was revolutionary, just wait until you try FreePBX 12. Simply amazing work by the FreePBX Development Team. Thank you.

While PBX in a Flash has offered a preview edition of Asterisk 12 and FreePBX 12 for quite a while, we’ve held off releasing the stand-alone Incredible PBX 12 for a number of reasons. First and foremost, we wanted Incredible PBX 12 to remain pure open source to point the way for others that want to enhance Asterisk 12 and FreePBX 12. Second, there were more than a few rough edges with both products that simply needed some time to evolve. The one year anniversary of Asterisk 12 and the stable release of FreePBX 12 seemed a fitting occasion to add our turnkey implementation of Incredible PBX to the mix.

The real beauty of Incredible PBX: there is no smoke and there are no mirrors. What you see is what you get. You begin with a base install of the Linux operating system. And then the open source Incredible PBX installer adds all of the pieces to integrate air-tight security with Asterisk 12, FreePBX 12, text-to-speech technology and dozens of applications for Asterisk into a seamless platform for either experimentation or production use. You can review the source code and embellish it as you see fit! Protecting your deployment is the IPtables firewall with a WhiteList for authorized user access coupled with Fail2Ban to monitor access attempts. This isn’t merely a security toolkit. Your server is actually locked down from the moment you complete the Incredible PBX install. Authorizing additional users is accomplished using simple administrator scripts. Or end-users can employ PortKnocker and Travelin’ Man 4 to simplify remote access. Automatic updates for security fixes and enhancements are an integral component of Incredible PBX. If the security alerts of the past month haven’t convinced you that updates are critically important, you probably should stop hosting your own PBX. Backups and restores also are simple. And the complete open source feature set of both Asterisk and FreePBX is activated to facilitate your development efforts. In short, you gain nothing by installing the individual components yourself, and you may lose a lot. With Incredible PBX, the heavy lifting has all been done for you with documented, open source code that makes it simple to add your own tweaks as desired. That’s what open source is all about!

We’ve chosen Ubuntu 14.04 as the platform on which to begin the Incredible PBX 12 adventure. More releases will follow in due course. But Ubuntu 14.04 is an extremely stable and well-supported LTS release of Linux that warrants a careful look. After all, the primary objective here is a stable telephony platform. The Ubuntu 14.04 LTS platform offers that in spades.

Building an Ubuntu 14.04 Platform for Incredible PBX 12

As a result of the trademark and copyright morass, we’ve steered away from the bundled operating system in favor of a methodology that relies upon you to put in place the operating system platform on which to run PBX in a Flash or Incredible PBX. The good news is it’s easy! With many cloud-based providers1, you can simply click a button to choose your favorite OS flavor and within minutes, you’re ready to go. With many virtual machine platforms such as VirtualBox, it’s equally simple to find a pre-built Ubuntu 14.04 image or roll your own.

If you’re new to VoIP or to Nerd Vittles, here’s our best piece of advice. Don’t take our word for anything! Try it for yourself in the Cloud! You can build an Ubuntu 14.04 image on Digital Ocean in under one minute and install Incredible PBX 12 for Ubuntu 14.04 in under 30 minutes. Then try it out for two full months. It won’t cost you a dime. Use our referral link to sign up for an account. Enter a valid credit card to verify you’re who you say you are. Create an Ubuntu 14.04 (not 14.10!) 512MB droplet of the cheapest flavor ($5/mo.). Go to the Billing section of the site, and enter the following promo code: UBUNTUDROPLET. That’s all there is to it. A $10 credit will be added to your account, and you can play to your heart’s content. Delete droplets, add droplets, and enjoy the free ride!

For today, we’ll walk you through building your own stand-alone server using the Ubuntu 14.04 mini.iso. If you’re using Digital Ocean in the Cloud, skip down to Installing Incredible PBX 12. If you’re using your own hardware, to get started, download the 32-bit or 64-bit Ubuntu 14.04 “Trusty Tahr” Minimal ISO from here. Then burn it to a CD/DVD or thumb drive and boot your dedicated server from the image. Remember, you’ll be reformatting the drive in your server so pick a machine you don’t need for other purposes.

For those that would prefer to build your Ubuntu 14.04 Wonder Machine using VirtualBox on any Windows, Mac, or existing Linux Desktop, here are the simple steps. Create a new virtual machine specifying either the 32-bit or 64-bit version of Ubuntu. Allocate 1024MB of RAM (512MB also works fine!) and at least 20GB of disk space using the default hard drive setup in all three steps. In Settings, click System and check Enable I/O APIC and uncheck Hardware Clock in UTC Time. Click Audio and Specify then Enable your sound card. Click Network and Enable Network Adapter for Adapter 1 and choose Bridged Adapter. Finally, in Storage, add the Ubuntu 14.04 mini.iso to your VirtualBox Storage Tree as shown below. Then click OK and start up your new virtual machine. Simple!

Here are the steps to get Ubuntu 14.04 humming on your new server or virtual machine once you’ve booted up. If you can bake cookies from a recipe, you can do this:

UBUNTU mini.iso install:
Choose language
Choose timezone
Detect keyboard
Hostname: incrediblepbx < continue >
Choose mirror for downloads
Confirm archive mirror
Leave proxy blank unless you need it
< continue >
** couple minutes of whirring as initial components are loaded **
New user name: incredible
< continue >
Account username: incredible
< continue >
Account password: makeitsecure
< continue >
Encrypt home directory < no >
Confirm time zone < yes >
Partition disks: Guided - use entire disk and set up LVM
Confirm disk to partition
Write changes to disks and configure LVM
Whole volume? < continue>
Write changes to disks < yes> < -- last chance to preserve your disk drive!
** about 15 minutes of whirring during base system install ** < no touchy anything>
** another 5 minutes of whirring during base software install ** < no touchy anything>
Upgrades? Install security updates automatically
** another 5 minutes of whirring during more software installs ** < no touchy anything>
Software selection: *Basic Ubuntu server (only!)
** another couple minutes of whirring during software installs ** < no touchy anything>
Grub boot loader: < yes>
UTC for system clock: < no>
Installation complete: < continue> after removing installation media
** on VirtualBox, PowerOff after reboot and remove [-] mini.iso from Storage Tree & restart VM
login as user: incredible
** enter user incredible's password **
sudo passwd
** enter incredible password again and then create secure root user password **
su root
** enter root password **
apt-get update
apt-get install ssh -y
sed -i 's|without-password|yes|' /etc/ssh/sshd_config
sed -i 's|yes"|without-password"|' /etc/ssh/sshd_config
ifconfig
** write down the IP address of your server from ifconfig results
reboot
** login via SSH to continue **

Installing Incredible PBX 12 on Your Ubuntu 14.04 Server

Adding Incredible PBX 12 to a running Ubuntu 14.04 server is a walk in the park. To restate the obvious, your server needs a reliable Internet connection to proceed. Using SSH (or Putty on a Windows machine), log into your new server as root at the IP address you deciphered in the ifconfig step at the end of the Ubuntu install procedure above.

WARNING: If you’re using a 512MB droplet at Digital Ocean, be advised that their Ubuntu setup does NOT include a swap file. This may cause serious problems when you run out of RAM. Uncomment ./create-swapfile-DO line below to create a 1GB swap file which will be activated whenever you exceed 90% RAM usage on Digital Ocean.

Now let’s begin the Incredible PBX 12 install. Log back in as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/incrediblepbx12.tar.gz
tar zxvf incrediblepbx12.tar.gz
rm incrediblepbx12.tar.gz
#./create-swapfile-DO
./IncrediblePBX12.sh

The installer will first upgrade your Ubuntu 14.04 build to the latest modules. Then it will reboot. Rerun the installer again to kick off the Incredible PBX 12 installation process. Once you have agreed to the license agreement and terms of use, press Enter and go have a 30-minute cup of coffee. The Incredible PBX 12 installer runs unattended so find something to do for a bit unless you just like watching code compile. When you see “Have a nice day”, your installation is complete. Write down your your three “knock” ports for PortKnocker. You can retrieve your PortKnocker setup like this: cat /root/knock.FAQ. Next, set your admin password for FreePBX 12 by running /root/admin-pw-change. Set your correct time zone by running /root/timezone-setup.

Log out and back in as root and the automatic update utility will bring your system current with security fixes and enhancements. Then you will be greeted with a status display shown at the top of this article.

You can access the Asterisk 12 CLI by typing: asterisk -rvvvvvvvvvv

You can access the FreePBX 12 GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display. The default username is admin with the admin password you set up above. If desired, you also can change it in FreePBX Administration by clicking Admin -> Administrators -> admin. Enter a new password and click Submit Changes then Apply Config. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for default 701 extension and voicemail: Applications -> Extensions -> 701.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX 12. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:

123 - Reminders
222 - ODBC Demo (use acct: 12345)
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use an existing (free) Google Voice account. Google has threatened to shut this down but as this is written, it still works with previously set up Google Voice accounts. The more desirable long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX 12. If you want to use the inbound fax capabilities of Incredible Fax, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using FreePBX. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Google Voice account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Use a previously configured and dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX 12.

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you’re probably out of luck. Google has disabled the option in newly created accounts as well as some old ones that had Google Chat disabled. Now go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call ScreeningOFF
  • Call PresentationOFF
  • Caller ID (In)Display Caller’s Number
  • Caller ID (Out)Don’t Change Anything
  • Do Not DisturbOFF
  • Call Options (Enable Recording)OFF
  • Global Spam FilteringON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in FreePBX 12. After logging into FreePBX with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. If you want unanswered calls to be routed to Google Voice for transcription, check the box. Be advised that IVR calls typically are not “answered” so check that box as well if you plan to use an IVR to respond to incoming Google Voice calls.

IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems.

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work with these simple settings in FreePBX: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

Adding Speech Recognition to Incredible PBX 12

To support many of our applications, Incredible PBX has included Google’s speech recognition service for years. These applications include Weather Reports by City (949), AsteriDex Voice Dialing by Name (411), and Wolfram Alpha for Asterisk (4747), all of which use Lefteris Zafiris’ terrific speech-recog AGI script. Unfortunately (for some), Google now has tightened up the terms of use for their free speech recognition service. Now you can only use it for “personal and development use.” If you meet those criteria, keep reading. Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

1. Using an existing Google/Gmail account to join the Chrome-Dev Group.

2. Using the same account, create a new Speech Recognition Project.

3. Click on your newly created project and choose APIs & auth.

4. Turn ON Speech API by clicking on its Status button in the far right margin.

5. Click on Credentials in APIs & auth and choose Create New Key -> Server key. Leave the IP address restriction blank!

6. Write down your new API key or copy it to the clipboard.

7. Log into your server as root and issue the following commands:

# for Ubuntu and Debian platforms
apt-get clean
apt-get install libjson-perl flac -y
# for RedHat and CentOS platforms
# yum -y install perl-JSON
# for all Linux platforms
cd /var/lib/asterisk/agi-bin
mv speech-recog.agi speech-recog.last.agi
wget --no-check-certificate https://raw.githubusercontent.com/zaf/asterisk-speech-recog/master/speech-recog.agi
chown asterisk:asterisk speech*
chmod 775 speech*
nano -w speech-recog.agi

8. When the nano editor opens, go to line 70 of speech-recog.agi: my $key = "". Insert your API key from Step #6 above between the quotation marks and save the file: Ctrl-X, Y, then Enter.

Now you’re ready to try out the speech recognition apps. Dial 949 and say the name of a city and state/province/country to get a current weather forecast from Yahoo. Dial 411 and say “American Airlines” to be connected to American.

To use Wolfram Alpha by phone, you first must install it. Obtain your free Wolfram Alpha APP-ID here. Then run the one-click installer: /root/wolfram/wolframalpha-oneclick.sh. Insert your APP-ID when prompted. Now dial 4747 to access Wolfram Alpha by phone and enter your query, e.g. “What planes are overhead.” Read the Nerd Vittles tutorial for additional examples and tips.

A Few Words about the Incredible PBX 12 Security Model for Ubuntu

Incredible PBX 12 for Ubuntu 14.04 is an extremely secure turnkey PBX implementation. As configured, it is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. As installed, nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. Incredible PBX 12 is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking.

You can whitelist additional IP addresses for remote access in several ways. First, you can use the command-line utilities: /root/add-ip and /root/add-fqdn. You can also remove whitelisted IP addresses by running /root/del-acct. Second, you can dial into extension 864 (or use a DID pointed to extension 864 aka TM4) and enter an IP address to whitelist. Before Travelin’ Man 4 will work, you’ll need to add credentials for each caller using the tools in /root/tm4. You must add at least one account before dial-in whitelisting will be enabled. Third, you can temporarily whitelist an IP address by successfully executing the PortKnocker 3-knock code established for your server. You’ll find the details and the codes in /root/knock.FAQ. Be advised that IP addresses whitelisted with PortKnocker (only!) go away whenever your server is rebooted or the IPtables firewall is restarted. For further information on the PortKnocker technology and available clients for iOS and Android devices, review the Nerd Vittles tutorial.

HINT: The reason that storing your PortKnocker codes in a safe place is essential is because it may be your only available way to gain access to your server if your IP address changes. You obviously can’t use the command-line tools to whitelist a new IP address if you cannot gain access to your server at the new IP address.

We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. If you use a hardware-based firewall, be sure to map the three PortKnocker ports to the internal IP address of your server!

The NeoRouter VPN client also is included for rock-solid, secure connectivity for remote users. Read our previous tutorial for setup instructions.

As one would expect, the IPtables firewall is a complex piece of software. If you need assistance configuring it, visit the PIAF Forum for some friendly assistance.

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX 12 server, simply copy the image to a server running Asterisk 12 and FreePBX 12 and run /root/incrediblerestore. Doesn’t get much simpler than that.

A Word About FreePBX Module Signatures

FreePBX 12 has implemented a new checksum mechanism to assure that FreePBX-developed modules are intact. As of this writing, there is not yet a procedure in place to register non-FreePBX modules and check their validity. Because Incredible PBX adds a number of unsigned modules, you will need to change Enable Module Signature Checking to False in Advanced Settings from time to time until we get this sorted out with the FreePBX Development Team. Otherwise, you will get an ugly message in System Status alerting you to the fact that a number of modules are not signed. The default Incredible PBX install has signature checking disabled. Don’t be alarmed if it changes after adding new FreePBX modules or updates. The affected Incredible PBX modules include AsteriDex, ConfigEdit, Reminders, SysInfo, and phpMyAdmin. If other modules (other than ODBC configuration files) show invalid or missing signatures, you should do some investigating promptly! Otherwise, simply disable signature checking again, and all will be well. You will need to do this if you install Incredible Fax in the next step.

Adding Incredible Fax to Your Server

Once you’ve completed the Incredible PBX install, log out and log back in to load the latest automatic updates. Then reboot. Now you’re ready to continue your adventure by installing Incredible Fax for Ubuntu. Special thanks to Josh North for all his hard work on this!

cd /root
./incrediblefax11_ubuntu14.sh

Just plug in your email address for delivery of your incoming faxes in PDF format. Then accept all of the defaults during the installation process. Once you complete the install, reboot your server. Then log in as root again and set your AvantFax admin password: /root/avantfax-pw-change. Now you can access both FreePBX 12 and AvantFax by pointing your browser to the IP address of your server. Please note that we’ve had problems logging into AvantFax with some versions of the Chrome browser. Works great with Firefox!

Next, log into FreePBX and set an Inbound Route for incoming faxes to Custom Destination: Fax (hylafax). Then try sending a fax to the phone number and be sure it arrives in your email.

You also can try enabling fax detection with any Google Voice number. Just edit the inbound route for the DID and make it look like this:

Incredible PBX 12 Automatic Update Utility

Every time you log into your server as root, Incredible PBX 12 will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along (again).

Where To Go Next?

Once you get Incredible PBX installed, you’ll want to read up on the dozens of applications for Asterisk which are included in the Incredible PBX feature set. We’ve previously covered this in a separate article for the Raspberry Pi platform, but the applications are the same. Here’s a link to the tutorials.

You can follow updates to Incredible PBX 12 in this thread on the PIAF Forum.

We would also encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie. Come join us!

Originally published: Monday, November 3, 2014


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. With some providers including ones linked in this article, Nerd Vittles receives referral fees which assist in keeping the Nerd Vittles lights burning brightly. []

30 Minutes to Paradise: Incredible PBX for Ubuntu 14.04 is Ready for Primetime

A few months ago, we introduced a preview of Incredible PBX for Ubuntu 14. And now we’re pleased to release the latest production-ready version with all the bells and whistles including Incredible Fax featuring HylaFax and AvantFax.

Introducing Incredible PBX 11 for Ubuntu 14.04

Today’s plan is to build a production-ready version of Incredible PBX with Ubuntu 14.04 that mimics the functionality of our previous builds with literally dozens of turnkey applications that show off the very best features of Asterisk®. If you believe in the open source community, this build is for you. No strings, no gotchas, and no quirky licenses!

Six months ago, we could barely spell Ubuntu. Then an enterprising young programmer named Eric Teeter shot us a script to install Ubuntu with Asterisk and FreePBX® and encouraged us to embellish it and to share the results with our Nerd Vittles audience. Having rarely met an operating system we didn’t like, we jumped at the opportunity knowing full well that Billy Chia at Digium and Tony Lewis at Schmooze Com had reported impressive results with Ubuntu years ago. It seemed like a good fit for Incredible PBX as well. Unlike CentOS, Ubuntu also was a platform that was easily transferable to the new $50 BeagleBone Black and the CuBox-i.

Our special thanks to Lefteris Zafiris for cleaning up all of the text-to-speech incompatibilities with Ubuntu. Within minutes from the other side of the world, Lefteris had logged into our Ubuntu Server in the Cloud and tamed the TTS beast. If ever there was an unsung hero in the Asterisk community, it’s Lefteris Zafiris. He has single-handedly kept all of the speech applications humming along through countless versions of Asterisk. We would have quit long ago without his untiring assistance. Thank you (again), Lefteris, for coming to the rescue.

Building an Ubuntu 14.04 Platform for Incredible PBX

As a result of the trademark and copyright morass, we’ve steered away from the bundled operating system in favor of a methodology that relies upon you to put in place the operating system platform on which to run PBX in a Flash or Incredible PBX. The good news is it’s easy! With many cloud-based providers1, you can simply click a button to choose your favorite OS flavor and within minutes, you’re ready to go. With many virtual machine platforms such as VirtualBox, it’s equally simple to find a pre-built Ubuntu 14.04 image or roll your own.

If you’re new to VoIP or to Nerd Vittles, here’s our best piece of advice. Don’t take our word for anything! Try it for yourself in the Cloud! You can build an Ubuntu 14.04 image on Digital Ocean in under one minute and install Incredible PBX for Ubuntu 14.04 in about 15 minutes. Then try it out for two full months. It won’t cost you a dime. Use our referral link to sign up for an account. Enter a valid credit card to verify you’re who you say you are. Create an Ubuntu 14.04 (not 14.10!) 512MB droplet of the cheapest flavor ($5/mo.). Go to the Billing section of the site, and enter the following promo code: UBUNTUDROPLET. That’s all there is to it. A $10 credit will be added to your account, and you can play to your heart’s content. Delete droplets, add droplets, and enjoy the free ride!

For today, we’ll walk you through building your own stand-alone server using the Ubuntu 14.04 mini.iso. If you’re using Digital Ocean in the Cloud, skip down to Installing Incredible PBX 11. If you’re using your own hardware, to get started, download the 32-bit or 64-bit Ubuntu 14.04 “Trusty Tahr” Minimal ISO from here. Then burn it to a CD/DVD or thumb drive and boot your dedicated server from the image. Remember, you’ll be reformatting the drive in your server so pick a machine you don’t need for other purposes.

For those that would prefer to build your Ubuntu 14.04 Wonder Machine using VirtualBox on any Windows, Mac, or existing Linux Desktop, here are the simple steps. Create a new virtual machine specifying either the 32-bit or 64-bit version of Ubuntu. Allocate 1024MB of RAM (512MB also works fine!) and at least 20GB of disk space using the default hard drive setup in all three steps. In Settings, click System and check Enable I/O APIC and uncheck Hardware Clock in UTC Time. Click Audio and Specify then Enable your sound card. Click Network and Enable Network Adapter for Adapter 1 and choose Bridged Adapter. Finally, in Storage, add the Ubuntu 14.04 mini.iso to your VirtualBox Storage Tree as shown below. Then click OK and start up your new virtual machine. Simple!

Here are the steps to get Ubuntu 14.04 humming on your new server or virtual machine once you’ve booted up. If you can bake cookies from a recipe, you can do this:

UBUNTU mini.iso install:
Choose language
Choose timezone
Detect keyboard
Hostname: incrediblepbx < continue >
Choose mirror for downloads
Confirm archive mirror
Leave proxy blank unless you need it
< continue >
** couple minutes of whirring as initial components are loaded **
New user name: incredible
< continue >
Account username: incredible
< continue >
Account password: makeitsecure
< continue >
Encrypt home directory < no >
Confirm time zone < yes >
Partition disks: Guided - use entire disk and set up LVM
Confirm disk to partition
Write changes to disks and configure LVM
Whole volume? < continue>
Write changes to disks < yes> < -- last chance to preserve your disk drive!
** about 15 minutes of whirring during base system install ** < no touchy anything>
** another 5 minutes of whirring during base software install ** < no touchy anything>
Upgrades? Install security updates automatically
** another 5 minutes of whirring during more software installs ** < no touchy anything>
Software selection: *Basic Ubuntu server (only!)
** another couple minutes of whirring during software installs ** < no touchy anything>
Grub boot loader: < yes>
UTC for system clock: < no>
Installation complete: < continue> after removing installation media
** on VirtualBox, PowerOff after reboot and remove [-] mini.iso from Storage Tree & restart VM
login as user: incredible
** enter user incredible's password **
sudo passwd
** enter incredible password again and then create secure root user password **
su root
** enter root password **
apt-get update
apt-get install ssh -y
sed -i 's|without-password|yes|' /etc/ssh/sshd_config
sed -i 's|yes"|without-password"|' /etc/ssh/sshd_config
ifconfig
** write down the IP address of your server from ifconfig results
reboot
** login via SSH to continue **

Installing Incredible PBX on Your Ubuntu 14.04 Server

Adding Incredible PBX to a running Ubuntu 14.04 server is a walk in the park. To restate the obvious, your server needs a reliable Internet connection to proceed. Using SSH (or Putty on a Windows machine), log into your new server as root at the IP address you deciphered in the ifconfig step at the end of the Ubuntu install procedure above. First, make sure to run the update step for Ubuntu before you begin the install. This is especially important if using a cloud-based Ubuntu 14 server.

apt-get update && apt-get upgrade -y && reboot

WARNING: If you’re using a 512MB droplet at Digital Ocean, be advised that their Ubuntu setup does NOT include a swap file. This may cause serious problems when you run out of RAM. Uncomment ./create-swapfile-DO line below to create a 1GB swap file which will be activated whenever you exceed 90% RAM usage on Digital Ocean.

Now let’s begin the Incredible PBX install. Log back in as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/incrediblepbx11.4.ubuntu14.tar.gz
tar zxvf incrediblepbx*
#./create-swapfile-DO
./Incredible*

Once you have agreed to the license agreement and terms of use, press Enter and go have a 30-minute cup of coffee. The Incredible PBX installer runs unattended so find something to do for a bit unless you just like watching code compile. When you see “Have a nice day”, your installation is complete. Write down your admin password for FreePBX as well as your three “knock” ports for PortKnocker. If you forget them, you can reset your admin password by running /root/admin-pw-change. And you can retrieve your PortKnocker setup like this: cat /root/knock.FAQ.

Log out and back in as root and you should be greeted with a status display that looks something like this:

You can access the Asterisk CLI by typing: asterisk -rvvvvvvvvvv

You can access the FreePBX GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display. The default username is admin with the randomized password you wrote down above. If desired, you can change them in FreePBX Administration by clicking Admin -> Administrators -> admin. Enter a new password and click Submit Changes then Apply Config. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for default 701 extension and voicemail: Applications -> Extensions -> 701.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:

123 - Reminders
222 - ODBC Demo (use acct: 12345)
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use an existing (free) Google Voice account. Google has threatened to shut this down but as this is written, it still works with previously set up Google Voice accounts. The more desirable long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax 11, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using FreePBX. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Google Voice account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Use a previously configured and dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX 11.

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you’re probably out of luck. Google has disabled the option in newly created accounts as well as some old ones that had Google Chat disabled. Now go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call ScreeningOFF
  • Call PresentationOFF
  • Caller ID (In)Display Caller’s Number
  • Caller ID (Out)Don’t Change Anything
  • Do Not DisturbOFF
  • Call Options (Enable Recording)OFF
  • Global Spam FilteringON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in FreePBX. After logging into FreePBX with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. Do NOT check the third box or incoming calls will never ring!

IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems.

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work with these simple settings in FreePBX: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

Adding Speech Recognition to Incredible PBX

To support many of our applications, Incredible PBX has included Google’s speech recognition service for years. These applications include Weather Reports by City (949), AsteriDex Voice Dialing by Name (411), and Wolfram Alpha for Asterisk (4747), all of which use Lefteris Zafiris’ terrific speech-recog AGI script. Unfortunately (for some), Google now has tightened up the terms of use for their free speech recognition service. Now you can only use it for “personal and development use.” If you meet those criteria, keep reading. Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

1. Using an existing Google/Gmail account to join the Chrome-Dev Group.

2. Using the same account, create a new Speech Recognition Project.

3. Click on your newly created project and choose APIs & auth.

4. Turn ON Speech API by clicking on its Status button in the far right margin.

5. Click on Credentials in APIs & auth and choose Create New Key -> Server key. Leave the IP address restriction blank!

6. Write down your new API key or copy it to the clipboard.

7. Log into your server as root and issue the following commands:

# for Ubuntu and Debian platforms
apt-get clean
apt-get install libjson-perl flac -y
# for RedHat and CentOS platforms
yum -y install perl-JSON
# for all Linux platforms
cd /var/lib/asterisk/agi-bin
mv speech-recog.agi speech-recog.last.agi
wget --no-check-certificate https://raw.githubusercontent.com/zaf/asterisk-speech-recog/master/speech-recog.agi
chown asterisk:asterisk speech*
chmod 775 speech*
nano -w speech-recog.agi

8. When the nano editor opens, go to line 70 of speech-recog.agi: my $key = "". Insert your API key from Step #6 above between the quotation marks and save the file: Ctrl-X, Y, then Enter.

Now you’re ready to try out the speech recognition apps. Dial 949 and say the name of a city and state/province/country to get a current weather forecast from Yahoo. Dial 411 and say “American Airlines” to be connected to American.

To use Wolfram Alpha by phone, you first must install it. Obtain your free Wolfram Alpha APP-ID here. Then run the one-click installer: /root/wolfram/wolframalpha-oneclick.sh. Insert your APP-ID when prompted. Now dial 4747 to access Wolfram Alpha by phone and enter your query, e.g. “What planes are overhead.” Read the Nerd Vittles tutorial for additional examples and tips.

A Few Words about the Incredible PBX Security Model for Ubuntu

Incredible PBX for Ubuntu 14 is our most secure turnkey PBX implementation, ever. As configured, it is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. As configured, nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. Incredible PBX is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking.

You can whitelist additional IP addresses for remote access in several ways. First, you can use the command-line utilities: /root/add-ip and /root/add-fqdn. You can also remove whitelisted IP addresses by running /root/del-acct. Second, you can dial into extension 864 (or use a DID pointed to extension 864 aka TM4) and enter an IP address to whitelist. Before Travelin’ Man 4 will work, you’ll need to add credentials for each caller using the tools in /root/tm4. You must add at least one account before dial-in whitelisting will be enabled. Third, you can temporarily whitelist an IP address by successfully executing the PortKnocker 3-knock code established for your server. You’ll find the details and the codes in /root/knock.FAQ. Be advised that IP addresses whitelisted with PortKnocker (only!) go away whenever your server is rebooted or the IPtables firewall is restarted. For further information on the PortKnocker technology and available clients for iOS and Android devices, review the Nerd Vittles tutorial.

HINT: The reason that storing your PortKnocker codes in a safe place is essential is because it may be your only available way to gain access to your server if your IP address changes. You obviously can’t use the command-line tools to whitelist a new IP address if you cannot gain access to your server at the new IP address.

We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. If you use a hardware-based firewall, be sure to map the three PortKnocker ports to the internal IP address of your server!

The NeoRouter VPN client also is included for rock-solid, secure connectivity for remote users. Read our previous tutorial for setup instructions.

As one would expect, the IPtables firewall is a complex piece of software. If you need assistance configuring it, visit the PIAF Forum for some friendly assistance.

Adding Incredible Fax 11 to Your Server

Once you’ve completed the Incredible PBX install, log out and log back in to load the latest automatic updates. Then reboot. Now you’re ready to continue your adventure by installing Incredible Fax 11 for Ubuntu. Special thanks to Josh North for all his hard work on this!

cd /root
wget --no-check-certificate https://raw.githubusercontent.com/joshnorth/UbuntuPIAF/master/incrediblefax11_ubuntu14.sh
chmod +x incrediblefax11_ubuntu14.sh
./incrediblefax11_ubuntu14.sh

Just accept all of the defaults during the installation process. Once you complete the install, reboot your server and then set your AvantFax admin password: /root/avantfax-pw-change. Now you can access both FreePBX and AvantFax by pointing your browser to the IP address of your server. Please note that we’ve had problems logging into AvantFax with the most recent version of the Chrome browser. Works great with Firefox!

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX 11 server, simply copy the image to a server running Asterisk 11 and FreePBX 2.11 and run /root/incrediblerestore. Doesn’t get much simpler than that.

NEWS FLASH: More good news. If you decide you’d prefer another Linux platform, Incredible Backup and Restore will now let you migrate from one operating system to another. For details on the procedure, see this message thread.

Incredible PBX Automatic Update Utility

Every time you log into your server as root, Incredible PBX will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along.

In the meantime, we encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie. Come join us!

Originally published: Monday, June 30, 2014    Updated: Friday, October 24, 2014


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. With some providers including ones linked in this article, Nerd Vittles receives referral fees which assist in keeping the Nerd Vittles lights burning brightly. []

A Firsthand Look at Disaster Recovery: Tethering and IAX with Asterisk

One of the exciting challenges of building a swimming pool is knowing that it’s just a matter of time until your Internet connection dies. As you might imagine, swimming pools are major construction and involve a lot of digging. And digging usually means some oops moments when cables get cut. In our case, we had watched the folks digging the trenches for all of the pool plumbing to be sure they didn’t accidentally whack one of three coax cables coming into our house. And, when it came time to cover up the trenches, we pointed out the orange cables to the Bobcat driver knowing we were finally home free. Not so fast! Two minutes later, Mario had driven the Bobcat right over the primary Internet cable leaving the shredded remains sticking up through the dirt. Oops. Sorry. Shit happens!

Looking on the positive side, we chuckled, “What a perfect opportunity to test our backup Asterisk® system!” Our backup system is pretty clever if we do say so. It relies upon a Verizon WiFi HotSpot running on our Galaxy smartphone and a duplicate of our Asterisk-based PBX in a Flash™ server running as a virtual machine under VirtualBox on an iMac desktop. The entire setup takes less than a minute to activate. Well, that was the plan anyway.

It turns out that Verizon does SIP a little differently with a SIP ALG in the path so Asterisk couldn’t register with all but one of our dozen SIP providers. Congratulations, CallCentric! The workaround is to enable STUN. That is now possible with Asterisk 11. Short of that, you’re left with CallCentric. Unfortunately for us, we don’t do much SIP trunking with CallCentric, and none of our primary DIDs are connected through them. The other option is to add port=5080 to your trunk setup with any SIP trunks you register with VoIP.ms using a username and password. Our attention span was too short to tackle STUN in the middle of this crisis. But there’s good news. Verizon doesn’t mess with IAX network traffic at all. Since a couple of our primary DIDs are registered with VoIP.ms using IAX trunks, restoring these IAX trunks to full functionality took less than a minute. That is step one of a three-step process. You need inbound trunks, phones, and outbound trunks to get your redundant VoIP server back in business.

Getting phones to function on what is now a purely WiFi network (through the Verizon HotSpot) can be problematic unless you’ve done your homework and sprinkled a few WiFi-capable SIP phones around your home or office. In our case, we still have Grandstream’s GXP2200 Android phones scattered everywhere so it was just a matter of plugging in the WiFI adapters and rebooting. The newer GXV3240 would work just as well.1

All that remained was enabling several trunks for outbound calls. Since VoIP.ms IAX trunks support both incoming and outgoing calls, we were home free. And, with Google Voice trunks, it was simply a matter of jumping through Google’s security hoops to reenable the connections on a new IP address.

Lessons Learned. Here’s a quick checklist for those of you that think about disaster recovery for your home or for clients and businesses. Nothing beats some advance planning. If money is no object, then WiFi tethering from a smartphone with one of the major providers whose service works well in your home or office environment is the way to go. 4G is a must!

In our case, money was an object so we had the foresight to acquire a Verizon SIM card from eBay that included an unlimited data plan. With this setup, it costs only $1 a day extra to add WiFi tethering, and you can turn it off and on as often as you like without any additional fees or surcharges. There also are no additional charges for using boatloads of data! We’re actually writing this column with a tethered connection from a hotel in Washington (results above). To give you some idea of why an unlimited data plan is important, our home operation burned through 4 gigs of data in less than 24 hours once we activated WiFi tethering. Of course, there were people doing things other than making phones calls, but tethering enables 5 connections to function just about like the cable modem service you originally had in place. So expect the data usage to be substantial. Everybody likes 24/7 Internet service.

Loss of phone calls through a PBX is more of an annoyance than a crisis these days because almost everyone also has a smartphone. Even so, the SIP gotcha with Verizon Wireless was a surprise because we hadn’t really tested our super-duper emergency system in advance. That wasn’t too smart obviously. The old adage applies. Do as we say, not as we do. Unplug your cable modem or DSL connection and actually test your backup system before D-Day arrives.

On the VoIP provider end, now is the time to set up an account with a provider that offers both SIP and IAX connectivity. Step 2 is to actually configure an IAX trunk (as a subaccount to use VoIP.ms parlance) and test it. IAX trunks actually have fewer headaches with NAT, but there are only a handful of providers that still provide the service. Find one now and make certain that your primary DIDs will roll over to the IAX trunk in case of an outage. I’m always reminded that we have Mark Spencer to thank for IAX. It was his brainchild. Thank you, Mark! With VoIP.ms, you also can spoof your CallerID so that calls will still appear to originate from your primary Asterisk PBX.

Keep in mind that a VirtualBox-based Asterisk virtual machine and a Desktop computer both need an IP address and will have to be started on WLAN0 rather than ETH0. Remember, your wired connection is now dead.

You’re also going to want to acquire at least a couple of WiFi-capable SIP phones that can be connected with your Asterisk server using your WiFi HotSpot. Also make certain that you have a preconfigured IPtables firewall on your backup system. Remember, your hardware-based firewall connected to your cable modem won’t provide any protection once you switch to HotSpot operation. Lucky for you, Incredible PBX™ servers come preconfigured with a locked-down IPtables firewall and a WhiteList. Just add the new IP addresses of your server and phones, and you’re secure on the public Internet.

Finally, let’s do the HotSpot connection math. You’ll need an IP address for your desktop computer running VirtualBox. You’ll need a second IP address for the Asterisk virtual machine. Then you’ll need an IP address for every WiFi-enabled SIP phone. If the maximum number of connections is five on your HotSpot, that means you’ve got the necessary capacity for at most 3 WiFi SIP phones assuming you don’t enable a WiFi printer and if nobody else wants to use a computer during the outage. The other option is to add an inexpensive travel router with bridge mode to your mix of 5 devices. We always keep one handy for extended trips. A properly configured travel router provides an additional WiFi network with some extra WiFi connections. Good luck!



Security Alerts. Serious SSL and FreePBX security vulnerabilities have been discovered AND patched during the past week. If you have not patched your server and Asterisk, FreePBX, Apache, and/or WebMin are exposed to the public Internet, you have a serious problem on your hands. See this thread for details on the FreePBX vulnerability. And see this thread for the steps necessary to patch SSL in Asterisk, Apache, and Webmin. While Incredible PBX servers were automatically patched for the FreePBX vulnerability, the SSL issues require manual patching and an Asterisk upgrade. A script for upgrading Asterisk 11 servers is included in the message thread linked above. ALWAYS run your VoIP server behind a firewall with no Internet port exposure to Asterisk, FreePBX, SSH, or the Apache and Webmin web servers! And, if you think all of this security stuff is just a silly waste of your time, then read about the latest lucky recipient of a $166,000 phone bill.

Originally published: Monday, October 20, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us. []

Zero Day Vulnerability Protection and More: Introducing Cover Your Asterisk


It’s been a difficult couple of weeks for the Linux® and Asterisk® communities with the back-to-back disclosures of the BASH Shellshock bug and then the FreePBX® Asterisk Recording Interface (ARI) bug a few days later. Both of these vulnerabilities have been circulating in the wild for years. We won’t repeat Wikipedia’s Zero Day Attack analysis other than to note that what makes these particular bugs so scary is not only the fact that both went undetected and unpatched for years but also that the attack vectors for both bugs were so simple. Anyone with a web server exposed to the Internet that was running any flavor of Linux or any Asterisk server with the FreePBX GUI was fair game for a seriously compromised server.

For those with shared servers in a hosted environment running under cPanel, your web platform typically runs with the equivalent of root privileges which means that any web intrusion inherits the same server privileges that you as the administrator had. This is similar to the way FreePBX runs with Asterisk. The same user account used for web access controls all of the Asterisk assets on your server. While it’s convenient, it’s also dangerous whenever there’s a web vulnerability because the entire Asterisk platform has exposure.

We always chuckle when one of the anonymous forum trolls launches a tirade claiming that these alerts are nothing more than Monday morning quarterbacking disguised as Chicken Little. What’s more amazing is that anyone would take the comments of an anonymous poster seriously especially on a matter involving server security. It’s one thing to label folks as alarmists for suggesting that the sky is falling when it isn’t. It’s quite another to launch these anonymous personal attacks even when there is documented evidence that the Internet sky was indeed caving in. Kinda reminds us of the global warming naysayers when the polar ice caps are melting beneath their feet.

According to the naysayers, we’re all doomed when it comes to cyberterrorism so why fight it. Here’s why. While reacting to security vulnerabilities has always been a defensive game of cat and mouse, that doesn’t mean you shouldn’t proactively do what you can to patch serious security holes in your servers. The alternative is to give cybercriminals a blank check to launch bots from your server that generate spam or participate in large-scale zombie attacks on our most trusted resources whether they’re DNS root servers, utility infrastructure and our electric grid, banking assets, and even national security resources. So let’s circle back and address what you can do to assure that you’re part of the solution rather than part of the problem.

The Way It Is: Do I Need a Public Web Server with Asterisk?

For purposes of this discussion, our focus today is Asterisk server security. And the number one thing you can do to insulate your server from these vulnerabilities is to make certain that your web server is not exposed to Internet access by the general public. Neither Asterisk nor FreePBX requires public web server access to manage your server. In fact, neither Asterisk nor FreePBX requires any public access to your server to properly perform all required telecommunications functions. And the second paragraph above explains why this is especially dangerous with servers running both Asterisk and FreePBX.

So why do people still publicly expose their web servers and UDP ports 5060 and 10000-20000 to the Internet? As much as we hate to say it, it’s because it’s always been done that way. It’s also because there are a handful of SIP providers that still require UDP 5060 access to make and receive calls. Most do not! And even for those that do require UDP 5060 access, their requirements can be satisfied with a properly configured firewall that supports whitelisting of “safe” IP addresses for limited access. Incredible PBX comes preconfigured with a locked down WhiteList. The same can be added to PBX in a Flash by installing Travelin’ Man 3. We hope the other aggregations will follow suit. It’s long overdue.

Public web server access often is because there are more than a few (lazy) VoIP providers that install systems in a way that makes it easy for them to manage remote sites. Of course, a VPN would provide secure access to the same resources but that’s a little more work on the deployment end. With NeoRouter VPN, it’s a 5-minute job!

There also are companies with remote users or traveling salesmen that claim their servers must be open to the Internet to keep the company running. First, it’s hard to imagine a company whose salespeople don’t have cellphones that require no link to home base. Second, there are numerous solutions for safe connectivity with a home office: VPNs, FQDNs with dynamic DNS support, Port Knocker, and Travelin’ Man 4 to name just a few of the ones we previously have recommended. With the exception of the lazy VoIP installer, you will note that none of the above scenarios ever require web access to a VoIP server. So the rationale for public exposure of an Asterisk web server is all but non-existent.

The bottom line is that, if your server is not and has never been accessible from the Internet by typing its IP address into a public web browser and assuming your root password has not been compromised, then the BASH and ARI vulnerabilities are purely an academic discussion from your vantage point. Should you apply the patches anyway? Absolutely. Will your server be compromised if you don’t? Probably not… at least not from these two vulnerabilities.

Life Is Good: Why Do I Need ‘Cover Your Asterisk’

That brings us to our topic for today. Having said all of the above, how do you really know if your server has been compromised by some zero day attack vector that none of us yet know about? After all, there are tens of thousands of applications installed on a typical Linux server. And a zero day vulnerability could be hiding almost anywhere.

First, a few words about what Cover Your Asterisk is not. This application won’t detect previously compromised servers! Wearing a condom the day after your wild night on the town isn’t all that helpful. If your server has been running as a public web server for the last 5 years, then our best advice is to start with a fresh install to a new, secured server. Then manually copy the settings (not the files!) from your old server to the new platform. Now you’re ready to protect your server.

Second, more than a few words about the VoIP environment in which we find ourselves. If you’re running any of the so-called Asterisk aggregations including PBX in a Flash, Incredible PBX, AsteriskNOW, FreePBX Distro, or Elastix, then your server includes some flavor of the FreePBX GUI, a web-based application to manage and configure Asterisk. As part of the FreePBX GUI setup, you give FreePBX 2.11 and beyond an expansive set of privileges on your server. These include read, write, and delete access to all of your web assets, all of your VoIP-related MySQL database assets, and all of your Asterisk assets. You also grant FreePBX rights to inventory and monitor critical pieces of information about your server so that you can be informed about pertinent FreePBX updates. We don’t see this as a bad thing. But, even with the incredibly talented FreePBX development team, this application design can be dangerous for a number of reasons not the least of which is the events of the past week. Consider for a moment a scenario in which a disgruntled employee or a web vulnerability allows somebody to modify a critical Asterisk configuration file such as manager.conf which controls access to the Asterisk Manager Interface, or to adjust MySQL’s admin.ampusers table which controls web access to the FreePBX GUI, or even to insert a malicious module into FreePBX which “looks and feels” like part of FreePBX. When you don’t know what you’re looking for, detecting subtle changes can be extremely difficult even for the most talented people in the business. For everyone else, it’s next to impossible. This is especially true when the changes aren’t noticeable in the standard day-to-day operation of your server. That was what led us to conclude that an additional detection mechanism was essential to highlight hidden changes made to any of the critical components that make up the Asterisk platform. Thus was born Cover Your Asterisk.

The Elastix folks apparently weren’t comfortable with this arrangement and forked FreePBX years ago and moved to a self-managed environment. The drawback has been their pace of releasing updates and patches, and that apparently applies to the unaddressed ARI bug as well.

The remaining aggregations all function as we’ve described. Before we delve into Cover Your Asterisk, here’s a little known tip. On the output side, FreePBX is basically a code-generator for Asterisk. Once you’ve configured your server using the FreePBX GUI, there is no Asterisk-FreePBX linkage of which we’re aware that requires your web server to remain operational. That turns out to be a good thing. What this means is you can shut down Apache and still have a fully functional Asterisk server with all of the functionality of your FreePBX-designed configuration. Given the times in which we live, that may not be such a bad idea.

An Overview of Cover Your Asterisk

So what does Cover Your Asterisk do? What we’ve sought to do with this GPL2 application is to take a snapshot of your most valuable Asterisk and FreePBX assets and then create checksums of all the individual components. This includes the /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directories as well as the Asterisk DB and MySQL’s asterisk database. Periodically, you then run another script which compares your current setup to the previous snapshot and identifies the changes for further examination. Once you are satisfied that any reported changes are legitimate, you then take a new snapshot of your server and periodically check it to make certain no unexpected modifications have crept into your system. A duplicate of these production assets is always maintained in a separate directory structure (/etc/asterisk.snapshot) accessible only by root. It can easily be converted into a gzipped tarball: tar -cvzf cya.tar.gz /etc/asterisk.snapshot. Then simply store the tarball off site for a rainy day emergency… when the sky falls once again.

Because this application was designed for production servers, its testing and scope have been limited to the Asterisk 11 and FreePBX 2.11 platform. For our installed base, that translates into PIAF-Green with FreePBX 2.11 and all flavors of Incredible PBX 11 running atop CentOS, Scientific Linux, Ubuntu 14, Debian, and Raspbian platforms on both Intel and ARM hardware including the Raspberry Pi, BeagleBone Black, CuBox, and PogoPlug.

Installation and Operation of Cover Your Asterisk

Log into your Asterisk 11 server as root and issue the following commands to install the Cover Your Asterisk software:

cd /root
wget http://incrediblepbx.com/cover-your-Asterisk.tar.gz
tar zxvf cover-your-Asterisk.tar.gz
rm -f cover-your-Asterisk.tar.gz

To take the original snapshot of your server, run: /root/protect-your-ASSets.sh

To check your current setup against the snapshot, run: /root/check-your-ASSets.sh

To compare a file with its snapshot, run: diff /dirpath/filename /etc/asterisk.snapshot/dirpath/filename

To restore a snapshot file to your current Asterisk configuration, run these commands:

cp -p /etc/asterisk.snapshot/etc/asterisk/filename /etc/asterisk/filename
amportal restart

For Raspberry Pi and BeagleBone Black users, change the MySQL root password in both scripts:

sed -i 's|passw0rd|raspberry|' /root/protect-your-ASSets.sh
sed -i 's|passw0rd|raspberry|' /root/check-your-ASSets.sh

Finally, let us close with several recommendations. First, before making changes to your server with FreePBX, always run check-your-ASSets.sh, correct any detected problems, and then run protect-your-ASSets.sh to create a new snapshot of your server. After making any changes with the FreePBX GUI, run check-your-ASSets.sh again to verify that the changes you sought to make were, in fact, the changes that actually were made to your server. Then finish up by taking a new snapshot. These scripts take less than 30 seconds to run on a typical server so this is not a cumbersome process.

Before you restore any snapshot file or if you are puzzled by any changes you see listed after running check-your-ASSets.sh, we strongly recommend that you first seek advice from the gurus on the PIAF Forum. They can help you identify the severity of the problem, if any, and recommend an appropriate course of action for correction of the problem.

Finally, a cautionary note. Cover Your Asterisk is still a project in development. This means there will be changes/improvements as the coming weeks go by. One wrinkle with updates is your previous snapshots will have to be checked before you update. And then the newest protect-your-ASSets.sh script will need to be run following the update. To keep track of future releases and what’s included, visit this development thread on the PIAF Forum. Enjoy!

Originally published: Monday, October 6, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Hold On to Your Wallet: Another Huge VoIP Phone Bill May Be Lurking


We interrupt our regularly scheduled content to bring you an urgent security alert. A couple days ago, a FreePBX® user reported unusual call activity. He traced the calls to a System Admin Dashboard module that was linked back to an IP address in the Netherlands. When the problem was reported, the FreePBX Community Manager quite accurately noted that it wasn’t FreePBX code. When a second user reported the exact same exploit, alarm bells apparently went off.

Further digging by the FreePBX Dev Team found that the legacy ARI module (once again) had been compromised, this time with a Remote Code Execution and Privilege Escalation exploit. Previous security vulnerabilities in this module led the PBX in a Flash developers many years ago to abandon the FreePBX security model in favor of Apache security so that we could totally block ARI access unless the user had administrator privileges. We want to stress that this wasn’t the fault of any of the current FreePBX developers. Instead, our move to Apache security was based upon our realization that this old legacy code was difficult to maintain because none of the original developers were still around. To their credit, the FreePBX developers have introduced a new User Control Panel with the strongest recommendation that the older ARI module be abandoned. Unfortunately, it still exists on all but the very latest FreePBX 12 systems including FreePBX 12 systems which were upgraded from a previous release. In addition, FreePBX 12 now provides checksum protection for all registered modules which will go a long way toward eliminating attacks such as this. So what can you do to protect your servers and your wallet today? For openers, upgrade your FreePBX fw_ari module NOW and clean the malicious module off your server:

rm -rf AMPWEBROOT/admin/modules/admindashboard
amportal a ma upgrade fw_ari

If you encounter an error that FreePBX cannot connect to the Asterisk Manager, do the following from the Linux CLI:

sed -i 's|localhost|127.0.0.1|' /etc/freepbx.conf
amportal restart
amportal a r

Protecting Your Server from Remote VoIP Attacks

Let’s approach the long-term solution on several levels starting with vulnerability exposure. If you can access TCP ports 22 (SSH) and 80 (HTTP) and TCP/UDP port 5060 (SIP) of any of your Asterisk® and FreePBX-based servers anonymously from the Internet, you’re either nuts or rich.

We’ve cautioned against this for nearly a decade and yet even some developers still configure Asterisk and FreePBX-based servers with port 80 Internet exposure. Why? We can only assume it’s because it makes their job of accessing and maintaining these systems easy. Don’t do it! There still are numerous ways to gain access to the FreePBX GUI on any server. Here’s our short list…

Safest. Put your server behind a hardware-based firewall with no Internet port exposure. Then use a VPN to access the FreePBX GUI. In a perfect world, you can run a VPN on all of your VoIP phones so that you have end-to-end protection for your server and all of your users.

Safer. If a hardware-based firewall isn’t possible, use the Linux IPtables firewall and lock down all the ports on your server, especially TCP ports 22 and 80 and TCP/UDP port 5060. Then create a WhiteList of IP addresses that need access privileges. It’s worth stressing that Fail2Ban is completely worthless when it comes to security vulnerabilities such as the ARI RCE flaw because the bad guys walk right in without even being challenged for a password.

Safe. If you need remote access from various remote locations and these sites have dynamic IP addresses, then deploy the Port Knocker technology in addition to locking down your server with the IPtables firewall. This lets you gain temporary access to your server without providing a blank check (literally) to everybody on the Internet. There’s a reason it’s called the World Wide Web and not the Good Guys Web!

Worse. Exposing TCP port 5060 and UDP port 5060 to public Internet access is dangerous. Some providers unfortunately still require direct access to 5060 to make VoIP calls with SIP. TIP: Switch to a provider that allows SIP registrations so that you don’t have to expose port 5060 directly to the Internet EVER!

Worser. Pardon our grammar, but exposing TCP port 22 to public Internet access is a bad idea. At the very least, change the SSH port so that typical port scanners don’t discover your open SSH port. SSH has been compromised in the past. It probably will happen again, or it may have already happened and we just don’t (yet) know about it. Fail2Ban helps with SSH attacks, but it’s not infallible particularly when high performance servers are used in the attacks. Fail2Ban has to scan your logs and, before it can do that, it has to have a sufficient time slice to accomplish the scan, something that may never happen with an attack launched from a platform such as Amazon EC2.

Worst. Never expose TCP port 80 to public Internet access. If you do, then you obviously haven’t had the pleasure of trying to maintain a public web server. TIP: Unless you are a web expert or sleep with one, don’t do it EVER! Earlier this week BASH provided a revolving door to your Internet assets using simple web requests. Earlier this year, OpenSSL was compromised. There will be another vulnerability because it’s the easiest attack target. So it’s just a matter of time until your server is compromised unless you deploy an effective firewall that blocks public access to port 80.

Server Design Still Matters

For our own PBX in a Flash and Incredible PBX users, you can sleep well tonight. Today’s vulnerability is mostly academic for you. PBX in a Flash blocks all access to ARI without the maint password. Incredible PBX blocks all access to ARI through its IPtables WhiteList. It’s still a good idea to apply the FreePBX update just to be double-safe. And Incredible PBX users will have the patch applied the next time they log into their server as root. For everyone else using FreePBX, keep reading.

With our Incredible PBX open source project, we provide state-of-the-art security methodology. While it is not infallible, all of the code is freely available for any and all VoIP developers to review, improve, and deploy. We would encourage our fellow VoIP developers to do so. There were reasons in the past for not deploying Apache security. After all, it lacks the flexibility of the FreePBX security model, and Apache also can be compromised. But we can’t think of any reason today for not deploying a hardened, preconfigured IPtables firewall AND a functional WhiteList as an integral component in every VoIP server install. This is especially important for any product deployed with the FreePBX GUI. Our Travelin’ Man 3 WhiteList implementation has been available for more than 2½ years! While there are downsides to any sort of push technology, we also believe the Incredible PBX (opt-in) update service is worth a careful look. It has been a godsend for us. With every new login, the server checks for important updates and processes them unless the administrator chooses not to use the service.

Keep in mind that FreePBX masquerading as the asterisk user has complete read/write privileges to virtually every Asterisk and web asset on your server. Any compromise is extremely dangerous because the asterisk user on these platforms has such expansive privileges. We recently encountered a trojan authorization lurking inside the permissions list of Asterisk’s manager.conf table. The matter is still under investigation so we can’t reveal much more other than to note that the entry was harmless on the few affected Incredible PBX servers because of the hardened IPtables WhiteList which is a key component of every Incredible PBX server. Had this happened on a server with no firewall protection, the intruder would have had complete access to the Asterisk AMI which pretty much gives the intruder a blank check to Asterisk… using your checkbook. The silver lining was the Incredible PBX update utility which provided a quick way to remove the vulnerability.

The FreePBX Dev Team’s efforts to design and deploy a checksum-based system for FreePBX 12 modules is certainly a step in the right direction. We think more safeguards are warranted. We already are exploring new ways to provide alerts when critical Asterisk or FreePBX resources are modified on PBX in a Flash and Incredible PBX servers. Something akin to the Mac’s admin authorization requirement before critical Asterisk or FreePBX changes are made would be ideal, but we have some other ideas as well. Stay tuned!

Originally published: Wednesday, October 1, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Ringbinder theme by Themocracy