Posts tagged: disa

2016, Independence Day: Introducing the Gotcha-Free Incredible PBX for XiVO

True story. What became a major career move for us began in the disco era about a block away from the Lincoln Memorial. It was during a meeting with another lawyer and a federal judge at my Watergate apartment that I altered my appellate legal career aspirations to focus more on technology in the legal marketplace. So it seems only fitting, after nearly a decade supporting the FreePBX® platform, to return to those roots once again to celebrate our independence as we kick off a new Asterisk® adventure with the introduction of Incredible PBX™ for XiVO®. This pure GPL implementation of Asterisk has no strings, no gotchas, no hidden agenda, and no primadonnas. It’s open source code with no prohibitions on redistribution. The XiVO developers actively participate in the XiVO and PBX in a Flash™ communities and actually listen to constructive suggestions to improve their product. Changes happen in days, not years. Today we celebrate the return of true GPL project development and the end of closed-source ISOs and commercial modules with costly annual support contracts. Join us!

If you’ve been following Nerd Vittles these past two months, then you already know there is literally nothing in the open source Unified Communications world that you can’t do faster, better, and cheaper with XiVO: automatic backups every night, seamless upgrades every three weeks, uncrippled endpoint provisioning for dozens of phones, powerful call centers, high availability redundant servers, real-time Asterisk technology out of the box, flexible SDK and APIs, and much more.

XiVO Installation Methodology

There are two ways to build XiVO servers. You can start with a minimal install of Debian 8 (64-bit), or you can use the 64-bit XiVO ISO. The advantage of the XiVO ISO is that building a system from the ISO gets you BOTH Debian 8 AND the basic XiVO install. However, you can only use the XiVO ISO on platforms that you own, not on virtual machines controlled by somebody else. Stated another way, if you plan to use dedicated hardware or VirtualBox or VMware ESXi, use the XiVO ISO. Otherwise, install a minimal Debian 8 (64-bit) operating system and nothing else on your platform of choice. Now you’re ready to choose your Incredible PBX installer. Install time: about 5-20 minutes depending upon the platform.

IMPORTANT: When you build your Debian 8 platform on either stand-alone hardware or as a virtual machine, use a fully-qualified domain name for your server’s hostname, e.g., NOT xivo. Disaster awaits if you forget this! But, don’t worry. If you do forget, the install will blow up, and you’ll get to start over. But you’ll remember the next time. 😉

Incredible PBX Feature Set

If you’ve been sleeping under a rock for the last few years, you may be wondering what the Incredible PBX offering includes. We’ve tried to preserve much of the functionality of prior releases in the XiVO implementation, and there is still more to come. Here’s a quick summary of two dozen features and applications that Incredible PBX offers for XiVO today:

Recent Additions: Skype Connect, Port Knocker, PPTP VPN, Pico TTS, A La Carte installer, Telephone Alarms.

The 3 Flavors of Incredible PBX for XiVO

To kick off our Independence Day celebration, we introduced three new Incredible PBX turnkey installers for XiVO because of the numerous platforms on which XiVO will run. We’ve now combined all three of the original installers into a single script for ease of use.

For those new to XiVO, there are three steps in getting a XiVO PBX up and running: (1) Debian 8 OS installation, (2) XiVO installation, (3) and XiVO basic configuration (typically using a web browser). The Incredible PBX installer has different tasks based upon how far along in this installation process you happen to be on a particular platform. Our special thanks to Sylvain Boily for his Python wizard to assist us in providing turnkey installs to the greatest extent possible. So here’s the new installer, but you are well advised to actually follow the platform tutorial (below) for your provider because of special quirks that are provider-specific: – Suitable for Debian 8 (32-bit or 64-bit) minimal platform where XiVO is not installed. Use with Cloud VMs. Also works with Debian 8 (32-bit or 64-bit) platform with XiVO installed but not configured. This is typically the situation if you built your server using the XiVO ISO. And the new installer works with Debian 8 (32-bit and 64-bit) platform with XiVO installed and configured.

WARNING: Incredible PBX erases and replaces stuff as part of its installation procedure. NEVER install Incredible PBX over the top of an existing production server!

Incredible PBX Installation Procedure

We’ve taken the guesswork out of this for a number of platforms by providing detailed tutorials that you can follow:

Choosing a XiVO Hardware Platform

If your situation falls somewhere in between all of these, here’s a quick summary. For stand-alone systems and virtual machine platforms that you own (such as VirtualBox and VMware ESXi), download and install the 64-bit version of XiVO using the XiVO ISO. For most other virtual machine platforms in the Cloud, you’ll start by creating a 64-bit Debian 8 virtual machine with at least 1GB of RAM and a 20GB drive. For turnkey cloud servers such as RentPBX, simply choose the VM option that already has Debian 8 and XiVO preinstalled.

Once you have your platform up and running, simply download and run the Incredible PBX installer:

cd /root
chmod +x

Incredible PBX Initial Configuration

Here are the first steps to complete after you have finished your initial XiVO and Incredible PBX installation. Log into the web interface at the IP address of your server using username root and the web password you created during installation.

All of this initial setup will be completed under the IPBX option of the Services tab as shown below. For each of the categories below, click on the matching section and tab in XiVO’s IPBX toolbar and fill in the properties as indicated.

General Settings:SIP Protocol

WARNING: If your XiVO server is running as a virtual machine behind a hardware-based NAT router and the virtual host also is sitting behind the same router, you may experience failed calls by setting the external IP address and local network addresses in the following screen. Try calls first without these settings, and add them only if you experience calling issues such as failed calls or one-way audio.

General Settings:SIP Protocol:Signaling (Default Codecs)

In order of priority, move desired Codecs from right to left by clicking on + icons. If you plan to use the IAX or SCCP protocol for phones and/or trunks, also select Default Codecs under General Settings:IAX Protocol:Default and General Settings:SCCP Protocol tabs, respectively.

General Settings:SIP Protocol:Signaling (DNS Manager/srvlookup)

For DNS Manager and Server Lookup support (required for some SIP providers), enable the DNS Request field:

IPBX Configuration:Contexts

XiVO differs from some other Asterisk implementations in the way it manages the routing of calls. XiVO uses Contexts to define what constitute Internal calls (Default), External calls (Outcalls), and Incoming calls (Incalls). Think of these contexts as dialing rules. They define how the three categories of calls are managed internally by the XiVO PBX and determine which callers can do what with your PBX resources. XiVO uses dial strings and ranges of phone numbers to manage and constrain how various classes of calls are routed. The reason for these call specifications is pretty simple. You don’t want outside callers dialing into your PBX and making outbound calls using your PBX trunks on your nickel.

Some basic settings to enable internal calls and allow creation of user accounts were configured when you set up your XiVO PBX by running the configuration script. However, before anyone can make or receive calls to/from outside the XiVO PBX, you’ll need some additional specifications.

Edit the from-extern (Incalls) context and click Incoming Calls tab then the + icon. Add a range of DID numbers for incoming calls that will be allowed. These are the phone numbers assigned to SIP and IAX trunks that were acquired through commercial providers such as Vitelity. Note that the example below assumes that your incoming DID trunks deliver calls with 10-digit numbers. If you’re using a service such as Google Voice that delivers calls with 11-digit numbers starting with a 1, then add an additional range of numbers starting with a 1. If the provider delivers calls with +44, then you’d add an additional range with that prefix. Click Save once you’ve entered your settings.

Let’s also modify the Default context to support MeetMe conferencing for your server. Edit the default context and click Conference Rooms tab then + icon. For the extension range, enter 2663-2665. 2663 spells C-O-N-F by the way. Then click Save. If you have a DAHDI timing source on your server, you then can add conferences: IPBX Setting:Conference Rooms. If you don’t have a DAHDI timing source or you don’t know what any of this means, keep reading. There’s an easier way to set up a conference room for your users.

While you’re still in the (2) Default context, click on the (3) General tab and (4) move all of the sub-contexts to the left (Selected) column. (5) Then click the Save button.

General Settings:Advanced (Time Zone)

IPBX Settings:Users (Creating a Default User Account)

Before you can actually make or receive calls with XiVO PBX, you’ll first need at least one User, Extension, and Line. So click on the (1) Users tab and then (2) the + icon and Add option (as shown below) to get started.

Use the General tab entries below as a guide to create your first user account. You only need to fill in options (1) and (2) if you would like this user to receive a simultaneous call on a mobile phone whenever this user’s internal phone rings.

In the Lines tab, assign an internal phone number for this user. By default, the initial configuration script created a range of extension numbers for you: 701-799. This can be changed in the next section to meet your specific requirements.

Once you’ve chosen an extension, click the Save button and a Line will automatically be generated to associate with your new User account.

Next, goto IPX Settings:Lines and click the pencil icon to obtain your SIP username and password credentials. You’ll need these to connect a SIP phone or softphone to your user account.

While you’re obtaining your username and password SIP credentials, fill in the blanks for the Line and click Save:

IPX Settings:Users (Voicemail Setup)

There are two steps to setting up voice mailboxes correctly. First, you need to configure the voicemail system defaults to accommodate your required time zones. The system only comes with support for Europe/Paris.

Go to (1) IPX General Settings:Voicemails and (2) click Time Zones tab and then (3) + Add. (4) Name your new time zone, (5) select the correct Time Zone from the pull-down list, and (6) add the following under Options and (7) Save your entry:

'vm-received' q 'digits/at' kM

Go to (1) IPX Settings:Users, edit your (2) User account, and click the (3) Voicemail tab. (4) Click the + icon to Add a new Voicemail account. (5) Check Enable Voicemail. (6) Fill in the form using the sample below. Be sure to choose the correct Time Zone for your voicemails. Uncheck Delete message after notification to retrieve voicemail messages by dialing *98 from an extension. (7) Click Save.

Setting Up Trunks and Routes for Outbound and Incoming Calls

Before you can make calls to phones outside your PBX or receive calls from outside your PBX, you’ll need one or more trunks. We’ve simplified the process of setting these up by providing step-by-step tutorials for the leading trunk providers. They are reproduced below for ease of reference:

XIVO Trunk Implementation Tutorials

Once you’ve added one or more trunks, you’ll need to tell XiVO how to route outgoing and incoming calls. Here are our step-by-step tutorials on setting up Outbound Calling Routes and Incoming Call Routes:

XIVO Call Routing Tutorials

Deploying Google Voice with OAuth on the XiVO Platform

Beginning in mid-August, 2016, native Google Voice with OAuth support became available on the Incredible PBX for XiVO platform. It supports deployment of multiple Google Voice trunks on any XiVO server. This new Nerd Vittles tutorial will walk you through implementation.

Getting Started with SQLite3 on the XiVO Platform

Here are a couple SQLite3 queries to get you started with syntax:

sqlite3 /var/lib/asterisk/agi-bin/zipcodes.sqlite "select zip,city,state from zipcodes where zip=29401;"
sqlite3 /var/lib/asterisk/agi-bin/asteridex.sqlite 'select name,out from user1 where name LIKE "%Airlines%";'

A bonus script in /root will let you convert existing MySQL databases to SQLite3. For example, if you’re currently using AsteriDex on another Incredible PBX platform, it only takes a couple seconds to convert your MySQL database to SQLite3. The syntax to run the script looks like this:

./ -u root -ppassw0rd yourdatabase | sqlite3 yourdatabase.sqlite

Move the script to the server on which your existing MySQL databases are stored and run it there using the above syntax. Then copy the asteridex.sqlite file to your XiVO server and save it in /var/lib/asterisk/agi-bin.

Getting Started with Incredible PBX Call Logs

To retrieve SQLite3 call log data, here are a few examples to get you started:

ALL: sqlite3 /var/log/asterisk/master.db "select * from cdr"
DATE: sqlite3 /var/log/asterisk/master.db "select * from cdr where calldate >= '2016-05-22'"
NPA: sqlite3 /var/log/asterisk/master.db "SELECT * from cdr WHERE clid LIKE '%<843%'"
DEST: sqlite3 /var/log/asterisk/master.db "SELECT * from cdr WHERE dstchannel LIKE '%411%'"
FLDS: sqlite3 /var/log/asterisk/master.db "PRAGMA table_info(cdr)"

To retrieve the CDR log in CSV format suitable for spreadsheets, download:


Managing Your Logs with XiVO

XiVO is a busy place especially on a busy PBX. Call logs and traditional Asterisk and Linux logs grow like crazy. We have added the following entries to /etc/crontab to assure that you don’t inadvertently run out of disk space on your server. Modify them to meet your own requirements.

10 1    * * *  root    rm -f /tmp/tts* > /dev/null 2>&1
11 1    * * *  root    rm -f /var/log/asterisk/*.gz > /dev/null 2>&1
11 2    * * *  root    rm -f /var/log/asterisk/*.1.gz > /dev/null 2>&1
12 1    * * *  root    rm -f /var/log/*.gz > /dev/null 2>&1
12 2    * * *  root    rm -f /var/log/*.1.gz > /dev/null 2>&1

Activating Voice Recognition for XiVO

Google has changed the licensing of their speech recognition engine about as many times as you change diapers on a newborn baby. Today’s rule restricts use to “personal and development use.” Assuming you qualify, the very first order of business is to enable speech recognition for your XiVO PBX. Once enabled, the Incredible PBX feature set grows exponentially. You’ll ultimately have access to the Voice Dialer for AsteriDex, Worldwide Weather Reports where you can say the name of a city and state or province to get a weather forecast for almost anywhere, Wolfram Alpha for a Siri-like encyclopedia for your PBX, and Lefteris Zafiris’ speech recognition software to build additional Asterisk apps limited only by your imagination. And, rumor has it, Google is about to announce new licensing terms, but we’re not there yet. To try out the Voice Dialer in today’s demo IVR, you’ll need to obtain a license key from Google. This Nerd Vittles tutorial will walk you through that process. Don’t forget to add your key to /var/lib/asterisk/agi-bin/speech-recog.agi on line 72.

Adding DISA Support to Your XiVO PBX

If you’re new to PBX lingo, DISA stands for Direct Inward System Access. As the name implies, it lets you make calls from outside your PBX using the call resources inside your PBX. This gives anybody with your DISA credentials the ability to make calls through your PBX on your nickel. It probably ranks up there as the most abused and one of the most loved features of the modern PBX.

We use two-step authentication with DISA to make it harder for the bad guys. First, the outside phone number has to match the whitelist of numbers authorized to use your DISA service. And, second, you have to supply the DISA password for your server before you get dialtone to place an outbound call. Ultimately, of course, the monkey is on your back to create a very secure DISA password and to change it regularly. If all this sounds too scary, don’t install DISA on your PBX.

1. To get started, edit /root/disa-xivo.txt. When the editor opens the dialplan code, move the cursor down to the following line:

exten => 3472,n,GotoIf($["${CALLERID(number)}"="701"]?disago1)  ; Good guy

2. Clone the line by pressing Ctrl-K and then Ctrl-U. Add copies of the line by pressing Ctrl-U again for each phone number you’d like to whitelist so that the caller can access DISA on your server. Now edit each line and replace 701 with the 10-digit number to be whitelisted.

3. Move the cursor down to the following line and replace 12341234 with the 8-digit numeric password that callers will have to enter to access DISA on your server:

exten => 3472,n,GotoIf($["${MYCODE}" = "12341234"]?disago2:bad,1)

4. Save the dialplan changes by pressing Ctrl-X, then Y, then ENTER.

5. Now copy the dialplan code into your XiVO setup, remove any previous copies of the code, and restart Asterisk:

cd /root
sed -i ':// BEGIN DISA:,:// END DISA:d' /etc/asterisk/extensions_extra.d/xivo-extrafeatures.conf
cat disa-xivo.txt >> /etc/asterisk/extensions_extra.d/xivo-extrafeatures.conf
/etc/init.d/asterisk reload

6. The traditional way to access DISA is to add it as an undisclosed option in an IVR that is assigned to one of your inbound trunks (DIDs). For the demo IVR that we installed last week, edit the ivr-1.conf configuration file and change the “option 0” line so that it looks like this. Then SAVE your changes.

exten => 0,1(ivrsel-0),Dial(Local/3472@default)

7. Adjust the inbound calls route of one of your DIDs to point to the demo IVR by changing the destination to Customized with the following Command:


Here’s how ours looks for the Nerd Vittles XiVO Demo IVR:

8. Now you should be able to call your DID and choose option 0 to access DISA assuming you have whitelisted the number from which you are calling. When prompted, enter the DISA password you assigned and press #. You then should be able to dial a 10-digit number to make an outside call from within your PBX.

SECURITY HINT: Whenever you implement a new IVR on your PBX, it’s always a good idea to call in from an outside number 13 TIMES and try every key from your phone to make sure there is no unanticipated hole in your setup. Be sure to also let the IVR timeout to see what result you get.

Setting Up a Softphone or WebRTC to Connect to XiVO

If you’re a Mac user, you’re lucky (and smart). Download and install Telephone from the Mac App Store. Start up the application and choose Telephone:Preference:Accounts. Click on the + icon to add a new account. To set up your softphone, you need 3 pieces of information: the IP address of your server (Domain), and your Username and Password. In the World of XiVO, you’ll find these under IPBX:Services:Lines. Just click on the Pencil icon beside the extension to which you want to connect. Now copy or cut-and-paste your Username and Password into the Accounts dialog of the Telephone app. Click Done when you’re finished, and your new softphone will come to life and should show Available. Dial the IVR (4871) to try things out. With Telephone, you can use over two dozen soft phones simultaneously on your desktop.

Prefer to use WebRTC from your browser as a softphone? XiVO has you covered. Complete setup instructions available here.

For everyone else, we recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the XiVO Line. You’ll need the IP address of your server plus your Line username and password associated with the 701 extension. On the XiVO platform, do NOT use an actual extension number for your username with XiVO. Go to IPBX Settings:Lines to decipher the appropriate username and password for the desired extension. Click OK to save your entries.

Taking the Sample Incredible PBX Apps for a Test Drive

Once your softphone is registered, you can try out some of the Incredible PBX sample applications:

  • 4871 (IVR1) – Allison’s Demo IVR
  • 411 (Voice Dialing) – Call by Name (try “Delta Airlines”)
  • 2663 (CONF) – Conference Room with Music on Hold
  • 951 – Yahoo! News Headlines (TTS)
  • 947 (ZIP) – NWS Weather by ZIP Code
  • 53669 (LENNY) – The Telemarketer’s Worst Nightmare

You can review the Dialplan code in the GUI by choosing IPBX Configuration:Configuration Files and clicking xivo-extrafeatures.conf. The sample IVR code is in ivr-1.conf. This Nerd Vittles tutorial will walk you through building your own IVRs for XiVO.

Using PBX Status with XiVO

For those that like to see how things are going from the Linux CLI, a modified version of pbxstatus is available for XiVO. From the Linux CLI, type: pbxstatus.

Using FQDNs with the Travelin’ Man 3 Firewall

If you plan to use FQDNs with your IPtables firewall or if your remote users will be using a Dynamic DNS provider to keep their IP addresses fresh, be sure to review Step #5 in the Travelin’ Man 3 tutorial which explains how to configure your firewall to automatically refresh IP addresses based upon changes in dynamic addresses. All of the necessary components already have been activated. Simply insert your FQDN entries using /root/add-fqdn and modify /root/ipchecker.

PortKnocker for XiVO: Your Firewall Safety Net

If you use a dynamic IP address for your local PC and that address changes, you may find yourself locked out of your own server unless you have heeded the advice in the preceding section. But there’s still hope. Incredible PBX for XiVO now includes the PortKnocker utility which lets you ping three predefined TCP ports in sequence to regain access to your server. You can read all about PortKnocker in this Nerd Vittles article. Unfortunately, PortKnocker doesn’t do you a bit of good if you haven’t deciphered what the three-port secret handshake is for your server. Before you forget, review /root/knock.FAQ and put the information in a safe place where you can retrieve it if the need should ever arise.

Adding a PPTP VPN to XiVO

Microsoft introduced the Point-to-Point-Tunneling-Protocol (PPTP) with Windows 95. Back then we knew it as Dial-Up Networking. Suffice it to say that, in those days, PPTP was anything but secure. Unfortunately, the bad name kinda stuck. For the most part, the security issues have been addressed with the possible exception of man-in-the-middle attacks which are incredibly difficult to pull off unless you are a service provider or have access to the wiring closets of your employer. You can read the long history of PPTP VPNs on Wikipedia for more background. If you’re traveling to China or other democracy-challenged destinations, you probably shouldn’t rely upon PPTP for network security. If these security considerations aren’t applicable in your situation, keep reading because PPTP VPNs are incredibly useful and extremely easy to deploy for an extra layer of VoIP and network security in most countries that have severe wiretapping penalties in place.

PPTP VPNs also provide home-away-from-home transparency to home office network services. Simply stated, with a PPTP VPN, you get a private IP address on the XiVO PBX that lets you do almost anything you could have done sitting at a desk in the home office. PPTP VPNs probably won’t work on most OpenVZ platforms such as Wable and ImpactVPS. But they work great on virtual machines such as CloudAtCost and Digital Ocean. For a quick-and-dirty back door into your server, a PPTP VPN is hard to beat. Here’s how to set one up on your XiVO PBX using 128-bit encryption. Make up a very obscure username and password in the first two lines below:

apt-get -y update
apt-get -y install pptpd
sed -i 's|#ms-dns|ms-dns|' /etc/ppp/pptpd-options
sed -i 's|#ms-dns|ms-dns|' /etc/ppp/pptpd-options
echo "localip" >> /etc/pptpd.conf
echo "remoteip" >> /etc/pptpd.conf
echo "$PPTPUSER pptpd $PPTPPASS *" >> /etc/ppp/chap-secrets
/etc/init.d/pptpd restart
# show logged in PPTP users
last | grep ppp

Connect to your PPTP server from a Windows or Mac in the usual PPTP way. Once connected, you will be assigned an IP address in the range of You then can access your XiVO PBX on the following IP address:

Everything You Need to Know About XiVO Backups

Another feature of XiVO that separates the men from the boys is its documentation. In the case of backups, you’ll find everything you need to know here. All backups are stored on your XiVO server’s local drive in /var/backups/xivo. Be sure you have ample storage space available and, if you’re smart, you’ll copy both data.tgz and db.tgz from the local drive to a safe remote location periodically just in case disaster strikes. The documentation shows you how to quickly restore a backup should that ever become necessary.

Upgrading XiVO to the Latest Release

The XiVO development cycle is nothing short of miraculous. A new version is released every three weeks! The average time to close a bug has dropped from 315 days in 2009 to 28 days in 2012! You’ll probably want to keep your system current. 🙂

Upgrading XiVO is even easier than restoring a backup. Upgrade documentation is available here. Because we’ve added the Travelin’ Man 3 firewall, we recommend stopping IPtables during an upgrade and then restarting it when you’re finished. Your phone system is disabled during the upgrade. When upgrading XiVO, remember to also upgrade all associated XiVO Clients. Be sure to verify that things are back to normal once the upgrade procedure is completed: xivo-service status.

The commands to upgrade your XiVO PBX are as follows:

/etc/init.d/netfilter-persistent stop
# restore Incredible PBX module and ODBC configuration
cp -p /etc/asterisk/modules.conf.dpkg-old /etc/asterisk/modules.conf
cp -p /etc/asterisk/res_odbc.conf.dpkg-old /etc/asterisk/res_odbc.conf
xivo-service restart
# code below reactivates Incredible PBX web apps
cd /
tar zxvf incredible-nginx.tar.gz
rm -f incredible-nginx.tar.gz
/etc/init.d/nginx restart

Incredible PBX Application Quick Start Guide

Here’s a quick refresher on some of the Incredible PBX applications that have been installed. There’s also a link for more information. This remains a work-in-progress so expect more applications in coming weeks.

XiVO and Incredible PBX Dial Code Cheat Sheets

Complete XiVO documentation is available here. But here are two cheat sheets in PDF format for XiVO Star Codes and Incredible PBX Dial Codes. See also the previous 7 Nerd Vittles XiVO tutorials, all of which are listed below. Enjoy!

Taking Nerd Vittles’ XiVO IVR for a Test Drive

There’s a Demo IVR running at on their XenServer virtualization platform. Scott McCarthy, a leading outside XiVO developer and a principal at PacificNX, advises they have a $50 a month GOLD platform specifically tailored to XiVO for those needing 99.999% reliability, 24/7 support with nightly backups and enterprise level firewalls that have intelligence to stop attacks and look for viruses, spyware and more. That’s what you’ll be hearing when you call the Nerd Vittles Demo IVR:

Nerd Vittles Demo IVR Options
1 – Call by Name (say “Delta Airlines” or “American Airlines” to try it out)
2 – MeetMe Conference
3 – Wolfram Alpha (Coming Soon!)
4 – Lenny (The Telemarketer’s Worst Nightmare)
5 – Today’s News Headlines
6 – Weather Forecast (enter a 5-digit ZIP code)
7 – Today in History (Coming Soon!)
8 – Speak to a Real Person (or maybe just Lenny if we’re out)

Published: Monday, June 27, 2016

Need help with Asterisk? Visit the PBX in a Flash Forum.

Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.

​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…

    The Perfect Threesome: iNum + + Google Voice

    We’ve got a terrific new VoIP development for you today especially for those who travel internationally. For several years, a VoIP company called VoxBone has been pushing hard to establish an International Number™ (iNum™) for every phone on the planet so that every telephone could call every other telephone at little or no cost. They’re not quite there, but two recent events will certainly hasten the implementation. The first was an announcement from that they would provide a free iNum DID and free iNum calling to every one of their customers with a credit balance in their account. The second was last week’s announcement from Google that they, too, would support free iNum calling worldwide using any Google Voice account. Today, we’ll show you how to take advantage of these two developments to begin making free calls worldwide using your PBX in a Flash™ server, a WiFi-enabled smartphone, and an available WiFi connection. Basically, the plan is to use free iNum calling to get back to your PBX for dial tone and then use DISA for free Google Voice calling in the U.S. and Canada.

    Until everyone has an iNum or Google opens up Google Voice outside North America, the hidden beauty of iNum for those of us who have both is the cost savings that can be achieved by phoning home with iNum from anywhere in the world for free. And, once the call hits your Asterisk® PBX, it’s incredibly simple to route the call to DISA, prompt for a password, and then place a call to anywhere in the U.S. or Canada at no cost with PIAF2™ and Google Voice.

    This can be accomplished in several ways. First, you can download a SIP phone and use it in conjunction with your account and a smartphone to make free iNum calls from any WiFi hotspot in the world. Bria is our favorite on both the iPhone/iPad and Android platforms. If $10 is too rich for your blood, there are some free alternatives: CSipSimple for Android and 3CXPhone for Android or iPhone. A second alternative is to use Google Voice or Gtalk to connect back to your PIAF2 server via iNum and then use DISA and your local trunks to place outbound calls. A final alternative is to take advantage of the numerous local numbers now available in many countries to phone home using iNum. The only cost of these calls is the cost associated with calling the local number. You’ll find a list of the local phone numbers to make these calls on the iNum web site or in the footnote to this article.1 So today we’ll show you how to set up your PIAF2 server to support free iNum calling. It’s a 15-minute project. Setup. To get started, if you’re not already a customer, register for a account by filling out their registration form.

    Once you submit the form, you’ll have to confirm your registration by clicking on the link that is emailed to you. Then you’re ready to login with your email address and the password you set up when you created your account. That’ll bring you to the Main Portal Page for your new account.

    You’ll need a positive balance in your account in order to create your free iNum account so deposit some money using PayPal or a credit card by clicking Finances, Add Funds. The minimum deposit is $25 which can be used to make penny a minute calls in the U.S. and Canada or equally reasonable calls to any phone number in the world. We won’t be doing any of that today. For today, all of our calls will be free thanks to iNum and the generous support of But the nest egg will be there as a backup to your other PIAF2 VoIP providers which is an excellent idea anyway.

    Like Vitelity, lets you create subaccounts to compartmentalize your VoIP services. This makes it easy to use on multiple PIAF2 servers or even standalone SIP telephones. It also provides added security by separating out account names and passwords for VoIP services from your main portal account that let’s you manage your settings and VoIP funding, a very good idea. So let’s first set up an account to use with Asterisk just to show you how easy it is.

    From the Main Portal Menu, click on Subaccounts, Create Subaccount. The Subaccount creation form will display. Fill it out so it looks something like this. Just click on the form below to enlarge it if you want a better view.

    Once you’ve clicked the button to create the subaccount, it takes about a minute for to activate it. Then click Main Menu, Portal Home. The bottom of the portal page will now show your subaccount.

    Let’s create one more subaccount. We’ll use this one so that we can access from a standard SIP app running on our iPhone or Android device. We can use the subaccount either to make outbound calls directly from on a pay per minute basis, or we can use it to make free iNum calls. To create the subaccount, repeat the process above and fill in the blanks using your own credentials and a very secure password. Be sure to choose ATA device, IP Phone or Softphone for the Device Type. We always leave International Calls Disabled unless we really plan to make international calls. This will not affect your ability to make iNum calls, and it reduces your financial exposure in the event your subaccount is compromised. Never, ever use auto-replenishment from your credit card on a VoIP provider account from any provider.

    Before we get too far along, let’s activate your new iNum DID. Click on DID Numbers, Order DID. When the DID Order Form displays, click on the iNum link to order your free iNum DID.

    When the iNum DID order form displays, fill out the form by clicking on the POP location nearest to your server. Then, in the SIP/IAX Routing column, be sure to select the Subaccount we created previously rather than the default Main Account. Finally click the Click Here to Order button.

    You’ll get a Confirmation display that shows your new iNum DID. Write it down! We’ve already set up the proper routing for your new iNum DID in the previous step so you can ignore the Managing Your DID message.

    That completes the setup of your account with your free iNum DID. Now let’s configure your PBX in a Flash server to support and iNum. We’re assuming you already have a PBX in a Flash server configured with at least one Google Voice account activated. If not, stop here and complete that step using the PIAF2 tutorial and optionally the Incredible PBX 3 and Incredible Fax 2 tutorial.

    Smartphone SIP Client Setup. We used the free cSipSimple Android app to set up a connection with our second subaccount at using cSipSimple’s Basic Setup Wizard. Here are the entries required to gain connectivity:

    Once your SIP client is connected to through your smartphone, you can make free iNum calls using this dial syntax: 0118835100xxxxxxxx where xxxxxxxx is the last 8 digits of your iNum beginning with 0. As noted previously, you do NOT have to enable international calls on your subaccount for these calls to go through.

    PBX in a Flash iNum Setup. We’ll be using the FreePBX GUI to configure PBX in a Flash to support iNum. Using your browser, log into the IP address of your server: http://ipaddress/admin. When prompted for your username and password, use maint and whatever FreePBX password you assigned when your server was set up.

    To simplify things, we’re going to set up 2 trunks: one for your subaccount and another for iNum. Begin by choosing Trunks, Add SIP Trunk in the FreePBX GUI. For Trunk Name, use voipms. For Maximum Channels, choose 2. For the Dial Pattern, enter 1 | NXXNXXXXXX and, in Outgoing Settings for the PEER Details, enter the following using your subaccount name and password as well as the POP you chose for your subaccount:


    Leave all the fields for Incoming Settings blank. For the Registration String, the syntax is Using our example and assuming you’re using the Atlanta POP, the entry would look like this where xxxxxxxx is your own 8-digit iNum beginning with 0:

    Verify that your server got a successful registration with your subaccount by clicking Tools, Asterisk Info, SIP Info.

    Now click Setup, Trunks, Add Custom Trunk. For Trunk Name, use iNum. For Maximum Channels, choose 5. For Dial Pattern, use 0XXXXXX. including the period! For Custom Dial String, use SIP/0118835100$OUTNUM$@voipms.

    Next, we need to create an Inbound Route. Use your full iNum DID number in the DID Number field, e.g. 8835100xxxxxxxx where xxxxxxxx is your personal iNum beginning with a 0. Activate CallerID Superfecta for the CID Lookup Source. And choose a Destination for the incoming iNum calls. This could be an extension, an IVR, or whatever else you’ve set up on your server. For now, route it to a working extension on your PBX so we can test it below. Then you can edit the inbound route and change it to any destination.

    Finally, create an Outbound Route. Name the route OutiNum. For the Dial Pattern, use 0XXXXXX. with the trailing period. For the Trunk Sequence for Matched Routes, choose inum. After you save the trunk settings, move it to the top of your trunk listing in the right column of FreePBX. What this route does is allow you to call other iNum numbers (including your own) by simply dialing the last 8-digits of any iNum that begins with 8835100 or 0118835100. These 8 digits will ALWAYS begin with a 0.

    Now let’s modify at least one of your existing Google Voice Outbound Routes so that you also can make iNUM calls with Google Voice by dialing from any extension using the full 8835100xxxxxxxx international number. Go to Outbound Routes and click on the name of one of your Google Voice trunks. Add the following new Dial Pattern and click Submit Changes: 8835100XXXXXXXX

    Taking iNum for a Spin. To test things out, use a phone connected to an extension other than the one you chose to route incoming iNum calls to above. Dial the last 8 digits of your own iNum DID, and that extension should begin ringing. Answer the other extension and make sure you have audio in both directions. Next, dial your complete iNum DID beginning with 8835100. This should also cause the other extension to ring even though the call was initiated through your Google Voice trunk. If you’d like to get a Weather Report by Zip Code, we’ve set up an iNum for you to try. Just dial 09901997.

    Originally published: Monday, February 27, 2012

    Need help with Asterisk? Visit the PBX in a Flash Forum.
    Or Try the New, Free PBX in a Flash Conference Bridge. If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.

    Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.

    ​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…

    1. Local iNum Access Numbers include the following: []

    Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

    Here's a headline to wake up any CEO: "Small business gets $120,000 phone bill after hackers attack VoIP phone." actually ran this story on January 20. "Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours... 115,000 international mobile calls were made using the small business's VoIP system over a six month period."

    News Flash: Be sure to read our latest article introducing Travelin' Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.

    For the latest Security Tips: See our most recent article.

    Sad to say that folks install VoIP phone systems to save money and then completely ignore tried-and-true network security principles: hardening your system, regularly watching your logs, and periodically changing your passwords. If PBX in a Flash were a commercial offering, we'd probably keep much of what follows to ourselves and start touting our PBX systems as the only Asterisk® offering with Secure-Wrap™. That's not our world, of course, nor is it what open source is all about... which turns out to be both a blessing and a curse. We openly and jointly figure out ways to secure our Asterisk systems as well as those of our competitors. Then the bad guys get to read all about it and come up with new, more creative "solutions." The silver lining is there are millions of insecure Asterisk systems so the creeps typically move on to easier targets.

    Today we'll walk you through our Top Ten Security Tips and Tricks. All of these can be implemented easily to harden your Asterisk PBX and lessen the chances of the bad guys transforming your VoIP system into a free, international payphone: you pay, they phone. In the process, we'll identify some common security blunders that accompany new system installs in hopes that you won't make the same mistakes. So let's start with the basics. If you plug your Asterisk PBX directly into the public Internet without carefully securing it, your chances of being hacked within the hour are pretty good.

    Rule #1: Protect Your PBX With IPtables. PBX in a Flash systems are delivered with the IPtables firewall enabled. Leave it that way! If your Asterisk implementation doesn't have IPtables support, demand that it be added immediately or ask for assistance in adding it yourself. There is no reason not to use a freely available, open source firewall, period! And there are many good tools including WebMin (also included in PBX in a Flash distributions) to get it configured properly. With PBX in a Flash, all of the grunt work has been done for you.

    Firewalls, of course, are only as good as the set of rules defined to secure your system. So only activate ports that are absolutely essential to run your PBX. For an excellent review of the ports that are opened by default in PBX in a Flash systems, see Joe Roper's summary. Think of an activated port as a hole in the dike. The more holes you add, the less secure your PBX will be. We'll leave it to you to count the holes in the dike if you choose to run your PBX without IPtables enabled. Our rule of thumb for PBX security goes something like this. If you don't need web access to your PBX, don't open ports 80 and 9080. If you don't need SSH, FTP, FOP, or WebMin access to your PBX, don't enable those ports. Better yet, don't even turn those services on unless there is a pressing need.

    All of the IPtables rules are stored in /etc/sysconfig/iptables. Don't edit this file unless you know what you're doing. If you need help with the rules, post a question on the PBX in a Flash Forum. Typical response time on posted questions is under an hour on our forum. And don't forget to restart IPtables if you make changes to any of the rules: service iptables restart.

    Rule #2: Protect Your PBX With A Hardware-Based Firewall. If one firewall is good protection, two firewalls are even better. As much as NAT-based firewall/routers get a bad rap, the extra layer of protection that a $50 hardware-based firewall/router delivers cannot be overstressed. Think of the software-based firewall as the tool of choice to secure your PBX on your internal LAN while the hardware-based firewall secures your system on the public Internet. We recommend the dLink WBR-2310 for home and SOHO use. It provides a reliable NAT-based router, a firewall, and excellent WiFi capability for under $50. If you've got some spare change, step up to one of dLink's Gaming Routers which we happen to use. They provide all the tools you'll need to prioritize your VoIP traffic. As with Rule #1, only open and redirect ports that are absolutely essential to use your PBX.

    Rule #3: Safeguard Against Random Password Hacks. There is no better tool to protect your PBX from random password attacks than Fail2Ban 0.8.3. Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful password attempts. It updates IPtables rules to reject those IP addresses for a period of time that you can set in /etc/fail2ban/jail.conf. Originally PBX in a Flash systems were shipped with an earlier version of Fail2Ban that provided only minimal protection. If your system doesn't include the jail.conf file above, you still have the older version. Simply run our update script to get the current release:

    cd /root
    mkdir fail2ban
    cd fail2ban
    chmod +x fail2ban-update
    service fail2ban restart

    As was true with IPtables, Fail2Ban is only as good as the rules which are defined to identify failed password attempts on your system. On PBX in a Flash systems, we now protect against web, FTP, SSH, SIP, and IAX password attempts.

    If your particular Asterisk implementation lacks Fail2Ban support, you're missing a critically important (free) tool to safeguard your system from random password attacks against SSH and your protected web sites as well as your SIP and IAX extension passwords. For tips on installation, review our script that is available on this thread in the PBX in a Flash Forum.

    Rule #4: Narrow Access With IP Address Restrictions. Security privileges in the U.S. government are based upon a "need to know." It's pretty simple. If you don't have a need to know the information to perform your duties, you don't get the privilege. You can use a similar technique to secure your PBX by implementing IP address restrictions. For example, if all of your extensions are housed on a private subnet of your internal LAN, then there is no reason to allow Internet access to those extensions. Similarly, for extensions outside your local network, you now can hardcode the IP address into the extension to restrict access. To implement this with Asterisk and FreePBX-based systems, you'll first need to upgrade FreePBX to at least version Once you've upgraded, go into each extension and enter either an IP address or an IP subnet for that extension in the permit field. For an IP address, the syntax is For an IP subnet, the syntax would look like this: This one tip would have been worth $120,000 to the Australian company referenced above. Yes, consultants can be worth their weight in gold. 🙂

    If you're as absent-minded as we are, you don't want to have to worry about remembering this each time you add a new extension to your system. So it's quite simple to change the default permit entry from to the subnet mask of your LAN. Then you only have to adjust this entry whenever you add an extension which is not on your internal LAN. For example, if your LAN subnet is 192.168.0, then we want to replace the default entry with The file to edit is /var/www/html/admin/modules/core/ Just search for $tmparr['permit'] in BOTH the iax2 and sip sections of the file and make the value substitution preserving the single quotes on both sides of your new entries.

    You also can implement both password and IP address restrictions to limit web access to your server. With Apache web servers, this is done through .htaccess files and directory restrictions in your Apache config files. On PBX in a Flash systems, htaccess password restrictions now are the default setup in all of our builds. Suffice it to say, if you can access the /admin directory on your web site from the Internet without being prompted for a password, your site probably has been compromised. Keep in mind that these passwords get cached so be sure you have cleaned out your browser cache before having a heart attack. Better yet, try this from a browser you don't ordinarily use (such as the one on your cellphone).

    For additional security, you can further restrict access to your web directories by adding a list of authorized IP addresses to the .htaccess file in each subdirectory. Here's what an .htaccess file with IP address restrictions might look like. The first Allow entry is the private LAN subnet, the second is a remote site, and the third is the Hamachi VPN subnet mask:

    Deny from All
    Allow from 192.168.0
    Allow from
    Allow from 5.67

    Rule #5: Don't Use 'Normal Ports' for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you've done. Read that last sentence again. It's important! With a hardware-based firewall such as the WBR-2310, this is incredibly easy. dLink calls them Virtual Servers. Here is a typical entry:

    HTTP   TCP 80/2319   Allow All   Always

    You can simply redirect common ports to different ports for Internet access. Don't do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. For example, port 80 typically is the default web server port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) web access, simply remap TCP port 80 to some obscure port and change it periodically. For example, you might redirect TCP port 80 to port 2319. Once the setting is saved, you access the web site with a browser entry like this: Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don't use these numbers obviously! Make up your own. The key here is that 5 minutes work every month will keep web access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 80 every night while you're sleeping. Incidentally, most of these routers also will let you block access to certain ports during certain hours of the day. If you're sleeping, there's really not much need to provide SSH and web access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world's best crackers reside in countries where daytime happens to be nighttime in the United States.

    Rule #6: Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our wild-assed guess (WAG) is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn't Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. The first five rules would have protected most Asterisk systems. But our WAG on the number of Asterisk PBX's that have implemented all five rules above would be less than one in a thousand. Part of that is because some of these tools weren't readily available until recently. But part of it is because most of us are just plain L-A-Z-Y.

    Really secure passwords really do matter. And it's more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, make certain it has a really, really secure password. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). You've been warned. It's your phone bill and bank account!
    <end of sermon>

    Rule #7: Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn't begin to describe some of what lies under the FreePBX covers. Make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.

    Our rule of thumb on Internet web accessibility to an Asterisk PBX goes like this. Don't! But, if you must, build as many layers of protection as possible to assure that your system is not compromised. If the bad guys get into FreePBX, the security of your PBX has been compromised... permanently! This means you need to start over with all-new passwords by installing a fresh system. You simply cannot fix every possible hole that has been opened on a FreePBX-compromised system!

    Rule #8: Implement VPNs for PBX Systems. PBX in a Flash has provided simple install scripts to deploy Hamachi VPNs on all of our current systems. Hopefully, the other aggregations will do likewise. In addition, we offer turnkey VPN in a Flash systems which provide this functionality out of the box. VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. We now are exploring other VPN solutions which would facilitate the use of VPN-enabled telephones such as the new offerings from SNOM.

    Rule #9: Check Your Logs Every Day. We're still dumbfounded by the following quote from the article above: "115,000 international mobile calls were made using the small business's VoIP system over a six month period." Six months and they never checked their call logs? Sounds like they earned this phone bill. FreePBX provides an incredibly simple way to review your call logs. Click the Reports tab at the top of the screen and look at the bar graph showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day! It also should be noted that Ethan Schroeder has released a beta of some new monitoring software which will provide more granular monitoring of daily call volumes. For additional information or to participate in the beta, visit this link.

    Rule #10: Do Some Reading... Regularly. No security implementation is complete without a little regular effort on your part: reading. If you're going to manage your own network or PBX, then you need to keep abreast of what's happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the trixbox Forum, and the FreePBX Forum. Aside from reviewing your call logs, it's the best 15 minutes you could spend to safeguard your system. We also have an RSS Feed which includes security alerts.

    Update #1: Be sure to read this great new article. It has two fresh ideas for securing your system!

    Update #2: Please also read this Nerd Vittles Alert about FreePBX backdoors and default passwords that was published on April 15, 2011.

    Some Other Suggestions. A couple other suggestions come to mind that don't involve securing your PBX per se but nevertheless will lessen your exposure in the event of a security breach. First, if your usual calling patterns don't involve international calling or if they're limited to one or two countries, tighten up your outbound dialplan and restrict calling to countries that you actually need. It can always be changed when the need to call elsewhere arises. Second, if you use pay-as-you-go providers, never use credit card auto-replenishment. Instead, add funds periodically using the provider's web interface. The advantage of this is that, if someone does manage to break into your system, your loss will be limited to the current balance in your provider account. You'll not only save a lot of money, but you'll also get a notification that something has gone horribly wrong. Finally, a forum user mentioned one we had overlooked. If you have a mix of POTS and VoIP lines, don't put the POTS lines in the default outbound pool for toll calls. This could potentially save you lots of money.

    Continue Reading Part II: The VoIP WhiteList for IPtables...

    Got Some Other Ideas? 50,000 heads always are better than one when it comes to network security. If there are things we've missed, take a minute to post a comment. It'll help all of us keep our systems more secure. Good luck!

    Digium® Weighs In. Since this article first appeared, Digium has released its own set of tips on SIP security. By all means, have a look!

    Security Alert of the Week. A trixbox user yesterday reported that he had discovered a rootkit exploit on his server. You can could read all about it here. The 6:03 a.m. (California time) post mysteriously disappeared a few hours later... soon after the trixbox staff got to work. Another darn computer failure according to Fonality staff. 😕 We've attempted to recreate the information from Google snippets. And here's a simple test to see if you have a similar rootkit problem:

    ls -all /sbin/init.zk

    Want a Bootable PBX in a Flash Drive? Our bootable USB flash installer for PBX in a Flash will provide all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and our flash installer in less than 15 minutes!

    If you'd like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment with your best PBX in a Flash story.1

    Be sure to include your real email address which will not be posted. The winner will be chosen by drawing an email address out of a hat (the old fashioned way!) from all of the comments posted over the next couple weeks. All of the individuals whose comments were used in today's story will automatically be included in the drawing as well. Good luck to everyone and Happy New Year!!

    Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won't get the special pricing! Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.

    Some Recent Nerd Vittles Articles of Interest...

    1. This offer does not extend to those in jurisdictions in which our offer or your participation may be regulated or prohibited by statute or regulation. []