Home » Posts tagged 'fail2ban'

Tag Archives: fail2ban

The Most Versatile VoIP Provider: FREE PORTING

The Big 30: Incredible PBX 2020 Application User’s Guide

For those just beginning the Incredible PBX® 2020 adventure, start here for CentOS 7 or here for the Raspberry Pi. Once your system is up and running, you’ll be ready to kick the tires. And today we’ll cover 30 applications for Asterisk® and FreePBX® that are included in the latest and greatest Incredible PBX server. Now that you have some time on your hands, continue learning about this powerful platform by reading this documentation. If you still have questions, post them on the PIAF Forum for some quick and friendly assistance.

Here’s a Table of Contents to the Incredible PBX 2020 Applications with hotlinks. Enjoy!

  1. Checking System Status
  2. Enabling Speech Recognition for Asterisk
  3. Wolfram Alpha for Siri-like queries by phone*
  4. Automatic Update Utility
  5. Resetting Incredible PBX Passwords
  6. Apache Authentication for Apps
  7. IPtables Firewall WhiteList
  8. PortKnocker Remote Access
  9. Travelin’ Man 4 Remote Access by Phone
  10. Conference Bridge
  11. CallerID Name (CNAM) Lookups
  12. Faxing with Incredible PBX
  13. Voicemail 101 with Incredible PBX
  14. Email Delivery of MP3 Voicemails
  15. Reconfiguring SendMail for SmartHosts
  16. SMS Messaging with VoIP.ms
  17. SIP URI Calling with Speed Dials
  18. IVR Demo of Incredible PBX Applications*
  19. Backup and Restore Options
  20. AsteriDex – The Poor Man’s Rolodex®
  21. Voice Dialing with AsteriDex*
  22. Speed Dialing with AsteriDex
  23. Scheduling Reminders by Phone or Web
  24. DISA Access with Incredible PBX
  25. Yahoo! News Headlines
  26. Weather Forecasts with Incredible PBX*
  27. ODBC Application Support
  28. Today in History
  29. Time of Day
  30. WebMin

* Requires Voice Recognition implementation. See #2 above.

1. Checking Current Status of Incredible PBX

There are several ways to check the status of your server. First, log into your server as root and type: pbxstatus. You can even add the default phone number for your server by inserting it in /etc/pbx/.phone.

The second option is to use a browser to access your server. Choose the Incredible PBX Admin option after pointing a browser to the IP address of your server:

Once you log in with your admin password, the Dashboard of your server will display the status of trunks, users, and active calls on your server. In addition, you can review the latest news and security alerts from the RSS Feeds of Nerd Vittles, Incredible PBX, FreePBX, and Asterisk. For additional status information, choose Reports:Asterisk Info.

2. Adding Speech Recognition to Asterisk

We no longer recommend Google Speech Recognition because of the licensing issues and Google’s propensity to break things regularly. Instead, we recommend IBM’s Speech Recognition and TTS engines. For most users, there will be no cost. And the services are second to none. For a complete installation and setup tutorial, see our tutorial. Once speech recognition is enabled, the Incredible PBX 2020 feature set grows exponentially. You’ll have access to the Voice Dialer for AsteriDex as well as SMS Voice Messaging and Wolfram Alpha for a Siri-like encyclopedia.

3. Using Wolfram Alpha with Incredible PBX

Ever wished your Asterisk server could harness the power of a 10,000 CPU Supercomputer to answer virtually any question you can dream up about the world we live in? Well, so long as it’s for non-commercial use, today’s your lucky day. Apple demonstrated with Siri™ just how amazing this technology can be by coupling Wolfram Alpha® to a speech-to-text engine on the iPhone. Now you can do much the same thing using voice recognition with Incredible PBX 2020.

Before using Wolfram Alpha from any phone connected to your PBX, you first must configure it by obtaining and adding a Wolfram Alpha application ID to Incredible PBX. Here are the simple steps:

1. Obtain your free Wolfram Alpha APP-ID here.

2. Log into your server as root and issue the following command:

nano -w /var/lib/asterisk/agi-bin/wolfram.sh

3. When the nano editor opens, insert your IBM STT and Wolfram APP-ID credentials in the spaces provided. Then save the file.

To use Wolfram Alpha, dial 4747 (that’s S-I-R-I backwards) from any extension.

Here are some sample queries to get you started:

Weather in Charleston South Carolina
Weather forecast for Washington D.C.
Next solar eclipse
Otis Redding
Define politician
Who won the 1969 Superbowl? (Broadway Joe)
What planes are flying overhead now?
Ham and cheese sandwich (nutritional information)
Holidays 2015 (summary of all holidays for 2015 with dates and DOW)
Medical University of South Carolina (history of MUSC)
Star Trek (show history, air dates, number of episodes, and more)
Apollo 11 (everything you ever wanted to know)
Cheapest Toaster (brand and price)
Battle of Gettysburg (sad day 🙂 )
Daylight Savings Time 2015 (date ranges and how to set your clocks)
Tablets by Samsung (pricing, models, and specs)
Doughnut (you don’t wanna know)
Snickers bar (ditto)
Weather (local weather at your server’s location)

4. Automatic Update Utility for Incredible PBX

A key security component of Incredible PBX is its Automatic Update Utility. Each time you log into your server as root, the Automatic Update Utility is run. It installs the latest fixes and security patches for your server. Don’t disable it! In fact, don’t delete anything from the /root folder. You’ll need all of it sooner or later.

We recommend you log into your server as root at least once a week to keep your server current. Ditto for the web interface to Incredible PBX. Insofar as security is concerned, we make a best effort to keep the components of Incredible PBX up to date. The Linux operating system was installed by you before the Incredible PBX install began. That’s a nice way of saying Linux security is primarily your responsibility. When an egregious Linux vulnerability comes along that we know about, we will try to notify you of the issue on the PIAF Forum and on the RSS Feed that is part of the Incredible PBX GUI. Check the RSS Feeds at least once a week as well. As a condition of use of the free Incredible PBX product, you accepted ultimate responsibility for the security and reliability of your server. Be SAFE!

5. Resetting Incredible PBX Passwords

Yes. It happens to all of us. We forget our passwords. Incredible PBX includes a convenient utility that lets you reset many of the passwords associated with Incredible PBX. Just log into your server as root and issue the command: /root/update-passwords

To reset Incredible PBX GUI admin password, issue command: /root/admin-pw-change

To reset Apache admin password, issue command: /root/apache-pw-change. Apache credentials control access to the web interface of Telephone Reminders and AsteriDex from within the web GUI.

To reset the AvantFax admin password which is accessible within the Incredible PBX GUI, issue the following command: /root/avantfax-pw-change

6. Apache Authentication with Incredible PBX

With the exception of the Admin GUI and WebMin, all web-based applications included in Incredible PBX require successful Apache authentication to gain access. When you installed Incredible PBX, you should have created an admin account for Apache. If not, issue the following command using a secure password after logging in as root:

htpasswd -cb /etc/pbx/wwwpasswd admin newpassword

With the exception of AsteriDex and Reminders, you gain access to other Incredible PBX applications with the admin Apache account. For the remaining apps, you may wish to (but don’t have to) assign different account names and passwords to various departments in your organization. To set up these accounts, use the syntax above substituting the name of the department for "admin" and the department password for "newpassword."

7. Managing the IPtables Linux Firewall

As installed, Incredible PBX includes a preconfigured, locked-down Linux firewall that restricts incoming IPv6 traffic to localhost and, via a Travelin’ Man 3 WhiteList application, limits incoming IPv4 traffic to your server’s public and private IP addresses, your desktop computer’s IP address (that was used for the install), private LAN and NeoRouter VPN traffic, and a collection of our favorite VoIP providers. You can WhiteList additional IP addresses for additional providers or for SIP and IAX phones located outside your firewall. The following firewall management scripts are accessible from the /root directory:

  • ./add-ip — WhiteList an additional IP address or IP address range (CIDR)
  • ./add-fqdn — WhiteList a site using a fully-qualified domain name (FQDN)
  • ./del-acct — Remove previously designated entry from the WhiteList
  • ./ipchecker — Check whether specified FQDNs have changed & update IPtables
  • iptables-restart — Used exclusively to restart IPtables and test for failed FQDNs
  • iptables -nL — Check the current status of your IPtables firewall

On CentOS platforms, IPtables can be manually configured (if you know what you’re doing) by editing iptables and ip6tables in /etc/sysconfig. On the Raspberry Pi, the rules are stored in /etc/iptables/rules.v4. Additional IPtables rules are included and managed in /usr/local/sbin/iptables-custom. All FQDN entries must be entered in iptables-custom. The reason is because a failed FQDN entry in the main IPtables config file will cause the firewall to fail on startup. Also, NEVER use traditional iptables commands such as iptables save to update your IPtables configuration, or you will permanently delete all of your FQDN entries! Instead, use the provided utilities to whitelist additional sites and then restart IPtables using iptables-restart. This protects the FQDN entries in your setup while also checking for invalid FQDN entries and removing them temporarily so that IPtables will successfully restart. If you use service iptables restart to restart IPtables and there happens to be an FQDN entry for a host that is either down or has disappeared, IPtables will fail to restart and your server will be left with NO firewall protection! Using the traditional IPtables mechanisms also will disable Fail2Ban and the rules in iptables-custom will never be loaded. Incredible PBX periodically checks for changed FQDN entries using the ipchecker script as configured in /etc/crontab.

If you elect to integrate Facebook into your Incredible PBX setup, you will need to manually uncomment the last 3 lines in /usr/local/sbin/iptables-custom in order to whitelist the Facebook servers. Then restart the firewall: iptables-restart

WARNING: By default, Incredible PBX whitelists all of the non-routable LAN subnets including 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. If you elect to install Incredible PBX in the Cloud, be advised that some cloud platforms including Amazon treat the 172.16.0.0/12 subnet as routable IP addresses. This means that anyone in the Amazon Cloud (including the bad guys) will have direct access to your server. While they still need a password or vulnerability to gain access, it nevertheless exposes your server to needless hacking attempts. We strongly recommend that you comment out the 172.16.0.0/12 entry in /usr/local/sbin/iptables-custom if you intend to deploy your server in the Amazon Cloud. Then restart the firewall: iptables-restart

8. PortKnocker Remote Access

IPtables is a powerful firewall that keeps the bad guys out. It also will keep legitimate users (including you) from gaining remote access to your server unless you had the forethought to WhiteList your remote IP address before you left on that family vacation. Unfortunately, you don’t always know your IP address in advance. And dynamic IP addresses assigned with hotel WiFi frequently change. To address this problem, Incredible PBX includes a preconfigured PortKnocker utility. This lets you send three secret "knocks" on random TCP ports to your server to tell it to let you in either temporarily (until IPtables is restarted) or permanently.

To reconfigure PortKnocker to permanently whitelist IP addresses from which you issue a successful knock, login as root and issue the command: iptables-knock activate

For PortKnocker to work, you obviously need to know the secret knocks. You’ll find them in /root/knock.FAQ. Record them in your wallet or inside your suitcase for that rainy day! There are PortKnocker apps for almost all smartphones as well as for Windows, Mac, and Linux computers. Install your favorite AND test access before you leave town. You can change the ports by editing /etc/knockd.conf. Then restart PortKnocker: service knockd restart

Finally, be aware that PortKnocker does not need any special access to your server to work; however, if your server is behind a hardware-based firewall, then you must map the three PortKnocker TCP ports to the private IP address of your server, or the knocks obviously will never get delivered to your server.

If you installed Incredible PBX 2020 on a cloud platform, then your server may use a network port other than eth0. Typically, it’s venet0:0 on OpenVZ servers. You can decipher the name of your network port for your public IP address by issuing the command: ifconfig. In this case, the CentOS config file needs to be modified and then PortKnocker needs to be restarted. Edit /etc/sysconfig/knockd and insert the following: OPTIONS="-i venet0:0". Restart PortKnocker with the command: service knockd restart

Review our PortKnocker tutorial for additional configuration tips.

9. Travelin’ Man 4 Remote Access (dial TM4)

In addition to PortKnocker, Incredible PBX also includes a telephone-based solution to temporarily gain remote access to your server. This does require a bit of preplanning since you must create account credentials for the person to whom you wish to give remote access via a phone call. The complete tutorial for Travelin’ Man 4 is available on the PIAF Forum. All of the pieces already are in place on your server so skip down to the Configuration & Operation sections for details on implementation.

10. Using the Conference Bridge (dial CONF)

A turnkey Conference Bridge is included in Incredible PBX 2020. A conference bridge allows a group of people to participate in a joint phone call. Typically, participants dial into a virtual meeting room from their own phone. This virtual meeting room supports dozens or even hundreds of participants depending upon server capacity.

You do not need a timing source for conferencing with Incredible PBX 2020! Old-style Asterisk Conference Rooms which required a timing source are disabled.

To access the Conference Bridge, dial C-O-N-F (2663) from any phone connected to your server. Remote users can be added to a conference by providing a DID that points to an IVR which includes Conference Bridge access. Once connected to the conference bridge, a caller is prompted for the Conference Bridge PIN and his or her name. The user and admin access PINs are randomly generated when you install Incredible PBX. You can decipher or modify the user and admin passwords to access the Conference Bridge in the Incredible PBX GUI: Applications:Conferences. Then edit 2663 and review or change the User and Admin PINs.

11. CallerID Name (CNAM) Lookups

By default, Incredible PBX is configured to automatically provide OpenCNAM CallerID name lookups for the first ten calls received each hour. These lookups are only from cached entries in the OpenCNAM database; however, you can enable the commercial lookup service if desired. The cost is four tenths of a cent per successful query.

To enable the OpenCNAM Professional Tier, set up an account at OpenCNAM.com. Once you’ve obtained your credentials, edit the OpenCNAM entry in Admin:CID Superfecta:Default. You may also wish to enable AsteriDex lookups and move the scheme to the top of your list of lookup schemes.

To activate CallerID Superfecta for incoming calls, edit each of your Inbound Routes and Enable Superfecta Lookup with the Default Scheme in the Other tab.

12. Faxing with Incredible PBX 2020

If you can press the ENTER key 25 times, you are fully capable of installing Incredible Fax on your new server. On the latest Raspberry Pi builds of Incredible PBX 2020, Incredible Fax is preinstalled. On other platforms, log into your server as root and run /root/incrediblefax2020.sh. Provide an email address for delivery of incoming faxes and press ENTER each time you are prompted to make a selection. Once you reboot your server, you’re all set. As part of the install, you provided an email address for delivery of incoming faxes. That’s all the setup that is required to have incoming faxes sent to most of your DIDs delivered via SendMail in PDF format. The best way to figure out whether a particular provider supports fax technology on their DIDs is to send a test fax to yourself. FaxZERO lets you send 5 free (in the U.S. only) faxes of up to 3 pages every day. Give it a whirl.

You also can send faxes using standard document types with the AvantFax web application. Log into AvantFax from the main Incredible PBX GUI by clicking on the AvantFax icon. The default credentials are admin:password. Choose the Send a Fax option from the main menu, fill in the blanks, and attach your document. AvantFax uses the default dialplan so use the prefix desired to send the fax using your preferred provider.

With the latest release of Incredible PBX 2020, fax recognition is supported on incoming calls. Edit each of your Inbound Routes and enable Detect Faxes with Detection Type=SIP, Fax Ring=Yes, Fax Detection Time=4, and Fax Destination=Custom Destination:Fax (HylaFax) in the Fax tab.

On the Raspberry Pi platform, you can change the destination email address for incoming faxes by issuing the command: /root/avantfax-email-change.

Copies of all incoming faxes also are available for retrieval within AvantFax.

13. Voicemail 101 for Incredible PBX 2020

Voicemail functionality is enabled on an extension-by-extension basis as part of the extension setup under the Voicemail tab. Once enabled, you can set up your mailbox and retrieve your messages by dialing *97 from the mailbox extension, or dial *98 to retrieve messages from any extension. Shortcut dialing is also supported, e.g. *98707 would retrieve messages for extension 707. You can leave a message for or forward calls to any extension’s mailbox without actually calling the extension. Just prepend * to any extension number before dialing, e.g. *701. A number of the system settings for voicemail can be tweaked under the Voicemail tab as well. For example, you can automatically delete voicemails once they have been delivered by email. Voicemail Blasting to multiple mailboxes is also supported. Just choose this option under the Applications tab and follow your nose.

14. Email Delivery of MP3 Voicemails

Speaking of email delivery, your voicemails also can be delivered to any email address of your choosing. For every extension under the Voicemail tab for the Extension, simply add an Email Address and enable the Email Attachment. With Incredible PBX 2020, the voicemail message will be attached to the email in MP3 format so it’s suitable for playback with most email clients on desktop PCs, Macs, and smartphones. Be advised that some Internet service providers (such as Comcast) block downstream SMTP servers. You can check whether your outbound email is flowing by issuing the command mailq from the Linux command line. Issuing the command mail will tell you whether outgoing emails are bouncing. You can test sending an email by issuing the following command using your destination email address:

echo "test" | mail -s testmessage your-name@your-email-provider.com

If you find outbound mail is accumulating, add your ISP’s SMTP server address as a SmartHost for SendMail as documented in the next section.

15. Reconfiguring SendMail for a SmartHost

Many residential Internet service providers block downstream SMTP servers such as the SendMail server running with Incredible PBX 2020. If you’re sending emails but they never arrive and you’ve checked your SPAM folder, then chances are your ISP is the culprit. The simple solution is to add your ISP’s SMTP server as a SmartHost for SendMail. This means outbound emails will be forwarded to your ISP for actual email transmission over the Internet. Here’s how. On CentOS platforms, edit /etc/mail/sendmail.cf and search for DS. Immediately after DS, add the FQDN of your ISP’s SMTP server, e.g. DSsmtp.comcrap.net (no spaces!). Save the file and then restart SendMail: service sendmail restart. Your email and voicemail messages with attachments should begin flowing without further delay.

On Raspberry Pi platforms, here’s how to set it up using a Gmail account without two-step authentication. Log into your server as root and run dpkg-reconfigure exim4-config. Choose "mail sent by smarthost; received via SMTP or fetchmail." Accept all the defaults until you get to Outgoing Smarthost prompt. Enter: smtp.gmail.com::587. At the following prompts, choose NO, NO, mbox, and NO. When the setup completes, edit /etc/exim4/passwd.client and insert the following line using your Gmail AcctName and AcctPW. NOTE: If you are using a Gmail account with 2-step verification enabled, you MUST use a Gmail App Key instead of your Gmail account password. You also must enable Less Secure Apps access to your Gmail account.

smtp.gmail.com:AcctName@gmail.com:AcctPW

Save the file and then issue the following commands to complete the setup:

update-exim4.conf
systemctl restart exim4
exim4 -qff

Now send yourself a test email message to make sure things are working properly:

echo "test" | mail -s testmessage yourname@yourmailprovider.com

16. SMS Messaging with VoIP.ms

Incredible PBX 2020 supports SMS messaging through VoIP.ms if you have an account and an SMS-enabled DID. See the VoIP.ms wiki for setup info on the VoIP.ms side.

To install the VoIP.ms SMS scripts, follow these steps:

cd /root
mkdir sms-voip.ms
cd sms-voip.ms
wget http://incrediblepbx.com/voipms-SMS.tar.gz
tar zxvf voipms-SMS.tar.gz

Edit voipms-sms.php and insert your VoIP.ms number that supports SMS messaging (no spoofing allowed!):

$SMSsender="8005551212";

Edit class.voipms.php and insert your VoIP.ms API credentials:

    /*******************************************\
     *  VoIPms - API Credentials
    \*******************************************/
    var $api_username   = 'yourname@youremail.com';
    var $api_password   = 'yourpassword';

Send an SMS message through VoIP.ms with the following command where smsnumber is the 10-digit number of the SMS recipient and "sms message" is the text message surrounded by quotes:

/root/sms-voip.ms/voipms-sms.php smsnumber "sms message"

NOTE: VoIP.ms has indicated that sooner or later there will be a penny per message charge for SMS messages; however, as of today, they’re still free.

17. SIP URI Calling with Incredible PBX

With one line of dialplan code, you can add Speed Dials for free SIP URI calling worldwide. The dialplan code is stored in the [CallingRule_SIP_URI] context in extensions_custom.conf. Just clone one of the existing entries, designate an extension to dial to connect to the SIP URI, and enter the SIP URI for the destination. Numerous SIP providers support assignment of SIP URI’s to DIDs for unlimited free calling from anywhere in the world. Here’s a sample using a speed dial code of 53669 that connects you to SIP URI 2233435945@sip2sip.info: exten = 53669,1,Dial(SIP/2233435945@sip2sip.info)

18. IVR Demo of Incredible PBX Apps

The easiest way to try out a number of the Incredible PBX applications is to take the IVR Demo for a spin. Just pick up any phone on a CentOS-based platform and dial 3366 (D-E-M-O). The sample code for the IVR is available for review and modification in the IVR section of the GUI. There’s also a sample Stealth AutoAttendant. This plays a brief greeting and then rings an extension or ring group. During the greeting, you could configure the application to allow button presses to branch to other applications on your PBX, hence the Stealth name since the codes are not disclosed to callers.

On the Raspberry Pi platform, our detailed tutorial will walk you through setting up the Demo IVR application.

19. Backup & Restore with Incredible PBX

Incredible Backup and Restore scripts are provided in the /root folder. In addition, the FreePBX GUI also provides Backup and Restore utilities under the Admin tab. If backups are important to you, we strongly recommend you consider a $3/month cloud server at Vultr using our referral code. For an additional 20% per month (60 cents), you get weekly image backups of your server that can be restored with a couple of button clicks. It’s the cheapest insurance you can buy for your PBX!

20. AsteriDex – The Poor Man’s Rolodex

AsteriDex is a web-based phonebook application for Incredible PBX. You can access it from the main web menu. Scripts are also available to import your contacts from Outlook and Google Contacts.

21. Voice Dialing with AsteriDex (dial 411)

If you have voice recognition enabled on your server, you can call anyone in your AsteriDex database by dialing 411.

22. Speed Dialing with AsteriDex (dial 000+)

For those without voice recognition, Incredible PBX 2020 includes two speed dialing utilities. The first is accessed by dialing 412. Then enter any 3-digit dialcode from your AsteriDex database to complete the call. If you’d prefer to skip the intermediate step, dial 000 + the 3-digit speed dial code desired. The call will be placed immediately using your default outbound routes.

For a complete listing of your AsteriDex dial codes, execute this query:

mysql -u root -ppassw0rd asteridex -e "select name,dialcode from user1 order by name"

To automatically generate the 3-digit speed dial codes for everyone in your AsteriDex database using the first three letters of each name, run the following script from your web browser: http://your-server-ip/asteridex4/dialcode.php.

23. Telephone Reminders (dial 123)

Incredible PBX 2020 includes a sophisticated reminders system that lets you schedule individual or recurring reminders using your phone by dialing 123 or a web browser. A complete tutorial is available here. For phone reminders, a password is required to access the reminder system. Typically, these reminders set up a return call at a scheduled time that then plays back either a recorded message or a TTS message generated from the text you entered in the browser application. Incredible PBX also includes a new addition that lets you schedule web reminders that are delivered by email or SMS message.

24. DISA Access with Incredible PBX 2020

Direct Inward System Access (aka DISA) is one of the great PBX inventions of the last 50 years. It’s also one of the most dangerous. It lets someone connect to your PBX and obtain dial tone to place an outbound call using your trunks… on your nickel. Typically, it is offered as an option with an IVR or AutoAttendant. The DISA extension is not preconfigured with Incredible PBX; however, you can easily set it up in the GUI by choosing Applications:DISA. Make up a very secure PIN before exposing DISA access to the outside world. It’s your phone bill.

25. Yahoo! News (Dial 951)

Yahoo! news headlines are available by dialing 951. The news option also is included in the sample IVR application.

26. Weather Forecasts by Phone (dial 947)

You can obtain a current weather forecast for most zip codes by dialing 947 (Z-I-P) and entering the 5-digit zip code.

27. ODBC Application Support for Asterisk

If you’ve recently logged into your server as root, Automatic Update #4 added ODBC/MySQL application support for Asterisk. You can try out a few sample applications that are included to get you started. Dial 222 and enter 12345 for the employee number. This retrieves an employee name from the MySQL timeclock database using Asterisk. Dial 223 to retrieve an AsteriDex name and phone number by entering the 3-character dialcode. You then have the option of placing the call by pressing 1. Once you have created accounts for Travelin’ Man 4, you can dial 864 (T-M-4) to WhiteList an IP address for that account after entering the account number and matching PIN. Use the * key for periods in the IP address.

28. Today in History (Dial T-O-D-A-Y)

It’s always interesting to find out what happened Today in History. And Incredible PBX now delivers it by phone. Just dial 86329 (T-O-D-A-Y) for a walk down memory lane.

29. Time of Day

Speaking of yesteryear, if you grew up dialing TI-4-1212 for the time of day, Ma Bell may have discontinued the service, but we haven’t. Now you can do it on your very own PBX.

If you want your users to be able to dial in for the time directly by dialing extension, here’s how. In the GUI, choose Admin:Custom Destinations:Add Destination. Set up a Time of Day description with a target of new-time,s,1 and save your entry. Now Enable an Application:Misc Application:Add Application with a Feature Code of 8463, Time of Day description, and point it to Custom Destination:Time of Day. Save your entry and then dial 8463 (T-I-M-E) for the Time of Day.

30. WebMin: The Linux Swiss Army Knife

There is no finer Linux application than WebMin. There is no more dangerous Linux application than WebMin. You’ve been warned. We heartily recommend WebMin as a tool to LOOK at your server’s settings. We strongly discourage changing anything in WebMin unless you totally know what you are doing. This is especially true with management of Linux applications that make up the core of Incredible PBX: the Linux kernel, SendMail, IPtables, Apache, MySQL, PHP, and…

To access WebMin on the CentOS platform, visit the following link with a web browser using the actual IP address of your server: https://ip-address:9001/. The username is root. The password is your root password. WebMin has root privileges to your server. Reread paragraph 1 and act accordingly.

Due to space and performance constraints, WebMin is no longer installed by default on the Raspberry Pi platform. To install WebMin, follow these steps after logging into your Raspberry Pi as root:

cd /root
apt-get update
apt-get install python perl openssl libnet-ssleay-perl 
apt-get install libauthen-pam-perl libio-pty-perl libpam-runtime
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.941_all.deb
dpkg --install webmin_1.941_all.deb

For an exhaustive tutorial on WebMin, download The Book of WebMin by Joe Cooper. For a more recent commercial offering, take a look at Michal Karzyński’s WebMin Administrator’s Cookbook.

Originally published: Monday, April 13, 2020



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Tips & Tricks to Supercharge Incredible PBX 16-15



As September comes to a close, we wanted to offer up some simple tips and tricks to get the most out of Incredible PBX® 16-15. Many of these already have been covered on the PIAF Forum so, if you’re not already a subscriber, sign up to keep up with the latest information. Perhaps the most frequently asked question concerns the painfully slow restarts that some folks experience with SendMail and/or Fail2Ban. So let’s start there.

Assigning an FQDN to Your Server

Many system services depend upon identification of the fully-qualified domain name (FQDN) assigned to your server. If you don’t have one, services such as Fail2Ban and SendMail have a difficult time starting and restarting. This includes the iptables-restart script which includes a restart of the Fail2Ban service. With SendMail, you not only will have difficulty restarting the service, but outbound email delivery also will fail since SendMail always checks for a valid sender email address before sending out a message.

If you don’t have a domain that you control, you can always use a free dynamic DNS service such as No-IP which has the added advantage of managing changes in your host’s IP address if you don’t have a static IP address.

Once you have an FQDN for your server, here are the simple steps to assign it to your server. First, edit /etc/hosts, add the FQDN immediately after 127.0.0.1, and then save the file. Next, edit /etc/hostname and replace the default entry with your FQDN. Finally, issue the following command using your actual FQDN: hostname FQDN.

Now you can test restarting Fail2Ban and SendMail with the following commands:

systemctl restart sendmail
systemctl restart fail2ban

And you can check the status of the two services with the following commands:

systemctl status sendmail
systemctl status fail2ban

Configuring SendMail/Exim with Incredible PBX 16-15

You’re not out of the woods yet if you wish to use SendMail (CentOS) or Exim (Raspbian) to deliver email and voicemail messages. Unless your PBX is in the Cloud with a public IP address on the Internet, be advised that many hosting providers such as Comcast, Spectrum, and AT&T block downstream mail servers from sending email. If you’re using one of these services in your home or office, the solution is to use Gmail or your local ISP as a smart relay host to send mail from your server. Setup instructions for SendMail on the CentOS 7 platform are available here. Setup instructions for Exim on the Raspberry Pi are available here.

Blocking Call Scammers and Robocalls

As election season kicks into high gear, expect robocalls to go through the roof. Not that the diehard scammers care but Congress exempted all politicians from the rules pertaining to robocalls. And then there are those that spoof a phone number similar to yours in order to treat you to the latest car warranty deal or Caribbean vacation. So here’s a way to block 99% of these callers, almost all of whom depend upon autodialers and call center software to distribute calls to live operators once you answer the call.

The design is simple to implement with Incredible PBX. Instead of answering incoming calls with a standard AutoAttendant or IVR, we’ll play a brief announcement followed by a request that the caller "press 7″ or some other number to be connected. When the caller doesn’t press the requested number within a brief number of seconds, Incredible PBX will hangup the call.

Many SIP providers support the early media feature which lets two SIP user agents communicate before a call is actually answered. If your provider supports this and you pay by the minute for inbound call traffic, then we’ll show you how to use the early media feature to block these callers without ever answering the calls and incurring charges. The easiest way to determine whether your SIP provider supports early media is to implement the early media code below and try a test call. If you hear the greeting message after dialing your own number, then early media is supported. If not, use the other dialplan code.

Incredible PBX already includes all the tools you’ll need to implement this. We’ll use a little modified Announcement dialplan code to greet the caller with Allison’s Generic Welcome message: "Thank you for calling. Please hold a moment while we locate someone to take your call." Then we’ll tack on an extra message which says: "To continue in English, press 7." If you’d prefer a different number, you can modify the dialplan code below accordingly.

Add this early media dialplan code to the end of /etc/asterisk/extensions_custom.conf. If you prefer a number other than 7, then replace "7″ in both lines 4 and 6 below:

[hello-caller]
exten => s,1,Progress
exten => s,n(begin),Noop(Playing announcement Howdy as Early Media)
exten => s,n,Set(TIMEOUT(response)=10)
exten => s,n,Playback(custom/nv-GenericWelcome&silence/1&continue-in-english&press-7,noanswer)
exten => s,n,WaitExten(,)
exten => 7,1,Goto(ivr-1,s,1)
exten => t,1,Hangup
exten => i,1,Hangup
exten => fax,1,Noop(Fax detected!)
exten => fax,2,Goto(custom-fax-iaxmodem,s,1)
;--== end of [hello-caller] ==--;

In the FreePBX GUI, add a new Custom Destination:

Target: hello-caller,s,1
Description: Scam Blocker

In the FreePBX GUI, modify the Inbound Route for each DID and set the Destination to Custom Destination: Scam Blocker. Save your settings and reload your dialplan.

Now place a test call to your DID and see if you hear the greeting message. If so, you’re done.

If not, edit /etc/asterisk/extensions_custom.conf and replace the [hello-caller] context at the bottom of the file with the following. You can replace "7″ on lines 6 and 8, if desired. Then reload your dialplan: asterisk -rx "dialplan reload". Then place another test call.

[hello-caller]
exten => s,1,GotoIf($["${CHANNEL(state)}" = "Up"]?begin)
exten => s,n,Answer
exten => s,n,Wait(1)
exten => s,n(begin),Noop(Playing announcement Howdy)
exten => s,n,Set(TIMEOUT(response)=10)
exten => s,n(play),Background(custom/nv-GenericWelcome&silence/1&continue-in-english&press-7,nm)
exten => s,n,WaitExten(,)
exten => 7,1,Goto(ivr-1,s,1)
exten => t,1,Hangup
exten => i,1,Hangup
exten => fax,1,Noop(Fax detected!)
exten => fax,2,Goto(custom-fax-iaxmodem,s,1)
;--== end of [hello-caller] ==--;

Separating Friends from Foes with Fail2Ban

If you’ve ever locked yourself out of your server when Fail2Ban mistakenly believed you were one of the bad guys, welcome to the club. Here’s the simple way to make sure it never happens again. First, deploy a NeoRouter Server and activate the NeoRouter Client on both your PBX and desktop machines. Always login to your PBX using the 10.0.0.x NeoRouter Client IP address of your PBX. Next, edit /etc/fail2ban/jail.conf. Scroll down to the [DEFAULT] section and edit the line which begins with ignoreip. Make certain the line includes the following entries. Then save the file and restart Fail2Ban: systemctl restart fail2ban

ignoreip = 127.0.0.1/8 10.0.0.0/24

You can always check who is currently banned with the command: iptables -nL

And you can unban an IP address by logging in to SSH from a different IP address and using the chain name and banned IP address shown in iptables -nL with the following command:

fail2ban-client set apache-forbidden unbanip xx.xx.xx.xx

Adding Outbound CNAM Data to CDRs

In many implementations, it’s useful in Call Detail Records (CDRs) to be able to associate names (CNAM) with outbound calls just as we do with incoming calls. One of our earliest Asterisk applications, CallerID Superfecta, provides an easy way to do that with just a little tweaking in Incredible PBX 16-15.

1. Open the FreePBX GUI in a browser and go to Admin -> CID Superfecta. There should be one Default setup but it’ll show as disabled. For some quirky reason, you can’t make enabling it stick so click on the third (COPY) option under Actions to create a second setup. Then go down to that one and click the first button (Enable) under Actions. Make future setup changes to CallerID Superfecta by clicking on that setup.

2. Next, log into your server as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/dialout-cnam.tar.gz
tar zxvf dialout-cnam.tar.gz
rm -f dialout-cnam.tar.gz

3. Run the script: /root/install-dialout-cnam.sh. Choose the number of the new CID Superfecta setup (probably will be a negative number which is fine). No idea why.

4. Once the script completes, make a call from extension 701 to an outside number. The new CNAM info should be shown in the ACCOUNT column of your CDR listing.

Originally published: Monday, September 30, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



A Golden Newbie: Incredible PBX 13-13.10 for Ubuntu 18.04.2


If you’re as big a fan of Ubuntu as we are, then you’ll be pleased to know that the month-old update to Ubuntu 18.04 LTS is rock-solid. It takes a brave soul to name anything Bionic Beaver, but Ubuntu pulls it off and makes you want to meet one face-to-face, just not in a bar after midnight. Well, St. Paddy would be proud. Today’s new Incredible PBX® 13-13.10 release brings you everything you could want in a PBX, and the icing on the cake is Ubuntu 18.04.2. The only drawback to Ubuntu 18.04 is that none of our $1/month VPS cloud providers support the platform just yet. But have no fear, both Digital Ocean and Vultr already do.1

Introducing 2019 Edition of Incredible PBX

This is our third major release of our flagship Incredible PBX 13-13 platform. In addition to today’s release for Ubuntu 18.04.2, it’s also available for Raspbian 8 as well as CentOS 6 and 7. It features 70+ new FreePBX® GPL modules plus all the latest components for OSS Endpoint Manager making SIP phone deployment with Asterisk® 13 a breeze. There also are terrific new backup and restore utilities which make migration and restoration of Incredible PBX platforms a snap. Finally, we’ve incorporated Skyetel SIP trunking in the build. It literally makes configuration of outbound and incoming calling a one-minute process. On the Skyetel side, create an Endpoint Group pointing to the IP address of your PBX, order one or more DIDs and point them to the new EndPoint Group. Done. On the Incredible PBX side, add Inbound Routes specifying the 11-digit numbers of your Skyetel DIDs and point each of them to the desired destination for incoming calls. Done. Outbound calls are automatically configured to use your Skyetel account. Our complete Skyetel tutorial is available here and includes up to a $250 usage credit with Skyetel’s new BOGO deposit match.2 Effective 10/1/2023, $25/month minimum spend required.

Creating an Ubuntu 18.04.2 Platform

If you plan to install Incredible PBX 13-13.10 using a cloud provider that supports Ubuntu 18.04.2, then creation of the Ubuntu 18.04.2 platform is as simple as clicking on the 64-bit OS as part of the creation of your 1GB RAM virtual machine. If you plan to use your own hardware, then any modern desktop computer will suffice. Begin by downloading the Ubuntu 18.04.2 ISO from here. Then create a bootable USB stick or assign the ISO as the boot device on your virtual machine platform. Here are steps for Ubuntu install using the server console:

  • Preferred language: English
  • Keyboard: English (US)
  • Install Ubuntu
  • Network interface (eth or wlan) from DHCP
  • Proxy (leave blank)
  • Ubuntu mirror (accept default entry)
  • Partitioning: Use Entire Disk
  • Choose Disk for Install (accept default usually)
  • File System Setup (choose Done)
  • Confirm Disk Install (Continue)
  • Profile Setup (create a username and password)
  • Install OpenSSH server (press Space Bar then Done)
  • Featured Server Snaps (leave blank)
  • Reboot Now (when prompted)
  • Remove installation media
  • Login using username created above
  • sudo passwd root
  • exit
  • Login as root with new root password
  • userdel username (that you created above)
  • nano -w /etc/ssh/sshd_config
  • Add: PermitRootLogin yes
  • save file
  • exit
  • Login as root using SSH or Putty

CAUTION: Don’t make any "improvements" to Ubuntu 18.04.2 after the initial install, or the Incredible PBX install may fail. It is designed for a base platform only!

Installing Incredible PBX 13-13.10

If you haven’t already done so, log into your Ubuntu 18.04.2 server as root using SSH or Putty. It’s important to log in from a desktop computer that you will be using to make changes on your server since this IP address will be whitelisted in the firewall as part of the installation process. Do NOT use the server console to install Incredible PBX, or you may not be able to log in from your desktop computer thereafter.

Before we begin the install procedure, let’s determine whether a swap file exists on your platform. If not, you’ll need to create one below as one of the first steps after downloading the Incredible PBX installer. Issue this command to determine if you have swap space: free -h

Now let’s download and install Incredible PBX 13-13.10. There are two flavors: the base install with the 70+ FreePBX GPL modules that comprise the web-based GUI to manage your PBX and the Whole Enchilada which adds 30+ Asterisk applications to the base install to provide TTS support, voice recognition, news and weather TTS apps, AsteriDex, telephone reminders, and much more. Here are the steps. Be sure to uncomment the create-swapfile-DO entry if you are lacking a swapfile.

cd /root
wget http://incrediblepbx.com/incrediblepbx-13-13.10U-LEAN.tar.gz
tar zxvf incrediblepbx-13-13.10U-LEAN.tar.gz
rm -f incrediblepbx-13-13.10U-LEAN.tar.gz
#./create-swapfile-DO
./Incredible*

There are two phases to the base install. You’ve just completed Phase #1. After your server reboots, log back in and kick off the Incredible PBX installer a second time. Don’t disappear immediately. On some cloud platforms, you may be asked whether to preserve your existing SSH setup. Choose the Keep Local Version default. On all platforms, you’ll be prompted for two additional responses in the first few minutes. At the first prompt, simply press ENTER to continue. At the second prompt, enter the country code to associate with your PBX. For those in the United States, the code is 1. We assume others are more familiar with their country code than Americans are. 😉

cd /root
./Incredible*

Make some careful notes when the install finishes. Then press ENTER to reboot your server.

If you don’t plan to use the Incredible PBX applications, then your install is complete after the reboot. Each time you log in to your server, the Automatic Update Utility will run to provide late-breaking updates that may affect the security of your server. So make sure you log in to the Linux CLI at least once a week to stay safe!

Assuming you’ve already created a very secure root password (update it by running passwd), perform the following 5 Steps to get everything locked down:

  1. Create an admin password for GUI access: /root/admin-pw-change
  2. Create an admin password for Apache web access: htpasswd /etc/pbx/wwwpasswd admin
  3. Configure the correct timezone for your server: /root/timezone-setup
  4. Retrieve your PortKnocker setup like this: cat /root/knock.FAQ
  5. Add IPtables WhiteList entries for remote access: /root/add-ip or /root/add-fqdn

Most of the configuration of your PBX will be performed using the web-based Incredible PBX GUI with its FreePBX 13 GPL modules. Use a browser pointed to the IP address of your server and choose Incredible PBX Admin. Log in as admin with the password you configured in the first step above. HINT: You can always change it if you happen to forget it.

To get a basic system set up so that you can make and receive calls, you’ll need to add a VoIP trunk, create one or more extensions, set up an inbound route to send incoming calls to an extension, and set up an outbound route to send calls placed from your extension to a VoIP trunk that connects to telephones in the real world. You’ll also need a SIP phone or softphone to use as an extension on your PBX.

Continue Reading: Configuring Extensions, Trunks & Routes

Installing Incredible PBX 13-13 Whole Enchilada

There now are two more pieces to put in place. The sequence matters! Be sure to upgrade to the Whole Enchilada before you install Incredible Fax. If you perform the steps backwards, you may irreparably damage your fax setup by overwriting parts of it.

The Whole Enchilada upgrade script now is included in the Incredible PBX LEAN tarball. To run it, issue the following commands:

cd /root
./Enchilada*

If you accidentally installed Incredible Fax before upgrading to the Whole Enchilada, you may be able to recover your Incredible Fax setup by executing the following commands. It’s worth a try anyway.

amportal a ma install avantfax
amportal a r



Installing Incredible Fax with HylaFax/AvantFax

You don’t need to upgrade to the Whole Enchilada in order to use Incredible Fax; however, you may forfeit the opportunity to later upgrade to the Whole Enchilada if you install Incredible Fax first. But the choice is completely up to you. To install Incredible Fax, log into your server as root and issue the following commands:

cd /root
./incrediblefax13_ubuntu18.sh

After entering your email address to receive incoming faxes, you’ll be prompted several times to choose options as part of the install. Simply press the ENTER key at each prompt and accept all of the defaults. When the install finishes, make certain that you reboot your server to bring Incredible Fax on line. There will be a new AvantFax option in the Incredible PBX GUI. The default credentials for AvantFax GUI are admin:password. Be advised that there remain a couple of quirks on the Ubuntu 18.04 platform. First, after entering your credentials, you may get a timeout error with your browser. Simply press the Reload/Refresh icon in your browser, and the default AvantFax menu will appear. Second, you will need to set your email delivery address and a new password for AvantFax manually. Click on the Settings option in the upper right corner of the dialog. When you save your settings, you may again experience a timeout event. Click the Reload/Refresh button on your browser again, and AvantFax will come back to life.

NAT-Based Router and Dynamic IP Wrinkles

If your PBX is sitting behind a NAT-based router, you’ll need to redirect incoming UDP 5060 traffic to the private IP address of your PBX. While this isn’t technically necessary to complete calls with registered trunk providers, there are others such as Skyetel that don’t use SIP registrations where failure to redirect UDP 5060 would cause inbound calls to fail.

The Incredible PBX GUI is accessed using a web browser pointed to the IP address of your server. As part of the password setup, you created an admin password for the Incredible PBX GUI, a.k.a. FreePBX GUI. Login now using your favorite browser. If you have forgotten your admin password, you can reset it by logging into your server as root using SSH: /root/admin-pw-change. Once you’ve logged into the GUI, your first task is to record the public and private IP addresses for your server. This eliminates 99% of the problems with one-way audio on calls where your server is sitting behind a NAT-based router. Navigate to Settings -> SIP Settings and click on Detect Network Settings in the NAT Settings section of the template. Verify that the entries shown are correct and then click Submit followed by Apply Config.

Many Internet service providers assign dynamic IP addresses to customers. This poses issues with a PBX because SIP phones positioned outside your LAN need to be able to connect to the PBX. It also complicates SIP routing which needs both the public IP address and the private IP address of the PBX in order to route calls properly. In the previous section, you configured your PBX with these two IP addresses. The problem, of course, is that this public IP address may change when your ISP assigns dynamic IP addresses. Luckily, many ISPs rarely update dynamic IP addresses of their customers. For example, our home network has had the same dynamic IP address for more than four years. If this is your situation, then you have little to worry about. If the IP address ever changes, you can simply repeat the steps in the previous section. However, if your ISP regularly changes your public IP address, then you need an automatic way to keep your PBX configured properly. Otherwise you will start experiencing calls with one-way audio or no audio, and remote phones will no longer be able to connect to the PBX. We’ve developed a script to update the public IP address of your PBX. Depending upon your situation, all you need to do is run it hourly or daily to keep your PBX configured properly. To begin, first download the updater script after logging into your server as root:

cd /root
wget http://incrediblepbx.com/update-externip.tar.gz
tar zxvf update-externip.tar.gz
rm -f update-externip.tar.gz

Try running the script once to make sure it correctly identifies the public IP address of your server: /root/update-externip. Then add an entry to the end of /etc/crontab that schedules the script to run at 12:30 a.m. each night:

30 0 * * * root /root/update-externip > /dev/null 2>&1

Configuring Trunks with Incredible PBX

Before you can actually make and receive calls, you’ll need to add one or more VoIP trunks with providers, create extensions for your phones, and add inbound and outbound routes that link your extensions to your trunks. Here’s how a PBX works. Phones connect to extensions. Extensions connect to outbound routes that direct calls to specific trunks, a.k.a. commercial providers that complete your outbound calls to any phone in the world. Coming the other way, incoming calls are directed to your phone number, otherwise known as a DID. DIDs are assigned by providers. Some require trunk registration using credentials handed out by these providers. Others including Skyetel use the IP address of your PBX to make connections. Incoming calls are routed to your DIDs which use inbound routes telling the PBX how to direct the calls internally. A call could go to an extension to ring a phone, or it could go to a group of extensions known as a ring group to ring a group of phones. It could also go to a conference that joins multiple people into a single call. Finally, it could be routed to an IVR or AutoAttendant providing a list of options from which callers could choose by pressing various keys on their phone.

We’ve done most of the prep work for you with Incredible PBX. We’ve set up an Extension to which you can connect a SIP phone or softphone. We’ve set up an Inbound Route that, by default, sends all incoming calls from registered trunks to a Demo IVR. And we’ve built dozens of trunks for some of the best providers in the business. Sign up with the ones you prefer, plug in your credentials, and you’re done. The next section of this tutorial will show you the easier way, using Skyetel.

Unlike traditional telephone service, you need not and probably should not put all your eggs in one basket when it comes to telephone providers. In order to connect to Plain Old Telephones, you still need at least one provider. But there is nothing wrong with having several. And a provider that handles an outbound call (termination) need not be the same one that handles an incoming call (origination) and provides your phone number (DID). Keep in mind that you only pay for the calls you make with each provider so you have little to lose by choosing several. The PIAF Forum also has dozens of recommendations on VoIP providers.

With the preconfigured trunks in Incredible PBX, all you need are your credentials for each provider and the domain name of their server. Log into Incredible PBX GUI Administration as admin using a browser. From the System Status menu, click Connectivity -> Trunks. Click on each provider you have chosen and fill in your credentials including the host entry. Be sure to uncheck the Disable Trunk checkbox! Fill in the appropriate information for the Register String. Save your settings by clicking Submit Changes. Then click the red Apply Config button.

Using Skyetel with Incredible PBX

On the Raspberry Pi platform, all of the Skyetel trunks are preconfigured. All you need to do is sign up for Skyetel service in March to take advantage of the $50 Nerd Vittles special offer. First, complete the Prequalification Form here. You then will be provided a link to the Skyetel site to complete your registration. Once you have registered on the Skyetel site and your account has been activated, open a support ticket and request a $50 credit for your account by referencing the Nerd Vittles special offer. Greed will get you nowhere. Credit is limited to one per person/company/address/location. You can also take advantage of a 10% discount on your current service. Just open another ticket and attach a copy of your last month’s bill. See footnote 3 for the fine print.3 If you have high call volume requirements, document these in your Prequalification Form, and we will be in touch.

Unlike many VoIP providers, Skyetel does not use SIP registrations to make connections to your PBX. Instead, Skyetel utilizes Endpoint Groups to identify which servers can communicate with the Skyetel service. An Endpoint Group consists of a Name, an IP address, a UDP or TCP port for the connection, and a numerical Priority for the group. For incoming calls destined to your PBX, DIDs are associated with an Endpoint Group to route the calls to your PBX. For outgoing calls from your PBX, a matching Endpoint Group is required to authorize outbound calls through the Skyetel network. Thus, the first step in configuring the Skyetel side for use with your PBX is to set up an Endpoint Group. A typical setup for use with Incredible PBX®, Asterisk®, or FreePBX® would look like the following:

  • Name: MyPBX
  • Priority: 1
  • IP Address: PBX-Public-IP-Address
  • Port: 5060
  • Protocol: UDP
  • Description: server1.incrediblepbx.com

To receive incoming PSTN calls, you’ll need at least one DID. On the Skyetel site, you acquire DIDs under the Phone Numbers tab. You have the option of Porting in Existing Numbers (free for the first 60 days after you sign up for service) or purchasing new ones under the Buy Phone Numbers menu option.

Once you have acquired one or more DIDs, navigate to the Local Numbers or Toll Free Numbers tab and specify the desired SIP Format and Endpoint Group for each DID. Add SMS/MMS and E911 support, if desired. Call Forwarding and Failover are also supported. That completes the VoIP setup on the Skyetel side. System Status is always available here.

Configuring a Skyetel Inbound Route

Because there is no SIP registration with Skyetel, incoming calls to Skyetel trunks will NOT be sent to the Default Inbound Route configured on your PBX because FreePBX treats the calls as blocked anonymous calls without an Inbound Route pointing to the 11-digit number of each Skyetel DID. From the GUI, choose Connectivity -> Inbound Routes. You will note that we already have configured a Skyetel template for you. Simply edit the existing entry and plug in the 11-digit phone number (beginning with a 1) of your Skyetel DID . Set the Destination for the incoming DID as desired and click Submit. It defaults to extension 701.

If your PBX is sitting behind a NAT-based router, you’ll need to redirect incoming UDP 5060 traffic to the private IP address of your PBX. Then place a test call to each of your DIDs after configuring the Inbound Routes.

If you have installed the Incredible Fax add-on, you can enable Fax Detection under the Fax tab. And, if you’d like CallerID Name lookups using CallerID Superfecta, you can enable it under the Other tab before saving your setup and reloading your dialplan.

Configuring a Skyetel Outbound Route

If Skyetel will be your primary provider, it is preconfigured by default on the Raspberry Pi platform so you can use both 10-digit and 11-digit dialing to process outbound calls through your Skyetel account. If you prefer another setup, choose Connectivity -> Outbound Routes.

There are a million ways to design outbound calling schemes on PBXs with multiple trunks. One of the simplest ways is to use no dial prefix for the primary trunk and then use dialing prefixes for the remaining trunks.

Another outbound calling scheme would be to assign specific DIDs to individual extensions on your PBX. Here you could use NXXNXXXXXX with the 1 Prepend as the Dial Pattern with every Outbound Route and change the Extension Number in the CallerID field of the Dial Pattern. With this setup, you’d need a separate Outbound Route for each group of extensions using a specific trunk on your PBX. Additional dial patterns can be added for each extension designated for a particular trunk. A lower priority Outbound Route then could be added without a CallerID entry to cover extensions that weren’t restricted or specified.

HINT: Keep in mind that Outbound Routes are processed by FreePBX in top-down order. The first route with a matching dial pattern is the trunk that is selected to place the outbound call. No other outbound routes are ever used even if the call fails or the trunk is unavailable. To avoid failed calls, consider adding additional trunks to the Trunk Sequence in every outbound route. In summary, if you have multiple routes with the exact same dial pattern, then the match nearest to the top of the Outbound Route list wins. You can rearrange the order of the outbound routes by dragging them into any sequence desired.

Audio Issues with Skyetel

If you experience one-way or no audio on some calls, make sure you have filled in the NAT Settings section in the GUI under Settings -> Asterisk SIP Settings -> General. In addition to adding your external and internal IP addresses there, be sure to add your external IP address in /etc/asterisk/sip_general_custom.conf like the following example and restart Asterisk:

externip=xxx.xxx.xxx.xxx

If you’re using PJSIP trunks or extensions on your PBX, implement this fix as well.

Receiving SMS Messages Through Skyetel

Most Skyetel DIDs support SMS messaging. Once you have purchased one or more DIDs, you can edit each number and, under the SMS & MMS tab, you can redirect incoming SMS messages to an email or SMS destination of your choice using the following example:



Sending SMS Messages Through Skyetel

We’ve created a simple script that will let you send SMS messages from the Linux CLI using your Skyetel DIDs. In order to send SMS messages, you first will need to create an SID key and password in the Skyetel portal. From the Settings icon, choose API Keys -> Create. Once the credentials appear, copy both your SID and Password. Then click SAVE.

Next, from the Linux CLI, issue the following commands to download the sms-skyetel script into your /root folder. Then edit the file and insert your SID, secret, and DID credentials in the fields at the top of the script. Save the file, and you’re all set.

cd /root
wget http://incrediblepbx.com/sms-skyetel
chmod +x sms-skyetel
nano -w sms-skyetel

To send an SMS message, use the following syntax where 18005551212 is the 11-digit SMS destination: sms-skyetel 18005551212 "Some message"

Configuring a Softphone for Incredible PBX

We’re in the home stretch now. You can connect virtually any kind of telephone to your new PBX. Plain Old Phones require an analog telephone adapter (ATA) which can be a separate board in your computer from a company such as Digium. Or it can be a standalone SIP device such as ObiHai’s OBi100 or OBi110 (if you have a phone line from Ma Bell to hook up as well). SIP phones can be connected directly so long as they have an IP address. These could be hardware devices or software devices such as the YateClient softphone. We’ll start with a free one today so you can begin making calls. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum when you’re ready to get serious about VoIP telephony.

We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Applications _> Extensions -> 701 and write down your SIP/IAX Password. You can also reset it by running /root/update-passwords. Fill in the blanks using the IP address of your Server, 701 for your Username, and whatever Password you assigned to the extension when you installed Incredible PBX. Click OK to save your entries.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:

DEMO - Apps Demo
123 - Reminders
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
TODAY - Today in History

If you are a Mac user, another great no-frills softphone is Telephone. Just download and install it from the Mac App Store.

Upgrading to IBM Speech Engines

If you’ve endured Google’s Death by a Thousand Cuts with text-to-speech (TTS) and voice recognition (STT) over the years, then we don’t have to tell you what a welcome addition IBM’s new speech utilities are. We can’t say enough good things about the new IBM Watson TTS and STT offerings. With IBM’s services, you have a choice of free or commercial tiers. Let’s put the pieces in place so you’ll be ready to play with the Whole Enchilada.

Getting Started with IBM Watson TTS Service

We’ve created a separate tutorial to walk you through obtaining and configuring your IBM Watson credentials. Start there.

Next, login to your Incredible PBX server and issue these commands to update your Asterisk dialplan and edit ibmtts.php:

cd /var/lib/asterisk/agi-bin
./install-ibmtts-dialplan.sh
nano -w ibmtts.php

Insert your credentials in $IBM_username and $IBM_password. For new users, your $IBM_username will be apikey. Your $IBM_password will be the TTS APIkey you obtained from IBM. Next, verify that $IBM_url matches the entry provided when you registered with IBM. Then save the file: Ctrl-X, Y, then ENTER. Now reload the Asterisk dialplan: asterisk -rx "dialplan reload". Try things out by dialing 951 (news) or 947 (Weather) from an extension registered on your PBX.

Getting Started with IBM Watson STT Service

Now let’s get IBM’s Speech to Text service activated. Log back in to the IBM Cloud. Click on the Speech to Text app. Choose a Region to deploy in, choose your Organization from the pull-down menu, and select STT as your Space. Choose the Standard Pricing Plan. Then click Create. When Speech to Text Portal opens, click the Service Credentials tab. In the Actions column, click View Credentials and copy down your STT username and password.

Finally, login to your Incredible PBX server and issue these commands to edit getnumber.sh:

cd /var/lib/asterisk/agi-bin
nano -w getnumber.sh

Insert apikey as your API_USERNAME and your actual STT APIkey API_PASSWORD in the fields provided. Then save the file: Ctrl-X, Y, then ENTER. Update your Voice Dialer (411) to use the new IBM STT service:

sed -i '\\:// BEGIN Call by Name:,\\:// END Call by Name:d' /etc/asterisk/extensions_custom.conf
sed -i '/\\[from-internal-custom\]/r ibm-411.txt' /etc/asterisk/extensions_custom.conf
asterisk -rx "dialplan reload"

Now try out the Incredible PBX Voice Dialer with AsteriDex by dialing 411 and saying "Delta Airlines."

Transcribing Voicemails with IBM Watson STT Service

We’ve included the necessary script to transcribe your incoming voicemails using IBM’s STT service. Navigate to the /usr/local/sbin folder and edit sendmailmp3.ibm. Insert your APIKEY in the password field and save the file. Now copy the file to sendmailmp3 and make the file executable: chmod +x sendmailmp3.

Using Gmail as a SmartHost for SendMail

Many Internet service providers block email transmissions from downstream servers (that’s you) to reduce spam. The simple solution is to use your Gmail account as a smarthost for SendMail. Here’s how. Log into your server as root and issue the following commands:

cd /etc/mail
hostname -f > genericsdomain
touch genericstable
makemap -r hash genericstable.db < genericstable
mv sendmail.mc sendmail.mc.original
wget http://incrediblepbx.com/sendmail.mc.gmail
cp sendmail.mc.gmail sendmail.mc
mkdir -p auth
chmod 700 auth
cd auth
echo AuthInfo:smtp.gmail.com \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" > client-info
echo AuthInfo:smtp.gmail.com:587 \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" >> client-info
echo AuthInfo:smtp.gmail.com:465 \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" >> client-info
nano -w client-info

When the nano editor opens the client-info file, change the 3 user_id entries to your Gmail account name without @gmail.com and change the 3 password entries to your actual Gmail password. Save the file: Ctrl-X, Y, then ENTER.

Now issue the following commands. In the last step, press ENTER to accept all of the default prompts:

chmod 600 client-info
makemap -r hash client-info.db < client-info
cd ..
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.mc
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.mc
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/Makefile
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.cf
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/databases
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.mc.gmail
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.cf.errors
make
sendmailconfig

Finally, stop and restart SendMail and then send yourself a test message. Be sure to check your spam folder!

/etc/init.d/sendmail stop
/etc/init.d/sendmail start
apt-get install mailutils -y
echo "test" | mail -s testmessage yourname@yourdomain.com

Check mail success with: tail /var/log/mail.log. If you have trouble getting a successful Gmail registration (especially if you have previously used this Google account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

Configuring a SIP URI Address for Your PBX

Setting up a SIP URI is a simple way to let anyone with a SIP phone call you from anywhere in the world and talk for as long and as often as you like FOR FREE. The drawback of SIP URIs is typically the security risk accompanying the SIP exposure you must provide to receive these calls. Here's the safe way using what we call a hybrid SIP URI. It works like this. Sign up for a VoIP.ms account and create a subaccount that you will register using the VoIPms trunk included in Incredible PBX. As part of the setup in the VoIP.ms portal, assign an Internal Extension Number to your subaccount, e.g. 789123. Make it random so you don't get surprise calls from anonymous sources. The extension can be up to 10 digits long. Next, sign up for a free iNUM DID, e.g. 883510009901234, in your VoIP.ms account. Using Manage DIDs in the portal, link the iNUM DID to your subaccount and assign one of the VoIP.ms POP locations for incoming calls, e.g. atlanta.voip.ms. Next, write down your VoIP.ms account number, e.g. 12345. Once you've completed these three steps and registered the VoIP.ms subaccount on your PBX, you now have two SIP URIs that are protected by your VoIP.ms credentials and don't require you to expose your SIP port to the outside world at all. These SIP URIs can be pointed to different destinations by setting up Inbound Routes using your VoIP.ms account number as one DID and setting up your iNUM number as the second DID. To reach your PBX via SIP URI, callers can use 12345789123@atlanta.voip.ms to reach the DID you set up for your VoIP.ms subaccount where 12345 is your VoIP.ms account number and 789123 is the Internal Extension Number for your subaccount. Or callers can use 8835100099012234@inum.net to reach the DID you set up using your iNUM number that was assigned by VoIP.ms. Don't forget to whitelist the VoIP.ms POP's FQDN for SIP UDP access to your PBX:

/root/add-fqdn voipms atlanta.voip.ms

If you wish to make SIP URI calls yourself, the easiest way is to first set up a free LinPhone SIP Account. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we'll get you started with one of our favorite (free) softphones, YateClient. It's available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for your LinPhone account. You’ll need LinPhone's FQDN (sip.linphone.org) plus your LinPhone account name and password. Fill in the Yate Client template and click OK to save your entries. Once the Yate softphone shows that it is registered, try a test call to one of our demo SIP URIs: sip:weather@demo.nerdvittles.com or sip:news@demo.nerdvittles.com.

Adding the NeoRouter Virtual Private Network

We've made it easy to set up a virtual private network between your PBX and your other computers. NeoRouter is a free VPN for up to 256 machines. It requires that you first set up a server for NeoRouter using a static IP address and preferably a fully-qualified domain name. This is covered in this Nerd Vittles tutorial. Once you have your NeoRouter server operational, adding your PBX to the VPN is easy. Simply run nrclientcmd and enter the FQDN of your VPN server together with your credentials. All clients on the VPN have an encrypted tunnel with private LAN addresses in the 10.0.0.x range. HINT: Setting up a NeoRouter VPN provides an easy way to get back into your server if the firewall ever locks you out since the 10.0.0.x subnet is automatically whitelisted as part of the initial install.

Using PortKnocker to Regain Access to Your PBX

And speaking of getting locked out of your server because you've forgotten to whitelist the IP address of your computer, there's another easy way to regain access: PortKnocker. The way the service works is you send sequential pings to 3 randomized TCP ports that are known only by you. They are listed in /etc/knock.FAQ. When your server detects a match, it will whitelist your new IP address allowing you to login using SSH or Putty. There also are PortKnocker utilities for both iOS and Android devices. Complete implementation details are available in this Nerd Vittles tutorial. If your PBX is sitting behind a router or firewall, don't forget to forward the three TCP ports from your router to the private LAN address of your PBX.

Planning Ahead for That Rainy Day

If you haven't already learned the hard way, let us save you from a future shock. Hardware fails. All of it. So spend an extra hour now so that you'll be prepared when (not if) disaster strikes. First, once you have your new PBX configured the way you plan to use it, make a backup of your PBX by running the Incredible Backup script: /root/incrediblebackup13

Copy down the name of the backup file that was created. You'll need it in a few minutes.

Second, build yourself a VirtualBox platform on your desktop PC using the Ubuntu ISO you previously downloaded. Once you complete the identical Incredible PBX install plus the Whole Enchilada upgrade and Incredible Fax (if used on your primary server), fire up the virtual machine and login as root with password as your password.

Next, create a /backup folder on your new VirtualBox PBX and copy the backup file from your main server to your VirtualBox server and restore it while logged into the VirtualBox PBX as root:

mkdir /backup
scp root@main-pbx-ip-address:/backup/backup-file-name.tar.gz /backup/.
/root/incrediblerestore13 /backup/backup-file-name.tar.gz

Verify that everything looks right by using a browser to access and review the settings in your new VirtualBox PBX. At a minimum, verify extensions, trunks, and routes.

Last but not least, if you're running Incredible PBX in the Cloud on Digital Ocean or Vultr, you can set up automatic backups of your server for only an extra dollar a month. It's the cheapest insurance your can buy. Enjoy!

Continue Reading: Configuring Extensions, Trunks & Routes

Don't Miss: Incredible PBX Application User's Guide covering the 31 Whole Enchilada apps

Originally published: Monday, March 18, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. With some providers including Digital Ocean and Vultr, Nerd Vittles receives referral credits when you sign up for service. This assists in keeping the Nerd Vittles lights burning brightly. So... thank you. []
  2. Skyetel is a Platinum Sponsor of Nerd Vittles and open source projects of Ward Mundy & Associates, LLC. []
  3. In the unlikely event that Skyetel cannot provide a 10% reduction in your current origination rate and/or DID costs, Skyetel will give you an additional $50 credit to use with the Skyetel service. []

One Minute Wonder: Introducing VitalPBX for VirtualBox




Last week we took VitalPBX to the Cloud with our rock-solid firewall. And this week we’ll show you how to get VitalPBX up and running on any desktop computer in less than a minute using VirtualBox®. If you’ve followed Nerd Vittles over the years, you already know that VirtualBox from Oracle® is one of our favorite platforms. Almost any desktop computer can serve as a VirtualBox hosting platform. And once VirtualBox is installed, adding VitalPBX is a snap. Download the VitalPBX image, initialize your MAC address, start up the VM, and boom. Instant PBX perfection! The really nice thing about our tutorials is it doesn’t cost you a dime to try things out for yourself. And the Incredible PBX® feature set is included as well. Just add your credentials and speech-to-text, voice recognition, and a Siri-like interface are as close as your nearest SIP phone. Splurge with a $4.99 one-time purchase to add Google Voice, and you’ve got unlimited free calling in the U.S. and Canada. So why wait? Let’s get started.

Installing Oracle VM VirtualBox

Oracle’s virtual machine platform inherited from Sun is amazing. It’s not only free, but it’s pure GPL2 code. VirtualBox gives you a virtual machine platform that runs on top of any desktop operating system. In terms of limitations, we haven’t found any. We even tested this on an Atom-based Windows 7 machine with 2GB of RAM, and it worked without a hiccup. So step #1 today is to download one or more of the VirtualBox installers from VirtualBox.org or Oracle.com. Our recommendation is to put all of the 100MB installers on a 4GB thumb drive.1 Then you’ll have everything in one place whenever and wherever you happen to need it. Once you’ve downloaded the software, simply install it onto your favorite desktop machine. Accept all of the default settings, and you’ll be good to go. For more details, here’s a link to the Oracle VM VirtualBox User Manual.

Installing Incredible PBX for VitalPBX VM

To begin, download the Incredible PBX for VitalPBX .ova image (1.0 GB) to the computer on which you installed VirtualBox.

Next, double-click on the VitalPBX .ova image on your desktop. Be sure to check the box to initialize the MAC address of the image and then click Import. Once the import is finished, you’ll see a new VitalPBX virtual machine in the VM List of the VirtualBox Manager Window. Let’s make a couple of one-time adjustments to the VitalPBX configuration to account for differences in sound and network cards on different host machines.

(1) Click once on the VitalPBX virtual machine in the VM List. Then (2) click the Settings button. In the Audio tab, check the Enable Audio option and choose your sound card. In the Network tab for Adapter 1, check the Enable Network Adapter option. From the Attached to pull-down menu, choose Bridged Adapter. Then select your network card from the Name list. Then click OK. That’s all the configuration that is necessary for VitalPBX.

Running VitalPBX in VirtualBox

Once you’ve imported and configured the VitalPBX Virtual Machine, you’re ready to go. Highlight the VitalPBX virtual machine in the VM List on the VirtualBox Manager Window and click the Start button. The standard CentOS boot procedure will begin and, within a few seconds, you’ll get the familiar Linux login prompt. During the bootstrap procedure, you’ll see a couple of dialogue boxes pop up that explain the keystrokes to move back and forth between your host operating system desktop and your virtual machine. Remember, you still have full access to your desktop computer. Incredible PBX for VitalPBX is merely running as a task in a VM window. Always gracefully halt VitalPBX just as you would on any computer.

Here’s what you need to know. To work in the VitalPBX virtual machine, just left-click your mouse while it is positioned inside the VM window. To return to your host operating system desktop, press the right Option key on Windows machines or the left Command key on any Mac. For other operating systems, read the dialogue boxes for instructions on moving around. To access the Linux CLI, login as root with the default password: password. Change your root password immediately by typing: passwd.

VitalPBX comes preconfigured so we need to login to the virtual machine for one primary reason, to obtain the IP address of VitalPBX. Once you’ve deciphered the IP address, point your favorite web browser at the IP address you wrote down. You’ll be prompted to create an admin password for your PBX and then you’ll be asked to register the PBX with Telesoft.

We’re assuming your VitalPBX VM is set up behind a hardware-based firewall. If not, you should immediately configure the firewall as documented in our VitalPBX in the Cloud article.

First, you’ll need to change the password for Extension 701: PBX:Extensions:Edit:701. The Edit option is the four-bar icon in the upper right corner of the VitalPBX dialog window. Click Save and Reload your Dialplan.

Next, you’ll need to register a Google Voice trunk with the Simonics SIP/GV Gateway for a one-time fee of $4.99. This gets you unlimited incoming and outgoing calls to the U.S. and Canada if you live in the U.S. Otherwise, set up a SIP trunk and enter your credentials in PBX:External:Trunks:SIP. If you’re using the Simonics gateway, the SIP trunk already has been set up. Just enter your credentials and change Disable Trunk to NO as shown below:



CAUTION: In choosing a DID for outbound calls with Incredible PBX, we strongly recommend that you use a Google Voice trunk. The reason is that, as long as your Google Voice account has no money allocated to it, Google will manage outbound calls to 10 and 11-digit phone numbers and block those that may incur enormous long distance charges from unscrupulous "merchants" in certain Caribbean countries. If you don’t heed our recommendation, we urge you NOT to link an Inbound Route to the Incredible PBX custom context. It’s your phone bill.

If you plan to use VitalPBX for "real work," then you’ll also want to change the Conference credentials for 2663 (C-O-N-F): PBX:Applications:Conference.

The VitalPBX virtual machine comes preconfigured to direct all incoming calls to Allison’s Demo IVR for Incredible PBX. If you’d prefer some other setup, change the Destination of the Default Inbound Route: PBX:External:Inbound Route:Default.

Configuring Incredible PBX for VitalPBX

In order to take advantage of all the Incredible PBX applications, you’ll need to obtain IBM text-to-speech (TTS) and speech-to-text (STT) credentials as well as a (free) Application ID for Wolfram Alpha.

NOV. 1 UPDATE: IBM has moved the goal posts effective December 1, 2018:

This Nerd Vittles tutorial will walk you through getting your IBM account set up and obtaining both your TTS and STT credentials. Be sure to write down BOTH sets of credentials which you’ll need in a minute. For home and SOHO use, IBM access and services are FREE even though you must provide a credit card when signing up. The IBM signup process explains their pricing plans.

To use Wolfram Alpha, sign up for a free Wolfram Alpha API account. Just provide your email address and set up a password. It takes less than a minute. Log into your account and click on Get An App ID. Make up a name for your application and write down (and keep secret) your APP-ID code. That’s all there is to getting set up with Wolfram Alpha. If you want to explore costs for commercial use, there are links to let you get more information.

In addition to your Wolfram Alpha APPID, there are two sets of IBM credentials to plug into the Asterisk AGI scripts. Keep in mind that there are different usernames and passwords for the IBM Watson TTS and STT services. The TTS credentials will look like the following: $IBM_username and $IBM_password. The STT credentials look like this: $API_USERNAME and $API_PASSWORD. Don’t mix them up. 🙂

All of the scripts requiring credentials are located in /var/lib/asterisk/agi-bin so switch to that directory after logging into your server as root. Edit each of the following files and insert your TTS credentials in the variables already provided: nv-today2.php, ibmtts.php, and ibmtts2.php. Edit each of the following files and insert your STT credentials in the variables already provided: getquery.sh, getnumber.sh, and getnumber2.sh. Finally, edit 4747 and insert your Wolfram Alpha APPID.

Using Asteridex with VitalPBX

AsteriDex is a web-based dialer and address book application for Asterisk and VitalPBX. It lets you store and manage phone numbers of all your friends and business associates in an easy-to-use SQLite3 database. You simply call up the application with your favorite web browser: http://vitalpbx-ip-address/asteridex4/. When you click on a contact that you wish to call, AsteriDex first calls you at extension 701, and then AsteriDex connects you to your contact through another outbound call made using your default outbound trunk that supports numbers in the 1NXXNXXXXXX format.

Before AsteriDex Click-to-Call will work, you must authorize AsteriDex to access Asterisk from your browser. After logging into your server as root, edit the following file in /etc/asterisk/ombutel: manager__50-ombutel-user.conf. For each public IP address you wish to authorize, add an entry like the following immediately below the existing permit entry in the file. The non-routable IP address subnets already have been configured so, if you’re using a browser behind the same firewall as VitalPBX, you can skip this step. Otherwise reload the dialplan after adding public IP addresses: asterisk -rx "dialplan reload"

permit=12.34.56.78

Taking Incredible PBX for a Test Drive

You can take Incredible PBX for VitalPBX on a test drive in two ways. You can call our server, and then you can try things out on your own server and compare the results. Call our IVR by dialing 1-843-606-0555. For our international friends, you can use the following SIP URI for a free call: 10159591015959@atlanta.voip.ms. For tips on setting up your own secure, hybrid SIP URI with VitalPBX, see our original tutorial. The FreePBX® setup is virtually identical except for the location of the custom SIP setting for match_auth_username=yes. On a VitalPBX server, you will enter it here: Settings:Technology Settings:SIP Settings:CUSTOM.

With Allison’s Demo IVR, you can choose from the following options:

  • 0. Chat with Operator — connects to extension 701
  • 1. AsteriDex Voice Dialer – say "Delta Airlines" or "American Airlines" to connect
  • 2. Conferencing – log in using 1234 as the conference PIN
  • 3. Wolfram Alpha Almanac – say "What planes are flying overhead"
  • 4. Lenny – The Telemarketer’s Worst Nightmare
  • 5. Today’s News Headlines — courtesy of Yahoo! News
  • 6. Weather by ZIP Code – enter any 5-digit ZIP code for today’s weather
  • 7. Today in History — courtesy of OnThisDay.com
  • 8. Chat with Nerd Uno — courtesy of SIP URI connection to 3CX iPhone Client
  • 9. DISA Voice Dialer — say any 10-digit number to be connected
  • *. Current Date and Time — courtesy of VitalPBX

You can call your own IVR in two ways. From an internal VitalPBX phone, dial D-E-M-O (2663) to be connected. Or simply dial the number of the DID you routed to the Incredible PBX Custom Context. Either way, you should be connected to the Incredible PBX IVR running on your VitalPBX server. Be sure that you heed AND test the CAUTION documented above. Enjoy!

Originally published: Monday, April 9, 2018





Need help with VitalPBX? Visit the VitalPBX Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Many of our purchase links refer users to Amazon when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from Amazon to help cover the costs of our blog. We never recommend particular products solely to generate Amazon commissions. However, when pricing is comparable or availability is favorable, we support Amazon because Amazon supports us. []

VitalPBX in the Cloud: Providers, Backups, & Airtight Security

Last month we introduced VitalPBX, a terrific new (free) VoIP platform that’s about as intuitive as software can get. We followed up with a dozen Incredible PBX applications that really showed off the flexibility of this new Asterisk® platform. And today we’re pleased to introduce two new cloud solutions that offer our whitelist firewall design for security plus automatic backups. Both Digital Ocean and Vultr offer terrific performance coupled with a $5/month price point that is easy on your wallet. Our tip of the hat goes to Digital Ocean this month because they are again offering a $10 credit on new accounts while also generously supporting Nerd Vittles. That translates into two free months of VitalPBX in the Cloud service for you to kick the tires. If you like what you see, you can spring for the extra $1 a month and add automatic backups to your $5/mo. bill going forward. With a $10 credit, what’s to lose?

To get started, set up an account with one of these cloud providers and create a $5 a month server with 64-bit CentOS 7 in your choice of cities. Once you have your root password, log into your new server as root using SSH or Putty. On Digital Ocean, you will be prompted to change your password the first time you login. On Vultr, you have to manually do it by issuing the command: passwd. Then you’re ready to begin the VitalPBX install. Just issue the following commands and then grab a cup of coffee.

cd /root
yum -y install wget nano tar
wget https://raw.githubusercontent.com/wardmundy/VPS/master/vps.sh
chmod +x vps.sh
./vps.sh

The base install takes less than 15 minutes to complete. When it’s finished, use a web browser from your desktop PC and log into the IP address of your new VitalPBX server. You’ll be prompted to set up an admin password for GUI access and then you register your server with Telesoft. Should you ever forget your admin password, here’s how to force a reset on your next login from a browser:

mysql ombutel -e 'update ombu_settings set value = "yes" where name = "reset_pwd"'

After logging in, you’ll be presented with the VitalPBX Dashboard:



From here, the drill is pretty much the same as what was outlined in our original VitalPBX tutorial. So jump over there to complete your set up and configure extensions, trunks, routes, and a few other settings for your new PBX. Then pick back up here to secure your server!

Security Methodology. What is different on the cloud platform is you don’t have a hardware-based firewall to protect your server. So we’ll need to configure VitalPBX using its built-in firewalld and Fail2Ban applications. Our preference is to use a whitelist of IP addresses to access your server and its resources. In that way, the Bad Guys never even see your server on the Internet. Our security philosophy is simple. If you can’t see it, you can’t hack it.

In addition to a WhiteList of public IP addresses, we also will enable a secure NeoRouter VPN front door to your server as well as a PortKnocker backdoor thereby providing three separate and secure ways to gain server access without publicly exposing VitalPBX to the Internet. If you have a better way, by all means go for it. After all, it’s your phone bill.

Firewall and Fail2Ban Setup. To begin, login to the VitalPBX GUI with a browser using your admin credentials. Then do the following:

(1.) Add NeoRouter VPN Protocol TCP Port 32976 in Admin:Security:Firewall:Services.

(2.) Add NeoRouter VPN Action ACCEPT rule in Admin:Security:Firewall:Rules.

(3.a.) WhiteList your client and server IP addresses in Admin:Security:Firewall:WhiteList.
(3.b.) WhiteList 127.0.0.1 (for localhost) and 10.0.0.0/24 (for NeoRouter VPN).
(3.c.) WhiteList the IP addresses of any potential unregistered trunk providers.
(3.d.) WhiteList the public IP addresses of any extensions you plan to install.

(4.) Enable Fail2Ban in Admin:Security:Intrusion Detection.

(5.a.) WhiteList your client IP address(es) in Admin:Security:Intrusion Detection:Whitelist.
(5.b.) WhiteList the NeoRouter VPN subnet, 10.0.0.0/24, as well.

(6.) Remove the following rules from Admin:Security:Firewall:Rules

SIP
HTTP
HTTPS
SSH
IAX2
PJSIP

(7.) Reload the VitalPBX dialplan by clicking the Red indicator (upper right of the GUI).

(8.) Verify IPtables WhiteList: iptables -nL | grep ACCEPT

(9.) Verify Fail2Ban WhiteList: grep -r ignoreip /etc/fail2ban/jail.d/*

Travelin’ Man 3 Addition. One of the major shortcomings in the firewalld implementation of IPtables is the lack of any support for fully-qualified domain names in their WhiteList. For those that want to use dynamic DNS updating services with custom FQDNs to manage remote user access to your server, this is a serious limitation even though PortKnocker alleviates some of the misery. So here’s our solution. We have reworked the Travelin’ Man 3 toolkit for VitalPBX so that you can use command line scripts to add (add-ip and add-fqdn), remove (del-acct), and manage (ipchecker) your WhiteList using either IP addresses (add-ip) or FQDNs (add-fqdn). The automatic update utility (ipchecker) will keep your FQDNs synchronized with your dynamic IP address service by updating the WhiteList every 10 minutes between 5 a.m. and 10 p.m. daily. Keep in mind that this is a supplement to the existing VitalPBX firewall setup documented above. And we only recommend that you add it if you plan to implement automatic management of dynamic IP addresses with FQDNs for your extensions and remote users.

If you plan to use the TM3 addition, you are strongly urged to not make further firewall changes using the VitalPBX GUI unless (1) you can also remember to keep your desktop PC’s IP address whitelisted in VitalPBX and (2) you remember to restart IPtables (iptables-restart) in the CLI after having made firewall changes in the VitalPBX GUI. Otherwise, you will lose your Travelin’ Man 3 WhiteList entries which means folks will get locked out of your server until the TM3 WhiteList is updated by running iptables-restart. All TM3 WhiteListed entries are stored and managed in individual text files in /root with a file extension of .iptables. Do not manually delete them!

To install the TM3 addition, issue the following commands:

cd /
wget http://incrediblepbx.com/tm3-vitalpbx.tar.gz
tar zxvf tm3-vitalpbx.tar.gz
rm -f tm3-vitalpbx.tar.gz
echo "/usr/local/sbin/iptables-boot" >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local
echo "*/10 5-22 * * * root /usr/local/sbin/ipchecker > /dev/null 2>&1" >> /etc/crontab

Using DynDNS to Manage FQDNs. The key ingredient with Travelin’ Man 3 is automatic management of dynamic IP addresses. When a user or even the administrator moves to a different location or IP address, we don’t want to have to manually adjust anything. So what you’ll first need is a DynDNS account. Other free providers are available but are less flexible. For $40 a year, DynDNS lets you set up 30 FQDNs and keep the IP addresses for those hostnames current. That’s more than ample for almost any small business but, if you need more horsepower, DynDNS.com can handle it. What we recommend is setting up a separate FQDN for each phone on your system that uses a dynamic IP address. This can include the administrator account if desired because it works in exactly the same way. When the administrator extension drops off the radar, a refresh of IPtables will bring all FQDNs back to life including the administrator’s account. Sounds simple? It is.

Getting Started with Travelin’ Man 3. Here are the 5 tools that are included in the TM3 suite for VitalPBX:

  • add-ip some-label ip-address – Allows you to add an IP address to the WhiteList
  • add-fqdn some-label FQDN – Allows you to add an FQDN to the WhiteList
  • del-acct some-label.iptables – Deletes an IP address or FQDN from WhiteList
  • ipchecker – Runs every 10 minutes to synchronize FQDNs; do NOT run manually
  • iptables-restart – Restarts IPtables and adds TM3 WhiteListed IPs and FQDNs
  • iptables-boot – Loads TM3 WhiteListed IPs and FQDNs on boot only
  • show-whitelist – Displays contents of both VitalPBX and TM3 WhiteLists

Using Email to Manage Your WhiteList. We have one new addition to Travelin’ Man 3 for the VitalPBX platform. Now your authorized users can send an email to the VitalPBX server to whitelist an IP address and gain access. Two different passwords are supported and can be handed out to different classes of PBX users, e.g. administrators and ordinary users. Using the "permanent" password lets someone add an IP address to the VitalPBX whitelist permanently. Using the "temporary" password lets a user add an IP address to the whitelist until the next reboot or firewall restart. In both cases, the administrator gets an immediate email showing the whitelisted IP address, who requested it, and the type of whitelist entry that was requested. The syntax for the email request is straight-forward. Just send an email to the special email account set up to handle these requests and include a Subject for the message that looks exactly like this where 8.8.8.8 is the IP address to be whitelisted and some-password is one of the two passwords: WhiteList 8.8.8.8 PW some-password

As most of you know, we’re sticklers for security, and there’s plenty of it here. First, we recommend you use an obscure FQDN for your server so that it is not easily guessed by someone wanting to do harm. Second, we assume your IP address also won’t be published. Third, the email account name also should be obscure. Think of it as another password. For example, martin432 would be a good choice while whitelist would be pretty lousy. Keep in mind that the only people sending mail to this account will be folks that need immediate access to your PBX. Finally, BOTH of the passwords to use the email feature need to be long and difficult to decipher. A mix of alphanumeric characters and upper and lowercase letters is strongly recommended because it makes successful penetration nearly impossible.

To begin, we need to reconfigure your VitalPBX Firewall to accept incoming email on TCP port 25. In Admin:Security:Firewall:Services, Add a new service that looks like the following: Name: SMTP    Protocol: TCP    Port: 25. Then SAVE your entry.

Next, we need to add a VitalPBX Firewall Rule that allows incoming SMTP traffic. In Admin:Security:Firewall:Rules, Add a new rule: Service: SMTP    Action: Accept. Then SAVE.

Next, we need to log into the Linux CLI as root to do a couple of things. First, we need to reconfigure Postfix to accept emails from outside our server. Replace 8.8.8.8 with the actual IP address of your server. Replace smtp.myserver.com with the actual FQDN of your server. If you don’t have one, simply remove the FQDN from the command.

yum -y install mailx
postconf -e "mynetworks = 127.0.0.0/8, 8.8.8.8"
postconf -e "mydestination = smtp.myserver.com, localhost.localdomain, localhost"
postconf -e "inet_interfaces = all"
postconf -e "recipient_delimiter = +"
service postfix restart

Second, we need to add an email account to process the incoming emails. Replace someuser on each line with that obscure account name you plan to use for incoming emails. Then send yourself a test email and be sure it arrives. The last command cleans out the mail account.

adduser someuser --shell=/bin/false --no-create-home --system -U 
echo "test" | mail -s "Hello World" someuser
mail -u someuser
> /var/mail/someuser

Finally, we need to set up your passwords and admin email address in /root/mailcheck. To begin, insert your actual mail account name in the following command by replacing realuser and then execute the command:

sed -i 's|someuser|realuser|' /root/mailcheck

Now edit /root/mailcheck with nano or your favorite editor and change the TempPW, PermPW, and MyEMail entries. Then save the file and add the following entry to /etc/crontab:

*/3 5-22 * * * root /root/mailcheck > /dev/null 2>&1
 

CAUTION: Because of the bifurcated nature of the integration of TM3’s WhiteList into the VitalPBX firewall setup, be advised that you never want to make a change in the VitalPBX GUI’s firewall configuration without assuring that the desktop machine from which you are making that change is already included in the VitalPBX Whitelist (see #3.a., above). The same applies to issuing an iptables-restart from the Linux CLI. The reason is there are two separate whitelists and either of these actions would temporarily disable the TM3 WhiteList until the iptables-restart procedure was executed AND completed. In both situations, you most probably would be locked out of web and SSH access to your own server. A VitalPBX firewall reload only restarts firewalld with the VitalPBX WhiteList, and an iptables-restart from the CLI first restarts firewalld without the TM3 WhiteList rules and then adds the TM3 WhiteList rules after the firewalld reload is completed. We have added safeguards to some of the TM3 utilities to keep you from shooting yourself in the foot by requiring the VitalPBX WhiteList addition before you can use the TM3 iptables-restart and del-acct utilities; however, this is not the case with ipchecker which typically runs as a cron job from localhost. Because there is no safeguard mechanism, do NOT run it manually unless you’re sure you first have whitelisted your desktop PC’s IP address in the VitalPBX GUI (see #3.a., above). Without getting down in the weeds, we also have no ability to control the internal workings of the VitalPBX firewall. Should you get locked out of your server, there are three remedies. The first is the email solution documented above. The second is to use PortKnocker to regain access. The third is to use the localhost console in the Digital Ocean or Vultr control panel to issue the iptables-restart command. You might want to print this out for a rainy day. 🙂

PortKnocker Installation. You may not know the remote IP addresses of everyone using your PBX, and some of your users may travel to different sites and need a temporary IP address whitelisted while using a WiFi hotspot. And, not that it would happen to you, but once in a while an administrator locks himself out of his own server by changing IP addresses without first whitelisting the new address. The solution to all of these problems is easy with PortKnocker. The user simply sends three sequential pings to ports known only by you and your users using the machine or smartphone that needs access. You can read our original tutorial for more detail. For today, let’s get PortKnocker installed and configured with your three random ports. You can review the assignment at any time by displaying /root/knock.FAQ which also explains how to send the knocks using a desktop machine or a smartphone.

cd /root
wget http://incrediblepbx.com/knock-vitalpbx.sh
chmod +x knock-vitalpbx.sh
./knock-vitalpbx.sh

As with other Incredible PBX Travelin’ Man 3 implementations, IP addresses whitelisted using PortKnocker only last until the next reboot, or until you issue the following command firewall-cmd --reload (does not reload TM3 WhiteList), or until you execute a firewall update from within the VitalPBX GUI (does not reload TM3 WhiteList), or until you issue the command iptables-restart which restarts the firewall AND loads the TM3 WhiteList entries. To permanently WhiteList IP addresses, follow the procedure in Step #3 above or add the entries using the TM3 utilities documented in the previous section.

NeoRouter Installation. A virtual private network (VPN) is perhaps the safest way to access any server including VitalPBX. All of your communications is securely encrypted and you connect to the server through a network tunnel using a non-routable, private IP address. There are many VPNs from which to choose. Our personal favorite is NeoRouter because up to 256 devices can be interconnected at zero cost, and you can set the whole thing up in minutes with virtually no networking expertise. If you want all of the background on NeoRouter, see our latest tutorial.

NeoRouter uses a star topology which means you must run the NeoRouter Server application on a computer platform that is accessible over the Internet all the time. Then each of the remote devices or servers runs the NeoRouter Client application, connects to the server to obtain a private IP address, and then can communicate with all of the other devices connected to the VPN. If you already have a NeoRouter Server in place, then you can skip the server installation step and skip down to installing the NeoRouter Client on your VitalPBX server.

NeoRouter Server Setup. If you’re just getting started with NeoRouter, the first step is setting up the NeoRouter Server on a platform of your choice. If you’re using the Automatic Backup feature of Digital Ocean or Vultr, then your VitalPBX server is probably as good a site as any. NeoRouter Server uses minimal resources, and outages shouldn’t be a problem except for hurricanes, tornados, and bombs. But, just so you know, if the NeoRouter Server is down, none of the NeoRouter Clients can access the VPN or any other clients so you’d have to resort to public IP addresses for network access.

To install NeoRouter Server on your VitalPBX platform, log into your server as root and issue the following commands:

cd /root
wget http://download.neorouter.com/Downloads/NRFree/Update_2.3.1.4360/Linux/CentOS/nrserver-2.3.1.4360-free-centos-x86_64.rpm
rpm -Uvh nrserver-2.3.1.4360-free-centos-x86_64.rpm

Next, create at least one account with administrator privileges and one account with user privileges to your NeoRouter VPN:

nrserver -adduser admin-name admin-password admin
nrserver -adduser user-name user-password user

The commands to manage NeoRouter Server are a little different on the CentOS 7 platform. Here’s what you’ll need:

Start on boot: systemctl enable nrserver.service
Check status: systemctl status nrserver.service
Restart server: systemctl restart nrserver.service
Change settings: nrserver -help

NeoRouter Client Setup. Whether you’re running NeoRouter Server on your VitalPBX platform or not, you’ll still need to install and configure the NeoRouter Client software in order to access the server through the VPN using a remote computer, smartphone, or tablet. NeoRouter Clients for Linux, Windows, Macs, FreeBSD, Mobile, OpenWRT, Tomato, and HTML5 are available here. Be sure to choose the NRFree V2 platform tab before downloading a client, or you’ll get the wrong client software and nothing will work! Ask us how we know.

To install NeoRouter Client on your VitalPBX platform, log into your server as root and issue the following commands:

cd /root
wget http://download.neorouter.com/Downloads/NRFree/Update_2.3.1.4360/Linux/CentOS/nrclient-2.3.1.4360-free-centos-x86_64.rpm
rpm -Uvh nrclient-2.3.1.4360-free-centos-x86_64.rpm

As with NeoRouter Server, the commands to manage NeoRouter Client are a little different on the CentOS 7 platform. Here’s what you’ll need:

Start on boot: systemctl enable nrservice.service
Check status: systemctl status nrservice.service
Restart client: systemctl restart nrservice.service
Login to VPN: nrclientcmd

The main requirement after installing the software is to login to your VPN: nrclientcmd. You’ll be prompted for the FQDN or IP address of your NeoRouter Server and then the admin or user credentials. If successful, you’ll get a display of all the machines logged into the VPN, including the VitalPBX server.

NeoRouter Network Explorer – somebody@vultr.guest

> My Computers
10.0.0.2 vultr.guest

Available Commands: changeview, wakeonlan, setproxy, changepassword, quit
Enter command:

The next step is to download and install NeoRouter Client software on your desktop computer and smartphone. Then you can remotely connect to your VitalPBX server from those platforms. In our example above, you could login to 10.0.0.2 with either SSH or your web browser and never have to worry about whitelisting your remote machines with VitalPBX.

Checking VitalPBX Status. As with other Incredible PBX platforms, we have reworked the pbxstatus utility to support VitalPBX. Running it from the command prompt will display the status of all of the key services on your PBX. Note the addition of the VPN’s IP address which tells you that NeoRouter Client is alive and well:



Configuring Automatic Backups. When you’re ready to enable backups for a Digital Ocean droplet, navigate to the list of droplets for your account. Click the Droplet name for which you’d like to enable backups, and then click the Backups menu item. This will display the cost of backups for the given droplet. Click the Enable Backups button to enable backups.

The Vultr setup is similar. Automatic backup settings are managed through the Vultr control panel. Once you log into your account, visit the server’s management area, click on your server in the dialog, and then click on the "Backups" tab for your VPS. Click Enable Backups. On either platform, the backup option adds a $1 a month to the cost of the $5 server. That’s pretty cheap insurance.

Originally published: Monday, April 2, 2018





Need help with VitalPBX? Visit the VitalPBX Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Twofer Tuesday: 2 Cloud Servers for the Price of a RasPi




It’s been more than a year since we last chatted about Cloud At Cost. Because they’re in the midst of yet another 50% off Fire Sale and to close out February with a bang, it seemed like a good time to take a fresh look at a terrific way to get started with Linux. For today’s $35 cloud project, we’re going to build a free WordPress server and a free commercial PBX compliments of 3CX. For what it’s worth, we’ve been running a PIAF5 server at CloudAtCost for more than four months without a single hiccup. It provides flawless Google Voice calling from either a connected SIP phone or from the 3CX Client running on a SIM-free Android phone or iPhone. See our recent article for tips on setting up a SIM-free mobile phone.

For those coming from the Windows World, Linux can be a little intimidating. Learning with a Cloud-based server presents its own challenges because of the security issues when your server sits on the public Internet. And then there’s the cost factor. Not everyone has several hundred dollars to buy hardware and, frankly, learning about Linux on a $35 Raspberry Pi can drive most folks to drink. So today we’ll show you another way. It’s not necessarily a better way. But it’s different, and it’s loads of fun for not much money. Today’s project takes about an hour, and you’ll have two terrific Linux applications to play with for life when we’re finished.

There’s lots to hate at Cloud At Cost, a Canadian provider that offers virtual machines in the cloud for a one-time fee with no recurring charges. For $35, you currently get two virtual machine platforms, and each has 512MB of RAM, 10GB of storage, and a gigabit Internet connection FOR LIFE. We haven’t seen a week go by when Cloud at Cost didn’t offer some sort of discount. Today it’s 50% off which brings the per server cost down to $17.50 each. That’s less than most lunches these days. If you don’t like half off and would prefer to wait for a better discount, check their Twitter feed every few days. So that’s the good news. But, if 99.999% reliability, performance, and excellent customer support are your must-haves, then look elsewhere. So why would anyone in their right mind sign up for a cloud solution that didn’t offer those things? Did we mention it’s $17.50 for a lifetime cloud server!

If you take our recommendation, you’ll need to go into this with the right attitude. It’s not going to be flawless perfection computing. It’s a sandbox on which to experiment with Linux, and VoIP, and Cloud Computing. Will your virtual machine disintegrate at some juncture? Maybe so. We’ve had about a third of ours fail at some point. But you can rebuild them easily, especially if you keep a backup. Our experience is that the first couple days are critical. If you start seeing sluggish performance which degenerates to zero, don’t waste your time. Take good notes as you go along, delete the virtual machine, and rebuild a new one. It won’t cost you a dime, and it’ll save you hours of frustration. We suspect that bad folks get onto some of the servers and delight in bringing the machines to their knees. So the quicker you cut your losses, the better off you will be. Is CloudAtCost a good solution for production use? Don’t risk it unless waterboarding is your favorite sport. It’s probably not gonna work, and you WILL be disappointed. Repeat after me: IT’S A SANDBOX!

Building a LAMP Server in the Cloud

Our first objective today is to show you how to build a rock-solid, secure Linux server in the Cloud with all the bells and whistles that make Linux the server platform of choice for almost every organization in the world. We’ll continue by showing you how to embellish the platform with WordPress to do something that’s special for you whether it’s your own blog like Nerd Vittles, or a school newspaper, or an on-line shopping site to sell comic books. The basic foundation for most Linux platforms is called a LAMP server which stands for Linux, Apache, MySQL, and PHP. Linux is an open source operating system that includes contributions from thousands of developers around the world. Apache is the web server platform on which most commercial businesses stake their reputation. MySQL is the open source database management system now owned by Oracle. If it’s good enough for Facebook, it’s good enough for you. And PHP is THE web-based programming language that will let you build almost any application using Linux, Apache, and MySQL.

So what’s the big deal? There are thousands of online tutorials that will show you how to build a LAMP server. For long time readers of Nerd Vittles, you already know that the component we continually stress is security. Without that, the rest really doesn’t matter. You’ll be building a platform for someone else to hijack and use for nefarious purposes. When we’re finished with today’s Project #1, you’ll have a cloud-based LAMP server that is totally invisible to the rest of the world with the exception of its web interface. And we’ll show you a simple way to reduce the exposure of that web interface to some of its most likely attackers. Will it be 100% secure? Nope. If you have a web server on the public Internet, it’s never going to be 100% secure because there’s always the chance of a software bug that nobody has yet discovered and corrected. THAT’S WHAT BACKUPS ARE FOR!

Creating a CentOS Machine in the Cloud

To get started, you’ve got to plunk down your $35 at Cloud at Cost. This buys you two server platforms while they’re cheap! Once you’ve paid the piper, they will send you credentials to log into the Cloud at Cost Management Portal. Change your password IMMEDIATELY after logging in. Just go to SETTINGS and follow your nose.

To create your first virtual machine, click on the CLOUDPRO button and click Add New Server. If you’ve only purchased the $17.50 CloudPRO 1 platform, then you’ll need all of the available resources shown in the pick list. Otherwise, choose 1 CPU, 512MB RAM, and 10GB storage for your first server. Leave CentOS 6.7 64bit selected as the OS Type and click Complete. Depending upon the type of special pricing that Cloud at Cost is offering when you sign up, the time to build your virtual machine can take anywhere from a minute to the better part of a day. We’ve learned to build new virtual machines at night, and they’re usually available for use by the next morning. Luckily, this slow performance does not impact existing virtual machines that already are running in their hosting facility.

Initial Configuration of Your CentOS 6 VM

With a little luck, your virtual machine soon will appear in your Cloud at Cost Management Portal and look something like what’s shown above. The red arrow points to the i button you’ll need to click to decipher the password for your new virtual machine. You’ll need both the IP address and the password for your new virtual machine in order to log into the server which is now up and running with a barebones CentOS 6.7 operating system. Note the yellow caution flag. That’s telling you that Cloud at Cost will automatically shut down your server in a week to save (them) computing resources. You can change the setting to keep your server running 24/7. Click Modify, Change Run Mode, and select Normal – Leave Powered On. Click Continue and OK to save your new settings.

Finally, you’ll want to change the Host Name for your server to something more descriptive than c7…cloudpro.92… Click the Modify button again and click Rename Server to make the change. Your management portal then will show the new server name as shown above.

Logging into Your CentOS 6 VM

In order to configure and manage your new CentOS 6 virtual machine, you’ll need to log into the new server using either SSH or, for Windows users, Putty. After installing Putty, run it and log in to the IP address of your VM with username root and the password you deciphered above. On a Mac, open a Terminal session and issue a command like this using the actual IP address of your new virtual machine:

ssh root@12.34.56.78

Before you do anything else, reset your root password to something very secure: passwd

Installing the LAMP Server Basics

Now we’re ready to build your LAMP server platform. We’ve chopped this up into lots of little steps so we can explain what’s happening as we go along. There’s nothing hard about this, but we want to document the process so you can repeat it at any time. As we go along, just cut-and-paste each clump of code into your SSH or Putty session and review the results to make sure nothing comes unglued. If something does, the beauty of virtual machines is you can delete them instantly within your management portal and just start over whenever you like. So here we go…

We’ll begin by permanently turning off SELINUX which causes more problems than it solves. The first command turns it off instantly. The second line assures that it’ll stay off whenever you reboot your virtual machine.

setenforce 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

First, let’s address a couple of CloudAtCost quirks that may cause problems down the road. CloudAtCost has a nasty habit of not cleaning up after itself with fresh installs. The net result is your root password gets reset every time you reboot.

killall plymouthd
echo killall plymouthd >> /etc/rc.local
rm -f /etc/rc3.d/S97*

Now let’s bring CentOS 6.7 up to current CentOS 6.8 specs and add a few important applications:

yum -y update
yum -y install nano wget expect net-tools dialog git xz
yum -y install kernel-headers
yum -y install kernel-devel
reboot

After reboot, log back in as root. Now we’ll set up your Apache web server and configure it to start whenever you reboot your server:

yum -y install httpd
service httpd start
chkconfig httpd on

Next, let’s set up your MySQL server, bring it on line, and make sure it restarts after server reboots. Unless you plan to add Asterisk® and FreePBX® to your server down the road, you’ll want to uncomment the two commands that begin with # by removing the # symbol and replacing new-password with a very secure password for your root user account in MySQL. Be sure to run the last command to secure your server. After logging in, the correct answers are n,Y,Y,Y,Y.

yum -y install mysql mysql-server
service mysqld start
chkconfig mysqld on
#/usr/bin/mysqladmin -u root password 'new-password'
#/usr/bin/mysqladmin -u root -p -h localhost.localdomain password 'new-password'
mysql_secure_installation

Next, we’ll set up PHP and configure it to work with MySQL:

yum -y install php
yum -y install php-mysql
service httpd restart

Finally let’s get SendMail installed and configured. Insert your actual email address in the last line and send yourself a test message to be sure it’s working. Be sure to check your spam folder since the message will show a sender address of localhost which many email systems including Gmail automatically identify as spam.

yum -y install sendmail
rpm -e postfix
service sendmail restart
yum -y install mailx
echo "test" | mail -s testmessage youracctname@yourmailserver.com

Installing Supplemental Repositories

One of the beauties of Linux is not being totally dependent upon CentOS for all of your packaged applications. Let’s add a few other repositories that can be used when you need to add a special package that is not in the CentOS repository. Let’s start with EPEL. We’ll disable it by default and only use it when we need it.

yum -y install http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's|enabled=1|enabled=0|' /etc/yum.repos.d/epel.repo

We actually need the EPEL repo to install Fail2Ban for monitoring of attacks on certain Linux services such as SSH:

yum --enablerepo=epel install fail2ban -y
cd /etc
wget http://incrediblepbx.com/fail2ban-lamp.tar.gz
tar zxvf fail2ban-lamp.tar.gz

Another important repository is REMI. It is especially helpful if you decide to upgrade PHP from the default version 5.3 to one of the newer releases: 5.5 or 5.6. In this case, you’ll want to activate the specific repository to support the release you choose in /etc/yum.repos.d/remi-safe.repo.

yum -y install http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
sed -i 's|enabled=1|enabled=0|' /etc/yum.repos.d/remi-safe.repo

One final repository to have on hand is RPMForge, now renamed RepoForge. We’ll use it in a bit to install a dynamic DNS update utility which you actually won’t need at CloudAtCost since your server is assigned a static IP address. But it’s handy to have in the event you wish to assign a free FQDN to your server anyway.

yum -y install http://incrediblepbx.com/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
sed -i 's|enabled = 1|enabled = 0|' /etc/yum.repos.d/rpmforge.repo

Country Blocking with IPSET


We’ll use the EPEL repo to install ipset, a terrific addition to the IPtables Linux firewall that lets you quickly block entire countries from accessing your server:

yum --enablerepo=epel install ipset -y

Next, we’ll add a sample script that documents how the country blocking mechanism works with ipset. For a complete list of countries that can be blocked, go here. If you need a decoder badge to match abbreviations against country names, you’ll find it here. To add other countries, simply edit the shell script and clone lines 4-7 using the names of the countries and country zone files that you wish to add. Be sure to insert the new lines before the commands to restart iptables and fail2ban. This script will need to be run each time your server reboots and before IPtables is brought on line. We’ll handle that a little later.

echo "#\\!/bin/bash" > /etc/block-china.sh
echo " " >> /etc/block-china.sh
echo "cd /etc" >> /etc/block-china.sh
echo "ipset -N china hash:net" >> /etc/block-china.sh
echo "rm cn.zone" >> /etc/block-china.sh
echo "wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone" >> /etc/block-china.sh
echo "for i in \$(cat /etc/cn.zone ); do ipset -A china \$i; done" >> /etc/block-china.sh
echo "service iptables restart" >> /etc/block-china.sh
echo "service fail2ban restart" >> /etc/block-china.sh
sed -i 's|\\\\||' /etc/block-china.sh
chmod +x /etc/block-china.sh

Adding a Few Handy Utilities

If you’re like us, you’ll want to test the speed of your Internet connection from time to time. Let’s install a free script that you can run at any time by logging into your server as root and issuing the command: /root/speedtest.py. Here were our results from last year. Running speedtest on a new server we built today showed a vast improvement in performance. Downloads were over ten times as fast, and upload speeds more than tripled. In fact, we now are using two CloudAtCost servers to host the old PIAF3 repositories.

cd /root
wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
chmod +x speedtest.py

Next, let’s put in place a simple status display which will quickly tell you what’s running and what’s not. We’ve borrowed some GPL code from Incredible PBX to help you out. Run status-lamp at any time for a snapshot of your server.

cd /usr/local/sbin
wget http://incrediblepbx.com/status-lamp.tar.gz
tar zxvf status-lamp.tar.gz
rm -f status-lamp.tar.gz
sed -i 's|myip.pbxinaflash.com|myip.incrediblepbx.com|' /usr/local/sbin/status-lamp

Now we’ll put the Linux Swiss Army Knife in place. It’s called WebMin, and it provides a GUI to configure almost everything in Linux. Pick up a good WebMin book from your public library to get started. Once installed, you access WebMin from your browser at the IP address of your server on the default port of 10000: https://serverIPaddress:10000. It’s probably a good idea to change this port number and the commented out line shows how to do it with the new port being 9001 in the example. The way in which we typically configure the Linux firewall will block all access to WebMin except from an IP address which you have whitelisted, e.g. your home computer’s public IP address.

cd /root
yum -y install perl perl-Net-SSLeay openssl perl-IO-Tty
yum -y install http://prdownloads.sourceforge.net/webadmin/webmin-1.831-1.noarch.rpm
#sed -i 's|10000|9001|g' /etc/webmin/miniserv.conf
service webmin restart
chkconfig webmin on

Configuring the Linux IPtables Firewall

RULE #1: DON’T BUILD SERVERS EXPOSED TO THE INTERNET WITHOUT SECURITY!

As installed by CloudAtCost, your server provides ping and SSH access from a remote computer and nothing else. The good news: it’s pretty safe. The bad news: it can’t do anything useful for anybody because all web access to the server is blocked. We want to fix that, tighten up SSH access to restrict it to your IP address, and deploy country blocking to show you how.

As we implement the firewall changes, you need to be extremely careful in your typing so that you don’t accidentally lock yourself out of your own server. A typo in an IP address is all it takes. The good news is that, if you do lock yourself out, you still can gain access via the CloudAtCost Management Portal by clicking the Console button of your virtual machine. Because the console is on the physical machine and the lo interface is whitelisted, you can log in and disable the firewall temporarily: service iptables stop. Then fix the typo and restart the firewall: service iptables start.

First, let’s download the new IPtables config file into your root folder and take a look at it.

cd /root
wget http://incrediblepbx.com/iptables-lamp.tar.gz
tar zxvf iptables-lamp.tar.gz

Now edit the /root/iptables-lamp file by issuing the command: nano -w /root/iptables-lamp

You can scroll up and down through the file with Ctl-V and Ctl-Y. Cursor keys work as well. Once you make changes, save your work: Ctl-X, Y, ENTER. You’re now an expert with the nano text editor, an absolutely essential Linux tool.

Here’s what that file actually looks like:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP
-A INPUT -p tcp -m set --match-set china src                    -j DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -s 12.34.56.78 -j ACCEPT
#-A INPUT -s yourFQDN.dyndns.org -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Reminder: If you add another country to your block-china script, don’t forget to add a corresponding new country entry to your iptables file. See line 17 above that includes the word "china" for the syntax. There’s nothing much else to tweak except the two commented out (brown) lines that begin with #. First, remove the # symbol by moving the cursor to the right of the first one and hitting the backspace/delete key on your keyboard. Replace 12.34.56.78 with the public IP address of the computer from which you will be accessing your virtual machine. If you need multiple entries for multiple computers at different addresses, clone the line by pressing Ctrl-K and then Ctrl-U twice. Yes, we know. Some folks IP addresses change from time to time. In the next section, we’ll show you how to set up a Dynamic DNS entry with a utility that will keep track of your current IP address. In this case, uncomment the second commented line and replace yourFQDN.dyndns.org with your dynamic DNS address. Be very careful to assure that your FQDN is always on line. If the firewall cannot verify your DNS entry when it starts, the IPtables firewall will not start which means your server will be left unprotected. HINT: IP addresses are much safer because they are never verified.

Once you have your whitelisted addresses configured, comment out the port 22 line to keep the bad guys from trying to break into your server with SSH. Then save the file: Ctl-X, Y, ENTER. Next, issue the following commands to copy everything into place and restart the firewall.

mv /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
cp -p /root/iptables-lamp /etc/sysconfig/iptables
echo "/etc/block-china.sh" >> /etc/rc.local
/etc/block-china.sh

Always, always, always check to be sure your firewall is functioning: iptables -nL. If you don’t see your desktop computer’s public IP address near the end of the listing, then the firewall is dead. status-lamp should also show IPtables down. Check for an error message which will tell you the problematic line so you can correct it.

Implementing Dynamic DNS Service

There are a number of free and paid Dynamic DNS providers. The way this works is you choose a fully-qualified domain name (FQDN) to identify your computer. Then you run a dynamic DNS update utility periodically from that computer. It reports back the current public IP address of your computer and your provider updates the IP address assigned to your FQDN if it has changed. In addition to supporting sites with ever changing IP addresses, it also allows you to permanently assign an FQDN to your computer or server so that it can be accessed without using a cryptic IP address.

If that computer happens to be an Incredible PBX server or a LAMP server that you’ve set up using this tutorial, then the following will get the DNS client update utility loaded using the RPM Forge repository that we previously installed:

yum --enablerepo=rpmforge install ddclient -y

Similar DNS update clients are available for Windows, Mac OS X, and many residential routers. Then it’s just a matter of plugging in the credentials for your dynamic DNS provider and your FQDN. In the case of the CentOS client, the config file is /etc/ddclient/ddclient.conf. Now reboot your server and pick up a good book on Linux to begin your adventure.

Now For Some Fun…

First, let’s check things out and make sure everything is working as it should. With your favorite web browser, visit the IP address of your new server. You should see the default Apache page:

Next, let’s be sure that PHP is working as it should. While still logged into your server as root using SSH or Putty, issue the following commands and make up some file name to replace test4567 in both lines. Be sure to keep the .php file name extension. Note to gurus: Yes, we know the second line below is unnecessary if you remove the space after the less than symbol in the first line. Unfortunately, WordPress forces the space into the display which left us no alternative.

echo "< ?php phpinfo(); ?>" > /var/www/html/test4567.php
sed -i 's|< |<|' /var/www/html/test4567.php

Now jump back to your web browser and access the new page you just created using the IP address of your server and the file name you made up: http://12.34.56.78/test4567.php

The PHPinfo listing will tell you everything you ever wanted to know about your web server setup including all of the PHP functions that have been enabled. That's why you want an obscure file name for the page. You obviously don't want to share that information with every bad guy on the planet. Remember. This is a public-facing web site that anyone on the Internet can access if they know or guess your IP address.

When you're ready to set up your own web site, just name it index.php and store the file in the /var/www/html directory of your server. In the meantime, issuing the following command will assure that anyone accessing your site gets a blank page until you're ready to begin your adventure:

echo " " > /var/www/html/index.php

Ready to learn PHP programming? There's no shortage of books to get you started.

Adding WordPress to Your LAMP Server

Where to begin with WordPress? What used to be a simple platform for bloggers has morphed into an all-purpose tool that makes building virtually any type of web site child's play. If you want to see what's possible, take a look at the templates and sample sites shown on WPZOOM. Unless you're an art major and savvy web designer, this will be the best $70 you ever spent. One of these templates will have your site up and running in minutes once we put the WordPress pieces in place. For the big spenders, $149 will give you access to over 50 gorgeous templates which you can download and use to your heart's content on multiple sites. And, no, your sites don't blow up after a year. You just can't download any additional templates or updates unless you renew your subscription. The other alternative is choose from thousands of templates that are provided across the Internet as well as in the WordPress application itself.

WordPress templates run the gamut from blogs to newsletters to photographer sites to e-commerce to business portfolios to video to travel to magazines to newspapers to education to food to recipes to restaurants and more. Whew! There literally is nothing you can't put together in minutes using a WordPress template. But, before you can begin, we need to get WordPress installed on your server. This is optional, of course. And, if you follow along and add WordPress, we've set it up in such a way that WordPress becomes the primary application for your site. Stated differently, when people use a browser to access your site, your WordPress template will immediately display. When we finish the basic WordPress setup and once you upload an image or two, you'll have a site that looks something like this:

Before you begin, we strongly recommend that you acquire a domain for your site if you plan to use it for anything but experimentation. The reason is because it can be complicated to migrate a WordPress site from one location to another.1 Once you've acquired your domain, point the domain to the IP address of your new server. With a dirt cheap registrar such as Omnis.com, it's easy:

Now let's get started. To begin, we need to load the WordPress application onto your server:

cd /root
mkdir wordpress
cd wordpress
wget http://wordpress.org/latest.tar.gz
tar -xvzf latest.tar.gz -C /var/www/html

Next, we'll configure MySQL to support WordPress. We're assuming that you have NOT already created root passwords for MySQL. If you have, you'll need to add -pYourPassword to the various commands below immediately after root. There is no space between -p and your root password. Also edit the first line and make up a new password (replacing XYZ below) for the wordpress user account that will manage WordPress on your server before you cut and paste the code:

mysql -u root -e 'CREATE USER wordpress@localhost IDENTIFIED BY "XYZ";'
mysql -u root -e 'CREATE DATABASE wordpress;'
mysql -u root -e 'GRANT ALL ON wordpress.* TO wordpress@localhost;'
mysql -u root -e 'FLUSH PRIVILEGES;'

Next, we need to configure WordPress with your new MySQL credentials. Before you cut and paste, replace XYZ in the fourth line with the password you assigned in the preceding MySQL step:

cp /var/www/html/wordpress/wp-config-sample.php /var/www/html/wordpress/wp-config.php
sed -i 's|database_name_here|wordpress|' /var/www/html/wordpress/wp-config.php
sed -i 's|username_here|wordpress|' /var/www/html/wordpress/wp-config.php
sed -i 's|password_here|XYZ|' /var/www/html/wordpress/wp-config.php
chown -R apache:apache /var/www/html/wordpress

Before you forget, take a moment and create a very secure password for your MySQL root user accounts. Here are the commands. Just replace new-password with your new password before you cut and paste. Note that you also will be prompted for this password when you execute the second command because you will now have a root user password in place from executing the first command.

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -p -h localhost.localdomain password 'new-password'

Finally, we need to modify your Apache web server to support WordPress as the primary application. Be sure to enter your actual email address in the third line before you cut and paste the code below:

echo " " >> /etc/httpd/conf/httpd.conf
echo "" >> /etc/httpd/conf/httpd.conf
echo 'ServerAdmin somebody@somedomain.com' >> /etc/httpd/conf/httpd.conf
echo "DocumentRoot /var/www/html/wordpress" >> /etc/httpd/conf/httpd.conf
echo "ServerName wordpress" >> /etc/httpd/conf/httpd.conf
echo "ErrorLog /var/log/httpd/wordpress-error-log" >> /etc/httpd/conf/httpd.conf
echo "CustomLog /var/log/httpd/wordpress-acces-log common" >> /etc/httpd/conf/httpd.conf
echo "" >> /etc/httpd/conf/httpd.conf
echo " " >> /etc/httpd/conf/httpd.conf
service httpd restart

That should do it. Open a browser and navigate to the IP address of your server. You should be greeted with the following form. Fill in the blanks as desired. The account you're setting up will be the credentials you use to add and modify content on your WordPress site when you click Log In (as shown above). Make the username obscure and the password even more so. Remember, it's a public web site accessible worldwide! When you click Install WordPress, you'll be off to the races.

After your server whirs away for a minute or two, you will be greeted with the WordPress login prompt. With the username and password you entered above, you'll be ready to start configuring your WordPress site.

Once you're logged in, navigate to Appearance -> Themes and click Add New Theme. There's you will find literally hundreds of free WordPress templates that can be installed in a matter of seconds if WPZOOM is too rich for your blood. For a terrific all-purpose (free) theme, try Atahualpa. We'll leave our actual demo site running for a bit in case you want to explore and check out its performance. Installing and configuring the new theme took less than a minute:

A Final Word to the Wise. WordPress is relatively secure but new vulnerabilities are discovered regularly. Keep your templates, plug-ins, AND the WordPress application up to date at all times! The WordFence plug-in is a must-have. And we strongly recommend adding the following lines to your WordPress config file which then will let WordPress update everything automatically. Microsoft has given automatic updates a bad name, but in the case of WordPress, they work well.

echo "define('WP_AUTO_UPDATE_CORE', true);" >> /var/www/html/wordpress/wp-config.php
echo "add_filter( 'auto_update_plugin', '__return_true' );" >> /var/www/html/wordpress/wp-config.php
echo "add_filter( 'auto_update_theme', '__return_true' );" >> /var/www/html/wordpress/wp-config.php

Building a 3CX Server in the Cloud

Now we're ready for our second cloud project. In less than 10 minutes, we're going to build a free 3CX commercial PBX using the remaining Cloud resources from our $35 purchase. To create your second virtual machine, click on the CLOUDPRO button in the CloudAtCost control panel and then click Add New Server. Choose 1 CPU, 512MB RAM, and 10GB storage for your second server. Choose Debian 8 64bit as the OS Type and click Complete.

Obtain a free license key for 3CX. Next, log in to your new Debian server as root using SSH or Putty and issue these commands. We'll begin by changing your root password.
NOTE: What appears as the fourth line below needs to be added to line #3!

passwd
wget -O- http://downloads.3cx.com/downloads/3cxpbx/public.key | apt-key add -
echo "deb http://downloads.3cx.com/downloads/3cxpbx/ /" | tee /etc/apt/sources.list.d/3cxpbx.list
apt-get update
rm -f /zang-debian.sh
apt-get -y install 3cxpbx
apt-get -y install sendmail sendmail-bin

When the initial setup finishes, choose the Web Interface Wizard and complete the install using your favorite web browser. Enter your 3CX license key when prompted. Make up a very secure Username and Password to access your 3CX portal. Specify that your IP address is Dynamic when prompted (even though it isn't). This tells 3CX to generate an FQDN for your server. Accept the default ports for HTTP (5000) and HTTPS (5001) access to your server. We recommend choosing 4-digit extensions numbers so you'll be ready for next week's project interconnecting your 3CX server to a Raspberry Pi for the best of both worlds. While logged into the 3CX management portal, adjust Settings → Email to Mail Server → 127.0.0.1 and Reply to → noreply@YourActual3CX-FQDN. Leave the other settings blank and click TEST then OK. Set up a SIP trunk with inbound and outbound call routes. Now download your favorite 3CX smartphone client, send yourself the Welcome Email for your default extension, and start calling. It really doesn't get much easier in the VoIP World. Come join the PIAF Forum if you need a helping hand!

Free Calling in the U.S. and Canada with PIAF5. We know our more frugal U.S. residents are wondering if there's a way to make free calls even with 3CX. You didn't really think there would be a release of PBX in a Flash without Google Voice support, did you? It's easy using the Simonics SIP to Google Voice gateway service. Setup time is about a minute, and the one-time cost is $4.99 using this Nerd Vittles link. Setup instructions for the 3CX side are straight-forward as well, and we've documented the procedure on the PIAF Forum.

Free Calling Worldwide with SIP URIs. There's another free calling option as well. PIAF5 and 3CX support worldwide SIP URI calling at no cost. As part of the PIAF5 install procedure, 3CX registers an FQDN for you with one of the 3CX domains if you indicate that your server has a dynamic IP address. Unless you really know what you're doing with DNS, it's a good idea to tell 3CX you have a dynamic IP address whether you do or not. Here's why. Once you have an assigned FQDN in the 3CX universe, one very slick feature is the ease with which you can publish a SIP URI address for any or all of your 3CX extensions thereby allowing PIAF5 users to receive calls from any SIP client worldwide at no cost. Setup takes less than a minute. It's as easy as 1-2-3. Here's how:

1. Login to the 3CX GUI and go to Settings → Network → FQDN. Tick "Allow calls from/to external SIP URIs" and make note of your FQDN, e.g. mypiaf5server.3cx.us. Click OK.

2. For an extension to enable (e.g. 001), go to Extensions → Edit 001 → Options → SIP ID and create any desired SIP URI alias for this extension, e.g. billybob. Click OK.

3. Anyone with a SIP client anywhere worldwide can now call extension 001 using SIP URI: billybob@mypiaf5server.3cx.us.

Special Thanks: Our special tip of the hat goes to a few web sites that we found helpful in putting this article together especially Unixmen and Matt Wilcox & friends and Programming-Review.

Originally published: Tuesday, February 28, 2017





Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest...

  1. Should you ever have to migrate your WordPress site from one domain to another, here are two helpful tools to consider: the Automatic Domain Name Changer Plugin and our favorite: WordPress-Domain-Changer. []

It’s Back: $10.50 Buys an Incredible PBX in the Cloud For Life… If You Hurry

In January, we began our new series on Cloud Computing by documenting how to build an awesome LAMP server in the Cloud using Linux. Today we’re again going to show you how to use the same Cloud platform and take advantage of the $10.50 coupon code TAKE70 to build an Incredible PBX in the Cloud FOR LIFE. When you’re finished, you’ll have a state-of-the-art Incredible PBX 13 server with hundreds of PBX features including free calling to the U.S. and Canada using any (free) Google Voice account. Keep in mind this isn’t $10.50 a month for your cloud server. It’s $10.50, period! The whole project takes less than an hour. Before we begin, let’s revisit our cautionary note for those that missed it in the previous article. It’s important.

There’s lots to hate at Cloud At Cost, a Canadian provider that offers virtual machines in the cloud for a one-time fee with no recurring charges. For $35 $10.50, you get a virtual machine with 512MB of RAM, 10GB of storage, and a gigabit Internet connection FOR LIFE. We haven’t seen a week go by when Cloud at Cost didn’t offer some sort of discount. Today it’s 70% which brings the total cost down to $10.50. That’s less than a burger at Five Guys. That’s the good news. But, if security, 99.999% reliability, performance, and excellent customer support are your must-haves, then look elsewhere. So why would anyone in their right mind sign up for a cloud solution that didn’t offer those four things? Did we mention it’s $10.50 for a lifetime cloud server?

If you take our recommendation and plunk down your $10.50, you’ll need to go into this with the right attitude. It’s not going to be flawless perfection computing. It’s a sandbox on which to experiment with [VoIP] and Cloud Computing. Will your virtual machine disintegrate at some juncture? Probably. Our experience is that the first couple days are critical. If you start seeing sluggish performance which degenerates to zero, don’t waste your time. Take good notes as you go along, delete the virtual machine, and rebuild a new one. It won’t cost you a dime, and it’ll save you hours of frustration. We suspect that bad folks get onto some of the servers and delight in bringing the machines to their knees. So the quicker you cut your losses, the better off you will be. Is CloudAtCost a good solution for production use? Absolutely Probably not so don’t try to fit a square peg in the round hole. It’s not gonna work, and you WILL be disappointed.

Today’s experiment will give you a platform on which to learn before you decide upon a more permanent deployment solution. And it will give you a terrific home for a backup server once you do move to a long-term solution so your $10.50 won’t be wasted.


The objective today is to show you how to build a rock-solid, secure VoIP server in the Cloud with all the bells and whistles you’d typically find on a PBX costing tens of thousands of dollars. Incredible PBX is pure GPL, open source code with one major difference. It’s FREE! And it’s supported by thousands of users on the PIAF Forum that started just like you.

Some of you are probably wondering why you would want a PBX at all. Hearing is believing as they say. Spend a couple minutes and call our CloudAtCost demo server. We preconfigured it using everything provided in today’s tutorial. It’ll let you play with some of the features that a PBX offers such a voice dialing from a directory, news and weather forecasts, and much more. And, in case you’re wondering, it’s been running 24/7 for two full months without a single hiccup. To try it for yourself, just dial:

Nerd Vittles Demo IVR Options
1 – Call by Name (say “Delta Airlines” or “American Airlines” to try it out)
2 – MeetMe Conference (password is 1234)
3 – Wolfram Alpha (say “What planes are flying overhead now?”)
4 – Lenny (The Telemarketer’s Worst Nightmare)
5 – Today’s News Headlines
6 – Weather Forecast (Just enter your ZIP Code!)
7 – Today in History
8 – Speak to a Real Person (or maybe just voicemail if we’re out)

For long time readers of Nerd Vittles, you already know that the component we continually stress is security. Without that, the rest really doesn’t matter. You’ll be building a platform for someone else to hijack and use for nefarious purposes. When we’re finished today, you’ll have a cloud-based VoIP server that is totally invisible to the rest of the world except a short list of VoIP providers that have been thoroughly vetted by Nerd Vittles staff. You can whitelist additional locations and phones to meet your individual needs without worrying about your server being compromised.

Creating Your Virtual Machine Platform in the Cloud

To get started, you’ve got to cough up your $10.50 at Cloud at Cost using coupon code TAKE70. Once you’ve signed up, CloudAtCost will send you credentials to log into the Cloud at Cost Management Portal. Change your portal password IMMEDIATELY after logging in. Just go to SETTINGS and follow your nose. HINT: DC2 is the preferred data center!

To create your virtual machine, click on the CLOUDPRO button and click Add New Server. If you’ve only purchased the $10.50 CloudPRO 1 platform, then you’ll need all of the available resources shown in the pick list. Leave CentOS 6.7 64bit selected as the OS Type and click Complete. Depending upon the type of special pricing that Cloud at Cost is offering when you sign up, the time to build your virtual machine can take anywhere from a minute to the better part of a day. Things have settled down since the 90% off week so new servers typically are ready in a few minutes. However, we’ve learned to build new virtual machines at night where possible. Then they’re usually available for use by the next morning. Luckily, this slow performance does not impact existing virtual machines that already are running in the CloudAtCost hosting facilities.

Initial Configuration of Your CentOS 6.7 Virtual Machine

With a little luck, your virtual machine soon will appear in your Cloud at Cost Management Portal and look something like what’s shown above. The red arrow points to the i button you’ll need to click to decipher the password for your new virtual machine. You’ll need both your IP address and the password for the new virtual machine in order to log into the server which is now up and running with a barebones CentOS 6.7 operating system. Note the yellow caution flag. That’s telling you that Cloud at Cost will automatically shut down your server in a week to save (them) computing resources. You can change the setting to keep your server running 24/7. Click Modify, Change Run Mode, and select Normal – Leave Powered On. Click Continue and OK to save your new settings.

Finally, you’ll want to change the Host Name for your server to something more descriptive than c7…cloudpro.92… Click the Modify button again and click Rename Server to change it. IncrediblePBX13 has a nice ring to it, but to each his own.

Logging into Your New CentOS 6.7 Virtual Machine

In order to configure and manage your new CentOS 6.7 virtual machine, you’ll need to log into the new server using either SSH or, for Windows users, Putty. After installing Putty, run it and log in to the IP address of your VM with username root and the password you deciphered above. On a Mac, open a Terminal session and issue a command like this using the actual IP address of your new virtual machine:

ssh root@12.34.56.78

Before you do anything else, reset your Virtual Machine’s root password to something very secure: passwd

Next, let’s address a couple of CloudAtCost quirks that may cause problems down the road. CloudAtCost has a nasty habit of not cleaning up after itself with fresh installs. The net result is your root password may get reset every time you reboot even though you changed it.

sed -i '/exit 0/d' /etc/rc.local
killall plymouthd
echo killall plymouthd >> /etc/rc.local
rm -f /etc/rc3.d/S97*
echo "exit 0" >> /etc/rc.local

Installing Incredible PBX 13 with CentOS 6.7

Now we’re ready to build your VoIP server platform. There aren’t many steps so just cut-and-paste the code into your SSH or Putty session and review the results to make sure nothing comes unglued. If something does, the beauty of virtual machines is you can delete them instantly within your management portal and just start over whenever you like. So here we go…

We’ll begin by permanently turning off SELINUX which causes more problems than it solves. The first command turns it off instantly. The second line assures that it’ll stay off whenever you reboot your virtual machine.

setenforce 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

Now let’s bring CentOS 6.7 up to current specs and add a few important applications:

yum -y update
yum -y install net-tools nano wget tar
reboot

Once your server reboots, we’re ready to kick off the Incredible PBX 13 install:

cd /root
wget http://incrediblepbx.com/incrediblepbx13-12.2-centos.tar.gz
tar zxvf incrediblepbx*
./IncrediblePBX*

When the install begins, read the license agreement and press ENTER to agree to the terms and get things rolling. Now would be a great time to go have breakfast or lunch. Come back in about an hour and your server should be ready to go.

Implementing Dynamic DNS Service on Your Client Machines

Unlike some other PBX offerings that leave your server exposed to the Internet, Incredible PBX is different. Unless the IP address from which you are accessing the server has been whitelisted, nobody on the Internet can see your server. The only exception is the preferred providers list and those on the same local area network (which is nobody in the case of CloudAtCost). As part of the Incredible PBX install, the IP address of the computer you used to perform the install was whitelisted automatically. But there may be other computers from which you wish to allow access to the PBX in order to deploy telephones at remote sites. Some of these sites may have dynamic IP addresses that change from time to time. Or you may have traveling salesman that land in a new hotel almost every night with a new IP address. Fortunately, there are a number of free and paid Dynamic DNS providers. For sites with dynamic IP addresses, simply choose a fully-qualified domain name (FQDN) to identify each location where you need computer access or need to deploy a phone. Then run a dynamic DNS update utility periodically from a computer or router at that site. It reports back the current public IP address of the site and your DNS provider updates the IP address assigned to that FQDN whenever there are changes.

DNS update clients are available for Windows, Mac OS X, and many residential routers. They’re also available for Android devices. Then it’s just a matter of plugging in the remote users’ FQDNs so Incredible PBX knows to give them server access via the whitelist. You implement this in seconds using the add-ip and add-fqdn utilities in the /root directory.

There are other ways to gain access as well using the PortKnocker utility or Travelin’ Man 4 from a telephone. Both of these are covered in the Incredible PBX 13 tutorial so we won’t repeat it here.

Incredible PBX Preliminary Setup Steps

First, let’s check things out and make sure everything is working as it should. With your favorite web browser, visit the IP address of your new server. You should see the default Incredible PBX page, the Kennonsoft Menu. It’s divided into two parts, a Users tab (shown below) and an Admin tab with additional options that we’ll cover shortly.

Now we need to jump back to SSH or Putty and log back into your server as root. You’ll note that the Incredible PBX Automatic Update Utility is run each time you log in. This is how important security updates are pushed to your server so do it regularly. And, no, you don’t need to contribute to our open source projects unless you want to. You’ll still get the updates as they are released.

After the Automatic Update Utility runs, the login script will execute status which tells you everything you need to know about the health of your server. After the initial install, it will look something like this with your server’s IP address obviously. We’ll cover the RED items down the road a bit.

For now, we need to complete a few preliminary setup steps for Incredible PBX to make sure you can log into the various components which have been installed on your computer. There are several different credentials you will need. Most of these are configured using scripts in the /root folder of your server. First, you need your root password for the server itself, and you should have already set that up with a very secure password using passwd. These same credentials are used to login to WebMin.

Next you’ll need an admin password for the Incredible PBX GUI. This is the management utility and Asterisk® code generator which consists of FreePBX® GPL modules that are open source and free to use. The admin password is set by running admin-pw-change in the /root directory.

There are also a number of web-based applications such as Telephone Reminders, AsteriDex, phpMyAdmin, and VoiceMail & Recordings (User Control Panel). You obviously don’t want everyone with a telephone using all of these applications so they are protected using a couple different Apache web server credentials. First, you set up an admin password for the administrator-level applications using the htpasswd utility. Then you set up an end-user account and password for access to AsteriDex, Reminders, and the User Control Panel. With the User Control Panel, end users also will need a username and password for their particular phone extension and this is configured with the Incredible PBX GUI using Admin -> User Management -> Add New User. If this sounds convoluted, it’s really not. Apache credentials can be entered once in an administrator’s or end user’s browser and they’re stored permanently.

Here is a checklist of the preliminary steps to complete before using your server:

Make your root password very secure: passwd
Create admin password for Incredible PBX GUI access: /root/admin-pw-change
Create admin password for web apps: htpasswd /etc/pbx/wwwpasswd admin
Create joeuser password for web apps: htpasswd /etc/pbx/wwwpasswd joeuser
Set up UCP accounts for Voicemail & Recordings access using Incredible PBX GUI
Make a copy of your Knock codes: cat /root/knock.FAQ
Decipher IP address and other info about your server: status
Set your correct time zone: /root/timezone-setup

Activating Incredible Fax on Your Server

Incredible PBX also includes an optional (and free) faxing component that lets you send and receive faxes that are delivered to your email address. To activate Incredible Fax, run the following script and plug in your email address for delivery of incoming faxes: /root/incrediblefax11.sh. After entering your email address, you’ll be prompted for all sorts of additional information. Unless you have unusual requirements, pressing the ENTER key at every prompt is the appropriate response. You’ll need to reboot your server again when the fax installation is complete. Once you log back into your server as root, the bottom line of the status display should now be green UP entries.

Managing Your Server with the Incredible PBX GUI

About 99% of your time managing your server will be spent in the Incredible PBX GUI. To access it, fire up your browser and point to the IP address of your server. At the Kennonsoft menu, click on the Users tab which will change to Admin and bring up the Admin menu shown here:

From the Administrator menu in the Kennonsoft GUI, click on Incredible PBX Administration. This will bring up the following menu:

Click on the first icon to access the Incredible PBX GUI. You’ll be prompted for your credentials. For the username, enter admin. For the password, enter the password you set up using admin-pw-change above. You should then be greeted by the main status display in the Incredible GUI:

If you’re new to Asterisk and FreePBX, here’s the one paragraph primer on what needs to happen before you can make free calls with Google Voice. You’ll obviously need a free Google Voice account. This gets you a phone number for people to call you and a vehicle to place calls to plain old telephones throughout the U.S. and Canada at no cost. You’ll also need a softphone or SIP phone (NOT a regular POTS telephone) to actually place and receive calls. YATE makes a free softphone for PCs, Macs, and Linux machines so download your favorite and install it on your desktop. Phones connect to extensions to work with Incredible PBX. Extensions talk to trunks (like Google Voice) to make and receive calls. We use outbound routes to direct outgoing calls from extensions to trunks, and we use inbound routes to route incoming calls from trunks to extensions to make your phones ring. In a nutshell, that’s how a PBX works. There are lots of bells and whistles that you can explore down the road.

As configured after installation, you have everything you’ll need except a Google Voice trunk, and we’ll cover that next. Then we’ll add a softphone with your extension 701 credentials, and you’ll be ready to make and receive calls. Before we move on, let’s decipher your extension 701 password so that you’ll have it for later. Choose Applications -> Extensions -> 701 and scroll down the screen to the Secret field and write down your password. You can also change it if you like and click Submit and then the Red button to update your settings. While you’re here, write down your extension 701 Voicemail Password.

Deploying Google Voice on Your Server

That leaves one RED entry on your status display, GV OAUTH. Whether to use plain text passwords or OAUTH 2 credentials with Google Voice accounts presently is a matter of choice although Google regularly threatens to discontinue access to Google Voice without OAUTH authentication. We suggest you play with Google Voice using plain text passwords just to get your feet wet because OAUTH implementation gets complicated. When you get ready to deploy a permanent Incredible PBX server, that would be the appropriate time to switch to OAUTH. This tutorial (beginning at step 1b) will guide you through the process.

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using the GUI. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX. It’s free at least through 2013. Google Voice no longer is by invitation only so, if you’re in the U.S. or have a friend that is, head over to the Google Voice site and register.

You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work… in either direction. Google used to permit outbound Gtalk calls using a fake CallerID, but that obviously led to abuse so it’s over! You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don’t skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you’d like in Settings, Voice Setting, Phones. But…

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call ScreeningOFF
  • Call PresentationOFF
  • Caller ID (In)Display Caller’s Number
  • Caller ID (Out)Don’t Change Anything
  • Do Not DisturbOFF
  • Call Options (Enable Recording)OFF
  • Global Spam FilteringON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Once you have your Google Voice account properly configured with Google, here is the proper sequence to get a Google Voice account working with Incredible PBX. First, using a browser, login to your Google Voice account. Second, make sure that Google Chat is activated in your Phone -> Settings. Third, in a separate browser tab, enable Less Secure Apps for your Google account. Fourth, in another separate browser tab, activate the Google Voice reset procedure. Fifth, in the Incredible PBX GUI, choose Connectivity -> Google Voice (Motif) and enter your Google Voice credentials:

Sixth, save your settings by clicking Submit and the Red Button to reload the GUI. Finally, using SSH or Putty, log into your server as root and restart Asterisk: amportal restart.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and your extension 701 password. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:


DEMO - Allison's IVR Demo
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use the free Google Voice account we set up above. Unlike traditional telephone service where you were 100% dependent upon MaBell, there is no such limitation with VoIP. The smarter long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started. Here are a few of our favorites:

Originally published: Friday, January 29, 2016   Republished: Monday, March 14, 2016





Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

The Ultimate Linux Sandbox in the Cloud for Less Than a $35 Raspberry Pi 2



Every few years we like to drop back and take a fresh look at the best way to get started with Linux. For those coming from the Windows World, it can be a painful process. Learning with a Cloud-based server can be especially dangerous because of the security risks. And then there’s the cost factor. Not everyone has several hundred dollars to buy hardware and, frankly, learning about Linux on a $35 Raspberry Pi can drive most newbies to drink. So today we’ll show you another way. It’s not necessarily a better way. But it’s different, and it’s loads of fun for not much money. Today’s project only takes 30 minutes.

There’s lots to hate at Cloud At Cost, a Canadian provider that offers virtual machines in the cloud for a one-time fee with no recurring charges. For $35 or less, you get a virtual machine with 512MB of RAM, 10GB of storage, and a gigabit Internet connection FOR LIFE. We haven’t seen a week go by when Cloud at Cost didn’t offer some sort of discount. Today it’s 70% off with coupon code TAKE70 which brings the total cost down to $10.50. That’s less than a burger at Five Guys. That’s the good news. But, if security, 99.999% reliability, performance, and excellent customer support are your must-haves, then look elsewhere. So why would anyone in their right mind sign up for a cloud solution that didn’t offer those four things? Did we mention it’s $10.50 for a lifetime cloud server?

If you take our recommendation and plunk down your Alexander Hamilton, you’ll need to go into this with the right attitude. It’s not going to be flawless perfection computing. It’s a sandbox on which to experiment with Linux and Cloud Computing. Will your virtual machine disintegrate at some juncture? Probably. Our experience is that the first couple days are critical. If you start seeing sluggish performance which degenerates to zero, don’t waste your time. Take good notes as you go along, delete the virtual machine, and rebuild a new one. It won’t cost you a dime, and it’ll save you hours of frustration. We suspect that bad folks get onto some of the servers and delight in bringing the machines to their knees. So the quicker you cut your losses, the better off you will be. Is CloudAtCost a good solution for production use? Absolutely not so don’t try to fit a square peg in the round hole. It’s not gonna work, and you WILL be disappointed. You’ve been warned. Let’s get started. ENJOY THE RIDE!

Our objective today is to show you how to build a rock-solid, secure Linux server in the Cloud with all the bells and whistles that make Linux the server platform of choice for almost every organization in the world. We’ll finish up by showing you how to embellish the platform with WordPress to do something that’s special for you whether it’s your own blog like Nerd Vittles, or a school newspaper, or an on-line shopping site to sell comic books. The basic foundation for most Linux platforms is called a LAMP server which stands for Linux, Apache, MySQL, and PHP. Linux is an open source operating system that includes contributions from thousands of developers around the world. Apache is the web server platform on which most commercial businesses stake their reputation. MySQL is the open source database management system now owned by Oracle. If it’s good enough for Facebook, it’s good enough for you. And PHP is THE web-based programming language that will let you build almost any application using Linux, Apache, and MySQL.

So what’s the big deal? There are thousands of online tutorials that will show you how to build a LAMP server. For long time readers of Nerd Vittles, you already know that the component we continually stress is security. Without that, the rest really doesn’t matter. You’ll be building a platform for someone else to hijack and use for nefarious purposes. When we’re finished today, you’ll have a cloud-based server that is totally invisible to the rest of the world with the exception of its web interface. And we’ll show you a simple way to reduce the exposure of your web interface to some of its most likely attackers. Will it be 100% secure? Nope. If you have a web server on the public Internet, it’s never going to be 100% secure because there’s always the chance of a software bug that nobody has yet discovered and corrected. THAT’S WHAT BACKUPS ARE FOR!

Creating Your Virtual Machine Platform in the Cloud

To get started, you’ve got to plunk down your $10.50 at Cloud at Cost using coupon code TAKE70. Once you’ve paid the piper, they will send you credentials to log into the Cloud at Cost Management Portal. Change your password IMMEDIATELY after logging in. Just go to SETTINGS and follow your nose.

To create your virtual machine, click on the CLOUDPRO button and click Add New Server. If you’ve only purchased the $10.50 CloudPRO 1 platform, then you’ll need all of the available resources shown in the pick list. Leave CentOS 6.7 64bit selected as the OS Type and click Complete. Depending upon the type of special pricing that Cloud at Cost is offering when you sign up, the time to build your virtual machine can take anywhere from a minute to the better part of a day. We’ve learned to build new virtual machines at night, and they’re usually available for use by the next morning. Luckily, this slow performance does not impact existing virtual machines that already are running in their hosting facility.

Initial Configuration of Your CentOS 6.7 Virtual Machine

With a little luck, your virtual machine soon will appear in your Cloud at Cost Management Portal and look something like what’s shown above. The red arrow points to the i button you’ll need to click to decipher the password for your new virtual machine. You’ll need both the IP address and the password for your new virtual machine in order to log into the server which is now up and running with a barebones CentOS 6.7 operating system. Note the yellow caution flag. That’s telling you that Cloud at Cost will automatically shut down your server in a week to save (them) computing resources. You can change the setting to keep your server running 24/7. Click Modify, Change Run Mode, and select Normal – Leave Powered On. Click Continue and OK to save your new settings.

Finally, you’ll want to change the Host Name for your server to something more descriptive than c7…cloudpro.92… Click the Modify button again and click Rename Server to make the change. Your management portal then will show the new server name as shown above.

Logging into Your CentOS 6.7 Virtual Machine

In order to configure and manage your new CentOS 6.7 virtual machine, you’ll need to log into the new server using either SSH or, for Windows users, Putty. After installing Putty, run it and log in to the IP address of your VM with username root and the password you deciphered above. On a Mac, open a Terminal session and issue a command like this using the actual IP address of your new virtual machine:

ssh root@12.34.56.78

Before you do anything else, reset your root password to something very secure: passwd

Installing the LAMP Server Basics with CentOS 6.7

Now we’re ready to build your LAMP server platform. We’ve chopped this up into lots of little steps so we can explain what’s happening as we go along. There’s nothing hard about this, but we want to document the process so you can repeat it at any time. As we go along, just cut-and-paste each clump of code into your SSH or Putty session and review the results to make sure nothing comes unglued. If something does, the beauty of virtual machines is you can delete them instantly within your management portal and just start over whenever you like. So here we go…

We’ll begin by permanently turning off SELINUX which causes more problems than it solves. The first command turns it off instantly. The second line assures that it’ll stay off whenever you reboot your virtual machine.

setenforce 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

Now let’s bring CentOS 6.7 up to current specs and add a few important applications:

yum -y update
yum -y install nano wget expect net-tools dialog git xz
yum -y install kernel-headers
yum -y install kernel-devel
reboot

After reboot, log back in as root. Now we’ll set up your Apache web server and configure it to start whenever you reboot your server:

yum -y install httpd
service httpd start
chkconfig httpd on

Now let’s set up your MySQL server, bring it on line, and make sure it restarts after server reboots. Unless you plan to add Asterisk® and FreePBX® to your server down the road, you’ll want to uncomment the two commands that begin with # by removing the # symbol and replacing new-password with a very secure password for your root user account in MySQL. Be sure to run the last command to secure your server. After logging in, the correct answers are n,Y,Y,Y,Y.

yum -y install mysql mysql-server
service mysqld start
chkconfig mysqld on
#/usr/bin/mysqladmin -u root password 'new-password'
#/usr/bin/mysqladmin -u root -p -h localhost.localdomain password 'new-password'
mysql_secure_installation

Next, we’ll set up PHP and configure it to work with MySQL:

yum -y install php
yum -y install php-mysql
service httpd restart

Finally let’s get SendMail installed and configured. Insert your actual email address in the last line and send yourself a test message to be sure it’s working. Be sure to check your spam folder since the message will show a sender address of localhost which many email systems including Gmail automatically identify as spam.

yum -y install sendmail
rpm -e postfix
service sendmail restart
yum -y install mailx
echo "test" | mail -s testmessage youracctname@yourmailserver.com

Installing Supplemental Repositories for CentOS 6.7

One of the beauties of Linux is not being totally dependent upon CentOS for all of your packaged applications. Let’s add a few other repositories that can be used when you need to add a special package that is not in the CentOS repository. Let’s start with EPEL. We’ll disable it by default and only use it when we need it.

yum -y install http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's|enabled=1|enabled=0|' /etc/yum.repos.d/epel.repo

We actually need the EPEL repo to install Fail2Ban for monitoring of attacks on certain Linux services such as SSH:

yum --enablerepo=epel install fail2ban -y
cd /etc
wget http://incrediblepbx.com/fail2ban-lamp.tar.gz
tar zxvf fail2ban-lamp.tar.gz


We also need the EPEL repo to install ipset, a terrific addition to the IPtables Linux firewall that lets you quickly block entire countries from accessing your server:

yum --enablerepo=epel install ipset -y

Next, we’ll add a sample script that documents how the country blocking mechanism works with ipset.1 For a complete list of countries that can be blocked, go here. If you need a decoder badge to match abbreviations against country names, you’ll find it here. To add other countries, simply edit the shell script and clone lines 4-7 using the names of the countries and country zone files that you wish to add. Be sure to insert the new lines before the commands to restart iptables and fail2ban. This script will need to be run each time your server reboots and before IPtables is brought on line. We’ll handle that a little later.

echo "#\\!/bin/bash" > /etc/block-china.sh
echo " " >> /etc/block-china.sh
echo "cd /etc" >> /etc/block-china.sh
echo "ipset -N china hash:net" >> /etc/block-china.sh
echo "rm cn.zone" >> /etc/block-china.sh
echo "wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone" >> /etc/block-china.sh
echo "for i in \$(cat /etc/cn.zone ); do ipset -A china \$i; done" >> /etc/block-china.sh
echo "service iptables restart" >> /etc/block-china.sh
echo "service fail2ban restart" >> /etc/block-china.sh
sed -i 's|\\\\||' /etc/block-china.sh
chmod +x /etc/block-china.sh

Another important repository is REMI. It is especially helpful if you decide to upgrade PHP from the default version 5.3 to one of the newer releases: 5.5 or 5.6. In this case, you’ll want to activate the specific repository to support the release you choose in /etc/yum.repos.d/remi-safe.repo.

yum -y install http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
sed -i 's|enabled=1|enabled=0|' /etc/yum.repos.d/remi-safe.repo

One final repository to have on hand is RPMForge, now renamed RepoForge. We’ll use it in a bit to install a dynamic DNS update utility which you actually won’t need at CloudAtCost since your server is assigned a static IP address. But it’s handy to have in the event you wish to assign a free FQDN to your server anyway.

yum -y install http://incrediblepbx.com/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
sed -i 's|enabled = 1|enabled = 0|' /etc/yum.repos.d/rpmforge.repo

Adding a Few Utilities to Round Out Your LAMP Server Deployment

If you’re like us, you’ll want to test the speed of your Internet connection from time to time. Let’s install a free script that you can run at any time by logging into your server as root and issuing the command: /root/speedtest-cli

cd /root
wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
chmod +x speedtest.py

Next, let’s put in place a simple status display which will quickly tell you what’s running and what’s not. We’ve borrowed some GPL code from Incredible PBX to help you out. Run status-lamp at any time for a snapshot of your server.

cd /usr/local/sbin
wget http://incrediblepbx.com/status-lamp.tar.gz
tar zxvf status-lamp.tar.gz
rm -f status-lamp.tar.gz
sed -i 's|myip.pbxinaflash.com|myip.incrediblepbx.com|' /usr/local/sbin/status-lamp

Now we’ll put the Linux Swiss Army Knife in place. It’s called WebMin, and it provides a GUI to configure almost everything in Linux. Pick up a good WebMin book from your public library to get started. Once installed, you access WebMin from your browser at the IP address of your server on the default port of 10000: https://serverIPaddress:10000. It’s probably a good idea to change this port number and the commented out line shows how to do it with the new port being 9001 in the example. The way in which we typically configure the Linux firewall will block all access to WebMin except from an IP address which you have whitelisted, e.g. your home computer’s public IP address.

cd /root
yum -y install perl perl-Net-SSLeay openssl perl-IO-Tty
yum -y install http://prdownloads.sourceforge.net/webadmin/webmin-1.780-1.noarch.rpm
#sed -i 's|10000|9001|g' /etc/webmin/miniserv.conf
service webmin restart
chkconfig webmin on

Tweaking Your CloudAtCost Setup Improves Performance and Improves Security

Finally, let’s address a couple of CloudAtCost quirks that may cause problems down the road. CloudAtCost has a nasty habit of not cleaning up after itself with fresh installs. The net result is your root password gets reset every time you reboot.

killall plymouthd
echo killall plymouthd >> /etc/rc.local
rm -f /etc/rc3.d/S97*

With the exception of firewall configuration, which is so important that we’re covering it separately below, you now have completed the LAMP server installation. After completing the firewall steps in the next section, simply reboot your server and you’re ready to go.

The Most Important Step: Configuring the Linux IPtables Firewall

RULE #1: DON’T BUILD SERVERS EXPOSED TO THE INTERNET WITHOUT ROCK-SOLID SECURITY!

As installed by CloudAtCost, your server provides ping and SSH access from a remote computer and nothing else. The good news: it’s pretty safe. The bad news: it can’t do anything useful for anybody because all web access to the server is blocked. We want to fix that, tighten up SSH access to restrict it to your IP address, and deploy country blocking to show you how.

As we implement the firewall changes, you need to be extremely careful in your typing so that you don’t accidentally lock yourself out of your own server. A typo in an IP address is all it takes. The good news is that, if you do lock yourself out, you still can gain access via the CloudAtCost Management Portal by clicking the Console button of your virtual machine. Because the console is on the physical machine and the lo interface is whitelisted, you can log in and disable the firewall temporarily: service iptables stop. Then fix the typo and restart the firewall: service iptables start.

First, let’s download the new IPtables config file into your root folder and take a look at it.

cd /root
wget http://incrediblepbx.com/iptables-lamp.tar.gz
tar zxvf iptables-lamp.tar.gz

Now edit the /root/iptables-lamp file by issuing the command: nano -w /root/iptables-lamp

You can scroll up and down through the file with Ctl-V and Ctl-Y. Cursor keys work as well. Once you make changes, save your work: Ctl-X, Y, ENTER. You’re now an expert with the nano text editor, an absolutely essential Linux tool.

Here’s what that file actually looks like:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP
-A INPUT -p tcp -m set --match-set china src                    -j DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -s 12.34.56.78 -j ACCEPT
#-A INPUT -s yourFQDN.dyndns.org -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Reminder: If you add another country to your block-china script, don’t forget to add a corresponding new country entry to your iptables file. See line 17 above that includes the word "china" for the syntax. There’s nothing much else to tweak except the two commented out (brown) lines that begin with #. First, remove the # symbol by moving the cursor to the right of the first one and hitting the backspace/delete key on your keyboard. Replace 12.34.56.78 with the public IP address of the computer from which you will be accessing your virtual machine. If you need multiple entries for multiple computers at different addresses, clone the line by pressing Ctrl-K and then Ctrl-U twice. Yes, we know. Some folks IP addresses change from time to time. In the next section, we’ll show you how to set up a Dynamic DNS entry with a utility that will keep track of your current IP address. In this case, uncomment the second commented line and replace yourFQDN.dyndns.org with your dynamic DNS address. Be very careful to assure that your FQDN is always on line. If the firewall cannot verify your DNS entry when it starts, the IPtables firewall will not start which means your server will be left unprotected. HINT: IP addresses are much safer because they are never verified.

Once you have your addresses configured, save the file: Ctl-X, Y, ENTER. Then issue the following commands to copy everything into place and restart the firewall.

mv /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
cp -p /root/iptables-lamp /etc/sysconfig/iptables
echo "/etc/block-china.sh" >> /etc/rc.local
/etc/block-china.sh

Always, always, always check to be sure your firewall is functioning: iptables -nL. If you don’t see your desktop computer’s public IP address near the end of the listing, then the firewall is dead. status-lamp should also show IPtables down. Check for an error message which will tell you the problematic line so you can correct it.

Implementing Dynamic DNS Service on Your Virtual Machine

There are a number of free and paid Dynamic DNS providers. The way this works is you choose a fully-qualified domain name (FQDN) to identify your computer. Then you run a dynamic DNS update utility periodically from that computer. It reports back the current public IP address of your computer and your provider updates the IP address assigned to your FQDN if it has changed. In addition to supporting sites with ever changing IP addresses, it also allows you to permanently assign an FQDN to your computer or server so that it can be accessed without using a cryptic IP address.

If that computer happens to be an Incredible PBX server or a LAMP server that you’ve set up using this tutorial, then the following will get the DNS client update utility loaded using the RPM Forge repository that we previously installed:

yum --enablerepo=rpmforge install ddclient -y

Similar DNS update clients are available for Windows, Mac OS X, and many residential routers. Then it’s just a matter of plugging in the credentials for your dynamic DNS provider and your FQDN. In the case of the CentOS client, the config file is /etc/ddclient/ddclient.conf. Now reboot your server and pick up a good book on Linux to begin your adventure.

Now For Some Fun…

First, let’s check things out and make sure everything is working as it should. With your favorite web browser, visit the IP address of your new server. You should see the default Apache page:

Next, let’s be sure that PHP is working as it should. While still logged into your server as root using SSH or Putty, issue the following commands and make up some file name to replace test4567 in both lines. Be sure to keep the .php file name extension. Note to gurus: Yes, we know the second line below is unnecessary if you remove the space after the less than symbol in the first line. Unfortunately, WordPress forces the space into the display which left us no alternative.

echo "< ?php phpinfo(); ?>" > /var/www/html/test4567.php
sed -i 's|< |<|' /var/www/html/test4567.php

Now jump back to your web browser and access the new page you just created using the IP address of your server and the file name you made up: http://12.34.56.78/test4567.php

The PHPinfo listing will tell you everything you ever wanted to know about your web server setup including all of the PHP functions that have been enabled. That's why you want an obscure file name for the page. You obviously don't want to share that information with every bad guy on the planet. Remember. This is a public-facing web site that anyone on the Internet can access if they know or guess your IP address.

When you're ready to set up your own web site, just name it index.php and store the file in the /var/www/html directory of your server. In the meantime, issuing the following command will assure that anyone accessing your site gets a blank page until you're ready to begin your adventure:

echo " " > /var/www/html/index.php

Ready to learn PHP programming? There's no shortage of books to get you started.

Adding WordPress to Your LAMP Server

Where to begin with WordPress? What used to be a simple platform for bloggers has morphed into an all-purpose tool that makes building virtually any type of web site child's play. If you want to see what's possible, take a look at the templates and sample sites shown on WPZOOM. Unless you're an art major and savvy web designer, this will be the best $70 you ever spent. One of these templates will have your site up and running in minutes once we put the WordPress pieces in place. For the big spenders, $149 will give you access to over 50 gorgeous templates which you can download and use to your heart's content on multiple sites. And, no, your sites don't blow up after a year. You just can't download any additional templates or updates unless you renew your subscription. The other alternative is choose from thousands of templates that are provided across the Internet as well as in the WordPress application itself.

WordPress templates run the gamut from blogs to newsletters to photographer sites to e-commerce to business portfolios to video to travel to magazines to newspapers to education to food to recipes to restaurants and more. Whew! There literally is nothing you can't put together in minutes using a WordPress template. But, before you can begin, we need to get WordPress installed on your server. This is optional, of course. And, if you follow along and add WordPress, we've set it up in such a way that WordPress becomes the primary application for your site. Stated differently, when people use a browser to access your site, your WordPress template will immediately display. When we finish the basic WordPress setup and once you upload an image or two, you'll have a site that looks something like this:

Before you begin, we strongly recommend that you acquire a domain for your site if you plan to use it for anything but experimentation. The reason is because it can be complicated to migrate a WordPress site from one location to another.2 Once you've acquired your domain, point the domain to the IP address of your new server. With a dirt cheap registrar such as Omnis.com, it's easy:

Now let's get started. To begin, we need to load the WordPress application onto your server:

cd /root
mkdir wordpress
cd wordpress
wget http://wordpress.org/latest.tar.gz
tar -xvzf latest.tar.gz -C /var/www/html

Next, we'll configure MySQL to support WordPress. We're assuming that you have NOT already created root passwords for MySQL. If you have, you'll need to add -pYourPassword to the various commands below immediately after root. There is no space between -p and your root password. Also edit the first line and make up a new password (replacing XYZ below) for the wordpress user account that will manage WordPress on your server before you cut and paste the code:

mysql -u root -e 'CREATE USER wordpress@localhost IDENTIFIED BY "XYZ";'
mysql -u root -e 'CREATE DATABASE wordpress;'
mysql -u root -e 'GRANT ALL ON wordpress.* TO wordpress@localhost;'
mysql -u root -e 'FLUSH PRIVILEGES;'

Next, we need to configure WordPress with your new MySQL credentials. Before you cut and paste, replace XYZ in the fourth line with the password you assigned in the preceding MySQL step:

cp /var/www/html/wordpress/wp-config-sample.php /var/www/html/wordpress/wp-config.php
sed -i 's|database_name_here|wordpress|' /var/www/html/wordpress/wp-config.php
sed -i 's|username_here|wordpress|' /var/www/html/wordpress/wp-config.php
sed -i 's|password_here|XYZ|' /var/www/html/wordpress/wp-config.php
chown -R apache:apache /var/www/html/wordpress

Before you forget, take a moment and create a very secure password for your MySQL root user accounts. Here are the commands. Just replace new-password with your new password before you cut and paste. Note that you also will be prompted for this password when you execute the second command because you will now have a root user password in place from executing the first command.

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -p -h localhost.localdomain password 'new-password'

Finally, we need to modify your Apache web server to support WordPress as the primary application. Be sure to enter your actual email address in the third line before you cut and paste the code below:

echo " " >> /etc/httpd/conf/httpd.conf
echo "" >> /etc/httpd/conf/httpd.conf
echo 'ServerAdmin somebody@somedomain.com' >> /etc/httpd/conf/httpd.conf
echo "DocumentRoot /var/www/html/wordpress" >> /etc/httpd/conf/httpd.conf
echo "ServerName wordpress" >> /etc/httpd/conf/httpd.conf
echo "ErrorLog /var/log/httpd/wordpress-error-log" >> /etc/httpd/conf/httpd.conf
echo "CustomLog /var/log/httpd/wordpress-acces-log common" >> /etc/httpd/conf/httpd.conf
echo "" >> /etc/httpd/conf/httpd.conf
echo " " >> /etc/httpd/conf/httpd.conf
service httpd restart

That should do it. Open a browser and navigate to the IP address of your server. You should be greeted with the following form. Fill in the blanks as desired. The account you're setting up will be the credentials you use to add and modify content on your WordPress site when you click Log In (as shown above). Make the username obscure and the password even more so. Remember, it's a public web site accessible worldwide! When you click Install WordPress, you'll be off to the races.

After your server whirs away for a minute or two, you will be greeted with the WordPress login prompt. With the username and password you entered above, you'll be ready to start configuring your WordPress site.

Once you're logged in, navigate to Appearance -> Themes and click Add New Theme. There's you will find literally hundreds of free WordPress templates that can be installed in a matter of seconds if WPZOOM is too rich for your blood. For a terrific all-purpose (free) theme, try Atahualpa. We'll leave our actual demo site running for a bit in case you want to explore and check out its performance. Installing and configuring the new theme took less than a minute:

A Final Word to the Wise. WordPress is relatively secure but new vulnerabilities are discovered regularly. Keep your templates, plug-ins, AND the WordPress application up to date at all times! The WordFence plug-in is a must-have. And we strongly recommend adding the following lines to your WordPress config file which then will let WordPress update everything automatically. Microsoft has given automatic updates a bad name, but in the case of WordPress, they work well.

echo "define('WP_AUTO_UPDATE_CORE', true);" >> /var/www/html/wordpress/wp-config.php
echo "add_filter( 'auto_update_plugin', '__return_true' );" >> /var/www/html/wordpress/wp-config.php
echo "add_filter( 'auto_update_theme', '__return_true' );" >> /var/www/html/wordpress/wp-config.php

Special Thanks: Our special tip of the hat goes to a few web sites that we found helpful in putting this article together especially Unixmen and Matt Wilcox & friends and Programming-Review.

Wondering What to Build Next with your new $10.50 Server in the Sky? Check out the latest Nerd Vittles tutorial. Turn it into a VoIP server FOR LIFE with free calling to/from the U.S. and Canada. Call for free demo:


Originally published: Monday, January 25, 2016





Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest...

  1. It doesn't take long for the probing to begin. So watch your logs, look up the IP addresses to identify the countries, and block them unless you happen to be expecting visitors from that part of the world:
    [Sun Jan 24 00:36:12 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/w00tw00t.at.blackhats.romanian.anti-sec:)
    [Sun Jan 24 00:36:12 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/phpMyAdmin
    [Sun Jan 24 00:36:13 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/phpmyadmin
    [Sun Jan 24 00:36:13 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/pma
    [Sun Jan 24 00:36:13 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/myadmin
    [Sun Jan 24 00:36:14 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/MyAdmin
    [Mon Jan 25 00:29:29 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/w00tw00t.at.blackhats.romanian.anti-sec:)
    [Mon Jan 25 00:29:29 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/phpMyAdmin
    [Mon Jan 25 00:29:29 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/phpmyadmin
    [Mon Jan 25 00:29:30 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/pma
    [Mon Jan 25 00:29:30 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/myadmin
    [Mon Jan 25 00:29:30 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/MyAdmin
    []
  2. Should you ever have to migrate your WordPress site from one domain to another, here are two helpful tools to consider: the Automatic Domain Name Changer Plugin and the one we use, WordPress-Domain-Changer. []