Posts tagged: fail2ban

Hardware Device of the Year: Meet the CuBox-i with Incredible PBX for Ubuntu

It’s been many years since we’ve written back-to-back articles about the same device. That should tell you how really special the CuBox-i is. After two weeks of 14-hour days developing the new Incredible PBX platform for CuBox, we are thrilled to crown this jewel as Nerd Vittles Hardware Device of the Year. Flawless design, incredible performance, tiny size, feature-rich components, minimal power consumption, and completely silent operation are merely the tip of the iceberg with this 2x2x2 cubic zircon. On the $130 CuBox-i4PRO, there’s a Quad Core processor, 2 gigs of RAM, a 10/100/1000 Ethernet port, a 1080p HDMI port, two powered USB 2 ports, an eSATA II port for an external drive, a realtime clock with backup battery, an Optical S/PDIF Audio Out port, a microSD port, an infrared receiver and transmitter, WiFi 11n, and Bluetooth plus a power adapter to match either American or European power sources. Whew! And here’s the best part. Everything works while squeezed in a tiny case that’s a third the size of Rubic’s Cube.

A SOHO Swiss Army Knife That Fits in Your Cupholder: Voice, Fax, SMS, TTS, Email, PBX, Incredible!

Did we mention it’s a near perfect VoIP platform for any home office or small business? Well, it is. And everything we’ve learned about Asterisk® and FreePBX® and Internet security over the past decade is rolled into today’s release of our crown jewel edition of Incredible PBX™ for the CuBox. First, you’ll need to purchase one and we strongly recommend the CuBox-i4PRO with its Quad Core ARM processor and built-in WiFi and Bluetooth. In the U.S, there’s NewEgg or NewEgg (10% off on i4PRO with promo code SW829NE10 = $117 until 9/4). In the U.K, there’s NewIT. For everyone else, you can buy directly from SolidRun, the creator.

Before we dive into Incredible PBX, we want to express our deepest appreciation to Zhando and Josh North of PIAF Forum fame. Zhando’s pioneering efforts with Ubuntu and Incredible PBX on the CuBox platform and Josh North’s morphing of Incredible Fax for deployment with Ubuntu paved the way for everything you’re about to read. It reinforces the spectacular results which can be achieved in the open source community when a talented group of even a few folks put their heads together. The Ubuntu developers and the tens of thousands of open source contributors from around the world also deserve a well-earned tip of the hat for producing a Linux platform that is rock-solid reliable and incredibly versatile. Nearly 1,000 open source packages are included in the latest Incredible PBX build. Click on the link to view the package list in PDF format and prepare to be amazed. We couldn’t have done it without all of you!

Introducing Incredible PBX 11.12.0 for the CuBox-i4PRO

If you’re new to Asterisk and the world of VoIP telephony, let us take a moment and explain how Incredible PBX fits into the puzzle. For lack of a better term, Incredible PBX on the CuBox platform is a turnkey aggregation in a bootable image that is based upon a superset of Ubuntu 14 packages plus Asterisk, the FreePBX GUI, and a sizable collection of applications for the Asterisk platform. You download a tarball, decompress it, write the image file to a microSD card, insert the card into your CuBox-i, and presto! You’ve got a turnkey PBX. Add credentials for a trunk or two to make and receive calls, connect some phones, and your whole office will come alive with a versatile PBX platform that used to cost organizations hundreds of thousands of dollars. What’s included in Incredible PBX? Glad you asked. Here’s a 3-minute video showcasing a few of our favorite Incredible PBX text-to-speech applications:

The Incredible PBX 11 Inventory. Here’s the current feature set on the CuBox platform. It’s the most robust ever! In addition to its superset of nearly 1,000 Ubuntu 14 packages, Asterisk 11, and FreePBX 2.11 with Apache, SendMail, MySQL, PHP, phpMyAdmin, Fail2Ban, WebMin, and the IPtables Linux firewall, check out these additions:

A Few Words About Security. Thanks to its Zero Internet Footprint™ design, Incredible PBX is different. It remains the most secure Asterisk-based PBX around. What this means is Incredible PBX has been engineered to sit anywhere, either behind a NAT-based, hardware firewall or directly on the Internet. No device other than those on your private LAN, a few of the major (trusted) SIP providers around the world, and those that you authorize on your WhiteList can even see your server. Additional IP addresses can be added to the WhiteList in three ways:

  1. An administrator registers new IP addresses using add-ip or add-fqdn from the Linux CLI
  2. A remote user sends the (correct) randomized PortKnock code assigned to your CuBox
  3. A remote user dials in from a standard telephone to register a new remote IP address

Read about this $100,000 VoIP phone bill, and you’ll better appreciate why WhiteList-based server security has become absolutely essential. WhiteList Security means only those devices with a registered IP address in your WhiteList can get to your server’s resources. To the NSA and everyone else, your server doesn’t even show up on the radar. Their only way to contact you is a POTS telephone using your published phone number. Our complete tutorial on Travelin’ Man 3 is available here. With Incredible PBX for CuBox, it’s installed and preconfigured.

Installing Incredible PBX 11.12.0 on the CuBox-i

There are five simple steps to get Incredible PBX up and running on your CuBox:

  1. Purchase a storage device
  2. Download Incredible PBX image
  3. Untar the image on your desktop
  4. Burn the image to a microSD card
  5. Insert microSD card in CuBox and boot

Choosing a Storage Platform. Unless you plan to run your server with an external eSATA hard drive (CuBox-i4PRO tutorial here), the first step is to purchase a suitable microSD card. We recommend at least a 32GB Class 10 card from Transcend, SanDisk, or Kingston. All of them are under $20 on Amazon and most include free 2-day shipping for Prime customers. If using an eSATA drive, you still need a microSD card to boot up, but any 4GB or 8GB card will suffice.1

Downloading Incredible PBX for CuBox. From your favorite desktop computer, download the latest build of Incredible PBX from SourceForge. Depending upon your network connection and the SourceForge mirror, it can take awhile. It’s a whopping 1.3GB!

Untarring Incredible PBX for CuBox. Depending upon your desktop platform, untarring incrediblepbx.4.cubox.U14.latest.tar.gz is as simple as double-clicking on it in the Downloads folder (on a Mac). On the Windows platform, here are 3 utilities that will do the job. On a Linux desktop, open a Terminal window and…

tar zxvf incrediblepbx.4.cubox.U14.latest.tar.gz

Burning the Incredible PBX image to microSD. Once you’ve untarred the file, you’ll find two scripts that make burning the image to a microSD card simple if you’re on a Mac or Linux desktop. On a Windows machine, it’s a little more complicated. Most SD cards come preformatted with a DOS partition so your Windows machine should recognize the microSD card when it’s inserted. If not, format the card using a utility such as SD Card Formatter. Next, you’ll need Win32 Disk Imager to burn cubox.img to your card. Once the image has been transferred, gracefully unmount the card from your desktop, and then remove the card from the SD card adapter.

Booting Incredible PBX on the CuBox. Insert the microSD card (electronics side up) into your CuBox-i. Then apply power to the CuBox after connecting a USB keyboard, HDMI monitor, and Ethernet cable to a network with Internet connectivity that can also hand out DHCP addresses. Log into Incredible PBX as root with cubox as your password. Your SSH credentials, Asterisk DUNDI secrets, logs, and network connection options will be initialized and then your server will reboot. You may need to hit the Enter key once or twice during the SSH credentials initialization to move things along. And, with some SD cards, you may find yourself waiting an eternity for the promised reboot. After seeing the “rebooting” message, count to ten. If your server still hasn’t rebooted, remove and reapply power. This quirk goes away after the first reboot.

After the reboot, log in again as root with password: cubox. Your firewall setup will be initialized to lock down your whitelist to your server’s public and private IP addresses AND the IP address of the machine from which you’re logging in. All of your FreePBX passwords will be randomized and your secret PortKnocker codes will be generated. The whole process only takes a few seconds.

When the second pass configuration is complete, you will be greeted by a welcoming message. STOP and read it. It has loads of important information about your server’s configuration and your next steps. Press ENTER to review status:

The Next 10 Steps. Before you do anything else, complete the following steps. It only takes a minute to secure and properly configure your server:

  1. Change your root password: passwd
  2. Change your FreePBX admin password: /root/admin-pw-change
  3. Set your correct time zone: /root/timezone-setup
  4. Expand partition to match microSD card size: /root/resize-partition
  5. Add any desired IP addresses to WhiteList: /root/add-ip
  6. Put PortKnocker credentials in a safe place: cat /root/knock.FAQ
  7. Change AvantFax admin password: /root/avantfax-pw-change
  8. Set Email Address for Incoming Faxes: /root/avantfax-email-dest
  9. Check status to be sure everything is working: status
  10. If using an eSATA external drive, do the migration drill (note the free disk space in status above)

A Few Important Tips. Every operating system and service provider has their quirks. Ask Bill Gates! Ubuntu and especially Comcast are no different. Fortunately, with Ubuntu, it’s a very short list.

1. Use the following commands (only!) to shutdown and restart your server: halt and reboot. These commands are reworked in Incredible PBX to gracefully shutdown important services so that files don’t get damaged. Please use them!

2. If you ever want to move your server to a different network, complete these three simple steps before you leave your existing network. This will trigger a new Phase I update (outlined above) and set the default network back to wired eth0 using DHCP the next time you boot your server.

touch /etc/update_hostconfig
# press Ctrl-C when prompted to reboot. then type:

3. You really do need email connectivity to get the most out of Incredible PBX. It’s the way you receive important notifications from FreePBX, and it’s also how faxes and voicemail messages are delivered. From the Linux CLI, test your server to be sure you can send emails reliably:

echo "test" | mail -s testmessage

After checking your spam folder, if you really didn’t get the email, it may be that your service provider is blocking downstream SMTP traffic. You can use your provider’s SMTP server as a smarthost to send out mail with SendMail. Just edit /etc/mail/, search for DS, and add the provider’s SMTP server address immediately after it (no spaces!), e.g. or Then restart SendMail: service sendmail restart.

Once you’ve logged into FreePBX below, be sure to set your default email address in the right margin of Admin -> Module Admin and save your entry. This will assure receipt of timely notifications of FreePBX updates for your server.

4. If you’re sure you’ll never need remote access in an emergency, you can disable PortKnocker at startup and save about 5% of your processing cycles. Our complete PortKnocker tutorial is available here. To disable startup on boot, issue the following command from the Linux CLI:

update-rc.d -f knockd disable

5. The same applies to WebMin. We actually introduced one of the first tutorials for WebMin… over 9 years ago. A word to the wise: WebMin is a terrific tool for looking at stuff about your system. But be very careful making system changes with WebMin. You usually will break some of the customized settings in Incredible PBX. This is particularly true in the case of the IPtables firewall. To access WebMin, use a browser and the actual IP address of your server to go to: Log in as root with your root password. To disable automatic startup of WebMin on boot:

update-rc.d -f webmin disable

Setting Up WiFi with the CuBox-i4PRO

This may sound simple now, but two weeks ago it was quite a different story. For those with a CuBox-i4Pro, WiFi is built into the hardware. The trick was getting it to work. Well, with Incredible PBX, it does. In the /root folder, you’ll find several self-explanatory scripts to do the heavy lifting for you. For options 2 and 3, you’ll need the SSID of the WiFi network you’ll be using as well as the SSID password.

  1. enable-eth0-only (the default setting)
  2. enable-wifi-eth0 (enables both but eth0 works with Asterisk)
  3. enable-wifi-only (runs your server purely on WiFi)

Getting Started with VoIP and FreePBX

Up to now, all of your time has been spent using the Linux CLI. That will be a rarity once you get this far. Henceforth, 90% of your time setting up Incredible PBX will be done using the FreePBX GUI and your favorite web browser. To access it, just point to the IP address of your server. status will tell you the address if you’ve forgotten it. The main control panel looks like this:

As configured, the default user account for both FreePBX and AvantFax administration is admin. The passwords are whatever you set in steps #2 and #7 above. As configured, email delivery of faxes with AvantFax is automatic so no further setup is required other than setting a delivery mechanism for faxes within FreePBX.

For those new to Asterisk and FreePBX, here’s a brief primer on what needs to happen before you can make and receive calls. If you have an existing Google Voice account or a smartphone that’s less than 2 years old, lucky you. This gets you a phone number for your PBX so people can call you. And it provides a vehicle to place calls to plain old telephones at little or no cost.

If you don’t have a Google Voice account or a shiny new smartphone, then you will need to purchase a SIP trunk from one of the numerous vendors around the world. Our favorite (because they provide terrific service at a modest price AND provide financial support to the Nerd Vittles, PBX in a Flash, and Incredible PBX projects) is Vitelity. Their special rates and a link for a discount are included at the end of today’s article.

Unlike POTS phone service from Ma Bell, the SIP World is a little different. First, you don’t need to put all your eggs in one basket. A trunk that gets you a phone number for incoming calls need not be with the same vendor that provides a trunk to place outbound calls. In fact, you may want multiple trunks for outbound calls just to have some redundancy. A list of our favorites in the U.S. and Canada is available on the PIAF Forum. Of course, there also are providers that offer all-you-can-eat calling plans. Two of our favorites are Vestalink and Future-Nine.

You’ll also need a softphone or SIP phone to actually place and receive calls. YATE makes a free softphone for PCs, Macs, and Linux machines so download your favorite and install it on your desktop.

Phones connect to extensions in FreePBX to work with Incredible PBX. Extensions talk to trunks (like Google Voice) to make and receive calls. FreePBX uses outbound routes to direct outgoing calls from extensions to trunks, and FreePBX uses inbound routes to route incoming calls from trunks to extensions to make your phones ring. In a nutshell, that’s how a PBX works.

There are lots of bells and whistles that you can explore down the road including voicemail, conferencing, IVRs, autoattendants, paging, intercoms, CallerID lookups, announcements, DISA, call parking and pickup, queues, ring groups, and on and on. And then there’s all of the Incredible PBX applications which are covered separately in this Nerd Vittles article. Once you’re comfortable with one server, you or your company will want some more. This Nerd Vittles article will walk you through interconnecting them into a seamless mesh network so that you can call from one office to another transparently. Yes, those articles were written for the Raspberry Pi. But the beauty of Incredible PBX is that it runs identically on virtually every server platform.

Here’s our 10-Step Checklist to Getting Started with FreePBX:

1. Setting Up Google Voice. If you want free calling in the U.S. and Canada, then you’ll need an existing Google Voice account that includes the Google Chat feature. You’ll need one dedicated to Incredible PBX, or it won’t work. Log out after setting up the new Google Voice account! Also note that Google Voice may cease to function at any time after May 15, 2014. You can read all about it here.

  • Log into existing Google Voice account
  • Enable Google Chat as Phone Destination
  • Configure Google Voice Calls Settings:
    • Call ScreeningOFF
    • Call PresentationOFF
    • Caller ID (In)Display Caller’s Number
    • Caller ID (Out)Don’t Change Anything
    • Do Not DisturbOFF
    • Call Options (Enable Recording)OFF
    • Global Spam FilteringON

  • Place test call in and out using GMail Call Phone
  • Log out of your Google Voice account

2. Activating a Google Voice Trunk. To create a Trunk in FreePBX to handle calls to and from Google Voice, you’ll need three pieces of information from the Google Voice account you set up above: the 10-digit Google Voice phone number, your Google Voice account name, and your Google Voice password. Choose Connectivity -> Google Voice (Motif) from the FreePBX GUI. The following form will appear:

Fill in the blanks with your information and check only the top 2 boxes. If your Google Voice account name ends in, leave that out. Otherwise, include the full email address. Then click Submit Changes and Apply Config.

There’s one more step or your Google Voice account won’t work reliably with Incredible PBX! From the Linux command prompt while logged into your server as root, restart Asterisk: amportal restart

3. Setting a Destination for Incoming Calls and Managing Faxes. Now that you’ve created your Google Voice Trunk, we need to tell FreePBX how to process inbound calls when someone dials your Google Voice number. There are any number of choices. You could simply ring an extension. Or you could ring multiple extensions by first creating a Ring Group which is just a list of extension numbers. Or you could direct incoming calls to an Interactive Voice Response (IVR) system. By default, Incredible PBX is configured to route all incoming calls to extension 701. You can change the setting whenever you like by choosing Connectivity -> Inbound Routes -> Default. In the Set Destination section of the form, change the target destination from the pull-down lists.

If you want your default inbound route to also handle incoming faxes, then go to the Fax Detect section of the Default inbound route. Change Detect Faxes to Yes. Change Fax Detection Type to SIP. Leave the Detection Time setting at 4. And change the Fax Destination to Custom Destinations: Fax (Hylafax). To Send Faxes, open AvantFax in FreePBX’s Other pulldown menu.

Always click Submit and then click Apply Config to save new settings in FreePBX.

4. Activating a Smartphone Trunk Using Bluetooth. One of the more exotic features of Incredible PBX on the CuBox platform is the ability to add your smartphone as an Asterisk trunk using Bluetooth. We’ve written a short recipe to get things working. So have a look at our Bluetooth tutorial and see if you’re up for the challenge. Moral of the story: the newer the cellphone, the better.

The LG G3 is the best of the lot, at least of the numerous cellphones we tested. Even better is an LG G3 paired with StraightTalk’s (AT&T-hosted) unlimited talk, text, and data plan for $45 a month. With Samsung smartphones older than a Galaxy S4, don’t waste your time. Ditto with Apple iPhones other than perhaps the very latest. Our iPhone 4S failed miserably. We gave up on Apple phones after that. Someday I’ll test my daughter’s 5c and report back.

5. Activating Additional Trunks with FreePBX. As we mentioned, there are lots of SIP providers to choose from. Once you have signed up for service, configuring the trunk is easy. Here is a quick Cheat Sheet courtesy of Kristian Hare, who translated our original setups into a spreadsheet. Just click on the image below to open it in a new window. Then click on the redisplayed image to enlarge it. The left and right cursor keys will move you around in the image. Click on the image again to shrink it.

6. Changing Extension Passwords. From the main FreePBX GUI, choose Applications -> Extensions. Then click on 701 in the Extension List on the right side of your display. You’ll see a form that looks like this:

For now, we only need to make a few changes. First, you need a very secure password for both the extension itself and your voicemail account for this extension. The extension secret needs to be a combination of letters and numbers. The Voicemail Password needs to be all numbers, preferably six or more. Replace the existing password entries with your own (very secure) entries. You also need to lock down this extension so that it is only accessible from devices on your private LAN. You do that with the deny and permit entries which currently are filled with zeroes. Leave the deny entry the way it is which tells Incredible PBX to block everybody except those allowed in the permit entry below. For the permit, we need the first three octets of your private LAN address, e.g. if your LAN is 192.168.0.something then the permit entry will be

Finally, you need to plug in your actual email address in the Voicemail section so that voicemails can be delivered to you when someone leaves a message. You can also include a pager email address if you want a text message alert with incoming voicemails. If you want the voicemails to automatically be deleted from the server after they are emailed to you (a good idea considering the disk storage limitations of your microSD card), change the Delete Voicemail option from No to Yes. That’s it. Now save your settings by clicking the Submit button. Then reload the dialplan by clicking on the red prompt when it appears.

In case you’re curious, unless you’ve chosen to automatically delete voicemails after emailing them, you can retrieve your voicemails by dialing *98701 from any extension on your phone system. You’ll be prompted to enter the voicemail password you set up. In addition to managing your voicemails, you’ll also be given the opportunity to either return the call to the number of the person that called or to transfer the voicemail to another extension’s voicemail box. And you can always leave a voicemail for someone by dialing their extension number preceded by an asterisk, e.g. *701 would let someone leave you a voicemail without actually calling you.

7. Eliminating Audio and DTMF Problems. You can avoid one-way audio on calls and touchtones that don’t work with these simple settings in FreePBX: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

8. Configuring Your YATE Softphone. As we mentioned, the easiest way to get started with Incredible PBX is to set up a free YATE softphone on your Desktop computer. Versions are available at no cost for Macs, PCs, and Linux machines. Just download the appropriate one and install it from this link. Once installed, it’s a simple matter to plug in your extension 701 credentials and start making calls. Run the application and choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of Incredible PBX, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place your first call. It’s that easy!

9. Configuring CallerID Superfecta. In order to match names with phone numbers, Incredible PBX includes a FreePBX application named CallerID Superfecta. Out of the box, Incredible PBX will work fine if you remember to activate CallerID Superfecta whenever you create a new Inbound Route. The CNAM entries also will be displayed in your CDR reports. For those not in the United States, you may prefer to use a lookup source for your numbers other than the ones preconfigured in CallerID Superfecta. You will find all of the available modules on the POSSA GitHub site. Just download the ones desired into /var/www/html/admin/superfecta/sources and then activate the desired sources in Admin -> CID Superfecta -> Default. You can test your results and the performance using the Debug facility that’s built into the module.

10. Adding Speech Recognition for Incredible Applications. We used to include Google’s Speech-to-Text service in Incredible PBX builds. Unfortunately, Google has changed the rules a bit. Assuming your server still meets the “personal and development” standard, you can obtain an API key from Google and reactivate speech-to-text functionality for many of the Incredible PBX applications including Weather Reports by City (949), AsteriDex Voice Dialing by Name (411), SMS Dictator (767), and Wolfram Alpha for Asterisk (4747). To activate the STT service, just complete the steps in our tutorial. Then sign up for a Wolfram Alpha App ID (tutorial here), and run the following install scripts:


Enabling SAMBA Windows Networking with Ubuntu

It only takes a minute to enable SAMBA Windows Networking on your CuBox. We’ve reproduced our quick tutorial to show you how. Just follow the steps below to interconnect Incredible PBX with all the other computers on your LAN.

apt-get -y install samba samba-common python-glade2 system-config-samba
cd /etc/samba
mv smb.conf smb.orig.conf
tar zxvf samba-ubuntu.tar.gz
rm *.tar.gz
sed -i '/# End of Trusted Provider Section/r '/etc/samba/smb.iptables'' /etc/iptables/rules.v4
service smbd restart
service nmbd restart
sed -i 's|/usr/local/sbin/amportal restart|service smbd restart\nservice nmbd restart\n/usr/local/sbin/amportal restart|' /etc/rc.local
# set up root password for SAMBA access with full RW privileges
smbpasswd -a root

Incredible Backup and Restore

Once you have everything configured, it’s time to take a snapshot of your system and store it in a safe place. The new Incredible Backup lets you do that. From the Linux CLI, login as root and run: /root/incrediblebackup. The backup image will be saved to the /tmp folder and can be copied to a different server easily. To restore the backup to another system, you simply bring the other system up to the same version of Asterisk (11) and FreePBX (2.11), and then run /root/incrediblerestore with your backed up image. It’s the cheapest insurance you can buy! For detailed instructions on restoring backups, see this thread on the PIAF Forum.

Don’t forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number.

Originally published: Monday, September 1, 2014

Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Our forum is extremely friendly and is supported by literally hundreds of Asterisk gurus.

Need help with Asterisk? Visit the PBX in a Flash Forum.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest…

  1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us. []

State of the Art: The New Incredible PBX Security Model for Asterisk

About once a year, we try to shine the spotlight on Asterisk® security in hopes of saving lots of organizations and individuals a little bit (or a lot) of money. The problem with open source phone systems is they’re open source phone systems. So the bad guys can figure out how they work just like the good guys. That’s not to suggest that proprietary phone systems are any more secure. They’re not. It just may take the bad guys a little longer to figure out where the holes are.

Olle Johansson has been one of the primary shakers and movers when it comes to educating folks on Asterisk security and inspiring developers to do a better job designing these systems. If you didn’t attend last year’s AstriCon and haven’t watched the Security Master Class, put it on your Bucket List. It’s free and well worth your time.

When we began building out Incredible PBX™ on other platforms this summer, we decided it was an opportune time to revisit our Asterisk security model and make it as bullet-proof as possible given the number of people now deploying Asterisk servers in the cloud. As a practical matter, there are no hardware-based firewalls to protect you with many of the cloud-based systems. So you literally live or die based upon the strength of your own software-based security model.

As in the past, security is all about layers of protection. A bundle of sticks is harder to break than a single stick. In the last month, we have rolled out new Incredible PBX systems for CentOS 7, Scientific Linux 7, Ubuntu 14, and the latest Raspbian OS for the Raspberry Pi B+. We’re in the final testing stage for a new Incredible PBX for CentOS 6.5 and Scientific Linux 6.5 as well as Ubuntu 14. All of these releases include the new Incredible PBX security model, and we will retrofit it to Fedora 20 and our standard builds for PBX in a Flash and RasPBX in coming weeks. Here’s how it works…

The 7 Security Layers include the following, and we will go into the details below:

  1. Preconfigured IPtables Linux Firewall
  2. Preconfigured Travelin’ Man 3 WhiteLists
  3. Randomized Port Knocker for Remote Access
  4. TM4 WhiteListing by Telephone (optional)
  5. Fail2Ban
  6. Randomized Ultra-Secure Passwords
  7. Automatic Security Updates & Bug Fixes

1. IPtables Linux Firewall. Yes, we’ve had IPtables in place with PBX in a Flash for many years. And, yes, it was partially locked down in previous Incredible PBX releases if you chose to deploy Travelin’ Man 3. Now it’s automatically locked down, period. As installed, the new Incredible PBX limits login access to your server to those on your private LAN (if any) and anyone logging in from the server’s public or private IP address and the public IP address of the desktop machine used to install the Incredible PBX software. If you or your users need access from other computers or phones, those addresses can be added quickly using either the Travelin’ Man 3 tools (add-ip and add-fqdn) or using the Port Knocker application running on your desktop or smartphone. All you need is your randomized 3 codes for the knock. You can also enable a remote IP address by telephone. Keep reading!

2. Travelin’ Man 3 WhiteLists. As in the past, many of the major SIP providers have been whitelisted in the default setup so that you can quickly add new service without worrying about firewall access. These are providers that we’ve used over the years. The preconfigured providers include Vitelity ( and, Google Voice (, (, DIDforsale (, CallCentric (, and also ( plus, (, Future-Nine, AxVoice (, SIP2SIP (, VoIPMyWay (, Obivoice/Vestalink (, Teliax, and IPkall. You are, of course, free to add other providers or users using the whitelist tools being provided. add-ip lets you add an IP address to your whitelist. add-fqdn lets you add a fully-qualified domain name to your whitelist. del-acct lets you remove an entry from your whitelist. Because FQDNs cause problems with IPtables if the FQDN happens to be invalid or non-functional, we’ve provided a customized iptables-restart tool which will filter out bad FQDNs and start up IPtables without the problematic entries.

Be advised that whitelist entries created with PortKnocker are stored in RAM, not in your IPtables file. These RAM entries will get blown out of the water whenever your system is restarted OR if IPtables is restarted. Stated another way, PortKnocker should be used as a stopgap tool to get new IP addresses qualified quickly. If these addresses need access for more than a few hours, then the Travelin’ Man 3 tools should be used to add them to your IPtables whitelist. If your whitelist setup includes dynamic IP addresses, be aware that using ipchecker in a cron job to test for changing dynamic IP addresses will remove PortKnocker whitelist RAM entries whenever an IP address change triggers an iptables-restart.

For more detail on Travelin’ Man 3, review our original tutorial.

3. PortKnocker WhiteListing. We wrote about PortKnocker several weeks ago and won’t repeat the article here. In a nutshell, it lets you knock on three ports on a host machine in the proper order to gain access. If you get the timing and sequence right, the IP address from which you knocked gets whitelisted for access to the server… with appropriate admin or root passwords, of course. The knocking can be accomplished with either a command line tool or an iOS or Android app using your smartphone or tablet. As noted above, it’s a terrific stopgap tool to let you or your users gain quick access to your server. For the reasons we’ve documented, don’t forget that it’s a stopgap tool. Don’t use it as a replacement for Travelin’ Man 3 whitelists unless you don’t plan to deploy dynamic IP address automatic updating. Just to repeat, PortKnocker whitelists get destroyed whenever IPtables is restarted or your server is rebooted. You’ve been warned.

4. TM4 WhiteListing by Telephone. Newer releases of Incredible PBX are preconfigured with ODBC support for telephony applications. One worth mentioning is our new Travelin’ Man 4 utility which lets a remote user dial into a dedicated DID and register an IP address to be whitelisted on the server. Within a couple minutes, the user will be sent an email confirming that the IP address has been whitelisted and remote access is now enabled. For phone systems and administrators supporting hundreds of remote users, this new feature will be a welcome addition. It can be configured in a couple minutes by following the Installation instructions in the Travelin’ Man 4 tutorial. Unlike PortKnocker, whitelisted IP addresses added with TM4 are permanent until modified by the remote user or deleted by the administrator.

5. Fail2Ban. We’ve never been a big fan of Fail2Ban which scans your logs and blacklists IP addresses after several failed attempts to log in or register with SSH or Apache or Asterisk. The reason is because of documented cases where attacks from powerful servers (think: Amazon) completely overpower a machine and delay execution of Fail2Ban log scanning until tens of thousands of registration attempts have been launched. The FreePBX folks are working on a methodology to move failed login attempts to a separate (smaller) log which would go a long way toward eliminating the log scanning bottleneck. In the the meantime, Fail2Ban is included, and it works when it works. But don’t count on it as your only security layer.

6. Randomized Passwords. With the new security model described above, we’ve dispensed with Apache security to protect FreePBX® access. These new Incredible PBX releases rely upon the FreePBX security model which relies upon encrypted passwords stored in MySQL or MariaDB. As part of the installation process, Incredible PBX randomizes ALL FreePBX passwords including those for the default 701 extension as well as the admin password. When your new Incredible PBX install completes, the most important things to remember are your (randomized) FreePBX admin password AND the (randomized) 3 ports required for Port Knocker access. Put them in a safe place. Sooner or later, you’ll need them. You can review your PortKnocker settings in /root/knock.FAQ. We’ve also included admin-pw-change in the /root folder for those that are too lazy to heed our advice. With the new security model, there is no way to look up your admin password. All you can do is change it… assuming you haven’t also forgotten your root password. :wink:

7. Automatic Update Service. All new Incredible PBX builds include an automatic update service to provide security patches and bug fixes whenever you log into your server as root. If you don’t want the updates for some reason, you can delete the /root/update* file from your server. If the cost of maintaining this service becomes prohibitive, we may implement a pay-for-service fee, but it presently is supported by voluntary contributions from our users. It has worked extremely well and provided a vehicle for pushing out updates that affect the reliability and security of your server.

A Word About IPv6. Sooner or later Internet Protocol version 6 will be upon us because of the exhaustion of IPv4 IP addresses. Incredible PBX is IPv6-aware and IPtables has been configured to support it as well. As deployed, outbound IPv6 is not restricted. Inbound access is limited to localhost. You, of course, are free to modify it in any way desired. Be advised that disabling IPv6 localhost inbound access will block access to the FreePBX GUI. Don’t ask us how we know. :-)

Originally published: Monday, August 11, 2014

Support Issues. With any application as sophisticated as firewall security, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. You won’t have to wait long for an answer to your question.

Need help with Asterisk? Visit the PBX in a Flash Forum.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest…

Just 3 Steps to Paradise: It’s Incredible PBX for Asterisk 1.8

UPDATE: Incredible PBX 2.0 has just been released. Here's the article.

Hard to believe it's been over a year since we introduced The Incredible PBX. That makes today really special. And we're especially pleased to introduce a major facelift for the Incredible web site and, more importantly, an awesome new edition of Incredible PBX. Seems only fitting to release it on 5-9, a day synonymous with the level of perfection we're always shooting for. Time will tell. With the recent release of CentOS 5.6 came a new PBX in a Flash, and a much more stable Asterisk® We've retweaked Incredible PBX to take advantage of the refinements and added some new features like faxing, SMS messaging, and MLB scores & schedules. Under the covers, you'll find Kennonsoft's incredible new PBX in a Flash UI with HTML5 and CSS3 support for the latest Firefox, Chrome, and IE8 browsers. Later this week, we expect one more iteration of the UI to conquer native Internet Explorer 9.2

What began as a kludgey, dual-call, dual-provider Google Voice implementation to take advantage of Google's free PSTN calling in the U.S. and Canada with Asterisk 1.4 and 1.6 is now a zippy-quick, Gtalk-based calling platform that rivals the best SIP-to-SIP calls on the planet and provides virtually instantaneous PSTN connections to almost anybody, anywhere. Trust us! Except for the price which is still free, you'll never know you weren't connected via Ma Bell's overpriced long-distance lines and neither will the Little Mrs. And, yes, our recommended $50 Nortel SIP videophone is plug-and-play.

Just download the latest PBX in a Flash ISO, burn to then boot from the PIAF CD, choose the Purple Edition to load Asterisk 1.8 and FreePBX 2.8, and then install the new Incredible PBX for Asterisk 1.8. In about an hour, you'll have a turnkey PBX with a local phone number and free calling in the U.S. and Canada via your own Google Voice account plus dozens and dozens of terrific Asterisk applications to keep your head spinning for months.

Thanks to its Zero Internet Footprint™ design, The Incredible PBX remains the most secure Asterisk-based PBX around. What this means is The Incredible PBX™ has been engineered to sit safely behind a NAT-based, hardware firewall with minimal port exposure to your actual server. And you won't find a more full-featured Personal Branch Exchange™ at any price.

Did we mention that all of this telephone goodness is still absolutely FREE!

The Incredible PBX Inventory. For those that have never heard of The Incredible PBX, here's a feature list of components you get in addition to the base install of PBX in a Flash the latest CentOS 5.x, Asterisk 1.8, FreePBX 2.8, and Apache, SendMail, MySQL, PHP, phpMyAdmin, IPtables Linux firewall, Fail2Ban, and WebMin. Cepstral TTS, Fax, Hamachi VPN, and Mondo Backups are just one command away and may be installed using some of the PBX in a Flash-provided scripts.

Prerequisites. Here's what we recommend to get started properly:

Installing The Incredible PBX. The installation process is simple and straight-forward. We're down to 3 Easy Steps to Free Calling, and The Incredible PBX will be ready to receive and make free U.S./Canada calls immediately:

1. Install PBX in a Flash Purple Edition
2. Download & run The Incredible PBX 1.8 installer
3. Configure a softphone or SIP telephone

Installing PBX in a Flash. Here's a quick tutorial to get PBX in a Flash installed. To use Incredible PBX for Asterisk 1.8, just install the latest 32-bit version of PBX in a Flash. Unlike other Asterisk aggregations, PBX in a Flash utilizes a two-step install process. The ISO only installs the CentOS 5.6 operating system. Once CentOS is installed, the server reboots and downloads a payload file that includes Asterisk, FreePBX, and many other VoIP and Linux utilities including all of the new Google Voice components. Just choose the new Purple Payload to get the latest Asterisk 1.8 release and all of the Google Voice goodies!

You can download the 32-bit PIAF from SourceForge or one of our download mirrors. Burn the ISO to a CD. Then boot from the installation CD and press the Enter key to begin.

WARNING: This install will completely erase, repartition, and reformat EVERY DISK (including USB flash drives) connected to your system so disable any disk you wish to preserve AND remove any USB flash drives! Press Ctrl-C to cancel the install.

At the keyboard prompt, tab to OK and press Enter. At the time zone prompt, tab once, highlight your time zone, tab to OK and press Enter. At the password prompt, make up a VERY secure root password. Type it twice. Tab to OK, press Enter. Get a cup of coffee. Come back in about 5 minutes. When the system has installed CentOS, it will reboot. Remove the CD promptly. After the reboot, choose PIAF-Purple option. Have a 15-minute cup of coffee. After installation is complete, the machine will reboot a second time. You now have a PBX in a Flash base install. On a stand-alone machine, it takes about 30 minutes. On a virtual machine, it takes about half that time. Write down the IP address of your new PIAF server. You'll need it to configure your hardware-based firewall in a minute.

NOTE: For previous users of PBX in a Flash, be aware that this new version automatically runs update-programs, update-fixes, and passwd-master for you. So your system is secure out of the box!

Configuring Google Voice. You'll need a dedicated Google Voice account to support The Incredible PBX. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So why take the chance. Keep this account a secret!

We've tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively with The Incredible PBX. Google Voice no longer is by invitation only so, if you're in the U.S. or have a friend that is, head over to the Google Voice site and register. If you're living on another continent, see MisterQ's posting for some tips on getting set up.

You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work... in either direction. Google used to permit outbound Gtalk calls using a fake CallerID, but that obviously led to abuse so it's over! You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don't skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you'd like in Settings, Voice Setting, Phones. But...

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That's the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don't see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.

While you're still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening - OFF
  • Call Presentation - OFF
  • Caller ID (In) - Display Caller's Number
  • Caller ID (Out) - Don't Change Anything
  • Do Not Disturb - OFF
  • Call Options (Enable Recording) - OFF
  • Global Spam Filtering - ON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

Incredible PBX Installation. Log into your server as root and issue the following commands to download and run The Incredible PBX installer:

cd /root
chmod +x incrediblepbx18.x

When The Incredible PBX install begins, you'll be prompted for the following:

Google Voice Account Name
Google Voice Password
Gmail Notification Address
FreePBX maint Password

The Google Voice Account Name is the Gmail address for your new dedicated account, e.g. Don't forget! The Google Voice Password is the password for this dedicated account. The Gmail Notification Address is the email address where you wish to receive alerts when incoming and outgoing Google Voice calls are placed using The Incredible PBX. And your FreePBX maint Password is the password you'll use to access FreePBX. It gets set automatically as part of the The Incredible PBX install. By the way, none of this confidential information ever leaves your machine... just in case you were wondering. :roll:

Now have another 15-minute cup of coffee, and consider a modest donation to Nerd Vittles... for all of our hard work. :wink: You'll find a link at the top of the page. While you're waiting just make sure that you've heeded our advice and installed your server behind a hardware-based firewall. No ports need to be opened on your firewall to support Incredible PBX so leave it that way!

Here's a short video demonstration of the original Incredible PBX installer process. It still works just about the same way except there's no longer a second step to get things working.

Incredible Fax Installation. If you want the added convenience of having your Incredible PBX double as a free fax machine, run /root/ shell script when the Incredible PBX install completes. Plug in your email address for delivery of incoming faxes and enter your home area code when prompted. For every other prompt, just press the Enter key. For complete documentation, see last week's Nerd Vittles article. We should note that updated versions of HylaFax and AvantFax now have been incorporated into the installer thanks to gvtricks on the PIAF Forums, and Google Voice now seems to be much more reliable for delivery of faxes... if you happen to like FREE. :wink:

Our experience suggests that using a single trunk for both voice and fax delivery is hit and miss so you may wish to consider adding an additional trunk just to support faxing. You'll find the templates for adding a second Google Voice trunk in the /tmp directory, and complete instructions are available on the PIAF Forums. We've also provided preconfigured trunk settings for both Vitelity and if you'd like to try those options as well. Just plug in your credentials and configure an inbound route to map incoming faxes to the Fax Custom Destination. If you want to add support for a second Google Voice trunk, we've included dialplan2.txt and jabber2.conf in /tmp to get you started with the tutorial above.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Logging in to FreePBX. Using a web browser, you access the FreePBX GUI by pointing your browser to the IP address of your Incredible PBX. Click on the Admin tab and choose FreePBX. When prompted for a username, it's maint. When prompted for the password, it's whatever you set up as your maint password when you installed Incredible PBX. If you forget it, you can always reset it by logging into your server as root and running passwd-master.

Extension Password Discovery. If you're too lazy to look up your extension 701 password using the FreePBX GUI, you can log into your server as root and issue the following command to obtain the password for extension 701 which we'll need to configure your softphone or color videophone in the next step:

mysql -uroot -ppassw0rd -e"select id,data from asterisk.sip where id='701' and keyword='secret'"

The result will look something like the following where 701 is the extension and 18016 is the randomly-generated extension password exclusively for your Incredible PBX:

id         data
701      18016

Configuring a SIP Phone. There are hundreds of terrific SIP telephones and softphones for Asterisk-based systems. Once you get things humming along, you'll want a real SIP telephone such as the $50 Nortel color videophone we've recommended above. You'll also find lots of additional recommendations on Nerd Vittles and in the PBX in a Flash Forum. If you're like us, we want to make damn sure this stuff works before you shell out any money. So, for today, let's download a terrific (free) softphone to get you started. We recommend X-Lite because there are versions for Windows, Mac, and Linux. So download your favorite from this link. Install and run X-Lite on your Desktop. At the top of the phone, click on the Down Arrow and choose SIP Account Settings, Add. Enter the following information using your actual password for extension 701 and the actual IP address of your Incredible PBX server instead of Click OK when finished. Your softphone should now show: Available.

Incredible PBX Test Flight. The proof is in the pudding as they say. So let's try two simple tests. First, let's place an outbound call. Using the softphone, dial your 10-digit cellphone number. Google Voice should transparently connect you. Answer the call and make sure you can send and receive voice on both phones. Second, from another phone, call the Google Voice number that you've dedicated to The Incredible PBX. Your softphone should begin ringing shortly. Answer the call, press 1 to accept the call, and then make sure you can send and receive voice on both phones. Hang up. If everything is working, congratulations!

Here's a brief video demonstration showing how to set up a softphone to use with your Incredible PBX, and it also walks you through several of the dozens of Asterisk applications included in your system.

Solving One-Way Audio Problems. If you experience one-way audio on some of your phone calls, you may need to adjust the settings in /etc/asterisk/sip_custom.conf. Just uncomment the first two lines by removing the semicolons. Then replace with your public IP address, and replace with the subnet address of your private network. There are similar settings in gtalk.conf that can be activated although we've never had to use them. In fact, we've never had to use any of these settings. After making these changes, save the file(s) and restart Asterisk with the command: amportal restart.

Learn First. Explore Second. Even though the installation process has been completed, we strongly recommend you do some reading before you begin your VoIP adventure. VoIP PBX systems have become a favorite target of the hackers and crackers around the world and, unless you have an unlimited bank account, you need to take some time learning where the minefields are in today's VoIP world. Start by reading our Primer on Asterisk Security. We've secured all of your passwords except your root password and your passwd-master password. We're assuming you've put very secure passwords on those accounts as if your phone bill depended upon it. It does! Also read our PBX in a Flash and VPN in a Flash knols. If you're still not asleep, there's loads of additional documentation on the PBX in a Flash documentation web site.

Adding Multiple Google Voice Trunks. Thanks to rentpbx on our forums, adding support for multiple Google Voice trunks is now a five-minute operation. Once you have your initial setup running smoothly, hop on over to the forums and check out this Incredible solution. You'll also find sample templates in the /tmp directory: dialplan2.txt and jabber2.conf.

Choosing a VoIP Provider for Redundancy. Nothing beats free when it comes to long distance calls. But nothing lasts forever. And, in the VoIP World, redundancy is dirt cheap. So we strongly recommend you set up another account with Vitelity using our special link below. This gives your PBX a secondary way to communicate with every telephone in the world, and it also gets you a second real phone number for your new system... so that people can call you. Here's how it works. You pay Vitelity a deposit for phone service. They then will bill you $3.99 a month for your new phone number. This $3.99 also covers the cost of unlimited inbound calls (two at a time) delivered to your PBX for the month. For outbound calls, you pay by the minute and the cost is determined by where you're calling. If you're in the U.S., outbound calls to anywhere in the U.S. are a little over a penny a minute. If you change your mind about Vitelity and want a refund of the balance in your account, all you have to do is ask. The trunks for Vitelity already are preconfigured with The Incredible PBX. Just insert your credentials using FreePBX. Then add the Vitelity trunk as the third destination for your default outbound route. That's it. Congratulations! You now have a totally redundant phone system.

Using ENUMPlus. Another terrific money-saving tool is ENUM. Your system comes with ENUMPlus installed. The advantage of ENUM is that numbers registered with any of the ENUM services such as can be called via SIP for free. You can read all about it in this Nerd Vittles' article. To activate ENUMPlus, you'll need to register and obtain an API Key at It's free! Sign up, log in, and click on the Account tab to get your API key. Once you have your key, copy it to your clipboard and open FreePBX with your browser. Then choose SetUp, ENUMPlus and paste in your API Key. Save your entry, and you're all set. After entering your key, all outbound calls will be checked for a free ENUM calling path first before using other outbound trunks.

Stealth AutoAttendant. When incoming calls arrive, the caller is greeted with a welcoming message from Allison which says something like "Thanks for calling. Please hold a moment while I locate someone to take your call." To the caller, it's merely a greeting. To those "in the know," it's actually an AutoAttendant (aka IVR system) that gives you the opportunity to press a button during the message to trigger the running of some application on your Incredible PBX. As configured, the only option that works is 0 which fires up the Nerd Vittles Apps IVR. It's quite easy to add additional features such as voicemail retrieval or DISA for outbound calling. Just edit the MainIVR option in FreePBX under Setup, IVR. Keep in mind that anyone (anywhere in the world) can choose these options. So be extremely careful not to expose your system to security vulnerabilities by making certain that any options you add have very secure passwords! It's your phone bill. :wink:

Configuring Email. You're going to want to be notified when updates are available for FreePBX, and you may also want notifications when new voicemails arrive. Everything already is set up for you except actually entering your email notification address. Using a web browser, open the FreePBX GUI by pointing your browser to the IP address of your Incredible PBX. Then click Administration and choose FreePBX. To set your email address for FreePBX updates, go to Setup, General Settings and scroll to the bottom of the screen. To configure emails to notify you of incoming voicemails, go to Setup, Extensions, 701 and scroll to the bottom of the screen. Then follow your nose. Be sure to reload FreePBX when prompted after saving your changes.

A Word About Security. Security matters to us, and it should matter to you. Not only is the safety of your system at stake but also your wallet and the safety of other folks' systems. Our only means of contacting you with security updates is through the RSS Feed that we maintain for the PBX in a Flash project. This feed is prominently displayed in the web GUI which you can access with any browser pointed to the IP address of your server. Check It Daily! Or add our RSS Feed to your favorite RSS Reader. We also recommend you follow @NerdUno on Twitter. We'll keep you entertained and provide immediate notification of security problems that we hear about. Be safe!

Enabling Google Voicemail. Some have requested a way to retain Google's voicemail system for unanswered calls in lieu of using Asterisk voicemail. The advantage is that Google offers a free transcription service for voicemail messages. To activate this, you'll need to edit the [googlein] context in extensions_custom.conf in /etc/asterisk. Just modify the last four lines in the context so that they look like this and then restart Asterisk: amportal restart

;exten => s,n(regcall),Answer
;exten => s,n,SendDTMF(1)
exten => s,n(regcall),Set(DIAL_OPTIONS=${DIAL_OPTIONS}aD(:1))
exten => s,n,Goto(from-trunk,gv-incoming,1)

Kicking the Tires. OK. That's enough tutorial for today. Let's play. Using your new softphone, begin your adventure by dialing these extensions:

  • D-E-M-O - Incredible PBX Demo (running on your PBX)
  • 1234*1061 - Nerd Vittles Demo via ISN FreeNum connection to NV
  • 17476009082*1089 - Nerd Vittles Demo via ISN to Google/Gizmo5
  • Z-I-P - Enter a five digit zip code for any U.S. weather report
  • 6-1-1 - Enter a 3-character airport code for any U.S. weather report
  • 5-1-1 - Get the latest news and sports headlines from Yahoo News
  • T-I-D-E - Get today's tides and lunar schedule for any U.S. port
  • F-A-X - Send a fax to an email address of your choice
  • 4-1-2 - 3-character phonebook lookup/dialer with AsteriDex
  • M-A-I-L - Record a message and deliver it to any email address
  • C-O-N-F - Set up a MeetMe Conference on the fly
  • 1-2-3 - Schedule regular/recurring reminder (PW: 12345678)
  • 2-2-2 - ODBC/Timeclock Lookup Demo (Empl No: 12345)
  • 2-2-3 - ODBC/AsteriDex Lookup Demo (Code: AME)
  • Dial *68 - Schedule a hotel-style wakeup call from any extension
  • 1061*1061 - PIAF Support Conference Bridge (Conf#: 1061)
  • 882*1061 - VoIP Users Conference every Friday at Noon (EST)

PBX in a Flash SQLite Registry. Last, but not least, we want to introduce you to the new PBX in a Flash Registry which uses SQLite, a zero-configuration SQL-compatible database engine. After logging into your server as root, just type show-registry for a listing of all of the applications, versions, and install dates of everything on your new server. Choosing the A option will generate registry.txt in the /root folder while the other options will let you review the applications by category on the screen. For example, the G option displays all of The Incredible PBX add-ons that have been installed. Here's the complete list of options:

  • A - Write the contents of the registry to registry.txt
  • B - PBX in a Flash install details
  • C - Extra programs install details
  • D - Update-fixes status and details
  • E - RPM install details
  • F - FreePBX modules install details
  • G - Incredible PBX install details
  • Q - Quit this program

And here's a sample from an install we recently completed.

Click above. Enter your name and phone number. Press Connect to begin the call.

Special Thanks. It's hard to know where to start in expressing our gratitude for all of the participants that made today's incredibly simple-to-use product possible. Please bear with us. To Mark Spencer, Malcolm Davenport, and the rest of the Asterisk development team, thanks for a much improved Asterisk. To Philippe Sultan and his co-developers, thank you for finally making Jabber jabber with Asterisk. To Leif Madsen, our special thanks for your early pioneering work with Gtalk and Jabber which got this ball rolling. To Philippe Lindheimer & Co., thanks for FreePBX 2.8 which really makes Asterisk shine. To Lefteris Zafiris, thank you for making Flite work with Asterisk 1.8 thereby preserving all of the Nerd Vittles text-to-speech applications. To Darren Sessions, thanks for whipping app_swift into shape and restoring Cepstral and commercial TTS applications to the land of the living with Asterisk 1.8. And to our pal, Tom King, we couldn't have done it without you. You rolled up your sleeves and really made CentOS 5.6 and Asterisk 1.8 sit up and bark. No one will quite understand what an endeavor that was until they try it themselves. You've made it look so easy. And, finally, to our dozens of beta testers, THANK YOU! We've implemented almost all of your suggestions.

Additional Goodies. Be sure to log into your server as root and look through the scripts added in the /root and /root/nv folders. You'll find all sorts of goodies to keep you busy. There's an all-new script that painlessly installs and configures HylaFax and AvantFax for state-of-the-art faxing. The 32-bit install-cepstral script does just what it says. With Allison's Cepstral voice, you'll have the best TTS implementation for Asterisk available. ipscan is a little shell script that will tell you every working IP device on your LAN. tells you all of the Asterisk trunks configured on your system. will clean out the CallerID cache in the Asterisk database. shows you how to convert a .wav file to .gsm. munin.pbx will install Munin on your system while awstats.pbx installs AWstats. s3cmd.faq tells you how to quickly activate the Amazon S3 Cloud Computing service. All the other scripts and apps in /root/nv already have been installed for you so don't install them again.

If you've heeded our advice and purchased a PogoPlug, you can link to your home-grown cloud as well. Just add your credentials to /root/ Then run the script to enable the PogoPlug Cloud on your server. All of your cloud resources are instantly accessible in /mnt/pogoplug. It's perfect for off-site backups and is included as one of the backup options in the PBX in a Flash backup utilities.

Don't forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number. Enjoy!

Originally published: Monday, May 9, 2011

VoIP Virtualization with Incredible PBX: OpenVZ and Cloud Solutions

Safely Interconnecting Asterisk Servers for Free Calling

Adding Skype to The Incredible PBX

Adding Incredible Fax to The Incredible PBX

Adding Incredible Backup... and Restore to The Incredible PBX

Adding Remotes, Preserving Security with The Incredible PBX

Remote Phone Meets Travelin' Man with The Incredible PBX

Continue reading Part II.

Continue reading Part III.

Continue reading Part IV.

Support Issues. With any application as sophisticated as this one, you're bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It's the best Asterisk tech support site in the business, and it's all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won't have to wait long for an answer to your questions.

Changes in PBX in a Flash Distribution. In light of the events outlined in our recent Nerd Vittles article and the issues with Asterisk 1.8.4, the PIAF Dev Team has made some changes in our distribution methodology. As many of you know, PBX in a Flash is the only distribution that compiles Asterisk from source code during the install. This has provided us enormous flexibility to distribute new releases with the latest Asterisk code. Unfortunately, Asterisk 1.8 is still a work in progress to put it charitably. We also feel some responsibility to insulate our users from show-stopping Asterisk releases. Going forward, the plan is to reserve the PIAF-Purple default install for the most stable version of Asterisk 1.8. As of June 1, Asterisk is the new PIAF-Purple default install. Other versions of Asterisk 1.8 (newer and older) will be available through a new configuration utility which now is incorporated into the PIAF ISO.

Here's how it works. Begin the install of a new PIAF system in the usual way by booting from your USB flash drive and pressing Enter to load the most current version of CentOS 5.6. When the CentOS install finishes, your system will reboot. Accept the license agreement, and choose the PIAF-Purple option to load the latest stable version of Asterisk 1.8. Or exit to the Linux CLI if you want a different version. Log into CentOS as root. Then issue a command like this: piafdl -p beta_1841 (loads Asterisk, piafdl -p 184 (loads Asterisk 1.8.4), piafdl -p 1833 (loads Asterisk, or piafdl -p 1832 (loads Asterisk If there should ever be an outage on one of the PBX in a Flash mirrors, you can optionally choose a different mirror for the payload download by adding piafdl -c for the .com site, piafdl -d for the .org site, or piafdl -e for the .net site. Then add the payload switch, e.g. piafdl -c -p beta_1841.

Bottom Line: If you use the piafdl utility to choose a particular version of Asterisk 1.8, you are making a conscious decision to accept the consequences of your particular choice. We would have preferred implementation of a testing methodology at Digium® before distribution of new Asterisk releases; however, that doesn't appear to be in the cards. So, as new Asterisk 1.8 releases hit the street, they will be made available through the piafdl utility until such time as our PIAF Pioneers independently establish their reliability.

Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge. If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new statistical web site and check out what's happening. It's a terrific resource both for us and for you.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won't get the special pricing! After the free hour of outbound calling, Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest...

  1. Unless you happen to own a Cisco 79XX phone. See comment below for details. []
  2. If you're using IE9, you'll need to run it in IE8 browser mode for the time being. We're working on it. :-) []
  3. For 64-bit systems with Asterisk 1.8, use the Cepstral install procedures outlined in this Nerd Vittles article. []
  4. If you use the recommended Acer Aspire Revo, be advised that it does NOT include a CD/DVD drive. You will need an external USB drive to load the software. Some of these work with CentOS, and some don't. Most HP and Sony drives work; however, we strongly recommend you purchase an external DVD drive from a merchant that will accept returns, e.g. Best Buy, WalMart, Office Depot, Office Max, Staples. You also can run The Incredible PBX on a virtual machine such as the free Proxmox server. Another less costly (but untested) option might be this Shuttle from NewEgg: $185 with free shipping. Use Promo Code: EMCYTZT220 []

Welcome to IP Country: A New Layer of Asterisk Security

image courtesy of One of the problems with writing a blog like Nerd Vittles is it's more than double the work of your typical blog where a writer pontificates about something and then moves on. What makes Nerd Vittles a little different is that, with help from a number of very gifted developers, we actually create useful applications and then write about how to use them. So you get a bonus for the same low price: free! This obviously imposes some time constraints in order to get fresh material into your hot little hands every week.

This week we turn our attention to Asterisk® Security again and unfortunately the Whole Enchilada is not yet ready. So today you get Chapter I of this topic with a comment that we're still mulling over some enhancements. When those pieces are finished or at least properly evaluated, we'll produce a sequel. Software houses spend years developing applications. And sometimes it takes us more than a week. :-)

Let's start with a few observations which should be quite obvious to those who have wrestled with VoIP or Asterisk for a while. Internet security is a bitch. And Asterisk security is much, much worse. When a few disgruntled people can bring Twitter to its knees because they're mad about some particular tweet or Twitter user, it tells you what we're all up against. Hate to say it but we can all thank Microsoft for years of security neglect that rendered the Windows operating system less than optimum in preventing the spread and deployment of BOTs. And the tools have gotten more dangerous as well. Strangers (our euphemism for these folks) write new software, too.

If you're using PBX in a Flash (and you really should be!), you know that we've devoted enormous resources to Asterisk security. Two years ago when PBX in a Flash was introduced, the majority of people using Asterisk still were using 1234 as the extension password on all or most of their extensions. A couple $100,000 phone bills and lots of public education, and that situation hopefully is behind us. Two years ago, no Asterisk aggregation included a firewall... except PBX in a Flash. Believe it or not, there were individuals running Asterisk servers on the public Internet with a default root password of password. That added more than a few more BOTs to the Internet kettle of fish. Then there were the brute force password hacks that hit Asterisk servers thousands of times per minute guessing passwords. Nothing stood in the way of these attacks until PBX in a Flash introduced Fail2Ban which automatically blacklisted IP addresses after a certain number of failed login attempts. We followed Fail2Ban with our Atomic Flash product which provided a turnkey Hamachi VPN implementation for rock-solid safe remote computing. And, of course, there was a one-minute Hamachi VPN install script for standard PBX in a Flash systems. No other aggregation has it to this day.

The purpose of the history lesson isn't to crow about PBX in a Flash although we're mighty proud of it. Rather we wanted to make you aware that precious little development effort is actually going into security while enormous resources are devoted to things such as Internet faxing, Skype, and Google Voice integration. We'll be the first to admit that we love the latest gee whiz gizmos as much as anybody. But come on. A handful of us who do this purely for fun somehow manage to turn out loads of security enhancements while huge, for-profit companies are devoting virtually zero resources to making Asterisk, SIP, and the VoIP community safer. SIP is about as secure as whispering at a movie theater. Google releases Google Voice with SIP access protected by a 4-digit password. :roll: That approach to security needs to change, or we're all going to wake up sorry one day soon. If this is preaching to the choir, then feel free to pass this article on to one of your brethren who has not yet seen the light! Start by reading our Primer on Asterisk Security.

If you have extremely secure passwords on your Asterisk extensions and trunks, and you have deployed a properly configured firewall with Fail2Ban to protect against brute force attacks, then you're ahead of the curve insofar as Asterisk security is concerned. But what we think is still missing is access restrictions based upon what the military calls a "need to know." Simply stated, it means folks shouldn't get access of any kind to your Asterisk server unless they have a need to be there. And, if we find someone there that doesn't belong, they should be kicked off and banned from further access.

So today we have a new security tool for your Asterisk toolbox: IP Country, country-based network filtering by IP address. In a nutshell, it means configuring your Asterisk server to dramatically reduce the number of IP addresses which can reach your server at all. If you receive anonymous SIP connections from all around the globe that you actually need or if you're attacked from a BOT running on grandma's Windows machine down the block, this may not work for you, but it's another tool in your quiver of arrows. For most servers, it has the potential to reduce the vulnerability from random outside threats substantially. It's taken a lot of research to come up with much of what follows, and we want to express our special thanks to Sandro Gauci and Joe Roper for their assistance. Some of this technology has been around for many years, but unfortunately it was expensive. So we also want to express our special appreciation to MaxMind for releasing their open source GeoLite Country database which is now free for downloading. That is the critical ingredient in much of what follows. So here's a word from our sponsor:

This product includes GeoLite data created by MaxMind, available from

Scope of Protection. An obvious question is just exactly what are we trying to protect. In our view, it's several things. First, we don't want strangers logging in to extensions on our server and making free calls around the globe using pilfered or hacked passwords. We also don't want strangers using our extensions to masquerade as us for any other purpose. Second, we don't want strangers randomly calling our server using SIP URI's that they've dreamed up. And third, we don't want strangers accessing any other applications on our server including SSH and FTP as well as web and email services.

IP Country Design. As with other security features in Asterisk, FreePBX, and IPtables, our implementation of IP Country uses permit and deny access tables that consist of authorized and unauthorized ranges of IP addresses. There's also a table with the latest GeoLite Country information which is used as the data source for your permit table. When a connection to the server is made, the IP address is checked against the permit table of authorized addresses. If there's no match, we'll consider the connection a stranger. If there is a match, then we'll check the deny table to make certain this particular IP address hasn't been banned. Unless you alter all of our scripts, your system must be using the default MySQL account name of root with a password of passw0rd. As configured in PBX in a Flash, this is NOT a security risk since MySQL access is limited to your server, and your server requires root credentials to log in.

Today's Objective. To get everyone started, we're going to tackle the first two objectives today. The solutions offered should work fine on any FreePBX-based Asterisk system... even those that hide the existence of FreePBX.

For outgoing calls, we'll introduce a new script which runs periodically to examine the IP addresses attached to every SIP and IAX extension and trunk on your Asterisk server. If a stranger's IP address is identified (as explained above), we'll add an IPtables firewall rule to permanently block access to your server from this IP address. These rules are stored in /etc/sysconfig/iptables should you ever need to remove an IP address that has been blocked. You can adjust the script execution frequency based upon the thickness of your wallet. After all, it's your phone bill. This functionality is mutually independent from the incoming call protection outlined below so you can use either or both of the functions to meet your own requirements. For systems that use enormous numbers of SIP URI's for communications around the globe, you might choose to implement just this piece for extension and trunk IP Country protection without altering your incoming dialplan at all. Keep in mind that FreePBX now supports permit and deny IP address filters on extensions, something you really should be using even if you decide against implementing the IP Country security protection layer.

For incoming calls, we're going to modify FreePBX's existing Blacklist functionality to also look up the calling IP address in our IP Country permit and deny tables. If the IP address is authorized, the call will go through. Otherwise, the call will be treated just as if the caller's number were blacklisted. Be aware that incoming calls to one of your commercial DIDs may reflect the IP address of your provider since the caller may be calling from a Plain Old Telephone rather than an IP address. The existing Blacklist functionality can be used to block these unwanted callers. If you live in the United States, you'll probably also want to call 888-382-1222 and place your DIDs in the Do Not Call database. Just call from a phone using the CallerID of the number you wish to block.

Installing GeoLite Country. To get started, log into your server as root and issue the following commands:

cd /
tar zxvf ipcountry.tgz
rm ipcountry.tgz
cd /root/ipcountry

Once the nv-ipcountry script begins to run, it will download and install the GeoLite Country database into MySQL. You then will be asked whether to add countries to your permit table. Since your permit table is empty at this point, the answer should be yes. You'll then get a list of country codes. Choose the two-character country code desired and type it in UPPERCASE, e.g. US. If you want to add one or more additional countries, just rerun ./nv-ipcountry and do NOT initialize the permit table (which erases all of its contents).

New GeoLite Country databases are released every month or two so get used to the procedure. You'll be using it periodically to keep your list of IP addresses current. We'll cover the update procedure after we get you up and running.

Remember: If no IP addresses for any country are added to the permit table, you will not be able to make calls or register trunks with your providers! The only default entries added to the permit table are the non-routable, private IP address ranges, e.g. 192.168.0, etc. The geolite table is merely a data repository of the latest GeoLite Country database and has no effect on the daily operation of your system! You use it only as a data source for populating your permit table.

Testing IP Country. Before we actually turn anything on, we need to be sure we're not going to blow your Asterisk system out of the water! In short, we want to make sure that every extension that's supposed to be able to make a connection to your PBX still can. And we need to make sure all of your trunk registrations still are working. While you're still in the /root/ipcountry directory, issue the following command: ./ This script will display all of your SIP and IAX connections and then will tell you whether each connection will pass muster with IP Country security in place. Each IP address should display ok. If any of them show ko, you have a problem. This means that you have an extension or trunk with an IP address that is not included in your permit table. You can scan through the show peers listings in the display to figure out which providers or extensions are associated with any problem IP addresses. Be sure it's not a bad guy first. Then you have a couple of options. You can either manually add the IP address to the permit table as outlined below. Or you can add additional countries which include the missing IP address(es). To decipher the country of any problem IP address, go to this link and plug in the IP address. Once you've made entries in your permit table to cover all of your needed IP addresses, run the test script again just to be sure everything shows ok. Do NOT proceed until you get all ok's, and don't write us if you do.

Manually Adding IP Addresses to IP Country. We've provided a command-line utility which makes it easy to add IP addresses and address ranges to either the permit or deny tables of IP Country. Be very careful using this tool! There's limited error-checking which means it's easy to create a mess. You'll find iputility.php in the /root/ipcountry folder. Since all IP addresses are stored as integers, you can use it to merely discover the integer value of an IP address, or you can actually insert IP addresses into either the permit or deny tables. Here are a few examples to show how the utility works:

Returns the integer value for this IP address; no database update
Returns integer values for this IP address range; no database update
./iputility.php deny
Adds this IP address to IP Country deny table
./iputility.php permit
Adds this address range to IP Country permit table)

A couple of points worth noting. First, all custom entries in your permit and deny tables using iputility will show a country code of AA. This makes them easy to find using phpMyAdmin if you make a mistake. Second, if you attempt to enter the same IP address range more than once, you'll get a database error since all entries in the tables must be unique. Third, remember that entries in the deny table take precedence over entries in the permit table. So, if the same IP address or address range is in both tables, access will be denied. The reason for this is to make it easy to exclude a few bad apples from a country that you might otherwise find unobjectionable. Finally, keep in mind that manual entries added to the permit table will have to be added again each time you initialize the table and insert new country IP codes after a GeoLite Country refresh. The deny table is unaffected by database refreshes. So make yourself a list of entries you manually insert into the permit table and keep it in a safe place for future reference.

Activating the IP Address Checker. In the /root/ipcountry directory, you'll find the script that we'll use to check your system periodically to be sure all of the extensions and trunks are registered at permitted IP addresses. To run the script manually, log into your server as root and type: /root/ipcountry/ When you run it, you shouldn't see any modifications to IPtables, just a string of ok's. So now we want to added the script as a cron job that will be run periodically to watch your system. Edit /etc/crontab and insert the following line at the bottom of the file:

*/1 * * * * /root/ipcountry/ > /dev/null

*/1 means run the script once a minute, all day and night, every day. */5 means every 5 minutes. You make the call on how safe you'd like your system to be. If you'd like to receive an email or text message every time an IP address is blocked by, just edit the filecheck.php script, uncomment the two lines that begin with // and replace with your email or text message address.

WARNING: For to work properly with IPtables, there are a couple of prerequisites. First, IPtables must be running on your system with the iptables file located in /etc/sysconfig. Second, your IPtables setup must include an SSH permit rule that looks like this:

-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT

We use this rule as a place finder to determine where to insert new rules to block stranger's IP addresses. If you don't have the above rule, filecheck.php (used by won't be able to insert new rules. So you'll need to manually edit filecheck.php to provide a "hook" that can be used to insert rules into your iptables file. PBX in a Flash systems come preconfigured to support this. With other aggregations, YMMV!

Activating the Incoming Call Checker. To screen incoming calls using your IP Country permit and deny tables, the setup is straight-forward assuming you are running the latest version of FreePBX 2.5. We're going to adjust the Blacklist context to also perform IP address lookups from IP Country when new calls arrive on your PBX. Just log into your server as root and add the following lines to the bottom of the extensions_override_freepbx.conf file in /etc/asterisk:

include => app-blacklist-check-custom
exten => s,1,LookupBlacklist()
exten => s,n,GotoIf($["${LOOKUPBLSTATUS}"="FOUND"]?blacklisted)
exten => s,n,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
exten => s,n,GotoIf($["${TESTAT}" != ""]?hasat)
exten => s,n,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
exten => s,n,Goto(gotip)
exten => s,n(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
exten => s,n(gotip),NoOp(Gateway IP is ${FROM_IP})
exten => s,n,NoOp(IP Country Lookup in Progress...)
; put authorized special calls like sipgate's Google Voice ringbacks below
exten => s,n,GotoIf($["${FROM_IP}"=""]?keepon)
exten => s,n,AGI(nv-ipcountry.php|${FROM_IP})
exten => s,n,GotoIf($["${STRANGER}"="true"]?blacklisted)
exten => s,n(keepon),NoOp(** AUTHORIZED CALLER **)
exten => s,n,Return()
exten => s,n(blacklisted),Answer
exten => s,n,Wait(1)
exten => s,n,Zapateller()
exten => s,n,Playback(ss-noservice)
exten => s,n,Hangup

Make sure you remove the line-wrap in the s,n(hasat) line and any others that may have wrapped in the display above! Then save the file and reload your Asterisk dialplan: asterisk -rx "dialplan reload". You're all set! If you'd like email notices when a stranger calls and is blacklisted, edit nv-ipcountry.php in /var/lib/asterisk/agi-bin. Plug in your actual email address in the $email variable and set $emailalerts = 1.

Housekeeping 101. As we mentioned above, the pool and location of IP addresses continues to change so periodic updates are necessary, or you'll end up blocking calls that otherwise should be permitted. MaxMind updates GeoLite Country on the first day of every month so add it to your TO-DO list. We strongly recommend that you perform these steps through an SSH connection from a remote PC. Why? Because, if you forget step 1 while logged directly into your server, you could inadvertently lock yourself out of your own system if the ip-checker script happens to run while your permit table is empty. If you do it from a remote machine, you can simply move to another machine and follow these instructions properly. Otherwise, you've got a serious problem on your main server. If this server provides phones to your business, do the update when the server is idle. So here's the drill:

  1. Comment out the /etc/crontab entry
  2. Download new GeoLite Country database from MaxMind
  3. Initialize the ipcountry.permit table
  4. Add authorized countries back into ipcountry.permit table
  5. Add back any custom entries to permit table
  6. Test your IP Country system to make sure you get all ok's
  7. Reactivate in /etc/crontab

1. Log into your server as root. To comment out the line in /etc/crontab, just add # as the first character on the line and save the file.

2. Change to the /root/ipcountry directory and run ./nv-GeoIPrefresh.

3. While still in the /root/ipcountry directory, run ./nv-ipcountry and choose 1-Yes to initialize your ipcountry.permit table.

4. Continue running or rerun ./nv-ipcountry to add each desired country to your ipcountry.permit table.

5. Run ./iputility.php to add custom IP address entries to your ipcountry.permit table. You do NOT need to reenter addresses in the deny table. It is unaffected by this update procedure.

6. Test your system again to make sure all extensions and trunks get an ok by running ./

7. Edit /etc/crontab and remove the # at the beginning of the line and save the file.

What's Next. We're still exploring another possibility with IP Country, and that is integrating GeoLite Country directly into IPtables. This would validate every packet coming into your firewall using IP Country-like rules in IPtables. If you want to look at how it could be done, see this excellent writeup. Well, not so fast. Unfortunately, it won't compile under CentOS 5.2. Here's a link to the problem code if there are any Linux gurus in the house. Our reluctance in doing this has to do with performance. Keep in mind that, without stateful packet inspection, every single packet coming into your server would presumably trigger a database lookup. On a busy telephony system generating hundreds of thousands of packets per second, it would take a beast of a server with sufficient memory to cache the entire IP Country database in order to handle the processing load. So now we've got to either learn about or find an expert on the IPtables State Machine. If anyone wants to experiment, please share your expertise with the rest of us. There's a Google Voice invite in it for you, too. If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new statistical web site and check out what's happening. It's a terrific resource both for us and for you.

Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won't get the special pricing! After the free hour of outbound calling, Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest...

Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

Here's a headline to wake up any CEO: "Small business gets $120,000 phone bill after hackers attack VoIP phone." actually ran this story on January 20. "Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours... 115,000 international mobile calls were made using the small business's VoIP system over a six month period."

News Flash: Be sure to read our latest article introducing Travelin' Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.

For the latest Security Tips: See our most recent article.

Sad to say that folks install VoIP phone systems to save money and then completely ignore tried-and-true network security principles: hardening your system, regularly watching your logs, and periodically changing your passwords. If PBX in a Flash were a commercial offering, we'd probably keep much of what follows to ourselves and start touting our PBX systems as the only Asterisk® offering with Secure-Wrap™. That's not our world, of course, nor is it what open source is all about... which turns out to be both a blessing and a curse. We openly and jointly figure out ways to secure our Asterisk systems as well as those of our competitors. Then the bad guys get to read all about it and come up with new, more creative "solutions." The silver lining is there are millions of insecure Asterisk systems so the creeps typically move on to easier targets.

Today we'll walk you through our Top Ten Security Tips and Tricks. All of these can be implemented easily to harden your Asterisk PBX and lessen the chances of the bad guys transforming your VoIP system into a free, international payphone: you pay, they phone. In the process, we'll identify some common security blunders that accompany new system installs in hopes that you won't make the same mistakes. So let's start with the basics. If you plug your Asterisk PBX directly into the public Internet without carefully securing it, your chances of being hacked within the hour are pretty good.

Rule #1: Protect Your PBX With IPtables. PBX in a Flash systems are delivered with the IPtables firewall enabled. Leave it that way! If your Asterisk implementation doesn't have IPtables support, demand that it be added immediately or ask for assistance in adding it yourself. There is no reason not to use a freely available, open source firewall, period! And there are many good tools including WebMin (also included in PBX in a Flash distributions) to get it configured properly. With PBX in a Flash, all of the grunt work has been done for you.

Firewalls, of course, are only as good as the set of rules defined to secure your system. So only activate ports that are absolutely essential to run your PBX. For an excellent review of the ports that are opened by default in PBX in a Flash systems, see Joe Roper's summary. Think of an activated port as a hole in the dike. The more holes you add, the less secure your PBX will be. We'll leave it to you to count the holes in the dike if you choose to run your PBX without IPtables enabled. Our rule of thumb for PBX security goes something like this. If you don't need web access to your PBX, don't open ports 80 and 9080. If you don't need SSH, FTP, FOP, or WebMin access to your PBX, don't enable those ports. Better yet, don't even turn those services on unless there is a pressing need.

All of the IPtables rules are stored in /etc/sysconfig/iptables. Don't edit this file unless you know what you're doing. If you need help with the rules, post a question on the PBX in a Flash Forum. Typical response time on posted questions is under an hour on our forum. And don't forget to restart IPtables if you make changes to any of the rules: service iptables restart.

Rule #2: Protect Your PBX With A Hardware-Based Firewall. If one firewall is good protection, two firewalls are even better. As much as NAT-based firewall/routers get a bad rap, the extra layer of protection that a $50 hardware-based firewall/router delivers cannot be overstressed. Think of the software-based firewall as the tool of choice to secure your PBX on your internal LAN while the hardware-based firewall secures your system on the public Internet. We recommend the dLink WBR-2310 for home and SOHO use. It provides a reliable NAT-based router, a firewall, and excellent WiFi capability for under $50. If you've got some spare change, step up to one of dLink's Gaming Routers which we happen to use. They provide all the tools you'll need to prioritize your VoIP traffic. As with Rule #1, only open and redirect ports that are absolutely essential to use your PBX.

Rule #3: Safeguard Against Random Password Hacks. There is no better tool to protect your PBX from random password attacks than Fail2Ban 0.8.3. Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful password attempts. It updates IPtables rules to reject those IP addresses for a period of time that you can set in /etc/fail2ban/jail.conf. Originally PBX in a Flash systems were shipped with an earlier version of Fail2Ban that provided only minimal protection. If your system doesn't include the jail.conf file above, you still have the older version. Simply run our update script to get the current release:

cd /root
mkdir fail2ban
cd fail2ban
chmod +x fail2ban-update
service fail2ban restart

As was true with IPtables, Fail2Ban is only as good as the rules which are defined to identify failed password attempts on your system. On PBX in a Flash systems, we now protect against web, FTP, SSH, SIP, and IAX password attempts.

If your particular Asterisk implementation lacks Fail2Ban support, you're missing a critically important (free) tool to safeguard your system from random password attacks against SSH and your protected web sites as well as your SIP and IAX extension passwords. For tips on installation, review our script that is available on this thread in the PBX in a Flash Forum.

Rule #4: Narrow Access With IP Address Restrictions. Security privileges in the U.S. government are based upon a "need to know." It's pretty simple. If you don't have a need to know the information to perform your duties, you don't get the privilege. You can use a similar technique to secure your PBX by implementing IP address restrictions. For example, if all of your extensions are housed on a private subnet of your internal LAN, then there is no reason to allow Internet access to those extensions. Similarly, for extensions outside your local network, you now can hardcode the IP address into the extension to restrict access. To implement this with Asterisk and FreePBX-based systems, you'll first need to upgrade FreePBX to at least version Once you've upgraded, go into each extension and enter either an IP address or an IP subnet for that extension in the permit field. For an IP address, the syntax is For an IP subnet, the syntax would look like this: This one tip would have been worth $120,000 to the Australian company referenced above. Yes, consultants can be worth their weight in gold. :-)

If you're as absent-minded as we are, you don't want to have to worry about remembering this each time you add a new extension to your system. So it's quite simple to change the default permit entry from to the subnet mask of your LAN. Then you only have to adjust this entry whenever you add an extension which is not on your internal LAN. For example, if your LAN subnet is 192.168.0, then we want to replace the default entry with The file to edit is /var/www/html/admin/modules/core/ Just search for $tmparr['permit'] in BOTH the iax2 and sip sections of the file and make the value substitution preserving the single quotes on both sides of your new entries.

You also can implement both password and IP address restrictions to limit web access to your server. With Apache web servers, this is done through .htaccess files and directory restrictions in your Apache config files. On PBX in a Flash systems, htaccess password restrictions now are the default setup in all of our builds. Suffice it to say, if you can access the /admin directory on your web site from the Internet without being prompted for a password, your site probably has been compromised. Keep in mind that these passwords get cached so be sure you have cleaned out your browser cache before having a heart attack. Better yet, try this from a browser you don't ordinarily use (such as the one on your cellphone).

For additional security, you can further restrict access to your web directories by adding a list of authorized IP addresses to the .htaccess file in each subdirectory. Here's what an .htaccess file with IP address restrictions might look like. The first Allow entry is the private LAN subnet, the second is a remote site, and the third is the Hamachi VPN subnet mask:

Deny from All
Allow from 192.168.0
Allow from
Allow from 5.67

Rule #5: Don't Use 'Normal Ports' for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you've done. Read that last sentence again. It's important! With a hardware-based firewall such as the WBR-2310, this is incredibly easy. dLink calls them Virtual Servers. Here is a typical entry:

HTTP   TCP 80/2319   Allow All   Always

You can simply redirect common ports to different ports for Internet access. Don't do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. For example, port 80 typically is the default web server port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) web access, simply remap TCP port 80 to some obscure port and change it periodically. For example, you might redirect TCP port 80 to port 2319. Once the setting is saved, you access the web site with a browser entry like this: Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don't use these numbers obviously! Make up your own. The key here is that 5 minutes work every month will keep web access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 80 every night while you're sleeping. Incidentally, most of these routers also will let you block access to certain ports during certain hours of the day. If you're sleeping, there's really not much need to provide SSH and web access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world's best crackers reside in countries where daytime happens to be nighttime in the United States.

Rule #6: Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our wild-assed guess (WAG) is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn't Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. The first five rules would have protected most Asterisk systems. But our WAG on the number of Asterisk PBX's that have implemented all five rules above would be less than one in a thousand. Part of that is because some of these tools weren't readily available until recently. But part of it is because most of us are just plain L-A-Z-Y.

Really secure passwords really do matter. And it's more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, make certain it has a really, really secure password. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). You've been warned. It's your phone bill and bank account!
<end of sermon>

Rule #7: Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn't begin to describe some of what lies under the FreePBX covers. Make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.

Our rule of thumb on Internet web accessibility to an Asterisk PBX goes like this. Don't! But, if you must, build as many layers of protection as possible to assure that your system is not compromised. If the bad guys get into FreePBX, the security of your PBX has been compromised... permanently! This means you need to start over with all-new passwords by installing a fresh system. You simply cannot fix every possible hole that has been opened on a FreePBX-compromised system!

Rule #8: Implement VPNs for PBX Systems. PBX in a Flash has provided simple install scripts to deploy Hamachi VPNs on all of our current systems. Hopefully, the other aggregations will do likewise. In addition, we offer turnkey VPN in a Flash systems which provide this functionality out of the box. VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. We now are exploring other VPN solutions which would facilitate the use of VPN-enabled telephones such as the new offerings from SNOM.

Rule #9: Check Your Logs Every Day. We're still dumbfounded by the following quote from the article above: "115,000 international mobile calls were made using the small business's VoIP system over a six month period." Six months and they never checked their call logs? Sounds like they earned this phone bill. FreePBX provides an incredibly simple way to review your call logs. Click the Reports tab at the top of the screen and look at the bar graph showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day! It also should be noted that Ethan Schroeder has released a beta of some new monitoring software which will provide more granular monitoring of daily call volumes. For additional information or to participate in the beta, visit this link.

Rule #10: Do Some Reading... Regularly. No security implementation is complete without a little regular effort on your part: reading. If you're going to manage your own network or PBX, then you need to keep abreast of what's happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the trixbox Forum, and the FreePBX Forum. Aside from reviewing your call logs, it's the best 15 minutes you could spend to safeguard your system. We also have an RSS Feed which includes security alerts.

Update #1: Be sure to read this great new article. It has two fresh ideas for securing your system!

Update #2: Please also read this Nerd Vittles Alert about FreePBX backdoors and default passwords that was published on April 15, 2011.

Some Other Suggestions. A couple other suggestions come to mind that don't involve securing your PBX per se but nevertheless will lessen your exposure in the event of a security breach. First, if your usual calling patterns don't involve international calling or if they're limited to one or two countries, tighten up your outbound dialplan and restrict calling to countries that you actually need. It can always be changed when the need to call elsewhere arises. Second, if you use pay-as-you-go providers, never use credit card auto-replenishment. Instead, add funds periodically using the provider's web interface. The advantage of this is that, if someone does manage to break into your system, your loss will be limited to the current balance in your provider account. You'll not only save a lot of money, but you'll also get a notification that something has gone horribly wrong. Finally, a forum user mentioned one we had overlooked. If you have a mix of POTS and VoIP lines, don't put the POTS lines in the default outbound pool for toll calls. This could potentially save you lots of money.

Continue Reading Part II: The VoIP WhiteList for IPtables...

Got Some Other Ideas? 50,000 heads always are better than one when it comes to network security. If there are things we've missed, take a minute to post a comment. It'll help all of us keep our systems more secure. Good luck!

Digium® Weighs In. Since this article first appeared, Digium has released its own set of tips on SIP security. By all means, have a look!

Security Alert of the Week. A trixbox user yesterday reported that he had discovered a rootkit exploit on his server. You can could read all about it here. The 6:03 a.m. (California time) post mysteriously disappeared a few hours later... soon after the trixbox staff got to work. Another darn computer failure according to Fonality staff. :-? We've attempted to recreate the information from Google snippets. And here's a simple test to see if you have a similar rootkit problem:

ls -all /sbin/init.zk

Want a Bootable PBX in a Flash Drive? Our bootable USB flash installer for PBX in a Flash will provide all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and our flash installer in less than 15 minutes!

If you'd like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment with your best PBX in a Flash story.1

Be sure to include your real email address which will not be posted. The winner will be chosen by drawing an email address out of a hat (the old fashioned way!) from all of the comments posted over the next couple weeks. All of the individuals whose comments were used in today's story will automatically be included in the drawing as well. Good luck to everyone and Happy New Year!!

New Fonica Special. If you want to communicate with the rest of the telephones in the world, then you'll need a way to route outbound calls (terminations) to their destination. For outbound calling, we recommend you establish accounts with several providers. We've included two of the very best! These include Joe Roper's new service for PBX in a Flash as well as our old favorite, Vitelity. To get started with the Fonica service, just visit the web site and register. You can choose penny a minute service in the U.S. Or premium service is available for a bit more. Try both. You've got nothing to lose! In addition, Fonica offers some of the best international calling rates in the world. And Joe Roper has almost a decade of experience configuring and managing these services. So we have little doubt that you'll love the service AND the support. To sign up in the USA and be charged in U.S. Dollars, sign up here. To sign up for the European Service and be charged in Euros, sign up here. See the Fonica image which tells you everything you need to know about this terrific new offering. In addition to being first rate service, Fonica is one of the least expensive and most reliable providers on the planet.
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won't get the special pricing! After the free hour of outbound calling, Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest...

  1. This offer does not extend to those in jurisdictions in which our offer or your participation may be regulated or prohibited by statute or regulation. []

Ringbinder theme by Themocracy