Home » Posts tagged 'iptables'

Tag Archives: iptables

The Most Versatile VoIP Provider: FREE PORTING

Migrating Incredible PBX 2021 to a PUBLIC Facing Cloud PBX


Today we want to again enhance the migration of Incredible PBX 2021 into a PUBLIC-facing Cloud PBX. What that means is authorized users can connect a SIP phone to the PBX regardless of where the user might be located without worries about an ever-changing dynamic IP address and the requirement to whitelist the new IP address. A PUBLIC-facing PBX also provides free SIP URI connectivity to users of your PBX by anyone from anywhere in the world. In other words, it’s similar to the way you could connect to any Ma Bell telephone in the world simply by knowing the number to dial. The difference, of course, is SIP URI connectivity is free while there were often staggering long distance charges for remote connectivity in the Ma Bell days. Fifty years ago it was not uncommon for a college boy to spend $200 a month calling his college sweetheart less than 200 miles away in the same state. Ask me how I know.

Why is this such a big deal? The short answer is security and your phone bill. You don’t want bad guys on the other side of the globe attempting to register a SIP phone to your PBX so that they can use your trunks to make free phone calls on your nickel. You also don’t want anybody and everybody calling your users by simply guessing the IP address of your PBX. So today’s new design combines several security mechanisms to make a PUBLIC-facing PBX safe and secure. First, we will block all SIP connectivity to your PBX by IP address. Second, we will identify 30,000+ known SIP bad guys and block their access to your PBX entirely. Third, we will only permit SSH access to your PBX using public key authentication instead of traditional username/password authentication. Fourth, we will only permit web access to the Incredible PBX portal from whitelisted IP addresses and OpenVPN private addresses. We haven’t mentioned the elephant in the room, Distributed Denial of Service (DDoS) attacks, but today’s methodology reduces the risk considerably since your PBX cannot be ping’d, and all IP address access is blocked at the Linux kernel level.

Prerequisites. To put all these safeguards in place, you’ll need a cloud-based Incredible PBX 2021 KVM platform running Debian 10. Install the latest Incredible PBX 2021 platform using our tutorial. Next, you’ll need these items:

  1. Public IP Address of your server
  2. Obscure FQDN linked to this public IP address
  3. Random SSH port with registered public keys for SSH access
  4. List of SIP extensions to enable for SIP URI access
  5. IP Addresses to WhiteList for Access to the Web GUI

1. Deciphering Public IP Address of Your PBX

After logging into your PBX as root, you can execute pbxstatus to decipher the public IP address of the PBX. Or issue the command: wget -q -O - ipinfo.io/ip

2. Obtaining an FQDN for Your PBX

Security through obscurity provides the critical layer of protection for your server so choose an FQDN carefully. sip.yourname.com provides little protection while f246g.yourname.com pretty much assures that nobody is going to guess your domain name. This is particularly important with SIP registrations because registered extensions on your PBX can obviously make phone calls that cost you money. If you don’t have your own domain, you can always obtain a free hostname from a service such as NoIP.com.

3. Securing SSH Access to Your PBX

Whatever you do, don’t leave SSH access via port 22 exposed on your PBX. In the time it took to create a new PBX on CloudAtCost, there were over 400 attempted logins to the default SSH port of the new server. The simplest (but least secure) method to avoid these script kiddie attacks is to change the port number for SSH access to your server. We suggest using the year you were born as the port number because it’s easy to remember. Edit /etc/ssh/sshd_config and uncomment the Port line replacing 22 with the port number you chose. Then restart SSH: systemctl restart sshd.

The preferable solution to secure SSH is to create and use SSH keys for access and set PasswordAuthentication no on the last line of /etc/ssh/sshd_config. Digital Ocean has an excellent tutorial to walk you through the setup process.

4. Choosing Extensions for SIP URI Public Access

With today’s PUBLIC design, exposing an extension for PUBLIC access means anyone in the world that knows the FQDN of your server and the extension number can do two things using any SIP client: (1) they can call you and (2) they can attempt to register to that extension and make calls on your trunks AND your nickel. So only expose extensions for public access if there is a need to connect or call from remote locations. For extensions you decide to expose, make certain that the passwords for these extensions are extremely secure, lengthy, and use numbers with both UPPER and lower case letters. Never use default extension passwords!

5. Whitelisting IP Addresses for Public Web Access

Without enumerating IP addresses for public web access, you won’t be able to connect to the web GUI of your PBX. Down the road, if you wish to add additional IP addresses, you can use /root/add-ip to add them via SSH.

Deploying New PUBLIC Firewall

To get started, log into your server as root and issue the following commands:

cd /tmp
wget http://incrediblepbx.com/newpublic.tar.gz
tar zxvf newpublic.tar.gz
rm -f newpublic.tar.gz

Next, edit /tmp/iptables.base and change the highlighted entries:


Change port 22 in the dport entry to the SSH port number you chose in Step 3, above.

Change 8.8.8.8, 8.8.4.4., and 1.1.1.1 to actual public IP addresses of desktop machines you wish to use to access the web GUI of your PBX. If you don’t need three entries, comment out the other entries with # at the beginning of each line.

Replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.

Save the file.

On the Debian platform, issue the following commands:

cd /etc/iptables
cp /tmp/iptables.base .
mv rules.v4 rules.v4.orig
cp iptables.base rules.v4

Using Incredible PBX PUBLIC with Asterisk

The first line of defense with this PUBLIC implementation is your FQDN. Second is the IPtables firewall setup above. And third is the Asterisk® extensions configuration in extensions_override_freepbx.conf. Here’s how to configure it. Edit /tmp/extensions_override_freepbx.base and change the highlighted entries:


If there are phone numbers assigned to your PBX that you want processed according to your Inbound Routing rules, duplicate the first highlighted line above and, for each trunk, replace 8881234567 with your actual DID numbers.

In exten => _.,1 line, replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.

In exten => _.,10 line, replace your-servers-FQDN with the actual FQDN assigned to your PBX from Step 2, above.

Scroll down in the file to the following section:



Comment out undesired default extensions. Place a semicolon at the beginning of the lines.

For any extensions you wish to add, insert a new line in the following format replacing both 7000 entries with the desired extension number:

exten => 7000,13,Dial(local/7000@from-internal)

Save the file and then execute the following commands to complete the PUBLIC setup:

cd /etc/asterisk
cp /tmp/extensions_override_freepbx.base .
mv extensions_override_freepbx.conf extensions_override_freepbx.orig
cp extensions_override_freepbx.base extensions_override_freepbx.conf
fwconsole restart
asterisk -rx "dialplan reload"
iptables-restart
sed -i 's|-A INPUT|-I INPUT|' /root/add-ip
sed -i 's|-A INPUT|-I INPUT|' /root/add-fqdn
sed -i 's|for |PUB |' /usr/local/sbin/pbxstatus

Adding IPSET Protections to Incredible PBX

We’re not the biggest fans of blacklists because the bad guys spend a lot of time trying to corrupt them by inserting valid IP addresses of sites such as DNS servers in the lists to wreak havoc. Having said that, there are two blacklists that are carefully monitored on a daily basis, and both provide additional protection for your PBX by weeding out access by 30,000+ potential bad guys. The oldest of these is VoIP Blacklist. And the new kid on the block is APIBAN from LOD.com and Fred Posner. We’ve simplified the setup process for use with Incredible PBX 2021. To get started, obtain an APIBAN API key here. Then issue the following commands to put all the pieces in place on your server:


apt --fix-broken install -y
apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent -y
cd /usr/local/sbin
wget http://incrediblepbx.com/incrediblepbx-ipsets.tar.gz
tar zxvf incrediblepbx-ipsets.tar.gz
rm -f incrediblepbx-ipsets.tar.gz

Next, edit /usr/local/sbin/apiban-init and insert your APIkey.

Finally, issue the following command to reload the firewall: iptables-restart

Verifying Firewall Setup of Incredible PBX

Let’s make certain that everything got installed correctly. Begin by issuing this command: iptables -nL

Scroll toward the top of the list, and you should see two entries for the voipbl and apiban ipsets indicating that entries in those lists will be dropped by the firewall.


Next, verify that the voipbl and apiban ipsets are populated. The first two commands below will list all of the blocked IP addresses. And the next two commands will provide a count of the dropped IP addresses.

ipset list voipbl
ipset list apiban
ipset list voipbl | wc -l
ipset list apiban | wc -l

Finally, you can refresh the ipsets with the following two commands:

voipbl-init
apiban-init

Rebooting or restarting the firewall with iptables-restart also refreshes the ipset listings.




 

Calling an Incredible PBX PUBLIC Extension

Any extensions that you have whitelisted in the blue section above can be called from anywhere using any SIP client. Simply enter the SIP URI for the extension in the following format: SIP/extension@your-servers-FQDN

CAUTION: If a caller attempts to call any extension on your PUBLIC server from an extension on another Asterisk server to which the caller is registered, the call will fail if there is a matching extension number on the PUBLIC server and the two servers are not registered to each other. So remember to use unique extension numbers on your PUBLIC server if you expect callers from other Asterisk servers.

Registering Incredible PBX PUBLIC Extension

If you wish to login to a whitelisted extension using a SIP client, enter the extension and password of the extension. For the server address, enter the FQDN of your server. If it’s a PJsip extension, add :5061 to the end of the FQDN.

Originally published: Thursday, November 11, 2021



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Morphing Incredible PBX into a PUBLIC-Facing Cloud PBX


We’ve previously documented how to change Incredible PBX 2021 and Incredible PBX 2020 into PUBLIC-facing PBXs. What that means is that authorized users could still connect to your PBX regardless of where they may be located without having to worry about whitelisting IP addresses. To suggest that the procedure was convoluted is a bit of an understatement. So today we offer a simplified solution that you can deploy in a couple of minutes. It lacks some of the safeguards of the earlier releases, but it remains secure so long as you don’t employ a readily decipherable FQDN for your PBX. The idea here is to block communications access to your PBX using its public IP address and allow access by those that know the fully-qualified domain name (FQDN) of your PBX. You can also restrict the extensions that are accessible. And SSH access to your PBX will be protected by assigning a random port number or by requiring public key authentication for access.

Prerequisites. To get started, you’ll obviously need a cloud-based Incredible PBX 2020 or 2021 platform running CentOS 7, Debian 10, or Raspbian. Next, you’ll need these items:

  1. Public IP Address of your server
  2. FQDN linked to the public IP address
  3. Random SSH port for SSH access to PBX
  4. List of secure extensions to enable for SIP URI access
  5. IP Addresses to WhiteList for Access to the Web GUI

1. Deciphering Public IP Address of Your PBX

After logging into your PBX as root, you can execute pbxstatus to decipher the public IP address of the PBX.

2. Obtaining an FQDN for Your PBX

Security through obscurity provides the critical layer of protection for your server so choose an FQDN carefully. sip.yourname.com provides little protection while f246g.yourname.com pretty much assures that nobody is going to guess your domain name. This is particularly important with SIP registrations because registered extensions on your PBX can obviously make phone calls that cost you money. If you don’t have your own domain, you can always obtain a free hostname from a service such as NoIP.com.

3. Securing SSH Access to Your PBX

Whatever you do, don’t leave SSH access via port 22 exposed on your PBX. In the time it took to create a new PBX on CloudAtCost, there were over 400 attempted logins to the default SSH port of the new server. The simplest (but least secure) method to avoid these script kiddie attacks is to change the port number for SSH access to your server. We suggest using the year you were born as the port number because it’s easy to remember. Edit /etc/ssh/sshd_config and uncomment the Port line replacing 22 with the port number you chose. Then restart SSH: systemctl restart sshd.

The preferable solution to secure SSH is to create and use SSH keys for access and set PasswordAuthentication no in /etc/ssh/sshd_config. Digital Ocean has an excellent tutorial to walk you through the setup process.

4. Choosing Extensions for SIP URI Public Access

With today’s PUBLIC design, exposing an extension for PUBLIC access means anyone in the world that knows the FQDN of your server and the extension number can do two things using any SIP client: (1) they can call you and (2) they can attempt to register to that extension and make calls on your trunks AND your nickel. So only expose extensions for public access if there is a need to connect or call from remote locations. For extensions you decide to expose, make certain that the passwords for these extensions are extremely secure, lengthy, and use numbers with both UPPER and lower case letters. Never use default extension passwords!

5. Whitelisting IP Addresses for Public Web Access

Without enumerating IP addresses for public web access, you won’t be able to connect to the web GUI of your PBX. Down the road, if you wish to add additional IP addresses, you can use /root/add-ip to add them via SSH.

Deploying New PUBLIC Firewall

To get started, log into your server as root and issue the following commands:

cd /tmp
wget http://incrediblepbx.com/newpublic.tar.gz
tar zxvf newpublic.tar.gz
rm -f newpublic.tar.gz

Next, edit /tmp/iptables.base and change the highlighted entries:


Change port 22 in the dport entry to the SSH port number you chose in Step 3, above.

Change 8.8.8.8, 8.8.4.4., and 1.1.1.1 to actual public IP addresses of desktop machines you wish to use to access the web GUI of your PBX. If you don’t need three entries, comment out the other entries with # at the beginning of each line.

Replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.

Save the file.

On Debian and Raspbian platforms, issue the following commands:

cd /etc/iptables
cp /tmp/iptables.base .
mv rules.v4 rules.v4.orig
cp iptables.base rules.v4

On CentOS platforms, issue the following commands:

cd /etc/sysconfig
cp /tmp/iptables.base .
mv iptables iptables.orig
cp iptables.base iptables

Using Incredible PBX PUBLIC with Asterisk

The first line of defense with this PUBLIC implementation is your FQDN. Second is the IPtables firewall setup above. And third is the Asterisk® extensions configuration in extensions_override_freepbx.conf. Here’s how to configure it. Edit /tmp/extensions_override_freepbx.base and change the highlighted entries:


If there are phone numbers assigned to your PBX that you want processed according to your Inbound Routing rules, duplicate the first highlighted line above and, for each trunk, replace 8881234567 with your actual DID numbers.

In exten => _.,1 line, replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.

In exten => _.,10 line, replace your-servers-FQDN with the actual FQDN assigned to your PBX from Step 2, above.

Scroll down in the file to the following section:



Comment out undesired default extensions. Place a semicolon at the beginning of the lines.

For any extensions you wish to add, insert a new line in the following format replacing both 7000 entries with the desired extension number:

exten => 7000,13,Dial(local/7000@from-internal)

Save the file and then execute the following commands to complete the PUBLIC setup:

cd /etc/asterisk
cp /tmp/extensions_override_freepbx.base .
mv extensions_override_freepbx.conf extensions_override_freepbx.orig
cp extensions_override_freepbx.base extensions_override_freepbx.conf
fwconsole restart
asterisk -rx "dialplan reload"
iptables-restart
sed -i 's|-A INPUT|-I INPUT|' /root/add-ip
sed -i 's|-A INPUT|-I INPUT|' /root/add-fqdn

Calling an Incredible PBX PUBLIC Extension

Any extensions that you have whitelisted in the blue section above can be called from anywhere using any SIP client. Simply enter the SIP URI for the extension in the following format: SIP/extension@your-servers-FQDN

CAUTION: If a caller attempts to call any extension on your PUBLIC server from an extension on another Asterisk server to which the caller is registered, the call will fail if there is a matching extension number on the PUBLIC server and the two servers are not registered to each other. So remember to use unique extension numbers on your PUBLIC server if you expect callers from other Asterisk servers.

Registering Incredible PBX PUBLIC Extension

If you wish to login to a whitelisted extension using a SIP client, enter the extension and password of the extension. For the server address, enter the FQDN of your server. If it’s a PJsip extension, add :5061 to the end of the FQDN.

Switching Back to Incredible PBX Default

Should you change your mind and decide to switch back to the default Incredible PBX setup, it’s simple to do so. Here are the steps.

sed -i 's|Port|#Port|' /etc/ssh/sshd_config
cd /etc/asterisk
cp -p extensions_override_freepbx.orig extensions_override_freepbx.conf
cd /root
cd /etc/sysconfig
cp -p iptables.orig iptables
cd /root
cd /etc/iptables
cp -p rules.v4.orig rules.v4
asterisk -rx "dialplan reload"
iptables-restart
systemctl restart sshd

Originally published: Monday, August 16, 2021



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



The Big 30: Incredible PBX 2020 Application User’s Guide

For those just beginning the Incredible PBX® 2020 adventure, start here for CentOS 7 or here for the Raspberry Pi. Once your system is up and running, you’ll be ready to kick the tires. And today we’ll cover 30 applications for Asterisk® and FreePBX® that are included in the latest and greatest Incredible PBX server. Now that you have some time on your hands, continue learning about this powerful platform by reading this documentation. If you still have questions, post them on the PIAF Forum for some quick and friendly assistance.

Here’s a Table of Contents to the Incredible PBX 2020 Applications with hotlinks. Enjoy!

  1. Checking System Status
  2. Enabling Speech Recognition for Asterisk
  3. Wolfram Alpha for Siri-like queries by phone*
  4. Automatic Update Utility
  5. Resetting Incredible PBX Passwords
  6. Apache Authentication for Apps
  7. IPtables Firewall WhiteList
  8. PortKnocker Remote Access
  9. Travelin’ Man 4 Remote Access by Phone
  10. Conference Bridge
  11. CallerID Name (CNAM) Lookups
  12. Faxing with Incredible PBX
  13. Voicemail 101 with Incredible PBX
  14. Email Delivery of MP3 Voicemails
  15. Reconfiguring SendMail for SmartHosts
  16. SMS Messaging with VoIP.ms
  17. SIP URI Calling with Speed Dials
  18. IVR Demo of Incredible PBX Applications*
  19. Backup and Restore Options
  20. AsteriDex – The Poor Man’s Rolodex®
  21. Voice Dialing with AsteriDex*
  22. Speed Dialing with AsteriDex
  23. Scheduling Reminders by Phone or Web
  24. DISA Access with Incredible PBX
  25. Yahoo! News Headlines
  26. Weather Forecasts with Incredible PBX*
  27. ODBC Application Support
  28. Today in History
  29. Time of Day
  30. WebMin

* Requires Voice Recognition implementation. See #2 above.

1. Checking Current Status of Incredible PBX

There are several ways to check the status of your server. First, log into your server as root and type: pbxstatus. You can even add the default phone number for your server by inserting it in /etc/pbx/.phone.

The second option is to use a browser to access your server. Choose the Incredible PBX Admin option after pointing a browser to the IP address of your server:

Once you log in with your admin password, the Dashboard of your server will display the status of trunks, users, and active calls on your server. In addition, you can review the latest news and security alerts from the RSS Feeds of Nerd Vittles, Incredible PBX, FreePBX, and Asterisk. For additional status information, choose Reports:Asterisk Info.

2. Adding Speech Recognition to Asterisk

We no longer recommend Google Speech Recognition because of the licensing issues and Google’s propensity to break things regularly. Instead, we recommend IBM’s Speech Recognition and TTS engines. For most users, there will be no cost. And the services are second to none. For a complete installation and setup tutorial, see our tutorial. Once speech recognition is enabled, the Incredible PBX 2020 feature set grows exponentially. You’ll have access to the Voice Dialer for AsteriDex as well as SMS Voice Messaging and Wolfram Alpha for a Siri-like encyclopedia.

3. Using Wolfram Alpha with Incredible PBX

Ever wished your Asterisk server could harness the power of a 10,000 CPU Supercomputer to answer virtually any question you can dream up about the world we live in? Well, so long as it’s for non-commercial use, today’s your lucky day. Apple demonstrated with Siri™ just how amazing this technology can be by coupling Wolfram Alpha® to a speech-to-text engine on the iPhone. Now you can do much the same thing using voice recognition with Incredible PBX 2020.

Before using Wolfram Alpha from any phone connected to your PBX, you first must configure it by obtaining and adding a Wolfram Alpha application ID to Incredible PBX. Here are the simple steps:

1. Obtain your free Wolfram Alpha APP-ID here.

2. Log into your server as root and issue the following command:

nano -w /var/lib/asterisk/agi-bin/wolfram.sh

3. When the nano editor opens, insert your IBM STT and Wolfram APP-ID credentials in the spaces provided. Then save the file.

To use Wolfram Alpha, dial 4747 (that’s S-I-R-I backwards) from any extension.

Here are some sample queries to get you started:

Weather in Charleston South Carolina
Weather forecast for Washington D.C.
Next solar eclipse
Otis Redding
Define politician
Who won the 1969 Superbowl? (Broadway Joe)
What planes are flying overhead now?
Ham and cheese sandwich (nutritional information)
Holidays 2015 (summary of all holidays for 2015 with dates and DOW)
Medical University of South Carolina (history of MUSC)
Star Trek (show history, air dates, number of episodes, and more)
Apollo 11 (everything you ever wanted to know)
Cheapest Toaster (brand and price)
Battle of Gettysburg (sad day 🙂 )
Daylight Savings Time 2015 (date ranges and how to set your clocks)
Tablets by Samsung (pricing, models, and specs)
Doughnut (you don’t wanna know)
Snickers bar (ditto)
Weather (local weather at your server’s location)

4. Automatic Update Utility for Incredible PBX

A key security component of Incredible PBX is its Automatic Update Utility. Each time you log into your server as root, the Automatic Update Utility is run. It installs the latest fixes and security patches for your server. Don’t disable it! In fact, don’t delete anything from the /root folder. You’ll need all of it sooner or later.

We recommend you log into your server as root at least once a week to keep your server current. Ditto for the web interface to Incredible PBX. Insofar as security is concerned, we make a best effort to keep the components of Incredible PBX up to date. The Linux operating system was installed by you before the Incredible PBX install began. That’s a nice way of saying Linux security is primarily your responsibility. When an egregious Linux vulnerability comes along that we know about, we will try to notify you of the issue on the PIAF Forum and on the RSS Feed that is part of the Incredible PBX GUI. Check the RSS Feeds at least once a week as well. As a condition of use of the free Incredible PBX product, you accepted ultimate responsibility for the security and reliability of your server. Be SAFE!

5. Resetting Incredible PBX Passwords

Yes. It happens to all of us. We forget our passwords. Incredible PBX includes a convenient utility that lets you reset many of the passwords associated with Incredible PBX. Just log into your server as root and issue the command: /root/update-passwords

To reset Incredible PBX GUI admin password, issue command: /root/admin-pw-change

To reset Apache admin password, issue command: /root/apache-pw-change. Apache credentials control access to the web interface of Telephone Reminders and AsteriDex from within the web GUI.

To reset the AvantFax admin password which is accessible within the Incredible PBX GUI, issue the following command: /root/avantfax-pw-change

6. Apache Authentication with Incredible PBX

With the exception of the Admin GUI and WebMin, all web-based applications included in Incredible PBX require successful Apache authentication to gain access. When you installed Incredible PBX, you should have created an admin account for Apache. If not, issue the following command using a secure password after logging in as root:

htpasswd -cb /etc/pbx/wwwpasswd admin newpassword

With the exception of AsteriDex and Reminders, you gain access to other Incredible PBX applications with the admin Apache account. For the remaining apps, you may wish to (but don’t have to) assign different account names and passwords to various departments in your organization. To set up these accounts, use the syntax above substituting the name of the department for "admin" and the department password for "newpassword."

7. Managing the IPtables Linux Firewall

As installed, Incredible PBX includes a preconfigured, locked-down Linux firewall that restricts incoming IPv6 traffic to localhost and, via a Travelin’ Man 3 WhiteList application, limits incoming IPv4 traffic to your server’s public and private IP addresses, your desktop computer’s IP address (that was used for the install), private LAN and NeoRouter VPN traffic, and a collection of our favorite VoIP providers. You can WhiteList additional IP addresses for additional providers or for SIP and IAX phones located outside your firewall. The following firewall management scripts are accessible from the /root directory:

  • ./add-ip — WhiteList an additional IP address or IP address range (CIDR)
  • ./add-fqdn — WhiteList a site using a fully-qualified domain name (FQDN)
  • ./del-acct — Remove previously designated entry from the WhiteList
  • ./ipchecker — Check whether specified FQDNs have changed & update IPtables
  • iptables-restart — Used exclusively to restart IPtables and test for failed FQDNs
  • iptables -nL — Check the current status of your IPtables firewall

On CentOS platforms, IPtables can be manually configured (if you know what you’re doing) by editing iptables and ip6tables in /etc/sysconfig. On the Raspberry Pi, the rules are stored in /etc/iptables/rules.v4. Additional IPtables rules are included and managed in /usr/local/sbin/iptables-custom. All FQDN entries must be entered in iptables-custom. The reason is because a failed FQDN entry in the main IPtables config file will cause the firewall to fail on startup. Also, NEVER use traditional iptables commands such as iptables save to update your IPtables configuration, or you will permanently delete all of your FQDN entries! Instead, use the provided utilities to whitelist additional sites and then restart IPtables using iptables-restart. This protects the FQDN entries in your setup while also checking for invalid FQDN entries and removing them temporarily so that IPtables will successfully restart. If you use service iptables restart to restart IPtables and there happens to be an FQDN entry for a host that is either down or has disappeared, IPtables will fail to restart and your server will be left with NO firewall protection! Using the traditional IPtables mechanisms also will disable Fail2Ban and the rules in iptables-custom will never be loaded. Incredible PBX periodically checks for changed FQDN entries using the ipchecker script as configured in /etc/crontab.

If you elect to integrate Facebook into your Incredible PBX setup, you will need to manually uncomment the last 3 lines in /usr/local/sbin/iptables-custom in order to whitelist the Facebook servers. Then restart the firewall: iptables-restart

WARNING: By default, Incredible PBX whitelists all of the non-routable LAN subnets including 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. If you elect to install Incredible PBX in the Cloud, be advised that some cloud platforms including Amazon treat the 172.16.0.0/12 subnet as routable IP addresses. This means that anyone in the Amazon Cloud (including the bad guys) will have direct access to your server. While they still need a password or vulnerability to gain access, it nevertheless exposes your server to needless hacking attempts. We strongly recommend that you comment out the 172.16.0.0/12 entry in /usr/local/sbin/iptables-custom if you intend to deploy your server in the Amazon Cloud. Then restart the firewall: iptables-restart

8. PortKnocker Remote Access

IPtables is a powerful firewall that keeps the bad guys out. It also will keep legitimate users (including you) from gaining remote access to your server unless you had the forethought to WhiteList your remote IP address before you left on that family vacation. Unfortunately, you don’t always know your IP address in advance. And dynamic IP addresses assigned with hotel WiFi frequently change. To address this problem, Incredible PBX includes a preconfigured PortKnocker utility. This lets you send three secret "knocks" on random TCP ports to your server to tell it to let you in either temporarily (until IPtables is restarted) or permanently.

To reconfigure PortKnocker to permanently whitelist IP addresses from which you issue a successful knock, login as root and issue the command: iptables-knock activate

For PortKnocker to work, you obviously need to know the secret knocks. You’ll find them in /root/knock.FAQ. Record them in your wallet or inside your suitcase for that rainy day! There are PortKnocker apps for almost all smartphones as well as for Windows, Mac, and Linux computers. Install your favorite AND test access before you leave town. You can change the ports by editing /etc/knockd.conf. Then restart PortKnocker: service knockd restart

Finally, be aware that PortKnocker does not need any special access to your server to work; however, if your server is behind a hardware-based firewall, then you must map the three PortKnocker TCP ports to the private IP address of your server, or the knocks obviously will never get delivered to your server.

If you installed Incredible PBX 2020 on a cloud platform, then your server may use a network port other than eth0. Typically, it’s venet0:0 on OpenVZ servers. You can decipher the name of your network port for your public IP address by issuing the command: ifconfig. In this case, the CentOS config file needs to be modified and then PortKnocker needs to be restarted. Edit /etc/sysconfig/knockd and insert the following: OPTIONS="-i venet0:0". Restart PortKnocker with the command: service knockd restart

Review our PortKnocker tutorial for additional configuration tips.

9. Travelin’ Man 4 Remote Access (dial TM4)

In addition to PortKnocker, Incredible PBX also includes a telephone-based solution to temporarily gain remote access to your server. This does require a bit of preplanning since you must create account credentials for the person to whom you wish to give remote access via a phone call. The complete tutorial for Travelin’ Man 4 is available on the PIAF Forum. All of the pieces already are in place on your server so skip down to the Configuration & Operation sections for details on implementation.

10. Using the Conference Bridge (dial CONF)

A turnkey Conference Bridge is included in Incredible PBX 2020. A conference bridge allows a group of people to participate in a joint phone call. Typically, participants dial into a virtual meeting room from their own phone. This virtual meeting room supports dozens or even hundreds of participants depending upon server capacity.

You do not need a timing source for conferencing with Incredible PBX 2020! Old-style Asterisk Conference Rooms which required a timing source are disabled.

To access the Conference Bridge, dial C-O-N-F (2663) from any phone connected to your server. Remote users can be added to a conference by providing a DID that points to an IVR which includes Conference Bridge access. Once connected to the conference bridge, a caller is prompted for the Conference Bridge PIN and his or her name. The user and admin access PINs are randomly generated when you install Incredible PBX. You can decipher or modify the user and admin passwords to access the Conference Bridge in the Incredible PBX GUI: Applications:Conferences. Then edit 2663 and review or change the User and Admin PINs.

11. CallerID Name (CNAM) Lookups

By default, Incredible PBX is configured to automatically provide OpenCNAM CallerID name lookups for the first ten calls received each hour. These lookups are only from cached entries in the OpenCNAM database; however, you can enable the commercial lookup service if desired. The cost is four tenths of a cent per successful query.

To enable the OpenCNAM Professional Tier, set up an account at OpenCNAM.com. Once you’ve obtained your credentials, edit the OpenCNAM entry in Admin:CID Superfecta:Default. You may also wish to enable AsteriDex lookups and move the scheme to the top of your list of lookup schemes.

To activate CallerID Superfecta for incoming calls, edit each of your Inbound Routes and Enable Superfecta Lookup with the Default Scheme in the Other tab.

12. Faxing with Incredible PBX 2020

If you can press the ENTER key 25 times, you are fully capable of installing Incredible Fax on your new server. On the latest Raspberry Pi builds of Incredible PBX 2020, Incredible Fax is preinstalled. On other platforms, log into your server as root and run /root/incrediblefax2020.sh. Provide an email address for delivery of incoming faxes and press ENTER each time you are prompted to make a selection. Once you reboot your server, you’re all set. As part of the install, you provided an email address for delivery of incoming faxes. That’s all the setup that is required to have incoming faxes sent to most of your DIDs delivered via SendMail in PDF format. The best way to figure out whether a particular provider supports fax technology on their DIDs is to send a test fax to yourself. FaxZERO lets you send 5 free (in the U.S. only) faxes of up to 3 pages every day. Give it a whirl.

You also can send faxes using standard document types with the AvantFax web application. Log into AvantFax from the main Incredible PBX GUI by clicking on the AvantFax icon. The default credentials are admin:password. Choose the Send a Fax option from the main menu, fill in the blanks, and attach your document. AvantFax uses the default dialplan so use the prefix desired to send the fax using your preferred provider.

With the latest release of Incredible PBX 2020, fax recognition is supported on incoming calls. Edit each of your Inbound Routes and enable Detect Faxes with Detection Type=SIP, Fax Ring=Yes, Fax Detection Time=4, and Fax Destination=Custom Destination:Fax (HylaFax) in the Fax tab.

On the Raspberry Pi platform, you can change the destination email address for incoming faxes by issuing the command: /root/avantfax-email-change.

Copies of all incoming faxes also are available for retrieval within AvantFax.

13. Voicemail 101 for Incredible PBX 2020

Voicemail functionality is enabled on an extension-by-extension basis as part of the extension setup under the Voicemail tab. Once enabled, you can set up your mailbox and retrieve your messages by dialing *97 from the mailbox extension, or dial *98 to retrieve messages from any extension. Shortcut dialing is also supported, e.g. *98707 would retrieve messages for extension 707. You can leave a message for or forward calls to any extension’s mailbox without actually calling the extension. Just prepend * to any extension number before dialing, e.g. *701. A number of the system settings for voicemail can be tweaked under the Voicemail tab as well. For example, you can automatically delete voicemails once they have been delivered by email. Voicemail Blasting to multiple mailboxes is also supported. Just choose this option under the Applications tab and follow your nose.

14. Email Delivery of MP3 Voicemails

Speaking of email delivery, your voicemails also can be delivered to any email address of your choosing. For every extension under the Voicemail tab for the Extension, simply add an Email Address and enable the Email Attachment. With Incredible PBX 2020, the voicemail message will be attached to the email in MP3 format so it’s suitable for playback with most email clients on desktop PCs, Macs, and smartphones. Be advised that some Internet service providers (such as Comcast) block downstream SMTP servers. You can check whether your outbound email is flowing by issuing the command mailq from the Linux command line. Issuing the command mail will tell you whether outgoing emails are bouncing. You can test sending an email by issuing the following command using your destination email address:

echo "test" | mail -s testmessage your-name@your-email-provider.com

If you find outbound mail is accumulating, add your ISP’s SMTP server address as a SmartHost for SendMail as documented in the next section.

15. Reconfiguring SendMail for a SmartHost

Many residential Internet service providers block downstream SMTP servers such as the SendMail server running with Incredible PBX 2020. If you’re sending emails but they never arrive and you’ve checked your SPAM folder, then chances are your ISP is the culprit. The simple solution is to add your ISP’s SMTP server as a SmartHost for SendMail. This means outbound emails will be forwarded to your ISP for actual email transmission over the Internet. Here’s how. On CentOS platforms, edit /etc/mail/sendmail.cf and search for DS. Immediately after DS, add the FQDN of your ISP’s SMTP server, e.g. DSsmtp.comcrap.net (no spaces!). Save the file and then restart SendMail: service sendmail restart. Your email and voicemail messages with attachments should begin flowing without further delay.

On Raspberry Pi platforms, here’s how to set it up using a Gmail account without two-step authentication. Log into your server as root and run dpkg-reconfigure exim4-config. Choose "mail sent by smarthost; received via SMTP or fetchmail." Accept all the defaults until you get to Outgoing Smarthost prompt. Enter: smtp.gmail.com::587. At the following prompts, choose NO, NO, mbox, and NO. When the setup completes, edit /etc/exim4/passwd.client and insert the following line using your Gmail AcctName and AcctPW. NOTE: If you are using a Gmail account with 2-step verification enabled, you MUST use a Gmail App Key instead of your Gmail account password. You also must enable Less Secure Apps access to your Gmail account.

smtp.gmail.com:AcctName@gmail.com:AcctPW

Save the file and then issue the following commands to complete the setup:

update-exim4.conf
systemctl restart exim4
exim4 -qff

Now send yourself a test email message to make sure things are working properly:

echo "test" | mail -s testmessage yourname@yourmailprovider.com

16. SMS Messaging with VoIP.ms

Incredible PBX 2020 supports SMS messaging through VoIP.ms if you have an account and an SMS-enabled DID. See the VoIP.ms wiki for setup info on the VoIP.ms side.

To install the VoIP.ms SMS scripts, follow these steps:

cd /root
mkdir sms-voip.ms
cd sms-voip.ms
wget http://incrediblepbx.com/voipms-SMS.tar.gz
tar zxvf voipms-SMS.tar.gz

Edit voipms-sms.php and insert your VoIP.ms number that supports SMS messaging (no spoofing allowed!):

$SMSsender="8005551212";

Edit class.voipms.php and insert your VoIP.ms API credentials:

    /*******************************************\
     *  VoIPms - API Credentials
    \*******************************************/
    var $api_username   = 'yourname@youremail.com';
    var $api_password   = 'yourpassword';

Send an SMS message through VoIP.ms with the following command where smsnumber is the 10-digit number of the SMS recipient and "sms message" is the text message surrounded by quotes:

/root/sms-voip.ms/voipms-sms.php smsnumber "sms message"

NOTE: VoIP.ms has indicated that sooner or later there will be a penny per message charge for SMS messages; however, as of today, they’re still free.

17. SIP URI Calling with Incredible PBX

With one line of dialplan code, you can add Speed Dials for free SIP URI calling worldwide. The dialplan code is stored in the [CallingRule_SIP_URI] context in extensions_custom.conf. Just clone one of the existing entries, designate an extension to dial to connect to the SIP URI, and enter the SIP URI for the destination. Numerous SIP providers support assignment of SIP URI’s to DIDs for unlimited free calling from anywhere in the world. Here’s a sample using a speed dial code of 53669 that connects you to SIP URI 2233435945@sip2sip.info: exten = 53669,1,Dial(SIP/2233435945@sip2sip.info)

18. IVR Demo of Incredible PBX Apps

The easiest way to try out a number of the Incredible PBX applications is to take the IVR Demo for a spin. Just pick up any phone on a CentOS-based platform and dial 3366 (D-E-M-O). The sample code for the IVR is available for review and modification in the IVR section of the GUI. There’s also a sample Stealth AutoAttendant. This plays a brief greeting and then rings an extension or ring group. During the greeting, you could configure the application to allow button presses to branch to other applications on your PBX, hence the Stealth name since the codes are not disclosed to callers.

On the Raspberry Pi platform, our detailed tutorial will walk you through setting up the Demo IVR application.

19. Backup & Restore with Incredible PBX

Incredible Backup and Restore scripts are provided in the /root folder. In addition, the FreePBX GUI also provides Backup and Restore utilities under the Admin tab. If backups are important to you, we strongly recommend you consider a $3/month cloud server at Vultr using our referral code. For an additional 20% per month (60 cents), you get weekly image backups of your server that can be restored with a couple of button clicks. It’s the cheapest insurance you can buy for your PBX!

20. AsteriDex – The Poor Man’s Rolodex

AsteriDex is a web-based phonebook application for Incredible PBX. You can access it from the main web menu. Scripts are also available to import your contacts from Outlook and Google Contacts.

21. Voice Dialing with AsteriDex (dial 411)

If you have voice recognition enabled on your server, you can call anyone in your AsteriDex database by dialing 411.

22. Speed Dialing with AsteriDex (dial 000+)

For those without voice recognition, Incredible PBX 2020 includes two speed dialing utilities. The first is accessed by dialing 412. Then enter any 3-digit dialcode from your AsteriDex database to complete the call. If you’d prefer to skip the intermediate step, dial 000 + the 3-digit speed dial code desired. The call will be placed immediately using your default outbound routes.

For a complete listing of your AsteriDex dial codes, execute this query:

mysql -u root -ppassw0rd asteridex -e "select name,dialcode from user1 order by name"

To automatically generate the 3-digit speed dial codes for everyone in your AsteriDex database using the first three letters of each name, run the following script from your web browser: http://your-server-ip/asteridex4/dialcode.php.

23. Telephone Reminders (dial 123)

Incredible PBX 2020 includes a sophisticated reminders system that lets you schedule individual or recurring reminders using your phone by dialing 123 or a web browser. A complete tutorial is available here. For phone reminders, a password is required to access the reminder system. Typically, these reminders set up a return call at a scheduled time that then plays back either a recorded message or a TTS message generated from the text you entered in the browser application. Incredible PBX also includes a new addition that lets you schedule web reminders that are delivered by email or SMS message.

24. DISA Access with Incredible PBX 2020

Direct Inward System Access (aka DISA) is one of the great PBX inventions of the last 50 years. It’s also one of the most dangerous. It lets someone connect to your PBX and obtain dial tone to place an outbound call using your trunks… on your nickel. Typically, it is offered as an option with an IVR or AutoAttendant. The DISA extension is not preconfigured with Incredible PBX; however, you can easily set it up in the GUI by choosing Applications:DISA. Make up a very secure PIN before exposing DISA access to the outside world. It’s your phone bill.

25. Yahoo! News (Dial 951)

Yahoo! news headlines are available by dialing 951. The news option also is included in the sample IVR application.

26. Weather Forecasts by Phone (dial 947)

You can obtain a current weather forecast for most zip codes by dialing 947 (Z-I-P) and entering the 5-digit zip code.

27. ODBC Application Support for Asterisk

If you’ve recently logged into your server as root, Automatic Update #4 added ODBC/MySQL application support for Asterisk. You can try out a few sample applications that are included to get you started. Dial 222 and enter 12345 for the employee number. This retrieves an employee name from the MySQL timeclock database using Asterisk. Dial 223 to retrieve an AsteriDex name and phone number by entering the 3-character dialcode. You then have the option of placing the call by pressing 1. Once you have created accounts for Travelin’ Man 4, you can dial 864 (T-M-4) to WhiteList an IP address for that account after entering the account number and matching PIN. Use the * key for periods in the IP address.

28. Today in History (Dial T-O-D-A-Y)

It’s always interesting to find out what happened Today in History. And Incredible PBX now delivers it by phone. Just dial 86329 (T-O-D-A-Y) for a walk down memory lane.

29. Time of Day

Speaking of yesteryear, if you grew up dialing TI-4-1212 for the time of day, Ma Bell may have discontinued the service, but we haven’t. Now you can do it on your very own PBX.

If you want your users to be able to dial in for the time directly by dialing extension, here’s how. In the GUI, choose Admin:Custom Destinations:Add Destination. Set up a Time of Day description with a target of new-time,s,1 and save your entry. Now Enable an Application:Misc Application:Add Application with a Feature Code of 8463, Time of Day description, and point it to Custom Destination:Time of Day. Save your entry and then dial 8463 (T-I-M-E) for the Time of Day.

30. WebMin: The Linux Swiss Army Knife

There is no finer Linux application than WebMin. There is no more dangerous Linux application than WebMin. You’ve been warned. We heartily recommend WebMin as a tool to LOOK at your server’s settings. We strongly discourage changing anything in WebMin unless you totally know what you are doing. This is especially true with management of Linux applications that make up the core of Incredible PBX: the Linux kernel, SendMail, IPtables, Apache, MySQL, PHP, and…

To access WebMin on the CentOS platform, visit the following link with a web browser using the actual IP address of your server: https://ip-address:9001/. The username is root. The password is your root password. WebMin has root privileges to your server. Reread paragraph 1 and act accordingly.

Due to space and performance constraints, WebMin is no longer installed by default on the Raspberry Pi platform. To install WebMin, follow these steps after logging into your Raspberry Pi as root:

cd /root
apt-get update
apt-get install python perl openssl libnet-ssleay-perl 
apt-get install libauthen-pam-perl libio-pty-perl libpam-runtime
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.941_all.deb
dpkg --install webmin_1.941_all.deb

For an exhaustive tutorial on WebMin, download The Book of WebMin by Joe Cooper. For a more recent commercial offering, take a look at Michal Karzyński’s WebMin Administrator’s Cookbook.

Originally published: Monday, April 13, 2020



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



The One-Minute Installer: Deploying Asterisk on the Internet


Last week we introduced a new methodology for deploying Incredible PBX® and Asterisk® on the wide open Internet. And this week we’ve put all the pieces together in a One-Minute Installer that will transform any Incredible PBX 13-13.10 server into a public-facing server platform in under a minute. Today you not only get the cupcake, but also some of the sprinkles in the form of tips or scripts to whitelist providers and users, to adjust countries on the blacklists, to add IP addresses to the blacklist, and to update our default VoIP Blacklist which now blocks over 83,000 suspicious IP addresses worldwide. Stay tuned for more.

Is It Safe?

Let’s first cover our deployment strategy so you can decide whether a public facing PBX is the right choice for you or your organization. What we mean by "exposed to the Internet" is that all of your SIP traffic is opened for public access. It doesn’t mean everybody gets free admission, but it does allow everyone to come to the door and at least knock. We still protect web access to your server with a whitelist of IP addresses, and SSH access is hidden behind a port number of your choice to protect you from the script kiddies. Is it as safe as the traditional Incredible PBX platform that is totally hidden from public view by the Travelin’ Man 3 firewall whitelist? Obviously not. But what you gain is what we had with the traditional Ma Bell phone system. Anybody can call you, but it’s up to you to determine whether to answer or block the calls. The major difference is there was a cost of calling random numbers in the old days. With VoIP technology, all of the calls are free so long as the caller has an Internet connection and a SIP client. We believe the platform is relatively safe today, but there is always a chance of SIP flooding or some zero-day vulnerability that could put your server at risk. If you’re not comfortable with that risk, now would be a good time to stop reading. Stick with the traditional Incredible PBX platform and avoid the worries of SIP attacks. The bad guys can’t see your server, and you still can be reached by calls to your PSTN number.

Changing Your Mindset About Security

Deploying a public-facing PBX does require an attitude adjustment. Behind the security of an airtight firewall, passwords for extensions, voicemail, and trunks didn’t much matter because the bad guys couldn’t find you much less get the necessary access to attempt to decipher your passwords. THAT HAS NOW CHANGED! You should immediately create new passwords that are as secure as you would use for your bank account because some folks will be trying to figure them out shortly. And, once they do, if you have VoIP services that allow calls to anywhere, your phone bill can skyrocket in a matter of minutes. You’ve been warned. If you have automatic replenishment of funds with one or more VoIP providers, change that now. And set up low balance notifications instead. Fund your VoIP provider accounts with amounts you can stand to lose in a worst case scenario. Better safe than sorry… and broke!

Choosing FQDNs for Your Server

There’s another important safeguard in today’s implementation, and that’s fully-qualified domain names (FQDNs) for your server. Without knowing your FQDN, nobody will be able to make a SIP connection to your PBX. Guessing your IP address won’t help because we automatically block all of those calls. And, once any caller attempts to connect in that way, they will be blocked from further access for a very long time by the Fail2Ban service. You have the option of using a single FQDN for both incoming calls and for registering SIP phones to your extensions. You also may use two separate FQDNs, one for incoming calls from the public and another for SIP phone registrations. Despite what some pundits would say, security through obscurity matters. Using less obvious FQDNs dramatically reduces the likelihood that your server can be attacked. This is especially important in the case of a SIP registration FQDN. Making this FQDN as obscure as possible protects your server in much the same way that a password would. So give serious consideration to whether your FQDN will be known or guessed by the general public. If so, deploy a second obscure one for registrations.

Deployment Prerequisites

That’s all we’re going to say about security. We’re now going to turn our attention to deployment. Before running the One-Minute Installer, there are some prerequisites. Here’s the short list:

  1. Functioning Incredible PBX 13-13.10 server with CentOS 6
  2. KVM (not OpenVZ) Cloud Platform with 1GB+ RAM
  3. Public, Static IPv4 Address for your server
  4. One or two FQDNs pointed to your server
  5. Whole Enchilada installed, if desired
  6. Incredible Fax installed, if desired (requires reboot)
  7. Preconfigured extensions & voicemail accounts with SECURE PASSWORDS

We’ve provided the link above to get your Incredible PBX 13-13.10 server up and running. This must be deployed on a Cloud-based KVM platform using CentOS 6 on a KVM (not OpenVZ) platform with a static IP address and a minimum of 1GB of RAM and a 20GB disk. The KVM platform is mandatory because we’ll be using ipset (which won’t work with OpenVZ platforms) to block entire countries as well as to set up our VoIP Blacklist. You’ll need at least one and preferably two FQDNs pointed to the IP address of your PBX. If you plan to use the Incredible PBX apps, then make sure to install the Whole Enchilada and Incredible Fax components before you transform your PBX into a public-facing server. And, as previously mentioned, tighten up ALL of your passwords for SSH and web access as well as for all of your extension secrets and voicemail PINs. It’s also a good idea to create the extensions you plan to make available for incoming calls although these can be added later as well.

UPDATE: CentOS 7 support with Incredible PBX 13-13.10 now has been added.

Choosing a KVM Platform

There are numerous cloud providers that offer a KVM platform. Choosing one that’s a perfect fit depends upon your budget obviously. For rock-solid dependability and little risk of provider implosion, we recommend Digital Ocean, Vultr, and OVH.1 If you’re just experimenting and can recover if your provider happens to suddenly go out of business, then the LowEndBox KVM offerings will save you some money. We don’t recommend CloudAtCost.

Converting to a Public-Facing PBX

Once you’ve completed the steps above and verified that your PBX is functioning reliably, you’re ready to download and run the One-Minute Installer to convert Incredible PBX into a public-facing server.

WARNING: Before you proceed, make certain that you log out any extensions that are registered using the IP address of the PBX as opposed to the FQDN of your server. Otherwise, these extensions may find their IP addresses locked out by Fail2Ban since SIP extension registrations by IP address will be blocked once the conversion to a public server is finished. After the update, if you find extensions that won’t register, the first thing to do is to issue the command: iptables -nL. See if the extension’s IP address is blocked. If it is, change the extension’s SIP registration to point the FQDN of the server as opposed to its IP address. Then you can unblock the IP address with this command using the extension’s actual IP address:

fail2ban-client set asterisk unbanip xxx.xxx.xxx.xxx

Now let’s proceed. Log into your server as root with SSH/Putty and issue these commands:

cd /root
wget http://incrediblepbx.com/go-public.tar.gz
tar zxvf go-public.tar.gz
rm -f go-public.tar.gz
./GO-PUBLIC


Modifying the Blocked Countries List

As part of the install, all of the IP addresses from a number of countries were blocked using ipset in conjunction with the IPtables firewall. You can add or change the countries being blocked by making modifications in two places: (1) /etc/sysconfig/iptables beginning at line #69 and (2) /etc/blockem.sh on line #7. Be advised that every country blocked in IPtables requires a separate DROP line and the same country must also be enumerated on line #7 in /etc/blockem.sh. Otherwise, the IPtables firewall startup will fail when your server is rebooted or when IPtables is restarted. If a country is blocked on line #7 in /etc/blockem.sh but a DROP line is not added to /etc/sysconfig/iptables, then that country’s IP addresses will NOT be blacklisted when IPtables is restarted or your server is rebooted. Simply stated, the countries blocked in IPtables must match the country list in /etc/blockem.sh. For a current list matching countries with their international country code abbreviations, go here.

Blacklist Update Methodology

As configured, the country blacklists are only updated when the /etc/blockem.sh script is run. This occurs whenever you reboot your server or when you manually run the script. The VoIP Blacklist is updated nightly by a cron job which runs the /etc/update-voipbl.sh script.

Adding Extensions to Your SIP WhiteList

For the time being, you can manually adjust the extension listing that controls incoming SIP call access to your PBX. Only extensions included in this list are made available to receive incoming calls using the SIP URI syntax of 701@your.fqdn.com. First, you will need to edit extensions_override_freepbx.conf in /etc/asterisk. Once you’ve saved your changes, reload your dialplan: asterisk -rx "dialplan reload"

Beginning on line 31 of extensions_override_freepbx.conf, you will see a series of lines that actually authorize anonymous SIP connections with your server. There are two numeric entries and also two alpha entries to access the News and Weather apps on your server. Below them are the extensions you whitelisted when you ran the One Minute Installer above. The 13 entry in each line of the dialplan is required for all extensions to be enabled. You can add additional extensions by cloning the syntax of one of the existing entries. Be sure to enter the new extension number in BOTH places on each line that you add. The first entry corresponds to the left side of the SIP URI, e.g. 947@your.FQDN.com. The second entry tells Asterisk the extension to which to send the incoming call. Samples also are provided in the comments for redirecting incoming calls to outbound destinations. See also last week’s article.

exten => 947,13,Dial(local/947@from-internal)
exten => 951,13,Dial(local/951@from-internal)
exten => news,13,Dial(local/951@from-internal)
exten => weather,13,Dial(local/947@from-internal)

Adding IP Addresses to Your IPtables BlackList

You can manually add BlackList entries to your server using ipset; however, keep in mind that these entries will be overwitten when the VoIP Blacklist is updated each night. The recommended procedure is to first add them to ipset using the following command with the actual IP address to be blacklisted: ipset add voipbl xx.xx.xx.xx

Then visit the VoIP BlackList site and add the same IP address in the Blacklist Submission form. Multiple IP addresses can be added by separating every entry with a space.

Adding IP Addresses to Your IPtables WhiteList

You can whitelist additional IP addresses to enable access to your PBX that takes precedence over the blacklists by using the existing add-ip and add-fqdn utilities included in the /root folder. These were both modified to accommodate the public-facing Incredible PBX design.

Last week we got bitten by the age-old problem with BlackLists, namely that the bad guys populate them with IP addresses of places you actually want to go, such as CallCentric and Skyetel. Without a whitelist of safe sites, a blacklist is worse than worthless. So the way this works in Incredible PBX is the whitelist entries are moved to the top of the pecking order so that they take precedence in IPtables processing. The IPtables design works like this. Once a packet qualifies as safe by being accepted, the rest of the IPtables rules are ignored. Enjoy!

Originally published: Monday, June 10, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Digital Ocean and Vultr provide modest referral credits to Nerd Vittles for those that use our referral code. It in no way colors our recommendations regarding these two providers, both of whom we use extensively. []

Safely Deploying Incredible PBX on the Wide Open Internet

We’ve previously documented the benefits of SIP URI calling. Because the calls are free from and to anywhere in the world, the use case is compelling. The drawbacks, particularly with Asterisk® servers, have primarily centered around the security implications of exposing SIP on a publicly-accessible server. Today we want to take another look at an open Internet SIP implementation for Asterisk based upon the pioneering work of Dr. Lin Song back in the PBX in a Flash heyday. We’ve embellished Lin’s original IPtables creation and our original article with some additional security mechanisms for Fail2Ban, Asterisk, FreePBX®, and Travelin’ Man 3. Special thanks also for a terrific tutorial from JavaPipe. All of today’s implementation is open source code which you are more than welcome to use or improve pursuant to GPL3.

July 22 UPDATE: New Incredible PBX 16-15-PUBLIC deployment tutorial is now available here.

Consider this. If everyone in the world had an accessible SIP address instead of a phone number, every call to every person in the world via the Internet would be free. That pretty much sums up why SIP URIs are important. The syntax for SIP URIs depends upon your platform. With Asterisk they look like this: SIP/somebody@FQDN.yourdomain.com. On SIP phones, SIP URIs look like this: sip:somenameORnumber@FQDN.yourdomain.com. Others use somenameORnumber@FQDN.yourdomain.com. Assuming you have a reliable Internet connection, once you have “dialed” a SIP URI, the destination SIP device will ring just as if the called party had a POTS phone. Asterisk® processes SIP URIs in much the same way as calls originating from commercial trunk providers except anonymous SIP calls are blocked.

While we have tested today’s design extensively including implementation of a cloud-based server with no security issues since deployment over four months ago, we still don’t recommend this SIP design for mission-critical PBXs because there remain some security risks with denial of service attacks and zero-day vulnerabilities. For these deployments, Incredible PBX® coupled with the Travelin’ Man 3 firewall which blocks SIP access except from whitelisted IP addresses and FQDNs has no equal. When properly deployed, the bad guys cannot even see your server much less attack it. A typical use case for today’s new SIP design would be a public Asterisk server that provides anonymous SIP access to the general public without any exposure to the corporate jewels. For example, we’ve put up a demonstration server that provides news and weather reports. In the corporate world, an equivalent deployment might provide access to a product database with pricing and availability details. Our rule of thumb before deploying today’s platform would be to ask yourself what damage could be inflicted if your server were totally compromised. If the answer is zero, then proceed. Otherwise, stick with Incredible PBX and the Travelin’ Man 3 firewall. The ideal platform for deployment using the same rule of thumb as above is one of the $1 a month cloud platforms.

ProviderRAMDiskBandwidthPerformance as of 12/1/19Cost
CrownCloud KVM (LA)1GB20GB +
Snapshot
1TB/month598Mb/DN 281Mb/UP
2CPU Core
$25/year
Best Buy!
Naranjatech KVM (The Netherlands)1GB20GB1TB/monthHosting since 2005
VAT: EU res.
20€/year w/code:
SBF2019
BudgetNode KVM (LA)1GB40GB RAID101TB/monthAlso available in U.K PM @Ishaq on LET before payment$24/year
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA)1GB20GB SSD3TB/monthPick EGG loc'n
Open ticket for last 5GB SSD
$30/year w/code:
LEBEGG30

Overview. There are a number of moving parts in today’s implementation. So let’s briefly go through the steps. Begin with a cloud-based installation of Incredible PBX. Next, we’ll upgrade the Fail2Ban setup to better secure a publicly-accessible Asterisk server. We’ll also customize the port for SSH access to reduce the attack rate on the SSH port. You’ll need a fully-qualified domain name (FQDN) for your server because we’ll be blocking all access to your server by IP address. If you want to allow SIP URI calls to your server, you’ll need this FQDN. If you want to also allow SIP registrations from this same FQDN, then a single FQDN will suffice; however, with OpenVZ platforms, we recommend using a different (and preferably more obscure) FQDN for SIP registrations since registered users have an actual extension on your PBX that is capable of making outbound calls which usually cost money. In this case, the obscure FQDN performs double-duty as the equivalent of a password to your PBX. For example, an FQDN such as hk76dl34z.yourdomain.com would rarely be guessed by an anonymous person while sip.yourdomain.com would be fairly obvious to attempted intruders. But that’s your call.

Using whatever FQDN you’ve chosen for SIP registrations, we’ll add an entry to /etc/asterisk/sip_custom.conf that looks like this: domain=hk76dl34z.yourdomain.com. That will block all SIP registration attempts except from that domain. It will not block SIP invitations! The next step will be to add a new [from-sip-external] context to extensions_override_freepbx.conf. Inside that context, we’ll specify the FQDN used for public SIP URI connections to your server, e.g. sip.yourdomain.com. This will block SIP invitations except SIP URIs containing that domain name. We’ll also define all of the extensions on your Asterisk server which can be reached with SIP URI invitations. These could be actual extensions, or ring groups, or IVRs, or Asterisk applications. The choice is yours. These SIP URI authorizations can be either numeric (701@sip.yourdomain.com) or alpha (weather@sip.yourdomain.com) or alphanumeric (channel7@sip.abc.com). Finally, we’ll put the new IPtables firewall rules in place and adjust your existing iptables-custom setup to support the new publicly-accessible PBX. For example, we’ll still use whitelist entries for web access to your server since anonymous users would cause nothing but mischief if TCP ports 80 and 443 were exposed. It’s worth noting that KVM platforms provide a more robust implementation of IPtables that can block more types of nefarious traffic. We’ve supplemented the original article with a KVM update below. With OpenVZ platforms, we have to rely upon Asterisk to achieve IP address blocking and some types of packet filtering. So why not choose a KVM platform? It’s simple. These platforms typically cost twice as much as equivalent OpenVZ offerings. With this type of deployment, KVM is worth it.

Installing Incredible PBX Base Platform

Today’s design requires an Incredible PBX platform on a cloud-based server. Start by following this tutorial to put the pieces in place. We recommend you also install the Whole Enchilada addition once the base install is finished. Make sure everything is functioning reliably before continuing.


Upgrading the Fail2Ban Platform

Because this will be a publicly-accessible server, we’re going to tighten up the Asterisk configuration in Fail2Ban and lengthen the bantime and findtime associated with Fail2Ban’s Asterisk log monitoring. We also recommend that you whitelist the IP addresses associated with your server and PCs from which you plan to access your server so that you don’t inadvertently block yourself.

Log into your server as root and issue the following commands. When the jail.conf file opens in the nano editor, scroll down to line 34 and add the IP addresses you’d like to whitelist to the existing ignoreip settings separating each IP address with a space. Then press Ctrl-X, Y, then Enter to save your changes. Verify that Fail2Ban restarts successfully.

cd /etc/fail2ban
wget http://incrediblepbx.com/fail2ban-public.tar.gz
tar zxvf fail2ban-public.tar.gz
rm -f fail2ban-public.tar.gz
nano -w jail.conf
service fail2ban restart

If you ever get locked out of your own server, you can use the Serial Console in your VPS Control Panel to log into your server. Then verify that your IP address has been blocked by issuing the command: iptables -nL. If your IP is shown as blocked, issue this command with your address to unblock it: fail2ban-client set asterisk unbanip 12.34.56.78

Obtaining an FQDN for Your Server

Because we’ll be blocking IP address SIP access to your server, you’ll need to obtain one or perhaps two FQDNs for your server. If you manage DNS for a domain that you own, this is easy. If not, you can obtain a free FQDN from ChangeIP here. Thanks, @mbellot.

For the FQDN that you’ll be using for SIP registrations on your server, configure Asterisk to use it by logging into your server as root and issuing the following command using your new FQDN, e.g. xyz.yourdomain.com. Thanks, @ou812.

echo "domain=xyz.yourdomain.com" >> /etc/asterisk/sip_custom.conf

SECURITY ALERT: Never use the SIP URI MOD on a server such as this one with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.

Customizing the [sip-external-custom] Context

All FreePBX-based servers include a sip-external-custom context as part of the default installation; however, we need a customized version to use for a publicly-accessible PBX. You can’t simply update the context in /etc/asterisk/extensions.conf because FreePBX will overwrite the changes the next time you reload your dialplan. Instead we have to copy the context into extensions_override_freepbx.conf and make the changes there. So let’s start by copying the new template there with the following commands:

cd /tmp
wget http://incrediblepbx.com/from-sip-external.txt
cd /etc/asterisk
cat /tmp/from-sip-external.txt >> extensions_override_freepbx.conf
rm -f /tmp/from-sip-external.txt
nano -w extensions_override_freepbx.conf

When the nano editor opens the override file, navigate to line #10 of the [from-sip-external] context and replace xyz.domain.com with the FQDN you want to use for SIP invites to your server. These are the connections that are used to actually connect to an extension on your server (NOT to register). As noted previously, this can be a different FQDN than the one used to actually register to an extension on your server. Next, scroll down below line #27, and you will see a series of lines that actually authorize anonymous SIP connections with your server. There are two numeric entries and also two alpha entries to access the News and Weather apps on your server. The 13th position in the dialplan is required for all authorized calls.

exten => 947,13,Dial(local/947@from-internal)
exten => 951,13,Dial(local/951@from-internal)
exten => news,13,Dial(local/951@from-internal)
exten => weather,13,Dial(local/947@from-internal)

You can leave these in place, remove them, or add new entries depending upon which extensions you want to make publicly accessible on your server. Here are some syntax examples for other types of server access that may be of interest.

; Call VoIP Users Conference
exten => 882,13,Dial(SIP/vuc@vuc.me)
exten => vuc,13,Dial(SIP/vuc@vuc.me)
; Call Default CONF app
exten => 2663,13,Dial(local/${EXTEN}@from-internal)
exten => conf,13,Dial(local/2663@from-internal)
; Call Bob at Local Extension 701
exten => 701,13,Dial(local/${EXTEN}@from-internal)
exten => bob,13,Dial(local/701@from-internal)
; Call Default Inbound Route thru Time Condition
exten => home,13,Goto(timeconditions,1,1)
; Call Inbound Trunk 8005551212
exten => 8005551212,13,Goto(from-trunk,${DID},1)
; Call Lenny
exten => 53669,13,Dial(local/${EXTEN}@from-internal)
exten => lenny,13,Dial(SIP/2233435945@sip2sip.info)
; Call any toll-free number (AT&T Directory Assistance in example)
exten => information,13,Dial(SIP/18005551212@switch.starcompartners.com)

Once you’ve added your FQDN and authorized SIP URI extensions, save the file: Ctrl-X, Y, then Enter.

One final piece is required to enabled anonymous SIP URI connections to your server:

echo "allowguest=yes" >> /etc/asterisk/sip_general_custom.conf

Now restart Asterisk: amportal restart

UPDATE for DialPlan Junkies: We received a few inquiries following publication inquiring about the dialplan design. We’ve taken advantage of a terrific feature of Asterisk which lets calls fall through to the next line of a dialplan if there is no match on a Goto(${EXTEN},13) command. For example, if a caller dials ward@sip.domain.com and there is a line 12 in the dialplan directing the call to ward,13 which exists, call processing will continue there. However, if the extension does not exist, the call will not be terminated. Instead, if there exists a more generic line 13 in the dialplan, e.g. exten => _X.,13,Goto(s,1), call processing will continue there. We use this trick to then redirect the call to an ‘s’ extension sequence to announce that the called extension could not be reached. It’s the reason all of the whitelisted extensions have to have the same line 13 designation so that call processing can continue with the generic line 13 when a specific extension match fails.

Configuring IPtables for Public SIP Access

You may recall that, with Incredible PBX, we bring up the basic IPtables firewall using the /etc/sysconfig/iptables rules. Then we add a number of whitelist entries using /usr/local/sbin/iptables-custom. We’re going to do much the same thing with today’s setup except the rule sets are a bit different. Let’s start by putting the default iptables-custom file in place:

cd /usr/local/sbin
wget http://incrediblepbx.com/iptables-custom-public.tar.gz
tar zxvf iptables-custom-public.tar.gz
rm -f iptables-custom-public.tar.gz
nano -w iptables-custom

When the nano editor opens, scroll to the bottom of the file. You’ll note that we’ve started a little list of notorious bad guys to get you started. Fail2Ban will actually do a pretty good job of managing these, but for the serious recidivists, blocking them permanently is probably a good idea. In addition to the bad guys, you’ll want to whitelist your own IP addresses and domains so that you don’t get blocked from FreePBX web access to your server. The syntax looks like the following two examples:

/usr/sbin/iptables -I INPUT -s pbxinaflash.dynamo.org -j ACCEPT
/usr/sbin/iptables -I INPUT -s 8.8.8.8                -j ACCEPT

Whenever you make changes to your IPtables configuration, remember to restart IPtables using the following command ONLY: iptables-restart

Now let’s put the final IPtables piece in place with the default IPtables config file:

cd /etc/sysconfig
wget http://incrediblepbx.com/iptables-public.tar.gz
tar zxvf iptables-public.tar.gz
rm -f iptables-public.tar.gz
nano -w iptables

When the nano editor opens the file, scroll down to line 55 which controls the TCP port for SSH access to your server. We strongly recommend you change this from 22 to something in the 1000-2000 range. HINT: Your birth year is easy to remember. In the next step, we’ll make the change in your SSH configuration as well.

Next, scroll down to lines 148 and 149. Replace YOUR_HOSTNAME.no-ip.com on both lines with the FQDN of your server that will be used to accept SIP invitations (connections) on your server. These entries have no effect on SIP registrations which we covered above!

Once you’ve made these changes, save the file BUT DO NOT RESTART IPTABLES JUST YET.

Securing the SSH Access Port

TCP port 22 is probably one of the most abused ports on the Internet because it controls access to SSH and the crown jewels by default. Assuming you changed this port in the IPtables firewall setup above, we now need to change it in your SSH config file as well. Edit /etc/ssh/sshd_config and scroll down to line 12. Change the entry to: Port 1999 assuming 1999 is the port you’ve chosen. Be sure to remove the comment symbol (#) at the beginning of the line if it exists. Then save the file.

You’ll also want to update the SSH port in Fail2Ban. Edit /etc/fail2ban/jail.conf and search for port=ssh. In the [ssh-iptables] context, change the entry to port=1999 assuming 1999 is your chosen port. Save the file and reboot your server. Then you should be all set.

Dealing with the Bad Guys

You’ll be amazed how quickly and how many new friends you’ll make on the public Internet within the first few hours. You can watch the excitement from the Asterisk CLI by logging into your server as root and issuing the command: asterisk -rvvvvvvvvvv. Another helpful tool is to monitor your IPtables status which will show IP addresses that have been temporarily blocked by Fail2Ban: iptables -nL. This will catch most of the bad guys and block them. But some are smarter than others, and many know how to spoof IP addresses in SIP packets as you will quickly see. Unlike on KVM platforms, IPtables on most OpenVZ platforms cannot search packets for text strings which is a simple way to block many of these attackers. HINT: You get what you pay for. And, in some cases, attackers disguise their address or use yours. We’ve now found that ${SIPURI} holds the caller’s true identity so we’ve updated the code accordingly. Whether to permanently block these guys is completely up to you. A typical SIP INVITE before such a call is dropped only consumes about 100 bytes so it’s usually not a big deal. You also can manually block callers using the Fail2Ban client with the desired IP address: fail2ban-client set asterisk banip 12.34.56.78.

Additional Security on KVM Platforms

As we mentioned above, a KVM platform provides considerably more security for your public-facing server because you can block entire countries using the ipset extension to IPtables. You can read all about it here. After considerable discussion and suggestions on the PIAF Forum, we would offer the following code which blocks the countries we have identified as causing the majority of problems. First, modify your /etc/sysconfig/iptables configuration and insert the following code in the IPSPF section of the script around line 93. You can change the list of blocked countries to meet your own needs. Just be sure to make the same country-code changes in the blockem.sh script which we will cover in step 2. A list of available country codes can be found here. Save your changes, but do NOT restart IPtables just yet.

-A IPSPF -m set --match-set cn src -j DROP
-A IPSPF -m set --match-set ru src -j DROP
-A IPSPF -m set --match-set ps src -j DROP
-A IPSPF -m set --match-set kp src -j DROP
-A IPSPF -m set --match-set ua src -j DROP
-A IPSPF -m set --match-set md src -j DROP
-A IPSPF -m set --match-set nl src -j DROP
-A IPSPF -m set --match-set fr src -j DROP
-A IPSPF -m set --match-set SIPFLOOD src -j DROP

Second, we want to add a new /etc/blockem.sh script and make it executable (chmod +x /etc/blockem.sh). With the exception of the SIPFLOOD entry which is our custom Bad Guys List, make sure the country list in line #5 below matches the dropped countries list you added to IPtables in step #1 above.

#!/bin/bash
cd /etc
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz| tar zxvf -
for i in \\
cn ru ps kp ua md nl fr
do
/usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done
done
wait
sleep 5
wget http://incrediblepbx.com/badguys.tar.gz
tar zxvf badguys.tar.gz
rm -f badguys.tar.gz
/usr/sbin/ipset restore -! < /etc/SIPFLOOD.zone
wait
sleep 5
service iptables restart
wait
sleep 5
/usr/local/sbin/iptables-custom
wait
sleep 5
service fail2ban restart
wait
exit 0

Third, try things out by running the script: /etc/blockem.sh. Verify that IPtables is, in fact, blocking the listed countries: iptables -nL.

Finally, we recommend adding the script to /etc/rc.d/rc.local replacing the existing iptables-restart line. In that way, it gets run whenever you reboot your server.

In choosing a KVM platform, we've had good luck with the $5/month Digital Ocean platform where you still can get a $50 credit to kick the tires for 60 days, Vultr (similar pricing to D.O. also with a $50 credit). With either of these providers, you can add automatic backups for an extra dollar a month. In the bargain basement (may not be here tomorrow) category, we like the following providers. Many other low-cost options are documented on the LowEndBox site. Just don't invest more than you can afford to lose... and make a backup.1

Connecting a SIP Phone to OpenSIPS or LinPhone

If you followed along in our OpenSIPS adventure, then it's easy to test some SIP URI calls to your new server. You can connect virtually any kind of SIP telephone or endpoint to OpenSIPS. Another easy way to try out SIP calling is to first set up a free LinPhone Account.

You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we'll get you started with one of our favorite (free) softphones, YateClient. It's available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for your OpenSIPS or LinPhone account you've previously created. You’ll need the IP address of your OpenSIPS server or LinPhone's FQDN (sip.linphone.org) plus your account’s password. Fill in the Yate Client template using the IP address or FQDN as well as your Username and whatever Password you assigned to the account when you created it. Click OK to save your entries.

Once the Yate softphone shows that it is registered, try a test call to one of the SIP URIs you authorized on your new Asterisk server or try ours:

If you don't happen to have an OpenSIPS server or a LinPhone SIP account to play with but you have another Asterisk server, then the simple way to enable SIP URI extensions is by editing /etc/asterisk/extensions_custom.conf. In the [from-internal-custom] context, add an extension that can be used to contact any desired SIP URI. Then reload your dialplan: asterisk -rx "dialplan reload". Now dial that extension (2468 in the following example) from any phone connected to your Asterisk server. The entry would look something like this to call our SIP URI for the latest weather forecast:

NEWS FLASH: A new One-Minute Installer to use Incredible PBX on the open Internet is now available here.

Originally published: Monday, June 3, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Digital Ocean and Vultr provide modest referral credits to Nerd Vittles for those that use our referral code. It in no way colors our recommendations regarding these two providers, both of whom we use extensively. []

Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS




Last week we introduced OpenSIPS, the multi-functional, multi-purpose signaling SIP server which can fulfill almost any communications function one can dream up except the unified communications tasks typically performed with a PBX such as Asterisk®. Today we want to marry the two platforms to give you the best of both worlds. For Incredible PBX® users, the primary advantage of adding an OpenSIPS front end is the elimination of the complexities associated with interacting with your PBX from remote sites with ever changing, dynamic IP addresses coupled with NAT firewalls over which you have no control. While there are many approaches to interconnecting the two platforms, we’re not comfortable with the exposure that a simple registration passthrough design introduces for many Asterisk users. Instead we prefer a model that lets everybody contact you and your users without providing the world the access necessary to allow anonymous strangers a platform from which to launch endless attempts to compromise your Asterisk server and individual Asterisk accounts.

Not all users on an Asterisk PBX need anonymous lurkers to have worldwide, public access to their individual phones. For most, DIDs suffice for public access. For users that do need such access, we will begin by creating a SIP account on your OpenSIPS server that is separate and apart from your Asterisk user account or extension. Also keep in mind that anonymous SIP calls require a match on the SIP URI to reach the person or function desired. You can enable and disable these SIP URI-accessible functions on your OpenSIPS server as desired. And you can determine how obscure to make each of the SIP URIs. Security through obscurity works and deters many SIP attacks. Now let’s address what you can and cannot do with this setup.

Using a SIP phone from anywhere in the world, any SIP user CAN:

  • Make SIP URI calls to authorized extensions and ring groups on your Asterisk PBX
  • Make SIP URI calls to authorized clients registered to a 3CX PBX with a SIP UUID
  • With a legitimate password, make DISA-like calls with Asterisk trunks, if enabled
  • With an invalid DISA password, converse with Lenny
  • With a legitimate password, check and manage authorized Asterisk voicemail accounts
  • With a legitimate password, participate in authorized Asterisk conferences
  • Access other authorized Asterisk applications available from Asterisk extensions

Using a SIP phone from anywhere in the world, an OpenSIPS-registered User also CAN:

  • Make PSTN calls from OpenSIPS-registered SIP phones, if enabled
  • Receive calls from Asterisk forwarded to any OpenSIPS-registered SIP phone
  • Receive calls from Asterisk forwarded to any 3CX-registered client or SIP phone

Using any SIP phone registered to a SIP proxy, you CANNOT:

  • Log into any Asterisk user account without whitelist permission and credentials
  • Make 911 calls

Prerequisites: To complete today’s setup, we’re assuming you have (1) an Incredible PBX server running Asterisk 13, (2) an OpenSIPS server built with version 1.2.0 or later of the Incredible PBX for OpenSIPS installer, and (3) either a registered SIP account and SIP URI on your OpenSIPS PBX or a SIP account with a provider such as a free linphone.org account.

Running pbxstatus on your OpenSIPS server will tell you which version you have. If you don’t have pbxstatus or the version is below 1.2.0, please initialize your Debian 8 platform, download the latest release, and reinstall following the our OpenSIPS tutorial here. There were major changes in the OpenSIPS configuration to support Asterisk connectivity which made an in place upgrade too complex. Our apologies.

Before creating user accounts on your OpenSIPS server, give some thought to a numbering scheme that won’t conflict with extension registrations on your Asterisk server. For example, if your Asterisk server uses extensions 701 through 750, then you may wish to consider using 7701 through 7750 on your OpenSIPS server. The one-to-one match keeps things simple without running into conflicts between the Asterisk extension numbers and the OpenSIPS user accounts. We’ll use the 700 (Asterisk) and 7700 (OpenSIPS) extension ranges in our examples which follow. And we’ve reworked the original OpenSIPS tutorial in keeping with this design to simplify Asterisk integration for new readers just joining the party.

We want to express our sincere appreciation to Bill Simon for his patient tutelage in walking us through some of the potential landmines in marrying an OpenSIPS server with Asterisk. Should your organization ever need professional help with a SIP deployment, there is no finer SIP authority than Simon Telephonics.


1. Configuring Asterisk for Inbound OpenSIPS Calls

Assuming you have an Incredible PBX 13 platform, open the GUI as admin using a browser from your desktop. First, let’s create a Trunk for the OpenSIPS server. Choose Connectivity -> Trunks -> Add SIP (chan_sip) Trunk. For Trunk Name, use opensips. Next, click on the SIP Settings tab in the dialog. For Trunk Name, again use opensips. In PEER DETAILS, enter the following and replace xxx.xxx.xxx.xxx twice with the actual IP address of your OpenSIPS server. Then click Submit and Reload Dialplan when prompted.

type=peer
host=xxx.xxx.xxx.xxx
context=from-opensips
insecure=port,invite
disallow=all
allow=ulaw
deny=0.0.0.0/0.0.0.0
permit=xxx.xxx.xxx.xxx/255.255.255.255

Next, using SSH or Putty, login to your Asterisk server as root and issue these commands replacing xxx.xxx.xxx.xxx with the IP address of your OpenSIPS server (choose option 0 when prompted for access type):

cd /root
./add-ip opensips xxx.xxx.xxx.xxx
wget http://incrediblepbx.com/from-opensips.tar.gz
tar zxvf from-opensips.tar.gz
rm -f from-opensips.tar.gz
nano -w from-opensips.txt

When the editor opens, scroll down to line 16 and enter a very secure PIN (up to 10 digits) for access to the DISA-like service to make outbound calls via SIP URI. It’s your phone bill so make it long (up to 10 digits) and something that is not easily guessed. On line 20, we have configured DISA for numbers up to 11 digits. If your dialplan requires international dialing support, you can adjust 11 to the desired number of digits. Then save the file and copy the dialplan code into extensions_custom.conf and reload your dialplan:

cd /etc/asterisk
cat /root/from-opensips.txt >> extensions_custom.conf
asterisk -rx "dialplan reload"

IMPORTANT NOTE: Just because you have configured this DISA option on your Asterisk server does not mean it is available via SIP URI. In fact, no SIP URI access to your Asterisk server is enabled at this juncture. You still must set up the SIP URI connections on your OpenSIPS server. Whether to do that and which features to activate are completely up to you.

2. Configuring OpenSIPS for Asterisk Connectivity

Beginning with version 1.2.0 of the Incredible PBX installer for OpenSIPS, the server itself is preconfigured to support Asterisk connectivity using AVPs. Implementation only requires command line execution of an AVP script to enable each feature you wish to activate. A similar script can be used to deactivate any AVP feature previously activated. To install the scripts on your OpenSIPS server, log in as root using SSH or Putty and issue these commands:

cd /root
wget http://incrediblepbx.com/asterisk-features-for-opensips.tar.gz
tar zxvf asterisk-features-for-opensips.tar.gz
rm -f asterisk-features-for-opensips.tar.gz

The function of each of the Asterisk scripts is self-explanatory from the script names:

  • asterisk-add-forward
  • asterisk-delete-forward
  • asterisk-list-forwards

Three pieces of information are required to add a SIP URI forward from OpenSIPS to your Asterisk server using the AVP asterisk-add-forward script:

  • UUID of SIP URI (from any SIP phone, dial UUID@opensips.yourdomain.com to connect)
  • Asterisk Extension (destination where incoming OpenSIPS call should be forwarded)
  • Asterisk Public IP Address

To add a SIP URI for extension 701 on your Asterisk server at xx.xx.xx.xx reachable at 701@opensips.yourdomain.com, the command would look like this where xx.xx.xx.xx is the public IP address of your Asterisk server and opensips.yourdomain.com is the FQDN of your OpenSIPS server: /root/asterisk-add-forward 701 701 xx.xx.xx.xx

CAUTION: Other than for forwards like this, do NOT set up User accounts in the OpenSIPS Control Panel using the same numbers as existing extensions on your Asterisk server. Otherwise, if your SIP phone is registered to a 701 user account on your OpenSIPS server, you lose the ability to connect to any extension on your Asterisk server if a 701 account requiring registration also existed on the Asterisk platform.

To use a name in the SIP URI or enable a second SIP URI for the same Asterisk 701 extension (jdoe@opensips.yourdomain.com): /root/asterisk-add-forward jdoe 701 xx.xx.xx.xx

Simply repeat the steps above for every SIP URI you wish to enable for an Asterisk extension.

To enable DISA-like access via SIP URI using dial as UUID (dial@opensips.yourdomain.com): /root/asterisk-add-forward dial *1 xx.xx.xx.xx

Keep in mind that you need not use "dial" as the UUID. You can make up any name you like. So long *1 is the DISA extension, the UUID can be as obscure as desired e.g. disa5038now.

For voicemail access via SIP URI, you can do it in two ways. For generic access triggering prompts for both the voice mailbox number and the mailbox PIN, use the following: /root/asterisk-add-forward vm *98 xx.xx.xx.xx

For voicemail access to a specific mailbox (701) with only a prompt for the mail PIN, use: /root/asterisk-add-forward vm701 *98701 xx.xx.xx.xx

For access to a specified conference (2663) with a prompt for the conference PIN, use: /root/asterisk-add-forward conf2663 2663 xx.xx.xx.xx

For access to Weather Reports (947) with a prompt for the ZIP Code, use something like this: /root/asterisk-add-forward weather 947 xx.xx.xx.xx

For News Headlines (951), use: /root/asterisk-add-forward news 951 xx.xx.xx.xx

To delete any previously created UUID forward: /root/asterisk-delete-forward

To list existing UUID forwards for SIP URIs: /root/asterisk-list-forwards

Calling Tip: If your softphone is registered to an OpenSIPS User account, you can call any of the enabled forwarding entries by entering the UUID without @opensips.yourdomain.com, e.g. dialing vm would connect to the Asterisk voicemail system with a prompt for mailbox.

3. Enabling Inbound Calls from Asterisk to a SIP Phone

In today’s design, incoming calls to your Asterisk PBX can be forwarded to a user account on your OpenSIPS server or a free linphone.org user account by (1) creating a free User account in the OpenSIPS Control Panel or at linphone.org, (2) logging into that user account with a SIP phone or softphone, (3) creating a custom extension in the Incredible PBX GUI that points to the SIP URI of your user account on the OpenSIPS server or your free linphone.org SIP user account or a 3CX client, and (4) adding that custom extension to either a Ring Group that includes your Asterisk extension or enabling FindMe/FollowMe for your Asterisk extension and designating the custom extension as the No Answer Destination. Need support for multiple Asterisk users? Not a problem. Repeat the drill for each user.

The procedure for adding a User Account in the OpenSIPS Control Panel was covered in last week’s article. The procedure for creating a free Linphone User Account was covered in an earlier article so we won’t repeat it here. Another obvious SIP URI destination is any 3CX Client if you’ve previously set up a free 3CX server following our 3CX tutorial. Refer back to those articles if you need a refresher.

On the Asterisk side, login to the Incredible PBX GUI as admin with your favorite browser. Then choose Applications -> Extensions -> Add Custom Extension. For the User Extension and Display Name, we recommend using the 7701 numbering scheme for remote accounts. Then click on the Advanced tab and enter the SIP URI of your OpenSIPS, Linphone, or 3CX User account as the Dial option, e.g. SIP/yourname@sip.linphone.org or SIP/7701@opensips.yourdomain.com. Click Submit and Apply Config to reload dialplan.

To assure that incoming calls ring on both your Asterisk phone (701) and your registered SIP phone, we recommend setting up a Ring Group on the Asterisk side that includes both the 701 extension and the new 7701 custom extension. Then adjust your Inbound Routes to point to the number of this Ring Group instead of to 701. In this way, you can preserve the voicemail functionality associated with your 701 extension. FYI: None of these servers proxy audio and video of your calls. They provide a SIP registration service only.

The other alternative to a Ring Group is to enable FindMe/FollowMe in the 701 extension settings and then specify Extension:701 as the No Answer Destination. With this approach, voicemail will never be triggered on calls sent to extension 701 on your PBX. Since OpenSIPS lacks voicemail, you would lose calls not answered on your registered SIP phone or softphone.

TIP: We use 3CX clients exclusively for inbound calls on iPhones and Android devices because we have found they are far superior in dealing with both push notifications and NAT routing. 3CX clients actually ring when someone calls AND you can hear both sides of every call.

4. Outbound PSTN Calling from OpenSIPS

The DISA setup documented above allows your existing Trunks to continue to be managed and secured exclusively on your Asterisk server with no trunk exposure on the OpenSIPS platform at all. Thus, if either your public-facing OpenSIPS server or Linphone is ever compromised, nobody will be able to make any calls on your nickel because there will be no trunks available to process the outbound calls. Your DISA password is never exposed.

For some (like us), a two-step outbound calling procedure is just too painful. In that case, with providers such as Skyetel, you can deploy a PSTN calling platform on both your Asterisk server and on OpenSIPS. We documented the Skyetel trunk setup for OpenSIPS in our tutorial last week. The good news is nothing precludes deployment of Skyetel at multiple sites even if you only use Skyetel on the OpenSIPS platform for outbound calling. And this completely avoids implementing a DISA solution which has security implications of its own. Effective 10/1/2023, $25/month minimum spend at Skyetel is required.

Enabling direct PSTN calling with OpenSIPS means nobody can ever make PSTN calls merely by guessing a SIP URI. It requires an actual SIP registration to OpenSIPS, and you have Fail2Ban to assist with securing that process. So the outbound calling design is completely up to you. Direct PSTN calling from OpenSIPS is no less safe so long as none of your OpenSIPS User account passwords are compromised.

5. Enabling Calls from Asterisk to OpenSIPS Users

For OpenSIPS AVP forwards that have been enabled to Asterisk extensions, you probably will also want to provide a way for Asterisk users to return those calls directly to OpenSIPS users since that will be the CallerID that displays when an OpenSIPS user places a call directly to a forwarded Asterisk extension. Assuming a SIP phone has been registered to User account 7709, when that OpenSIPS user places a call to a forwarded Asterisk extension 701, it means the Asterisk user will see 7709 displayed as the CallerID for the incoming call even though the User of the OpenSIPS 7709 extension may also be associated with extension 709 on the Asterisk side. If the Asterisk callee attempts to return the call by dialing 7709 instead of 709, the call would fail. To avoid confusion by Asterisk users, the simple solution is to add an additional Custom SIP extension for every OpenSIPS User account.

For example, on the Asterisk side, login to the Incredible PBX GUI as admin with your favorite browser. Then choose Applications -> Extensions -> Add Custom Extension. For the User Extension, enter 7709. For the Display Name, enter the name of the person using that OpenSIPS user account. Next, click on the Advanced tab and enter the SIP URI for this OpenSIPS User account as the Dial option, e.g. SIP/7709@opensips.yourdomain.com. Click Submit and Apply Config to reload dialplan.

FYI: Matching Custom Extension numbers on the Asterisk platform to identical extensions on your OpenSIPS server does not create the registration problems we cautioned against earlier. Only Asterisk extensions requiring actual SIP registration need to remain unique from accounts on your OpenSIPS platform.

6. A Few Words About Security

If you’ve been using Incredible PBX with its Travelin’ Man 3 firewall, it’s not unlike living in a gated community where most of the outside world doesn’t even know you exist. Adding a "second home" with OpenSIPS is not unlike buying a summer place next door to Fred Sanford in Watts. You might as well have set up shop in the middle of Russia because, for all intents and purposes, you have. Anybody in the world can guess your IP address and spend the day trying to break into your server. So the name of the game is vigilance. Especially for the first few weeks, you need to run iptables -nL regularly and see how quickly your Fail2Ban blacklist is filling up. If you heeded our advice and set up your OpenSIPS server on a KVM platform (instead of OpenVZ), we’ve got a handy little script that will let you move bad guys snagged by Fail2Ban to the permanent IPset blacklist. Just download the script and run it daily to move the Fail2Ban entries to permanent block status in the IPset blacklist:

cd /root
wget http://incrediblepbx.com/move-fail2bans-to-ipset.tar.gz
tar zxvf move-fail2bans-to-ipset.tar.gz
rm -f move-fail2bans-to-ipset.tar.gz
./move-fail2bans-to-ipset

Once you have verified that the IP addresses actually are being populated in the IPset blacklist table (ipset list | sort), you can add the script to /etc/crontab to run automatically each night:

echo "2 4 * * * root /root/move-fail2bans-to-ipset > /dev/null 2>&1" >> /etc/crontab

If you’d like a head start on your IPset blacklist, simply download our latest list and then reboot your server:

cd /etc
wget http://incrediblepbx.com/badguys.tar.gz
tar zxvf badguys.tar.gz
rm -f badguys.tar.gz 

Another potential vulnerability is SSH. This command will tell you who has attempted to login to your server as root: cat /var/log/auth.log | grep password. If you ever see a failed login and it wasn’t a mistake on your part, change your SSH access port immediately if not sooner: nano -w /etc/ssh/sshd_config. Then restart SSH: /etc/init.d/ssh restart. Better yet, set up SSH public key authentication.

The other major consideration is the number of holes you punch into the security of your Asterisk server using the OpenSIPS asterisk-add-forward script. Every time you add an extension to this list, you open another (read-only) window into your Asterisk communications world. And anybody can connect to these extensions using either the FQDN of your OpenSIPS server or its IP address. Even though we don’t practice what we preach, we strongly recommend using alphanumeric UUIDs instead of numbers for these access points. That at least avoids random calls from bad guys that are accustomed to numeric numbers only in SIP URIs. Regularly review your OpenSIPS log for unusual strings of forwarded calls and adjust your forwarding UUIDs accordingly: cat /var/log/opensips.log | grep forwarded.

In our previous article, we’ve already addressed how important it is to limit User accounts to your FQDN and never the IP address of your OpenSIPS server. In this way, you limit OpenSIPS registration exposure to your FQDN and never the IP address of your server. Fail2Ban also assists here by blocking failed login attempts after a single failure unless you have whitelisted the IP address in Fail2ban’s ignoreip list in /etc/fail2ban/jail.conf and restarted Fail2Ban with this command: /etc/init.d/fail2ban restart. These are the only entry points that offer the ability to actually register to your server. AVPs never do. Obviously, a successful SIP registration is much more dangerous than a random phone call on a SIP URI set up using AVP extension forwarding.

Finally, passwords now matter on your Asterisk PBX for any port forward you’ve established with OpenSIPS. For example, if you’ve set up a generic forward to access voicemail, then it means anybody guessing the SIP URI you created can spend the day (at no cost) attempting to break into ANY voicemail account on your Asterisk server by guessing the PIN. Fail2Ban will not protect you here. If you’ve set up DISA-like access to your Asterisk server on OpenSIPS, then the same applies except now the attacker gets a blank check to make commercial calls if they can guess your access PIN. Worried yet? We hope so. Sure beats a $100,000 phone bill.

7. Taking OpenSIPS for a Test Drive

We usually provide a Demo Line for readers to try out our latest creations. For obvious reasons, we prefer not to disclose our OpenSIPS FQDN to the general public. But we have set up a port forward from a DID that we temporarily configured on our OpenSIPS server. So, if you’d like to sample the voice quality of placing a call to a DID in Atlanta forwarded to an OpenSIPS server in New York forwarded to an Asterisk server in Miami and then back to you, try calling 843-606-0555 for a weather report in your favorite ZIP code. We’re betting you will be dumbfounded by the quality of the call. Enjoy!

Originally published: Monday, May 20, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



A Golden Newbie: Incredible PBX 13-13.10 for Ubuntu 18.04.2


If you’re as big a fan of Ubuntu as we are, then you’ll be pleased to know that the month-old update to Ubuntu 18.04 LTS is rock-solid. It takes a brave soul to name anything Bionic Beaver, but Ubuntu pulls it off and makes you want to meet one face-to-face, just not in a bar after midnight. Well, St. Paddy would be proud. Today’s new Incredible PBX® 13-13.10 release brings you everything you could want in a PBX, and the icing on the cake is Ubuntu 18.04.2. The only drawback to Ubuntu 18.04 is that none of our $1/month VPS cloud providers support the platform just yet. But have no fear, both Digital Ocean and Vultr already do.1

Introducing 2019 Edition of Incredible PBX

This is our third major release of our flagship Incredible PBX 13-13 platform. In addition to today’s release for Ubuntu 18.04.2, it’s also available for Raspbian 8 as well as CentOS 6 and 7. It features 70+ new FreePBX® GPL modules plus all the latest components for OSS Endpoint Manager making SIP phone deployment with Asterisk® 13 a breeze. There also are terrific new backup and restore utilities which make migration and restoration of Incredible PBX platforms a snap. Finally, we’ve incorporated Skyetel SIP trunking in the build. It literally makes configuration of outbound and incoming calling a one-minute process. On the Skyetel side, create an Endpoint Group pointing to the IP address of your PBX, order one or more DIDs and point them to the new EndPoint Group. Done. On the Incredible PBX side, add Inbound Routes specifying the 11-digit numbers of your Skyetel DIDs and point each of them to the desired destination for incoming calls. Done. Outbound calls are automatically configured to use your Skyetel account. Our complete Skyetel tutorial is available here and includes up to a $250 usage credit with Skyetel’s new BOGO deposit match.2 Effective 10/1/2023, $25/month minimum spend required.

Creating an Ubuntu 18.04.2 Platform

If you plan to install Incredible PBX 13-13.10 using a cloud provider that supports Ubuntu 18.04.2, then creation of the Ubuntu 18.04.2 platform is as simple as clicking on the 64-bit OS as part of the creation of your 1GB RAM virtual machine. If you plan to use your own hardware, then any modern desktop computer will suffice. Begin by downloading the Ubuntu 18.04.2 ISO from here. Then create a bootable USB stick or assign the ISO as the boot device on your virtual machine platform. Here are steps for Ubuntu install using the server console:

  • Preferred language: English
  • Keyboard: English (US)
  • Install Ubuntu
  • Network interface (eth or wlan) from DHCP
  • Proxy (leave blank)
  • Ubuntu mirror (accept default entry)
  • Partitioning: Use Entire Disk
  • Choose Disk for Install (accept default usually)
  • File System Setup (choose Done)
  • Confirm Disk Install (Continue)
  • Profile Setup (create a username and password)
  • Install OpenSSH server (press Space Bar then Done)
  • Featured Server Snaps (leave blank)
  • Reboot Now (when prompted)
  • Remove installation media
  • Login using username created above
  • sudo passwd root
  • exit
  • Login as root with new root password
  • userdel username (that you created above)
  • nano -w /etc/ssh/sshd_config
  • Add: PermitRootLogin yes
  • save file
  • exit
  • Login as root using SSH or Putty

CAUTION: Don’t make any "improvements" to Ubuntu 18.04.2 after the initial install, or the Incredible PBX install may fail. It is designed for a base platform only!

Installing Incredible PBX 13-13.10

If you haven’t already done so, log into your Ubuntu 18.04.2 server as root using SSH or Putty. It’s important to log in from a desktop computer that you will be using to make changes on your server since this IP address will be whitelisted in the firewall as part of the installation process. Do NOT use the server console to install Incredible PBX, or you may not be able to log in from your desktop computer thereafter.

Before we begin the install procedure, let’s determine whether a swap file exists on your platform. If not, you’ll need to create one below as one of the first steps after downloading the Incredible PBX installer. Issue this command to determine if you have swap space: free -h

Now let’s download and install Incredible PBX 13-13.10. There are two flavors: the base install with the 70+ FreePBX GPL modules that comprise the web-based GUI to manage your PBX and the Whole Enchilada which adds 30+ Asterisk applications to the base install to provide TTS support, voice recognition, news and weather TTS apps, AsteriDex, telephone reminders, and much more. Here are the steps. Be sure to uncomment the create-swapfile-DO entry if you are lacking a swapfile.

cd /root
wget http://incrediblepbx.com/incrediblepbx-13-13.10U-LEAN.tar.gz
tar zxvf incrediblepbx-13-13.10U-LEAN.tar.gz
rm -f incrediblepbx-13-13.10U-LEAN.tar.gz
#./create-swapfile-DO
./Incredible*

There are two phases to the base install. You’ve just completed Phase #1. After your server reboots, log back in and kick off the Incredible PBX installer a second time. Don’t disappear immediately. On some cloud platforms, you may be asked whether to preserve your existing SSH setup. Choose the Keep Local Version default. On all platforms, you’ll be prompted for two additional responses in the first few minutes. At the first prompt, simply press ENTER to continue. At the second prompt, enter the country code to associate with your PBX. For those in the United States, the code is 1. We assume others are more familiar with their country code than Americans are. 😉

cd /root
./Incredible*

Make some careful notes when the install finishes. Then press ENTER to reboot your server.

If you don’t plan to use the Incredible PBX applications, then your install is complete after the reboot. Each time you log in to your server, the Automatic Update Utility will run to provide late-breaking updates that may affect the security of your server. So make sure you log in to the Linux CLI at least once a week to stay safe!

Assuming you’ve already created a very secure root password (update it by running passwd), perform the following 5 Steps to get everything locked down:

  1. Create an admin password for GUI access: /root/admin-pw-change
  2. Create an admin password for Apache web access: htpasswd /etc/pbx/wwwpasswd admin
  3. Configure the correct timezone for your server: /root/timezone-setup
  4. Retrieve your PortKnocker setup like this: cat /root/knock.FAQ
  5. Add IPtables WhiteList entries for remote access: /root/add-ip or /root/add-fqdn

Most of the configuration of your PBX will be performed using the web-based Incredible PBX GUI with its FreePBX 13 GPL modules. Use a browser pointed to the IP address of your server and choose Incredible PBX Admin. Log in as admin with the password you configured in the first step above. HINT: You can always change it if you happen to forget it.

To get a basic system set up so that you can make and receive calls, you’ll need to add a VoIP trunk, create one or more extensions, set up an inbound route to send incoming calls to an extension, and set up an outbound route to send calls placed from your extension to a VoIP trunk that connects to telephones in the real world. You’ll also need a SIP phone or softphone to use as an extension on your PBX.

Continue Reading: Configuring Extensions, Trunks & Routes

Installing Incredible PBX 13-13 Whole Enchilada

There now are two more pieces to put in place. The sequence matters! Be sure to upgrade to the Whole Enchilada before you install Incredible Fax. If you perform the steps backwards, you may irreparably damage your fax setup by overwriting parts of it.

The Whole Enchilada upgrade script now is included in the Incredible PBX LEAN tarball. To run it, issue the following commands:

cd /root
./Enchilada*

If you accidentally installed Incredible Fax before upgrading to the Whole Enchilada, you may be able to recover your Incredible Fax setup by executing the following commands. It’s worth a try anyway.

amportal a ma install avantfax
amportal a r



Installing Incredible Fax with HylaFax/AvantFax

You don’t need to upgrade to the Whole Enchilada in order to use Incredible Fax; however, you may forfeit the opportunity to later upgrade to the Whole Enchilada if you install Incredible Fax first. But the choice is completely up to you. To install Incredible Fax, log into your server as root and issue the following commands:

cd /root
./incrediblefax13_ubuntu18.sh

After entering your email address to receive incoming faxes, you’ll be prompted several times to choose options as part of the install. Simply press the ENTER key at each prompt and accept all of the defaults. When the install finishes, make certain that you reboot your server to bring Incredible Fax on line. There will be a new AvantFax option in the Incredible PBX GUI. The default credentials for AvantFax GUI are admin:password. Be advised that there remain a couple of quirks on the Ubuntu 18.04 platform. First, after entering your credentials, you may get a timeout error with your browser. Simply press the Reload/Refresh icon in your browser, and the default AvantFax menu will appear. Second, you will need to set your email delivery address and a new password for AvantFax manually. Click on the Settings option in the upper right corner of the dialog. When you save your settings, you may again experience a timeout event. Click the Reload/Refresh button on your browser again, and AvantFax will come back to life.

NAT-Based Router and Dynamic IP Wrinkles

If your PBX is sitting behind a NAT-based router, you’ll need to redirect incoming UDP 5060 traffic to the private IP address of your PBX. While this isn’t technically necessary to complete calls with registered trunk providers, there are others such as Skyetel that don’t use SIP registrations where failure to redirect UDP 5060 would cause inbound calls to fail.

The Incredible PBX GUI is accessed using a web browser pointed to the IP address of your server. As part of the password setup, you created an admin password for the Incredible PBX GUI, a.k.a. FreePBX GUI. Login now using your favorite browser. If you have forgotten your admin password, you can reset it by logging into your server as root using SSH: /root/admin-pw-change. Once you’ve logged into the GUI, your first task is to record the public and private IP addresses for your server. This eliminates 99% of the problems with one-way audio on calls where your server is sitting behind a NAT-based router. Navigate to Settings -> SIP Settings and click on Detect Network Settings in the NAT Settings section of the template. Verify that the entries shown are correct and then click Submit followed by Apply Config.

Many Internet service providers assign dynamic IP addresses to customers. This poses issues with a PBX because SIP phones positioned outside your LAN need to be able to connect to the PBX. It also complicates SIP routing which needs both the public IP address and the private IP address of the PBX in order to route calls properly. In the previous section, you configured your PBX with these two IP addresses. The problem, of course, is that this public IP address may change when your ISP assigns dynamic IP addresses. Luckily, many ISPs rarely update dynamic IP addresses of their customers. For example, our home network has had the same dynamic IP address for more than four years. If this is your situation, then you have little to worry about. If the IP address ever changes, you can simply repeat the steps in the previous section. However, if your ISP regularly changes your public IP address, then you need an automatic way to keep your PBX configured properly. Otherwise you will start experiencing calls with one-way audio or no audio, and remote phones will no longer be able to connect to the PBX. We’ve developed a script to update the public IP address of your PBX. Depending upon your situation, all you need to do is run it hourly or daily to keep your PBX configured properly. To begin, first download the updater script after logging into your server as root:

cd /root
wget http://incrediblepbx.com/update-externip.tar.gz
tar zxvf update-externip.tar.gz
rm -f update-externip.tar.gz

Try running the script once to make sure it correctly identifies the public IP address of your server: /root/update-externip. Then add an entry to the end of /etc/crontab that schedules the script to run at 12:30 a.m. each night:

30 0 * * * root /root/update-externip > /dev/null 2>&1

Configuring Trunks with Incredible PBX

Before you can actually make and receive calls, you’ll need to add one or more VoIP trunks with providers, create extensions for your phones, and add inbound and outbound routes that link your extensions to your trunks. Here’s how a PBX works. Phones connect to extensions. Extensions connect to outbound routes that direct calls to specific trunks, a.k.a. commercial providers that complete your outbound calls to any phone in the world. Coming the other way, incoming calls are directed to your phone number, otherwise known as a DID. DIDs are assigned by providers. Some require trunk registration using credentials handed out by these providers. Others including Skyetel use the IP address of your PBX to make connections. Incoming calls are routed to your DIDs which use inbound routes telling the PBX how to direct the calls internally. A call could go to an extension to ring a phone, or it could go to a group of extensions known as a ring group to ring a group of phones. It could also go to a conference that joins multiple people into a single call. Finally, it could be routed to an IVR or AutoAttendant providing a list of options from which callers could choose by pressing various keys on their phone.

We’ve done most of the prep work for you with Incredible PBX. We’ve set up an Extension to which you can connect a SIP phone or softphone. We’ve set up an Inbound Route that, by default, sends all incoming calls from registered trunks to a Demo IVR. And we’ve built dozens of trunks for some of the best providers in the business. Sign up with the ones you prefer, plug in your credentials, and you’re done. The next section of this tutorial will show you the easier way, using Skyetel.

Unlike traditional telephone service, you need not and probably should not put all your eggs in one basket when it comes to telephone providers. In order to connect to Plain Old Telephones, you still need at least one provider. But there is nothing wrong with having several. And a provider that handles an outbound call (termination) need not be the same one that handles an incoming call (origination) and provides your phone number (DID). Keep in mind that you only pay for the calls you make with each provider so you have little to lose by choosing several. The PIAF Forum also has dozens of recommendations on VoIP providers.

With the preconfigured trunks in Incredible PBX, all you need are your credentials for each provider and the domain name of their server. Log into Incredible PBX GUI Administration as admin using a browser. From the System Status menu, click Connectivity -> Trunks. Click on each provider you have chosen and fill in your credentials including the host entry. Be sure to uncheck the Disable Trunk checkbox! Fill in the appropriate information for the Register String. Save your settings by clicking Submit Changes. Then click the red Apply Config button.

Using Skyetel with Incredible PBX

On the Raspberry Pi platform, all of the Skyetel trunks are preconfigured. All you need to do is sign up for Skyetel service in March to take advantage of the $50 Nerd Vittles special offer. First, complete the Prequalification Form here. You then will be provided a link to the Skyetel site to complete your registration. Once you have registered on the Skyetel site and your account has been activated, open a support ticket and request a $50 credit for your account by referencing the Nerd Vittles special offer. Greed will get you nowhere. Credit is limited to one per person/company/address/location. You can also take advantage of a 10% discount on your current service. Just open another ticket and attach a copy of your last month’s bill. See footnote 3 for the fine print.3 If you have high call volume requirements, document these in your Prequalification Form, and we will be in touch.

Unlike many VoIP providers, Skyetel does not use SIP registrations to make connections to your PBX. Instead, Skyetel utilizes Endpoint Groups to identify which servers can communicate with the Skyetel service. An Endpoint Group consists of a Name, an IP address, a UDP or TCP port for the connection, and a numerical Priority for the group. For incoming calls destined to your PBX, DIDs are associated with an Endpoint Group to route the calls to your PBX. For outgoing calls from your PBX, a matching Endpoint Group is required to authorize outbound calls through the Skyetel network. Thus, the first step in configuring the Skyetel side for use with your PBX is to set up an Endpoint Group. A typical setup for use with Incredible PBX®, Asterisk®, or FreePBX® would look like the following:

  • Name: MyPBX
  • Priority: 1
  • IP Address: PBX-Public-IP-Address
  • Port: 5060
  • Protocol: UDP
  • Description: server1.incrediblepbx.com

To receive incoming PSTN calls, you’ll need at least one DID. On the Skyetel site, you acquire DIDs under the Phone Numbers tab. You have the option of Porting in Existing Numbers (free for the first 60 days after you sign up for service) or purchasing new ones under the Buy Phone Numbers menu option.

Once you have acquired one or more DIDs, navigate to the Local Numbers or Toll Free Numbers tab and specify the desired SIP Format and Endpoint Group for each DID. Add SMS/MMS and E911 support, if desired. Call Forwarding and Failover are also supported. That completes the VoIP setup on the Skyetel side. System Status is always available here.

Configuring a Skyetel Inbound Route

Because there is no SIP registration with Skyetel, incoming calls to Skyetel trunks will NOT be sent to the Default Inbound Route configured on your PBX because FreePBX treats the calls as blocked anonymous calls without an Inbound Route pointing to the 11-digit number of each Skyetel DID. From the GUI, choose Connectivity -> Inbound Routes. You will note that we already have configured a Skyetel template for you. Simply edit the existing entry and plug in the 11-digit phone number (beginning with a 1) of your Skyetel DID . Set the Destination for the incoming DID as desired and click Submit. It defaults to extension 701.

If your PBX is sitting behind a NAT-based router, you’ll need to redirect incoming UDP 5060 traffic to the private IP address of your PBX. Then place a test call to each of your DIDs after configuring the Inbound Routes.

If you have installed the Incredible Fax add-on, you can enable Fax Detection under the Fax tab. And, if you’d like CallerID Name lookups using CallerID Superfecta, you can enable it under the Other tab before saving your setup and reloading your dialplan.

Configuring a Skyetel Outbound Route

If Skyetel will be your primary provider, it is preconfigured by default on the Raspberry Pi platform so you can use both 10-digit and 11-digit dialing to process outbound calls through your Skyetel account. If you prefer another setup, choose Connectivity -> Outbound Routes.

There are a million ways to design outbound calling schemes on PBXs with multiple trunks. One of the simplest ways is to use no dial prefix for the primary trunk and then use dialing prefixes for the remaining trunks.

Another outbound calling scheme would be to assign specific DIDs to individual extensions on your PBX. Here you could use NXXNXXXXXX with the 1 Prepend as the Dial Pattern with every Outbound Route and change the Extension Number in the CallerID field of the Dial Pattern. With this setup, you’d need a separate Outbound Route for each group of extensions using a specific trunk on your PBX. Additional dial patterns can be added for each extension designated for a particular trunk. A lower priority Outbound Route then could be added without a CallerID entry to cover extensions that weren’t restricted or specified.

HINT: Keep in mind that Outbound Routes are processed by FreePBX in top-down order. The first route with a matching dial pattern is the trunk that is selected to place the outbound call. No other outbound routes are ever used even if the call fails or the trunk is unavailable. To avoid failed calls, consider adding additional trunks to the Trunk Sequence in every outbound route. In summary, if you have multiple routes with the exact same dial pattern, then the match nearest to the top of the Outbound Route list wins. You can rearrange the order of the outbound routes by dragging them into any sequence desired.

Audio Issues with Skyetel

If you experience one-way or no audio on some calls, make sure you have filled in the NAT Settings section in the GUI under Settings -> Asterisk SIP Settings -> General. In addition to adding your external and internal IP addresses there, be sure to add your external IP address in /etc/asterisk/sip_general_custom.conf like the following example and restart Asterisk:

externip=xxx.xxx.xxx.xxx

If you’re using PJSIP trunks or extensions on your PBX, implement this fix as well.

Receiving SMS Messages Through Skyetel

Most Skyetel DIDs support SMS messaging. Once you have purchased one or more DIDs, you can edit each number and, under the SMS & MMS tab, you can redirect incoming SMS messages to an email or SMS destination of your choice using the following example:



Sending SMS Messages Through Skyetel

We’ve created a simple script that will let you send SMS messages from the Linux CLI using your Skyetel DIDs. In order to send SMS messages, you first will need to create an SID key and password in the Skyetel portal. From the Settings icon, choose API Keys -> Create. Once the credentials appear, copy both your SID and Password. Then click SAVE.

Next, from the Linux CLI, issue the following commands to download the sms-skyetel script into your /root folder. Then edit the file and insert your SID, secret, and DID credentials in the fields at the top of the script. Save the file, and you’re all set.

cd /root
wget http://incrediblepbx.com/sms-skyetel
chmod +x sms-skyetel
nano -w sms-skyetel

To send an SMS message, use the following syntax where 18005551212 is the 11-digit SMS destination: sms-skyetel 18005551212 "Some message"

Configuring a Softphone for Incredible PBX

We’re in the home stretch now. You can connect virtually any kind of telephone to your new PBX. Plain Old Phones require an analog telephone adapter (ATA) which can be a separate board in your computer from a company such as Digium. Or it can be a standalone SIP device such as ObiHai’s OBi100 or OBi110 (if you have a phone line from Ma Bell to hook up as well). SIP phones can be connected directly so long as they have an IP address. These could be hardware devices or software devices such as the YateClient softphone. We’ll start with a free one today so you can begin making calls. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum when you’re ready to get serious about VoIP telephony.

We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Applications _> Extensions -> 701 and write down your SIP/IAX Password. You can also reset it by running /root/update-passwords. Fill in the blanks using the IP address of your Server, 701 for your Username, and whatever Password you assigned to the extension when you installed Incredible PBX. Click OK to save your entries.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:

DEMO - Apps Demo
123 - Reminders
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
TODAY - Today in History

If you are a Mac user, another great no-frills softphone is Telephone. Just download and install it from the Mac App Store.

Upgrading to IBM Speech Engines

If you’ve endured Google’s Death by a Thousand Cuts with text-to-speech (TTS) and voice recognition (STT) over the years, then we don’t have to tell you what a welcome addition IBM’s new speech utilities are. We can’t say enough good things about the new IBM Watson TTS and STT offerings. With IBM’s services, you have a choice of free or commercial tiers. Let’s put the pieces in place so you’ll be ready to play with the Whole Enchilada.

Getting Started with IBM Watson TTS Service

We’ve created a separate tutorial to walk you through obtaining and configuring your IBM Watson credentials. Start there.

Next, login to your Incredible PBX server and issue these commands to update your Asterisk dialplan and edit ibmtts.php:

cd /var/lib/asterisk/agi-bin
./install-ibmtts-dialplan.sh
nano -w ibmtts.php

Insert your credentials in $IBM_username and $IBM_password. For new users, your $IBM_username will be apikey. Your $IBM_password will be the TTS APIkey you obtained from IBM. Next, verify that $IBM_url matches the entry provided when you registered with IBM. Then save the file: Ctrl-X, Y, then ENTER. Now reload the Asterisk dialplan: asterisk -rx "dialplan reload". Try things out by dialing 951 (news) or 947 (Weather) from an extension registered on your PBX.

Getting Started with IBM Watson STT Service

Now let’s get IBM’s Speech to Text service activated. Log back in to the IBM Cloud. Click on the Speech to Text app. Choose a Region to deploy in, choose your Organization from the pull-down menu, and select STT as your Space. Choose the Standard Pricing Plan. Then click Create. When Speech to Text Portal opens, click the Service Credentials tab. In the Actions column, click View Credentials and copy down your STT username and password.

Finally, login to your Incredible PBX server and issue these commands to edit getnumber.sh:

cd /var/lib/asterisk/agi-bin
nano -w getnumber.sh

Insert apikey as your API_USERNAME and your actual STT APIkey API_PASSWORD in the fields provided. Then save the file: Ctrl-X, Y, then ENTER. Update your Voice Dialer (411) to use the new IBM STT service:

sed -i '\\:// BEGIN Call by Name:,\\:// END Call by Name:d' /etc/asterisk/extensions_custom.conf
sed -i '/\\[from-internal-custom\]/r ibm-411.txt' /etc/asterisk/extensions_custom.conf
asterisk -rx "dialplan reload"

Now try out the Incredible PBX Voice Dialer with AsteriDex by dialing 411 and saying "Delta Airlines."

Transcribing Voicemails with IBM Watson STT Service

We’ve included the necessary script to transcribe your incoming voicemails using IBM’s STT service. Navigate to the /usr/local/sbin folder and edit sendmailmp3.ibm. Insert your APIKEY in the password field and save the file. Now copy the file to sendmailmp3 and make the file executable: chmod +x sendmailmp3.

Using Gmail as a SmartHost for SendMail

Many Internet service providers block email transmissions from downstream servers (that’s you) to reduce spam. The simple solution is to use your Gmail account as a smarthost for SendMail. Here’s how. Log into your server as root and issue the following commands:

cd /etc/mail
hostname -f > genericsdomain
touch genericstable
makemap -r hash genericstable.db < genericstable
mv sendmail.mc sendmail.mc.original
wget http://incrediblepbx.com/sendmail.mc.gmail
cp sendmail.mc.gmail sendmail.mc
mkdir -p auth
chmod 700 auth
cd auth
echo AuthInfo:smtp.gmail.com \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" > client-info
echo AuthInfo:smtp.gmail.com:587 \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" >> client-info
echo AuthInfo:smtp.gmail.com:465 \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" >> client-info
nano -w client-info

When the nano editor opens the client-info file, change the 3 user_id entries to your Gmail account name without @gmail.com and change the 3 password entries to your actual Gmail password. Save the file: Ctrl-X, Y, then ENTER.

Now issue the following commands. In the last step, press ENTER to accept all of the default prompts:

chmod 600 client-info
makemap -r hash client-info.db < client-info
cd ..
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.mc
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.mc
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/Makefile
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.cf
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/databases
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.mc.gmail
sed -i 's|sendmail-cf|sendmail\/cf|' /etc/mail/sendmail.cf.errors
make
sendmailconfig

Finally, stop and restart SendMail and then send yourself a test message. Be sure to check your spam folder!

/etc/init.d/sendmail stop
/etc/init.d/sendmail start
apt-get install mailutils -y
echo "test" | mail -s testmessage yourname@yourdomain.com

Check mail success with: tail /var/log/mail.log. If you have trouble getting a successful Gmail registration (especially if you have previously used this Google account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

Configuring a SIP URI Address for Your PBX

Setting up a SIP URI is a simple way to let anyone with a SIP phone call you from anywhere in the world and talk for as long and as often as you like FOR FREE. The drawback of SIP URIs is typically the security risk accompanying the SIP exposure you must provide to receive these calls. Here's the safe way using what we call a hybrid SIP URI. It works like this. Sign up for a VoIP.ms account and create a subaccount that you will register using the VoIPms trunk included in Incredible PBX. As part of the setup in the VoIP.ms portal, assign an Internal Extension Number to your subaccount, e.g. 789123. Make it random so you don't get surprise calls from anonymous sources. The extension can be up to 10 digits long. Next, sign up for a free iNUM DID, e.g. 883510009901234, in your VoIP.ms account. Using Manage DIDs in the portal, link the iNUM DID to your subaccount and assign one of the VoIP.ms POP locations for incoming calls, e.g. atlanta.voip.ms. Next, write down your VoIP.ms account number, e.g. 12345. Once you've completed these three steps and registered the VoIP.ms subaccount on your PBX, you now have two SIP URIs that are protected by your VoIP.ms credentials and don't require you to expose your SIP port to the outside world at all. These SIP URIs can be pointed to different destinations by setting up Inbound Routes using your VoIP.ms account number as one DID and setting up your iNUM number as the second DID. To reach your PBX via SIP URI, callers can use 12345789123@atlanta.voip.ms to reach the DID you set up for your VoIP.ms subaccount where 12345 is your VoIP.ms account number and 789123 is the Internal Extension Number for your subaccount. Or callers can use 8835100099012234@inum.net to reach the DID you set up using your iNUM number that was assigned by VoIP.ms. Don't forget to whitelist the VoIP.ms POP's FQDN for SIP UDP access to your PBX:

/root/add-fqdn voipms atlanta.voip.ms

If you wish to make SIP URI calls yourself, the easiest way is to first set up a free LinPhone SIP Account. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we'll get you started with one of our favorite (free) softphones, YateClient. It's available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for your LinPhone account. You’ll need LinPhone's FQDN (sip.linphone.org) plus your LinPhone account name and password. Fill in the Yate Client template and click OK to save your entries. Once the Yate softphone shows that it is registered, try a test call to one of our demo SIP URIs: sip:weather@demo.nerdvittles.com or sip:news@demo.nerdvittles.com.

Adding the NeoRouter Virtual Private Network

We've made it easy to set up a virtual private network between your PBX and your other computers. NeoRouter is a free VPN for up to 256 machines. It requires that you first set up a server for NeoRouter using a static IP address and preferably a fully-qualified domain name. This is covered in this Nerd Vittles tutorial. Once you have your NeoRouter server operational, adding your PBX to the VPN is easy. Simply run nrclientcmd and enter the FQDN of your VPN server together with your credentials. All clients on the VPN have an encrypted tunnel with private LAN addresses in the 10.0.0.x range. HINT: Setting up a NeoRouter VPN provides an easy way to get back into your server if the firewall ever locks you out since the 10.0.0.x subnet is automatically whitelisted as part of the initial install.

Using PortKnocker to Regain Access to Your PBX

And speaking of getting locked out of your server because you've forgotten to whitelist the IP address of your computer, there's another easy way to regain access: PortKnocker. The way the service works is you send sequential pings to 3 randomized TCP ports that are known only by you. They are listed in /etc/knock.FAQ. When your server detects a match, it will whitelist your new IP address allowing you to login using SSH or Putty. There also are PortKnocker utilities for both iOS and Android devices. Complete implementation details are available in this Nerd Vittles tutorial. If your PBX is sitting behind a router or firewall, don't forget to forward the three TCP ports from your router to the private LAN address of your PBX.

Planning Ahead for That Rainy Day

If you haven't already learned the hard way, let us save you from a future shock. Hardware fails. All of it. So spend an extra hour now so that you'll be prepared when (not if) disaster strikes. First, once you have your new PBX configured the way you plan to use it, make a backup of your PBX by running the Incredible Backup script: /root/incrediblebackup13

Copy down the name of the backup file that was created. You'll need it in a few minutes.

Second, build yourself a VirtualBox platform on your desktop PC using the Ubuntu ISO you previously downloaded. Once you complete the identical Incredible PBX install plus the Whole Enchilada upgrade and Incredible Fax (if used on your primary server), fire up the virtual machine and login as root with password as your password.

Next, create a /backup folder on your new VirtualBox PBX and copy the backup file from your main server to your VirtualBox server and restore it while logged into the VirtualBox PBX as root:

mkdir /backup
scp root@main-pbx-ip-address:/backup/backup-file-name.tar.gz /backup/.
/root/incrediblerestore13 /backup/backup-file-name.tar.gz

Verify that everything looks right by using a browser to access and review the settings in your new VirtualBox PBX. At a minimum, verify extensions, trunks, and routes.

Last but not least, if you're running Incredible PBX in the Cloud on Digital Ocean or Vultr, you can set up automatic backups of your server for only an extra dollar a month. It's the cheapest insurance your can buy. Enjoy!

Continue Reading: Configuring Extensions, Trunks & Routes

Don't Miss: Incredible PBX Application User's Guide covering the 31 Whole Enchilada apps

Originally published: Monday, March 18, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. With some providers including Digital Ocean and Vultr, Nerd Vittles receives referral credits when you sign up for service. This assists in keeping the Nerd Vittles lights burning brightly. So... thank you. []
  2. Skyetel is a Platinum Sponsor of Nerd Vittles and open source projects of Ward Mundy & Associates, LLC. []
  3. In the unlikely event that Skyetel cannot provide a 10% reduction in your current origination rate and/or DID costs, Skyetel will give you an additional $50 credit to use with the Skyetel service. []

Adding SIP URI Dialing to Asterisk for Free Worldwide Calling



Since giving up on Google Voice, we’ve been extolling the virtues of SIP URI dialing which gives you unlimited free calls to anyone else in the world that happens to have their own SIP URI address. SIP URIs look very much like email addresses except they’re used to share phone conversations instead of email messages. And, as we’ve mentioned previously, if everyone in the world had their own SIP URI, paying for phone calls would become a thing of the past. We hope you’ll join us in making that happen. As a fallback, give our $50 credit at Skyetel a try.

One of the drawbacks of Asterisk® PBXs using the FreePBX® GUI has been the inability to place outbound SIP URI calls from SIP phones registered as extensions on the PBX. Today we first want to address that shortcoming. Our SIP URI dialing solution for Asterisk should work with any FreePBX-based implementation including Incredible PBX® and Issabel as well as on Raspberry Pi platforms. We’ll wrap things up by providing some tips on obtaining and deploying your own SIP URI at little or no cost and pointing you to some excellent resources that facilitate calling millions of SIP phones around the world at zero cost. All you need is an Internet connection, and we’ll point you to a terrific softphone to begin your adventure.

Let’s begin by examining why SIP URI dialing is a problem with FreePBX. The reason is pretty simple. FreePBX interprets dial strings by matching them against some rules to determine whether you’re making an internal call or a call outside your PBX. It matches internal calls against a list of available internal extensions. External calls are matched against rules defined in your outbound routes which are associated with trunks. Since SIP URI calls don’t match any extension or outbound route, the caller receives a congestion tone.

The traditional workaround has been to define a custom extension using the FreePBX GUI which points to a SIP URI. Then the user can dial the custom extension, and the call will be routed to the defined SIP URI. These custom extensions also can be defined in extensions_custom.conf within the from-internal-custom context. For example, the following dialplan code would let users dial 411 to reach AT&T’s Toll-Free Directory Assistance: exten => 411,1,18005551212@switch.starcompartners.com.

But there’s a better way. Wouldn’t it be nice to be able to dial any SIP URI from a softphone or to store SIP URI addresses in the phonebook of your SIP phone?1 Well, now you can. Before we actually put the dialplan code in place, let us explain how this will work. First, FreePBX still needs to be able to distinguish a SIP URI call from a "regular call." The reason this gets tricky is because Asterisk typically throws away the destination hostname when you place a call. For example, calls to 8005551212 and 8005551212@sip2sip.info are processed by Asterisk in exactly the same way, i.e. dropping the host address before dialing.

Using the new dialplan code in the next section, here’s how calls will be processed:

User dials                    Asterisk processes call as
------------------------      ---------------------------------------------
701                           internal call to local extension 701
4045551212                    external call using NXXNXXXXXX outbound route
2233435945@sip2sip.info       SIP URI call to Lenny by acct at sip2sip.info
lennybgood@sip2sip.info       SIP URI call to alias lennybgood@sip2sip.info 

Cautionary Notes: Our code should work fine with any Asterisk 13 and FreePBX 13 or Incredible PBX deployment on any Linux platform; however, with servers other than Incredible PBX, make sure you have added the following entries to sip_general_custom.conf, or you can configure them in the GUI by making the changes in Settings -> Asterisk SIP Settings -> Chan SIP Settings:

srvlookup=yes
allowguest=yes

You also need to test a traditional outbound call (e.g. 8005551212) immediately after you finish the install procedure. Monitor the Asterisk CLI (asterisk -rvvvvvvvvvv) and observe the first few lines of the log after you place a call. The second line will show SIPDOMAIN which should be either the FQDN of your server or an IP address depending upon how you registered your softphone extension. The first line should display the MyDomain variable. If it is empty or doesn’t match the SIPDOMAIN entry, the outbound call will fail. To fix it, add an entry to the Asterisk database from the Asterisk CLI using syntax like the following: database put MyDomain FQDN 10.0.0.11 or database put MyDomain FQDN sip.me.com where 10.0.0.11 or sip.me.com matches the SIPDOMAIN entry shown on the second line. Then retry your outbound call, and it should complete successfully. We’ve tested this back to the early Asterisk 11 days with FreePBX 2.11 without any problems. If your calls still fail, then you will probably need to remove the new code from your platform until you upgrade to a more current version of Asterisk and FreePBX. The code hasn’t been tested with FreePBX 14 and 15.

Finally, you may want to manually set the CallerID for your outgoing SIP URI calls. From the Asterisk CLI, issue a command for every extension from which you will be placing SIP URI calls, e.g. extension 701 syntax: database put 701 user_sipname "Nerd Uno"

Enabling SIP URI Dialing with FreePBX

To enable SIP URI dialing from phones registered with your Asterisk PBX, we’ll modify the dialplan in order to detect SIP URI dial strings entered into a softphone or retrieved from a phonebook associated with almost any SIP phone. When a SIP URI dial string is detected, we’ll send the call out as requested rather than passing the call through the outbound routes and trunks associated with your PBX. All of this dialplan code is open source and is licensed pursuant to the GPL2 license.

SECURITY ALERT: Never use the SIP URI MOD on a server with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.

FEB. 21 UPDATE: There was a bug in the original code which caused some internal calls to fail including calls to a DISA extension. Simply install the application again, and it will overwrite the previous version.

MAR. 5 UPDATE: A bug was discovered in previous releases that treated 911 and 933 calls as internal calls when, in fact, they should have been routed out using your outbound trunks. Simply install the application again, and it will overwrite the previous version.

MAR. 13 ALERT: This software is not compatible with the Debian, Raspbian, and Ubuntu platforms.

To begin or update your installation, log in to your PBX as root using SSH or Putty and issue these commands:

cd /tmp
wget http://incrediblepbx.com/sipuri-mod.tar.gz
tar zxvf sipuri-mod.tar.gz
rm -f sipuri-mod.tar.gz
./install-sip-uri-mod.sh

Obtaining Your Own SIP URI

There are a number of ways to obtain your own SIP URI. Perhaps the easiest is to set up the open Incredible PBX cloud platform that we introduced several weeks ago. Then you can create as many SIP URIs as you like, and they can be used to perform any task that’s available with Asterisk. If you’re not quite ready to make that leap, a free or almost free SIP URI is available from the following sources. VoIP.ms provides a SIP URI for every subaccount you create. Just set up an internal extension number for the subaccount, and that becomes a SIP URI to connect back to your registered server or SIP phone. In the alternative, VoIP.ms will also provide you with a free iNUM DID which can be reached at the following IP address: 81.201.82.50. CallCentric provides a SIP URI matching your account number which can be reached @in.callcentric.com. CallCentric will also provide you with a free iNUM DID which can be reached at the following IP address: 81.201.82.50. LocalPhone provides the same two options as CallCentric: you can be reached by your account number @localphone.com. Or the LocalPhone-assigned iNUM DID can be reached @81.201.82.50. Then there’s pbxes.org. Your account name can be used for SIP URI access @pbxes.org. And, of course, if you’re a 3CX user, you can set up a SIP URI for each extension on your PBX. Just navigate to the Options tab of the desired extension(s) and enter a unique SIP ID for each extension. The SIP URI becomes SIPID@YOUR-3CX-FQDN. SIP URI calls to 3CX Clients on smartphones are also free! This list is not exhaustive. There are now more than 2,000 VoIP networks that support SIP URI access. Using a SIP URI dialing prefix, call any of the referenced networks @sipbbroker.com.2

Choosing a SIP Phone or Softphone

You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we’ll get you started with one of our favorite (free) softphones, YateClient. It’s available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for an extension on your PBX. You’ll need the IP address of your server plus your extension number and its password. Fill in the Yate Client template using the IP address of your PBX as well as your extension credentials. Click OK to save your entries.

Once the Yate softphone shows that it is registered, try a test call to Lenny using one of the following SIP URIs: 2233435945@sip2sip.info or 883510001198938@81.201.82.50. Better yet, try out a few Incredible PBX samples from the public server we previously deployed:

Yahoo News Headlines    - news@demo.nerdvittles.com
Weather by Zip Code     - weather@demo.nerdvittles.com
Directory Assistance    - information@demo.nerdvittles.com
Lenny for Telemarketers - lenny@demo.nerdvittles.com

Originally published: Monday, February 11, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Special thanks to Olivier Adler and voip-info.org for their early work on SIP URI dialing with Asterisk. []
  2. Some of our links refer users to sites or service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. []