Posts tagged: piaf

The Definitive VoIP Quick Start Guide: Introducing PBX in a Flash 3

It’s been an interesting year with RedHat’s acquisition of CentOS™. But the dust is slowly settling, and we’ve developed a new installation methodology for PBX in a Flash™ which we believe provides everyone with the best of all worlds. Like it or not, Red Hat® is in the driver’s seat now with CentOS, and Scientific Linux™ already has announced that they plan to fold into CentOS with the 7.0 release. That left the rest of us with two choices: fork CentOS and roll your own operating system or comply with the RedHat requirement to initially build a system with their ISO and then embellish it. The PBX in a Flash aggregation is just that. It’s always been built on a superset of the base CentOS operating system. That’s why we found the RedHat fanboy diatribes particularly offensive. PBX in a Flash has never provided a diluted or otherwise marginalized version of CentOS. If you don’t believe it, compare the list of RPMs on today’s build with the list on prior releases. They’re virtually identical even though (as you will see) the installation methodology is different. The bottom line is we don’t want to be in the operating system business, and the recent nightmare with OpenSSL should tell you why. Red Hat has a staff of hundreds to maintain RedHat and now CentOS. So why reinvent the wheel? When you peel away the marketing guys and the lawyers and the fan boys, that’s what open source has always been about. RedHat does what it does best, and we do the same. It never has meant you were getting a product that wasn’t genuine. You were getting a product that was embellished and enhanced to perform a specific task, telephony! By sticking with CentOS 6.5, we’ll all have a supported operating system on which to build telephony applications until the end of November, 2020. We can’t do better than that.

If you’re new to the VoIP community, we recommend you begin by watching this video. Before you begin the PBX in a Flash install procedure, you need to do three things first: pick your hardware platform, think about what types of phones you plan to use, and choose at least a couple of service providers to interconnect your PBX with the rest of the telephones in the world.


Making a Hardware Selection

We’re going to assume that you need a VoIP telephony solution that will support an office of up to several dozen employees and that you have an Internet connection that will support whatever your simultaneous call volume happens to be. This is above and beyond your normal Internet traffic. To keep it simple, you need 100Kbps of bandwidth in both directions for each call.1 And you need a router/firewall that can prioritize VoIP traffic so that all your employees playing Angry Birds won’t cause degradation in VoIP call quality. Almost any good home router can now provide this functionality. Remember to disable ALG on your router, and it’s smooth sailing.

For computer hardware, you’ll need a dedicated machine. There are many good choices. Unless you have a burning desire to preserve your ties with Ma Bell, we recommend limiting your Ma Bell lines to your main number. Most phone companies can provide a service called multi-channel forwarding that lets multiple inbound calls to your main number be routed to one or more VoIP DIDs much like companies do with 800-number calls.

If you’re building a system for home or SOHO use, you probably don’t need PBX in a Flash. If you want the same functionality for under $50 then go with a BeagleBone Black and add RasPBX and Incredible PBX. Our tutorial will show you how to do it. For the business model we’ve described above, any good dual-core Atom computer will suffice. You’ll find lots of suggestions in this thread. And the prices generally are in the $200-$400 range. For larger companies and to increase Asterisk’s capacity with beefier hardware, see these stress test results.

If your requirements involve retention of dozens of Ma Bell lines and complex routing of calls to multiple offices, then we would strongly recommend you spend a couple thousand dollars with a consultant. Some of the best in the business frequent the PBX in a Flash Forum, and they do this for a living. They can easily save you the cost of their services by guiding you through the hardware selection process. For business or for home, another alternative is available if you don’t want to babysit your own hardware. That’s a cloud-based solution such as RentPBX. For $15 a month, you don’t have to worry about electricity and a reliable Internet connection ever.

Choosing the Right Phones

If there is one thing that will kill any new VoIP deployment, it’s choosing the wrong phones. If you value your career, you’ll let that be an organization-driven decision after carefully reviewing at least 6-12 phones that won’t cause you daily heartburn. You and your budget team can figure out the price points that work in your organization keeping in mind that not everyone needs the same type of telephone. Depending upon your staffing, the issue becomes how many different phone sets are you and your colleagues capable of supporting and maintaining on a long term basis.

Schmooze Com has released their commercial End Point Manager (EPM) at a price point of $99 per server. They’ve been using the application internally to support their commercial customers for two years. If you’re doing a major installation, it’s the best money you will ever spend. Just sign up for an account with Schmooze to purchase the software. You can review the Admin User Guide here. The beauty of this software is it gives you the flexibility to support literally hundreds of different VoIP phones and devices almost effortlessly. Using a browser, you can configure and reconfigure almost any VoIP phone or device on the market in a matter of minutes. So the question becomes which phones should you show your business associates. That again should be a decision by you and your management and budget teams, but collect some information from end-users first. Choose a half dozen representative users in your company and get each of them to fill out a questionnaire documenting their 10 most frequent daily phone calls and listing each step of how they process those calls. That will give you a good idea about types and variety of phones you need to consider for different groups of users. Cheaper rarely is better. Keep in mind that phones can last a very long time, even lousy ones. So choose carefully.

The phone brands that we would seriously consider include Yealink, Digium, Snom, Aastra, Mitel, Polycom, Cisco, and Grandstream. Do you need BLF, call parking or multiple line buttons, a hold button, conferencing, speakerphone, HD voice, power over Ethernet support, distinctive ringtones for internal and various types of external calls, Bluetooth, WiFi, web, SMS, or email access, an extra network port for a computer, headset support, customizable buttons (how many?), quick dial keys, custom software, XML provisioning, VPN support? How easy is it to transfer a call? Do you need to mimic key telephones? Also consider color screens, touch screens, busy lamp indicators, extension modules (what capacity?). What do we personally use: Yealink’s T46G is our favorite, and we also have several Digium phones of various types, a couple of Aastra phones, a Grandstream GXP2200, a collection of Panasonic cordless DECT phones, a Samsung Galaxy S4 and Moto X connected through an OBi202 with an OBiBT Bluetooth Adapter, and a Samsung Galaxy S3 extension interconnected with Vitelity’s vMobile service to provide transparent connectivity on both WiFi and cellular networks. You can read all about vMobile here. It is the future of VoIP telephony.

Choosing VoIP Service Providers

One of the design differences between VoIP and the Ma Bell network that we’re all familiar with is that you no longer have to put all your eggs in one basket. The company or companies that you use to make outbound calls need not be the same as the ones you use to handle incoming calls. For home use, VoIP providers typically offer two types of plans: all-you-can-eat (which isn’t really) and pay-by-the-minute (which, in most cases, is priced by the fraction of the minute that you actually use the service). For business use, you have a choice of pay-by-the-trunk (each simultaneous call uses a trunk) and pay-by-the-minute (where you don’t have to manage your simultaneous calls). There was a third option over the past 5 years, and that was Google Voice which was free. But, good things don’t last forever, and Google is in the process of shutting down that service except for those that like making calls with a web browser. Hello, Ring.to.

For businesses, we strongly recommend that you stick with Ma Bell for your main business number only. That gets you listed in the phone book and provides 99.999% reliability for access to your business. Most phone companies can provide a service called multi-channel forwarding that lets multiple inbound calls to your main number be routed to one or more VoIP DIDs much like companies do with 800-number calls. For other business lines as well as home and SOHO setups, ditch Ma Bell as quick as you can. You’ll save boatloads of money. Give some thought to how much non-cellphone usage actually occurs in your situation. In many cases, you will find that pay-by-the-minute service for outbound calls is much less expensive than all-you-can-eat plans. Remember, there are no long term contracts on pay-by-the-minute services so try it and see what your usage habits actually are if you’re unsure. Keep in mind that acquiring inbound trunks for DIDs or phone numbers is almost always all-you-can-eat service ranging in price from $2-$8 a month. The PBX in a Flash Forum is chock full of recommendations. Just remember that, in doing your calculations, separate out the the time spent on incoming calls from the time spent placing outbound calls. Also keep in mind that redundancy is a luxury you never had in the Ma Bell days. Take advantage of it and sign up with multiple pay-by-the-minute providers for outbound (termination) service. You only pay for what you actually use. For inbound trunks, many providers offer failover service to different numbers if the primary connection dies. Even if the failover is to your cellphone, it beats missing the call. If international calling is a frequent part of your business or lifestyle, then spend some time exploring the options that are available. There are numerous all-you-can-eat solutions at incredibly affordable rates if you do your homework. Now let’s get started…

Installing CentOS 6.5

The new installation methodology for PBX in a Flash™ works like this. First, you’ll download the CentOS 6.5 server ISO for what is known as a minimal install. You still have your choice of 32-bit (339.7 MB) or 64-bit (417.3 MB) flavors. Burn the ISO to a USB Thumb Drive or a CD/DVD using a Mac or Windows machine.

If you’re building a system in the cloud or in a hosted environment, the base CentOS install usually has been done for you so you can skip this step.

If you’re using a dedicated PC or virtual machine with no operating system, boot from the CentOS 6.5 CD/DVD or ISO and go through the standard CentOS install procedure. Here are the CentOS 6.5 setup steps and entries that we recommend [in brackets] which will assure that your new server has wired network connectivity through DHCP and a non-LVM partition configuration which is easier to back up and restore. Don’t be intimidated by the list. The entire CentOS setup process only takes a minute or two.

1. Install or upgrade existing system
2. Test media [skip]
3. Begin setup [Next]
4. Choose language [English]
5. Keyboard [U.S. English]
6. Type Devices [Basic Storage Devices]
7. Discard Existing Data [yes]
8. Hostname [localhost.localdomain] ** BEFORE YOU CLICK NEXT, DO STEP 8a. **
  8a. Configure Network [Click eth0 & Edit. Check:Connect Automatically then Apply & Close]
9. Time Zone [New York] ** Uncheck: System Clock Uses UTC **
10. Root Password [** make it very secure **]
11. Type Installation: Create Custom Layout with Primary Partition checked for 11a and 11c
  11a. Create -> Standard Partition -> Mount Point: /boot Type: ext4 Size:200  Fixed
  11b. Create -> Standard Partition -> Mount Point: blank Type: swap Size:2048 Fixed
  11c. Create -> Standard Partition -> Mount Point: /     Type: ext4 Size:Fill to Max Size
12. NEXT
13. FORMAT
14. WRITE CHANGES
15. Checked: Install boot loader on /dev/sda  Boot loader CentOS List: /dev/sda3
16. Reboot when finished

Next, log in to your new server with your root credentials. First, check your disk partitioning to make sure everything looks okay: fdisk -l. Here’s what the partitioning looks like with a 20GB drive. For larger drives, your sda3 partition will obviously be larger.

Device    Boot Start   End  Blocks  ID System
--------- ---- ----- ----- -------- -- ----------
/dev/sda1   *      1    26   204800 83 Linux
/dev/sda2         26   287  2097152 82 Linux swap
/dev/sda3        287  2650 18979840 83 Linux

Installing PBX in a Flash

Now let us welcome you to the World of PBX in a Flash™. This is our best release ever whether you’re a total newbie or an experienced Asterisk developer. You can’t really appreciate what goes into an open source product like PBX in a Flash until you try doing it yourself. If you want to actually learn about Asterisk from the ground up using pure source code to customize your VoIP deployment, PBX in a Flash has no competition because your only other option is to roll your own starting with a Linux DVD. So our extra special kudos go to Tom King, who once again has produced a real masterpiece in that it is very simple for a first-time user to deploy and, at the same time, incredibly flexible for the most experienced Asterisk developer. The new PIAF3™ release not only provides a choice of Asterisk and FreePBX versions to get you started. But now you can build and deploy standalone servers for SugarCRM™, NeoRouter™ VPN, YATE™, FreeSwitch™, and OpenFire™ XMPP using the standard PIAF3 installer. So let’s get started.

First, let’s prepare your server for installation of PBX in a Flash 3. None of these commands will do any damage if your server happens to already be configured properly.

The recommended platform is CentOS or Scientific Linux. Start here:

sed -i 's|no|yes|' /etc/sysconfig/network-scripts/ifcfg-eth0
ifup eth0
setenforce 0
yum -y upgrade
yum -y install net-tools nano wget
ifconfig # to figure out your server IP address here
sed -i 's|quiet|quiet net.ifnames=0 biosdevdame=0|' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# for CentOS/Scientific Linux 6.5/6.6 only, perform these additional steps:
wget http://pbxinaflash.com/update-kernel-devel
chmod +x update-kernel-devel
./update-kernel-devel
reboot

Now we’re ready to begin the PIAF3 install. Issue the following commands to get started:

cd /root
wget http://pbxinaflash.com/piaf3-install.tar.gz
tar zxvf piaf3-install.tar.gz
./piaf3-install

When the install begins, there’s a 5-10 minute process to reconfigure CentOS by adding over 500 applications to the base install. Be patient. When it completes, your server will reboot, and you’re ready to begin the PBX in a Flash installation process. Choose option A to continue with the installation. While PBX in a Flash supports a number of versions of Asterisk and FreePBX, we believe the combination of Asterisk 11 and FreePBX 2.11 is so compelling in terms of functionality, stability, and security that the other options are no longer worth considering. We wholeheartedly recommend choosing PIAF-Green with FreePBX 2.11 as your platform.

For today, we’re installing PBX in a Flash. So leave it highlighted, tab to OK, and press Enter.

Now pick your PIAF flavor, tab to OK, and press Enter. HINT: Green is the fourth option. :-)

The PIAF Configuration Wizard will load. Press Enter to begin.

Unlike any other aggregation, PIAF gives you the opportunity to fully configure Asterisk using make menuconfig if you know what you’re doing. For everyone else, type N and then confirm your choice. For the time being, type Y. When the menuconfig menu displays during the install, type X to save your settings and exit. No changes are required.

Next, you’ll need to choose your Time Zone again for PHP and FreePBX. Don’t worry if yours is missing. A new timezone-setup utility is also available to reconfigure this to any worldwide time zone once the install has completed.

Next, choose your version of FreePBX to install. As we said, we recommend FreePBX 2.11. Note that Incredible PBX 11 requires PIAF-Green and FreePBX 2.11.

Finally, you need to choose a very secure maint password for access to FreePBX using a browser. You can pick your own, or the installer will generate one for you. Don’t forget it.

The installer will give you one last chance to make changes. If everything looks correct, press the Enter key and go have lunch. Be sure you have a working Internet connection to your server before you leave. :wink:

In about 30-60 minutes, your server will reboot. You should be able to log in as root again using your root password.

Because of a version update to PEAR that is not supported by FreePBX, you’ll need to issue the following commands to clean things up: [NOTE: This has been resolved in latest PIAF3 releases.]

chattr -i /usr/bin/pear
chmod +x /usr/bin/pear
amportal restart
status

We also strongly recommend that you immediately upgrade your version of Asterisk to the current release. If you’re using PIAF-Green with Asterisk 11, we have a script that will do the heavy lifting for you: [NOTE: This already has been addressed in latest PIAF3 release.]

cd /root
wget http://pbxinaflash.com/upgrade-asterisk11-piaf.tar.gz
tar zxvf upgrade-asterisk11-piaf.tar.gz
rm upgrade-asterisk11-piaf.tar.gz
./upgrade-asterisk-piaf

Write down the IP address of your server from the status display (above) and verify that everything installed properly. Note that Samba is disabled by default. If you want to use your server with Windows Networking, run configure-samba once your server is up and running and you’ve logged in.

If you’re familiar with Asterisk and FreePBX, then you can take it from here. You now have a fully functioning platform on which to create your latest VoIP masterpiece. If you’re new to all of this, keep reading…

Configuring PBX in a Flash

Most PIAF Configuration is accomplished using the FreePBX Web GUI. Point your browser to the IP address shown in the status display above to display your PIAF Home Page. Click on the Users tab. Click FreePBX Administration. When prompted for your username and password, the username is maint. The password will be the FreePBX master password you chose in the Config Module phase of the PBX in a Flash installation procedure above.

Here’s a quick overview of what needs to happen before you can start making and receiving calls. You’ll need an account with at least one phone number for people to call you (known as a DID), and you’ll need an account to place outbound calls to plain old telephones throughout the world. Our Vitelity DID deal at the bottom of this article is a terrific service, and Vitelity also provides tremendous financial support to both the Nerd Vittles and PBX in a Flash projects. For outbound calling, you also can use Vitelity or choose from the provider recommendations on the PIAF Forum.

You’ll also need a softphone or SIP phone to actually place and receive calls. YATE makes a free softphone for PCs, Macs, and Linux machines so download your favorite and install it on your desktop. Phones connect to extensions in FreePBX to work with PBX in a Flash. Extensions talk to trunks to make and receive calls. FreePBX uses outbound routes to direct outgoing calls from extensions to trunks, and FreePBX uses inbound routes to route incoming calls from trunks to extensions to make the phones actually ring. In a nutshell, that’s how a PBX works. There are lots of bells and whistles that you can explore down the road. FreePBX now has some of the best documentation in the business. Start here.

To get a minimal system functioning to make and receive calls, here’s the 2-minute drill. Create at least one extension with voicemail. Next, configure a trunk to handle your outside calls. Then set up inbound and outbound routes to manage incoming and outgoing calls. Finally, add a telephone or softphone with your extension credentials.

If this sounds like Greek to you, then install Incredible PBX 11. It’s a 5-minute task. Incredible PBX does all the heavy lifting for you by configuring an extension, building dozens of trunks for the major SIP providers, and creating default routes to manage your calls. You also get a terrific collection of utility programs for Asterisk that handle everything from telephone reminders and wakeup calls to weather and news reports. To get started, log into your server as root and issue the following commands. Then jump to the Incredible PBX 11 tutorial and continue your journey there.

cd /root
wget http://incrediblepbx.com/incrediblepbx11.gz
gunzip incrediblepbx11.gz
chmod +x incrediblepbx11
./incrediblepbx11

A Few Words About Security. PBX in a Flash has been engineered to run on a server sitting safely behind a hardware-based firewall with NO port exposure from the Internet. Leave it that way! It’s your wallet and phone bill that are at stake. If you’re running PBX in a Flash in a hosted environment with no hardware-based firewall, then immediately read and heed our setup instructions for Securing Your VoIP in the Cloud Server. DO NOT RUN PBX IN A FLASH IN THE CLOUD WITHOUT INSTALLING AND ACTIVATING THE IPTABLES FIREWALL. HINT: TRAVELIN’ MAN 3 WILL DO THE HEAVY LIFTING FOR YOU. We would encourage you to visit your PIAF Home Page regularly. It’s our primary way of alerting you to security issues which arise. You’ll see them posted (with links) in the RSS Feed shown above. If you prefer, you can subscribe to the PIAF RSS Feed or follow us on Twitter. For late-breaking enhancements, regularly visit the Bug Reporting & Fixes Topic on the PIAF Forum. Enjoy!

Originally published: Wednesday, May 28, 2014 Updated: Wednesday, December 3, 2014




Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.79 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity. 


Some Recent Nerd Vittles Articles of Interest…

A Firsthand Look at Disaster Recovery: Tethering and IAX with Asterisk

One of the exciting challenges of building a swimming pool is knowing that it’s just a matter of time until your Internet connection dies. As you might imagine, swimming pools are major construction and involve a lot of digging. And digging usually means some oops moments when cables get cut. In our case, we had watched the folks digging the trenches for all of the pool plumbing to be sure they didn’t accidentally whack one of three coax cables coming into our house. And, when it came time to cover up the trenches, we pointed out the orange cables to the Bobcat driver knowing we were finally home free. Not so fast! Two minutes later, Mario had driven the Bobcat right over the primary Internet cable leaving the shredded remains sticking up through the dirt. Oops. Sorry. Shit happens!

Looking on the positive side, we chuckled, “What a perfect opportunity to test our backup Asterisk® system!” Our backup system is pretty clever if we do say so. It relies upon a Verizon WiFi HotSpot running on our Galaxy smartphone and a duplicate of our Asterisk-based PBX in a Flash™ server running as a virtual machine under VirtualBox on an iMac desktop. The entire setup takes less than a minute to activate. Well, that was the plan anyway.

It turns out that Verizon does SIP a little differently with a SIP ALG in the path so Asterisk couldn’t register with all but one of our dozen SIP providers. Congratulations, CallCentric! The workaround is to enable STUN. That is now possible with Asterisk 11. Short of that, you’re left with CallCentric. Unfortunately for us, we don’t do much SIP trunking with CallCentric, and none of our primary DIDs are connected through them. The other option is to add port=5080 to your trunk setup with any SIP trunks you register with VoIP.ms using a username and password. Our attention span was too short to tackle STUN in the middle of this crisis. But there’s good news. Verizon doesn’t mess with IAX network traffic at all. Since a couple of our primary DIDs are registered with VoIP.ms using IAX trunks, restoring these IAX trunks to full functionality took less than a minute. That is step one of a three-step process. You need inbound trunks, phones, and outbound trunks to get your redundant VoIP server back in business.

Getting phones to function on what is now a purely WiFi network (through the Verizon HotSpot) can be problematic unless you’ve done your homework and sprinkled a few WiFi-capable SIP phones around your home or office. In our case, we still have Grandstream’s GXP2200 Android phones scattered everywhere so it was just a matter of plugging in the WiFI adapters and rebooting. The newer GXV3240 would work just as well.1

All that remained was enabling several trunks for outbound calls. Since VoIP.ms IAX trunks support both incoming and outgoing calls, we were home free. And, with Google Voice trunks, it was simply a matter of jumping through Google’s security hoops to reenable the connections on a new IP address.

Lessons Learned. Here’s a quick checklist for those of you that think about disaster recovery for your home or for clients and businesses. Nothing beats some advance planning. If money is no object, then WiFi tethering from a smartphone with one of the major providers whose service works well in your home or office environment is the way to go. 4G is a must!

In our case, money was an object so we had the foresight to acquire a Verizon SIM card from eBay that included an unlimited data plan. With this setup, it costs only $1 a day extra to add WiFi tethering, and you can turn it off and on as often as you like without any additional fees or surcharges. There also are no additional charges for using boatloads of data! We’re actually writing this column with a tethered connection from a hotel in Washington (results above). To give you some idea of why an unlimited data plan is important, our home operation burned through 4 gigs of data in less than 24 hours once we activated WiFi tethering. Of course, there were people doing things other than making phones calls, but tethering enables 5 connections to function just about like the cable modem service you originally had in place. So expect the data usage to be substantial. Everybody likes 24/7 Internet service.

Loss of phone calls through a PBX is more of an annoyance than a crisis these days because almost everyone also has a smartphone. Even so, the SIP gotcha with Verizon Wireless was a surprise because we hadn’t really tested our super-duper emergency system in advance. That wasn’t too smart obviously. The old adage applies. Do as we say, not as we do. Unplug your cable modem or DSL connection and actually test your backup system before D-Day arrives.

On the VoIP provider end, now is the time to set up an account with a provider that offers both SIP and IAX connectivity. Step 2 is to actually configure an IAX trunk (as a subaccount to use VoIP.ms parlance) and test it. IAX trunks actually have fewer headaches with NAT, but there are only a handful of providers that still provide the service. Find one now and make certain that your primary DIDs will roll over to the IAX trunk in case of an outage. I’m always reminded that we have Mark Spencer to thank for IAX. It was his brainchild. Thank you, Mark! With VoIP.ms, you also can spoof your CallerID so that calls will still appear to originate from your primary Asterisk PBX.

Keep in mind that a VirtualBox-based Asterisk virtual machine and a Desktop computer both need an IP address and will have to be started on WLAN0 rather than ETH0. Remember, your wired connection is now dead.

You’re also going to want to acquire at least a couple of WiFi-capable SIP phones that can be connected with your Asterisk server using your WiFi HotSpot. Also make certain that you have a preconfigured IPtables firewall on your backup system. Remember, your hardware-based firewall connected to your cable modem won’t provide any protection once you switch to HotSpot operation. Lucky for you, Incredible PBX™ servers come preconfigured with a locked-down IPtables firewall and a WhiteList. Just add the new IP addresses of your server and phones, and you’re secure on the public Internet.

Finally, let’s do the HotSpot connection math. You’ll need an IP address for your desktop computer running VirtualBox. You’ll need a second IP address for the Asterisk virtual machine. Then you’ll need an IP address for every WiFi-enabled SIP phone. If the maximum number of connections is five on your HotSpot, that means you’ve got the necessary capacity for at most 3 WiFi SIP phones assuming you don’t enable a WiFi printer and if nobody else wants to use a computer during the outage. The other option is to add an inexpensive travel router with bridge mode to your mix of 5 devices. We always keep one handy for extended trips. A properly configured travel router provides an additional WiFi network with some extra WiFi connections. Good luck!



Security Alerts. Serious SSL and FreePBX security vulnerabilities have been discovered AND patched during the past week. If you have not patched your server and Asterisk, FreePBX, Apache, and/or WebMin are exposed to the public Internet, you have a serious problem on your hands. See this thread for details on the FreePBX vulnerability. And see this thread for the steps necessary to patch SSL in Asterisk, Apache, and Webmin. While Incredible PBX servers were automatically patched for the FreePBX vulnerability, the SSL issues require manual patching and an Asterisk upgrade. A script for upgrading Asterisk 11 servers is included in the message thread linked above. ALWAYS run your VoIP server behind a firewall with no Internet port exposure to Asterisk, FreePBX, SSH, or the Apache and Webmin web servers! And, if you think all of this security stuff is just a silly waste of your time, then read about the latest lucky recipient of a $166,000 phone bill.

Originally published: Monday, October 20, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us. []

Zero Day Vulnerability Protection and More: Introducing Cover Your Asterisk


It’s been a difficult couple of weeks for the Linux® and Asterisk® communities with the back-to-back disclosures of the BASH Shellshock bug and then the FreePBX® Asterisk Recording Interface (ARI) bug a few days later. Both of these vulnerabilities have been circulating in the wild for years. We won’t repeat Wikipedia’s Zero Day Attack analysis other than to note that what makes these particular bugs so scary is not only the fact that both went undetected and unpatched for years but also that the attack vectors for both bugs were so simple. Anyone with a web server exposed to the Internet that was running any flavor of Linux or any Asterisk server with the FreePBX GUI was fair game for a seriously compromised server.

For those with shared servers in a hosted environment running under cPanel, your web platform typically runs with the equivalent of root privileges which means that any web intrusion inherits the same server privileges that you as the administrator had. This is similar to the way FreePBX runs with Asterisk. The same user account used for web access controls all of the Asterisk assets on your server. While it’s convenient, it’s also dangerous whenever there’s a web vulnerability because the entire Asterisk platform has exposure.

We always chuckle when one of the anonymous forum trolls launches a tirade claiming that these alerts are nothing more than Monday morning quarterbacking disguised as Chicken Little. What’s more amazing is that anyone would take the comments of an anonymous poster seriously especially on a matter involving server security. It’s one thing to label folks as alarmists for suggesting that the sky is falling when it isn’t. It’s quite another to launch these anonymous personal attacks even when there is documented evidence that the Internet sky was indeed caving in. Kinda reminds us of the global warming naysayers when the polar ice caps are melting beneath their feet.

According to the naysayers, we’re all doomed when it comes to cyberterrorism so why fight it. Here’s why. While reacting to security vulnerabilities has always been a defensive game of cat and mouse, that doesn’t mean you shouldn’t proactively do what you can to patch serious security holes in your servers. The alternative is to give cybercriminals a blank check to launch bots from your server that generate spam or participate in large-scale zombie attacks on our most trusted resources whether they’re DNS root servers, utility infrastructure and our electric grid, banking assets, and even national security resources. So let’s circle back and address what you can do to assure that you’re part of the solution rather than part of the problem.

The Way It Is: Do I Need a Public Web Server with Asterisk?

For purposes of this discussion, our focus today is Asterisk server security. And the number one thing you can do to insulate your server from these vulnerabilities is to make certain that your web server is not exposed to Internet access by the general public. Neither Asterisk nor FreePBX requires public web server access to manage your server. In fact, neither Asterisk nor FreePBX requires any public access to your server to properly perform all required telecommunications functions. And the second paragraph above explains why this is especially dangerous with servers running both Asterisk and FreePBX.

So why do people still publicly expose their web servers and UDP ports 5060 and 10000-20000 to the Internet? As much as we hate to say it, it’s because it’s always been done that way. It’s also because there are a handful of SIP providers that still require UDP 5060 access to make and receive calls. Most do not! And even for those that do require UDP 5060 access, their requirements can be satisfied with a properly configured firewall that supports whitelisting of “safe” IP addresses for limited access. Incredible PBX comes preconfigured with a locked down WhiteList. The same can be added to PBX in a Flash by installing Travelin’ Man 3. We hope the other aggregations will follow suit. It’s long overdue.

Public web server access often is because there are more than a few (lazy) VoIP providers that install systems in a way that makes it easy for them to manage remote sites. Of course, a VPN would provide secure access to the same resources but that’s a little more work on the deployment end. With NeoRouter VPN, it’s a 5-minute job!

There also are companies with remote users or traveling salesmen that claim their servers must be open to the Internet to keep the company running. First, it’s hard to imagine a company whose salespeople don’t have cellphones that require no link to home base. Second, there are numerous solutions for safe connectivity with a home office: VPNs, FQDNs with dynamic DNS support, Port Knocker, and Travelin’ Man 4 to name just a few of the ones we previously have recommended. With the exception of the lazy VoIP installer, you will note that none of the above scenarios ever require web access to a VoIP server. So the rationale for public exposure of an Asterisk web server is all but non-existent.

The bottom line is that, if your server is not and has never been accessible from the Internet by typing its IP address into a public web browser and assuming your root password has not been compromised, then the BASH and ARI vulnerabilities are purely an academic discussion from your vantage point. Should you apply the patches anyway? Absolutely. Will your server be compromised if you don’t? Probably not… at least not from these two vulnerabilities.

Life Is Good: Why Do I Need ‘Cover Your Asterisk’

That brings us to our topic for today. Having said all of the above, how do you really know if your server has been compromised by some zero day attack vector that none of us yet know about? After all, there are tens of thousands of applications installed on a typical Linux server. And a zero day vulnerability could be hiding almost anywhere.

First, a few words about what Cover Your Asterisk is not. This application won’t detect previously compromised servers! Wearing a condom the day after your wild night on the town isn’t all that helpful. If your server has been running as a public web server for the last 5 years, then our best advice is to start with a fresh install to a new, secured server. Then manually copy the settings (not the files!) from your old server to the new platform. Now you’re ready to protect your server.

Second, more than a few words about the VoIP environment in which we find ourselves. If you’re running any of the so-called Asterisk aggregations including PBX in a Flash, Incredible PBX, AsteriskNOW, FreePBX Distro, or Elastix, then your server includes some flavor of the FreePBX GUI, a web-based application to manage and configure Asterisk. As part of the FreePBX GUI setup, you give FreePBX 2.11 and beyond an expansive set of privileges on your server. These include read, write, and delete access to all of your web assets, all of your VoIP-related MySQL database assets, and all of your Asterisk assets. You also grant FreePBX rights to inventory and monitor critical pieces of information about your server so that you can be informed about pertinent FreePBX updates. We don’t see this as a bad thing. But, even with the incredibly talented FreePBX development team, this application design can be dangerous for a number of reasons not the least of which is the events of the past week. Consider for a moment a scenario in which a disgruntled employee or a web vulnerability allows somebody to modify a critical Asterisk configuration file such as manager.conf which controls access to the Asterisk Manager Interface, or to adjust MySQL’s admin.ampusers table which controls web access to the FreePBX GUI, or even to insert a malicious module into FreePBX which “looks and feels” like part of FreePBX. When you don’t know what you’re looking for, detecting subtle changes can be extremely difficult even for the most talented people in the business. For everyone else, it’s next to impossible. This is especially true when the changes aren’t noticeable in the standard day-to-day operation of your server. That was what led us to conclude that an additional detection mechanism was essential to highlight hidden changes made to any of the critical components that make up the Asterisk platform. Thus was born Cover Your Asterisk.

The Elastix folks apparently weren’t comfortable with this arrangement and forked FreePBX years ago and moved to a self-managed environment. The drawback has been their pace of releasing updates and patches, and that apparently applies to the unaddressed ARI bug as well.

The remaining aggregations all function as we’ve described. Before we delve into Cover Your Asterisk, here’s a little known tip. On the output side, FreePBX is basically a code-generator for Asterisk. Once you’ve configured your server using the FreePBX GUI, there is no Asterisk-FreePBX linkage of which we’re aware that requires your web server to remain operational. That turns out to be a good thing. What this means is you can shut down Apache and still have a fully functional Asterisk server with all of the functionality of your FreePBX-designed configuration. Given the times in which we live, that may not be such a bad idea.

An Overview of Cover Your Asterisk

So what does Cover Your Asterisk do? What we’ve sought to do with this GPL2 application is to take a snapshot of your most valuable Asterisk and FreePBX assets and then create checksums of all the individual components. This includes the /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directories as well as the Asterisk DB and MySQL’s asterisk database. Periodically, you then run another script which compares your current setup to the previous snapshot and identifies the changes for further examination. Once you are satisfied that any reported changes are legitimate, you then take a new snapshot of your server and periodically check it to make certain no unexpected modifications have crept into your system. A duplicate of these production assets is always maintained in a separate directory structure (/etc/asterisk.snapshot) accessible only by root. It can easily be converted into a gzipped tarball: tar -cvzf cya.tar.gz /etc/asterisk.snapshot. Then simply store the tarball off site for a rainy day emergency… when the sky falls once again.

Because this application was designed for production servers, its testing and scope have been limited to the Asterisk 11 and FreePBX 2.11 platform. For our installed base, that translates into PIAF-Green with FreePBX 2.11 and all flavors of Incredible PBX 11 running atop CentOS, Scientific Linux, Ubuntu 14, Debian, and Raspbian platforms on both Intel and ARM hardware including the Raspberry Pi, BeagleBone Black, CuBox, and PogoPlug.

Installation and Operation of Cover Your Asterisk

Log into your Asterisk 11 server as root and issue the following commands to install the Cover Your Asterisk software:

cd /root
wget http://incrediblepbx.com/cover-your-Asterisk.tar.gz
tar zxvf cover-your-Asterisk.tar.gz
rm -f cover-your-Asterisk.tar.gz

To take the original snapshot of your server, run: /root/protect-your-ASSets.sh

To check your current setup against the snapshot, run: /root/check-your-ASSets.sh

To compare a file with its snapshot, run: diff /dirpath/filename /etc/asterisk.snapshot/dirpath/filename

To restore a snapshot file to your current Asterisk configuration, run these commands:

cp -p /etc/asterisk.snapshot/etc/asterisk/filename /etc/asterisk/filename
amportal restart

For Raspberry Pi and BeagleBone Black users, change the MySQL root password in both scripts:

sed -i 's|passw0rd|raspberry|' /root/protect-your-ASSets.sh
sed -i 's|passw0rd|raspberry|' /root/check-your-ASSets.sh

Finally, let us close with several recommendations. First, before making changes to your server with FreePBX, always run check-your-ASSets.sh, correct any detected problems, and then run protect-your-ASSets.sh to create a new snapshot of your server. After making any changes with the FreePBX GUI, run check-your-ASSets.sh again to verify that the changes you sought to make were, in fact, the changes that actually were made to your server. Then finish up by taking a new snapshot. These scripts take less than 30 seconds to run on a typical server so this is not a cumbersome process.

Before you restore any snapshot file or if you are puzzled by any changes you see listed after running check-your-ASSets.sh, we strongly recommend that you first seek advice from the gurus on the PIAF Forum. They can help you identify the severity of the problem, if any, and recommend an appropriate course of action for correction of the problem.

Finally, a cautionary note. Cover Your Asterisk is still a project in development. This means there will be changes/improvements as the coming weeks go by. One wrinkle with updates is your previous snapshots will have to be checked before you update. And then the newest protect-your-ASSets.sh script will need to be run following the update. To keep track of future releases and what’s included, visit this development thread on the PIAF Forum. Enjoy!

Originally published: Monday, October 6, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Hold On to Your Wallet: Another Huge VoIP Phone Bill May Be Lurking


We interrupt our regularly scheduled content to bring you an urgent security alert. A couple days ago, a FreePBX® user reported unusual call activity. He traced the calls to a System Admin Dashboard module that was linked back to an IP address in the Netherlands. When the problem was reported, the FreePBX Community Manager quite accurately noted that it wasn’t FreePBX code. When a second user reported the exact same exploit, alarm bells apparently went off.

Further digging by the FreePBX Dev Team found that the legacy ARI module (once again) had been compromised, this time with a Remote Code Execution and Privilege Escalation exploit. Previous security vulnerabilities in this module led the PBX in a Flash developers many years ago to abandon the FreePBX security model in favor of Apache security so that we could totally block ARI access unless the user had administrator privileges. We want to stress that this wasn’t the fault of any of the current FreePBX developers. Instead, our move to Apache security was based upon our realization that this old legacy code was difficult to maintain because none of the original developers were still around. To their credit, the FreePBX developers have introduced a new User Control Panel with the strongest recommendation that the older ARI module be abandoned. Unfortunately, it still exists on all but the very latest FreePBX 12 systems including FreePBX 12 systems which were upgraded from a previous release. In addition, FreePBX 12 now provides checksum protection for all registered modules which will go a long way toward eliminating attacks such as this. So what can you do to protect your servers and your wallet today? For openers, upgrade your FreePBX fw_ari module NOW and clean the malicious module off your server:

rm -rf AMPWEBROOT/admin/modules/admindashboard
amportal a ma upgrade fw_ari

If you encounter an error that FreePBX cannot connect to the Asterisk Manager, do the following from the Linux CLI:

sed -i 's|localhost|127.0.0.1|' /etc/freepbx.conf
amportal restart
amportal a r

Protecting Your Server from Remote VoIP Attacks

Let’s approach the long-term solution on several levels starting with vulnerability exposure. If you can access TCP ports 22 (SSH) and 80 (HTTP) and TCP/UDP port 5060 (SIP) of any of your Asterisk® and FreePBX-based servers anonymously from the Internet, you’re either nuts or rich.

We’ve cautioned against this for nearly a decade and yet even some developers still configure Asterisk and FreePBX-based servers with port 80 Internet exposure. Why? We can only assume it’s because it makes their job of accessing and maintaining these systems easy. Don’t do it! There still are numerous ways to gain access to the FreePBX GUI on any server. Here’s our short list…

Safest. Put your server behind a hardware-based firewall with no Internet port exposure. Then use a VPN to access the FreePBX GUI. In a perfect world, you can run a VPN on all of your VoIP phones so that you have end-to-end protection for your server and all of your users.

Safer. If a hardware-based firewall isn’t possible, use the Linux IPtables firewall and lock down all the ports on your server, especially TCP ports 22 and 80 and TCP/UDP port 5060. Then create a WhiteList of IP addresses that need access privileges. It’s worth stressing that Fail2Ban is completely worthless when it comes to security vulnerabilities such as the ARI RCE flaw because the bad guys walk right in without even being challenged for a password.

Safe. If you need remote access from various remote locations and these sites have dynamic IP addresses, then deploy the Port Knocker technology in addition to locking down your server with the IPtables firewall. This lets you gain temporary access to your server without providing a blank check (literally) to everybody on the Internet. There’s a reason it’s called the World Wide Web and not the Good Guys Web!

Worse. Exposing TCP port 5060 and UDP port 5060 to public Internet access is dangerous. Some providers unfortunately still require direct access to 5060 to make VoIP calls with SIP. TIP: Switch to a provider that allows SIP registrations so that you don’t have to expose port 5060 directly to the Internet EVER!

Worser. Pardon our grammar, but exposing TCP port 22 to public Internet access is a bad idea. At the very least, change the SSH port so that typical port scanners don’t discover your open SSH port. SSH has been compromised in the past. It probably will happen again, or it may have already happened and we just don’t (yet) know about it. Fail2Ban helps with SSH attacks, but it’s not infallible particularly when high performance servers are used in the attacks. Fail2Ban has to scan your logs and, before it can do that, it has to have a sufficient time slice to accomplish the scan, something that may never happen with an attack launched from a platform such as Amazon EC2.

Worst. Never expose TCP port 80 to public Internet access. If you do, then you obviously haven’t had the pleasure of trying to maintain a public web server. TIP: Unless you are a web expert or sleep with one, don’t do it EVER! Earlier this week BASH provided a revolving door to your Internet assets using simple web requests. Earlier this year, OpenSSL was compromised. There will be another vulnerability because it’s the easiest attack target. So it’s just a matter of time until your server is compromised unless you deploy an effective firewall that blocks public access to port 80.

Server Design Still Matters

For our own PBX in a Flash and Incredible PBX users, you can sleep well tonight. Today’s vulnerability is mostly academic for you. PBX in a Flash blocks all access to ARI without the maint password. Incredible PBX blocks all access to ARI through its IPtables WhiteList. It’s still a good idea to apply the FreePBX update just to be double-safe. And Incredible PBX users will have the patch applied the next time they log into their server as root. For everyone else using FreePBX, keep reading.

With our Incredible PBX open source project, we provide state-of-the-art security methodology. While it is not infallible, all of the code is freely available for any and all VoIP developers to review, improve, and deploy. We would encourage our fellow VoIP developers to do so. There were reasons in the past for not deploying Apache security. After all, it lacks the flexibility of the FreePBX security model, and Apache also can be compromised. But we can’t think of any reason today for not deploying a hardened, preconfigured IPtables firewall AND a functional WhiteList as an integral component in every VoIP server install. This is especially important for any product deployed with the FreePBX GUI. Our Travelin’ Man 3 WhiteList implementation has been available for more than 2½ years! While there are downsides to any sort of push technology, we also believe the Incredible PBX (opt-in) update service is worth a careful look. It has been a godsend for us. With every new login, the server checks for important updates and processes them unless the administrator chooses not to use the service.

Keep in mind that FreePBX masquerading as the asterisk user has complete read/write privileges to virtually every Asterisk and web asset on your server. Any compromise is extremely dangerous because the asterisk user on these platforms has such expansive privileges. We recently encountered a trojan authorization lurking inside the permissions list of Asterisk’s manager.conf table. The matter is still under investigation so we can’t reveal much more other than to note that the entry was harmless on the few affected Incredible PBX servers because of the hardened IPtables WhiteList which is a key component of every Incredible PBX server. Had this happened on a server with no firewall protection, the intruder would have had complete access to the Asterisk AMI which pretty much gives the intruder a blank check to Asterisk… using your checkbook. The silver lining was the Incredible PBX update utility which provided a quick way to remove the vulnerability.

The FreePBX Dev Team’s efforts to design and deploy a checksum-based system for FreePBX 12 modules is certainly a step in the right direction. We think more safeguards are warranted. We already are exploring new ways to provide alerts when critical Asterisk or FreePBX resources are modified on PBX in a Flash and Incredible PBX servers. Something akin to the Mac’s admin authorization requirement before critical Asterisk or FreePBX changes are made would be ideal, but we have some other ideas as well. Stay tuned!

Originally published: Wednesday, October 1, 2014



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

VoIP Navigation Guide: Getting Started with Asterisk and FreePBX


When you were just getting started with Asterisk® in the early days, you had two choices: hire a consultant to build you an Asterisk system or start with Asterisk@Home and learn it yourself. That was a disaster for many folks. Times have changed, and there are literally dozens of aggregations and platforms from which to choose. But the question we continue to hear is “What’s the best way to get started?” Today’s VoIP Navigation Guide will help you make the right choices.

Before we begin, you need to do a little head-scratching yourself. Sit down with a pencil and paper (or a computer if you must) and jot down answers to our Top 10 Preliminary Questions:

  1. Is this for home or office use?
  2. How many simultaneous calls?
  3. How many users on the system?
  4. Will there be remote or traveling users?
  5. Is this a mission-critical system for you/others?
  6. What type & speed Internet service? Wi-Fi only?
  7. What is the skillset of those supporting the system?
  8. Do you want to babysit hardware for your system?
  9. What’s your initial and monthly budget for the project?
  10. What should happen to calls if your house/office burns down?

Skillset Matters! Let’s start with the obvious. The technical skillset of you and any other people that will be managing your VoIP server are critically important. This isn’t the old days where you only had to monitor people making long distance calls from within your own house. Once you connect a VoIP server to the Internet, anybody and everybody around the world can take a shot at your server and run up huge phone bills on your nickel unless you know what you’re doing or unless you deploy a server on which access is locked down to just you and trusted users and service providers.

We preach (regularly) that firewalls are essential if you’re going to deploy a VoIP server. In the home or office environment, that means that, in addition to your VoIP server, you also need a hardware-based firewall/router with no mapped ports to the VoIP server, period. Any other setup and it’s just a matter of time until you’re hacked.

In the hosted or cloud environment, it means at the very least a software-based firewall on your VoIP server with all access restricted to a whitelist of trusted users and providers. Any other setup and it’s just a matter of time until you’re hacked.

If you’re not qualified to manage either a hardware or software firewall, then your VoIP choices are limited. None of the major aggregations including PBX in a Flash, the FreePBX® Distro, AsteriskNOW, and Elastix provide any firewall protection as installed. While Fail2Ban is included, it is basically a log scanner which searches for failed login attempts and blocks IP addresses that make excessive login attempts. The major problem with Fail2Ban is that it takes time to run and, if your server is attacked from powerful servers, that may not happen until thousands of hack attempts have been executed.

We have attempted to address this problem with this summer’s new releases of Incredible PBX. In these new releases, whitelist access is locked down as part of the installation process. You have a choice of platforms.

On Cloud-based servers and depending upon your installation skills, we recommend:

On self-managed servers, you typically install the Linux operating system and then run the Incredible PBX installer. On smaller devices, we handle that for you. We recommend the following setups with the caveat that the old adage still applies: “You get what you pay for!” All four of the small hardware offerings below support WiFi-only operation. Just add the recommended WiFi USB dongle. For the CuBox-i, it’s built in. The VirtualBox setup takes less than 10 minutes.

Sizing Your Platform. Appropriate server and Internet capacity obviously turns on most of the answers you wrote down in the preliminary questionnaire. If the system will be used by less than a handful of people, you’re probably safe with the cloud-based solutions we’ve identified or one of the four low-cost devices listed above. Keep in mind that you need roughly 100Kbps of Internet bandwidth for each simultaneous VoIP call. If you have existing POTS lines from Ma Bell, those don’t consume Internet bandwidth but do consume local network resources. POTS line integration also requires additional hardware for each line. For less than 5 POTS lines, the OBi110 is an excellent choice. You’ll find it advertised in the right column of Nerd Vittles for under $50.

For up to a couple dozen low-call-volume employees, the RentPBX Cloud offering is a terrific bargain. It includes the necessary bandwidth not only to make calls but also to connect your extensions. When you get above those numbers of users or with heavy call volume, scaling matters. You don’t want to purchase a server only to discover on Day Two that it can’t handle the call volume. Here’s where the PBX in a Flash Forum can be a tremendous help. Describe your environment using the Top 10 Checklist from above. One of our hundreds of experts will lend a hand in recommending what you need to get started. Better yet, hire one of the gurus to handle the setup for you. It’ll save you thousands of dollars in headaches and easily pay for itself in future savings.

The PBX in a Flash Alternative. We haven’t mentioned PBX in a Flash as a solution for those just beginning their VoIP adventure. The reason is simple. The firewall is not preconfigured on PBX in a Flash, and somebody has got to do it unless your server is sitting behind a rock-solid, hardware-based firewall. The beauty of PBX in a Flash is that it’s incredibly flexible. You can choose not only the version of Asterisk and FreePBX to install, but you also can compile Asterisk with any collection of features desired. Once you get your feet wet with Incredible PBX, it’s our VoIP tool of choice, but it takes some skills on your part to run it safely. A good place to begin is the Nerd Vittles Quickstart Guide for PBX in a Flash 3. Enjoy!

Originally published: Wednesday, September 17, 2014


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Our forum is extremely friendly and is supported by literally hundreds of Asterisk gurus.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Another Ride on the Wild Side: Introducing Incredible PBX for CentOS 6.5 and 7

If you’re not one to turn down a new challenge and you consider yourself an open source purist, then this Bud’s for you. Last month we introduced the latest and greatest Ubuntu 14 offering with Incredible PBX. And today it’s RedHat’s turn with the brand new CentOS 7. Be forewarned that CentOS 7 is a very different Linux animal than CentOS 6.5, and it’s just two weeks old. RHEL 7 is only six weeks old. There are more than a few potholes in RedHat’s latest pathway to heaven. This results in a number of direct consequences in any Asterisk® and FreePBX® communications server which depends upon CentOS 7 under the covers. For openers, anything proprietary probably won’t work for a while. That includes Digium phones and Schmooze Com’s commercial modules for FreePBX. In addition, FreePBX 2.11 and 12 were designed using PHP 5.3. CentOS 6.5 is distributed with PHP 5.4. Ubuntu 14 and Fedora 20 have PHP 5.5. There are some incompatibilities between all three versions, and many of us still are sorting out what impact those incompatibilities will have on the overall reliability of the FreePBX platform and some of the Incredible PBX applications. You can help by testing this new build in a non-production environment. 95% of the feature set available in the CentOS 6.5 platform still works fine. But finding the gotcha’s is going to take some time… and some pioneers. So… roll up your sleeves and lend us a hand!

Incredible PBX™ for CentOS 6.5 and 7 is an independent aggregation that does not rely upon PBX in a Flash™ for its roots. Because of the nature of the CentOS platform, it was built from the ground up. PBX in a Flash will follow once the stability of the CentOS 7 platform has been demonstrated. The Incredible PBX installer is pure GPL2 open source code so you are more than welcome (encouraged!) to examine it, improve upon it, and share your discoveries with all of us.

Incredible PBX for CentOS 6.5 and 7 follows our new install procedure which means it’s up to you to first create a CentOS 6.5 or 7 platform. If you prefer Scientific Linux or Oracle Linux, feel free to start there. All work equally well as a base platform. Then you run the Incredible PBX installer. After 30-60 minutes of whirring, you’ll end up with an awesome (free) state-of-the-art Asterisk-based VoIP server with the very latest version of Asterisk 11 and FreePBX 2.11 as well as dozens of turnkey Incredible PBX applications. So enjoy a nice lunch while the Incredible PBX installer works its magic. No user intervention is required during the installation procedure. All text-to-speech (TTS) applications work out of the box. You can add Google’s Speech Recognition to many Incredible PBX applications by following our 5-minute tutorial.

Installing a Base CentOS Operating System

Let’s begin by installing 64-bit CentOS 7 or 6.5 on your favorite hardware or Desktop. Or you may prefer to use a Cloud provider1 that already offers a preconfigured CentOS 7 image. In the latter case, you can skip this section.

For those using a dedicated hardware platform or wishing to install CentOS 7 as a virtual machine, the drill is the same. Start by downloading the CentOS 7 minimal ISO or the 64-bit CentOS 6.5 minimal ISO. We recommend the Everything ISO at the moment since there currently is no minimal install ISO. Burn the whopping ISO to a DVD unless you’ll be booting from the ISO on a virtual machine platform such as VirtualBox. On virtual platforms, we recommend at least 1GB RAM and a 20GB dedicated drive. For VirtualBox, here are the settings:

Type: Linux
Version: RedHat 64-bit
RAM: 1024MB
Default Drive Options with 20GB+ space
Create
Settings->System: Enable IO APIC and Disable HW Clock (leave rest alone)
Settings->Audio: Enable
Settings->Network: Enable, Bridged
Settings->Storage: Far right CD icon (choose your ISO)
Start

Boot your server with the ISO, and start the CentOS 7 install. Here are the simplest installation steps:

Choose Language and Click Continue
Click: Install Destination (do not change anything!)
Click: Done
Click: Network & Hostname
Click: ON
Click: Done
Click: Begin Installation
Click: Root Password: password, password, Click Done twice
Wait for Minimal Software Install and Setup to finish
Click: Reboot

Configuring CentOS 6.5 or 7 for Incredible PBX Installation

Now log into your server as root and issue the following commands to put the basic pieces in place and to reconfigure your Ethernet port as eth0. Make a note of your IP address so you can log in with SSH.

setenforce 0
yum -y upgrade
yum -y install net-tools nano wget
ifconfig # figure out your server IP address here
sed -i 's|quiet|quiet net.ifnames=0 biosdevdame=0|' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# for CentOS/Scientific Linux 6.5/6.6 only, perform these additional steps:
wget http://incrediblepbx.com/update-kernel-devel
chmod +x update-kernel-devel
./update-kernel-devel
reboot

If you’re on a virtual machine platform, now would be a good time to make an export or backup of your CentOS 7 image. The minimal install is about 500MB instead of 6.6GB. Don’t forget to first remove your hardware address (HWADDR) and network UUID from /etc/sysconfig/network-scripts/ifcfg-enp0s3 or whatever file name was assigned to your hardware. The saved image will be bootable with DHCP network support anywhere down the road.

NEWS FLASH: For those wanting to test things out using VirtualBox, a Scientific Linux 7 Minimal Install image (401MB) is now available on SourceForge. It gets you to right here in the install process.


Installing Incredible PBX for CentOS 6.5 or 7

Adding Incredible PBX to a running CentOS 6.5 or 7 server is a walk in the park. To restate the obvious, your server needs a reliable Internet connection to proceed. Using SSH (or Putty on a Windows machine), log into your new server as root at the IP address you deciphered in the ifconfig step at the end of the CentOS installation procedure above.

WARNING: If you’re using a 512MB droplet at Digital Ocean, be advised that their Ubuntu setup does NOT include a swap file. This may cause serious problems when you run out of RAM. Uncomment ./create-swapfile-DO line below to create a 1GB swap file which will be activated whenever you exceed 90% RAM usage on Digital Ocean.

Now let’s begin the Incredible PBX install. Log back in as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/incrediblepbx11.4.centos.tar.gz
tar zxvf incrediblepbx*
#./create-swapfile-DO
./IncrediblePBX*

Once you have agreed to the license agreement and terms of use, press Enter and go have a long cup of coffee. The Incredible PBX installer runs unattended so find something to do for the next 30-60 minutes unless you just like watching code compile. When you see “Have a nice day”, your installation is complete. Write down your admin password for FreePBX as well as your three “knock” ports for PortKnocker. If you forget them, you can reset your admin password by running /root/admin-pw-change. And you can retrieve your PortKnocker setup like this: cat /root/knock.FAQ.

Log out and back into your server as root and you should be greeted by something like this:

Or, if you started with a CentOS 6.5 or Scientific Linux 6.5 platform, you’ll see this:

1. Access the Asterisk CLI by typing: asterisk -rvvvvvvvvvv

2. Set Your Correct Time Zone by typing: /root/timezone-setup

3. Change ALL of Your Passwords by typing: /root/update-passwords

You can access the FreePBX GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display. The default username is admin and the password is what you wrote down or reset when the install completed. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for your 701 extension and voicemail account: Applications -> Extensions -> 701. If you’re behind a hardware-based firewall, change the NAT setting to: YES.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:


947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to set up a free Google Voice account. Google has threatened to shut this down but as this is written, it still works. The more desirable long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax 11, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using FreePBX. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX 11. It’s free at least through 2013. Google Voice no longer is by invitation only so, if you’re in the U.S. or have a friend that is, head over to the Google Voice site and register.

You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work… in either direction. Google used to permit outbound Gtalk calls using a fake CallerID, but that obviously led to abuse so it’s over! You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don’t skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you’d like in Settings, Voice Setting, Phones. But…

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call ScreeningOFF
  • Call PresentationOFF
  • Caller ID (In)Display Caller’s Number
  • Caller ID (Out)Don’t Change Anything
  • Do Not DisturbOFF
  • Call Options (Enable Recording)OFF
  • Global Spam FilteringON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in FreePBX. After logging into FreePBX with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. Do NOT check the third box or incoming calls will never ring!

IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems.

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work with these simple settings in FreePBX: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

A Few Words about the Incredible PBX Security Model for CentOS 7

Incredible PBX for CentOS 7 joins last month’s Ubuntu 14 build as our most secure turnkey PBX implementation, ever. As configured, it is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. The latest release also includes Port Knocker for simple, secure access from any remote computer or smartphone. You can get up to speed on how the technology works by reading the Nerd Vittles tutorial. Your Port Knocker credentials are stored in /root/knock.FAQ together with activation instructions for your server and mobile devices. The NeoRouter VPN client also is included for rock-solid, secure connectivity to remote users. Read our previous tutorial for setup instructions. As configured, nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. You can whitelist additional IP addresses by running the command-line utility /root/add-ip. You can remove whitelisted IP addresses by running /root/del-acct. Incredible PBX is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking. We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. And it’s your phone bill. :wink:

The IPtables firewall is a complex piece of software. If you need assistance with configuring it, visit the PIAF Forum for some friendly assistance.

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX 11 server, simply copy the image to a server running Asterisk 11 and FreePBX 2.11 and run /root/incrediblerestore. Doesn’t get much simpler than that.

Incredible PBX Automatic Update Utility

Every time you log into your server as root, Incredible PBX will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along.

In the meantime, we encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie.

Incredible PBX: Pick Your Poison

We fully appreciate that Bleeding Edge technology isn’t right for everyone. Fortunately, with Incredible PBX, you have lots of options, and they’re all free. Come join the party and see what you’ve been missing.


Originally published: Monday, July 20, 2014


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us. []

Ringbinder theme by Themocracy