Nerd Vittles

Posts tagged: security

The Incredible PBX: Adding Remotes, Preserving Security

Unlike most Asterisk®-based PBXs which are insecure as installed and leave it to you to implement sufficient safeguards to preserve the integrity of your system, the Incredible PBX is delivered with rock-solid, air-tight security already in place. Because it is designed to operate behind a hardware- based firewall, what you'll be doing when you want to add functionality with the Incredible PBX is loosening security rather than tightening it. The trick, of course, is to do it in a way that doesn't compromise the overall integrity of your system. As delivered, the Incredible PBX relies upon four layers of network security: a hardware-based firewall of your choice¹, a preconfigured IPtables software-based Linux firewall, preconfigured Fail2Ban to monitor your logs for suspicious activity and to block specific IP addresses when abuse is detected, and random passwords for all extensions and DISA connections.

If you installed the Incredible PBX using SIPgate as the intermediate provider with Google Voice, then your hardware-based firewall should have no ports opened and forwarded to your server. If you used IPkall, then only UDP 4569 has been opened and forwarded to your server. And the Incredible PBX IPtables setup for IAX restricts access to just a few IP addresses to support IPkall.

There are obviously situations in which you will want or need additional connectivity. The most likely one involves activation of SIP telephones at remote locations, such as a branch office, or Grandma's house or a relative in college. The other obvious use is with cellphones and PDAs that support SIP clients such as Android phones, iPhones, and iPads.²

What we'd recommend you not do is open the SIP floodgate to your PBX by providing unrestricted inbound SIP access, but we'll show you how if you really want or need this functionality. As desirable as this can be, it is accompanied by an array of security issues that really are not worth the risks unless you know what you're doing and you're willing to stay on top of security updates and keep your system patched.

Let's first tackle how to provide limited inbound SIP functionality without selling the farm. If the remote site has a fixed IP address, the procedure to allow remote access to your server is fairly straight-forward: just map the SIP ports on the hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000) and then restrict SIP access using IPtables to the remote IP address as well as the subnet of your private LAN. You can decipher your private subnet by running status. If your server's IP address is 192.168.0.123, then your private subnet would be 192.168.0.0. The IPtables firewall settings are stored in /etc/sysconfig/iptables. Edit that file and find the line that looks like this:

-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT

Delete or comment out this entry with a leading # and insert new entries that look like the following using the public IP address(es) you wish to add plus the private subnet:

-A INPUT -p udp -m udp -s 141.146.20.10 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 141.146.20.11 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT

After making the changes, save the file: Ctrl-X, Y, then Enter. Then restart IPtables: service iptables restart.

Unfortunately, in many situations, the remote phone or cellphone uses an Internet connection with a dynamic IP address. So we don't know the actual IP address that will be assigned. There are a number of solutions to this problem, and we'll rank them in our order of preference. First, spend the $200 and install another Incredible PBX at the remote site. Then the two servers can be linked with IAX connections between the servers making connectivity between the systems totally transparent. Second, install VPN routers at both sites and use a private IP address to establish connectivity with the host system. In this situation, you will have the equivalent of a fixed IP address for the remote device which makes it the equivalent of the fixed IP address solution above. Third, install OpenVPN on your host system and purchase a SIP phone or cellphone that supports VPN connectivity. Most of the high-end SNOM SIP phones have this functionality as do Android phones, iPhones, and iPads. With this setup you also have the equivalent of a fixed IP address, even though it's on a virtual private network. Fourth, talk to the Internet service provider at your remote site and obtain the range of IP addresses that DHCP hands out to those using their services... or just make an educated guess.³

BEFORE Activating Full SIP Connectivity. OK. We hear you. You travel for a living, and the IP address of your cellphone changes hourly, all day, every day of the year. Then, yes, you are a candidate for a full-fledged Asterisk server with unlimited SIP access. Before covering how, let's review what responsibilities go with running such a server. Bear in mind that one compromised SIP password or otherwise vulnerable application on your server (including Asterisk, FreePBX, SSH, and hundreds of others), and you may very well be the proud owner of a whopping phone bill. And we're not talking hundreds of dollars. It could very well be tens of thousands of dollars. And it doesn't take weeks or months. It could be a few hours.

Baker's Dozen SIP Security Checklist

1. Keep Asterisk Current & Patched
2. Keep FreePBX Current & Patched
3. Make Frequent Backups
4. Visit PBX in a Flash Forums Regularly
5. Subscribe to PBX in a Flash RSS Feed
6. Secure Alphanumeric Extension Passwords
7. Secure DISA, VMail, Root, FreePBX Passwords
8. Lock Down Extensions with Deny/Permit
9. Turn Off Recurring Payments with Providers
10. Restrict Trunks to 1-2 Simultaneous Calls
11. Tighten Dialplan by Removing Wildcards
12. Eliminate Intl & Toll Calls With Providers
13. Check FreePBX Call Logs Daily for Abuse

Baker's Dozen SIP Security Checklist. Before opening the floodgates, let's review what you need to do. First, you'll need to run the very latest version of Asterisk... all the time. This means you need to monitor asterisk.org, and keep your system up to date by running update-scripts, update-source, and update-fixes regularly. The default version of Asterisk on current PBX in a Flash and Incredible PBX builds is extremely reliable, but it contains SIP and IAX vulnerabilities which should not be exposed directly to the Internet! Second, you need to run the latest version of FreePBX and apply all patches as they are released. Third, you need to make frequent backups appreciating that sometimes the Asterisk and FreePBX developers get things horribly wrong, and stuff that used to work no longer does. Believe it or not, they're human! Fourth, you need to visit the PBX in a Flash Forums daily and keep abreast of security alerts and bug reports on CentOS, Asterisk, and FreePBX. Fifth, you need to subscribe to the PBX in a Flash RSS Feed which provides regular security alerts when there are reported problems. Sixth, you need to really secure your extension passwords with very long, complex alphanumeric passwords. Ditto for your root and FreePBX passwords! Seventh, for DISA and voicemail, these passwords need to be numeric, complex, and extra long. Eighth, you need to lock down as many of your extensions as possible with deny/permit settings to restrict the IP addresses of those extensions. If you only have one or two remote SIP extensions with dynamic IP addresses, then all of the rest should have deny/permit entries! Ninth, turn off recurring payments with all of your telephony providers and keep minimal funds available in all of your accounts. This means you'll have to monitor these accounts to make sure they are not deactivated for lack of funds. Tenth, restrict all of your trunks to one or at most two simultaneous calls to reduce your call exposure in the event someone breaks into your system. Eleventh, tighten up your Trunk Dial Rules and eliminate any entries that would permit calls to anywhere in the world! If you don't regularly make international calls, there's absolutely no reason to have such entries in your dialplan. If you still have Ma Bell PSTN lines, this is even more important. In fact, consider eliminating long distance access to all of these trunks. Twelfth, where possible, configure your provider accounts to eliminate international and toll calls of all varieties. Finally, check your FreePBX call log every day to make certain no one is making calls on your nickel.

If you are unwilling or unable to perform these Baker's Dozen steps while continuing to monitor the sites provided and recheck your setup regularly (at least every week), don't activate unrestricted SIP access to your server.

Other Options. Consider using an intermediate provider such as voip.ms to provide SIP URI access to your server. Keep in mind that having a registered connection between your server and a VoIP provider alleviates the need to punch a hole in your firewall. So the idea here is to sign up for an inexpensive voip.ms account and set up the trunk connection with your server as either an IAX or SIP account with an always-on connection. Then voip.ms gives you the option of activating a SIP URI as part of a subaccount setup. Just create an internal extension on their server, and this will generate a SIP URI, e.g. 123456666@sip.us4.voip.ms where 12345 is your voip.ms account number and 6666 is the internal extension you created. This lets you connect directly with your server through the SIP URI from anywhere once you map this subaccount to an extension or IVR on your server. The charge for SIP URI calls is only $.001 per minute. The last step is to use this SIP URI in your remote SIP phone to connect back to your server. You can take advantage of the full range of Asterisk functions once these calls reach your server including IVRs and DISA. The approach is not only simple to implement, but it's also safe and economical.

There are some other alternatives as well. Use something like Google Voice or Ooma to redirect calls to your cellphone when you're traveling. Or buy an Ooma for Grandma or a MagicJack for Joe College. These options also are safe, secure, and quite inexpensive.

Just Released: Remote Phone Meets Travelin' Man

Activating Inbound SIP on Your Server. If you still are hell-bent on opening SIP access to your server, the Incredible PBX already is preconfigured to support it. Just map the SIP ports on your hardware- based firewall to your server (UDP 5000:5082 and UDP 10000:20000). Once activated, anyone can reach you through the following SIP URI using the actual public IP address of your server: mothership@12.34.56.78. You also can adjust the e164 trunk in FreePBX to route inbound calls to any destination desired. Then register your phone number on e164.org and others can call you at no cost using your traditional phone number. Enjoy!

The Incredible PBX: Basic Installation Guide

Adding Skype to The Incredible PBX

Adding Incredible Backup... and Restore to The Incredible PBX

Adding Multiple Google Voice Trunks to The Incredible PBX

Remote Phone Meets Travelin' Man with The Incredible PBX

Continue reading Basic Installation Guide, Part II.

Continue reading Basic Installation Guide, Part III.

Continue reading Basic Installation Guide, Part IV.

Support Issues. With any application as sophisticated as this one, you're bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It's the best Asterisk tech support site in the business, and it's all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won't have to wait long for an answer to your questions.

Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.

whos.amung.us If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what's happening. It's a terrific resource both for us and for you.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won't get the special pricing! After the free hour of outbound calling, Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest...

We, of course, continue to recommend a dLink Router/Firewall. Low Cost: $35 WBR-2310 Better: DIR-825 Best: DGL-4500 [↩]
We recommend the free SipAgent client for Android devices and the commercial Acrobits Softphone for iPods and iPads. [↩]
Adding an entry like the following would dramatically reduce the likelihood of a SIP attack: -A INPUT -p udp -m udp -s 141.146.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT [↩]

Posted in Cellular, Internet/Web, Networking, Smartphones, Technology, Telephony, Wi-Fi by ward, Monday, June 7, 2010 7:50 am Comments (16)

Tags: asterisk, firewall, freepbx, iax, IncrediblePBX, ooma, piaf, security, sip

Orgasmatron 5.2: The Secure Swiss Army Knife for Asterisk

It’s been an exciting couple of weeks watching the overwhelmingly positive response to our release of Orgasmatron 5.1. With this version, we introduced a new Asterisk® security model that took into account the ever-increasing security risks posed by exposing web and telephony servers to direct Internet access. The bottom line is this. If your telecom requirements still can be accomplished by placing a server securely behind a $35 hardware-based Internet firewall with no Internet exposure, then it makes absolutely no sense to dangle such a tempting target in front of the world’s most nefarious creeps.

News Flash: Incredible PBX 4.0 is now available with FreePBX 2.10 support!

Coming January 19: Incredible PBX 11 & Incredible Fax for Asterisk 11 and FreePBX 2.11

Our experience suggests that the only trade off with this new approach is the inability to receive anonymous SIP calls… a small price to pay considering the potential financial and computer risks involved. You still can place outbound VoIP calls as well as placing and receiving calls using any of the phone numbers registered on your new PBX in a Flash server. And, thanks to Google Voice, SIPgate, and IPkall, all inbound calls are free, and all outbound calls to numbers in the U.S. and Canada are free as well.

If a SIP URI and your own Freenum/ISN number are simply features you can’t live without, sign up for a voip.ms IAX account, and you’ll get a SIP URI for free. Inbound SIP URI and Freenum/ISN calls will set you back $1 for every 1,000 minutes billed in 6 second increments.

Or you can sign up for a free IP Freedom CallCentric account and configure a new SIP trunk in FreePBX by following these directions. Once configured, your new server SIP URI will be 1777xxxxxxx@in.callcentric.com where xxxxxxx is your assigned 7-digit CallCentric number.

Keep in mind that a new security vulnerability has been found with either Asterisk or FreePBX almost monthly. The chart below tells you why. With virtually limitless attack surfaces because of the number of interrelated components in CentOS, Asterisk, and FreePBX comes enormous and recurring potential for remote compromise of these systems. Rather than play this cat-and-mouse security game with the underworld, the Orgasmatron design changes the paradigm. It lets you use any (secure or insecure) version of Asterisk and FreePBX without worrying about any outside attacks. Do passwords on your new server matter? Not really… unless there is someone inside your firewall that you don’t trust. Are we going to secure them anyway? Absolutely. But instead of the constant worry over new security vulnerabilities, Orgasmatron 5.2 lets you enjoy exploring the world of Asterisk and VoIP telephony with an incredibly rich feature set that you won’t find anywhere else, period! We’ll resist making any other device analogies, but the idea here is to protect the good guy (you!) while keeping the bad guys out. No penetration. No worries. Simple as that.

In our former life working for a living, we actually procured and managed multimillion dollar PBXs as part of our "other duties as assigned." Without qualification, we can tell you that the feature set that Orgasmatron 5.2 brings to the table for free runs circles around anything you could buy (then or now) in the commercial marketplace. And, at one time or another, we purchased every Nortel feature good money could buy. There’s one other difference. Orgasmatron 5.2 runs swimmingly on a $200 Atom-based PC that you can purchase at any Best Buy as well as hundreds of other stores including Amazon, NewEgg, and Buy.com. We paid more than $200 to provision an additional extension on our Nortel switch! You, of course, can add as many extensions as you like. De nada.

So, why a new version of Orgasmatron in only a few weeks? Well, it’s not security-related. In fact, there is nothing wrong with continuing on with Orgasmatron 5.1. Unfortunately, it relied exclusively upon SIPgate to make free Google Voice calls in the U.S. and Canada. And SIPgate required an invite using an SMS message from a U.S.-based cellphone. That pretty well knocked out all of our friends living outside the United States. Today’s version fixes that by letting anyone sign up for a free IPkall phone number in Washington state. All you need is a valid email address. The setup process is a bit more complex because IPkall doesn’t support registered connections to their servers. But we’ll walk you through the additional steps and, once completed, your server will be just as secure as the SIPgate approach we set up with Orgasmatron 5.1. And few, if any, Linux skills are required to set up or manage Orgasmatron 5.2. As we’ve noted previously, if you can handle slice and bake cookies, you’ve got the necessary skillset! Be aware this is about a one-hour project, and you need to track through the article carefully, or the entire house of cards comes down.

New Asterisk Security Model. Orgasmatron 5.2 maintains our design goal of running an absolutely secure Asterisk PBX from behind a hardware-based firewall with either NO INBOUND PORTS exposed to the Internet with SIPgate or an IP-address-restricted IAX port for IPkall. Don’t defeat this security mechanism by exposing additional ports on your PBX in a Flash server to Internet access. And choose your NAT-based firewall/router carefully. All of these devices are not created equally. Not only do some perform better than others, but certain models are notoriously bad at handling NAT-based routing tasks, a critical requirement in the Asterisk VoIP environment. In almost every case of problems with one-way audio, the real culprit can be traced back to a crappy router. For $35, you really can’t go wrong with the dLink WBR-2310. If you want traffic shaping functionality as well, take a look at dLink’s Gaming Router, our personal favorite.

As long as your router, Google Voice, SIPgate, and IPkall passwords are secure, you can sleep like a baby. We use an intermediate SIP provider for Google Voice to set up free outbound Google Voice calls in the U.S. and Canada because Google Voice actually places two calls to connect you to your destination. First, you get a call back. And then the party you’re calling is connected. The SIPgate or IPkall trunk is used by Google Voice to call you back so the inbound call is always free. We handle the interconnection magic with Asterisk transparently so your calls appear to be processed as if you were using a standard telephone to dial out. Just refrain from using extension 75 in Asterisk for personal conferencing!

The choice is yours. You can use SIPgate with no incoming ports exposed to your server from the Internet. Or you can use IPkall and map UDP port 4569 (IAX2) on your hardware-based firewall to the internal IP address of your new PBX in a Flash server. Even with the IPkall setup, we’ve locked down IPtables (our Linux firewall) to restrict IAX access to several specific IP addresses so your server remains absolutely secure. We’ve also included support for FonicaTec’s IAX offering for those that want a backup IAX provider. We’ll have much more to say about IPtables in coming weeks.

If you’ve already installed Orgasmatron 5.1 and it’s working for you, do you need to upgrade? NO. With the exception of the new IAX support for IPkall, the code in Orgasmatron 5.2 is identical.

We, of course, continue to recommend that you sign up with Vitelity so you have an alternate communications vehicle in the event of a problem with your free service. Vitelity also can provide 911 emergency service for your home or home office. You can save a little money while supporting the PBX in a Flash project by using the links at the end of this article.

Swiss Army Knife Inventory. There’s no need for a Swiss Army Knife if you don’t know what all the blades are for. So, for those that are wondering what’s included in the Orgasmatron 5.2 build, here’s a feature list of the components you get in addition to the base PBX in a Flash build with CentOS 5.4, Asterisk 1.4, FreePBX 2.6, and Apache, SendMail, MySQL, PHP, phpMyAdmin, IPtables Linux firewall, Fail2Ban, and WebMin. Please note that A2Billing, Cepstral TTS, Hamachi VPN, and Mondo Backups are optional and may be installed using the scripts that are provided.

A2Billing (/root/nv/install-a2billing)
Amazon S3 Cloud Computing
AsteriDex
CallerID Superfecta (FreePBX Module)
CallWho for Asterisk
Cepstral TTS (/root/nv/install-cepstral.sh)
Preconfigured Email That Works with SendMail
Extensions (16 preconfigured)
Fax Module using nvFax
FONmail
FreePBX Backups
Gizmo5 (Free Calls to Gizmo5 users worldwide: 1747xxxxxxx*1089)
Google Voice (preconfigured)
Hamachi VPN (/root/nv/install-hamachi.x)
Hotel-Style Wakeup Calls (FreePBX Module)
ISN: FreeNum SIP Calling from Any Phone
MeetMe Conference Bridge (just dial C-O-N-F)
Mondo Full System Backups (/root/nv/install-diskbackup.x)
NewsClips from Yahoo
ODBC Database Support
PogoPlug Cloud Computing
Reminders by Phone and Web
SIP URI Outbound Calling (call any SIP URI worldwide for free)
TeleYapper
Tide Reports with xTide
Trunk Lister Script (/root/nv/trunks.sh)
Trunks (Vitelity, Fonica, SIPgate, IPkall, and ENUM)
Twitter Interface (Make Free Calls and Send SMS Messages)
Weather by Airport Code
Weather by ZIP Code
Worldwide Weather
Zaptel Updater (/root/nv/zaptel-update.sh)

Prerequisites. Here’s what you’ll need to get started:

Broadband Internet connection
Rock-solid NAT router/firewall. Recommend: $35 dLink WBR-2310
$200 PC on which to run PBX in a Flash or a Proxmox Virtual Machine
Free Google Voice account (HINT: Under $2 on eBay)
Free SIPgateOne residential account (Use cell to get SMS invite) OR
Free IPkall IAX account

Learn First. Install Second. Even though the installation process is now a No-Brainer, you are well-advised to do some reading before you begin. VoIP PBX systems have become a favorite target of the hackers and crackers around the world and, unless you have an unlimited bank account, you need to take some time learning where the minefields are in today’s VoIP world. Start by reading our Primer on Asterisk Security. Then read our PBX in a Flash and VPN in a Flash knols. If you’re still not asleep, there’s loads of additional documentation on the PBX in a Flash documentation web site.

Today’s Drill. The installation process is straight-forward, but a little different than the Orgasmo 5.1 scenario because of the need to accommodate IPkall. Just don’t skip any steps. In a nutshell, here are the 6 Steps to Free Calling and an incredibly versatile, preconfigured Asterisk PBX:

1. Install the latest version of PBX in a Flash
2. Run the Orgasmatron 5.2 Installer
3. Configure a softphone or SIP telephone
4. Configure Providers for Orgasmatron 5.2
5. Enter your Google Voice and SIPgate/IPkall credentials
6. Change existing passwords to secure your system

Installing PBX in a Flash. Here’s a quick tutorial to get PBX in a Flash installed. We recommend you install the latest PIAF 1.6 beta on a new Atom-based PC. This beta is virtually identical to version 1.4 except it uses CentOS 5.4 instead of CentOS 5.2. This means it works better with newer hardware including Atom-based computers and newer network cards. Unlike other Asterisk aggregations, PBX in a Flash utilizes a two-step install process. The ISO only installs the CentOS operating system. Once installed, the server reboots and downloads a payload file that includes Asterisk, FreePBX, and many other VoIP and Linux utilities. We use the identical payload for versions 1.3, 1.4, 1.5, and 1.6 of PBX in a Flash. The beta label simply means we haven’t had time to sufficiently test CentOS. But this is not a Microsoft-style beta so fear not!

Download the 32-bit, PIAF 1.6 version from Google, SourceForge, Vitelity, Cybernetic Networks, or AdHoc Electronics. The MD5 checksum for the file is e8a3fc96702d8aa9ecbd2a8afb934d36. Burn the ISO to a CD. Then boot from the installation CD and type ksalt to begin.

WARNING: This install will completely erase, repartition, and reformat ALL disks on your system! Press Ctrl-C to cancel the install.

On some systems you may get a notice that CentOS can’t find the kickstart file. Just tab to OK and press Enter. Don’t change the name or location of the kickstart file! This will get you going. Think of it as a CentOS ‘feature’.

At the keyboard prompt, tab to OK and press Enter. At the time zone prompt, tab once, highlight your time zone, tab to OK and press Enter. At the password prompt, make up a VERY secure root password. Type it twice. Tab to OK, press Enter. Get a cup of coffee. Come back in about 5 minutes. When the system has installed CentOS, it will reboot. Remove the CD promptly. After the reboot, choose A option. Have a 10-minute cup of coffee. After installation is complete, the machine will reboot a second time. Log in as root with your new password and execute the following commands:

update-scripts
update-fixes

When prompted, change the ARI password to something really obscure. You’re never going to use it! You now have a PBX in a Flash base install. On a stand-alone machine, it takes about 30 minutes. On a virtual machine, it takes about half that time.

NOTE: So long as your system is safely sitting behind a hardware-based firewall, we do NOT recommend running update-source on the Orgasmatron builds because of parking lot issues in the latest releases of Asterisk.

Running the Orgasmatron 5.2 Installer. Log into your server as root and issue the following commands to run the Orgasmatron 5.2 installer:

cd /root
wget http://pbxinaflash.net/orgasmo52.x
chmod +x orgasmo52.x
./orgasmo52.x

Have another 15-minute cup of coffee. It’s a great time to consider a modest donation to the Nerd Vittles project. You’ll find a link at the top of the page. When the installer finishes, READ THE SCREEN!

Now run passwd-master¹. Set your FreePBX passwords to something very secure but different from your Linux root password.

Next, type status² and press Enter. Write down the IP address of your new server.

If you’re using IPkall, now’s the time to log in to your hardware-based firewall/router and map UDP port 4569³ to the private IP address that you just wrote down. This tells your firewall to pass all IAX2 traffic from the Internet directly to your new server. Don’t worry. We have severely restricted which IP addresses can actually send IAX data through the PBX in a Flash IPtables firewall which is an integral part of this build. And, remember, no hardware firewall adjustments are necessary if you’re using SIPgate instead of IPkall.

For good measure, we recommend you reboot your server at this point. The command to type is simple: reboot⁴

Configuring a SIP Phone. There are hundreds of terrific SIP telephones and softphones for Asterisk-based systems. Once you get things humming along, you’ll want a real SIP telephone, and you’ll find lots of recommendations on Nerd Vittles. For today, let’s download a terrific (free) softphone to get you started. We recommend X-Lite because there are versions for Windows, Mac, and Linux. So download your favorite from this link. Install and run X-Lite on your Desktop. At the top of the phone, click on the Down Arrow and choose SIP Account Settings, Add. Enter the following information using 82812661 as the password for extension 701 and the actual IP address of your PBX in a Flash server instead of 192.168.0.251. Click OK when finished. Your softphone should now show: Available.

Don’t Forget! After you change your extension passwords later in this tutorial, you will need to update the password entry in X-Lite, or you will no longer be able to place calls! In fact, you will get locked out of your server for 90 minutes after three failed password attempts. So put this on a sticky note so you don’t forget, or you’ll regret it in about 15 minutes.

Either a free SIPgate One residential phone number or an IPkall number is a key component in today’s project. And there’s really no reason you can’t use both if they’re available in your location. Do NOT use special characters in your provider passwords, or nothing will work! Continue reading whichever section below applies to you.

Configuring SIPgate. If you live in the U.S. and have a cellphone, we’d recommend the SIPgate option since no adjustment of your hardware-based firewall is required. Otherwise, skip to the IPkall setup below. Step #1 is to request a SIPgate invite at this link. You’ll need to enter your U.S. cellphone number to receive the SMS message with your invitation code. Don’t worry. You can erase your cellphone number from your account once it is set up. Once you receive the invite code, enter it and choose the option to set up a residential account. Next, choose a phone number and write it down. The area code really doesn’t matter because Google Voice is the only one that will be calling this number after we get things set up. For now, leave your cellphone number in place so that you can receive your confirmation call from Google Voice in the next step. After that, you’ll want to revisit SIPgate and remove all parallel calling numbers. Finally, click on the Settings link and write down your SIP ID and SIP Password. You’ll need these in a few minutes to configure PBX in a Flash. Now place a call to your new SIPgate number and make certain that your cellphone rings before proceeding.

Configuring IPkall. If you’ve opted to use IPkall, here’s the drill. First, you’ll need to register for a free IPkall number. This is actually a two-step process. Set it up as a SIP connection when you first register. Then we’ll change it to IAX once your new phone number is provided. So your initial IPkall request should look like this:

We recommend area code 425 for your requested number because IPkall appears to have lots of them. If they don’t have an available number, your request apparently goes in the bit bucket. You’ll know because IPkall typically turns these requests around in a few minutes. Don’t worry about the mothership entry. We’ll change it shortly. The other issue here is your public IP address. If you have a dedicated IP address, no worries. Just plug in the IP address for SIP Proxy. If it’s dynamic, then you’ll need to set up a fully-qualified domain name (FQDN) with a provider such as dyndns.com. Once you’ve got it set up, enter your credentials in the Dynamic DNS tab of your hardware-based firewall to assure that your dynamic IP address is always synchronized with your FQDN. Then enter the FQDN for your SIP Proxy address in the IPkall form. Be sure to make up a VERY secure password. Now send it off and wait for the return email with your new phone number.

When you receive your new phone number, you’ll need to revisit the IPkall site and log in with your phone number and the password you chose above. Make the changes shown below using your actual IPkall phone number instead of 4259876543:

It’s worth stressing that these settings are extremely important so check your work carefully. Be sure the IAX option is selected. Be sure there are no typos in your two phone number entries. And be sure your FQDN or public IP address is correct. Then save your new settings.

We’re going to be making some entries in FreePBX which is the web-GUI that manages PBX in a Flash. For now, we simply need to enter your new IPkall phone number so that incoming calls to your IPkall number will actually ring on your softphone. Later, we’ll make some further adjustments once we get Google Voice humming along.

Using a web browser from your desktop, log in to FreePBX 2.6 at the following link substituting your server’s private IP address for ipaddress: http://ipaddress/admin. You’ll be prompted for a user name (maint) and password (the one you just created with passwd-master).

When FreePBX loads, choose Setup, Trunks, ipkall (iax). In the USER Context field, enter your 10-digit IPkall phone number. Click Submit Changes, Apply Configuration Changes, Continue with Reload to save your settings.

TIP: Be aware that IPkall cancels an assigned phone number after 30 consecutive days of inactivity. If you will be using your number infrequently, it’s a good idea to schedule a Weekly Reminder to call the number with a prerecorded message. This will assure that your number stays functional.

Now let’s test your new phone number. Call your IPkall number from a cellphone or some other phone. Your softphone should ring. Answer the call, and be sure you have voice in both directions! Do not proceed without success here, or the rest of the adventure is a waste of your time.

Configuring Google Voice. Google Voice still is by invitation only so the first thing you’ll need is an invite. If you’re in a hurry, then stroll over to eBay where you’ll find lots of them for under $2. Once you have your invite in hand, click on the email link to set up your account. After you’ve chosen a telephone number, plug in your new SIPgate or IPkall number as the destination for your Google Voice calls and choose Office as the Phone Type. Trust us.

Google then will place a call to your number and ask you to enter a confirmation code that’s been provided. When your cellphone (SIPgate) or softphone (IPkall) rings, answer it and punch in the number. Wait for confirmation. Then hang up.

As we mentioned earlier, there’s no reason you can’t set up both SIPgate and IPkall forwarding numbers in Google Voice. Just repeat the drill with the other provider’s number if you wish to activate both numbers for use with Google Voice. They’re not both going to ring simultaneously as you will see in a minute.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

Call Screening – OFF
Call Presentation – OFF
Caller ID (In) – Display Caller’s Number
Caller ID (Out) – Don’t Change Anything
Do Not Disturb – OFF

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

Finally, place a test call to your new Google Voice number and be sure your cellphone or softphone rings. Don’t move forward until you’ve been able to successfully place a call to your phone by dialing your Google Voice number. Once this is working, revisit SIPgate and remove all parallel calling numbers including your cell number.

Adding Your Credentials to PBX in a Flash. We’re ready to insert your Google Voice credentials and SIPgate/IPkall number into PBX in a Flash. You’ll need four pieces of information: your 10-digit Google Voice phone number, your Google Voice account name (which is the email address you used to set up your GV account), your GV password (no spaces!), and your 11-digit SIPgate or IPkall RingBack DID (beginning with a 1). Don’t get the 10-digit GV number mixed up with the 11-digit SIPgate/IPkall RingBack DID, or nothing will work.

Log back into your server as root and issue the following command: ./configure-gv. Check your entries carefully. If you make a typo in entering any of your data, press Ctrl-C to cancel the script and then run it again!!

Configuring FreePBX. Now shift back to your Desktop and, using a web browser, log in to FreePBX 2.6 at the following link substituting your actual IP address for ipaddress: http://ipaddress/admin. You’ll be prompted for a user name (maint) and password (the one you just created with passwd-master). Depending upon which intermediate provider you’re using, do the following:

SIPgate Setup. When FreePBX loads, choose Setup, Trunks, sipgate. In Peer Details, replace both instances of sipID with your actual SipGate SIP ID. In Peer Details, replace sipPassword with your actual SipGate SIP Password. In Register String, replace sipID with your SipGate SIP ID, replace sipPassword with your SipGate SIP Password, and replace 3333333333 with your 10-digit SipGate Phone Number. When finished, the Register String should look something like the following:

7004484f0:B8TTW3@sipgate.com/4155201234

Click Submit, Apply Configuration Changes, Continue with Reload to save your changes.

SIPgate and IPkall Setup. While still in FreePBX with your browser, click Setup, Inbound Routes, gv-ringback. In DID Number, replace 3333333333 with your 10-digit SIPGate or IPkall Phone Number. In CallerID Number, replace 7777777777 with your 10-digit Google Voice Number.

Click Submit, Apply Configuration Changes, Continue with Reload to save your changes.

Securing FreePBX. You’re almost done. While still in FreePBX, choose each of the 16 preconfigured extensions on your new server and change the extension AND voicemail passwords. Here’s the drill: Setup, Extensions, 501, Submit. After changing secret and Voicemail Password, repeat with the next extension number instead of 501. Then Apply Config Changes, Continue when you’ve finished with all of them.

Now change the default DISA password: Setup, DISA, DISAmain, PIN, Submit Changes, Apply Config Changes, Continue.

Don’t forget to adjust your X-Lite password to match the password entry you made for extension 701!

Orgasmatron Test Flight. The proof is in the pudding as they say. So let’s try two simple tests. First, from another phone, call your Google Voice number. Your softphone should begin ringing shortly. Answer the call and make sure you can send and receive voice on both phones. Hang up. Now let’s place an outbound call. Using the softphone, dial your cellphone number. Google Voice should transparently connect you. Answer the call and make sure you can send and receive voice on both phones. If everything is working, congratulations!

Solving One-Way Audio Problems. If you experience one-way audio on some of your phone calls, you may need to adjust the settings in /etc/asterisk/sip_custom.conf. Just uncomment the first two lines by removing the semicolons. Then replace 173.15.238.123 with your public IP address, and replace 192.168.0.0 with the subnet address of your private network. Save the file and restart Asterisk with the command: amportal restart.

Choosing a VoIP Provider. For this week, we’ll point you to some things to play with on your new server. Then, in the subsequent articles below, we’ll cover in detail how to customize every application that’s been loaded. Nothing beats free when it comes to long distance calls. But nothing lasts forever. So we’d recommend you set up another account with Vitelity using our special link below. This gives your PBX a secondary way to communicate with every telephone in the world, and it also gets you a second real phone number for your new system… so that people can call you. Here’s how it works. You pay Vitelity a deposit for phone service. They then will bill you $3.99 a month for your new phone number. This $3.99 also covers the cost of unlimited inbound calls (two at a time) delivered to your PBX for the month. For outbound calls, you pay by the minute and the cost is determined by where you’re calling. If you’re in the U.S., outbound calls to anywhere in the U.S. are a little over a penny a minute. If you change your mind about Vitelity and want a refund of the balance in your account, all you have to do is ask.

The VoIP world is new territory for some of you. Unlike the Ma Bell days, there’s really no reason not to have multiple VoIP providers especially for outbound calls. Depending upon where you are calling, calls may be cheaper using different providers for calls to different locations. So we recommend having at least two providers. Visit the PBX in a Flash Forum to get some ideas on choosing alternative providers.

Kicking the Tires. OK. That’s enough tutorial for today. Let’s play. Using your new softphone, begin your adventure by dialing these extensions:

D-E-M-O – Nerd Vittles Orgasmatron Demo (running on your PBX)
1234*1061 – Nerd Vittles Demo via ISN FreeNum connection to NV
17476009082*1089 – Nerd Vittles Demo via ISN to Google/Gizmo5
Z-I-P – Enter a five digit zip code for any U.S. weather report
6-1-1 – Enter a 3-character airport code for any U.S. weather report
5-1-1 – Get the latest news and sports headlines from Yahoo News
T-I-D-E – Get today’s tides and lunar schedule for any U.S. port
F-A-X – Send a fax to an email address of your choice
4-1-2 – 3-character phonebook lookup/dialer with AsteriDex
M-A-I-L – Record a message and deliver it to any email address
C-O-N-F – Set up a MeetMe Conference on the fly
1-2-3 – Schedule regular/recurring reminder (PW: 12345678)
2-2-2 – ODBC/Timeclock Lookup Demo (Empl No: 12345)
2-2-3 – ODBC/AsteriDex Lookup Demo (Code: AME)
Dial *68 – Schedule a hotel-style wakeup call from any extension
1061*1061 – PBX in a Flash Support Conference Bridge
882*1061 – VoIP Users Conference every Friday at Noon (EST)

Click above. Enter your name and phone number. Press Connect to begin the call.

Homework. Your homework for this week is to do some exploring. FreePBX is a treasure trove of functionality, and the Orgasmatron build adds a bunch of additional options. See if you can find all of them. For starters, you’ll want to activate CallerID Lookups in FreePBX. Choose Setup, CID Superfecta, Default and enter the maint password you created with passwd-master. Then choose Tools, Module Administration, CallerID Lookup, Enable, Process and Save the Settings. Then edit each of the Inbound Routes and choose CallerID Superfecta as the CID Lookup Source. Save your changes. Finally, choose Setup, CallerID Lookup Sources, CallerID Superfecta and be sure your maint password created with passwd-master is correct here, too. If not, update it. For additional tips, visit the forums.

Be sure to log into your server as root and look through the scripts added in the /root/nv folder. You’ll find all sorts of goodies to keep you busy. s3cmd.faq tells you how to quickly activate the Amazon S3 Cloud Computing service. And, if you’ve heeded our advice and purchased a PogoPlug, you can link to your home-grown cloud. Just add your credentials to /root/pogo-start.sh. Then run the script to enable the PogoPlug Cloud on your server. All of your cloud resources are instantly accessible in /mnt/pogoplug. It’s also perfect for off-site backups!

Also check out Tweet2Dial which lets you use Twitter to make Google Voice calls, send free SMS messages, and manage your new Asterisk server. Don’t forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number. Finally, try out the included Stealth AutoAttendant by dialing your own number and pressing 0 while the greeting is played. This will reroute your call to the demo applications option in the IVR.

Continue reading Part II.

Continue reading Part III.

Continue reading Part IV.

Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! We maintain a thread with the latest Patches for Orgasmatron 5.1 and 5.2. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won’t have to wait long for an answer to your questions.

Coming Attractions. In our next episode, we’ll walk you through the process of adding a second, third, fourth, and fifth Google Voice line to your server so that you’ll never run out of free calling on your server. Enjoy!

Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.

whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest…

passwd-master is the PIAF utility for setting a master password for FreePBX access with the maint user account. [↩]
status is the PIAF utility program that displays the current status of most major applications running on your server. [↩]
Mapping a port on your firewall to a private IP address unblocks certain Internet packets and allows them to pass through your firewall directly to an IP device "inside" your firewall for further processing. [↩]
reboot is the Linux command for restarting your server. It’s functionally equivalent to shutdown -r now. [↩]

Posted in Audio, Home Automation, Internet/Web, Microsoft PCs, MP3 Devices, Networking, Streaming Devices, Technology, Telephony by ward, Monday, March 15, 2010 4:03 am Comments (19)

Tags: asterisk, creeps, firewall, IncrediblePBX, Internet/Web, orgasmatron, piaf, security, voip

Is It Time to Get Your Buzz On?

If you’ve been on vacation for the past week without your computer and cellphone, welcome back. Here’s what you missed: Everything! Yes, in seven little days, we’ve watched in amazement as Google the Giant Internet Gorilla with unlimited financial resources jumped off the 1,000 foot cliff without a parachute and then set about discovering how to land safely. Google jumped head first into social networking with a new product, Google Buzz, and decided to kick start the project using the age-old business trick of tying the new product to an old one, in this case their 175 million existing Gmail customers.

In the process of introducing Google Buzz, Google got almost everything wrong. Ironically, it’s the only new Google product that’s ever been introduced without the beta label. We’ll let you be the judge of whether Buzz is ready for prime time. Consider the following. There was the exposure of people’s most cherished Little Black Books to complete strangers. And cross-scripting security issues have been reported with the potential of exposing users’ Google credentials which in turn provides the key to the Google Checkout castle not to mention all of your most confidential emails. Then there were complaints that customer’s geolocation data was being compromised without user authorization. If that wasn’t enough on your plate for one week, Google now has to contend with a class action lawsuit and several government investigations into its Buzz business practices. Aside from that, did we mention Google Buzz is a huge hit!

If social networking is your thing, then you’re going to love Google Buzz. Think of it as FriendFeed on Steroids. Rich multimedia and location-based services on top of everything you always loved about IRC. And, if you have an Android 2.0+ phone, it gets even better with complete integration into Google Maps 2.0.

Unfortunately, everyone has been so busy with damage control and Google bashing that there’s been precious little time to actually explore the potential for Google Buzz in the social networking community. Our brief look at the product and its potential suggests that Google has another winner on its hands. It’s just too bad it wasn’t introduced in a manner similar to Google Wave so that users (and Google) could walk before attempting to fly. Here’s our first crack at how Google Buzz could actually be integrated into the blogging community, in our case making Google Buzz an integral part of a WordPress blog. And there’s also the widget approach from MoreTechTips.net which we’ve tweaked in the right margin below our Google maps. We’ll have more to say about these methodologies in coming weeks. In the meantime, come join the fun and Get Your Buzz On.

Nerd Uno’s Latest Buzz

Some Recent Nerd Vittles Articles of Interest…

Posted in Blogs, Internet/Web, Networking, Technology by ward, Wednesday, February 17, 2010 9:16 am Comments (1)

Tags: android, buzz, Google Wave, security

Welcome to IP Country: A New Layer of Asterisk Security

image courtesy of fail2ban.org One of the problems with writing a blog like Nerd Vittles is it's more than double the work of your typical blog where a writer pontificates about something and then moves on. What makes Nerd Vittles a little different is that, with help from a number of very gifted developers, we actually create useful applications and then write about how to use them. So you get a bonus for the same low price: free! This obviously imposes some time constraints in order to get fresh material into your hot little hands every week.

This week we turn our attention to Asterisk® Security again and unfortunately the Whole Enchilada is not yet ready. So today you get Chapter I of this topic with a comment that we're still mulling over some enhancements. When those pieces are finished or at least properly evaluated, we'll produce a sequel. Software houses spend years developing applications. And sometimes it takes us more than a week.

Let's start with a few observations which should be quite obvious to those who have wrestled with VoIP or Asterisk for a while. Internet security is a bitch. And Asterisk security is much, much worse. When a few disgruntled people can bring Twitter to its knees because they're mad about some particular tweet or Twitter user, it tells you what we're all up against. Hate to say it but we can all thank Microsoft for years of security neglect that rendered the Windows operating system less than optimum in preventing the spread and deployment of BOTs. And the tools have gotten more dangerous as well. Strangers (our euphemism for these folks) write new software, too.

If you're using PBX in a Flash (and you really should be!), you know that we've devoted enormous resources to Asterisk security. Two years ago when PBX in a Flash was introduced, the majority of people using Asterisk still were using 1234 as the extension password on all or most of their extensions. A couple $100,000 phone bills and lots of public education, and that situation hopefully is behind us. Two years ago, no Asterisk aggregation included a firewall... except PBX in a Flash. Believe it or not, there were individuals running Asterisk servers on the public Internet with a default root password of password. That added more than a few more BOTs to the Internet kettle of fish. Then there were the brute force password hacks that hit Asterisk servers thousands of times per minute guessing passwords. Nothing stood in the way of these attacks until PBX in a Flash introduced Fail2Ban which automatically blacklisted IP addresses after a certain number of failed login attempts. We followed Fail2Ban with our Atomic Flash product which provided a turnkey Hamachi VPN implementation for rock-solid safe remote computing. And, of course, there was a one-minute Hamachi VPN install script for standard PBX in a Flash systems. No other aggregation has it to this day.

The purpose of the history lesson isn't to crow about PBX in a Flash although we're mighty proud of it. Rather we wanted to make you aware that precious little development effort is actually going into security while enormous resources are devoted to things such as Internet faxing, Skype, and Google Voice integration. We'll be the first to admit that we love the latest gee whiz gizmos as much as anybody. But come on. A handful of us who do this purely for fun somehow manage to turn out loads of security enhancements while huge, for-profit companies are devoting virtually zero resources to making Asterisk, SIP, and the VoIP community safer. SIP is about as secure as whispering at a movie theater. Google releases Google Voice with SIP access protected by a 4-digit password. That approach to security needs to change, or we're all going to wake up sorry one day soon. If this is preaching to the choir, then feel free to pass this article on to one of your brethren who has not yet seen the light! Start by reading our Primer on Asterisk Security.

If you have extremely secure passwords on your Asterisk extensions and trunks, and you have deployed a properly configured firewall with Fail2Ban to protect against brute force attacks, then you're ahead of the curve insofar as Asterisk security is concerned. But what we think is still missing is access restrictions based upon what the military calls a "need to know." Simply stated, it means folks shouldn't get access of any kind to your Asterisk server unless they have a need to be there. And, if we find someone there that doesn't belong, they should be kicked off and banned from further access.

So today we have a new security tool for your Asterisk toolbox: IP Country, country-based network filtering by IP address. In a nutshell, it means configuring your Asterisk server to dramatically reduce the number of IP addresses which can reach your server at all. If you receive anonymous SIP connections from all around the globe that you actually need or if you're attacked from a BOT running on grandma's Windows machine down the block, this may not work for you, but it's another tool in your quiver of arrows. For most servers, it has the potential to reduce the vulnerability from random outside threats substantially. It's taken a lot of research to come up with much of what follows, and we want to express our special thanks to Sandro Gauci and Joe Roper for their assistance. Some of this technology has been around for many years, but unfortunately it was expensive. So we also want to express our special appreciation to MaxMind for releasing their open source GeoLite Country database which is now free for downloading. That is the critical ingredient in much of what follows. So here's a word from our sponsor:

This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.

Scope of Protection. An obvious question is just exactly what are we trying to protect. In our view, it's several things. First, we don't want strangers logging in to extensions on our server and making free calls around the globe using pilfered or hacked passwords. We also don't want strangers using our extensions to masquerade as us for any other purpose. Second, we don't want strangers randomly calling our server using SIP URI's that they've dreamed up. And third, we don't want strangers accessing any other applications on our server including SSH and FTP as well as web and email services.

IP Country Design. As with other security features in Asterisk, FreePBX, and IPtables, our implementation of IP Country uses permit and deny access tables that consist of authorized and unauthorized ranges of IP addresses. There's also a table with the latest GeoLite Country information which is used as the data source for your permit table. When a connection to the server is made, the IP address is checked against the permit table of authorized addresses. If there's no match, we'll consider the connection a stranger. If there is a match, then we'll check the deny table to make certain this particular IP address hasn't been banned. Unless you alter all of our scripts, your system must be using the default MySQL account name of root with a password of passw0rd. As configured in PBX in a Flash, this is NOT a security risk since MySQL access is limited to your server, and your server requires root credentials to log in.

Today's Objective. To get everyone started, we're going to tackle the first two objectives today. The solutions offered should work fine on any FreePBX-based Asterisk system... even those that hide the existence of FreePBX.

For outgoing calls, we'll introduce a new script which runs periodically to examine the IP addresses attached to every SIP and IAX extension and trunk on your Asterisk server. If a stranger's IP address is identified (as explained above), we'll add an IPtables firewall rule to permanently block access to your server from this IP address. These rules are stored in /etc/sysconfig/iptables should you ever need to remove an IP address that has been blocked. You can adjust the script execution frequency based upon the thickness of your wallet. After all, it's your phone bill. This functionality is mutually independent from the incoming call protection outlined below so you can use either or both of the functions to meet your own requirements. For systems that use enormous numbers of SIP URI's for communications around the globe, you might choose to implement just this piece for extension and trunk IP Country protection without altering your incoming dialplan at all. Keep in mind that FreePBX now supports permit and deny IP address filters on extensions, something you really should be using even if you decide against implementing the IP Country security protection layer.

For incoming calls, we're going to modify FreePBX's existing Blacklist functionality to also look up the calling IP address in our IP Country permit and deny tables. If the IP address is authorized, the call will go through. Otherwise, the call will be treated just as if the caller's number were blacklisted. Be aware that incoming calls to one of your commercial DIDs may reflect the IP address of your provider since the caller may be calling from a Plain Old Telephone rather than an IP address. The existing Blacklist functionality can be used to block these unwanted callers. If you live in the United States, you'll probably also want to call 888-382-1222 and place your DIDs in the Do Not Call database. Just call from a phone using the CallerID of the number you wish to block.

Installing GeoLite Country. To get started, log into your server as root and issue the following commands:
cd / wget http://bestof.nerdvittles.com/applications/ipcountry/ipcountry.tgz tar zxvf ipcountry.tgz rm ipcountry.tgz cd /root/ipcountry ./nv-ipcountry

Once the nv-ipcountry script begins to run, it will download and install the GeoLite Country database into MySQL. You then will be asked whether to add countries to your permit table. Since your permit table is empty at this point, the answer should be yes. You'll then get a list of country codes. Choose the two-character country code desired and type it in UPPERCASE, e.g. US. If you want to add one or more additional countries, just rerun ./nv-ipcountry and do NOT initialize the permit table (which erases all of its contents).

New GeoLite Country databases are released every month or two so get used to the procedure. You'll be using it periodically to keep your list of IP addresses current. We'll cover the update procedure after we get you up and running.

Remember: If no IP addresses for any country are added to the permit table, you will not be able to make calls or register trunks with your providers! The only default entries added to the permit table are the non-routable, private IP address ranges, e.g. 192.168.0, etc. The geolite table is merely a data repository of the latest GeoLite Country database and has no effect on the daily operation of your system! You use it only as a data source for populating your permit table.

Testing IP Country. Before we actually turn anything on, we need to be sure we're not going to blow your Asterisk system out of the water! In short, we want to make sure that every extension that's supposed to be able to make a connection to your PBX still can. And we need to make sure all of your trunk registrations still are working. While you're still in the /root/ipcountry directory, issue the following command: ./test.sh. This script will display all of your SIP and IAX connections and then will tell you whether each connection will pass muster with IP Country security in place. Each IP address should display ok. If any of them show ko, you have a problem. This means that you have an extension or trunk with an IP address that is not included in your permit table. You can scan through the show peers listings in the display to figure out which providers or extensions are associated with any problem IP addresses. Be sure it's not a bad guy first. Then you have a couple of options. You can either manually add the IP address to the permit table as outlined below. Or you can add additional countries which include the missing IP address(es). To decipher the country of any problem IP address, go to this link and plug in the IP address. Once you've made entries in your permit table to cover all of your needed IP addresses, run the test script again just to be sure everything shows ok. Do NOT proceed until you get all ok's, and don't write us if you do.

Manually Adding IP Addresses to IP Country. We've provided a command-line utility which makes it easy to add IP addresses and address ranges to either the permit or deny tables of IP Country. Be very careful using this tool! There's limited error-checking which means it's easy to create a mess. You'll find iputility.php in the /root/ipcountry folder. Since all IP addresses are stored as integers, you can use it to merely discover the integer value of an IP address, or you can actually insert IP addresses into either the permit or deny tables. Here are a few examples to show how the utility works:

./iputility.php 156.130.20.10
Returns the integer value for this IP address; no database update
./iputility.php 156.130.20.10 156.130.20.255
Returns integer values for this IP address range; no database update
./iputility.php 156.130.20.10 deny
Adds this IP address to IP Country deny table
./iputility.php 156.130.20.10 156.130.20.255 permit
Adds this address range to IP Country permit table)

A couple of points worth noting. First, all custom entries in your permit and deny tables using iputility will show a country code of AA. This makes them easy to find using phpMyAdmin if you make a mistake. Second, if you attempt to enter the same IP address range more than once, you'll get a database error since all entries in the tables must be unique. Third, remember that entries in the deny table take precedence over entries in the permit table. So, if the same IP address or address range is in both tables, access will be denied. The reason for this is to make it easy to exclude a few bad apples from a country that you might otherwise find unobjectionable. Finally, keep in mind that manual entries added to the permit table will have to be added again each time you initialize the table and insert new country IP codes after a GeoLite Country refresh. The deny table is unaffected by database refreshes. So make yourself a list of entries you manually insert into the permit table and keep it in a safe place for future reference.

Activating the IP Address Checker. In the /root/ipcountry directory, you'll find the script that we'll use to check your system periodically to be sure all of the extensions and trunks are registered at permitted IP addresses. To run the script manually, log into your server as root and type: /root/ipcountry/ip-checker.sh. When you run it, you shouldn't see any modifications to IPtables, just a string of ok's. So now we want to added the script as a cron job that will be run periodically to watch your system. Edit /etc/crontab and insert the following line at the bottom of the file:

*/1 * * * * /root/ipcountry/ip-checker.sh > /dev/null

*/1 means run the script once a minute, all day and night, every day. */5 means every 5 minutes. You make the call on how safe you'd like your system to be. If you'd like to receive an email or text message every time an IP address is blocked by ip-checker.sh, just edit the filecheck.php script, uncomment the two lines that begin with // and replace yourname@gmail.com with your email or text message address.

WARNING: For ip-checker.sh to work properly with IPtables, there are a couple of prerequisites. First, IPtables must be running on your system with the iptables file located in /etc/sysconfig. Second, your IPtables setup must include an SSH permit rule that looks like this:

-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT

We use this rule as a place finder to determine where to insert new rules to block stranger's IP addresses. If you don't have the above rule, filecheck.php (used by ip-checker.sh) won't be able to insert new rules. So you'll need to manually edit filecheck.php to provide a "hook" that can be used to insert rules into your iptables file. PBX in a Flash systems come preconfigured to support this. With other aggregations, YMMV!

Activating the Incoming Call Checker. To screen incoming calls using your IP Country permit and deny tables, the setup is straight-forward assuming you are running the latest version of FreePBX 2.5. We're going to adjust the Blacklist context to also perform IP address lookups from IP Country when new calls arrive on your PBX. Just log into your server as root and add the following lines to the bottom of the extensions_override_freepbx.conf file in /etc/asterisk:

[app-blacklist-check]
include => app-blacklist-check-custom
exten => s,1,LookupBlacklist()
exten => s,n,GotoIf($["${LOOKUPBLSTATUS}"="FOUND"]?blacklisted)
exten => s,n,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
exten => s,n,GotoIf($["${TESTAT}" != ""]?hasat)
exten => s,n,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
exten => s,n,Goto(gotip)
exten => s,n(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
exten => s,n(gotip),NoOp(Gateway IP is ${FROM_IP})
exten => s,n,NoOp(IP Country Lookup in Progress...)
; put authorized special calls like sipgate's Google Voice ringbacks below
exten => s,n,GotoIf($["${FROM_IP}"="sipgate.com"]?keepon)
exten => s,n,AGI(nv-ipcountry.php|${FROM_IP})
exten => s,n,GotoIf($["${STRANGER}"="true"]?blacklisted)
exten => s,n(keepon),NoOp(** AUTHORIZED CALLER **)
exten => s,n,Return()
exten => s,n(blacklisted),Answer
exten => s,n,Wait(1)
exten => s,n,Zapateller()
exten => s,n,Playback(ss-noservice)
exten => s,n,Hangup

Make sure you remove the line-wrap in the s,n(hasat) line and any others that may have wrapped in the display above! Then save the file and reload your Asterisk dialplan: asterisk -rx "dialplan reload". You're all set! If you'd like email notices when a stranger calls and is blacklisted, edit nv-ipcountry.php in /var/lib/asterisk/agi-bin. Plug in your actual email address in the $email variable and set $emailalerts = 1.

Housekeeping 101. As we mentioned above, the pool and location of IP addresses continues to change so periodic updates are necessary, or you'll end up blocking calls that otherwise should be permitted. MaxMind updates GeoLite Country on the first day of every month so add it to your TO-DO list. We strongly recommend that you perform these steps through an SSH connection from a remote PC. Why? Because, if you forget step 1 while logged directly into your server, you could inadvertently lock yourself out of your own system if the ip-checker script happens to run while your permit table is empty. If you do it from a remote machine, you can simply move to another machine and follow these instructions properly. Otherwise, you've got a serious problem on your main server. If this server provides phones to your business, do the update when the server is idle. So here's the drill:

Comment out the ip-checker.sh /etc/crontab entry
Download new GeoLite Country database from MaxMind
Initialize the ipcountry.permit table
Add authorized countries back into ipcountry.permit table
Add back any custom entries to permit table
Test your IP Country system to make sure you get all ok's
Reactivate ip-checker.sh in /etc/crontab

1. Log into your server as root. To comment out the ip-checker.sh line in /etc/crontab, just add # as the first character on the line and save the file.

2. Change to the /root/ipcountry directory and run ./nv-GeoIPrefresh.

3. While still in the /root/ipcountry directory, run ./nv-ipcountry and choose 1-Yes to initialize your ipcountry.permit table.

4. Continue running or rerun ./nv-ipcountry to add each desired country to your ipcountry.permit table.

5. Run ./iputility.php to add custom IP address entries to your ipcountry.permit table. You do NOT need to reenter addresses in the deny table. It is unaffected by this update procedure.

6. Test your system again to make sure all extensions and trunks get an ok by running ./test.sh.

7. Edit /etc/crontab and remove the # at the beginning of the ip-checker.sh line and save the file.

What's Next. We're still exploring another possibility with IP Country, and that is integrating GeoLite Country directly into IPtables. This would validate every packet coming into your firewall using IP Country-like rules in IPtables. If you want to look at how it could be done, see this excellent writeup. Well, not so fast. Unfortunately, it won't compile under CentOS 5.2. Here's a link to the problem code if there are any Linux gurus in the house. Our reluctance in doing this has to do with performance. Keep in mind that, without stateful packet inspection, every single packet coming into your server would presumably trigger a database lookup. On a busy telephony system generating hundreds of thousands of packets per second, it would take a beast of a server with sufficient memory to cache the entire IP Country database in order to handle the processing load. So now we've got to either learn about or find an expert on the IPtables State Machine. If anyone wants to experiment, please share your expertise with the rest of us. There's a Google Voice invite in it for you, too.

Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.

Some Recent Nerd Vittles Articles of Interest...

Posted in Networking, Technology, Telephony by ward, Wednesday, August 26, 2009 11:25 am Comments (10)

Tags: asterisk, fail2ban, freepbx, iptables, pbx, piaf, security, vpn

Introducing PBX in a Flash 1.4: The Lean, Mean Asterisk Machine

It's almost spring. So what better time to introduce version 1.4 of PBX in a Flash. It's chock full of new telephony goodies to whet your appetite for Internet Telephony. Tom King has worked his usual Magic™ to come up with a pair of new ISOs that are nothing short of spectacular. Not only is PBX in a Flash leaner and meaner, but it's now incredibly flexible and even easier to use.

You don't get the kitchen sink in PBX in a Flash ISOs. Instead you get a rock-solid CentOS 5.2 operating system with the latest CentOS kernel on which to build an Internet telephony server that meets your specific needs. Want a 64-bit operating system? We've got it. Prefer to stick with a 32-bit operating system? We've got you covered there, too. Want to experiment with Asterisk® 1.6 and DAHDI? We've got it. Prefer to stick with Asterisk 1.4 and Zaptel for a production environment? No problem. Do you prefer LVM, ext3, or SATA RAID for your disk drives? Well, take your pick. PBX in a Flash 1.4 now supports all of them. For those with a physical handicap, you now can install the complete system with no user intervention by typing ksauto at the first prompt. And, for PBX in a Flash development partners, we've got a 2-CD install set that makes generation of multiple systems with minimal Internet access a reality.

A Better Mousetrap. Asterisk-based LAMP aggregations thankfully are more plentiful today, but we think we have a better mousetrap. Here are a few reasons why? First, PBX in a Flash is the only distribution that is totally source-based with Asterisk compiled from source as part of the install. What that means is when you purchase add-on hardware and it has a problem for some reason, all of the tools are already in place for you to contact the manufacturer or reseller and have them reconfigure or recompile whatever is necessary on your system to get you back in business quickly. It also means that most of our applications are compiled from source on your specific hardware which assures a more reliable and stable software platform on which to build your telephony system.

Second, we don't release PBX in a Flash ISOs every other week. We don't have to. Every time a new security patch is released for Asterisk, the "other guys" have to create a new RPM or ISO to support it. That means your system is vulnerable for weeks or months while that process is underway. In some cases, it means installing a new ISO and starting over. I wish I had a nickel for every time I reinstalled and basically started over with Asterisk@Home or trixbox. With PBX in a Flash, you simply type update-source at the command prompt and your system is brought current without missing a beat. The total downtime for your system is typically under 15 minutes!

Third, PBX in a Flash uses a two-step install process that all but eliminates the ISO obsolescence issues that have plagued other distributions. The PBX in a Flash ISO is used to install either the 32-bit or the 64-bit CentOS 5.2 operating system and kernel. When that process completes, the installer then searches multiple sites on the Internet for our "payload file" which contains the latest, greatest version of Asterisk which is compiled on-the-fly. The payload script also installs FreePBX and many of the customized features that make PBX in a Flash unique. If you need additional functionality, we have an entire web site, pbxinaflash.org, dedicated to add-on scripts. Most of these add-on scripts install without user intervention in under a minute. So... install what you need and skip the BloatWare. Using this design, most bugs are eliminated as well without your having to do much of anything. Translation: More time to enjoy your production-quality VoIP PBX... and less all-nighters!

So today we're proud to introduce the 1.4 release of PBX in a Flash for Linux, Windows, and Macs. It's still the Lean, Mean Asterisk Machine designed to meet the needs of hobbyists as well as business users. Text-to-speech works, Bluetooth works, faxing works. FreePBX 2.5 is rock-solid and much more secure.

And, speaking of security, PBX in a Flash is the only distribution that brings you multiple layers of security out of the box. There's the preconfigured Linux IPtables firewall. And, in addition, there's the latest and greatest version of Fail2Ban which blocks malicious intruders attempting to guess your passwords and break into your system. We also recommend adding a hardware-based firewall/router to block HTTP access to your system unless you really know what you're doing. Does all of this matter? Well, it's your phone bill. Here's a link to our article about a company that recently received an unexpected $120,000 phone bill in the mail. So you decide. If you read nothing else before embarking on your VoIP adventure, read our Primer on Asterisk Security!

As some of our regular readers know, we have been very concerned with the Asterisk development strategy that continues the process of regularly deleting commands and syntaxes with each major version change. Many of us rely upon these commands in building dialplans and vertical market applications for Asterisk so it causes real problems. PBX systems break that used to work. When that happens almost annually, it's a bad thing. One way that we hope to improve the dialogue with the developers is to make it easy for more people to experiment with Asterisk 1.6. Whether you choose our 32-bit or 64-bit ISO, you also have the option to install the latest release of Asterisk 1.6 and get you involved in this process. Otherwise, we might as well look forward to annual train wrecks because of the Asterisk design strategy. You can read all about it here and here.

Getting Started with PBX in a Flash 1.4. Begin by downloading either the 32-bit or 64-bit ISO image for PBX in a Flash. Don't worry. If you try to run the 64-bit install on a system that doesn't support it, it'll just sit there so you've got nothing to lose by trying the Ferrari first. As new locations for ISO downloads come on line, we will add them to the download list. Once you've got the ISO image in hand, use your favorite tool to burn it to a bootable CD. This next step is the most important. Do some reading!! There also are loads of helpful tutorials that are free for the downloading from our support site.

What About Hardware? If you're new to all of this, let us recommend you try either one of Dell's entry-level T100 or T105 PowerEdge servers or one of the newer Intel Atom-based small-footprint PCs or netbooks such as the Acer Aspire One. On sale pricing is typically around $300. You can save an additional 2% plus $5 by using our coupon link in the right margin. These systems are just about perfect for a home or small business telephony server.

Basic Install. Once you have your new system, just insert the CD containing the pbxinaflash.iso and then reboot the machine you wish to dedicate to PBX in a Flash. After reading this tutorial and the initial prompts and warnings, choose an option and press the <Enter key> to begin the installation. If you want to first check the media for corruption, type linux mediacheck and then press the <Enter> key. When prompted, be sure to choose the option that erases all existing partitions and uses the default partition layout. Then choose your time zone and leave the UTC system clock option unchecked. Next choose a root password for your new system. Make it secure, and write it down (not on your shoe). We plan to use this password for virtually everything on your new system. The install process begins. This includes MySQL, Apache, PHP, CUPS, Samba, WebMin, Subversion, SendMail, Yum, Bluetooth support, SSL, Perl, Python, the kernel development package, and much more. In about 15 minutes depending upon the speed of your PC, the machine will reboot. Be sure to eject the CD at this point. You now must have an Internet connection to complete the install so be sure you've plugged in a 10/100 cable if you haven't done so already.

After the reboot, the system will start up with CentOS 5.2, then download and install Asterisk and FreePBX, and search for the necessary installation script and payload file on pbxinaflash.net. If that site happens to be down, the script will go to pbxinaflash.com for the same payload file. Just to repeat, if you don't have Internet connectivity, then the installation cannot complete. When the installation finishes, reboot your system and log in as root. The IP address of your PBX in a Flash system will be displayed once you log in. If it's blank, type service network restart after assuring that you have Internet connectivity and access to a DHCP server that hands out IP addresses. Typing ifconfig should display your IP address on the eth0 port. Write it down. We'll need it in a minute.

Now that you've logged in as root, you should see the IP address displayed with the following command prompt: root@pbx:~/. If instead you see bash displayed as the command prompt and it's not green, then the installation has not completed successfully. This is probably due to network problems but also could be caused by the time being set incorrectly on your server. You can't compile Asterisk if the time on your computer is a date in the past! For this glitch you have to try again. If it's a network issue, fix it and then reboot and watch for the eth0 connection to complete. Assuming it doesn't fail the second time around, the installation will continue. Likewise, if you do not have DHCP on your network, the installation will fail because the PBX will not be given an IP address. Simply type netconfig, fill in the blanks and reboot.

Four Steps to Complete the Install. There are four important things to do to complete the installation. First, from the command prompt, run genzaptelconf. This sets up your ZAP hardware as well as a timing source for conferencing. If you're using additional hardware for your Asterisk system, we recommend removing the 56K modem when you install the cards. This will help avoid interrupt conflicts. Second, decide how to handle the IP address for your PBX in a Flash server. The default is DHCP, but you don't want the IP address of your PBX changing. Phones and phone calls need to know how to find your PBX, and if your internal IP address changes because of DHCP, that's a problem. You have two choices. Either set your router to always hand out the same DHCP address to your PBX in a Flash server by specifying its MAC address in the reserved IP address table of your router, or run netconfig at the command prompt and assign a permanent IP address to your server. Be aware that netconfig no longer is a part of CentOS 5.2. We added it back in as part of the install. If you update your CentOS configuration, you will need to reinstall it by running update-scripts, then update-fixes, and then install-netconfig. If you experience problems with the process, see this message thread on the forum. The third configuration requirement probably accounts for more beginner problems with Asterisk systems than everything else combined. Read the next section carefully and do it now!

Getting Rid of One-Way Audio. There are some settings you'll need to add to /etc/asterisk/sip_custom.conf if you want to have reliable, two-way communications with Asterisk: nano -w /etc/asterisk/sip_custom.conf. The entries depend upon whether your Internet connection has a fixed IP address or a DHCP address issued by your provider. In the latter case, you also need to configure your router to support Dynamic DNS (DDNS) using a service such as dyndns.org. If you have a fixed IP address, then enter settings like the following using your actual public IP address and your private IP subnet:
externip=180.12.12.12 localnet=192.168.1.0/255.255.255.0
If you have a public address that changes and you're using DDNS, then the settings would look something like the following:
externhost=myserver.dyndns.org localnet=192.168.0.0/255.255.255.0

(NOTE: The first 3 octets in the above localnet entries need to match your private IP addresses!)

Once you've made your entries, save the file: Ctrl-X, Y, then Enter. Reload Asterisk: amportal restart. If you assigned a permanent IP address, reboot your server: shutdown -r now.

Be aware that some people experience problems with the externhost approach outlined above. If your provider only gives you a dynamic IP address, you still can use the externip approach above so long as you have a method to frequently verify your IP address. The approach we actually use on our home network is to run a little script every 5 minutes. If it finds that your outside IP address has changed, it will automatically update your sip_custom.conf file with the new address. To use our approach, create a file in /var/lib/asterisk/agi-bin names ip.sh. Here's the code:¹
#!/bin/bash # File to log the IP Address IPFILE='/var/log/asterisk/externip' # Your local lan ip block localnet=192.168.1.0 # Nothing else needs to be changed. if [ ! -f "$IPFILE" ]; then echo "creating $IPFILE" echo first_time_usage > $IPFILE fi lastip=`cat $IPFILE` externip=$(curl -s -S --user-agent "PIAF 1.4"↩ http://myip.pbxinaflash.com | awk 'NR==2') if [ $externip != $lastip ]; then # Writes new IP address (if it has changed) to file. echo "$externip" > $IPFILE echo "externip=$externip" > /etc/asterisk/sip_custom.conf echo "localnet=$localnet/255.255.255.0" >>↩ /etc/asterisk/sip_custom.conf echo "srvlookup=yes" >> /etc/asterisk/sip_custom.conf echo "nat=yes" >> /etc/asterisk/sip_custom.conf asterisk -rx "dialplan reload" ; else exit 0; fi exit;

On line 5, enter the internal subnet for your server as the localnet entry. This is usually 192.168.0.0 or 192.168.1.0. YMMV!

Save the file and give it execute permissions: chmod +x /var/lib/asterisk/agi-bin/ip.sh. Then make asterisk the file owner: chown asterisk:asterisk /var/lib/asterisk/agi-bin/ip.sh.

Finally, add the following entry to the bottom of /etc/crontab:
*/5 * * * * asterisk /var/lib/asterisk/agi-bin/ip.sh > /dev/null

Getting Your Machine Up to Date. Tom King, one of our lead developers, has gone to great pains to make it easy for you to always have a current system. All you have to do is type a few commands, but you do have to type them. So do it now! After logging in as root, type update-scripts to get the latest PBX in a Flash scripts installed on your system. This doesn't run them, it merely makes them available for you to run them. Once you complete this step, you can always review the latest scripting options by typing help-pbx. Now run update-fixes to apply the latest patches to your PBX in a Flash system. When it completes, you're up to date. If you want the latest version of Asterisk, it's easy! Just run update-source. In the case of PBX in a Flash 1.4, you have the latest stable version of Asterisk 1.4 or 1.6... at least for today.

Activating Email Delivery of Voicemail Messages. We've previously shown how to configure systems to reliably deliver email messages whenever a voicemail arrives unless your ISP happens to block downstream SMTP mail servers. Here's the link in case you need it. As it happens, you really don't have to use a real fully-qualified domain name to get this working. So long as the entry (such as pbx.dyndns.org) is inserted in both the /etc/hosts file and /etc/asterisk/vm_general.inc with a matching servermail entry of vm@pbx.dyndns.org (as explained in the link above), your system will reliably send emails to you whenever you get a voicemail if you configure your extensions in FreePBX to support this capability. You can, of course, put in real host entries if you prefer. For 90% of the systems around the world, if you just want your server to reliably e-mail you your voicemail messages, make line 3 of /etc/hosts look like this with a tab after 127.0.0.1 and spaces between the domain names:
127.0.0.1 pbx.dyndns.org pbx.local pbx localhost.localdomain localhost
And then make line 6 of /etc/asterisk/vm_general.inc look like the following:
serveremail=voicemail@pbx.dyndns.org
Now issue the following two commands to make the changes take effect:
service network restart amportal restart

The command "setup-mail" can be used from the Linux prompt to set the fully-qualified domain name (FQDN) of the mail that is sent out from your server. This may help mail to be delivered from the PBX. One of things mail servers do to reduce spam is to do a reverse lookup on where the mail has come from, checking that there is actually a mailserver at the other end. You can only do this if you have set up dynamic DNS or if you have pointed a hostname at your fixed IP address. Once you have done this, and assuming your ISP is cooperative, then you will receive your voicemails via email if you wish (this is set within FreePBX),and your PBX will email you when FreePBX needs an update. You set this feature in FreePBX General Settings.

If your hosting provider blocks downstream SMTP servers to reduce spam, here's a simple way to use your Gmail account (free!) as your SMTP Relay Host. Then you never have to worry about this again!

Setting Passwords and Other Stuff. Be aware that major security issues are reported from time to time with FreePBX. We strongly recommend that you not use FreePBX admin security alone to protect your system from a web attack. It may compromise root access to your entire server. For this reason, we recommend that you log in as root and immediately run passwd-master after completing the update-scripts and update-fixes scenario. This establishes Apache htaccess security on your FreePBX web interface. After running this conversion utility, you can only log into the FreePBX admin interface with the username maint (not admin) and the password which you establish when you run the utility.

Other passwords can be set in your system with these commands:
passwd... reset your root user password passwd-maint... reset your FreePBX maint password passwd-wwwadmin... for users needing FOP and MeetMe access passwd-meetme... for users needing only MeetMe access passwd-webmin... for users needing WebMin access to your server (very dangerous!)

There's also an Administration password that you can set in the KennonSoft UI that displays when you point your browser to the IP address of your server. Do NOT use the same password here that you use elsewhere as it is not overly secure.

Configuring WebMin. WebMin is the Swiss Army Knife of Linux. It provides TOTAL access to your system through a web interface. Search Nerd Vittles for webmin if you want more information. Be very careful if you decide to enable it on the public Internet. You do this by opening port 9001 on your router and pointing it to the private IP address of your PBX in a Flash server. Before using WebMin, you need to set up a username and password for access. From the Linux prompt while logged in as root, type the following command where admin is the username you wish to set up and foo is the password you've chosen for the admininstrator account. HINT: Don't use admin and foo as your username and password for WebMin unless you want your server trashed!
/usr/libexec/webmin/changepass.pl /etc/webmin root password

To access WebMin on your private network, go to http://192.168.0.123:9001 where 192.168.0.123 is the private IP address of your PBX in a Flash server. Then type the username and password you assigned above to gain entry. To stop WebMin: /etc/webmin/stop. To start WebMin: /etc/webmin/start. For complete documentation, go here.

Updating and Configuring FreePBX. FreePBX 2.5 is installed as part of the PBX in a Flash 1.4 implementation. This incredible, web-based tool provides a complete menu-driven user interface to Asterisk. The entire FreePBX project is a model of how open source development projects ought to work. And having Philippe Lindheimer's as the Captain of the Ship is just icing on the cake. All it takes to get started with FreePBX is a few minutes of configuration, and you'll have a functioning Asterisk PBX complete with voicemail, music on hold, call forwarding, and a powerful interactive voice response (IVR) system. There is excellent documentation for FreePBX which you should read at your earliest convenience. It will answer 99% of your questions about how to use and configure FreePBX. For the one percent that is not covered in the Guide, visit the FreePBX Forums which are frequented regularly by the FreePBX developers. Kindly post FreePBX questions on their forum rather than the PBX-in-a-Flash Forum. This helps everybody. Now let's get started.

NOTE: PBX in a Flash comes with the IPtables firewall enabled on your system. If this causes problems with access to the FreePBX repository (for loading the FreePBX updates below), you can easily (and temporarily) turn off the firewall. Type help-pbx for assistance. Don't forget to restart the firewall especially if your system has any Internet exposure!

Now move to a PC or Mac and, using your favorite web browser, go to the IP address you deciphered above for your new server. Be aware that FreePBX has a difficult time displaying properly with IE6 and IE7 and regularly blows up with older versions of Safari. Be safe. Use Firefox. From the PBX in a Flash Main Menu in your web browser, click on the Administration link and then click the FreePBX button. The username and password both default to admin. Click Apply Configuration Changes, Continue with Reload, and then Refresh your browser screen. Now click the Module Administration option in the left frame once FreePBX loads. Now click Check for Updates online in the upper right panel. Next, click Download All which will select every module for download and install. The important step here is to move down the list and Deselect Speed Dials and PHPAGI from the download and install options. Once these apps have been deselected, scroll to the bottom of the page and click Process, then Confirm, then Return once the apps are downloaded and installed, then Apply, then Continue with Reload. Now repeat the process once more and do not deselect the two applications, then Process, Confirm, Return, Apply Config Changes, and Continue with Reload. Finally, scroll down the Modules listing until you get to the Maintenance section. Click on each of the following and choose Install: ConfigEdit, Sys Info, and phpMyAdmin. Then click Process, then Confirm, then Return once the apps are downloaded and installed, then Apply, then Continue with Reload. All three of these tools now are installed in the Maintenance section of the Tools tab of FreePBX. One final step, and you're good to go. An update of FreePBX has been released. Click Check for Updates online. Then choose Download and Upgrade for the Core, FreePBX Framework, and System Dashboard modules. Then click Process, then Confirm, then Return once the apps are downloaded and installed, then Apply, then Continue with Reload. You now have an up-to-date version of FreePBX. You'll need to repeat the drill every few weeks as new updates are released. This will assure that you have all of the latest and greatest software. To change your Admin password, click on the Setup tab in the left frame, then click Administrators, then Admin in the far right column, enter a new password, and click Submit Changes, Apply Configuration Changes, and Continue with reload. We're going to be repeating this process a number of times in the next section so... when instructed to Save Your Changes, that means "click Submit Changes, Apply Configuration Changes, and Continue with reload."

Choosing Internet Telephony Hosting Providers for Your System. Before you can place calls to users outside your system or to receive incoming calls, you'll need at least one provider (each) for your incoming phone number (DID) and incoming calls as well as a provider for your outbound calls (terminations). We have a list of some of our favorites here, and there are many, many others. You basically have two choices with most providers. You can either pay as you go or sign up for an all-you-can-eat plan. Most of the latter plans also have caps on minutes so it's more akin to all-they-care-for-you-to-eat, and there are none of the latter plans for business service. In the U.S. market, the going rate for pay as you go service is about 1.5¢ per minute rounded to the tenth of a minute. The best deal on DIDs is from Vitelity. They charge $3.99 a month for a DID with unlimited, free incoming calls. There's a link to the Nerd Vittles discount on this service for PBX in a Flash users below.

Before you sign up for any all-you-can-eat plan, do some reading about the service providers. Some of them are real scam artists with backbilling and all sorts of unconscionable restrictions. You need to be careful. Our cardinal rule in the VoIP Wild West is never, ever entrust your entire PBX to a single hosting provider. As Forrest Gump would say, "Stuff happens!" And life's too short to have dead telephones, even if it's a rarity.

Setting Up FreePBX to Make Your First Call. There are four components in FreePBX that need to be configured before you can place a call or receive one from outside your PBX in a Flash system. So here's FreePBX for Dummies in less than 50 words. You need to configure Trunks, Extensions, Outbound Routes, and Inbound Routes. Trunks are hosting provider specifications that get calls delivered to and transported from your PBX to the rest of the world. Extensions are internal numbers on your PBX that connect your PBX to telephone hardware or softphones. Inbound Routes specify what should be done with calls coming in on a Trunk. Outbound Routes specify what should be done with calls going out to a Trunk. Everything else is bells and whistles.

Trunks. When you sign up with most of the better ITHP's that support Asterisk, they will provide documentation on how to connect their service with your Asterisk system. If they have a trixbox tutorial, use that since it also uses FreePBX as the web front end to Asterisk. Here's an example from les.net. And here's the Vitelity support page although you will need to set up an account before you can access it. We also have covered the setups for a number of providers in previous articles. Just search the Nerd Vittles site for the name of the provider you wish to use. You'll also find many Trunk setups in the trixbox Trunk Forum. Once you find the setup for your provider, add it in FreePBX by going to Setup, Trunks, Add SIP Trunk. Our AxVoice setup (which is all entered in the Outgoing section with a label of axvoice) looks like this with a Registration String of yourusername:yourpassword@sip.axvoice.com:
allow=ulaw authname=yourusername canreinvite=no context=all-incoming defaultip=sip.axvoice.com disallow=all dtmfmode=inband fromdomain=sip.axvoice.com fromuser=yourusername host=sip.axvoice.com insecure=very nat=yes secret=yourpassword type=friend user=phone username=yourusername

And our Vitelity Outbound Trunk looks like the following (labeled vitel-outbound) with no registration string:
allow=ulaw&gsm canreinvite=no context=from-pstn disallow=all fromuser=yourusername host=outbound1.vitelity.net secret=yourpassword sendrpid=yes trustrpid=yes type=friend username=yourusername

Extensions. Now let's set up a couple of Extensions to get you started. A good rule of thumb for systems with less than 50 extensions is to reserve the IP addresses from 192.x.x.201 to 192.x.x.250 for your phones. Then you can create extension numbers in FreePBX to match those IP addresses. This makes it easy to identify which phone on your system goes with which IP address and makes it easy for end-users to access the phone's GUI to add bells and whistles. To create extension 201 (don't start with 200), click Setup, Extensions, Generic SIP Device, Submit. Then fill in the following blanks USING VERY SECURE PASSWORDS and leaving the defaults in the other fields for the time being.

User Extension ... 201
Display Name ... Home
Outbound CID ... [your 10-digit phone number if you have one; otherwise, leave blank]
Emergency CID ... [your 10-digit phone number for 911 ID if you have one; otherwise, leave blank]
Device Options
secret ... 1299864 < -- make this unique AND secure!
dtmfmode ... rfc2833
Voicemail & Directory ... Enabled
voicemail password ... 1299864 <-- make this unique AND secure!
email address ... yourname@yourdomain.com [if you want voicemail messages emailed to you]
pager email address ... yourname@yourdomain.com [if you want to be paged when voicemail messages arrive]
email attachment ... yes [if you want the voicemail message included in the email message]
play CID ... yes [if you want the CallerID played when you retrieve a message]
play envelope ... yes [if you want the date/time of the message played before the message is read to you]
delete Vmail ... yes [if you want the voicemail message deleted after it's emailed to you]
vm options ... callback=from-internal [to enable automatic callbacks by pressing 3,2 after playing a voicemail message]
vm context ... default

Now create several more extensions using the template above: 202, 203, 204, and 205 would be a good start. Keep the passwords simple. You'll need them whenever you configure your phone instruments.

Extension Security. We cannot overstress the need to make your extension passwords secure. All the firewalls in the world won't protect you from malicious phone calls on your nickel if you use your extension number or something like 1234 for your extension password because the SIP and IAX ports typically are exposed to allow connections to your providers. In addition to making up secure passwords, the latest version of FreePBX also lets you define the IP address or subnet that can access each of your extensions. Use it!!! Once the extensions are created, edit each one and modify the permit field to specify the actual IP address or subnet of each phone on your system. A specific IP address entry should look like this: 192.168.1.142/255.255.255.255. If most of your phones are on a private LAN, you may prefer to use a subnet entry like this: 192.168.1.0/255.255.255.0 using your actual subnet, of course.

Outbound Routes. The idea behind multiple outbound routes is to save money. Some providers are cheaper to some places than others. We're going to skip that tutorial today. You can search the site for lots of information on choosing providers. Assuming you have only one or two for starters, let's just set up a default outbound route for all your calls. Using your web browser, access FreePBX on your server and click Setup, Outbound Routes. Enter a route name of Everything. Enter the dial patterns for your outbound calls. In the U.S., you'd enter something like the following:
1NXXNXXXXXX NXXNXXXXXX
Click on the Trunk Sequence pull-down and choose your providers in the order you'd like them to be used for outbound calls.Click Submit Changes and then save your changes. Note that a second choice in trunk sequence only gets used if the calls fail to go through using your first choice. You'll notice there's already a 9_outside route which we don't need. Click on it and then choose Delete Route 9_outside. Save your changes.

Inbound Routes. We're also going to abbreviate the inbound routes tutorial just to get you going quickly today. The idea here is that you can have multiple DIDs (phone numbers) that get routed to different extensions or ring groups or departments. For today, we recommend you first build a Ring Group with all of the extension numbers you have created. Once you've done that, choose Inbound Routes, leave all of the settings at their default values and move to the Set Destination section and choose your Ring Group as the destination. Now click Submit and save your changes. That will set up a default incoming route for your calls. As you add bells and whistles to your system, you can move the Default Route down the list of priorities so that it only catches calls that aren't processed with other inbound routing rules.

General Settings. Last, but not least, we need to enter an email address for you so that you are notified when new FreePBX updates are released. Scroll to the bottom of the General Settings screen after selecting it from the left panel. Plug in your email address, click Submit, and save your changes. Done!

Adding Plain Old Phones. Before your new PBX will be of much use, you're going to need something to make and receive calls, i.e. a telephone. For today, you've got several choices: a POTS phone, a softphone, or a SIP phone. Option #1 and the best home solution is to use a Plain Old Telephone or your favorite cordless phone set (with 8-10 extensions) if you purchase a little device known as a Sipura SPA-3102. It's under $70. Be sure you specify that you want an unlocked device, meaning it doesn't force you to use a particular service provider. This device also supports connection of your PBX to a standard office or home phone line as well as a telephone.

Downloading a Free Softphone. Unless you already have an IP phone, the easiest way to get started and make sure everything is working is to install an IP softphone. You can download a softphone for Windows, Mac, or Linux from CounterPath. Or download the pulver.Communicator or the snom 360 Softphone which is a replica of perhaps the best IP phone on the planet. Here's another great SIP/IAX softphone for all platforms that's great, too, and it requires no installation: Zoiper 2.0 (formerly IDEfisk). All are free! Just install and then configure with the IP address of your PBX in a Flash server. For username and password, use one of the extension numbers and passwords which you set up with freePBX. Once you make a few test calls, don't waste any more time. Buy a decent SIP telephone. Visit the PBX in a Flash Forum for lots of suggestions on telephones. Our personal favorite and the phone that PBX in a Flash officially supports is the Aastra 57i or 57iCT which also includes cordless DECT phone. Do some reading before you buy.

A Word About Ports. For the techies out there that want "the rest of the story" to properly configure firewalls, here's a list of the ports available and used by PBX in a Flash:
TCP 80 - HTTP TCP 9080 - Duplicate HTTP TCP 22 - SSH TCP 9022 - Duplicate SSH TCP 9001 - WebMin UDP 10000-20000 - RTP UDP 5004-5082 - SIP UDP 4569 - IAX2 UDP 2727 - Media Gateway

Where To Go From Here. The PBX in a Flash script repository at pbxinaflash.org also has gotten a facelift. That should be your next stop because it is the home of all the goodies that make PBX in a Flash shine. Tom King, the ultimate scripting guru, manages that site. So check it often. You'll also find all of our Nerd Vittles Goodies work with this new release. Most of our original collection work flawlessly with Asterisk 1.4 including AsteriDex, Yahoo News Headlines, Weather by Airport Code, Weather by Zip Code, Worldwide Weather Forecasts, Telephone Reminders, MailCall for Asterisk, and TeleYapper. We have not yet completed testing with Asterisk 1.6, but most should work. Complete documentation for each application also is provided at the link above. And, if you still have a DBT-120 Bluetooth adapter, you'll be happy to learn that it works out-of-the-box with PBX in a Flash on your new Everex Green PC. Dust off our recent article on Proximity Detection, and you should be in business in under 10 minutes. Enjoy!

Nerd Vittles Skype Gateway to Asterisk. If you haven't yet built your own Skype Gateway to Asterisk, you're missing a treat. To give you some idea of the flexibility of the gateway, pick up any Skype phone and call our Skype demo hotline: nerdvittles. It was a 5-minute project once the gateway was running.

Want a Bootable PBX in a Flash Drive? Our Atomic Flash bootable USB flash installer for PBX in a Flash has been quite the hit. Special thanks to all of our generous contributors! Atomic Flash provides all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and this USB flash installer in less than 15 minutes!

If you'd like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment with your best PBX in a Flash story.²

And it still isn't too late to make a contribution of $50 or more to the PBX in a Flash project and get a free Atomic Flash installer delivered to your door as our special thank you gift. See this Nerd Vittles article for details.

New Fonica Special. If you want to communicate with the rest of the telephones in the world, then you'll need a way to route outbound calls (terminations) to their destination. For outbound calling, we recommend you establish accounts with several providers. We've included two of the very best! These include Joe Roper's new service for PBX in a Flash as well as our old favorite, Vitelity. To get started with the Fonica service, just visit the web site and register. You can choose penny a minute service in the U.S. Or premium service is available for a bit more. Try both. You've got nothing to lose! In addition, Fonica offers some of the best international calling rates in the world. And Joe Roper has almost a decade of experience configuring and managing these services. So we have little doubt that you'll love the service AND the support. To sign up in the USA and be charged in U.S. Dollars, sign up here. To sign up for the European Service and be charged in Euros, sign up here. See the Fonica image which tells you everything you need to know about this terrific new offering. In addition to being first rate service, Fonica is one of the least expensive and most reliable providers on the planet.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won't get the special pricing! After the free hour of outbound calling, Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest...

Join the following line to the original line of code whenever you encounter the ↩ character. [↩]
This offer does not extend to those in jurisdictions in which our offer or your participation may be regulated or prohibited by statute or regulation. [↩]

Posted in Technology, Telephony by ward, Wednesday, March 4, 2009 2:24 pm Comments (8)

Tags: asterisk, piaf, security

Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

Here's a headline to wake up any CEO: "Small business gets $120,000 phone bill after hackers attack VoIP phone." News.com.au actually ran this story on January 20. "Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours... 115,000 international mobile calls were made using the small business's VoIP system over a six month period."

News Flash: Be sure to read our latest article introducing Travelin' Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.

For the latest Security Tips: See our most recent article.

Sad to say that folks install VoIP phone systems to save money and then completely ignore tried-and-true network security principles: hardening your system, regularly watching your logs, and periodically changing your passwords. If PBX in a Flash were a commercial offering, we'd probably keep much of what follows to ourselves and start touting our PBX systems as the only Asterisk® offering with Secure-Wrap™. That's not our world, of course, nor is it what open source is all about... which turns out to be both a blessing and a curse. We openly and jointly figure out ways to secure our Asterisk systems as well as those of our competitors. Then the bad guys get to read all about it and come up with new, more creative "solutions." The silver lining is there are millions of insecure Asterisk systems so the creeps typically move on to easier targets.

Today we'll walk you through our Top Ten Security Tips and Tricks. All of these can be implemented easily to harden your Asterisk PBX and lessen the chances of the bad guys transforming your VoIP system into a free, international payphone: you pay, they phone. In the process, we'll identify some common security blunders that accompany new system installs in hopes that you won't make the same mistakes. So let's start with the basics. If you plug your Asterisk PBX directly into the public Internet without carefully securing it, your chances of being hacked within the hour are pretty good.

Rule #1: Protect Your PBX With IPtables. PBX in a Flash systems are delivered with the IPtables firewall enabled. Leave it that way! If your Asterisk implementation doesn't have IPtables support, demand that it be added immediately or ask for assistance in adding it yourself. There is no reason not to use a freely available, open source firewall, period! And there are many good tools including WebMin (also included in PBX in a Flash distributions) to get it configured properly. With PBX in a Flash, all of the grunt work has been done for you.

Firewalls, of course, are only as good as the set of rules defined to secure your system. So only activate ports that are absolutely essential to run your PBX. For an excellent review of the ports that are opened by default in PBX in a Flash systems, see Joe Roper's summary. Think of an activated port as a hole in the dike. The more holes you add, the less secure your PBX will be. We'll leave it to you to count the holes in the dike if you choose to run your PBX without IPtables enabled. Our rule of thumb for PBX security goes something like this. If you don't need web access to your PBX, don't open ports 80 and 9080. If you don't need SSH, FTP, FOP, or WebMin access to your PBX, don't enable those ports. Better yet, don't even turn those services on unless there is a pressing need.

All of the IPtables rules are stored in /etc/sysconfig/iptables. Don't edit this file unless you know what you're doing. If you need help with the rules, post a question on the PBX in a Flash Forum. Typical response time on posted questions is under an hour on our forum. And don't forget to restart IPtables if you make changes to any of the rules: service iptables restart.

Rule #2: Protect Your PBX With A Hardware-Based Firewall. If one firewall is good protection, two firewalls are even better. As much as NAT-based firewall/routers get a bad rap, the extra layer of protection that a $50 hardware-based firewall/router delivers cannot be overstressed. Think of the software-based firewall as the tool of choice to secure your PBX on your internal LAN while the hardware-based firewall secures your system on the public Internet. We recommend the dLink WBR-2310 for home and SOHO use. It provides a reliable NAT-based router, a firewall, and excellent WiFi capability for under $50. If you've got some spare change, step up to one of dLink's Gaming Routers which we happen to use. They provide all the tools you'll need to prioritize your VoIP traffic. As with Rule #1, only open and redirect ports that are absolutely essential to use your PBX.

Rule #3: Safeguard Against Random Password Hacks. There is no better tool to protect your PBX from random password attacks than Fail2Ban 0.8.3. Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful password attempts. It updates IPtables rules to reject those IP addresses for a period of time that you can set in /etc/fail2ban/jail.conf. Originally PBX in a Flash systems were shipped with an earlier version of Fail2Ban that provided only minimal protection. If your system doesn't include the jail.conf file above, you still have the older version. Simply run our update script to get the current release:
cd /root mkdir fail2ban cd fail2ban wget http://pbxinaflash.net/source/fail2ban/fail2ban-update chmod +x fail2ban-update ./fail2ban-update service fail2ban restart

As was true with IPtables, Fail2Ban is only as good as the rules which are defined to identify failed password attempts on your system. On PBX in a Flash systems, we now protect against web, FTP, SSH, SIP, and IAX password attempts.

If your particular Asterisk implementation lacks Fail2Ban support, you're missing a critically important (free) tool to safeguard your system from random password attacks against SSH and your protected web sites as well as your SIP and IAX extension passwords. For tips on installation, review our script that is available on this thread in the PBX in a Flash Forum.

Rule #4: Narrow Access With IP Address Restrictions. Security privileges in the U.S. government are based upon a "need to know." It's pretty simple. If you don't have a need to know the information to perform your duties, you don't get the privilege. You can use a similar technique to secure your PBX by implementing IP address restrictions. For example, if all of your extensions are housed on a private subnet of your internal LAN, then there is no reason to allow Internet access to those extensions. Similarly, for extensions outside your local network, you now can hardcode the IP address into the extension to restrict access. To implement this with Asterisk and FreePBX-based systems, you'll first need to upgrade FreePBX to at least version 2.5.1.1. Once you've upgraded, go into each extension and enter either an IP address or an IP subnet for that extension in the permit field. For an IP address, the syntax is 192.168.0.44/255.255.255.255. For an IP subnet, the syntax would look like this: 192.168.0.0/255.255.255.0. This one tip would have been worth $120,000 to the Australian company referenced above. Yes, consultants can be worth their weight in gold.

If you're as absent-minded as we are, you don't want to have to worry about remembering this each time you add a new extension to your system. So it's quite simple to change the default permit entry from 0.0.0.0/0.0.0.0 to the subnet mask of your LAN. Then you only have to adjust this entry whenever you add an extension which is not on your internal LAN. For example, if your LAN subnet is 192.168.0, then we want to replace the default entry with 192.168.0.0/255.255.255.0. The file to edit is /var/www/html/admin/modules/core/functions.inc.php. Just search for $tmparr['permit'] in BOTH the iax2 and sip sections of the file and make the value substitution preserving the single quotes on both sides of your new entries.

You also can implement both password and IP address restrictions to limit web access to your server. With Apache web servers, this is done through .htaccess files and directory restrictions in your Apache config files. On PBX in a Flash systems, htaccess password restrictions now are the default setup in all of our builds. Suffice it to say, if you can access the /admin directory on your web site from the Internet without being prompted for a password, your site probably has been compromised. Keep in mind that these passwords get cached so be sure you have cleaned out your browser cache before having a heart attack. Better yet, try this from a browser you don't ordinarily use (such as the one on your cellphone).

For additional security, you can further restrict access to your web directories by adding a list of authorized IP addresses to the .htaccess file in each subdirectory. Here's what an .htaccess file with IP address restrictions might look like. The first Allow entry is the private LAN subnet, the second is a remote site, and the third is the Hamachi VPN subnet mask:
Deny from All Allow from 192.168.0 Allow from 68.218.222.70 Allow from 5.67

Rule #5: Don't Use 'Normal Ports' for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you've done. Read that last sentence again. It's important! With a hardware-based firewall such as the WBR-2310, this is incredibly easy. dLink calls them Virtual Servers. Here is a typical entry:
HTTP 192.168.0.150 TCP 80/2319 Allow All Always
You can simply redirect common ports to different ports for Internet access. Don't do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. For example, port 80 typically is the default web server port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) web access, simply remap TCP port 80 to some obscure port and change it periodically. For example, you might redirect TCP port 80 to port 2319. Once the setting is saved, you access the web site with a browser entry like this: http://pbx.mydomain.com:2319/. Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don't use these numbers obviously! Make up your own. The key here is that 5 minutes work every month will keep web access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 80 every night while you're sleeping. Incidentally, most of these routers also will let you block access to certain ports during certain hours of the day. If you're sleeping, there's really not much need to provide SSH and web access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world's best crackers reside in countries where daytime happens to be nighttime in the United States.

Rule #6: Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our wild-assed guess (WAG) is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn't Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. The first five rules would have protected most Asterisk systems. But our WAG on the number of Asterisk PBX's that have implemented all five rules above would be less than one in a thousand. Part of that is because some of these tools weren't readily available until recently. But part of it is because most of us are just plain L-A-Z-Y.

Really secure passwords really do matter. And it's more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, make certain it has a really, really secure password. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). You've been warned. It's your phone bill and bank account!
<end of sermon>

Rule #7: Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn't begin to describe some of what lies under the FreePBX covers. Make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.

Our rule of thumb on Internet web accessibility to an Asterisk PBX goes like this. Don't! But, if you must, build as many layers of protection as possible to assure that your system is not compromised. If the bad guys get into FreePBX, the security of your PBX has been compromised... permanently! This means you need to start over with all-new passwords by installing a fresh system. You simply cannot fix every possible hole that has been opened on a FreePBX-compromised system!

Rule #8: Implement VPNs for PBX Systems. PBX in a Flash has provided simple install scripts to deploy Hamachi VPNs on all of our current systems. Hopefully, the other aggregations will do likewise. In addition, we offer turnkey VPN in a Flash systems which provide this functionality out of the box. VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. We now are exploring other VPN solutions which would facilitate the use of VPN-enabled telephones such as the new offerings from SNOM.

Rule #9: Check Your Logs Every Day. We're still dumbfounded by the following quote from the article above: "115,000 international mobile calls were made using the small business's VoIP system over a six month period." Six months and they never checked their call logs? Sounds like they earned this phone bill. FreePBX provides an incredibly simple way to review your call logs. Click the Reports tab at the top of the screen and look at the bar graph showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day! It also should be noted that Ethan Schroeder has released a beta of some new monitoring software which will provide more granular monitoring of daily call volumes. For additional information or to participate in the beta, visit this link.

Rule #10: Do Some Reading... Regularly. No security implementation is complete without a little regular effort on your part: reading. If you're going to manage your own network or PBX, then you need to keep abreast of what's happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the trixbox Forum, and the FreePBX Forum. Aside from reviewing your call logs, it's the best 15 minutes you could spend to safeguard your system. We also have an RSS Feed which includes security alerts.

Update #1: Be sure to read this great new article. It has two fresh ideas for securing your system!

Update #2: Please also read this Nerd Vittles Alert about FreePBX backdoors and default passwords that was published on April 15, 2011.

Some Other Suggestions. A couple other suggestions come to mind that don't involve securing your PBX per se but nevertheless will lessen your exposure in the event of a security breach. First, if your usual calling patterns don't involve international calling or if they're limited to one or two countries, tighten up your outbound dialplan and restrict calling to countries that you actually need. It can always be changed when the need to call elsewhere arises. Second, if you use pay-as-you-go providers, never use credit card auto-replenishment. Instead, add funds periodically using the provider's web interface. The advantage of this is that, if someone does manage to break into your system, your loss will be limited to the current balance in your provider account. You'll not only save a lot of money, but you'll also get a notification that something has gone horribly wrong. Finally, a forum user mentioned one we had overlooked. If you have a mix of POTS and VoIP lines, don't put the POTS lines in the default outbound pool for toll calls. This could potentially save you lots of money.

Continue Reading Part II: The VoIP WhiteList for IPtables...

Got Some Other Ideas? 50,000 heads always are better than one when it comes to network security. If there are things we've missed, take a minute to post a comment. It'll help all of us keep our systems more secure. Good luck!

Digium® Weighs In. Since this article first appeared, Digium has released its own set of tips on SIP security. By all means, have a look!

Security Alert of the Week. A trixbox user yesterday reported that he had discovered a rootkit exploit on his server. You ~~can~~ could read all about it here. The 6:03 a.m. (California time) post mysteriously disappeared a few hours later... soon after the trixbox staff got to work. Another darn computer failure according to Fonality staff. We've attempted to recreate the information from Google snippets. And here's a simple test to see if you have a similar rootkit problem:
ls -all /sbin/init.zk

Want a Bootable PBX in a Flash Drive? Our bootable USB flash installer for PBX in a Flash will provide all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and our flash installer in less than 15 minutes!

If you'd like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment with your best PBX in a Flash story.¹

Be sure to include your real email address which will not be posted. The winner will be chosen by drawing an email address out of a hat (the old fashioned way!) from all of the comments posted over the next couple weeks. All of the individuals whose comments were used in today's story will automatically be included in the drawing as well. Good luck to everyone and Happy New Year!!

Some Recent Nerd Vittles Articles of Interest...

This offer does not extend to those in jurisdictions in which our offer or your participation may be regulated or prohibited by statute or regulation. [↩]

Posted in Microsoft PCs, Technology by ward, Tuesday, January 27, 2009 4:54 am Comments (18)

Tags: asterisk, creeps, disa, fail2ban, firewall, iptables, passwords, piaf, security, tips, voip

Now Visiting:
Help the Nerdy
Links

Categories
- General
- Photography
- Technology
  - Apple Macs
  - Audio
  - Blogs
  - Cellular
  - Home Automation
  - Internet/Web
  - Microsoft PCs
  - MP3 Devices
  - Networking
  - Office Automation
  - Smartphones
  - Streaming Devices
  - Telephony
  - TiVo/ReplayTV
  - Video
  - Wi-Fi
Search
Tagcloud
android appliance asterisk backup best phone bootable flash Cellular centOS cepstral cloud computing email enum fax firewall flite freenum freepbx gizmo google voice IncrediblePBX ipad iptables ivr music Networking openvz orgasmatron pbx piaf proxmox security sip sip phone skype SMS Streaming Devices superfecta tts twitter virtualization vitelity vm voip vpn Wi-Fi

NerdsTwitter

Tweets by @NerdUno
Google Goodies
Click Here to Sign Up NOW!

Where in the World is NerdUno?

Where in the World Are You?

Woodbridge NJ US

Meta
Calendar

May 2013

S M T W T F S

« Apr

1 2 3 4

5 6 7 8 9 10 11

12 13 14 15 16 17 18

19 20 21 22 23 24 25

26 27 28 29 30 31
Site Stats

What Other Folks Are Reading

Ward Mundy's Technobabblelog

Download Incredible PBX Virtual Machine for Windows, Mac, Linux, and Solaris desktops. It's FREE!

Posts tagged: security

The Incredible PBX: Adding Remotes, Preserving Security

Orgasmatron 5.2: The Secure Swiss Army Knife for Asterisk

Is It Time to Get Your Buzz On?

Welcome to IP Country: A New Layer of Asterisk Security

Introducing PBX in a Flash 1.4: The Lean, Mean Asterisk Machine

Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

Now Visiting:

Help the Nerdy

Links

Categories

Search

Tagcloud

Google Goodies

Meta

Calendar

Site Stats

May 2013
S	M	T	W	T	F	S
« Apr
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

Nerd Vittles

Ward Mundy's Technobabblelog

Download Incredible PBX Virtual Machine for Windows, Mac, Linux, and Solaris desktops. It's FREE!

Posts tagged: security

The Incredible PBX: Adding Remotes, Preserving Security

Orgasmatron 5.2: The Secure Swiss Army Knife for Asterisk

Is It Time to Get Your Buzz On?

Welcome to IP Country: A New Layer of Asterisk Security

Introducing PBX in a Flash 1.4: The Lean, Mean Asterisk Machine

Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security

Now Visiting: var wau_p = wau_p || []; wau_p.push(["zwh5", "a07dce26", false]); (function() { var s=document.createElement("script"); s.type="text/javascript"; s.async=true; s.src="http://widgets.amung.us/a_pro.js"; document.getElementsByTagName("head")[0].appendChild(s); })();

Help the Nerdy

Links

Categories

Search

Tagcloud

Google Goodies

Meta

Calendar

Site Stats

Now Visiting: