Posts tagged: security

Sleep Like a Baby: 20 Failsafe Tips to Enhance Asterisk PBX Security

We often tell the tale of the early Asterisk@Home days when almost every server was configured with no firewall, unlimited web access, and a 201 extension with a password of either 201 or 1234. What could possibly go wrong? Remember this Monday morning newspaper headline? “Small business gets $120,000 phone bill after hackers attack VoIP phone.” News.com.au ran this story back in 2009: “Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours… 115,000 international mobile calls were made… over a six month period.”

Much has changed over the past ten years in Asterisk® Land. And, to get everyone in the football mood, today we want to do a little sofa quarterbacking and take a fresh look at security applying some 20-20 hindsight to everything we’ve all learned over the years. Whether you’re running PBX in a Flash or Incredible PBX in your basement or on a virtual machine in the cloud somewhere, security matters and the checklist that follows hopefully will assist everyone in tightening up your systems so that you or your company aren’t the next headline waiting to happen.

PBX in a Flash Security Alert: Run upgrade-programs then upgrade-fixes to secure your server today!

1. Review PIAF Security Alerts Daily. We devote a lot of time to making sure PBX in a Flash and Incredible PBX are secure. But stuff happens! For privacy and security reasons, we don’t push fixes to your server. You have to go get them. If you never see the alerts, our attention to security is for naught. Here are 3 Easy Ways to Keep Informed:

  1. Subscribe to the PBX in a Flash RSS Security Feed
  2. Follow @NerdUno on Twitter
  3. Review the RSS Feed in the PIAF Dashboard with a browser

Every security alert has a link to a solution. Finally, visit the PIAF Forums and click on the What’s New link. It only takes a minute to scan the list for security issues.

2. Hardware-Based Firewall Protection. Unless your PBX is operating on a shared server in the cloud, always run it on a private LAN behind a hardware-based firewall with no Internet port exposure. The one exception would be for those with remote telephone extensions, and we’ll get to that in a minute. The cheapest consumer grade router/firewall provides more security for your server than all of the other security mechanisms combined. Use it!

3. The Linux iptables Firewall. All PBX in a Flash and Incredible PBX servers have the iptables firewall in place. With PBX in a Flash, you have to configure it yourself unless you deploy Travelin’ Man 3. With Incredible PBX, iptables is preconfigured if you opt to install Travelin’ Man 3 as part of the installation process. It doesn’t do much good to have iptables if it’s not functioning. So check it regularly and especially after rebooting your server. On CentOS-based systems, issue the command: iptables -nL. On the Raspberry Pi, type: iptables-save. You should see a list with a lot of permitted IP addresses for preferred providers. If not, restart iptables and then check it again. To restart iptables on CentOS: service iptables restart. On the Raspberry Pi, issue the command: iptables-restore /etc/network/iptables. If you discover that your iptables firewall was not functioning and you’re running PBX in a Flash or Travelin’ Man 3, a security alert has been issued to address the problem. You can get the security fix here.

4. IP Address Filtering. Even with remote phones and dynamic IP addresses, it often is relatively easy to narrow down the range of permissible IP addresses that should have access to your server. With the Linux iptables firewall, you can implement dynamic DNS FQDNs for your remote users. With many hardware-based firewalls, you can’t. But often you can limit remote access to a range of IP addresses. A little protection is still better than none. With a hardware-based firewall, these IP address ranges usually can be changed via web access to your firewall. The minute it takes to make necessary changes is well worth the effort. Just make sure your hardware-based firewall has a long password with upper and lower case letters as well as numbers and non-alphanumeric characters if your firewall supports them.

5. Fail2Ban Access Monitoring. On PBX in a Flash and CentOS-based Incredible PBX servers, fail2ban is activated to limit access attempts to protected resources such as SIP extensions, SSH, and Apache. It is not infallible, particularly in this age of megaservers such as Amazon’s S3 service. Because fail2ban reads your logs looking for failed login attempts, it can be defeated by powerful servers making thousands of simultaneous access attempts, because fail2ban never gets sufficient Linux resources to read the logs and block access. It’s better than nothing, but not by much.

6. Deploy WhiteLists for Remote Access. If your server is in the Cloud (meaning it is directly exposed to the Internet) or if you have remote extensions directly connected to your server, your primary line of defense against the bad guys is your iptables firewall. We’ve tried many designs with the objective of letting the good guys in while keeping the bad guys out. The one failsafe solution is IP address WhiteLists. What this means is, if an IP address is listed as safe in iptables, then connections to certain resources from that IP address are permitted. Otherwise, your server remains invisible to the outside world. We have a couple of tools to assist you in setting this up. Travelin’ Man 2 lets authorized users manage their remote IP addresses themselves through a simple browser interface to your server. Travelin’ Man 3 lets a system administrator manage remote IP addresses using both permitted IP addresses and fully-qualified domain names. In the case of remote users with dynamic IP addresses, DynDNS management tools can be deployed on Macs, Windows machines, and Android devices to automatically update FQDNs used in conjunction with Travelin’ Man 3. As noted previously, a security alert has been issued with Travelin’ Man 3. You can get the security fix here.

7. Remote Access with User Agent Knocking. A new approach to remote user access uses a derivative of the original Sunshine Networks port knock utility. With jeffmac’s new design, you define a customized “User Agent” string on your remote phones and then define iptables rules that permit access from SIP devices that attempt server connections using one of these obscure user agent strings. Here’s how to deploy it. To use this approach you’ll need remote phones that permit customization of the user agent string or that have sufficiently obscure, predefined user agent strings that wouldn’t lend themselves to dictionary-style, brute force hacking attempts by the bad guys.

8. Implement VPNs for PBX Systems. There are install scripts for PBX in a Flash to deploy a NeoRouter VPN or a PPTP VPN. Either or both of them can be installed and configured in minutes! VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. Encourage remote users to deploy softphones on their Windows and Mac machines, and use secure, VPN access to connect to your server using these softphones.

9. Don’t Use ‘Normal Ports’ for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you’ve done. Read that last sentence again. It’s important! With a hardware-based firewall, this is easy. dLink routers call them Virtual Servers. Other routers have similar functionality. Here is a typical entry:

HTTP 192.168.0.150 TCP 22/2319 Allow All Always
This entry redirects a specified port to a different port for Internet access. Don’t do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. WE STRONGLY DISCOURAGE EVER OPENING HTTP ACCESS TO YOUR SERVER FROM THE INTERNET. But you may need SSH access from remote locations. For example, port 22 typically is the default SSH port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) SSH access, simply remap TCP port 22 to some obscure port and change it periodically. For example, you might redirect TCP port 22 to port 2319. Once the setting is saved, you access SSH like this from the Internet: ssh -p 2319 root@pbx.mydomain.com. Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don’t use these numbers obviously! Make up your own.

The key here is that 2 minutes work every month will keep SSH access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 22 every night while you’re sleeping. As previously mentioned, most of these routers also will let you block access to certain ports during certain hours of the day. If you’re sleeping, there’s really not much need to provide SSH access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world’s best crackers reside in countries where daytime happens to be nighttime in the U.S.

10. Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our guess is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn’t Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. It may seem obvious but really secure passwords really do matter. And it’s more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, multiply this advice by 10. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). Remember, it’s your phone bill.

11. Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn’t begin to describe some of what lies under the FreePBX covers. While the FreePBX Dev Team is vigorously rewriting much of this old code, some of it still lingers. Our recommendation is to make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.

Our rule of thumb on Internet web accessibility to any Asterisk PBX goes like this. Don’t! And, for FreePBX web access from the Internet. Never! If the bad guys ever get into FreePBX, the security of your PBX has been compromised… permanently! This means you need to start over with all-new passwords and install a fresh system. You can’t fix every possible hole that has been opened on a FreePBX-compromised system!

12. Choosing VoIP Providers. So long as you use reputable VoIP providers that support registration of your SIP and IAX accounts, NO INTERNET PORT EXPOSURE TO YOUR SERVER IS EVER REQUIRED! If a VoIP provider doesn’t support SIP/IAX account registration, don’t use them! Add your public and private IP addresses in FreePBX’s Asterisk SIP Settings module to eliminate one-way audio issues.

13. Never Activate Auto-Replenishment. If you’re using VoIP providers that you pay by the minute, do your wallet a favor. Never, ever activate auto-replenishment on your accounts. By manually controlling the money flow to your accounts, you automatically insulate yourself from a huge phone bill. If something does come unglued, your financial exposure is limited to the preauthorized amount in each of your VoIP provider accounts.

14. Tighten Up International Calling. Almost every VoIP provider gives you the option of restricting international calls. If you don’t make international calls, use it! If you do make international calls, implement Outbound Routes in your FreePBX® dial plan with designated country codes. If you never call Africa, China, or cruise ships in international waters, make sure your dialplan doesn’t allow these calls.

15. Time of Day Calling Restrictions. Whether your server is for business or home use, time of day restrictions can save you a bundle. If remote telephone extensions are a must have for your server, chances are that those extensions don’t place calls in the middle of the night. Almost every hardware-based router/firewall allows creation of time of day rules for access. Implement these restrictions to minimize exposure to those that are hacking while you’re sleeping.

16. Minimize Simultaneous Calls. Especially with pay-as-you-go VoIP providers, often there is no limit to the number of simultaneous calls that can be placed from a trunk on your server. If someone manages to gain access to your accounts or your server, that can be really bad news. Some providers offer tools to restrict the number of simultaneous calls that can be placed. Take advantage of it to limit your financial exposure. Similarly, FreePBX includes a Maximum Channels option when you configure a Trunk. Don’t leave it blank. Set it to what you need to meet your needs.

17. Outbound Route Passwords. For outbound routes to international numbers and 900 numbers, always take advantage of the FreePBX Outbound Route option to prompt for a password. Just enter a numeric Route Password when you configure these outbound routes, and FreePBX will handle the rest.

18. IP Address Filtering with Asterisk Extensions. With the number of Asterisk SIP vulnerabilities reported over the years, suffice it to say IP address filtering at the Asterisk extension level is not something you should rely upon exclusively to protect your server. But it’s better than nothing. And, when used in conjunction with the other security mechanisms we’ve outlined, it provides another layer of security for your server. The extension setup in FreePBX includes the permit field which can be used to limit connections to a particular extension based upon an IP address or range of IP addresses. In addition, Travelin’ Man 2 deploys additional permit tables using an include list in sip_custom_post.conf in conjunction with include files for specified extensions, e.g. 701.inc, to define additional authorized IP addresses.

To restrict an extension to a private LAN, add a FreePBX extension entry in permit like this: 192.168.0.0/255.255.255.0. Then you can broaden this restricted access with specified WhiteList addresses using an include file in /etc/asterisk that looks like this:

[701](+)
permit=150.155.90.143/255.255.255.255

You, of course, would also have to authorize the specified IP address in your iptables configuration as well. That’s essentially how Travelin’ Man 2 works.

19. Check Your Logs Every Day. We’re still dumbfounded by the following quote from the article we cited above: “115,000 international mobile calls were made using the small business’s VoIP system over a six month period.” Six months and they never checked their call logs? FreePBX provides an incredibly simple way to review your call logs. Click the CDR Reports link and look at your call log showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day!

20. Do Some Reading… Regularly. No security implementation is complete without a little regular effort on your part: reading. If you’re going to manage your own network or PBX, then you need to keep abreast of what’s happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the FreePBX Forum, and Asterisk News. Aside from reviewing your call logs, it’s the best 15 minutes you could spend to safeguard your system.
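
For the daily log review in tip 19, the same per-day call count and combined call length can be produced from the command line and flagged automatically. This is an added example, not part of the original article or of FreePBX; it assumes Asterisk also writes the standard cdr_csv Master.csv file, and the sample records, the international prefixes (011, 00, +) and the quiet-hours window (before 06:00) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: per-day CDR summary for a
# daily toll-fraud review. Column order assumed from Asterisk's cdr_csv
# Master.csv: 2=src 3=dst 10=start 14=billsec.

# Constructed sample records. On a live server pass the real file instead,
# e.g. /var/log/asterisk/cdr-csv/Master.csv (path assumed, check your setup).
sample_cdr() {
cat <<'EOF'
"","201","18005551212","from-internal","""Front Desk"" <201>","SIP/201-0001","SIP/trunk-0002","Dial","SIP/trunk/18005551212,300","2012-09-29 10:15:02","2012-09-29 10:15:09","2012-09-29 10:17:09",127,120,"ANSWERED","DOCUMENTATION"
"","202","201","from-internal","""Smith, Pat"" <202>","SIP/202-0003","SIP/201-0004","Dial","SIP/201,20","2012-09-29 14:02:11","2012-09-29 14:02:15","2012-09-29 14:03:00",49,45,"ANSWERED","DOCUMENTATION"
"","201","0119995550101","from-internal","""Front Desk"" <201>","SIP/201-0005","SIP/trunk-0006","Dial","SIP/trunk/0119995550101,300","2012-09-30 02:11:40","2012-09-30 02:11:50","2012-09-30 02:22:00",620,610,"ANSWERED","DOCUMENTATION"
"","201","0119995550102","from-internal","""Front Desk"" <201>","SIP/201-0007","SIP/trunk-0008","Dial","SIP/trunk/0119995550102,300","2012-09-30 02:11:55","2012-09-30 02:12:05","2012-09-30 02:22:05",610,600,"ANSWERED","DOCUMENTATION"
"","201","0119995550103","from-internal","""Front Desk"" <201>","SIP/201-0009","SIP/trunk-0010","Dial","SIP/trunk/0119995550103,300","2012-09-30 02:12:10","2012-09-30 02:12:20","2012-09-30 02:22:00",590,580,"ANSWERED","DOCUMENTATION"
"","202","18005551212","from-internal","""Smith, Pat"" <202>","SIP/202-0011","SIP/trunk-0012","Dial","SIP/trunk/18005551212,300","2012-09-30 09:30:00","2012-09-30 09:30:05","2012-09-30 09:30:35",35,30,"ANSWERED","DOCUMENTATION"
EOF
}

# Usage: cdr_daily_summary MAX_INTL [FILE...]
# Prints one line per day; appends REVIEW when the day has more than
# MAX_INTL international calls or any call placed before 06:00.
cdr_daily_summary() {
  max_intl=$1; shift
  awk -v max_intl="$max_intl" '
  # Split one CSV record into f[1..n], honouring quoted commas and "" escapes.
  function split_csv(line, f,    n, i, c, inq, cur) {
    n = 1; cur = ""; inq = 0
    for (i = 1; i <= length(line); i++) {
      c = substr(line, i, 1)
      if (inq) {
        if (c == "\"") {
          if (substr(line, i + 1, 1) == "\"") { cur = cur "\""; i++ }
          else inq = 0
        } else cur = cur c
      } else if (c == "\"") inq = 1
      else if (c == ",") { f[n++] = cur; cur = "" }
      else cur = cur c
    }
    f[n] = cur
    return n
  }
  {
    split("", f)                               # clear fields of previous row
    if (split_csv($0, f) < 14) next            # skip malformed rows
    day = substr(f[10], 1, 10)
    hour = substr(f[10], 12, 2) + 0
    calls[day]++
    secs[day] += f[14]
    if (f[3] ~ /^(011|00|\+)/) intl[day]++     # assumed international prefixes
    if (hour < 6) night[day]++                 # assumed quiet hours
  }
  END {
    for (d in calls) {
      flag = ((intl[d] + 0) > (max_intl + 0) || (night[d] + 0) > 0) ? " REVIEW" : ""
      printf "%s calls=%d billsec=%d intl=%d night=%d%s\n",
             d, calls[d], secs[d], intl[d], night[d], flag
    }
  }' "$@" | sort
}

# Demo on the constructed records, allowing zero international calls per day.
sample_cdr | cdr_daily_summary 0
```

Run it from cron against the real file and mail yourself any line ending in REVIEW.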

Originally published: Monday, October 1, 2012




Travelin’ Man 3: Securing a PBX in a Flash or VoIP in the Cloud Server

UPDATE: Be sure to read about the latest enhancement to Travelin' Man 3 here.

We're big fans of playing with our own VoIP hardware. It has the advantage of allowing the installation of everything behind a secure, hardware-based firewall thereby eliminating almost all of the security issues associated with VoIP telephony. With PBX in a Flash™ and its Zero Internet Footprint™, you can run a secure VoIP server in your home or office with no port exposure to the Internet. This setup, of course, assumes that you have the necessary bandwidth to support Internet telephony and that you possess the necessary skill set to maintain your own Linux® server running Asterisk®, FreePBX®, Apache®, SendMail®, PHP®, and on and on. Not everyone does. And, of course, there are thousands of organizations in which employees and their phones are not colocated with the home office VoIP communications server. And, believe it or not, there are folks that run their VoIP server on the public Internet without any firewall protection. For all of you, today's your lucky day.

Lest you think that we've bitten off more than we can chew, we want to acknowledge the dozens of thought-provoking comments on the PIAF Forums that ultimately led to today's new release. That is the hidden beauty of open source development. So, thank you dad311, atsak, tbrummell, Hyksos, markieb, Ramblin, darmock, lowno, blanchae, bmore, vcallaway, jroper, mag, briankelly63, mbellot, phonebuff, The Deacon, Astrosmurfer, frontline, ou812, LostTrunk, lgaetz, kh40s, rossiv, and all of our other gurus that make the PIAF Forums a great place to learn something new every day.

Thanks to our good friends at RentPBX, who provide terrific technical and financial support to both Nerd Vittles and the PBX in a Flash project, you don't have to roll your own. And your phones can be anywhere because your communications server sits on the public Internet. If cost is a factor or for those outside the United States that need a U.S. presence to take advantage of services such as Google Voice, the $15 a month price point using the PIAF2012 coupon code makes RentPBX more than competitive with what it would cost you in electricity, Internet bandwidth, and hardware resources to do it yourself... minus the headaches. You get a stable PBX in a Flash or Incredible PBX platform from the git-go. In addition, issues of jitter and latency all but disappear from the VoIP equation because you can choose the site of your hosted PBX from a worldwide list of Internet POPs including five regions in the U.S. as well as Canada and Europe. Many sit within a few milliseconds of the Internet backbone.

What you don't have with a hosted PBX solution is a hardware-based firewall sitting between your server and the Big, Bad Internet. With PBX in a Flash, the risk is lessened because the IPtables Linux Firewall is baked into the fabric of PBX in a Flash. For a comprehensive overview of how IPtables works, read this article. It explains IPtables better than any book you could buy.

Today we're pleased to introduce Travelin' Man 3™, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce. We'll quickly cover the mechanics of this new IPtables methodology that allows you to secure your hosted PBX without compromising flexibility. The nitty gritty details of IPtables and firewalls we'll leave for you to explore at your leisure.

And, speaking of leisure, we always get the question: "Have you tested it?" For frequent readers of Nerd Vittles, you already know the answer. We eat our own dog food! In the case of Travelin' Man 3, we gave it a healthy workout just last week from the deck of the Carnival Fantasy as we passed by Cape Canaveral and in Key West with 4G service, and finally in several ports with WiFi access in the Bahamas. The beauty of the new design is you'll know instantly if it's not working because you'll never get your VoIP SIP phone to connect back to your VoIP server. We had zero problems using nothing more than an Android phone for both DynDNS updates and Bria SIP phone service. Being a pioneer isn't always easy, but... Somebody's gotta do it™.

Unlike previous iterations of Travelin' Man, version 3 lets you configure remote phone access from the server and keep one or hundreds of phones in sync even with changing IP addresses using dynamic DNS update software at the sites of the remote phones. Whether the site is a remote office or a floating hotel room, any PC or Mac whether it's a desktop or netbook can automatically manage the dynamic DNS updates while keeping all of the local phones securely connected to the VoIP Cloud. And any jail-broken iPhone can manage the updates as well. With Android phones, it's even better. You have your pick of several great apps: DynDNS Client, Dynamic DNS Client, or Dynamic DNS Updater. We've found the DynDNS Client to be nearly perfect. As we'll explain in a minute, this version of Travelin' Man is not compatible with prior versions so you'll need to choose either the manual methodology of previous iterations or version 3 which does it automagically.

A New Approach to WhiteLists. Our new approach to IPtables is to lock down your server using a WhiteList of safe IP addresses and fully-qualified domain names (FQDNs) that should be given access to your hosted VoIP server. Then we'll periodically check to see if the IP addresses associated with the FQDNs have changed and make the necessary adjustments automatically. If any intruder attempts to access any port on your PBX, their packets are simply discarded by IPtables so the bad guys never know your server exists.

We've experimented with BlackLists for VoIP security, and the bottom line is they just don't work because of inherent problems with reliability and completeness. You spend your entire day updating lists of the bad guys only to discover that they've morphed to thousands of new IP addresses. Think Whack-A-Mole. IP addresses can easily be changed, and zombies have made attacks from third-party PCs a daily occurrence. Earlier this month, Nerd Vittles was hit with a denial of service attack from 30,000+ zombie PCs. This was in spite of the fact that we already block well over 100,000 IP addresses with the world's finest blacklists. Now it's 130,000. Of course, none of the owners of these PCs had any idea how their computers were being used. I'm reminded of a famous judge's secretary who received a knock at her door one Sunday morning from the FBI. They informed her that she was using her computer to host porno movie downloads. I won't offend your tender sensibilities by repeating what she actually told those "young men."

There's also the problem of dynamic IP addresses which means an address that was used by a bad guy yesterday may be handed out by the same ISP to your grandma tomorrow. And it didn't take the bad guys long to poison blacklists with IP addresses that you actually need for services such as DNS or network time services. If you've ever had an IP address that ended up on one of the major blacklists, you know what a hassle it is to get your IP address unBlacklisted. The Soup Nazi has nothing on these folks.

Bottom Line: Public web sites are pretty much forced to use BlackLists because they want their sites to be generally accessible. With a VoIP server, we have the luxury of choice, and WhiteLists are much more effective for server security.

Overview. Our recommended design works like this. Block everything. Then permit packets from known hosts and non-routable IP addresses only, and limit known hosts to only the services they actually need. For example, a VoIP provider such as Vitelity that is providing a DID for your inbound calls doesn't need web access to your server. They need SIP and RTP access. Nothing more. The same goes for a remote user: SIP and RTP access so their SIP phone works. Nothing more. You, as Administrator, need complete access to the server but only from a specific, defined IP address. We, of course, don't want IPtables to have to inspect and filter every single packet flowing into and out of your server because that would bog things down. And we don't want users on your private LAN and remote users with dynamic IP addresses to have to wrestle with updating their phones just to stay connected. So, we've opened up all non-routable IP addresses and, once we've verified that a remote site is authorized access, then subsequent packets flowing into and out of the server for that IP address will be passed along without additional packet inspection. And once we set up the FQDN for a remote user, local dynamic DNS update clients can be used to automate the process of keeping IP addresses current. Then, every few minutes, we'll let your server check whether there's been a change in any users' dynamic IP addresses. If so, we'll simply refresh the IP addresses of all FQDNs using an IPtables restart to bring the phones back to life. To end users, The Phones Just Work™.
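
The design described above, written out as a default-deny ruleset in iptables-restore format built from a whitelist table. This is an added example, not Travelin' Man 3's own code; the whitelist file format, the host names and the port numbers (Asterisk's default SIP, RTP and IAX ports, plus SSH on 22) are assumptions.

```shell
#!/bin/sh
# Added example, not Travelin' Man 3's own code: build a default-deny
# iptables-restore ruleset from a whitelist table.
# Assumed input, one entry per line:  name  address-or-FQDN  svc[,svc...]
# Assumed services: sip-udp, sip-tcp, rtp, iax, ssh, all.

# Constructed whitelist; names, hosts and addresses are placeholders.
sample_whitelist() {
cat <<'EOF'
# name      address                  services
admin       203.0.113.25             all
provider1   sip.provider.example     sip-udp,rtp
roadphone   phone1.dyndns.example    sip-udp,rtp
EOF
}

# Reads the whitelist on stdin, writes the ruleset on stdout.
# Any invalid entry makes it print nothing and return 1 (fail closed).
build_whitelist_rules() {
  awk '
  BEGIN {
    port["sip-udp"] = "udp 5060"
    port["sip-tcp"] = "tcp 5060"
    port["rtp"]     = "udp 10000:20000"
    port["iax"]     = "udp 4569"
    port["ssh"]     = "tcp 22"
    n = 0; errors = 0
  }
  function reject(msg) { print "line " NR ": " msg > "/dev/stderr"; errors++ }
  /^[ \t]*(#|$)/ { next }                      # comments and blank lines
  {
    if (NF != 3) { reject("expected: name address services"); next }
    # Only characters valid in an IP, CIDR or host name may reach the ruleset.
    if ($2 !~ "^[A-Za-z0-9.:/-]+$") { reject("bad address " $2); next }
    out[++n] = "# " $1
    cnt = split($3, svc, ",")
    for (i = 1; i <= cnt; i++) {
      if (svc[i] == "all") {
        out[++n] = "-A INPUT -s " $2 " -j ACCEPT"
      } else if (svc[i] in port) {
        split(port[svc[i]], p, " ")
        out[++n] = "-A INPUT -s " $2 " -p " p[1] " -m " p[1] " --dport " p[2] " -j ACCEPT"
      } else {
        reject("unknown service " svc[i])
      }
    }
  }
  END {
    if (errors) exit 1                         # never emit a half-built ruleset
    print "*filter"
    print ":INPUT DROP [0:0]"                  # block everything by default
    print ":FORWARD DROP [0:0]"
    print ":OUTPUT ACCEPT [0:0]"
    print "-A INPUT -i lo -j ACCEPT"
    # Packets of already accepted flows skip the per-host rules below.
    print "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Non-routable (private LAN) ranges; remove to restrict LAN access.
    print "-A INPUT -s 10.0.0.0/8 -j ACCEPT"
    print "-A INPUT -s 172.16.0.0/12 -j ACCEPT"
    print "-A INPUT -s 192.168.0.0/16 -j ACCEPT"
    # Known hosts, each limited to the services listed for it.
    for (i = 1; i <= n; i++) print out[i]
    print "COMMIT"
  }'
}

# Demo: print the ruleset for the constructed whitelist.
sample_whitelist | build_whitelist_rules
```

The provider and the remote phone get SIP and RTP only, while the administrator's address is the single entry allowed to reach every service.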

Finally, a word about security for VoIP in the Cloud servers. If you run a virtual machine from any hosting provider with wide open access to SIP, IAX, and web services, it's just a matter of time before your server is going to be compromised, period! If you foolishly use credit card auto-replenishment for one or more of your hosting providers then you might as well mail a blank check to the bad guys and wait for them to cash it. Today's tools will take you less than a minute to permanently lock down your server. So... JUST DO IT™.

To give you some idea of how far the Android platform has come, here are a couple screenshots of our Samsung 4G Skyrocket smartphone running three simultaneous VoIP apps all day, every day: Bria SIP extension to our PIAF2 server in Charleston, CSipSimple extension to our RentPBX VM in California, and GrooveIP session with Google Voice. Try that on your 3G iPhone 4S.

We're officially releasing this for RentPBX users running PBX in a Flash or Incredible PBX 3™. These folks have been our pioneers for a very long time, and we like to take care of them first. Properly installed, Travelin' Man 3 should work fine on any PIAF™ or Incredible PBX system. We'll make a backup of /etc/sysconfig/iptables before replacing your IPtables setup with the PIAF default setup. It assumes ALL of your traffic is flowing on eth0. If that's not the case, don't use it without major modifications! We would hasten to add that Travelin' Man 3 is licensed as GPL2 open source software. So it's available NOW to everyone to use or to embellish as they see fit. We hope every provider of VoIP services offering virtual machines in the cloud as well as those without a hardware-based firewall to protect your Asterisk server will take advantage of the opportunity to customize and deploy this code for their particular IPtables environment. To paraphrase Bill Clinton: "It's your phone bill, stupid!"

Deploying Travelin' Man 3. Here's how to deploy Travelin' Man 3 on your server. In Step #1, we run secure-iptables. This locks down virtually all IP ports and services in the original IPtables configuration for PBX in a Flash to either the IP address or the FQDN of the administrator. Be advised that this setup uses the default ports for all PIAF services, e.g. SSH, WebMin, HTTP, etc. If you use custom ports, you'll need to modify the script accordingly. If the administrator is on the move or has a dynamic IP address on his or her desktop or notebook PC/Mac that will be used to administer the cloud server, then use an FQDN, not a static IP address, when you run secure-iptables.

Step #2 is automatic and is part of secure-iptables. It opens SIP and IAX port access for "trusted providers" such as Google, Vitelity, etc. This is covered in detail below. We also open accessibility from non-routable IP addresses. You obviously can close or limit private LAN access, if desired. We included it for the benefit of those running and administering PBX in a Flash on private LANs where internal security is not a concern.

In Step #3, we'll let you set up additional access for other providers, users, and phones. You get your choice of up to 9 separate services in addition to the whole enchilada, and each account gets a name and a file to keep track of the latest IP address entry: somename.iptables. These are stored in /root. Don't delete them! New accounts can be added using either a static IP address (add-ip) or an FQDN (add-fqdn). These accounts also can be deleted whenever necessary (del-acct). You can rerun secure-iptables whenever you like, but it automatically deletes all custom user accounts. Here's the list of services from which to choose. Mix and match as desired to meet your own requirements.

0 - All Services
1 - SIP (UDP)
2 - SIP (TCP)
3 - IAX
4 - Web
5 - WebMin
6 - FTP
7 - TFTP
8 - SSH
9 - FOP

Just a word of caution. IPtables stores its setup in /etc/sysconfig/iptables, but it actually runs from an image in memory on your Linux server. As part of the load process, IPtables converts all FQDNs stored on disk to static IP addresses. This speeds up firewall processing enormously. While it's possible to add IPtables rules in memory without writing them to disk (as in the original Travelin' Man design), don't do it with Travelin' Man 3! You will lose these settings whenever IPtables is restarted by running any of the above scripts or whenever a refresh of FQDN IP addresses becomes necessary. Whatever you do, never ever run the command: service iptables save. This command is used to write the IPtables entries in memory to disk. In doing so it writes only static IP addresses to disk. This will erase (a.k.a. ruin) your Travelin' Man 3 FQDN setup and force you to start over with Step #1. Otherwise, none of your FQDN's would ever get refreshed because they've all disappeared and become static IP addresses.

IPtables also has a major shortcoming IMHO. We support FQDNs in IPtables to make it more flexible. However, a failed FQDN during an IPtables restart will cause IPtables not to load at all. We have worked around this by adding our own restart command which you should always use: iptables-restart. You've been warned.

Locking Down Your Server. While there's still time, let's spend a minute and lock down your server to the public IP address of the PC that you use to administer the system. If you don't know the public IP address of the desktop machine you use to manage your server, then click on this link using a browser on that machine, and our web site will tell you the IP address.

Now log into your virtual machine as root using SSH and issue the following commands:

cd /root
wget http://incrediblepbx.com/travelinman3.tar.gz
tar zxvf travelinman3.tar.gz
yum -y install bind-utils
./secure-iptables

When prompted for the FQDN or IP address of your Administrator PC, use the FQDN if you have one. Otherwise, type in the IP address and press the Enter key. Agree to the terms of service and license agreement by pressing Enter. When the IPtables file displays, verify that you have typed your FQDN or IP address correctly, or you will lock yourself out of your own server. Press Ctrl-X to exit the editor, and then press Enter to update IPtables and save your new configuration.

NOTE: If you are running PBX in a Flash in a cloud environment, be sure to add an entry to Travelin' Man 3 with the IP address of your cloud server. ifconfig will tell you what the IP address is. To add the entry, issue the command: /root/add-ip cloud 12.34.56.78 using your actual cloud IP address.

WARNING: If you use an FQDN for your Administrator PC and it points to a dynamic IP address, be sure to also add this same FQDN using add-fqdn. Otherwise, IP address changes will not be detected, and you may lock yourself out of your own server.

Nobody can access your server except someone seated at your PC or on your private LAN with your login credentials. You can repeat this process as often as you like because each time the script is run, it automatically restores your original IPtables configuration. Now let's grant access to your SIP providers and those using remote SIP or IAX phones.

Using DynDNS to Manage FQDNs. The key ingredient with Travelin' Man 3 is automatic management of dynamic IP addresses. When a user or even the administrator moves to a different location or IP address, we don't want to have to manually adjust anything. So what you'll first need is a DynDNS account. For $20 a year, you can set up 30 FQDNs and keep the IP addresses for these hostnames current 24-7. For $30 a year, you can manage 75 hostnames using your own domain and execute up to 600,000 queries a month. That's more than ample for almost any small business but, if you need more horsepower, DynDNS.com can handle it. What we recommend is setting up a separate FQDN for each phone on your system that uses a dynamic IP address. This can include the administrator account if desired because it works in exactly the same way. When the administrator extension drops off the radar, a refresh of IPtables will bring all FQDNs back to life including the administrator's account. Sounds simple? It is.

Preparation. Before we make further modifications to IPtables in Step #3, let's make a list of all the folks that will need access to your VoIP Server in the Cloud. For each entry, write down the name of the person, server, or phone as well as the type of entity which needs server access. Then provide either the static IP address or FQDN for each entry. If one or more of your IP addresses are dynamic (meaning the ISP changes them from time to time), we'll cover managing dynamic IP addresses in a minute. For now, just make up a fully-qualified domain name (FQDN) for each dynamic IP address using one of the available DynDNS domains. For static IP addresses, use the FQDN or the IP address. HINT: FQDNs make it easy to remember which entry goes with which provider.

Make a list of your providers NOT in this list: Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. The providers listed above are already enabled in the secure-iptables setup script. We call them Trusted Providers only because we trust them and have personally used all of them. We consider them reliable folks with whom to do business. It doesn't mean others aren't. It simply means these are ones we have tested with good results over the years. The only providers you'll need to add are ones we haven't provided. Also be sure to check whether the FQDNs of the providers above cover the server for your account. If not, you'll need to manually add those FQDNs as well. Keep in mind that trusted providers will have full SIP and IAX access to your server so stick with tried-and-true providers for your own safety. The PBX in a Flash Forum and DSL Reports are good sources of information on The Good, The Bad, and The Ugly.

Finally, list with a name each phone that will be connected to an extension on your server. If you have 10 traveling salesmen, then you might want to name them all by last name and also provide FQDNs with their last names, e.g. smith.dyndns.org and jones.dyndns.org. No spaces or punctuation in names or FQDNs! We strongly recommend using FQDNs wherever you can because it means zero work for you when a provider changes an IP address. Here's the table we use:

Name
Type: Person, Provider, Server, Phone
IP Address Type: Static or Dynamic
FQDN or IP Address
Services Desired: SIP, IAX, Web, FTP, SSH, etc.

Step #3: Adding Authorized Users. Now take your list and add each account to your server while logged in as root and positioned in the /root directory. For static IP addresses, use add-ip. For dynamic IP addresses and FQDNs, run add-fqdn and plug in the FQDN for each account. When one of your accounts needs to be removed, just run del-acct from the /root folder on your server and plug in the name of the account to delete. If a user changes from a static IP address to a dynamic IP address or vice versa, just delete the user and then add them again with the new IP address or FQDN. All of the accounts are stored in /root and have names like this: name.iptables.

Step #4: Setting Up DynDNS Client Updates. There are actually two pieces in the Dynamic DNS update puzzle. At the end-user side, you need to deploy a DynDNS update client on the same subnet as the phone of your user. See the links above to download the update software you prefer. In the case of cellphones with SIP phone capability, this could be as simple as installing the DynDNS update client directly on the phone itself. Plug in your DynDNS credentials as well as the FQDN associated with the particular phone, and the rest is automatic.

Step #5: Setting Up IPtables Auto-Refresh. Finally, we need a way for your server to discover when a refresh of FQDNs becomes necessary because someone's IP address has changed. The simplest way to do this is to automatically run a simple script (ipchecker) that polls the DNS authoritative server to determine whether the dynamic IP address associated with an FQDN has changed. If so, we'll update the account.iptables file to reflect the new IP address and then restart IPtables. This will refresh all IP addresses associated with FQDNs. If all or most of your users spend time sleeping each day, you may wish to run the script only during certain (waking) hours of the day so your server has less of a load. The other consideration is how often to check. The guideline here is how long can any user live without their SIP phone being connected to your server. 10 minutes may be reasonable for some. 60 minutes may suffice for others. For us, it's 3 minutes. It's your choice. The way Travelin' Man 3 works is, whenever at least one account has an IP address change, it will trigger a restart of IPtables to do an IP address refresh for all of the FQDNs.

The top of the ipchecker script in /root looks like this:

#!/bin/bash

# Insert the account filenames to be checked below
# Remember to increment the account[#] for new entries

account[0]=larry.iptables
account[1]=curly.iptables
account[2]=moe.iptables

# ipchecker (c) Copyright 2012, Ward Mundy & Associates LLC.

You'll need to edit the script (nano -w /root/ipchecker) and modify the account[n] entries to reflect the actual FQDN account names you've created on your server that are associated with dynamic IP addresses only. You don't want to monitor accounts with static IP addresses or FQDNs that never get updated. When those extensions are off-line, it's not because their IP address changed, and restarting IPtables won't really help to improve the situation. Be sure to increment the account[n] array for each new account that you want to monitor and use the exact format shown in the example above. Before you enter an account in the script, display the contents of the file using cat /root/accountname.iptables. Make certain that the file includes BOTH an FQDN, then a space, and then an IP address. If not, delete the account (del-acct) and add it again using add-fqdn.

Once you've entered all of your accounts with dynamic IP addresses, save the script: Ctrl-X, Y, then Enter. Run the script manually now to be sure it works as you intended: /root/ipchecker. Be advised that typos that list accounts that don't exist will cause problems. Error checking consumes processing cycles by requiring additional queries so we've left it out. That means it's solely up to you to check your account names for accuracy. And, remember, only include accounts that have dynamic IP addresses with FQDNs.

Step #6: Automating FQDN Refreshes with Cron. Finally, you'll need to add an entry to the bottom of /etc/crontab using nano. If you wanted the script to run 24 hours a day at 10 minute intervals, here's the command:

*/10 * * * * root /root/ipchecker > /dev/null

If you wanted the script to only run between the hours of 8 a.m. and 9 p.m. (server time zone) at 10 minute intervals, then you'd use something like this:

*/10 8-21 * * * root /root/ipchecker > /dev/null

On our RentPBX complimentary account which we use while traveling, we actually set the interval to 3 minutes. Since the DNS lookups use dig, changes on Android phones using the DynDNS client are almost instantaneous even with automatic switching between WiFi and cellular service. Finally, be sure to type date on your server and verify which time zone your cloud server thinks it's in! Adjust the times in /etc/crontab accordingly.
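
One way to add the error checking that ipchecker leaves out, as an added example (not code from Travelin' Man 3): it validates each monitored account file, compares the stored address with a fresh lookup, and holds off a restart while any monitored FQDN fails to resolve, since a failed FQDN keeps IPtables from loading. The function names, the RESOLVER variable and the sample hostnames and addresses are assumptions; the file layout assumed is the "FQDN, space, IP address" format described above.

```shell
#!/bin/sh
# Added example, not part of Travelin' Man 3. Preflight for the account files
# that ipchecker monitors. Assumed format (from the article): first line is
# "FQDN<space>IPv4". All function names here are hypothetical.

# Default resolver shells out to dig (bind-utils). Set RESOLVER to any
# command or function that prints one IPv4 address for a hostname.
resolve_with_dig() {
    dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}
RESOLVER=${RESOLVER:-resolve_with_dig}

is_ipv4() {   # four dot-separated decimal octets, each 0-255
    echo "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }'
}

is_fqdn() {   # dotted hostname whose last label is alphabetic
    echo "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Print one status word for an account file:
#   MISSING | MALFORMED | UNRESOLVED | UNCHANGED | CHANGED <new-ip>
account_status() {
    as_file=$1
    if [ ! -f "$as_file" ] || [ ! -r "$as_file" ]; then echo "MISSING"; return 0; fi
    as_fqdn=""; as_ip=""; as_rest=""
    read -r as_fqdn as_ip as_rest < "$as_file" || true
    if ! is_fqdn "$as_fqdn" || ! is_ipv4 "$as_ip"; then
        echo "MALFORMED"; return 0      # e.g. a static-IP account or a typo
    fi
    as_now=$($RESOLVER "$as_fqdn") || true
    if ! is_ipv4 "$as_now"; then echo "UNRESOLVED"; return 0; fi
    if [ "$as_now" = "$as_ip" ]; then echo "UNCHANGED"; else echo "CHANGED $as_now"; fi
}

# Verdict for a set of account files (per-file detail goes to stderr):
#   HOLD    - a file is missing, malformed or its FQDN does not resolve
#   RESTART - every file is sane and at least one address has changed
#   NOOP    - every file is sane and nothing has changed
preflight() {
    pf_verdict=NOOP
    for pf_file in "$@"; do
        pf_status=$(account_status "$pf_file")
        echo "$pf_file: $pf_status" >&2
        case $pf_status in
            MISSING|MALFORMED|UNRESOLVED) pf_verdict=HOLD ;;
            CHANGED*) [ "$pf_verdict" = HOLD ] || pf_verdict=RESTART ;;
        esac
    done
    echo "$pf_verdict"
}

# Constructed sample data: a stub resolver standing in for DNS and three
# account files, so the demo runs offline.
demo_resolver() {
    case $1 in
        larry.dyndns.org) echo 203.0.113.10 ;;   # same as stored
        curly.dyndns.org) echo 198.51.100.7 ;;   # moved to a new address
    esac                                         # anything else: no answer
}

demo_preflight() {
    d=$(mktemp -d)
    echo "larry.dyndns.org 203.0.113.10" > "$d/larry.iptables"
    echo "curly.dyndns.org 203.0.113.11" > "$d/curly.iptables"
    echo "moe.dyndns.org"                > "$d/moe.iptables"    # IP missing
    RESOLVER=demo_resolver
    preflight "$d/larry.iptables" "$d/curly.iptables"   # RESTART
    preflight "$d"/*.iptables                           # HOLD
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo_preflight; fi
```

A HOLD verdict means fix or remove the offending account before anything restarts IPtables; only a RESTART verdict calls for the refresh.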

Be sure to check back here periodically for updates and follow the latest happenings about Travelin' Man 3 in this thread on the PIAF Forums. Enjoy!

Originally published: Thursday, March 29, 2012   Updated: April 19, 2014

UNLESS YOU DISCONTINUE USING FQDN'S WITH IPTABLES, IT IS ABSOLUTELY ESSENTIAL THAT YOU MONITOR YOUR SERVER DAILY IF YOU ARE RELYING EXCLUSIVELY UPON IPTABLES AS YOUR FIREWALL PROTECTION MECHANISM AND YOU ARE USING FQDN'S AS PART OF YOUR CENTOS SECURITY METHODOLOGY!




Need help with Asterisk? Visit the NEW PBX in a Flash Forum.


whos.amung.us If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what's happening. It's a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won't get the special pricing! Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest...

FreePBX Backdoor Passwords Pose Asterisk Security Threat

Whether it’s forgetting to change a default password or not removing an additional password that you didn’t even know existed, some new revelations this week about FreePBX security are worth a minute of your time. There’s more disappointing news. The bad guys are getting smarter and much more dangerous.
 

If you’re new to Asterisk®, FreePBX® is the terrific, web-based graphical user interface that turns Asterisk into a user-friendly PBX that even mere mortals can use. It is bundled as part of every Asterisk aggregation including PBX in a Flash, trixbox, Elastix, and Asterisk Now. With the exception of PBX in a Flash, you may not know it’s there, but it is.

Years ago when FreePBX was in its infancy, the developers set up a way that administrators could still get into their system even if they forgot their administrator password. Typing admin:admin as the username:password combination basically gave you the keys to the castle in the default FreePBX install. That worked great in the days before folks exposed their systems to direct Internet web access which is a really BAD IDEA by the way.

Some of the aggregations shipped with a default username and password combination of maint and password. And for visually-impaired users, an automatic installer was crafted which set a default password of passworm. While users were encouraged to change these default passwords, many unfortunately didn’t heed the advice. According to one unnamed provider that recently saw a spike in illegal calling activity, his attempt to log in to some of his customers’ systems using password as the administrator password yielded a list of 50 vulnerable systems in under an hour!

And then there was this week’s Elastix revelation that the developers had embedded an additional backdoor password in their distribution that very few knew about… except the bad guys unfortunately. According to Xorcom:

It recently came to our attention that it is possible to login to the Elastix server unembedded FreePBX Web interface (http://address/admin) with user name ‘asteriskuser’ and password ‘eLaStIx.asteriskuser.2oo7’. The user name and password are the same user name and password used by FreePBX to access the ‘asterisk’ MySQL database. They are defined in the parameters AMPDBUSER and AMPDBPASS in the /etc/amportal.conf file.

What could possibly go wrong? Well, everything! Over the past few years, what typically happened with these vulnerable systems was that the bad guys obtained an extension password and began making free calls on your nickel until you checked your FreePBX call log or received your phone bill. That was then.

Here’s the latest bad guy scenario. The intruder logs into your FreePBX GUI using the default administrator password using a very sophisticated script which extracts all of your extension numbers, all of your trunk credentials, and, of course, all of your passwords. The script then hides a BOT on your server that “phones home” whenever any change is made in your account names or passwords. Finally, rather than using your server to make calls, the bad guys now use their own servers with your provider credentials to make free calls. So the first notice you receive of the intrusion is when your credit card is maxed out because you stupidly chose credit card auto-replenishment when you set up your VoIP account with your favorite provider.

SO… how do you fix it? Well, first you need to check whether your system is vulnerable. Using a browser, attempt to log into FreePBX at http://yourIPaddress/admin and use the following username:password combinations:

admin:admin
admin:password
admin:passworm
maint:admin
maint:maint
maint:password
maint:passworm
wwwadmin:password
wwwadmin:wwwadmin
wwwadmin:admin
asteriskuser:eLaStIx.asteriskuser.2oo7

Be aware that on some systems using Fail2Ban such as PBX in a Flash, three consecutive failed logins may lock you out of your system for a lengthy period of time. On these systems, we recommend you first stop Fail2Ban: service fail2ban stop. Don’t forget to restart it after your testing: service fail2ban start.

If you gain access to your system using any of the above credentials and the web interface of your server is exposed to the Internet, then you’ve got a problem. Do NOT just change your password thinking all is well. As mentioned, your new credentials are likely being transmitted to the bad guys before you can say “I’m S-C-R-E-W-E-D.” Instead, you should reformat your drive, contact all of your trunk providers and change your credentials. Then reinstall a NEW system using your new credentials AND new extension passwords. DON’T FORGET TO CHANGE YOUR DEFAULT PASSWORD! On PBX in a Flash and Incredible PBX systems, it’s easy. Just log into your server as root, enter the command passwd-master, and answer the prompts. Think up a very secure password… as if your bank account depended on it. It does! Finally, read our Primer on Asterisk Security. Be safe!

Originally published: Friday, April 15, 2011



Changes in PBX in a Flash Distribution. In light of the events outlined in our recent Nerd Vittles article and the issues with Asterisk 1.8.4, the PIAF Dev Team has made some changes in our distribution methodology. As many of you know, PBX in a Flash is the only distribution that compiles Asterisk from source code during the install. This has provided us enormous flexibility to distribute new releases with the latest Asterisk code. Unfortunately, Asterisk 1.8 is still a work in progress to put it charitably. We also feel some responsibility to insulate our users from show-stopping Asterisk releases. Going forward, the plan is to reserve the PIAF-Purple default install for the most stable version of Asterisk 1.8. Currently, we think that dubious title belongs to Asterisk 1.8.3.3 even though it has its own share of surprises. Other versions of Asterisk 1.8 (newer and older) will be available through a new configuration utility which now is incorporated into the PIAF 1.7.5.6.2 ISO.

Here’s how it works. Begin the install of a new PIAF system in the usual way by booting from the CD and pressing Enter to load the most current version of CentOS 5.6. When the CentOS install finishes, your system will reboot. Remove the CD, accept the license agreement, and choose the PIAF-Purple option to load the default version of Asterisk 1.8. Or exit to the Linux CLI if you want a different version. Log into CentOS as root with your root password. Then issue a command like this: piafdl -p 184 (loads Asterisk 1.8.4), piafdl -p 1833 (loads Asterisk 1.8.3.3), or piafdl -p 1832 (loads Asterisk 1.8.3.2). If there should ever be an outage on one of the PBX in a Flash mirrors, you can optionally choose a different mirror for the payload download by adding piafdl -c for the .com site, piafdl -d for the .org site, or piafdl -e for the .net site. Then add the payload switch of your choice, e.g. piafdl -c -p 184.

Bottom Line: If you use the piafdl utility to choose a particular version of Asterisk 1.8, you are making a conscious decision to accept the consequences of your particular choice. We would have preferred implementation of a testing methodology at Digium® before distribution of new Asterisk releases; however, that doesn’t appear to be in the cards. So, as new Asterisk 1.8 releases hit the street, they will be made available through the piafdl utility until such time as our PIAF Pioneers independently establish their reliability.


Need help with Asterisk? Visit the PBX in a Flash Forum or Wiki.
Or Try the New, Free PBX in a Flash Conference Bridge.



Avoiding a $100,000 Phone Bill: VoIP WhiteList for IPtables

It’s been almost a year since we last wrestled with VoIP security for Asterisk®. With Christmas just around the corner, it seemed like a fitting time for a report card. Suffice it to say, the bad guys have not stood still. Attacks have become much more frequent and more sophisticated as VoIP systems have proliferated. A year ago we saw brute force attacks with thousands of password attempts on VoIP servers. These attacks could easily be detected by Fail2Ban. What we are seeing today are one and two hit drive-bys that usually are initiated from Windows zombies or hosted accounts established with stolen credit cards. These VoIP attacks fly under the radar unless you review your logs every day. Have the creeps gotten more patient? No, just smarter. They now understand the VoIP security model that has been deployed on systems like PBX in a Flash, and they simply work around it. Two hits per server, and they’re off to the next IP address only to return in a few hours to try two more. Are these attempts successful? Well, here’s the latest recipient of a $100,000 phone bill so the answer would appear to be affirmative.

We continue to wrestle with new security approaches to better protect Asterisk VoIP systems, and we’ve stumbled upon another golden arrow for your security quiver. Our Incredible PBX platform continues to offer the very best security solution because it is designed to sit safely behind a hardware-based firewall with virtually no exposure to the Internet. But such deployments assume that both your server and your phones are all safely ensconced behind a hardware-based firewall. If it turns out that you want to deploy a SIP phone for use by grandma or you’ve decided you’d like to try hosted PBX service from a provider such as rentpbx.com, then there either need to be holes opened in the firewall or there is no hardware firewall protection in the case of hosted service.

Over the past few weeks, we’ve explored a number of new security approaches to better protect your Asterisk server. These include The SunshineNetworks Knock as well as VoIP Black Lists and VoIP White Lists. If you’re technically savvy, you’ll want to carefully consider “The Knock” for all of your SIP phones exposed to the Internet.

We spent a good bit of time considering various VoIP BlackList solutions. As the name implies, a list of the bad guys’ IP addresses is fed into IPtables which then blocks access to your server from these addresses. Sounds good, right? One approach with a BlackList is to block all IP addresses from “problem countries.” The methodology to implement this solution can be found in this thread on the PIAF Forums. The problem, of course, is identifying the “problem countries.” Another option was to implement an IPtables Blacklist based upon the work of the VoIP Blacklist Project. Perhaps ironically, the VoIP Blacklist Project actually blocks the IP addresses of both Nerd Vittles and PBX in a Flash, and emails requesting removal of our IP address were ignored. To save time, the VoIP Blacklist Project employs CIDR Masks which can blacklist hundreds of thousands of IP addresses in one fell swoop. Problem is that a lot of innocent people get caught in the net, and there’s no easy way out without maintaining the blacklist yourself. The final dagger in the black list approach is zombies. Insecure Windows machines have been compromised by the droves worldwide and particularly in the United States. So identifying all of these now-malicious systems is not unlike playing Whack-a-Mole. When you block one of them, six more pop up. So, after giving it the good old college try, our view of VoIP Blacklists should be obvious. No, thanks. There are very real risks that the bad guys can and have poisoned existing blacklists with safe IP addresses, and the number of Windows zombies grows geometrically making it all but impossible to have or maintain a blacklist that affords any real protection.

These results with black lists led us to the conclusion that the only real security mechanism that could protect many VoIP servers today was a VoIP WhiteList for IPtables. As the name implies, we want to identify the IP addresses of every SIP and IAX trunk and extension on your server and then feed those addresses into IPtables so that the only access to VoIP resources on your server is from these addresses. Today’s VoIP WhiteList for IPtables consists of two bash scripts: one queries the MySQL database in which FreePBX stores all of the trunk and extension information for your server and the other populates IPtables with the results of the queries. We would hasten to add that a similar white list is equally important for SSH access to your server although we think it is better to implement an SSH WhiteList on your hardware-based firewall. In this way, you can adjust the SSH white list via web browser while traveling without locking yourself out of your Asterisk server.

Prerequisites. To use today’s VoIP WhiteList for IPtables, you’ll need either a current version of PBX in a Flash or Incredible PBX. Other aggregations will also work provided your system is FreePBX-based (version 2.6 or later), has IPtables already installed and functioning properly, and has an /etc/sysconfig/iptables configuration file that closely matches the stock PBX in a Flash design. We’ll leave it to you to make that call after reviewing the scripts.

VoIP WhiteList Design. We’ve designed the VoIP WhiteList for IPtables to be modular. There’s a firewall-whitelist-gen.sh script which extracts from MySQL the list of IP addresses used by your trunks and extensions. This text-based list is stored in /etc/firewall.whitelist. You can manually add and delete entries from the list once it is populated. You also can rerun the script at any time to generate a fresh catalog of WhiteList IP addresses based upon your current trunk and extension settings. This script also enables access to your server from the public IP address of your server as well as all non-routable IP addresses. Finally, it modifies /etc/sudoers slightly so that Travelin’ Man can be used to add dynamic IP addresses on the fly. We’ll cover that below.

The second script is firewall-whitelist.sh, and it is used to actually implement your new VoIP WhiteList in IPtables. The changes take effect immediately. It also can be run again to update these entries if you manually add or delete IP addresses in /etc/firewall.whitelist. This script always creates a backup copy of your previous /etc/sysconfig/iptables file and names it iptables.timestamp where the timestamp is the date and time of your last update, e.g. iptables.12012010-083841 was created on Dec. 1, 2010 at 08:38:41. If you should ever shoot yourself in the foot, simply copy one of the iptables backup files to /etc/sysconfig/iptables and then restart IPtables: service iptables restart.

WARNINGS: In order to implement the WhiteList, the script removes the existing IPtables entries which permit SIP and IAX access from anywhere using UDP ports 4569 and 5000 to 5082. If you have edited these entries in any way, you’ll need to remove them and restart IPtables before running firewall-whitelist.sh. Otherwise, your more general firewall entries will leave your system vulnerable to access from IP addresses not in your VoIP WhiteList.

If your system is running on a hosted server, you’ll need to make a couple of additions to /etc/sysconfig/iptables and restart IPtables (service iptables restart) before running firewall-whitelist.sh, or you may lock yourself out of your own server. Be sure to add the public IP address of your server, and also add the IP address from which you are making changes to your server. Each entry should look like the following example using your actual IP addresses. And the entries should be added above the COMMIT line in the same section of the iptables file as the existing UDP 10000:20000 ACCEPT entry:

-A INPUT -s 222.222.222.222 -j ACCEPT
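
An added audit for the warning above (not part of the firewall-whitelist scripts): it lists ACCEPT rules in an IPtables file that still open UDP 4569 or any port in 5000 to 5082 with no source restriction, which would let traffic bypass the WhiteList. The function names and the sample rules are constructed for illustration, and only rules with an explicit --dport or --dports are examined.

```shell
#!/bin/sh
# Added example, not part of the VoIP WhiteList scripts. Function names are
# hypothetical. Reports "line-number: rule" for every UDP ACCEPT rule that
# reaches port 4569 or the range 5000-5082 from any source address.
find_open_voip_rules() {
    # $1: rules file in /etc/sysconfig/iptables (iptables-save) format
    awk '
    function overlaps(lo, hi) {
        return (lo <= 4569 && hi >= 4569) || (lo <= 5082 && hi >= 5000)
    }
    /^-A / {
        proto = ""; src = ""; ports = ""; target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p" || $i == "--protocol") proto = $(i+1)
            else if ($i == "-s" || $i == "--source" || $i == "--src") {
                src = $(i+1)
                # a negated source ("! -s x" or "-s ! x") restricts nothing useful
                if ($(i-1) == "!" || src == "!") src = ""
            }
            else if ($i == "--dport" || $i == "--dports" || $i == "--destination-port")
                ports = $(i+1)
            else if ($i == "-j" || $i == "--jump") target = $(i+1)
        }
        if (proto != "udp" || target != "ACCEPT" || ports == "") next
        if (src != "" && src != "0.0.0.0/0") next       # limited to one source
        n = split(ports, list, ",")                      # multiport lists
        for (k = 1; k <= n; k++) {
            m = split(list[k], r, ":")                   # single port or lo:hi
            lo = r[1] + 0
            hi = (m == 2) ? (r[2] == "" ? 65535 : r[2] + 0) : lo
            if (overlaps(lo, hi)) { print NR ": " $0; break }
        }
    }' "$1"
}

# Constructed sample: a rules file left in a mixed state after hand edits.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -s 222.222.222.222 -j ACCEPT
-A INPUT -s 203.0.113.25 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 4000:6000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -p udp -m multiport --dports 69,5060 -j ACCEPT
COMMIT
EOF
}

# Audit the constructed sample and report how many rules need attention.
demo_audit() {
    f=$(mktemp)
    sample_rules > "$f"
    findings=$(find_open_voip_rules "$f")
    rm -f "$f"
    echo "$findings"
    echo "$(echo "$findings" | grep -c .) rule(s) leave SIP/IAX open to any source" >&2
}

if [ "${1:-}" = "--demo" ]; then demo_audit; fi
```

An empty result from find_open_voip_rules on the live /etc/sysconfig/iptables file means no broad SIP or IAX rule with an explicit port remains.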

Installing the VoIP WhiteList for IPtables. Installation is easy. Just log into your server as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/firewall-whitelist.tar.gz
tar zxvf firewall-whitelist.tar.gz
./firewall-whitelist-gen.sh
./firewall-whitelist.sh

If you installed one of the beta versions of the VoIP WhiteList from the PIAF Forums, then you’ll need to do a little housecleaning before actually running either of the scripts. Just edit /etc/sysconfig/iptables and clean out all of the entries that contain 5000:5082 as well as any entries nearby that include the non-routable IP addresses, e.g. 192.168.0.0. Finally, if there are entries beginning with -A WHITELIST, delete those as well. Then restart IPtables: service iptables restart. Thank you for your testing and feedback!

Deploying Remote SIP Phones. What remains is some method for connecting remote SIP phones with dynamic IP addresses. Our Travelin’ Man application was specifically designed to provide this support although the initial version only opened the necessary IP address for Asterisk access. The latest release also provides the necessary IPtables support. You have two options: either remove the old version and supporting directories under /var/www/travelman or edit the index.php file in each subdirectory you’ve created and make the change shown in this post on the PIAF Forums. Enjoy!




Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. We gratefully acknowledge the contributions of rentpbx.com to the PBX in a Flash Development Team. In addition to hosted accounts to test PBX in a Flash in the hosted environment, rentpbx.com also has contributed technical assistance particularly as it relates to our Google Voice-Asterisk integration efforts.

The Incredible PBX: Meet the New Kid on the Block

As much as we loved the moniker, the Orgasmatron build was in desperate need of a name change to more accurately describe its true heritage. We didn't look too far for just the right name. Meet The Incredible PBX!

Thanks to the Zero Internet Footprint™ design, it's the most secure Asterisk®-based PBX around. What this means is The Incredible PBX™ has been engineered to sit safely behind a NAT-based, hardware firewall with no port exposure to your actual server. [1] And you won't find a more full-featured Personal Branch Exchange™.

NEWS FLASH: The Incredible PBX is now available for Asterisk 1.8! Go here.

Coming January 19: Incredible PBX 11 & Incredible Fax for Asterisk 11 and FreePBX 2.11

The Incredible PBX is much more than just a name change. In addition to all of the Orgasmatron magic including free calling in the U.S. and Canada courtesy of Google Voice, you now get some terrific new features tailored to meet the needs of the individual: randomly generated passwords for all of your extensions, free Skype support and a new backup module both of which we'll introduce over the next few weeks. And CallerID Superfecta now is preconfigured to work out of the box with support from dozens of providers worldwide.

The Incredible PBX Inventory. For those wondering what's included with The Incredible PBX, here's a feature list of components you get in addition to the base install of PBX in a Flash with CentOS 5.4, Asterisk 1.4, FreePBX 2.6, and Apache, SendMail, MySQL, PHP, phpMyAdmin, IPtables Linux firewall, Fail2Ban, and WebMin. Please note that A2Billing, Cepstral TTS, Hamachi VPN, and Mondo Backups are optional and may be installed using provided scripts.

Prerequisites. Here's what you'll need to get started:

  • Broadband Internet connection
  • $200 PC [3] on which to run The Incredible PBX or a Proxmox VM
  • dLink Router/Firewall. Low Cost: $35 WBR-2310  Best: DGL-4500
  • Free Google Voice account (Available in U.S. without an invite at this link)
  • Free SIPgateOne residential account (U.S. cell to get SMS invite) OR
  • Free IPkall IAX account (recommended for international users)

Installing The Incredible PBX. The installation process is simple and straight-forward. Just don't skip any steps. Here are the 5 Steps to Free Calling, and The Incredible PBX will be ready to receive and make free U.S./Canada calls:

1. Install the latest version of PBX in a Flash
2. Download & run The Incredible PBX installer
3. Set up your two provider accounts
4. Configure a softphone or SIP telephone
5. Run the configure-gv credentials installer

Installing PBX in a Flash. Here's a quick tutorial to get PBX in a Flash installed. We recommend you install the latest 32-bit version of PBX in a Flash. This new build works much better with newer hardware including Atom-based computers and newer network cards. Unlike other Asterisk aggregations, PBX in a Flash utilizes a two-step install process. The ISO only installs the CentOS 5.5 operating system. Once installed, the server reboots and downloads a payload file that includes Asterisk, FreePBX, and many other VoIP and Linux utilities. We use virtually identical payloads for all versions of PBX in a Flash.

Download the 32-bit, PIAF 1.6 version from Google, SourceForge, Vitelity, Cybernetic Networks, or AdHoc Electronics. The MD5 checksum for the file is e8a3fc96702d8aa9ecbd2a8afb934d36. Or, if you are feeling really adventurous or if you have new, bleeding edge hardware, try our new 32-bit, PIAF 1.7 build which features CentOS 5.5. This new release is available from SourceForge or Google Docs. The MD5 checksum for the PIAF 1.7 build is 184cdb00142ccdd814b11de23fb00082.

Download the brand-new 32-bit PIAF 1.7.5.5. from SourceForge or one of our download mirrors. Burn the ISO to a CD. Then boot from the installation CD, type ksalt, and press the Enter key to begin.

WARNING: This install will completely erase, repartition, and reformat EVERY DISK (including USB flash drives) connected to your system so disable any disk you wish to preserve! Press Ctrl-C to cancel the install.

On some systems you may get a notice that CentOS can't find the kickstart file. Just tab to OK and press Enter. Don't change the name or location of the kickstart file! This will get you going. Think of it as a CentOS 'feature'. :-)

At the keyboard prompt, tab to OK and press Enter. At the time zone prompt, tab once, highlight your time zone, tab to OK and press Enter. At the password prompt, make up a VERY secure root password. Type it twice. Tab to OK, press Enter. Get a cup of coffee. Come back in about 5 minutes. When the system has installed CentOS, it will reboot. Remove the CD promptly. After the reboot, choose A choose PIAF-Silver option. Have a 10-minute cup of coffee. After installation is complete, the machine will reboot a second time. Log in as root with your new password and execute the following commands:

update-scripts
update-fixes
status

When prompted, change the ARI password to something really obscure. You're never going to use it! You now have a PBX in a Flash base install. On a stand-alone machine, it takes about 30 minutes. On a virtual machine, it takes about half that time. Write down the dynamic IP address assigned to your server after running the status command. You'll need it shortly.

NOTE: So long as your system is safely sitting behind a hardware-based firewall, we do NOT recommend running update-source with The Incredible PBX. The version of Asterisk installed from our payload file is very stable.

Running The Incredible PBX Installer. Log into your server as root and issue the following commands to download and run The Incredible PBX installer:

cd /root
wget http://incrediblepbx.com/incrediblepbx.x
chmod +x incrediblepbx.x
./incrediblepbx.x

Have another 15-minute cup of coffee. It's a great time to consider a modest donation to the Nerd Vittles project. You'll find a link at the top of the page. When the installer finishes, READ THE SCREEN!

Here's a short video demonstration of the Incredible PBX installer process:

Either a free SIPgate One residential phone number or an IPkall number is a key component in today’s project. If you are eligible, we strongly recommend a SIPgate One residential account for The Incredible PBX. However, you may elect to use an IPkall account as an alternative. Both are free; however, you cannot register The Incredible PBX to IPkall's servers so you'll need to punch a hole in your firewall to receive incoming calls from Google Voice and IPkall. This step is not necessary with SIPgate accounts since there is a permanent registered connection between The Incredible PBX and SIPgate's servers!

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work! Continue reading whichever section below applies to you.

Configuring SIPgate. If you live in the U.S. and have a cellphone, we'd recommend the SIPgate option since no adjustment of your hardware-based firewall is required. Otherwise, skip to the IPkall setup below. Step #1 is to request a SIPgate invite at this link. You'll need to enter your U.S. cellphone number to receive the SMS message with your invitation code. Don't worry. You can erase your cellphone number from your account once it is set up and working properly. Once you receive the invite code, enter it and choose the option to set up a residential account. Next, choose a phone number and write it down. The area code really doesn't matter because Google Voice is the only one that will be calling this number after we get things set up. For now, leave your cellphone number in place so that you can receive your confirmation call from Google Voice in the next step. After that, you'll want to revisit SIPgate and remove all parallel calling numbers. Finally, click on the Settings link and write down your SIP ID and SIP Password. You'll need these in a few minutes to complete the configuration of The Incredible PBX. Now place a call to your new SIPgate number and make certain that your cellphone rings before proceeding.

Configuring IPkall. If you're using IPkall as your intermediate provider, first log in to your hardware-based firewall/router and map UDP port 4569 [4] to the private IP address that you just wrote down. This tells your firewall to pass all IAX2 traffic from the Internet directly to your new server. Don't worry. We have severely restricted which IP addresses can actually send IAX data through the PBX in a Flash IPtables firewall which is an integral part of this build. And, remember, no hardware firewall adjustments are necessary if you're using SIPgate instead of IPkall.

After your firewall is properly configured, you'll need to register for a free IPkall number. This is actually a two-step process. Set it up as a SIP connection when you first register. Then we'll change it to IAX once your new phone number is provided. So your initial IPkall request should look like this:

We recommend area code 425 for your requested number because IPkall appears to have lots of them. If they don't have an available number, your request apparently goes in the bit bucket. You'll know because IPkall typically turns these requests around in a few minutes. Don't worry about the mothership entry. We'll change it shortly. The other issue here is your public IP address. If you have a dedicated IP address, no worries. Just plug in the IP address for SIP Proxy. If it's dynamic, then you'll need to set up a fully-qualified domain name (FQDN) with a provider such as dyndns.com. Once you've got it set up, enter your credentials in the Dynamic DNS tab of your hardware-based firewall to assure that your dynamic IP address is always synchronized with your FQDN. Then enter the FQDN for your SIP Proxy address in the IPkall form. Be sure to make up a VERY secure password. Now send it off and wait for the return email with your new phone number.

When you receive your new phone number, you'll need to revisit the IPkall site and log in with your phone number and the password you chose above. Make the changes shown below using your actual IPkall phone number instead of 4259876543:

It's worth stressing that these settings are extremely important so check your work carefully. Be sure the IAX option is selected. Be sure there are no typos in your two phone number entries. And be sure your FQDN or public IP address is correct. Then save your new settings.

TIP: Be aware that IPkall cancels an assigned phone number after 30 consecutive days of inactivity. If you will be using your number infrequently, it's a good idea to schedule a Weekly Reminder to call the number with a prerecorded message. This will assure that your number stays functional.

Configuring Google Voice. Google Voice no longer is by invitation only so, if you're in the U.S. or have a friend that is, head over to the Google Voice site and register. After you've chosen a telephone number, plug in your new SIPgate or IPkall number as the destination for your Google Voice calls and choose Office as the Phone Type.

Google places a test call to your number so you'll have to delay it a bit for IPkall. If you're using SIPgate, go ahead and tell Google to place the test call which will be forwarded to your cellphone. Enter the two-digit code that's displayed when you're prompted to do so. With IPkall, wait until we finish running the credentials configurator below.

While you're still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening - OFF
  • Call Presentation - OFF
  • Caller ID (In) - Display Caller's Number
  • Caller ID (Out) - Don't Change Anything
  • Do Not Disturb - OFF

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

If you're using SIPgate and you've confirmed your number, revisit SIPgate and remove all parallel calling numbers including your cell number.

Adding Your Credentials to The Incredible PBX. We're ready to insert your credentials and SIPgate/IPkall information into The Incredible PBX. You'll need several pieces of information: your 10-digit Google Voice phone number, your Google Voice account name (which is the email address you used to set up your GV account), your GV password (no spaces!), and your 10-digit SIPgate or IPkall RingBack DID. You'll also need to reenter your passwd-master password which is used to configure CallerID Superfecta. Finally, you'll need to tell the configurator whether you're using a SIPgate or IPkall account. In the case of SIPgate, you'll also be prompted to enter your SIP ID and SIP password. These are NOT the same as your account credentials!!

Log back into your server as root and issue the following command to kick off the configurator: ./configure-gv.x. Check your entries carefully. If you make a typo in entering any of your data, press Ctrl-C to cancel the script and then run it again!! Once you've checked and double-checked your entries, press Enter and The Incredible PBX setup will be completed. You'll need to press Enter again when the script finishes to reboot your PBX. After the reboot, your system will have randomly-generated passwords for every extension and voicemail box that is preconfigured on your system. The DISA password also has been changed. We generate five-digit passwords. If you will sleep better with longer passwords, be our guest. They are easily reset using the FreePBX web interface described elsewhere in this article.

Finally, log back into your server as root and issue the following command to obtain the password for extension 701 which we'll need to configure your softphone in the next step:

mysql -uroot -ppassw0rd -e"select id,data from asterisk.sip where id='701' and keyword='secret'"

The result will look something like the following where 701 is the extension and 18016 is the randomly-generated extension password exclusively for your Incredible PBX:

+-----+-------+
| id  | data  |
+-----+-------+
| 701 | 18016 |
+-----+-------+

Configuring a SIP Phone. There are hundreds of terrific SIP telephones and softphones for Asterisk-based systems. Once you get things humming along, you'll want a real SIP telephone, and you'll find lots of recommendations on Nerd Vittles. For today, let's download a terrific (free) softphone to get you started. We recommend X-Lite because there are versions for Windows, Mac, and Linux. So download your favorite from this link. Install and run X-Lite on your Desktop. At the top of the phone, click on the Down Arrow and choose SIP Account Settings, Add. Enter the following information using your actual password for extension 701 and the actual IP address of your Incredible PBX server instead of 192.168.0.251. Click OK when finished. Your softphone should now show: Available.

If you're using SIPgate as your provider with Google Voice, you're ready to place a test call. If you're using IPkall, we still need to verify your IPkall number with Google Voice. Return to Google Voice and tell it to place the test call to your IPkall number which you've already entered as your destination number. Your softphone will ring momentarily. Enter the two-digit code provided by Google Voice, and you're all set.

Incredible PBX Test Flight. The proof is in the pudding as they say. So let's try two simple tests. First, from another phone, call your Google Voice number. Your softphone should begin ringing shortly. Answer the call and make sure you can send and receive voice on both phones. Hang up. Now let's place an outbound call. Using the softphone, dial your cellphone number. Google Voice should transparently connect you. Answer the call and make sure you can send and receive voice on both phones. If everything is working, congratulations!

Here's a brief video demonstration showing how to set up a softphone to use with your Incredible PBX, and it also walks you through several of the dozens of Asterisk applications included in your system.

Solving One-Way Audio Problems. If you experience one-way audio on some of your phone calls, you may need to adjust the settings in /etc/asterisk/sip_custom.conf. Just uncomment the first two lines by removing the semicolons. Then replace 173.15.238.123 with your public IP address, and replace 192.168.0.0 with the subnet address of your private network. Save the file and restart Asterisk with the command: amportal restart.

Learn First. Explore Second. Even though the installation process has been completed, we strongly recommend you do some reading before you begin your VoIP adventure. VoIP PBX systems have become a favorite target of the hackers and crackers around the world and, unless you have an unlimited bank account, you need to take some time learning where the minefields are in today's VoIP world. Start by reading our Primer on Asterisk Security. We've secured all of your passwords except your root password and your passwd-master password, and we're assuming you've put very secure passwords on those accounts as if your phone bill depended upon it. It does! Also read our PBX in a Flash and VPN in a Flash knols. If you're still not asleep, there's loads of additional documentation on the PBX in a Flash documentation web site.

Choosing a VoIP Provider. For this week, we'll point you to some things to play with on your new server. Then, in the subsequent articles below, we'll cover in detail how to customize every application that's been loaded. Nothing beats free when it comes to long distance calls. But nothing lasts forever. So we'd recommend you set up another account with Vitelity using our special link below. This gives your PBX a secondary way to communicate with every telephone in the world, and it also gets you a second real phone number for your new system... so that people can call you. Here's how it works. You pay Vitelity a deposit for phone service. They then will bill you $3.99 a month for your new phone number. This $3.99 also covers the cost of unlimited inbound calls (two at a time) delivered to your PBX for the month. For outbound calls, you pay by the minute and the cost is determined by where you're calling. If you're in the U.S., outbound calls to anywhere in the U.S. are a little over a penny a minute. If you change your mind about Vitelity and want a refund of the balance in your account, all you have to do is ask.

The VoIP world is new territory for some of you. Unlike the Ma Bell days, there's really no reason not to have multiple VoIP providers especially for outbound calls. Depending upon where you are calling, calls may be cheaper using different providers for calls to different locations. So we recommend having at least two providers. Visit the PBX in a Flash Forum to get some ideas on choosing alternative providers.

A Word About Security. Security matters to us, and it should matter to you. Not only is the safety of your system at stake but also your wallet and the safety of other folks' systems. Our only means of contacting you with security updates is through the RSS Feed that we maintain for the PBX in a Flash project. This feed is prominently displayed in the web GUI which you can access with any browser pointed to the IP address of your server. Check It Daily! Or add our RSS Feed to your favorite RSS Reader. Be safe!

Kicking the Tires. OK. That's enough tutorial for today. Let's play. Using your new softphone, begin your adventure by dialing these extensions:

  • D-E-M-O - Incredible PBX Demo (running on your PBX)
  • 1234*1061 - Nerd Vittles Demo via ISN FreeNum connection to NV
  • 17476009082*1089 - Nerd Vittles Demo via ISN to Google/Gizmo5
  • Z-I-P - Enter a five digit zip code for any U.S. weather report
  • 6-1-1 - Enter a 3-character airport code for any U.S. weather report
  • 5-1-1 - Get the latest news and sports headlines from Yahoo News
  • T-I-D-E - Get today's tides and lunar schedule for any U.S. port
  • F-A-X - Send a fax to an email address of your choice
  • 4-1-2 - 3-character phonebook lookup/dialer with AsteriDex
  • M-A-I-L - Record a message and deliver it to any email address
  • C-O-N-F - Set up a MeetMe Conference on the fly
  • 1-2-3 - Schedule regular/recurring reminder (PW: 12345678)
  • 2-2-2 - ODBC/Timeclock Lookup Demo (Empl No: 12345)
  • 2-2-3 - ODBC/AsteriDex Lookup Demo (Code: AME)
  • Dial *68 - Schedule a hotel-style wakeup call from any extension
  • 1061*1061 - PBX in a Flash Support Conference Bridge
  • 882*1061 - VoIP Users Conference every Friday at Noon (EST)





Homework. Your homework for this week is to do some exploring. FreePBX is a treasure trove of functionality, and The Incredible PBX adds a bunch of additional options. See if you can find all of them. Also check out Tweet2Dial which uses Twitter to make Google Voice calls, send free SMS messages, and manage your Incredible PBX.

Be sure to log into your server as root and look through the scripts added in the /root/nv folder. You'll find all sorts of goodies to keep you busy. s3cmd.faq tells you how to quickly activate the Amazon S3 Cloud Computing service. And, if you've heeded our advice and purchased a PogoPlug, you can link to your home-grown cloud as well. Just add your credentials to /root/pogo-start.sh. Then run the script to enable the PogoPlug Cloud on your server. All of your cloud resources are instantly accessible in /mnt/pogoplug. It's perfect for off-site backups which we'll cover in a few weeks.

Don't forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number. Finally, try out the included Stealth AutoAttendant by dialing your own number and pressing 0 while the greeting is played. This will reroute your call to the demo applications option in the IVR.

Originally published: Monday, April 19, 2010

VoIP Virtualization with Incredible PBX: OpenVZ and Cloud Solutions

Adding Skype to The Incredible PBX

Adding Incredible Backup... and Restore to The Incredible PBX

Adding Multiple Google Voice Trunks to The Incredible PBX

Adding Remotes, Preserving Security with The Incredible PBX

Remote Phone Meets Travelin' Man with The Incredible PBX


Support Issues. With any application as sophisticated as this one, you're bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It's the best Asterisk tech support site in the business, and it's all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won't have to wait long for an answer to your questions.

Coming Soon. We haven't forgotten. We'll cover setting up multiple Google Voice accounts for simultaneous calling on multiple channels very soon. And the new (free) Skype Gateway to Asterisk for The Incredible PBX is now available. The FreePBX components already are in place to support inbound and outbound calling via Skype. You can even try a test call to our Aspire One Revo today by dialing nerdvittles from your favorite Skype client. Beginning today, this article will be available on http://IncrediblePBX.com. Then Nerd Vittles will return to our (almost) weekly schedule of new articles. Enjoy!





  1. Requires a SIPgate One account.
  2. For Asterisk 1.6 or for 64-bit systems with Asterisk 1.4 or 1.6, use the Cepstral install procedures outlined in this Nerd Vittles article.
  3. If you use the recommended Acer Aspire Revo, be advised that it does NOT include a CD/DVD drive. You will need an external USB drive to load the software. Some of these work with CentOS, and some don't. Most HP and Sony drives work; however, we strongly recommend you purchase an external DVD drive from a merchant that will accept returns, e.g. Best Buy, WalMart, Office Depot, Office Max, Staples.
  4. Mapping a port on your firewall to a private IP address unblocks certain Internet packets and allows them to pass through your firewall directly to an IP device "inside" your firewall for further processing.

The Incredible PBX: Adding Remotes, Preserving Security

Unlike most Asterisk®-based PBXs which are insecure as installed and leave it to you to implement sufficient safeguards to preserve the integrity of your system, the Incredible PBX is delivered with rock-solid, air-tight security already in place. Because it is designed to operate behind a hardware-based firewall, what you'll be doing when you want to add functionality with the Incredible PBX is loosening security rather than tightening it. The trick, of course, is to do it in a way that doesn't compromise the overall integrity of your system. As delivered, the Incredible PBX relies upon four layers of network security: a hardware-based firewall of your choice [1], a preconfigured IPtables software-based Linux firewall, preconfigured Fail2Ban to monitor your logs for suspicious activity and to block specific IP addresses when abuse is detected, and random passwords for all extensions and DISA connections.

If you installed the Incredible PBX using SIPgate as the intermediate provider with Google Voice, then your hardware-based firewall should have no ports opened and forwarded to your server. If you used IPkall, then only UDP 4569 has been opened and forwarded to your server. And the Incredible PBX IPtables setup for IAX restricts access to just a few IP addresses to support IPkall.

There are obviously situations in which you will want or need additional connectivity. The most likely one involves activation of SIP telephones at remote locations, such as a branch office, or Grandma's house or a relative in college. The other obvious use is with cellphones and PDAs that support SIP clients such as Android phones, iPhones, and iPads. [2]

What we'd recommend you not do is open the SIP floodgate to your PBX by providing unrestricted inbound SIP access, but we'll show you how if you really want or need this functionality. As desirable as this can be, it is accompanied by an array of security issues that really are not worth the risks unless you know what you're doing and you're willing to stay on top of security updates and keep your system patched.

Let's first tackle how to provide limited inbound SIP functionality without selling the farm. If the remote site has a fixed IP address, the procedure to allow remote access to your server is fairly straight-forward: just map the SIP ports on the hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000) and then restrict SIP access using IPtables to the remote IP address as well as the subnet of your private LAN. You can decipher your private subnet by running status. If your server's IP address is 192.168.0.123, then your private subnet would be 192.168.0.0. The IPtables firewall settings are stored in /etc/sysconfig/iptables. Edit that file and find the line that looks like this:

-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT

Delete or comment out this entry with a leading # and insert new entries that look like the following using the public IP address(es) you wish to add plus the private subnet:

-A INPUT -p udp -m udp -s 141.146.20.10 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 141.146.20.11 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT


After making the changes, save the file: Ctrl-X, Y, then Enter. Then restart IPtables: service iptables restart.
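To confirm the edit did what you intended, the following Python script (an added example, not part of the original article or of Incredible PBX) reads rules in /etc/sysconfig/iptables format and lists every active UDP ACCEPT rule that covers ports 5000:5082, along with how many source addresses it admits. The sample rules are constructed and the function names are hypothetical; it assumes numeric ports and does not handle negated (!) matches.

```python
import ipaddress
import shlex

SIP_PORTS = (5000, 5082)  # signalling range the article restricts

# Constructed sample in /etc/sysconfig/iptables format; addresses are the article's.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
#-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 141.146.20.10 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def _opt(tokens, *names):
    """Value following the first of `names` present in the rule, else None."""
    for name in names:
        if name in tokens[:-1]:
            return tokens[tokens.index(name) + 1]
    return None

def _touches_sip(dport):
    """True when a port or lo:hi range overlaps SIP_PORTS."""
    lo, _, hi = dport.partition(":")
    return int(lo) <= SIP_PORTS[1] and int(hi or lo) >= SIP_PORTS[0]

def audit_sip_rules(rules_text):
    """List every active UDP ACCEPT rule on the SIP ports with its source scope."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)  # commented-out rules vanish
        if not tokens or tokens[0] != "-A":
            continue
        if _opt(tokens, "-j") != "ACCEPT" or _opt(tokens, "-p") != "udp":
            continue
        dport = _opt(tokens, "--dport")
        if not dport or not _touches_sip(dport):
            continue
        src = _opt(tokens, "-s", "--source") or "0.0.0.0/0"  # no -s means anywhere
        net = ipaddress.ip_network(src, strict=False)
        findings.append({"line": lineno, "source": str(net),
                         "addresses": net.num_addresses,
                         "unrestricted": net.prefixlen == 0})
    return findings
```

Any finding with unrestricted set to True means the SIP ports are still open to every address, whatever the other rules say. Note too that the 255.255.0.0 mask on the private-subnet rule admits all 65,536 addresses in 192.168.x.x.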

Unfortunately, in many situations, the remote phone or cellphone uses an Internet connection with a dynamic IP address. So we don't know the actual IP address that will be assigned. There are a number of solutions to this problem, and we'll rank them in our order of preference. First, spend the $200 and install another Incredible PBX at the remote site. Then the two servers can be linked with IAX connections between the servers making connectivity between the systems totally transparent. Second, install VPN routers at both sites and use a private IP address to establish connectivity with the host system. In this situation, you will have the equivalent of a fixed IP address for the remote device which makes it the equivalent of the fixed IP address solution above. Third, install OpenVPN on your host system and purchase a SIP phone or cellphone that supports VPN connectivity. Most of the high-end SNOM SIP phones have this functionality as do Android phones, iPhones, and iPads. With this setup you also have the equivalent of a fixed IP address, even though it's on a virtual private network. Fourth, talk to the Internet service provider at your remote site and obtain the range of IP addresses that DHCP hands out to those using their services... or just make an educated guess.[3]

BEFORE Activating Full SIP Connectivity. OK. We hear you. You travel for a living, and the IP address of your cellphone changes hourly, all day, every day of the year. Then, yes, you are a candidate for a full-fledged Asterisk server with unlimited SIP access. Before covering how, let's review what responsibilities go with running such a server. Bear in mind that one compromised SIP password or otherwise vulnerable application on your server (including Asterisk, FreePBX, SSH, and hundreds of others), and you may very well be the proud owner of a whopping phone bill. And we're not talking hundreds of dollars. It could very well be tens of thousands of dollars. And it doesn't take weeks or months. It could be a few hours.

Baker's Dozen SIP Security Checklist

1. Keep Asterisk Current & Patched
2. Keep FreePBX Current & Patched
3. Make Frequent Backups
4. Visit PBX in a Flash Forums Regularly
5. Subscribe to PBX in a Flash RSS Feed
6. Secure Alphanumeric Extension Passwords
7. Secure DISA, VMail, Root, FreePBX Passwords
8. Lock Down Extensions with Deny/Permit
9. Turn Off Recurring Payments with Providers
10. Restrict Trunks to 1-2 Simultaneous Calls
11. Tighten Dialplan by Removing Wildcards
12. Eliminate Intl & Toll Calls With Providers
13. Check FreePBX Call Logs Daily for Abuse

Baker's Dozen SIP Security Checklist. Before opening the floodgates, let's review what you need to do. First, you'll need to run the very latest version of Asterisk... all the time. This means you need to monitor asterisk.org, and keep your system up to date by running update-scripts, update-source, and update-fixes regularly. The default version of Asterisk on current PBX in a Flash and Incredible PBX builds is extremely reliable, but it contains SIP and IAX vulnerabilities which should not be exposed directly to the Internet! Second, you need to run the latest version of FreePBX and apply all patches as they are released. Third, you need to make frequent backups appreciating that sometimes the Asterisk and FreePBX developers get things horribly wrong, and stuff that used to work no longer does. Believe it or not, they're human! Fourth, you need to visit the PBX in a Flash Forums daily and keep abreast of security alerts and bug reports on CentOS, Asterisk, and FreePBX. Fifth, you need to subscribe to the PBX in a Flash RSS Feed which provides regular security alerts when there are reported problems. Sixth, you need to really secure your extension passwords with very long, complex alphanumeric passwords. Ditto for your root and FreePBX passwords! Seventh, for DISA and voicemail, these passwords need to be numeric, complex, and extra long. Eighth, you need to lock down as many of your extensions as possible with deny/permit settings to restrict the IP addresses of those extensions. If you only have one or two remote SIP extensions with dynamic IP addresses, then all of the rest should have deny/permit entries! Ninth, turn off recurring payments with all of your telephony providers and keep minimal funds available in all of your accounts. This means you'll have to monitor these accounts to make sure they are not deactivated for lack of funds. 
Tenth, restrict all of your trunks to one or at most two simultaneous calls to reduce your call exposure in the event someone breaks into your system. Eleventh, tighten up your Trunk Dial Rules and eliminate any entries that would permit calls to anywhere in the world! If you don't regularly make international calls, there's absolutely no reason to have such entries in your dialplan. If you still have Ma Bell PSTN lines, this is even more important. In fact, consider eliminating long distance access to all of these trunks. Twelfth, where possible, configure your provider accounts to eliminate international and toll calls of all varieties. Finally, check your FreePBX call log every day to make certain no one is making calls on your nickel.

If you are unwilling or unable to perform these Baker's Dozen steps while continuing to monitor the sites provided and recheck your setup regularly (at least every week), don't activate unrestricted SIP access to your server.
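Items 6 and 8 of the checklist can be checked mechanically. The following Python script is an added example (not from the original article or from FreePBX): it parses sip.conf-style extension definitions and reports weak secrets and extensions with no effective deny/permit restriction. The sample configuration, the 12-character minimum and the function names are assumptions made for the example.

```python
import ipaddress

MIN_SECRET_LEN = 12  # assumed threshold; the article only asks for "very long"
# Constructed sample config; not taken from a real server.
SAMPLE_SIP_CONF = """\
[201]                      ; default-style extension
secret=201
deny=0.0.0.0/0.0.0.0
permit=0.0.0.0/0.0.0.0     ; re-permits every address
[202]
secret=kT7pQ2mZx94LwB8s
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.0.0
[203]                      ; roaming phone, no ACL
secret=Vd83nQpL0sYe5RtA
"""

def parse_peers(conf_text):
    """Map each [section] to {option: [values]}; ';' starts a comment."""
    peers, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("["):
            current = peers.setdefault(line[1:].partition("]")[0], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return peers

def _is_any(acl):
    return ipaddress.ip_network(acl, strict=False).prefixlen == 0  # 0.0.0.0/0

def audit_extensions(conf_text):
    """Return {extension: [issues]} for checklist items 6 and 8."""
    report = {}
    for name, opts in parse_peers(conf_text).items():
        if "secret" not in opts:
            continue  # [general] and sections without a password
        secret, issues = opts["secret"][-1], []
        weak = len(secret) < MIN_SECRET_LEN or secret.isdigit() or secret.isalpha()
        if weak or name in secret:
            issues.append("weak secret")
        deny, permit = opts.get("deny", []), opts.get("permit", [])
        locked = any(map(_is_any, deny)) and permit and not any(map(_is_any, permit))
        if not locked:
            issues.append("no deny/permit lockdown")
        if issues:
            report[name] = issues
    return report
```

Per the checklist, only the one or two roaming extensions should show up without a lockdown; a deny-all followed by a permit-all, as on extension 201 in the sample, restricts nothing.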

Other Options. Consider using an intermediate provider such as voip.ms to provide SIP URI access to your server. Keep in mind that having a registered connection between your server and a VoIP provider alleviates the need to punch a hole in your firewall. So the idea here is to sign up for an inexpensive voip.ms account and set up the trunk connection with your server as either an IAX or SIP account with an always-on connection. Then voip.ms gives you the option of activating a SIP URI as part of a subaccount setup. Just create an internal extension on their server, and this will generate a SIP URI, e.g. 123456666@sip.us4.voip.ms where 12345 is your voip.ms account number and 6666 is the internal extension you created. This lets you connect directly with your server through the SIP URI from anywhere once you map this subaccount to an extension or IVR on your server. The charge for SIP URI calls is only $.001 per minute. The last step is to use this SIP URI in your remote SIP phone to connect back to your server. You can take advantage of the full range of Asterisk functions once these calls reach your server including IVRs and DISA. The approach is not only simple to implement, but it's also safe and economical.

There are some other alternatives as well. Use something like Google Voice or Ooma to redirect calls to your cellphone when you're traveling. Or buy an Ooma for Grandma or a MagicJack for Joe College. These options also are safe, secure, and quite inexpensive.


Activating Inbound SIP on Your Server. If you still are hell-bent on opening SIP access to your server, the Incredible PBX already is preconfigured to support it. Just map the SIP ports on your hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000). Once activated, anyone can reach you through the following SIP URI using the actual public IP address of your server: mothership@12.34.56.78. You also can adjust the e164 trunk in FreePBX to route inbound calls to any destination desired. Then register your phone number on e164.org and others can call you at no cost using your traditional phone number. Enjoy!



Support Issues. With any application as sophisticated as this one, you're bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It's the best Asterisk tech support site in the business, and it's all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won't have to wait long for an answer to your questions.





  1. We, of course, continue to recommend a dLink Router/Firewall. Low Cost: $35 WBR-2310; Better: DIR-825; Best: DGL-4500.
  2. We recommend the free SipAgent client for Android devices and the commercial Acrobits Softphone for iPods and iPads.
  3. Adding an entry like the following would dramatically reduce the likelihood of a SIP attack: -A INPUT -p udp -m udp -s 141.146.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT
