
The Gotcha-Free PBX: Simon Telephonics New SIP Gateway for Google Voice

We promised you that free Google Voice calling in the U.S. and Canada would soon be available on every Asterisk® platform whether the platform supported Asterisk Motif or not. And this week we’re covering the second SIP gateway offering for Google Voice. We introduced Bill Simon’s first Google Voice gateway back in June of 2012. This time around the latest iteration features secure OAUTH authentication so there’s no need to divulge your Google Voice credentials. Once you’ve set up your account on the Simonics Google Voice Gateway site,1 you simply create a standard SIP trunk on your Asterisk server or SIP device of choice, and PRESTO! You get secure authentication to Google Voice without worrying whether Google will drop support for insecure authentication methods such as Asterisk Motif down the road. And you can set all of it up for a one-time setup fee. For Nerd Vittles readers, you get $1 off the current $5.99 fee by using this link. Unlike last week’s GVsip offering, the new Simonics service includes free CallerID name lookups plus the ability to connect multiple devices at multiple sites and communicate between the devices using some clever SIP magic. You also can map incoming calls to any SIP URI rather than just the destination from which you register a Google Voice account. This new gateway is a real winner!

Why do this? There are several reasons aside from the free calls and free phone number. First, Google has warned for years that insecure authentication to Google Voice is going away. It hasn’t yet which is the reason Asterisk Motif logins still work. When Google finally pulls the plug (and they will), your Google Voice days are over using the Asterisk platform. Second, some of the Asterisk aggregations such as Elastix® never supported Google Motif. Hence, free Google Voice calling wasn’t available at all to those using the Elastix platform. That limitation is now a thing of the past. You can create a simple SIP trunk and begin enjoying free Google Voice calling in the U.S. and Canada just like some of the rest of us have been doing for years. Third, Google Voice support was the sole reason that many have stuck with the FreePBX® GUI despite the gotchas. Now you have a choice. Any Incredible PBX™ or Asterisk-GUI™ server now supports Google Voice without your having to worry about constant changes to the Asterisk Motif driver to support refinements at the Google Voice end. Now it’s a pure SIP trunk using pure SIP technology as far as Asterisk is concerned. The only limitation is the one imposed by Google. You need to reside in the United States to use Google Voice even though free calling is available to the U.S. and Canada.

If you have difficulty finding the Google Chat option after setting up a new Google Voice account, follow this tutorial.

1. Using your favorite browser, log in to the Google Voice account you wish to associate with the Simonics SIP gateway. Be sure that you’ve enabled Google Chat in your Google Voice setup.

2. Using a separate tab of your browser, connect to the Simonics Google Voice Gateway site.

3. Go through the steps to register your Google Voice account with the Simonics Google Voice gateway and obtain your credentials.

4a. For those using FreePBX or Elastix, use another tab of your browser to open the GUI interface and create a new SIP trunk using your new SIP login credentials. Replace 8005551212 with your actual Google Voice number and YOUR-SIP-PW with your actual Simonics SIP password in BOTH the PEER Details and Registration String. Add your Google Voice number to the end of the Registration String like this: GV18005551212:YOUR-SIP-PW@gvgw.simonics.com/8005551212

4b. For those using Incredible PBX for Asterisk-GUI, simply download and run our One-Click Installer. You’ll need your Simonics SIP account name and password plus a two-digit dialing prefix to use for outbound calls. It’s that simple!

cd /root
wget http://incrediblepbx.com/simonics-addon.tar.gz
tar zxvf simonics-addon.tar.gz
rm -f simonics-addon.tar.gz
./simonics-addon.sh

Once you’ve finished running the script, your trunk will be up and running. There’s no requirement for steps #5 and #6 with Asterisk-GUI. If desired, jump to Step #7 to set up a SIP URI for your incoming calls.

5. Create an Inbound Route for your incoming calls using the 10-digit number you entered at the end of the Registration String in step #4a.

6. Create an Outbound Route for outgoing calls that should be handled by your Google Voice trunk. The CallerID number will be your Google Voice number. You cannot change it.

7. If you’d prefer to send incoming calls to a designated SIP URI instead of the server that registered with the Simonics gateway, enter the address in the format: pbx@myserver.xyz. For additional details, read our previous article on SIP URIs.

8. Repeat this setup procedure for as many Google Voice accounts as you wish to activate using the steps above. If you’re using Incredible PBX for Asterisk-GUI, remember to edit the script and change the TRUNK=simonics entry to something like TRUNK=simonics2. Also use a unique two-digit dialing prefix for each trunk. Be sure to log out of your previous Google account before repeating the drill. Enjoy!


Don’t forget to List Yourself in Directory Assistance with your new IPkall PSTN number so everyone can find you by dialing 411. And be sure to add your new number to the Do Not Call Registry to block telemarketing calls.

Originally published: Monday, April 13, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for Incredible PBX users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For Incredible PBX users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 



  1. In addition to substantial technical assistance, Simon Telephonics is also a financial contributor to the Nerd Vittles project.

The Gotcha-Free PBX: Harnessing SIP URIs for Free Worldwide Calling

We continue the Incredible PBX for Asterisk-GUI adventure today with a close look at SIP URIs, those email-like addresses that are the fundamental building blocks for VoIP technology. Consider this. If everyone in the world had a SIP address instead of a phone number, every call to every person in the world via the Internet would be free. That pretty much sums up why SIP URIs are important. The syntax for SIP URIs depends a bit upon your platform. In the Asterisk® world, they look like this: SIP/somenameORnumber@FQDN.yourdomain.com. On many SIP phones, you enter SIP URIs in the following format: sip:somenameORnumber@FQDN.yourdomain.com. Others use somenameORnumber@FQDN.yourdomain.com. Assuming you have a reliable Internet connection, once you have “dialed” a SIP URI, the destination SIP device will ring just as if they had a POTS phone. And Asterisk processes SIP URIs in much the same way as other calls originating from trunks. As noted, SIP URI calls of any duration to anywhere are free. And, of course, Incredible PBX is also free with No Gotchas!

In our original articles on Incredible PBX for Asterisk-GUI, we covered outbound calls to SIP URIs, and we’ll briefly review that procedure today. Then we’ll move on to setting up one or more SIP URIs for your own server so that you can receive incoming SIP URI calls. We’ll show you how to route them to any destination you like, both internal and external. We’ll also address the security implications of enabling SIP URI calling on your server. You don’t want the whole world calling into your server to make outbound calls on your nickel. We’ll also walk you through a safer SIP methodology in which you use a service provider as a SIP intermediary to better protect the security of your server. And finally, we’ll show you how to interconnect your new SIP URIs to real telephone numbers at zero cost. Then your friends without a SIP URI still can call you from any POTS or cellphone in the world.

SIP URI Calling with Incredible PBX for Asterisk-GUI

With one line of dialplan code, you can add Speed Dials for free SIP URI calling worldwide. The dialplan code is stored in the [CallingRule_SIP_URI] context in extensions_custom.conf. Just clone one of the existing entries, designate a speed dial number to connect to the SIP URI, and enter the SIP URI for the destination. Numerous SIP providers support assignment of SIP URIs to existing DIDs for unlimited free calling from anywhere in the world. Here’s a sample using a speed dial code of 53669 (L-E-N-N-Y). Use it for your telemarketers: exten = 53669,1,Dial(SIP/2233435945@sip2sip.info).

Choosing a SIP URI Strategy with Incredible PBX for Asterisk-GUI

Before we actually create SIP URIs on your own server to receive anonymous calls, let’s walk through the available implementation strategies so that you can make an informed choice on how best to proceed. Keeping in mind that SIP URIs consist of an identifier and a fully-qualified domain name (FQDN) or IP address, one option is to use the same domain that you use for your company. We don’t recommend this approach because it makes it easy to guess where your SIP resources reside. Another option is to use a really obscure FQDN with your SIP URIs. Something like k43X20.mycompany.com or, for dynamic addresses, something like k43X20.dyndns.org makes more sense. In the next section, we’re going to lock down SIP access to your server to this FQDN so the more obscure the FQDN the safer you will be. Security through obscurity still works wonders. A third option is to use the IP address of your server instead of an FQDN. That’s a bad choice because of programs like SIPVicious that the bad guys use to scan the Internet for potential SIP targets to be hacked.

An alternative approach worth considering is to use a provider such as VoIP.ms as a SIP intermediary. In this scenario, you create a sub-account and assign an obscure extension number to that account. This in turn generates a SIP URI that can be used to connect to that account from your server by simply registering a VoIP.ms trunk in Incredible PBX. Once the trunk is registered, incoming SIP URI calls to your VoIP.ms sub-account will be forwarded (without cost) to your server without exposing Asterisk to SIP guest access at all. The wrinkle with this option is that VoIP.ms has often indicated that they plan to charge a reduced fee for these connections at some point. However, to date, they’ve never done it. If VoIP.ms shifts gears down the road, you obviously can as well. For the time being, we would encourage you to take advantage of this free service option. It remains our first choice for SIP URI implementation because there is no need to expose SIP resources on your server at all. VoIP.ms takes care of all the SIP security headaches leaving you to enjoy free calling. In the screenshot we’ve shown above, assuming your VoIP.ms account number was 12345, the SIP URI to connect to this sub-account would be 123458005551212@houston.voip.ms assuming you registered your trunk with the houston.voip.ms server.

Creating Your Own SIP URIs with Incredible PBX for Asterisk-GUI

The procedure for creating one or more SIP URIs on your own Incredible PBX server is straightforward:

  1. For servers behind a hardware-based firewall, map UDP 5060 (SIP) to your server
  2. Enable allowguest access in [general] context of sip.conf
  3. Create desired SIP URIs in [public] context of extensions.conf

1. Unless your server is sitting on the public Internet without a hardware-based firewall, you’ll need to map UDP port 5060 (SIP) from the firewall to the private LAN address of your server. Otherwise incoming SIP calls will never reach Incredible PBX. Most routers have a Port Forwarding tab in which you designate the port to be forwarded, the type of port, and the destination IP address. Consult the manual for your router/firewall for detailed instructions.

2. Changing the allowguest setting in the [general] context of sip.conf is mandatory since the purpose of SIP URI calling is to accept calls from unregistered users. The risk, of course, is that anyone in the world with an Internet connection can attempt to connect to your server. More on that later. For now, issue this command after logging into your server as root:

sed -i 's|allowguest=no|allowguest=yes|' /etc/asterisk/sip.conf

Once you issue this command and restart Asterisk, the setup of Incredible PBX for Asterisk-GUI is to route anonymous SIP calls to the [public] context in extensions.conf. Only extensions in this context will be exposed to anonymous callers. This is important. NEVER change the destination context for these calls to one that provides unrestricted access to the calling resources on your server. The reason should be obvious. But, in case it isn’t, this would permit anonymous callers to use all of your trunks to place outbound calls to anywhere… on your nickel. $100,000 phone bills are the usual result.

3. There are two important facets in creating your own SIP URIs for anonymous access to your server. As touched upon previously, the first is choosing an obscure FQDN for your server. This is a really important layer of security for a couple of reasons: (1) your anonymous caller has to know the actual FQDN of your server in order to reach you and (2) in the next step we’re going to lock down your server to only allow anonymous SIP access from this FQDN. So choose carefully. The second consideration is deciding which server resources you wish to expose for SIP URI access. Do you wish to permit SIP URI calls only to a specific extension or ring group, or perhaps a custom IVR just for SIP URI callers, or perhaps a conference or DISA access (very dangerous)?

You can deploy more than one SIP URI. For each one, you’ll need a destination for the incoming call and an identifier or extension. Identifiers could be numeric, alphanumeric, or pure alpha characters. For example, 8005551212, joe6001, and accounting are all perfectly acceptable. The resultant SIP URI would be something like joe6001@k43X20.mycompany.com.

As noted, for each destination on your server that you wish to enable for SIP URI access, you add a line of dialplan code to the [public] context in extensions.conf. The syntax is identical to what you’ve previously used in routing incoming trunk calls to a destination except we’ll restrict connections to those matching the identifier you’ve chosen for each SIP URI. Here are some examples to get you started.

To route SIP URI accounting@k43X20.mycompany.com to Ring Group #1:
exten = accounting,1,Goto(ringroups-custom-1,s,1)

To route SIP URI joe6001@k43X20.mycompany.com to Extension 6001:
exten = joe6001,1,Goto(default,6001,1)

To route SIP URI demo@k43X20.mycompany.com to the Nerd Vittles demo IVR:
exten = demo,1,Goto(voicemenu-custom-2,s,1)

To route SIP URI lenny@k43X20.mycompany.com to an outside SIP URI:
exten = lenny,1,Dial(SIP/2233435945@sip2sip.info)

To route SIP URI conference@k43X20.mycompany.com to the default conference at extension 2663:
exten = conference,1,Goto(conf_bridge,2663,1)

To route SIP URI weather@k43X20.mycompany.com to the Weather by ZIP Code application:
exten = weather,1,Goto(CallingRule_extensions_custom,947,1)

To route SIP URI 800directory@k43X20.mycompany.com to Directory Assistance using Google Voice trunk:
exten = 800directory,1,Dial(Motif/GoogleVoice/18005551212@voice.google.com)
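
A check for the earlier warning about allowguest and the [public] context, as an added example that is not part of the original article or of Incredible PBX: it reads sip.conf and extensions.conf text and flags entries that give anonymous callers more than a fixed destination. The sample files are constructed, the trunk name mytrunk is hypothetical, and it assumes chan_sip sends guest calls to the context= set in [general].

```python
import re

# Constructed sample files (not copied from a real server).
SIP_CONF = """\
[general]
allowguest=yes      ; anonymous SIP calls accepted
context=public      ; assumption: guest calls land in this context
"""

SAFE_DIALPLAN = """\
[public]
exten = joe6001,1,Goto(default,6001,1)
exten = lenny,1,Dial(SIP/2233435945@sip2sip.info)

[default]
exten = 6001,1,Dial(SIP/6001)
"""

RISKY_DIALPLAN = """\
[public]
include => default
exten = _9X.,1,Dial(SIP/mytrunk/${EXTEN:1})   ; mytrunk is hypothetical
exten = remote,1,DISA(no-password,default)

[default]
exten = 6001,1,Dial(SIP/6001)
"""


def parse(text):
    """Return {section: [(key, value), ...]} for Asterisk-style config text.

    Simplified: everything after ';' is treated as a comment, and both
    'key = value' and 'key => value' are accepted.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.lstrip(">").strip()))
    return sections


def audit(sip_text, ext_text, guest_context="public"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    general = dict(parse(sip_text).get("general", []))
    # chan_sip accepts guest calls unless allowguest is set to no.
    if general.get("allowguest", "yes").lower() == "no":
        return findings
    ctx = general.get("context", "default")
    if ctx != guest_context:
        findings.append(
            f"sip.conf: guest calls land in [{ctx}], not [{guest_context}]")
    for key, value in parse(ext_text).get(ctx, []):
        if key == "include":
            findings.append(
                f"[{ctx}] includes [{value}]: its extensions become guest-reachable")
            continue
        if key != "exten":
            continue
        name, _, rest = value.partition(",")
        if name.startswith("_"):
            findings.append(
                f"[{ctx}] pattern extension {name}: guests choose what is matched")
        if re.search(r"\bDISA\(", rest, re.I):
            findings.append(f"[{ctx}] {name}: DISA hands the caller a dial tone")
        if re.search(r"\bDial\([^)]*\$\{EXTEN", rest, re.I):
            findings.append(
                f"[{ctx}] {name}: Dial() target taken from the dialed string")
    return findings


if __name__ == "__main__":
    for label, plan in (("safe", SAFE_DIALPLAN), ("risky", RISKY_DIALPLAN)):
        print(label, audit(SIP_CONF, plan) or "nothing flagged")
```

On a server, pass the contents of /etc/asterisk/sip.conf and extensions.conf to audit() in place of the samples.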

Securing Your Server with SIP URI Implementations

There are two important security steps once you have enabled anonymous SIP URI calling to your server. The first line of defense is to harden the IPtables Firewall to only permit anonymous SIP access to the specific FQDN you plan to use for your SIP URI callers. The second is to harden Asterisk to disallow requests for domains not serviced by your server.

1. Edit the IPv4 rules for your operating system. On the CentOS-compatible platforms, it’s /etc/sysconfig/iptables. On the Debian/Ubuntu/Raspbian platforms, it’s /etc/iptables/rules.v4. Toward the end of the file and just above the final fail2ban entries, insert the following code using your actual FQDN in the first line:

-A INPUT -p udp --dport 5060 -m string --string "@k43X20.mycompany.com" --algo bm -j ACCEPT
-A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP
-A INPUT -p udp -m udp --dport 5060 -j DROP

2. Run the following commands substituting your actual FQDN in the first line to lock down Asterisk to only your FQDN for anonymous SIP connections:

sed -i '/\[general\]/a ;domain=k43X20.mycompany.com' /etc/asterisk/sip.conf
sed -i '0,/;domain/s/;domain/domain/' /etc/asterisk/sip.conf
sed -i '0,/;allowtransfer=no/s/;allowtransfer=no/allowtransfer=no/' /etc/asterisk/sip.conf
sed -i '0,/; allowexternaldomains=no/s/; allowexternaldomains=no/allowexternaldomains=no/' /etc/asterisk/sip.conf

3. Restart your firewall: iptables-restart

4. Restart Asterisk: asterisk-restart

5. Done!
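
To see what the four firewall rules in step 1 admit, here is an added example (not from the original article) that walks constructed SIP datagrams through them in file order. It models the string match as a case-sensitive substring search, which is how the rules behave without --icase; the IP addresses and message fields are constructed documentation values.

```python
"""Added example: walk constructed SIP datagrams through the UDP/5060 rules."""

FQDN = "k43X20.mycompany.com"  # the article's placeholder FQDN

# The rules from step 1, in file order: (substring to find, target).
# None stands for the final catch-all rule, which has no string match.
RULES = [
    (b"@" + FQDN.encode(), "ACCEPT"),
    (b"REGISTER sip:", "DROP"),
    (b"OPTIONS sip:", "DROP"),
    (None, "DROP"),
]


def verdict(payload, rules=RULES):
    """Return (rule number, target) of the first rule that matches.

    Models `-m string --algo bm` without --icase and without --from/--to:
    a case-sensitive substring search, and the first matching rule decides.
    """
    for number, (needle, target) in enumerate(rules, start=1):
        if needle is None or needle in payload:
            return number, target
    return 0, "CHAIN POLICY"


def sip_request(method, uri, from_uri="sip:caller@198.51.100.7"):
    """Build a minimal constructed SIP request (not a packet capture)."""
    lines = [
        f"{method} {uri} SIP/2.0",
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-constructed",
        f"From: <{from_uri}>;tag=1",
        f"To: <{uri}>",
        "Call-ID: constructed-1@198.51.100.7",
        f"CSeq: 1 {method}",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


SAMPLES = {
    # A SIP URI call that names the FQDN: accepted by rule 1.
    "invite_fqdn": sip_request("INVITE", f"sip:joe6001@{FQDN}"),
    # Same call with the host typed in lowercase: rule 1 does not match.
    "invite_fqdn_lowercase": sip_request("INVITE", f"sip:joe6001@{FQDN.lower()}"),
    # Requests addressed to the bare IP address never match rule 1.
    "invite_ip": sip_request("INVITE", "sip:joe6001@203.0.113.10"),
    "options_ip": sip_request("OPTIONS", "sip:100@203.0.113.10"),
    "register_ip": sip_request("REGISTER", "sip:203.0.113.10"),
    # First match wins: rule 2 is never consulted once rule 1 has matched.
    "register_fqdn": sip_request("REGISTER", f"sip:{FQDN}",
                                 from_uri=f"sip:joe6001@{FQDN}"),
}


def evaluate(samples=SAMPLES):
    """Return {sample name: (rule number, target)} for every sample."""
    return {name: verdict(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, (number, target) in evaluate().items():
        print(f"{name:24} rule {number} -> {target}")
```

Two things stand out in the results: a caller who types the host in a different case than the rule is dropped, and any datagram that carries the FQDN is accepted whatever its method, so the Asterisk settings in step 2 and strong extension passwords still matter.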

Interconnecting a SIP URI with a Free PSTN Phone Number

Wouldn’t it be nice if all your friends and business associates without SIP URI capability could still call you using a traditional PSTN number? Well, it’s your lucky day because www.ipkall.com provides just what you need, a free phone number in the Seattle area that you can connect to an existing SIP URI on your server.

When folks call the Seattle number, they will be connected to your server using whatever routing you chose for the SIP URI in the previous section. So sign up for a number, enter your email address and the SIP URI for the calls, and wait for the confirmation email identifying your new telephone number. The only catch is that you need to receive at least one call a month to keep the number. Aside from that, there are no restrictions on use of the PSTN numbers. Enjoy!


Don’t forget to List Yourself in Directory Assistance with your new IPkall PSTN number so everyone can find you by dialing 411. And be sure to add your new number to the Do Not Call Registry to block telemarketing calls.

Originally published: Wednesday, March 25, 2015



Midnight Madness: Introducing Incredible PBX 12 with Asterisk 12 and FreePBX

The number “12” always has held mystical prominence in our culture and so it is with Asterisk®. Just over 12 months ago, Digium first introduced Asterisk 12 at AstriCon in Atlanta and heralded a major change in the direction of the product. It was more than a wholesale revamping of the Asterisk feature set. There was a revolutionary new development methodology thanks to the untiring efforts of Matt Jordan and his incredibly talented development team. Unlike Asterisk releases of old, there were no serious breakages in existing applications and, where there were changes, they were carefully documented for all the world to see. Thank you, Matt & Co.

The release of Asterisk 12 also set in motion the development of FreePBX® 12 by the equally talented FreePBX Dev Team. What began as an effort simply to integrate all of the new components in Asterisk 12 quickly evolved into a major rewrite of the graphical user interface for Asterisk, no small feat given its history of starts and stops spanning nearly a decade of development. Just last week, FreePBX 12 was pronounced stable and production ready. If you thought Asterisk 12 was revolutionary, just wait until you try FreePBX 12. Simply amazing work by the FreePBX Development Team. Thank you.

While PBX in a Flash has offered a preview edition of Asterisk 12 and FreePBX 12 for quite a while, we’ve held off releasing the stand-alone Incredible PBX 12 for a number of reasons. First and foremost, we wanted Incredible PBX 12 to remain pure open source to point the way for others that want to enhance Asterisk 12 and FreePBX 12. Second, there were more than a few rough edges with both products that simply needed some time to evolve. The one year anniversary of Asterisk 12 and the stable release of FreePBX 12 seemed a fitting occasion to add our turnkey implementation of Incredible PBX to the mix.

The real beauty of Incredible PBX: there is no smoke and there are no mirrors. What you see is what you get. You begin with a base install of the Linux operating system. And then the open source Incredible PBX installer adds all of the pieces to integrate air-tight security with Asterisk 12, FreePBX 12, text-to-speech technology and dozens of applications for Asterisk into a seamless platform for either experimentation or production use. You can review the source code and embellish it as you see fit! Protecting your deployment is the IPtables firewall with a WhiteList for authorized user access coupled with Fail2Ban to monitor access attempts. This isn’t merely a security toolkit. Your server is actually locked down from the moment you complete the Incredible PBX install. Authorizing additional users is accomplished using simple administrator scripts. Or end-users can employ PortKnocker and Travelin’ Man 4 to simplify remote access. Automatic updates for security fixes and enhancements are an integral component of Incredible PBX. If the security alerts of the past month haven’t convinced you that updates are critically important, you probably should stop hosting your own PBX. Backups and restores also are simple. And the complete open source feature set of both Asterisk and FreePBX is activated to facilitate your development efforts. In short, you gain nothing by installing the individual components yourself, and you may lose a lot. With Incredible PBX, the heavy lifting has all been done for you with documented, open source code that makes it simple to add your own tweaks as desired. That’s what open source is all about!

We’ve chosen Ubuntu 14.04 as the platform on which to begin the Incredible PBX 12 adventure. More releases will follow in due course. But Ubuntu 14.04 is an extremely stable and well-supported LTS release of Linux that warrants a careful look. After all, the primary objective here is a stable telephony platform. The Ubuntu 14.04 LTS platform offers that in spades.

Building an Ubuntu 14.04 Platform for Incredible PBX 12

As a result of the trademark and copyright morass, we’ve steered away from the bundled operating system in favor of a methodology that relies upon you to put in place the operating system platform on which to run PBX in a Flash or Incredible PBX. The good news is it’s easy! With many cloud-based providers1, you can simply click a button to choose your favorite OS flavor and within minutes, you’re ready to go. With many virtual machine platforms such as VirtualBox, it’s equally simple to find a pre-built Ubuntu 14.04 image or roll your own.

If you’re new to VoIP or to Nerd Vittles, here’s our best piece of advice. Don’t take our word for anything! Try it for yourself in the Cloud! You can build an Ubuntu 14.04 image on Digital Ocean in under one minute and install Incredible PBX 12 for Ubuntu 14.04 in under 30 minutes. Then try it out for two full months. It won’t cost you a dime. Use our referral link to sign up for an account. Enter a valid credit card to verify you’re who you say you are. Create an Ubuntu 14.04 (not 14.10!) 512MB droplet of the cheapest flavor ($5/mo.). Go to the Billing section of the site, and enter the following promo code: UBUNTUDROPLET. That’s all there is to it. A $10 credit will be added to your account, and you can play to your heart’s content. Delete droplets, add droplets, and enjoy the free ride!

For today, we’ll walk you through building your own stand-alone server using the Ubuntu 14.04 mini.iso. If you’re using Digital Ocean in the Cloud, skip down to Installing Incredible PBX 12. If you’re using your own hardware, to get started, download the 32-bit or 64-bit Ubuntu 14.04 “Trusty Tahr” Minimal ISO from here. Then burn it to a CD/DVD or thumb drive and boot your dedicated server from the image. Remember, you’ll be reformatting the drive in your server so pick a machine you don’t need for other purposes.

For those that would prefer to build your Ubuntu 14.04 Wonder Machine using VirtualBox on any Windows, Mac, or existing Linux Desktop, here are the simple steps. Create a new virtual machine specifying either the 32-bit or 64-bit version of Ubuntu. Allocate 1024MB of RAM (512MB also works fine!) and at least 20GB of disk space using the default hard drive setup in all three steps. In Settings, click System and check Enable I/O APIC and uncheck Hardware Clock in UTC Time. Click Audio and Specify then Enable your sound card. Click Network and Enable Network Adapter for Adapter 1 and choose Bridged Adapter. Finally, in Storage, add the Ubuntu 14.04 mini.iso to your VirtualBox Storage Tree as shown below. Then click OK and start up your new virtual machine. Simple!

Here are the steps to get Ubuntu 14.04 humming on your new server or virtual machine once you’ve booted up. If you can bake cookies from a recipe, you can do this:

UBUNTU mini.iso install:
Choose language
Choose timezone
Detect keyboard
Hostname: incrediblepbx < continue >
Choose mirror for downloads
Confirm archive mirror
Leave proxy blank unless you need it
< continue >
** couple minutes of whirring as initial components are loaded **
New user name: incredible
< continue >
Account username: incredible
< continue >
Account password: makeitsecure
< continue >
Encrypt home directory < no >
Confirm time zone < yes >
Partition disks: Guided - use entire disk and set up LVM
Confirm disk to partition
Write changes to disks and configure LVM
Whole volume? < continue>
Write changes to disks < yes> < -- last chance to preserve your disk drive!
** about 15 minutes of whirring during base system install ** < no touchy anything>
** another 5 minutes of whirring during base software install ** < no touchy anything>
Upgrades? Install security updates automatically
** another 5 minutes of whirring during more software installs ** < no touchy anything>
Software selection: *Basic Ubuntu server (only!)
** another couple minutes of whirring during software installs ** < no touchy anything>
Grub boot loader: < yes>
UTC for system clock: < no>
Installation complete: < continue> after removing installation media
** on VirtualBox, PowerOff after reboot and remove [-] mini.iso from Storage Tree & restart VM
login as user: incredible
** enter user incredible's password **
sudo passwd
** enter incredible password again and then create secure root user password **
su root
** enter root password **
apt-get update
apt-get install ssh -y
sed -i 's|without-password|yes|' /etc/ssh/sshd_config
sed -i 's|yes"|without-password"|' /etc/ssh/sshd_config
ifconfig
** write down the IP address of your server from ifconfig results
reboot
** login via SSH to continue **

Installing Incredible PBX 12 on Your Ubuntu 14.04 Server

Adding Incredible PBX 12 to a running Ubuntu 14.04 server is a walk in the park. To restate the obvious, your server needs a reliable Internet connection to proceed. Using SSH (or Putty on a Windows machine), log into your new server as root at the IP address you deciphered in the ifconfig step at the end of the Ubuntu install procedure above.

WARNING: If you’re using a 512MB droplet at Digital Ocean, be advised that their Ubuntu setup does NOT include a swap file. This may cause serious problems when you run out of RAM. Uncomment ./create-swapfile-DO line below to create a 1GB swap file which will be activated whenever you exceed 90% RAM usage on Digital Ocean.

Now let’s begin the Incredible PBX 12 install. Log back in as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/incrediblepbx12.tar.gz
tar zxvf incrediblepbx12.tar.gz
rm incrediblepbx12.tar.gz
#./create-swapfile-DO
./IncrediblePBX12.sh

The installer will first upgrade your Ubuntu 14.04 build to the latest modules. Then it will reboot. Rerun the installer to kick off the Incredible PBX 12 installation process. Once you have agreed to the license agreement and terms of use, press Enter and go have a 30-minute cup of coffee. The Incredible PBX 12 installer runs unattended so find something to do for a bit unless you just like watching code compile. When you see “Have a nice day”, your installation is complete. Write down your three “knock” ports for PortKnocker. You can retrieve your PortKnocker setup like this: cat /root/knock.FAQ. Next, set your admin password for FreePBX 12 by running /root/admin-pw-change. Set your correct time zone by running /root/timezone-setup. To be sure your FreePBX module signatures are current, issue the following two commands:

amportal a ma refreshsignatures
amportal a r

Log out and back in as root and the automatic update utility will bring your system current with security fixes and enhancements. Then you will be greeted with a status display shown at the top of this article.

You can access the Asterisk 12 CLI by typing: asterisk -rvvvvvvvvvv

You can access the FreePBX 12 GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display. The default username is admin with the admin password you set up above. If desired, you also can change it in FreePBX Administration by clicking Admin -> Administrators -> admin. Enter a new password and click Submit Changes then Apply Config. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for the default 701 extension and voicemail: Applications -> Extensions -> 701.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX 12. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:

123 - Reminders
222 - ODBC Demo (use acct: 12345)
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use an existing (free) Google Voice account. Google has threatened to shut this down but as this is written, it still works with previously set up Google Voice accounts. The more desirable long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX 12. If you want to use the inbound fax capabilities of Incredible Fax, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using FreePBX. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Google Voice account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Use a previously configured and dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX 12.

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you’re probably out of luck. Google has disabled the option in newly created accounts as well as some old ones that had Google Chat disabled. Now go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF
  • Call Options (Enable Recording): OFF
  • Global Spam Filtering: ON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in FreePBX 12. After logging into FreePBX with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. If you want unanswered calls to be routed to Google Voice for transcription, check the box. Be advised that IVR calls typically are not “answered” so check that box as well if you plan to use an IVR to respond to incoming Google Voice calls.

IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work with these simple settings in FreePBX: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

Adding Speech Recognition to Incredible PBX 12

To support many of our applications, Incredible PBX has included Google’s speech recognition service for years. These applications include Weather Reports by City (949), AsteriDex Voice Dialing by Name (411), and Wolfram Alpha for Asterisk (4747), all of which use Lefteris Zafiris’ terrific speech-recog AGI script. Unfortunately (for some), Google now has tightened up the terms of use for their free speech recognition service. Now you can only use it for “personal and development use.” If you meet those criteria, keep reading. Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

1. Use an existing Google/Gmail account to join the Chrome-Dev Group.

2. Using the same account, create a new Speech Recognition Project.

3. Click on your newly created project and choose APIs & auth.

4. Turn ON Speech API by clicking on its Status button in the far right margin.

5. Click on Credentials in APIs & auth and choose Create New Key -> Server key. Leave the IP address restriction blank!

6. Write down your new API key or copy it to the clipboard.

7. Log into your server as root and issue the following commands:

# for Ubuntu and Debian platforms
apt-get clean
apt-get install libjson-perl flac -y
# for RedHat and CentOS platforms
# yum -y install perl-JSON
# for all Linux platforms
cd /var/lib/asterisk/agi-bin
mv speech-recog.agi speech-recog.last.agi
wget --no-check-certificate https://raw.githubusercontent.com/zaf/asterisk-speech-recog/master/speech-recog.agi
chown asterisk:asterisk speech*
chmod 775 speech*
nano -w speech-recog.agi

8. When the nano editor opens, go to line 70 of speech-recog.agi: my $key = "". Insert your API key from Step #6 above between the quotation marks and save the file: Ctrl-X, Y, then Enter.

Now you’re ready to try out the speech recognition apps. Dial 949 and say the name of a city and state/province/country to get a current weather forecast from Yahoo. Dial 411 and say “American Airlines” to be connected to American.

To use Wolfram Alpha by phone, you first must install it. Obtain your free Wolfram Alpha APP-ID here. Then run the one-click installer: /root/wolfram/wolframalpha-oneclick.sh. Insert your APP-ID when prompted. Now dial 4747 to access Wolfram Alpha by phone and enter your query, e.g. “What planes are overhead.” Read the Nerd Vittles tutorial for additional examples and tips.

A Few Words about the Incredible PBX 12 Security Model for Ubuntu

Incredible PBX 12 for Ubuntu 14.04 is an extremely secure turnkey PBX implementation. As configured, it is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. As installed, nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. Incredible PBX 12 is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking.

You can whitelist additional IP addresses for remote access in several ways. First, you can use the command-line utilities: /root/add-ip and /root/add-fqdn. You can also remove whitelisted IP addresses by running /root/del-acct. Second, you can dial into extension 864 (or use a DID pointed to extension 864 aka TM4) and enter an IP address to whitelist. Before Travelin’ Man 4 will work, you’ll need to add credentials for each caller using the tools in /root/tm4. You must add at least one account before dial-in whitelisting will be enabled. Third, you can temporarily whitelist an IP address by successfully executing the PortKnocker 3-knock code established for your server. You’ll find the details and the codes in /root/knock.FAQ. Be advised that IP addresses whitelisted with PortKnocker (only!) go away whenever your server is rebooted or the IPtables firewall is restarted. For further information on the PortKnocker technology and available clients for iOS and Android devices, review the Nerd Vittles tutorial.

HINT: Storing your PortKnocker codes in a safe place is essential because they may be your only available way to gain access to your server if your IP address changes. You obviously can’t use the command-line tools to whitelist a new IP address if you cannot gain access to your server at the new IP address.

We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. If you use a hardware-based firewall, be sure to map the three PortKnocker ports to the internal IP address of your server!

The NeoRouter VPN client also is included for rock-solid, secure connectivity for remote users. Read our previous tutorial for setup instructions.

As one would expect, the IPtables firewall is a complex piece of software. If you need assistance configuring it, visit the PIAF Forum for some friendly assistance.

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX 12 server, simply copy the image to a server running Asterisk 12 and FreePBX 12 and run /root/incrediblerestore. Doesn’t get much simpler than that.

A Word About FreePBX Module Signatures

FreePBX 12 has implemented a new checksum mechanism to assure that modules are intact. Special thanks to the FreePBX Development Team for their work in extending this feature to modules outside the FreePBX-support modules. If other modules (other than ODBC configuration files) show invalid or missing signatures, you should do some investigating promptly!

Adding Incredible Fax to Your Server

Once you’ve completed the Incredible PBX install, log out and log back in to load the latest automatic updates. Then reboot. Now you’re ready to continue your adventure by installing Incredible Fax for Ubuntu. Special thanks to Josh North for all his hard work on this!

cd /root
rm incrediblefax11_ubuntu14.sh
wget http://incrediblepbx.com/incrediblefax11_ubuntu14.sh
chmod +x incrediblefax11_ubuntu14.sh
./incrediblefax11_ubuntu14.sh

Just plug in your email address for delivery of your incoming faxes in PDF format. Then accept all of the defaults during the installation process. Once you complete the install, reboot your server. Then log in as root again and set your AvantFax admin password: /root/avantfax-pw-change. Now you can access both FreePBX 12 and AvantFax by pointing your browser to the IP address of your server. Please note that we’ve had problems logging into AvantFax with some versions of the Chrome browser. Works great with Firefox!

Next, log into FreePBX and set an Inbound Route for incoming faxes to Custom Destination: Fax (hylafax). Then try sending a fax to the phone number and be sure it arrives in your email.

You also can try enabling fax detection with any Google Voice number. Just edit the inbound route for the DID and make it look like this:

Incredible PBX 12 Automatic Update Utility

Every time you log into your server as root, Incredible PBX 12 will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along (again).

Where To Go Next?

Once you get Incredible PBX installed, you’ll want to read up on the dozens of applications for Asterisk which are included in the Incredible PBX feature set. We’ve previously covered this in a separate article for the Raspberry Pi platform, but the applications are the same. Here’s a link to the tutorials.

You can follow updates to Incredible PBX 12 in this thread on the PIAF Forum.

We would also encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie. Come join us!

Originally published: Monday, November 3, 2014 Updated: Monday, December 1, 2014


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. With some providers including ones linked in this article, Nerd Vittles receives referral fees which assist in keeping the Nerd Vittles lights burning brightly.

Obivoice = OBi Heaven: Dumping Google Voice for Less Than 10¢ a Day

What a difference a week makes! When we wrote last week’s article about netTALK and their terrific pricing, we were pleased to report that at least one company could offer a drop-in replacement for Google Voice without breaking the bank. But, alas, all is not well in netTALK Land. For openers, the Better Business Bureau revoked their accreditation last June because of failure to respond to or resolve technical complaints. And a recent SEC Filing paints a fairly bleak picture of the company’s financial condition. Special thanks to Gershom1624 for his sleuthing efforts. This merely reinforces the difficulty of providing reliable, unlimited VoIP service at the $2.50 a month price point. But we firmly believe $2.50 is the magic price point, and it is achievable with some safeguards for the provider, i.e. residential service, no call centers, no 10,000 minutes-a-month customers. My mom loved the telephone, but she never spent 5 hours a day on the telephone. There also has to be some tradeoff in the level of support customers can expect. If customers tie up expensive support reps with multiple calls, the pricing matrix falls apart very quickly. And that brings us to this week.


Let’s review the Wish List for those that missed last week’s article. We want a drop-in replacement for Google Voice on both the OBi110 (stand-alone with any POTS telephone) and Asterisk® (PBX) platforms. It needs to provide unlimited (within reason) calling in the U.S. and Canada. It needs a feature set that is fairly comparable to Google Voice. It needs to include E911 service because the federal government says so. We don’t care much about support as long as the setup process is well-documented, the service is reliable, and calls sound great. Charging for support requests to resolve issues that aren’t the company’s fault is perfectly fine with us. But the price point for unlimited calling needs to be $2.50 a month, i.e. $30 a year or $60 every two years for the math-challenged. We’d prefer no tips, taxes, or fees. We want to keep our existing number. And, lest we forget, the company must promise to stay in business and never raise prices… forever.

Suppose we could find you a company that, with a 2-year commitment, could provide all of the above (minus the last sentence) plus fax support including a web page to send outgoing faxes from attachments, free calling and a mobile app for your iOS and Android devices, Visual Voicemail with voicemail transcription as well as email delivery of voicemail messages, call forwarding, call waiting, CallerID spoofing for any number you own, and unbelievable customer service. Not sure about the service? How about a 30-day free trial with 60 free minutes?

Let us introduce you to Obivoice. Don’t be alarmed by the one-year price of $40. The two-year price is just $60. But it doesn’t cost you a nickel to sign up and try the service. Obivoice is a pure SIP provider so the setup with PBX in a Flash™ or an OBi110™ takes only a couple minutes. Here’s the SIP trunk setup for PBX in a Flash using FreePBX®. All you need is your SIP credentials and phone number once you’ve signed up for an account. Plug in your 10-digit phone number in the Outbound CallerID and Register String, replace 1234 with your Account Number in the username, fromuser, and Register String, and replace yourpassword with your real Password in the secret and Register String.

Next, build yourself an Inbound Route with your 10-digit DID and point it to your favorite PBX destination. Finally, create an Outbound Route using obivoice as the Trunk Sequence, and you’re all set. It doesn’t get any easier than that.

We don’t think you will but, if you need assistance setting this up, head over to the PIAF Forum where there’s a lively discussion about Obivoice already.

The OBi110 setup is just as easy. Plug in sms.intelafone.com as the ProxyServer and OutboundProxy in your ITSP Profile, add your SIP credentials in the SP1 Voice Services dialog, and forward (or transfer) your existing Google Voice number to Obivoice. Done! Obivoice’s complete tutorial is available here.

Let us close with our own customer service story. We were so excited about this new service when it was announced yesterday that we actually clicked the wrong button and signed up for the wrong plan. Of course, it only takes a minute to get that sinking feeling in your stomach when you know you’ve screwed up. So late yesterday (Sunday night!) I opened a support ticket and asked to either cancel the wrong plan so that I could reenlist or to transfer to the $60 two-year plan. At 1:30 a.m. this morning, I got an email back from customer service indicating that the plan had been adjusted and that I had been billed for the price difference. WOW!

Run, don’t walk, to sign up for Obivoice. It’s that great!

p.s. The Obivoice jingle in their YouTube video is as good as their calls. We want it for our Music on Hold!

Originally published: Monday, January 13, 2014








 

Newbie’s SIP Navigation Guide for Asterisk: Is It Safe?

It’s Back to School Time at Nerd Vittles today with a wrap-up of our series exploring the symbiotic relationship between SIP and Asterisk® including the most important consideration of all: SIP Security 101, a quick-and-dirty look at the security implications of using SIP with Asterisk. If you read nothing else before you begin your VoIP adventure, move today’s article to the top of your list. It might save you a personal fortune! Think of it as winning the lottery without even buying a ticket. Then we’ll summarize some safe approaches to using SIP with Asterisk. And finish up with a novel way to implement free SIP calling using almost any telephone: POTS phone, cellphone, or any SIP phone.

Asterisk Boot Camp: SIP Security 101

By default, most Asterisk systems including those relying upon FreePBX® are configured to deny anonymous SIP calls. If your server has a fully-qualified domain name, it means SIP calls to 201@myserver.com will fail. Since SIP URI calls are free from anywhere in the world, that’s a big deal. The million dollar question is why not just enable anonymous SIP calling on your Asterisk server and call it a day. Then anybody can call any extension on your PBX. That’s half of the answer actually: “Then anybody can call any extension on your PBX.” If that were the only exposure by opening up SIP to anonymous callers, many of us could probably live with that. After all, that’s how POTS phones worked for almost 100 years. The difference, of course, is anonymous SIP calls are free and often undetectable regardless of where the calling party happens to actually be. Unlike HTTP requests which preclude users from spoofing the IP address, SIP requests have no such limitation. That means a SIP packet can knock on your door masquerading as a SIP packet initiated from your own server.

Unfortunately, when you expose UDP port 5060 and your Asterisk server to any and all SIP traffic sent your way from the Internet, it means any kind of SIP packet can be sent to your server for processing. That includes login requests to extensions and trunks as well as SIP packets with all sorts of vile code embedded in the SIP headers.

SIP can be used for DDoS attacks from inside or outside of the network, and it is the SBC or other border controller device’s job to handle those types of issues. Common attacks include SIP registration floods, endpoint spoofing, and ENUM attacks.

Without boring you with the details, suffice it to say that SIP vulnerabilities have been discovered regularly in all flavors of Asterisk… as recently as a few weeks ago. And, Asterisk 12 is just around the corner with an entirely new approach to SIP. So, before you open your server to anonymous SIP attacks, ask yourself whether you (and your wallet) believe that we’ve seen the last of the SIP vulnerabilities. Keep in mind that, if an attacker gains access to your server, everything is vulnerable including not only your internal extension credentials but also your account names and passwords with all of your providers. Once they have those, they don’t need access to your server any longer. They can run up phone bills on your nickel using direct connections to your providers.

Believe it or not, there was actually a SIP exploit several years ago where the bad guys embedded some code in a SIP packet that crashed the server when anyone happened to look at the SIP entry in their call logs or CDR reports using a browser. And, before the crash, it relayed some of your most prized Asterisk secrets to the attacker. Remember, many Asterisk passwords are stored in plain text on your server. If you don’t believe it, try these commands after logging into your server and switching to the asterisk user (the user account that runs Asterisk and your Apache web server):1

su asterisk
cat /etc/asterisk/manager.conf
asterisk -rx "database show"
mysql -uroot -ppassw0rd asterisk -e "SELECT keyword,data FROM sip"

If that last one doesn’t scare the crap out of you, then Let Me Google That For You. The simple answer would have been to cleanse SIP headers before writing the contents to the logs. But the “purists” won that battle maintaining that such action would bastardize the call logs by failing to document everything in exactly the way it was received.

So much for security!

As long as we have very secure passwords for trunks and extensions, doesn’t Fail2Ban block hacking attacks after several unsuccessful login attempts? Unfortunately, that depends on the performance of your server and the one being used by the attacker. Remember, neither Asterisk nor the Linux kernel scans SIP traffic for malware. Fail2Ban operates on the data after the fact by scanning entries in your server logs for matching patterns which you define. And these entries are written to the logs only after Asterisk or your web server has processed the packets. If it turns out the attacker is using a gazillion-horsepower server in the cloud, then your poor little server never gets enough processing time with Linux to actually scan the Asterisk log for failed login attempts. What that means is the attacker can execute thousands, if not tens of thousands, of SIP attempts before Fail2Ban ever springs into action even when you’ve set the threshold for blocking an IP address to as few as three failed login attempts.
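To put numbers on that gap, here is an added example (not Fail2Ban's or Nerd Vittles' own code) that applies a maxretry/findtime rule to failed-registration log lines and counts how many attempts Asterisk has already processed by the time the ban takes effect. The log lines are constructed, and the `lag` parameter is an assumed stand-in for how far the log scanner runs behind on a starved server.

```python
"""Model of log-driven banning: what Asterisk processes before a ban lands."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# chan_sip failed-registration line; the optional [C-...] call id appears in newer logs.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? "
    r"chan_sip\.c: Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - .+$"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_failures(lines):
    """Yield (timestamp, source_ip) for every failed-registration line."""
    for line in lines:
        m = FAILED_REG.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")


def simulate_bans(lines, maxretry=3, findtime=600, lag=0):
    """Apply a maxretry-within-findtime rule, with the ban landing `lag` seconds late.

    Returns {ip: {"ban_effective", "attempts_processed", "attempts_total"}}.
    `lag` is a modelling assumption: seconds between the triggering log line
    being written and the firewall rule actually being inserted.
    """
    window = defaultdict(deque)   # sliding window of recent failures per IP
    seen = defaultdict(list)      # every failure timestamp per IP
    trigger = {}                  # ip -> (time threshold was hit, failures so far)
    for ts, ip in parse_failures(lines):
        seen[ip].append(ts)
        if ip in trigger:
            continue
        q = window[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            trigger[ip] = (ts, len(seen[ip]))

    report = {}
    for ip, (hit, count_at_hit) in trigger.items():
        effective = hit + timedelta(seconds=lag)
        # Everything logged before the rule lands was fully processed by Asterisk.
        processed = max(count_at_hit, sum(1 for t in seen[ip] if t < effective))
        report[ip] = {
            "ban_effective": effective,
            "attempts_processed": processed,
            "attempts_total": len(seen[ip]),
        }
    return report


def constructed_log(rate=50, seconds=10):
    """Constructed sample: one source guessing `rate` extensions per second,
    plus a legitimate phone that mistypes its password twice."""
    start = datetime(2013, 9, 2, 3, 0, 0)
    line = ("[{ts}] NOTICE[2211] chan_sip.c: Registration from "
            "'\"{ext}\" <sip:{ext}@203.0.113.10>' failed for '{src}' - Wrong password")
    lines = []
    for s in range(seconds):
        stamp = (start + timedelta(seconds=s)).strftime(TS_FORMAT)
        for i in range(rate):
            ext = 100 + (s * rate + i) % 900
            lines.append(line.format(ts=stamp, ext=ext, src="198.51.100.23:5071"))
    lines.insert(10, line.format(ts="2013-09-02 03:00:00", ext=701, src="192.0.2.44:5060"))
    lines.append(line.format(ts="2013-09-02 03:00:20", ext=701, src="192.0.2.44:5060"))
    lines.append("[2013-09-02 03:00:21] VERBOSE[2211] pbx.c: unrelated line, ignored")
    return lines


if __name__ == "__main__":
    log = constructed_log()
    for lag in (0, 5):
        for ip, r in simulate_bans(log, lag=lag).items():
            print(f"lag={lag}s {ip}: {r['attempts_processed']} of "
                  f"{r['attempts_total']} attempts processed before the ban")
```

With a threshold of three, a scanner that keeps up stops the source after 3 attempts; one that runs 5 seconds behind lets 250 through at this rate, which is why the firewall whitelist rather than Fail2Ban has to be the first line of defense.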

We want to stress that this isn’t a diatribe against the developers with regard to security. The point is some of the fundamental design choices made with regard to Asterisk and FreePBX do not lend themselves to safe deployment on a public-facing server without additional layers of security. In the case of PBX in a Flash™, it’s the reason we have implemented Apache-level security on the FreePBX web assets in addition to an IPtables firewall and Fail2Ban. For history lovers, keep in mind that, when Asterisk@Home and trixbox® were in their heyday, none of these safeguards were provided.

We’re going to postpone discussion of SIP encryption and SRTP because of its complexity. Suffice it to say, it’s just coming into its own with Asterisk 11, and it raises new problems of its own, e.g. finding compatible phones. You can try it out using our PBX in a Flash WebRTC Virtual Machine. And here is today’s must-read article on the subject.

What’s the bottom line with SIP exposure of your Asterisk server to the Internet? The short answer is DON’T especially if you’re new to the VoIP and Asterisk world. You’re simply asking for a $100,000 phone bill. Ma Bell & Friends don’t really care who makes calls on your nickel. And, remember, keeping your server behind a hardware-based firewall with no Internet port exposure does not affect your ability to make or receive calls using registered providers. That includes SIP, IAX2, Google Voice, and PSTN calls. It also doesn’t affect your ability to make free outbound SIP URI calls to anywhere in the world even with no provider registrations.

Safely Integrating SIP URIs into Asterisk

The long answer is there is a relatively safe way to implement SIP access to your server from the Internet. First, you can use registered trunks with reputable providers to provide SIP connectivity to your server. This includes PSTN calls to DIDs as well as SIP URI calls in many cases. Let the providers worry about SIP attacks while your server sits safely behind a hardware-based firewall with NO Internet port exposure! There are better tools than Asterisk to avoid SIP disasters and protect against malicious SIP attacks. You can protect yourself by keeping a minimal amount of money in your provider accounts with no automatic replenishment from a credit card. Second, for those that need to connect remote phones to your Asterisk server, you can use Firewall WhiteLists with IPtables to restrict access to only the good guys. Travelin’ Man 3 sets up WhiteLists for PBX in a Flash servers in a couple of minutes.

What you can’t do is rely upon BlackLists of IP addresses to keep the bad guys out. If you’ve ever played Whac-A-Mole, you can appreciate the difficulty of using BlackLists to secure your server. The bad guys can change their identity by simply using different IP addresses or by using the IP address of a compromised PC such as the one sitting in your grandma’s kitchen. In addition, the bad guys have become experts in inserting important (safe) IP addresses in BlackLists which, of course, is extremely problematic if one of those IP addresses happens to be one of your SIP providers.

The silver lining of Asterisk is the ability to make and receive free calls to and from anywhere in the world using SIP URIs. They look like email addresses, but SIP URIs actually connect calls via SIP between SIP servers and endpoints regardless of where they may be on the Internet. In the “old days,” advertising a SIP URI for inbound call access to your server meant exposing Asterisk to anonymous SIP traffic. Not any more! Simply sign up for a (pre-paid) account on VoIP.ms or a FREE account at either sip2sip.info or Anveo.com, follow one of our tutorials to register your account, and you’ll automatically have a free SIP URI for your Asterisk server. No Internet port exposure of your Asterisk server is ever required!

Instead of using some-account-number@atlanta.voip.ms or some-account-number@sip2sip.info as your SIP URI, most folks will prefer a SIP URI that matches your existing domain, if you happen to have one. This Nerd Vittles article will walk you through the process of converting your VoIP.ms or Sip2Sip URI into something more manageable: yourname@yourdomain.com. And, thanks to RentPBX, everyone is more than welcome to use the PBX in a Flash cloaking servers on the east and west coast to manage the SIP URI translation magic. If you happen to be (or would like to become) a PBX in a Flash Forum Guru, there’s another option. We’ll host your vanity SIP URI @pbxinaflash.com using your forum name. Just drop us a note on the forum for details. We’re always looking for subject matter experts on the forum. You don’t have to be an expert in everything, just one topic. If you qualify, please let us know and WELCOME!

Dialing SIP URI Calls with iNUM Using Any Telephone

We’ve saved the best for last again. The only problem with SIP URIs is how to dial them. Most phones don’t have a full keyboard. While you can certainly create a few Speed Dial (Custom) Extensions in FreePBX using sip/joe@schmo.com as the SIP URI dial string for the extension, this isn’t feasible on a bigger scale. What makes more sense is to actually use a phone number to connect the call. We previously have documented the iNum solution that’s available through a number of providers including VoIP.ms and LocalPhone. These calls used to be free with Google Voice until Google changed their mind. Now they’re 3¢ a minute. But they’re still free calls with most providers. The only real drawback is the length of the phone number. 883510009901997 is a little hard to remember, even to call Lenny. And, with RentPBX, you need a prefix of 011 to add insult to injury. But, hey, the calls are free to anywhere.

There’s a better way that actually uses your SIP URI to make the call. It’s John Todd’s brainchild, FreeNUM with ISN. As the image shows, ISN numbers are easy to remember and easy to dial. Instead of an @ symbol for email, you use an * symbol for you know what. And you still get Lenny! The trick to ISN dialing is that we pass a number such as 1234*1061 to a DNS server that knows how to translate the numeric sequence into a SIP URI that looks like this: 1234@pbxinaflash.com. It takes the number after the asterisk and resolves it to a fully-qualified domain name which is preconfigured at freenum.org. And the result is inter-domain numeric SIP addressing using ordinary telephone instruments.

The Asterisk setup using FreePBX is simple. The FreeNUM trunk should look like this:

The Outbound Route should look like this:

The dialplan context to tack on the end of /etc/asterisk/extensions_custom.conf looks like this:

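[freenum]
; Cap every call placed through this context at 3 hours (10800 seconds)
exten => _X.,1,Set(TIMEOUT(absolute)=10800)
exten => _X.,2,NoOp(Number to Call: ${EXTEN})
; Resolve the dialed ISN (e.g. 1234*1061) through the freenum.org lookup tree
exten => _X.,3,Set(isnresult=${ENUMLOOKUP(${EXTEN},sip,,1,freenum.org)})
; Empty result: jump to priority 6 (no-service message); otherwise dial at 5
exten => _X.,4,GotoIf($["${isnresult}"=""]?6:5)
exten => _X.,5,Dial(SIP/${isnresult},40,r)
exten => _X.,6,Background(ss-noservice)
exten => _X.,7,Congestion
exten => _X.,8,Hangup
; h = hangup, i = invalid entry, T = absolute timeout reached
exten => h,1,Hangup
exten => i,1,Hangup
exten => T,1,Hangup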

For those using Incredible PBX™, the good news is you already have it. Just pick up an extension on your system and dial 1234*1061 to give Lenny a piece of your mind. It works exactly like this SIP URI: sip/1234*1061@freenum.org. For everyone else, believe it or not, we’ve already written about this back when some of you still were in diapers. So read the article for all the details and ISN registration instructions. You will note that in more recent versions of Incredible PBX (including what we’ve shown above), the ** prefix for ISN calls has been eliminated. Now you can dial ISN calls just as described in the FreeNUM literature. We’ve also migrated our ISN domain from sip.pbxinaflash.com to pbxinaflash.com to simplify DNS administration. For PBX in a Flash Forum Gurus, we’ll be happy to set you up with your own free ISN number in the pbxinaflash.com domain as well.
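The ISN translation described above can be traced offline. The following is an added example, not code from Nerd Vittles or FreeNUM: it builds the DNS name queried for 1234*1061, applies a NAPTR regexp field to it, and accepts the result only if it is a plain user@host target. The NAPTR record and the function names are constructed for illustration.

```python
import re

FREENUM_ROOT = "freenum.org"  # lookup root named in the dialplan above

# Constructed sample answer (not a captured DNS response): NAPTR fields for
# ITAD 1061, which the article says maps to pbxinaflash.com.
SAMPLE_NAPTR = {
    "order": 100, "pref": 10, "flags": "u", "service": "E2U+sip",
    "regexp": r"!^\+*([^\*]*)!sip:\1@pbxinaflash.com!",
}

ISN_RE = re.compile(r"(\d{1,32})\*(\d{1,10})")
# Conservative allow-list for what may be handed on to a dial string.
SAFE_URI = re.compile(r"sip:([A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,253})")


def isn_query_name(isn, root=FREENUM_ROOT):
    """Return the DNS name queried for an ISN written subscriber*ITAD."""
    m = ISN_RE.fullmatch(isn)
    if m is None:
        raise ValueError("not an ISN (subscriber*ITAD): %r" % isn)
    subscriber, itad = m.groups()
    # Subscriber digits are reversed one per label; the ITAD stays whole.
    return ".".join(list(reversed(subscriber)) + [itad, root])


def apply_naptr_regexp(field, aus):
    """Apply a NAPTR regexp field (delim ERE delim repl delim flags) to aus.

    Python's re stands in for POSIX ERE here, which is close enough for
    this sample pattern. Returns None when the pattern does not match.
    """
    parts = field.split(field[0])
    if len(parts) != 4:
        raise ValueError("malformed NAPTR regexp field")
    _, ere, repl, flags = parts
    m = re.search(ere, aus, re.IGNORECASE if "i" in flags else 0)
    if m is None:
        return None
    # The result is the replacement string with \1..\9 filled in.
    return re.sub(r"\\([1-9])", lambda b: m.group(int(b.group(1))) or "", repl)


def resolve_isn(isn, naptr=SAMPLE_NAPTR):
    """Return (query name, user@host), or None if the answer is unusable."""
    qname = isn_query_name(isn)
    if naptr["flags"].lower() != "u" or naptr["service"].lower() != "e2u+sip":
        return None
    uri = apply_naptr_regexp(naptr["regexp"], isn)
    # The DNS answer is untrusted input: reject anything that is not a
    # plain sip:user@host before it reaches a dialplan variable.
    m = SAFE_URI.fullmatch(uri or "")
    return (qname, m.group(1)) if m else None


if __name__ == "__main__":
    print(resolve_isn("1234*1061"))
```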

Dialing SIP URI Calls with IPKall Using Any Telephone

There’s yet another option. With an IPKall DID from one of several Seattle area codes, you can interconnect your SIP URI with every PSTN phone in the world. And it’s free. Just make at least one inbound call a month, and the phone number is yours to keep. Here’s the easy way to do it. Just sign up for a free DID at www.ipkall.com. After choosing an area code for your free number, you’ll be prompted for the following information.

Here’s what you’d enter using your free Sip2Sip URI:

  • Phone Number: 323XXXXXXX
  • SIP Proxy: sip2sip.info
  • Email Address: your-email-address
  • Password: some-password-to-get-back-into-your-account

Here’s what you’d enter using your free Anveo SIP URI:

  • Phone Number: 1555ACCOUNTNUMBER
  • SIP Proxy: sip.anveo.com:5010
  • Email Address: your-email-address
  • Password: some-password-to-get-back-into-your-account

Once you’ve completed the form, submit it and wait for your new phone number to be delivered in your email. You should get it within a couple minutes so check your spam folder if you don’t see it. Congratulations! You’ve done everything you need to do for anyone to call you using either your SIP URI or your new DID from IPkall.

It’s worth noting that IPKall recycles DIDs that aren’t used for 30 days. If you use Incredible PBX, the easiest way to assure you don’t lose your number is to set up a weekly recurring Telephone Reminder that calls your IPkall number.

But How Do I Make VoIP Calls to Plain Old Telephones?

We’ve spent a lot of time on free SIP solutions for inbound calls, but inevitably you’re going to need a way to call Plain Old Telephones whether they be customers or friends and family. To make outbound calls or terminations in VoIP parlance, you’re going to need an account with a VoIP provider. If you’re in the United States, you still can get one or more free Google Voice accounts. These accounts let you make unlimited calls to anywhere in the U.S. and Canada. Both PBX in a Flash and Incredible PBX come preconfigured to support Google Voice calling. The scuttlebutt is this may be the last year of the free ride so it’s probably a good idea to try some other alternatives. It’s a good idea anyway because Google has made an art form of “improving” things and breaking VoIP calling periodically. Here’s our “Best of the Best” list of pay-by-the-minute VoIP providers for US48 calls. Lower cost providers are available to call some destinations, but the vendors below provide flat-rate per minute pricing to all US48 destinations. Trunks to support most of these providers also come preconfigured in Incredible PBX. With most of these providers, you set up an account and deposit a small pot of money. When you make calls, the cost of the call is debited from your account. When you run out of money, you can’t make any more calls. For the sake of redundancy, having multiple providers is a very good idea. It costs you nothing to have multiple providers until you actually make calls. Enjoy!

* Free iNUM DID and free worldwide iNUM calling. Tutorial here.


Don’t forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number.
 

 

Deals of the Week. There’s still an amazing deal on the street, but you’d better hurry. A new company called Copy.com is offering 20GB of free cloud storage with no restrictions on file size uploads (which are all too common with other free offers). Copy.com has free sync apps for Windows, Macs, and Linux systems. To take advantage of the offer, just click on our referral link here. We get 5GB of extra storage which will help avoid another PIAF Forum disaster.

Originally published: Monday, September 9, 2013




Need help with Asterisk? Visit the PBX in a Flash Forum.


 

We are pleased to once again be able to offer Nerd Vittles’ readers a 20% discount on registration to attend this year’s 10th Anniversary AstriCon in Atlanta. Here’s the Nerd Vittles Discount Code: AC13NERD.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


  1. On the Raspberry Pi platform, substitute “raspberry” for “passw0rd” in the MySQL example.

A Second Look at Grandstream’s UCM6100 Asterisk PBX & Some SIP Surprises

What a difference a couple months make! For those that are keeping an eye on the UCM6100 Asterisk® PBX from Grandstream, we wanted to provide some additional insights based upon two firmware updates that Grandstream has released since the PBX was first introduced earlier this summer. The short version of this story is Grandstream has addressed most of the open source issues and they’ve resolved well over a hundred bugs. In addition, they’ve published excellent documentation on the PBX in addition to a tutorial on how to interconnect the UCM6100 with other devices including FreePBX®-based Asterisk servers such as PBX in a Flash. So we are pleasantly surprised by Grandstream’s efforts to address many of the concerns that were raised by some of us in the open source community.

UPDATE: Here’s a newer Asterisk appliance for under $30.

Let’s talk about functionality. While the system is still closed in the sense that you can’t add your own Asterisk dialplan code, there’s a lot to like about an under $300 turnkey PBX platform that offers 2 FXO and 2 FXS ports plus most of the feature set you’d find in a $5,000 to $10,000 PBX. And, yes, it even does faxing. The device is especially appealing for organizations that have numerous satellite offices with minimal technical expertise on site. Did we mention you also can back up and restore or even clone multiple units in a matter of minutes using the web-based GUI and an SD card?

We’ve saved the best for last. The silver lining may very well be the functionality boost you’ll get from the addition of a $100 OBi202 device with a Bluetooth adapter.[1] This dynamic duo provides turnkey Google Voice support plus Bluetooth cellphone integration which means your cellphone becomes a transparent component in your PBX. When you’re in the office, calls to your cellphone can be managed through the PBX. When the Internet dies, outbound calls from users of the PBX can be routed out through your cellphone. And there’s support for up to three more SIP trunks from many of your favorite providers. Here’s a quick tutorial on how to integrate sip2sip.info and free SIP URIs.

If you glance up at the status screen shot, you’ll see that we have a SIP trunk registered to our primary PBX in a Flash server for transparent calling between extensions on both systems, a Google Voice trunk registered with the OBi202 for free calling in the U.S. and Canada, a second analog trunk registered to the Bluetooth port on the OBi202 to handle cellphone connectivity, a SIP extension registered to a Yealink T46G desktop SIP phone, and an analog extension registered to a collection of Panasonic analog (DECT) cordless phones. We have a Conference Room preconfigured and a Parking Lot to support 5 calls. In addition, there’s voicemail for each extension and an IVR setup (shown below) with virtually the same options you’d have with FreePBX. This is not some half-baked, crippled PBX. Mark Spencer & Co. developed the Asterisk-GUI which is what lies under the UCM6100 covers… and it shows.

Are we switching and dumping PBX in a Flash, Incredible PBX, and FreePBX? Of course not. But, having supported dozens of remote sites staffed with a handful of employees and no technical staff in a prior life, all I can say is this device would have been a godsend. It’s worth a careful look as a supplement to a full-featured central office Asterisk PBX.

Some SIP Surprises to Celebrate the End of Summer

Cloak & Dapper. If you like the clothes, then you’ll love this addition for your PBX. We’ve been exploring SIP URIs and free calling recently, and the one addition that many were clamoring for was an easy way to translate a SIP URI from sip2sip.info or voip.ms into an address using your own domain. By cloaking the address, your email and your “phone address” actually can match. So you can use joe@schmo.com for your email address and joe@schmo.com for your SIP URI as well. Unfortunately, DNS doesn’t speak SIP directly so it takes a little data manipulation to make this work. @w1ve, one of the PIAF resident gurus, actually discovered the sipcloak.org service in New Zealand. But, because of geographical limitations and the fact that it’s not open source, we preferred a home-grown solution. Thanks to the genius of Bill Simon, the magic of YATE, and the hosting generosity of RentPBX[2], we now have redundant SIP cloaking servers on the east and west coasts of the United States. To use the service, just add the following records to DNS substituting your own domain and user entries. Once installed, you can receive SIP URI calls using bert@schmo.com or ernie@schmo.com. The PHP source code customized for YATE is available on GitHub. Our extra special thanks to Bill, Diana, and Iman who made this possible!

_sip._udp.schmo.com. IN SRV 10 10 5060 east.pbxinaflash.com.
_sip._udp.schmo.com. IN SRV 10 10 5060 west.pbxinaflash.com.
sip-bert.schmo.com. IN TXT "123@sip2sip.info"
sip-ernie.schmo.com. IN TXT "456@sip2sip.info"
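How these four records combine to route a call to bert@schmo.com is sketched below as an added example; it is not the YATE/PHP code published on GitHub. It assumes the cloaking server looks up the TXT record named sip-<user>.<domain>, as the record names suggest, and the function names and validation patterns are illustrative.

```python
import re

# The four records from the article, embedded as sample zone data.
ZONE = """\
_sip._udp.schmo.com. IN SRV 10 10 5060 east.pbxinaflash.com.
_sip._udp.schmo.com. IN SRV 10 10 5060 west.pbxinaflash.com.
sip-bert.schmo.com. IN TXT "123@sip2sip.info"
sip-ernie.schmo.com. IN TXT "456@sip2sip.info"
"""

# No dots in the user part, so "sip-<user>" always stays a single DNS label
# (63 octets at most, 4 of them taken by the "sip-" prefix).
USER_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,58}")
# A TXT value must be a plain user@host before it is used as a call target.
TARGET_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,253}")


def parse_zone(text):
    """Split zone lines into SRV {name: [(prio, weight, port, host)]} and TXT."""
    srv, txt = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[1:3] == ["IN", "SRV"]:
            prio, weight, port = (int(x) for x in f[3:6])
            host = f[6].rstrip(".").lower()
            srv.setdefault(f[0].lower(), []).append((prio, weight, port, host))
        elif len(f) == 4 and f[1:3] == ["IN", "TXT"]:
            txt[f[0].lower()] = f[3].strip('"')
    return srv, txt


def cloak_lookup(address, srv, txt):
    """Resolve a vanity address to its cloaking servers and real SIP URI.

    Returns None for unknown users or malformed data, so a bad name never
    falls through to some default destination.
    """
    user, _, domain = address.lower().partition("@")
    if not USER_RE.fullmatch(user) or not domain:
        return None
    # Step 1 (caller side): SRV says which servers accept SIP for the domain.
    # Lowest priority first; real resolvers share load among equal
    # priorities by weight, so both entries are returned here.
    servers = sorted(srv.get("_sip._udp.%s." % domain, []))
    # Step 2 (cloaking server side): TXT holds the provider URI for the user.
    target = txt.get("sip-%s.%s." % (user, domain))
    if not servers or target is None or not TARGET_RE.fullmatch(target):
        return None
    return {"via": [(host, port) for _, _, port, host in servers],
            "target": "sip:" + target}


if __name__ == "__main__":
    srv_records, txt_records = parse_zone(ZONE)
    print(cloak_lookup("bert@schmo.com", srv_records, txt_records))
```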

Introducing SIP.US. We’re delighted to introduce a new SIP trunking provider and supporter for the PBX in a Flash project. While Vitelity[3] remains the perfect choice for those wanting stellar reliability and pay-as-you-go convenience at rock-bottom pricing, there are organizations that actually need dedicated SIP trunks with an unlimited calling option. And, of course, in the VoIP world, redundancy is a good thing. With today’s special offer for PBX in a Flash users, SIP.US finally hits the $20 magic price point that many of us have clamored for. They also have an incredibly simple and secure module for FreePBX that makes setup a breeze. Here are some of the other advantages the SIP.US service offers:

The signup process couldn’t be easier. Sign up at our link using the PIAF promo code. Choose a free DID and obtain your security PIN for the FreePBX module from SIP.US. Finally, download the SIP.US module for FreePBX to your desktop and install it using Module Admin. Activate the module and enter your security PIN when prompted. That’s it! SIP.US handles the rest of the FreePBX setup process automagically. Give them a try. We think you’ll be delighted.


Deals of the Week. There are a couple amazing deals on the street, but you’d better hurry. ObiHai has all of their telephone adapters on sale at Amazon this week. Click on the Obi110 link in the sidebar to check out the latest pricing. A new company called Copy.com is offering 20GB of free cloud storage with no restrictions on file size uploads (which are all too common with other free offers). Copy.com has free sync apps for Windows, Macs, and Linux systems. To take advantage of the offer, just click on our referral link here. We get 5GB of extra storage which will help avoid another PIAF Forum disaster.

Originally published: Tuesday, August 27, 2013





  1. Some of our purchase links refer users to Amazon when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from Amazon to help cover the costs of our blog. We never recommend particular products solely to generate Amazon commissions. However, when pricing is comparable or availability is favorable, we support Amazon because Amazon supports us.
  2. The $15 a month RentPBX hosting special for PBX in a Flash servers in the Cloud is still available through the link in the right sidebar of Nerd Vittles. Better hurry!
  3. Vitelity has been and remains a loyal financial backer of the Nerd Vittles and PBX in a Flash projects. We appreciate Vitelity’s continuing support and encourage all of our readers to try out their service with the special pricing included toward the end of this article.
