
Welcome to IP Country: A New Layer of Asterisk Security

[Image courtesy of fail2ban.org]

One of the problems with writing a blog like Nerd Vittles is it's more than double the work of your typical blog where a writer pontificates about something and then moves on. What makes Nerd Vittles a little different is that, with help from a number of very gifted developers, we actually create useful applications and then write about how to use them. So you get a bonus for the same low price: free! This obviously imposes some time constraints in order to get fresh material into your hot little hands every week.

This week we turn our attention to Asterisk Security again and unfortunately the Whole Enchilada is not yet ready. So today you get Chapter I of this topic with a comment that we're still mulling over some enhancements. When those pieces are finished or at least properly evaluated, we'll produce a sequel. Software houses spend years developing applications. And sometimes it takes us more than a week. :-)

Let's start with a few observations which should be quite obvious to those who have wrestled with VoIP or Asterisk for a while. Internet security is a bitch. And Asterisk security is much, much worse. When a few disgruntled people can bring Twitter to its knees because they're mad about some particular tweet or Twitter user, it tells you what we're all up against. Hate to say it but we can all thank Microsoft for years of security neglect that rendered the Windows operating system less than optimum in preventing the spread and deployment of BOTs. And the tools have gotten more dangerous as well. Strangers (our euphemism for these folks) write new software, too.

If you're using PBX in a Flash (and you really should be!), you know that we've devoted enormous resources to Asterisk security. Two years ago when PBX in a Flash was introduced, the majority of people using Asterisk still were using 1234 as the extension password on all or most of their extensions. A couple $100,000 phone bills and lots of public education, and that situation hopefully is behind us. Two years ago, no Asterisk aggregation included a firewall... except PBX in a Flash. Believe it or not, there were individuals running Asterisk servers on the public Internet with a default root password of password. That added more than a few more BOTs to the Internet kettle of fish. Then there were the brute force password hacks that hit Asterisk servers thousands of times per minute guessing passwords. Nothing stood in the way of these attacks until PBX in a Flash introduced Fail2Ban which automatically blacklisted IP addresses after a certain number of failed login attempts. We followed Fail2Ban with our Atomic Flash product which provided a turnkey Hamachi VPN implementation for rock-solid safe remote computing. And, of course, there was a one-minute Hamachi VPN install script for standard PBX in a Flash systems. No other aggregation has it to this day.

The purpose of the history lesson isn't to crow about PBX in a Flash although we're mighty proud of it. Rather we wanted to make you aware that precious little development effort is actually going into security while enormous resources are devoted to things such as Internet faxing, Skype, and Google Voice integration. We'll be the first to admit that we love the latest gee whiz gizmos as much as anybody. But come on. A handful of us who do this purely for fun somehow manage to turn out loads of security enhancements while huge, for-profit companies are devoting virtually zero resources to making Asterisk, SIP, and the VoIP community safer. SIP is about as secure as whispering at a movie theater. Google releases Google Voice with SIP access protected by a 4-digit password. :roll: That approach to security needs to change, or we're all going to wake up sorry one day soon. If this is preaching to the choir, then feel free to pass this article on to one of your brethren who has not yet seen the light! Start by reading our Primer on Asterisk Security.

If you have extremely secure passwords on your Asterisk extensions and trunks, and you have deployed a properly configured firewall with Fail2Ban to protect against brute force attacks, then you're ahead of the curve insofar as Asterisk security is concerned. But what we think is still missing is access restrictions based upon what the military calls a "need to know." Simply stated, it means folks shouldn't get access of any kind to your Asterisk server unless they have a need to be there. And, if we find someone there that doesn't belong, they should be kicked off and banned from further access.

So today we have a new security tool for your Asterisk toolbox: IP Country, country-based network filtering by IP address. In a nutshell, it means configuring your Asterisk server to dramatically reduce the number of IP addresses which can reach your server at all. If you receive anonymous SIP connections from all around the globe that you actually need or if you're attacked from a BOT running on grandma's Windows machine down the block, this may not work for you, but it's another tool in your quiver of arrows. For most servers, it has the potential to reduce the vulnerability from random outside threats substantially. It's taken a lot of research to come up with much of what follows, and we want to express our special thanks to Sandro Gauci and Joe Roper for their assistance. Some of this technology has been around for many years, but unfortunately it was expensive. So we also want to express our special appreciation to MaxMind for releasing their open source GeoLite Country database which is now free for downloading. That is the critical ingredient in much of what follows. So here's a word from our sponsor:

This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.

Scope of Protection. An obvious question is just exactly what are we trying to protect. In our view, it's several things. First, we don't want strangers logging in to extensions on our server and making free calls around the globe using pilfered or hacked passwords. We also don't want strangers using our extensions to masquerade as us for any other purpose. Second, we don't want strangers randomly calling our server using SIP URI's that they've dreamed up. And third, we don't want strangers accessing any other applications on our server including SSH and FTP as well as web and email services.

IP Country Design. As with other security features in Asterisk, FreePBX, and IPtables, our implementation of IP Country uses permit and deny access tables that consist of authorized and unauthorized ranges of IP addresses. There's also a table with the latest GeoLite Country information which is used as the data source for your permit table. When a connection to the server is made, the IP address is checked against the permit table of authorized addresses. If there's no match, we'll consider the connection a stranger. If there is a match, then we'll check the deny table to make certain this particular IP address hasn't been banned. Unless you alter all of our scripts, your system must be using the default MySQL account name of root with a password of passw0rd. As configured in PBX in a Flash, this is NOT a security risk since MySQL access is limited to your server, and your server requires root credentials to log in.

Today's Objective. To get everyone started, we're going to tackle the first two objectives today. The solutions offered should work fine on any FreePBX-based Asterisk system... even those that hide the existence of FreePBX.

For outgoing calls, we'll introduce a new script which runs periodically to examine the IP addresses attached to every SIP and IAX extension and trunk on your Asterisk server. If a stranger's IP address is identified (as explained above), we'll add an IPtables firewall rule to permanently block access to your server from this IP address. These rules are stored in /etc/sysconfig/iptables should you ever need to remove an IP address that has been blocked. You can adjust the script execution frequency based upon the thickness of your wallet. After all, it's your phone bill. This functionality is independent of the incoming call protection outlined below, so you can use either or both of the functions to meet your own requirements. For systems that use enormous numbers of SIP URI's for communications around the globe, you might choose to implement just this piece for extension and trunk IP Country protection without altering your incoming dialplan at all. Keep in mind that FreePBX now supports permit and deny IP address filters on extensions, something you really should be using even if you decide against implementing the IP Country security protection layer.

For incoming calls, we're going to modify FreePBX's existing Blacklist functionality to also look up the calling IP address in our IP Country permit and deny tables. If the IP address is authorized, the call will go through. Otherwise, the call will be treated just as if the caller's number were blacklisted. Be aware that incoming calls to one of your commercial DIDs may reflect the IP address of your provider since the caller may be calling from a Plain Old Telephone rather than an IP address. The existing Blacklist functionality can be used to block these unwanted callers. If you live in the United States, you'll probably also want to call 888-382-1222 and place your DIDs in the Do Not Call database. Just call from a phone using the CallerID of the number you wish to block.

Installing GeoLite Country. To get started, log into your server as root and issue the following commands:

cd /
wget http://bestof.nerdvittles.com/applications/ipcountry/ipcountry.tgz
tar zxvf ipcountry.tgz
rm ipcountry.tgz
cd /root/ipcountry
./nv-ipcountry

Once the nv-ipcountry script begins to run, it will download and install the GeoLite Country database into MySQL. You then will be asked whether to add countries to your permit table. Since your permit table is empty at this point, the answer should be yes. You'll then get a list of country codes. Choose the two-character country code desired and type it in UPPERCASE, e.g. US. If you want to add one or more additional countries, just rerun ./nv-ipcountry and do NOT initialize the permit table (which erases all of its contents).

New GeoLite Country databases are released every month or two so get used to the procedure. You'll be using it periodically to keep your list of IP addresses current. We'll cover the update procedure after we get you up and running.

Remember: If no IP addresses for any country are added to the permit table, you will not be able to make calls or register trunks with your providers! The only default entries added to the permit table are the non-routable, private IP address ranges, e.g. 192.168.0, etc. The geolite table is merely a data repository of the latest GeoLite Country database and has no effect on the daily operation of your system! You use it only as a data source for populating your permit table.

Testing IP Country. Before we actually turn anything on, we need to be sure we're not going to blow your Asterisk system out of the water! In short, we want to make sure that every extension that's supposed to be able to make a connection to your PBX still can. And we need to make sure all of your trunk registrations still are working. While you're still in the /root/ipcountry directory, issue the following command: ./test.sh. This script will display all of your SIP and IAX connections and then will tell you whether each connection will pass muster with IP Country security in place. Each IP address should display ok. If any of them show ko, you have a problem. This means that you have an extension or trunk with an IP address that is not included in your permit table. You can scan through the show peers listings in the display to figure out which providers or extensions are associated with any problem IP addresses. Be sure it's not a bad guy first. Then you have a couple of options. You can either manually add the IP address to the permit table as outlined below. Or you can add additional countries which include the missing IP address(es). To decipher the country of any problem IP address, go to this link and plug in the IP address. Once you've made entries in your permit table to cover all of your needed IP addresses, run the test script again just to be sure everything shows ok. Do NOT proceed until you get all ok's, and don't write us if you do.

Manually Adding IP Addresses to IP Country. We've provided a command-line utility which makes it easy to add IP addresses and address ranges to either the permit or deny tables of IP Country. Be very careful using this tool! There's limited error-checking which means it's easy to create a mess. You'll find iputility.php in the /root/ipcountry folder. Since all IP addresses are stored as integers, you can use it to merely discover the integer value of an IP address, or you can actually insert IP addresses into either the permit or deny tables. Here are a few examples to show how the utility works:

./iputility.php 156.130.20.10
Returns the integer value for this IP address; no database update
./iputility.php 156.130.20.10 156.130.20.255
Returns integer values for this IP address range; no database update
./iputility.php 156.130.20.10 deny
Adds this IP address to IP Country deny table
./iputility.php 156.130.20.10 156.130.20.255 permit
Adds this address range to IP Country permit table

A couple of points worth noting. First, all custom entries in your permit and deny tables using iputility will show a country code of AA. This makes them easy to find using phpMyAdmin if you make a mistake. Second, if you attempt to enter the same IP address range more than once, you'll get a database error since all entries in the tables must be unique. Third, remember that entries in the deny table take precedence over entries in the permit table. So, if the same IP address or address range is in both tables, access will be denied. The reason for this is to make it easy to exclude a few bad apples from a country that you might otherwise find unobjectionable. Finally, keep in mind that manual entries added to the permit table will have to be added again each time you initialize the table and insert new country IP codes after a GeoLite Country refresh. The deny table is unaffected by database refreshes. So make yourself a list of entries you manually insert into the permit table and keep it in a safe place for future reference.
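To make the design described under IP Country Design and the iputility.php behaviour above concrete, here is an added Python example that is not part of the project's PHP code. It uses an in-memory SQLite database as a stand-in for the MySQL tables; the table and column names (permit, deny, first_ip, last_ip, country) and the sample ranges are assumptions, not the project's schema. It shows addresses stored as integers, the default private ranges, the AA country code on manual entries, the unique-range constraint, and deny taking precedence over permit:

```python
"""Added example of the IP Country permit/deny scheme; not the project's code.
SQLite stands in for MySQL, and the schema below is an assumption."""
import ipaddress
import sqlite3

# Non-routable private ranges: the only entries the page says are added by default.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(ip):
    """IP Country stores addresses as integers so that ranges compare numerically."""
    return int(ipaddress.IPv4Address(ip))


def open_db():
    """Create empty permit and deny tables; each (first_ip, last_ip) pair must be unique."""
    db = sqlite3.connect(":memory:")
    for table in ("permit", "deny"):
        db.execute(
            f"CREATE TABLE {table} (first_ip INTEGER NOT NULL, last_ip INTEGER NOT NULL,"
            " country TEXT NOT NULL, UNIQUE (first_ip, last_ip))"
        )
    for net in PRIVATE_RANGES:
        n = ipaddress.ip_network(net)
        db.execute("INSERT INTO permit VALUES (?, ?, ?)",
                   (int(n.network_address), int(n.broadcast_address), "AA"))
    return db


def add_range(db, table, first, last=None, country="AA"):
    """Mirror iputility.php: one address or an inclusive range; manual entries get country AA."""
    if table not in ("permit", "deny"):
        raise ValueError("table must be 'permit' or 'deny'")
    lo, hi = ip_to_int(first), ip_to_int(last if last is not None else first)
    if lo > hi:
        raise ValueError("range start is above range end")
    try:
        db.execute(f"INSERT INTO {table} VALUES (?, ?, ?)", (lo, hi, country))
    except sqlite3.IntegrityError:
        # The page notes that entering the same range twice produces a database error.
        raise ValueError(f"{first}-{last or first} is already in the {table} table")


def is_stranger(db, ip):
    """Deny wins over permit; an address found in neither table is a stranger."""
    n = ip_to_int(ip)
    query = "SELECT 1 FROM {} WHERE ? BETWEEN first_ip AND last_ip LIMIT 1"
    if db.execute(query.format("deny"), (n,)).fetchone():
        return True
    return db.execute(query.format("permit"), (n,)).fetchone() is None


def demo():
    """Constructed sample: one permitted block with a single banned address inside it."""
    db = open_db()
    add_range(db, "permit", "156.130.20.10", "156.130.20.255")
    add_range(db, "deny", "156.130.20.100")
    return {
        "192.168.1.50": is_stranger(db, "192.168.1.50"),      # private range: permitted
        "156.130.20.50": is_stranger(db, "156.130.20.50"),    # inside the permitted block
        "156.130.20.100": is_stranger(db, "156.130.20.100"),  # denied despite the permit entry
        "156.130.21.1": is_stranger(db, "156.130.21.1"),      # in neither table
    }


if __name__ == "__main__":
    for ip, stranger in demo().items():
        print(ip, "stranger" if stranger else "ok")
```

Because the lookup runs the deny query first, a single denied address inside an otherwise permitted country block is rejected without touching the permit entry, which is exactly the "few bad apples" case described above.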

Activating the IP Address Checker. In the /root/ipcountry directory, you'll find the script that we'll use to check your system periodically to be sure all of the extensions and trunks are registered at permitted IP addresses. To run the script manually, log into your server as root and type: /root/ipcountry/ip-checker.sh. When you run it, you shouldn't see any modifications to IPtables, just a string of ok's. So now we want to add the script as a cron job that will be run periodically to watch your system. Edit /etc/crontab and insert the following line at the bottom of the file:

*/1 * * * * /root/ipcountry/ip-checker.sh > /dev/null

*/1 means run the script once a minute, all day and night, every day. */5 means every 5 minutes. You make the call on how safe you'd like your system to be. If you'd like to receive an email or text message every time an IP address is blocked by ip-checker.sh, just edit the filecheck.php script, uncomment the two lines that begin with // and replace yourname@gmail.com with your email or text message address.

WARNING: For ip-checker.sh to work properly with IPtables, there are a couple of prerequisites. First, IPtables must be running on your system with the iptables file located in /etc/sysconfig. Second, your IPtables setup must include an SSH permit rule that looks like this:

-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT

We use this rule as a place finder to determine where to insert new rules to block stranger's IP addresses. If you don't have the above rule, filecheck.php (used by ip-checker.sh) won't be able to insert new rules. So you'll need to manually edit filecheck.php to provide a "hook" that can be used to insert rules into your iptables file. PBX in a Flash systems come preconfigured to support this. With other aggregations, YMMV!
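The following added Python example (not the project's test.sh, ip-checker.sh or filecheck.php) shows the two halves of the checker described in the Testing and Activating sections above: classifying each peer's address as ok or ko against a permit list, and inserting DROP rules for strangers into an iptables-save style file using the SSH ACCEPT rule as the hook. The peer listing, the iptables file and the permit list are constructed; placing new rules immediately before the hook is an assumption about where the project inserts them, and the example refuses to touch the file when the hook is missing:

```python
"""Added example of a peer checker with an iptables insertion hook; not the project's code.
Sample data below is constructed from documentation address ranges."""
import ipaddress
import re

# Constructed sample of `sip show peers` output.
SAMPLE_PEERS = """\
Name/username      Host             Dyn Nat ACL Port     Status
701/701            192.168.1.20      D       5060     OK (12 ms)
702/702            203.0.113.77      D       5060     OK (40 ms)
trunk-inbound      198.51.100.9              5060     Unmonitored
"""

# Constructed iptables-save style file containing the hook rule quoted on the page.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
"""

# Stand-in for the permit table: the private range plus one constructed provider block.
PERMIT = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "198.51.100.0/24")]

HOOK = "-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT"
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_peer_ips(peers_output):
    """Pull the Host column out of every peer line (header line skipped)."""
    ips = []
    for line in peers_output.splitlines()[1:]:
        match = IPV4.search(line)
        if match:
            ips.append(match.group(1))
    return ips


def check_peers(peers_output, permit=PERMIT):
    """Return {ip: 'ok' | 'ko'}, the verdict test.sh prints per connection."""
    verdicts = {}
    for ip in extract_peer_ips(peers_output):
        addr = ipaddress.ip_address(ip)
        verdicts[ip] = "ok" if any(addr in net for net in permit) else "ko"
    return verdicts


def drop_rule(ip):
    return f"-A INPUT -s {ip} -j DROP"


def insert_block_rules(iptables_text, stranger_ips):
    """Insert one DROP rule per stranger before the SSH hook; refuse to edit if the hook is absent."""
    lines = iptables_text.splitlines()
    if HOOK not in lines:
        raise RuntimeError("SSH accept hook not found; iptables file left untouched")
    idx = lines.index(HOOK)
    new_rules = [drop_rule(ip) for ip in stranger_ips if drop_rule(ip) not in lines]
    lines[idx:idx] = new_rules  # rules already present are skipped, so repeated runs are harmless
    return "\n".join(lines) + "\n"


def run_checker(peers_output=SAMPLE_PEERS, iptables_text=SAMPLE_IPTABLES):
    """One checker pass: per-peer verdicts, the stranger list, and the rewritten iptables file."""
    verdicts = check_peers(peers_output)
    strangers = [ip for ip, verdict in verdicts.items() if verdict == "ko"]
    return verdicts, strangers, insert_block_rules(iptables_text, strangers)


if __name__ == "__main__":
    verdicts, strangers, new_file = run_checker()
    for ip, verdict in verdicts.items():
        print(ip, verdict)
    print(new_file)
```

Running the check first in report-only mode (the verdict dictionary) and only then writing rules mirrors the page's advice to get all ok's from test.sh before letting the cron job loose, and the missing-hook guard is the situation described for non-PBX-in-a-Flash systems.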

Activating the Incoming Call Checker. To screen incoming calls using your IP Country permit and deny tables, the setup is straightforward assuming you are running the latest version of FreePBX 2.5. We're going to adjust the Blacklist context to also perform IP address lookups from IP Country when new calls arrive on your PBX. Just log into your server as root and add the following lines to the bottom of the extensions_override_freepbx.conf file in /etc/asterisk:

[app-blacklist-check]
include => app-blacklist-check-custom
exten => s,1,LookupBlacklist()
exten => s,n,GotoIf($["${LOOKUPBLSTATUS}"="FOUND"]?blacklisted)
exten => s,n,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
exten => s,n,GotoIf($["${TESTAT}" != ""]?hasat)
exten => s,n,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
exten => s,n,Goto(gotip)
exten => s,n(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
exten => s,n(gotip),NoOp(Gateway IP is ${FROM_IP})
exten => s,n,NoOp(IP Country Lookup in Progress...)
; put authorized special calls like sipgate's Google Voice ringbacks below
exten => s,n,GotoIf($["${FROM_IP}"="sipgate.com"]?keepon)
exten => s,n,AGI(nv-ipcountry.php|${FROM_IP})
exten => s,n,GotoIf($["${STRANGER}"="true"]?blacklisted)
exten => s,n(keepon),NoOp(** AUTHORIZED CALLER **)
exten => s,n,Return()
exten => s,n(blacklisted),Answer
exten => s,n,Wait(1)
exten => s,n,Zapateller()
exten => s,n,Playback(ss-noservice)
exten => s,n,Hangup

Make sure you remove the line-wrap in the s,n(hasat) line and any others that may have wrapped in the display above! Then save the file and reload your Asterisk dialplan: asterisk -rx "dialplan reload". You're all set! If you'd like email notices when a stranger calls and is blacklisted, edit nv-ipcountry.php in /var/lib/asterisk/agi-bin. Plug in your actual email address in the $email variable and set $emailalerts = 1.
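To check what the CUT() chain in the dialplan above actually extracts, here is an added Python example that is not from the page or the project. It mirrors the two From-header shapes the dialplan handles (with and without a user part before the @) and the same order of checks: the authorized special host first, then the permit lookup. The sample headers and the permit list are constructed; the AGI lookup is replaced by a simple network list. Note that the From header is whatever the calling endpoint or upstream provider placed in it, which is why the page warns that calls via a commercial DID will show the provider's address:

```python
"""Added example mirroring the dialplan's From-header parsing; not the project's AGI script.
Sample headers and the permit list below are constructed."""
import ipaddress

# Stand-in for the IP Country permit table and the dialplan's authorized special hosts.
PERMIT = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "198.51.100.0/24")]
SPECIAL_HOSTS = {"sipgate.com"}


def cut(text, delim, field):
    """Asterisk CUT(): 1-based field number, empty string when the field does not exist."""
    parts = text.split(delim)
    return parts[field - 1] if len(parts) >= field else ""


def from_ip(from_header):
    """Reproduce the dialplan: branch on whether anything follows the '@'."""
    testat = cut(from_header, "@", 2)
    if testat != "":
        # hasat branch: text after '@', before '>', before ':'
        return cut(cut(testat, ">", 1), ":", 1)
    # no-user branch: text before '>', second ':'-separated field
    return cut(cut(from_header, ">", 1), ":", 2)


def screen_call(from_header, permit=PERMIT, special_hosts=SPECIAL_HOSTS):
    """Return 'authorized' or 'blacklisted' following the dialplan's order of checks."""
    host = from_ip(from_header)
    if host in special_hosts:
        return "authorized"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "blacklisted"  # a hostname cannot be looked up in an IP range table
    stranger = not any(addr in net for net in permit)
    return "blacklisted" if stranger else "authorized"


if __name__ == "__main__":
    for header in ('"Bob" <sip:1234@203.0.113.5:5060>;tag=abc',
                   "<sip:198.51.100.9:5060>",
                   "<sip:1234@sipgate.com>;tag=1"):
        print(from_ip(header), screen_call(header))
```

The cut() helper returns an empty string for a missing field, just as CUT() does, which is what makes the TESTAT test in the dialplan work as a branch on the presence of an @.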

Housekeeping 101. As we mentioned above, the pool and location of IP addresses continues to change so periodic updates are necessary, or you'll end up blocking calls that otherwise should be permitted. MaxMind updates GeoLite Country on the first day of every month so add it to your TO-DO list. We strongly recommend that you perform these steps through an SSH connection from a remote PC. Why? Because, if you forget step 1 while logged directly into your server, you could inadvertently lock yourself out of your own system if the ip-checker script happens to run while your permit table is empty. If you do it from a remote machine, you can simply move to another machine and follow these instructions properly. Otherwise, you've got a serious problem on your main server. If this server provides phones to your business, do the update when the server is idle. So here's the drill:

  1. Comment out the ip-checker.sh /etc/crontab entry
  2. Download new GeoLite Country database from MaxMind
  3. Initialize the ipcountry.permit table
  4. Add authorized countries back into ipcountry.permit table
  5. Add back any custom entries to permit table
  6. Test your IP Country system to make sure you get all ok's
  7. Reactivate ip-checker.sh in /etc/crontab

1. Log into your server as root. To comment out the ip-checker.sh line in /etc/crontab, just add # as the first character on the line and save the file.

2. Change to the /root/ipcountry directory and run ./nv-GeoIPrefresh.

3. While still in the /root/ipcountry directory, run ./nv-ipcountry and choose 1-Yes to initialize your ipcountry.permit table.

4. Continue running or rerun ./nv-ipcountry to add each desired country to your ipcountry.permit table.

5. Run ./iputility.php to add custom IP address entries to your ipcountry.permit table. You do NOT need to reenter addresses in the deny table. It is unaffected by this update procedure.

6. Test your system again to make sure all extensions and trunks get an ok by running ./test.sh.

7. Edit /etc/crontab and remove the # at the beginning of the ip-checker.sh line and save the file.

What's Next. We're still exploring another possibility with IP Country, and that is integrating GeoLite Country directly into IPtables. This would validate every packet coming into your firewall using IP Country-like rules in IPtables. If you want to look at how it could be done, see this excellent writeup. Well, not so fast. Unfortunately, it won't compile under CentOS 5.2. Here's a link to the problem code if there are any Linux gurus in the house. Our reluctance in doing this has to do with performance. Keep in mind that, without stateful packet inspection, every single packet coming into your server would presumably trigger a database lookup. On a busy telephony system generating hundreds of thousands of packets per second, it would take a beast of a server with sufficient memory to cache the entire IP Country database in order to handle the processing load. So now we've got to either learn about or find an expert on the IPtables State Machine. If anyone wants to experiment, please share your expertise with the rest of us. There's a Google Voice invite in it for you, too.

If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what's happening. It's a terrific resource both for us and for you.

Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.

New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won't get the special pricing! After the free hour of outbound calling, Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.

Some Recent Nerd Vittles Articles of Interest...

Some Summertime Distractions for Asterisk Lovers


In addition to Spoleto and the Bridge Run, Charleston has many great traditions, one of which is a prompt transition from a rainy, cold winter into sweltering summer. We got a very long spring break this year, but now we’re paying for it. After spending a couple weeks on Balsam Mountain, it was nothing short of culture shock driving back into Charleston last night. But we’re glad to be home. And this week, we celebrate summer with a list of some of our favorite vacation discoveries that didn’t involve snakes and bears. Some are related to Asterisk, and some aren’t. So here goes.

Streaming Video with Roku. If you haven’t figured out why Time Warner and Comcast have been pushing for Internet bandwidth caps, here’s a hint. Streaming video not only is killing their pipes, but more importantly (to them) it’s killing their pay-per-view and HBO/Showtime monopolies. If you enjoy (or can even remember) great television and movies without thousands of commercials, then we’ve got two discoveries that will make your summer! The first one is Roku, a little $100 device about the size and weight of a couple packs of cigarettes. You plug it into your TV and the Internet, pop the popcorn, and you’re ready for some fun. With an $8.95 Netflix subscription (which buys you one-at-a-time DVD rentals by mail), you also get unlimited movies streamed to your Roku device. It’s not their entire catalog, but it’s a substantial subset including most of the Starz catalog. The Roku player supports composite, S-video, component, and HDMI video connections as well as stereo and optical audio. A new addition allows the rental or purchase of first-run movies from Amazon (at Blockbuster prices). More offerings are promised for later this summer. Can Hulu be far behind? If you’ve been holding off purchasing a Blu-Ray player, then here’s another option. LG’s new $200 BD370 Blu-Ray Disc Player incorporates this same technology in addition to YouTube access. We haven’t used the BD370 yet, but we sure do want one.

Cellphones for Preteens. We laughed at our friends from Naples, Florida last summer when they were lamenting the fact that every child in their daughter’s second grade class had a cellphone except for theirs. They swore that they wouldn’t give in. That lasted until Christmas when the shiny new LG Xenon appeared. Chuckling all the way to spring, we recently met the same fate with the Samsung A767 Propel after our 9-year-old raised over $300 selling all of her old toys at the neighborhood yard sale. Bottom line: All the kids are going to have them by the time they turn 10. And with the family plans available from a number of providers, the costs are no longer prohibitive for most of us. You might as well get them trained to use cellphones responsibly while they’re young. Trust me. It’s a lot more difficult once they hit high school or college and know everything. There is a difference between adult and kid usage of cellphones. They rarely make a call. But you’ll want an unlimited texting plan. And none of the kids want an iPhone. They much prefer one of the newer phones that includes a full keyboard for texting. Apple, are you listening?

If you go down this road with the rest of us that swore we wouldn’t do it, demand two things: (1) that your kids not use cellphones while driving and (2) that they not hold cellphones up to their ears while making calls. The jury is still out on whether cellphone usage leads to brain tumors. But it seems pretty obvious when you review the research provided by organizations not funded by the cellphone industry. Remember the tobacco companies swore that cigarettes were safe for decades, and they paid good money for authoritative-sounding research to back them up. Read this. And watch this. Then decide whether you want to gamble with the lives of your children. Better safe than sorry.

Deals, Deals, and More Deals. If you always shop for technology purchases at the same few stores, then send us a check for all the money we’re about to save you. There’s a green eBates coupon in the right pane just below that will usually save you 1-5% on all your technology and clothing purchases and just about anything else. It costs nothing to use it, and you’ll get $5 just for signing up. So do we. :-) To go with those savings, there are some bargain web sites that you won’t want to miss. Our old favorite is TechBargains, but there’s also a new kid on the block, DealNews. Check ‘em out. You’ll find something you just can’t live without… at bargain basement prices.

SMS Messaging with Asterisk. We’ve always lamented the fact that Asterisk had no built in SMS messaging capability. This is primarily because the cellphone providers keep a fairly tight lock on the SMS business since it’s their Cash Cow. There is a simple solution actually.

Virtually all of the cellphone providers have an Email-to-SMS gateway that can be used for sending SMS messages to their customers. For example, to send a message to a cellphone subscriber on the AT&T network, you just send an email message to 6781234567@txt.att.net. Click here for a complete list of the email gateway addresses.

That got us to thinking how simple it really would be to create a bash script that delivered the same message to every provider used by your friends. Who cares if all but one of the messages goes in the bit bucket. Your SMS message still will get delivered. For example, in the United States, if you’ve covered AT&T, Verizon, Alltel, Sprint, T-Mobile, US Cellular, Cricket, and Nextel, that pretty much gets 99% of the cellphones. If there’s a service that we’ve left out that you really need, just add another line to the bash script with the domain of that carrier.

So, log into your server as root and create a bash script named sms.sh that looks like the following: nano -w sms.sh


#!/bin/bash

# Script for sending SMS messages via the carriers' Email-to-SMS gateways
# For additional cell carriers, see:
# http://en.wikipedia.org/wiki/List_of_carriers_providing_Email_or_Web_to_SMS

msg="Just testing the new SMS batch script."
subj="SMS Message"
num2call="8431234567"

# The same message goes to every carrier gateway; only the right one will deliver it
echo "$msg" | mail -s "$subj" $num2call@message.alltel.com
echo "$msg" | mail -s "$subj" $num2call@txt.att.net
echo "$msg" | mail -s "$subj" $num2call@sms.mycricket.com
echo "$msg" | mail -s "$subj" $num2call@messaging.nextel.com
echo "$msg" | mail -s "$subj" $num2call@messaging.sprintpcs.com
echo "$msg" | mail -s "$subj" $num2call@tmomail.net
echo "$msg" | mail -s "$subj" $num2call@email.uscc.net
echo "$msg" | mail -s "$subj" $num2call@vtext.com

Fill in the msg, subj, and num2call fields. Press Ctl-X, Y, then Enter to save your file. Then make it executable: chmod +x sms.sh. Now give it a try: ./sms.sh

You can alter the sender address for your emails from the default of root by inserting an entry like the following in /etc/mail/genericstable: root    joeschmo@gmail.com. Then restart SendMail: service sendmail restart.

Micro$oft Bing. I have to admit that I’ve always had a soft spot for Microsoft. They came from humble beginnings and outsmarted almost everybody during the 80’s and 90’s… until Google entered the picture and did much the same thing to them. You’ve also got to hand it to Microsoft. They may not get it right the first, or second, or third time. But they don’t give up. And their reincarnated search engine, Bing, is worth a look. It includes an Explorer Pane that categorizes search results in a left panel that is customized to your search query. There’s also a Quick Preview providing website popups. The theory is to give you a sneak peak at a particular site to see if it’s what you’re looking for. As with many Microsoft creations, it’s just too slow at the moment to be of much value. Good idea. Not so good implementation.

A good bit already has been written about Bing’s picture and video search capabilities. Suffice it to say, once they tamed the content, it’s worth a look. Actually, it was worth a look even before they tamed the content. :-) But give Microsoft credit, they quickly recognized that there needs to be a way to make the web accessible to younger children and students without exposing them to an endless stream of pornography. What happened to the good old days of reading National Geographic to find all that stuff?

Microsoft’s Farecast technology also is interesting. It brings new, smart tools to the process of purchasing airline and hotel accommodations. Much of this toolkit was acquired by Microsoft, but it’s pretty slick. The downside of Bing, when compared to Google, is that there seems to be a tilt toward Microsoft content in results. And there still is a lot of drill-down (aka Windows) to find exactly what you’re looking for. Both are deeply rooted in the Microsoft psyche so I doubt it’ll ever go away. But have a look anyway. It’s an interesting, new product to at least have in your search toolkit.

Let There Be Music. All-you-can-eat streaming music plans have been around for a while. But there’s never been anything quite like the new Napster service from Best Buy. $5 a month for access to 7 million songs on either your PC or a Sonos sound system is just too good to pass up. We’ve previously written about this so we won’t repeat it all here. Have a look at the article if you’re a music addict. And, if streaming DRM’d music isn’t your thing, check out this PC Mag article on Virgin Media’s new offering. It will let you download an unlimited number of MP3’s from Universal’s entire music catalog for about $20 a month. Unbelievable!

People Tracking. If you glance over to the right margin, you’ll get a good sample of Google’s Latitude offering that pinpoints your location on a Google map using GPS data from your cellphone. AT&T offers something similar for “only” $10-$15 a month. This data can be either the location of the nearest cellphone tower or, if your phone is GPS-enabled, it can be the actual GPS coordinates of your phone. There are obviously privacy issues that need to be weighed, and Google has carefully addressed most of those issues. You can restrict access to select friends, or just family, or no one at all. In coming months, we’re going to build something similar with Google Maps to display a map with the default location of incoming calls on certain color SIP phones. Stay tuned. In the meantime, feel free to monitor our summer vacation as we move from Charleston, to the beach, and back to the mountains. Not too exciting, but it may give you some ideas for future uses of this technology. For those of you with young daughters, think of it as LoJack for Parents!

Footnote: Uh, oh. Google.everything just died. 8:30 a.m., June 16. Bad way to start your day. Good time to check out Bing. :-)

Hurricane Tracking. If hurricanes are a part of your everyday life and you haven’t visited Stormpulse.com yet, you’re missing the ultimate storm tracking site on the net. Not only do they provide up-to-the-minute predictions from all of the world’s best sources, but you also get map overlays showing virtually anything you’d ever want to know that’s weather-related. Unbelievably good! And, for a ringside seat, visit our own Pawleys Island WebCam. We’ll wave to you later this week.

Promising New Asterisk Appliance. Every now and then we read an article about a new Asterisk appliance that really shows some promise. So it is with Michael Graves’ recent writeup of Jazinga, a $1095 Asterisk appliance that does just about anything and everything a small business would ever need in a phone system using a simple but intuitive web interface. Have a look. We think you’ll agree. Very slick, indeed. Only wish it were $595 instead of $1095.

Some Great Blogs. And, speaking of blogs, there are some other telephony blogs in addition to Graves on SOHO VoIP that are worth a look from time to time. Here’s another Baker’s Dozen of our favorites in no particular order:

FreeNum Dialing System. Another new project worth a careful look is FreeNum. Taking a page from Nextel, FreeNum lets you make SIP calls from ordinary telephones after registering your organization. The format of a FreeNum dial string looks like 1234*567 where your extension is 1234 and your ITAD (Internet Telephony Administrative Domain) number is 567. FreeNUM relies upon DNS and, as such, is perfectly suited for transparent use over the Internet. In coming weeks, we’ll have more to say about FreeNUM including a methodology for letting all PBX in a Flash systems register with a shared ITAD for transparent communications worldwide. Here’s the article.

Twitter. The entire planet is aflutter with Twitter. We finally bit the bullet, and we’d be the first to admit that Twitter fills an important gap in today’s Internet-centric 21st century world. Not only does it provide instantaneous searches of very current content, it’s also quite useful as a micro-blogging tool if you like to keep current on technology happenings without always waiting for full-blown articles to appear. Many of the topics in this article were first introduced to Twitter users over the last few weeks. So there’s much more to Twitter than periodic reports of individuals’ bathroom and sleeping habits. You can get a sampling by reviewing our Twitter entries in the right pane of this blog. And there are literally hundreds of Twitter clients to meet your every need. Here’s a link to a great Twitter FAQ. Then give Twitter a try if you haven’t already. NerdUno is looking forward to hearing from you.

Wordle.net. We’ve mentioned Wordle before, but no article on Internet fun would be complete without at least a passing reference. The way Wordle works is that you pass it some text. It then rearranges the words in a hierarchical order that exposes the word usage count of the various words in the text it examined. You can see an example below which took the subject matter from the PBX in a Flash Help Forum and passed it through Wordle. You’ll note that “Resolved” is just about the same size as “problem” and “question.” That actually speaks volumes about the quality of our forum. Give it a try. We think you’ll agree. We’ve done some other samples to give you some ideas: the Gettysburg Address, the Declaration of Independence, and MLK’s I Have A Dream speech. Try a few of your own. It’s a summertime blast. Enjoy!



Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Cloud Computing 101: Using Amazon’s S3 (Simple Storage Service) for Off-Site Asterisk Backups


When we began the PBX in a Flash project, one of our key design requirements to distinguish our product from other Asterisk aggregations was to include an automated, rock-solid reliable, backup solution that backed up not only Asterisk but your entire server in a way that could be restored painlessly without manually reinstalling the initial PBX in a Flash image. After almost a year in production, PBX in a Flash remains the only distribution with a complete backup solution. In the Orgasmatron builds of PBX in a Flash, we've gone a step further. Automated weekly backups to a flash drive are preconfigured. All it takes to get started is a $15 flash drive. Insert the stick and run the usbformat.sh script. Thereafter, a full backup is run each Sunday night, and the self-booting ISO images are conveniently placed on the flash drive for easy restoration of your entire system should the need ever arise.

We appreciate, however, that others running Asterisk and FreePBX need backup solutions as well. And, while today's tutorial won't get you a full system backup which is comparable to what's available on PBX in a Flash systems, what it will do is provide an automated off-site backup storage solution for all of your critical FreePBX data for pennies a day. Beginning last year, FreePBX started offering a backup solution for FreePBX data as an integral part of the FreePBX web interface. The FreePBX solution lets you define a schedule for backing up your voicemail, system recordings, system configuration, CDR, and operator panel. What the restore process won't do is put Humpty back together again without first reinstalling your operating system and Asterisk environment. For those using PBX in a Flash, you've got the best of all worlds with these two backup solutions. For everyone else, the FreePBX backup alternative is certainly better than nothing. It also is a terrific tool for moving from one distribution to another (hint!) or to a new server environment. So long as the versions of FreePBX on both systems match, users have reported excellent results.

In addition to the need to recreate your server environment from scratch, there's an additional problem with the FreePBX backup solution. It gets stored on the same drive as your Asterisk server. That works great until your hard disk dies or your house catches on fire. Backups are written to /var/lib/asterisk/backups and placed in subdirectories matching the Schedule Name you assign to the backup procedure. For reasons which will become obvious, it's a good idea to name your schedules without any spaces in the name, e.g. DailyBackup. The only thing we've really found missing in the FreePBX solution is an off-site storage option to protect you in the event of a catastrophe.

A Picture Is Worth A Thousand Words. We recently were reminded of the importance of off-site storage when a neighbor's house caught fire in the middle of the night. Fortunately, the entire family escaped without injury. But all of the contents of the home were destroyed either by the fire or by the water used to put out the fire. After being awakened by a neighbor in the middle of the night, there was less than 5 minutes to extract mom and dad and four young children from the house before it was totally engulfed in flames. Moving computers out of harm's way most assuredly was the furthest thing from their minds. Enter: Amazon S3 aka Cloud Storage. A recent InformationWeek poll found that "storage--including archiving and disaster recovery--was cited as the service category most likely to be outsourced to the cloud, ahead even of business applications."

If this is all news to you, here's a quick thumbnail on Amazon S3 from the Wikipedia:

"Amazon S3 (Simple Storage Service) is an online storage web service offered by Amazon Web Services. Amazon S3 provides unlimited storage through a simple web services interface. Amazon launched S3, its first publicly-available web service, in the United States in March 2006 and in Europe in November 2007. Since its inception, Amazon has charged end users $0.15 per gigabyte-month, with additional charges for bandwidth used in sending and receiving data. As of November 1, 2008, pricing will move to tiers where end users storing more than 50 terabytes per month will receive discounted pricing. Amazon claims that S3 uses the same scalable storage infrastructure that Amazon.com uses to run its own global e-commerce network. Amazon S3 is reported to store more than 29 billion objects as of October 2008. This is up from 14 billion objects as of January 2008, and from 10 billion in October 2007. S3 uses include web hosting, image hosting, and a back-up system. S3 comes with no guarantee that customer data will not be lost."

To give you some idea of pricing, our current FreePBX daily backups are roughly 50 megabytes in size. A new PBX in a Flash install yields a 20MB FreePBX backup. Using a cable modem connection, uploading our 50MB daily backup to Amazon S3 takes about 5 minutes and costs 2¢. Storage of a full month's worth of rotating backups would add another quarter to the monthly cost. Thus, the tab to upload and store 30 backups a month runs less than one dollar, pretty cheap insurance by any measure. And, unless you tinker with your system as much as we do, daily backups probably are overkill. The tab for weekly uploads and storage on Amazon S3 would run less than 25¢ a month assuming you remove all but the last five backups from S3 in each subsequent month. So... what are you waiting for?

Configuring Weekly Backups with FreePBX. The first step is to set up the automated backup process in FreePBX. Using a browser, open FreePBX and choose Tools, Backup & Restore. Click Add Backup Schedule and name the schedule WeeklyBackup. Select all of the radio buttons to backup everything possible with FreePBX. For the time of the backups, leave the Follow Schedule Below option selected. Choose a time for the backup by clicking on the appropriate settings. We recommend 3:05 a.m. which means you click on 5 in the minutes column and 3 in the hours column. Finally, click the Selected option button under Weekdays and then click Wednesday. Click Submit Changes to save your settings.

Creating an Amazon S3 Account. Before you can create backups on Amazon S3, you'll obviously need an account. Here's the link to sign up: http://www.amazon.com/s3. Once you sign up, you'll receive an email with this link to manage your new account. Log in using your Amazon username and password. Write down your Access Key ID. Next click on the button to generate a new Secret Access Key. Once it's generated, click on the link provided to display it. Write it down, too. You'll need both your Access Key and your Secret to use Amazon's S3 service.

Installing s3cmd to Manage Your S3 Backups. There are a number of tools available to interact with Amazon S3. We've chosen s3cmd which happens to be free and uses python which is preconfigured on PBX in a Flash systems. Another great tool is JungleDisk, but it costs $20. It uses s3sync and Ruby which you'd need to install: yum install ruby. It also requires SSL certificates which complicates things a bit. For an excellent tutorial, see Chris Sherwood's writeup. Of course, time marches on, and today we can do all of the same things at no cost. So let's get started.

To install and configure s3cmd, log into your server as root and issue the following commands: [1]

cd /root
# quote the URL: an unquoted & would background wget and drop the rest of the line
wget -O s3cmd-0.9.8.3.tar.gz 'http://downloads.sourceforge.net/s3tools/s3cmd-0.9.8.3.tar.gz?modtime=1217338796&big_mirror=0'
tar zxvf s3cmd-0.9.8.3.tar.gz
mv s3cmd-0.9.8.3 s3cmd
cd s3cmd
./s3cmd --configure

You'll be prompted to enter your Access Key and Secret Key to access Amazon S3. Next you'll be asked to provide an encryption password to protect your data while being transmitted to Amazon. Make up a random collection of letters and numbers. For the path to the GPG program, press Enter to choose the default: /usr/bin/gpg. Choose whether to use HTTPS to transmit your data. It's a little slower, but it's secure so we recommend choosing it. We're going to automate the backup process so you're not going to be watching the file transmission process anyway. Next, you'll be asked whether to test S3 access using the credentials you've supplied. Type y and be sure you get a success message. Otherwise, recheck your Access Key and Secret Key for typos. Finally, you'll be asked whether to save the settings. Choose Y. Your settings will be saved in /root/.s3cfg. Be sure to erase the file if you give your server to someone else!

Using the s3cmd Command Line Interface. s3cmd is a command line tool so we'll walk you through the basics before we automate the weekly backup process. There's an excellent tutorial for s3cmd that is available here, and more S3 tools are on the way. What you really need to know about S3 file storage is that files are stored in disk volumes which S3 calls buckets. You can have up to 100 buckets. Wildcards don't work the way Linux wildcards do, and S3 is picky about the use of periods. Our recommendation: don't use them for the time being. Also be aware that bucket names are like domain names. They must be unique across the S3 cloud. So... daily-backup and weekly-backup won't work on your system because we already own those buckets. The easiest naming convention is probably to use your full name or company name for the bucket name and then create directories below there for your data. For other tips, see the S3 FAQ. Now let's run down the basic list of commands in the order you typically would use them:

Create a New Bucket: s3cmd mb s3://weekly-backup (Unique on S3!)
List Your Buckets: s3cmd ls
List Bucket Contents: s3cmd ls s3://weekly-backup
Upload a File: s3cmd put file.xyz s3://weekly-backup/file.xyz
Download a File: s3cmd get s3://weekly-backup/file.xyz file.xyz
Delete a File: s3cmd del s3://weekly-backup/file.xyz
Delete a Bucket: s3cmd rb s3://weekly-backup (NOTE: Bucket must be empty!)

Automating the Off-Site Backups to Amazon S3. We now have all the pieces we need to build a weekly cron script to automate the backup process to our new Amazon S3 storage facility. So let's build the script. For purposes of this example, we will assume that you have followed our instructions above in setting up the backup process with FreePBX. We obviously need to know when new backups are made so that we can configure a cron script at the proper time to copy the backup file up to the Amazon S3 server. We also need to know the name of the FreePBX directory with the backups and will assume that it's /var/lib/asterisk/backups/WeeklyBackup. Finally we need to know the name of the bucket to be created on Amazon S3 to store the backups and we'll assume it's s3://weekly-backup as we used in the examples above.

Step 1 is to build the script. Using your favorite editor, create a file and name it /root/s3backup.sh: nano -w /root/s3backup.sh. Here's what should go in it: [2]

#!/bin/bash
# copy the FreePBX backup created in the last 24 hours to the weekly-backup bucket
backupdir=/var/lib/asterisk/backups/WeeklyBackup
cd "$backupdir" || exit 1
thisbackup=$(find . -maxdepth 1 -name '*.gz' -mtime -1 -printf '%f\n' | sort | tail -n 1)
# nothing to upload if FreePBX has not produced a backup today
[ -n "$thisbackup" ] || exit 1
/root/s3cmd/s3cmd put "$backupdir/$thisbackup" "s3://weekly-backup/$thisbackup"

Save the file: Ctrl-X, Y, then Enter and make the script executable: chmod +x s3backup.sh. Note that, for this script to actually work, you must run it on the same day AND after FreePBX has first generated a backup.

Step 2 is to create a cron job that will execute the above script shortly after 3:05 a.m. on Wednesday morning making sure we leave enough time for FreePBX to complete the backup task. To be safe, we'll set it up for 4 a.m. every Wednesday. Edit /etc/crontab and add an entry at the bottom of the file that looks like the following:

0 4 * * 3 root /root/s3backup.sh > /dev/null

If you just wanted a basic backup system using Amazon S3, congratulations! You've graduated. But there's so much more if you don't mind getting your hands a little dirty.
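As an added example that is not the Nerd Vittles script, here is a fuller s3backup.sh that also confirms the upload is listed in the bucket and then prunes the bucket to the last five backups, the housekeeping the pricing discussion above assumes. It takes the backup directory, the s3://weekly-backup bucket and the /root/s3cmd location from the article; the listing it parses when run without arguments is a constructed sample, not real S3 output.

```shell
#!/bin/bash
# Added example (not the Nerd Vittles script): upload the newest FreePBX
# backup to S3, confirm it arrived, then keep only the last KEEP backups.
# Assumed from the article: backup directory, bucket name, s3cmd location.
BACKUP_DIR=${BACKUP_DIR:-/var/lib/asterisk/backups/WeeklyBackup}
BUCKET=${BUCKET:-s3://weekly-backup}
S3CMD=${S3CMD:-/root/s3cmd/s3cmd}
KEEP=${KEEP:-5}

# newest_backup DIR: print the basename of the most recently modified *.gz
# in DIR; fail (exit 1) when there is none so a missed FreePBX run is
# noticed instead of silently uploading nothing. Re-uploading last week's
# file under the same name merely overwrites the same object.
newest_backup() {
    local f
    f=$(ls -t "$1"/*.gz 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    basename "$f"
}

# stale_objects KEEP: read `s3cmd ls s3://bucket` output on stdin (one
# object per line as "DATE TIME SIZE URI"; "DIR ..." lines are skipped) and
# print the URIs of every object except the KEEP newest, newest first.
# Age is taken from the DATE and TIME columns, not from the file name.
stale_objects() {
    local keep="$1"
    awk 'NF == 4 && $4 ~ /^s3:/ { print $1 " " $2 " " $4 }' |
        sort -r | awk -v k="$keep" 'NR > k { print $3 }'
}

# prune_bucket: delete the stale objects from BUCKET (DRY_RUN=1 only lists them).
prune_bucket() {
    "$S3CMD" ls "$BUCKET" | stale_objects "$KEEP" | while read -r uri; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would delete $uri"
        else
            "$S3CMD" del "$uri"
        fi
    done
}

main() {
    local name
    name=$(newest_backup "$BACKUP_DIR") ||
        { echo "no backup found in $BACKUP_DIR" >&2; exit 1; }
    "$S3CMD" put "$BACKUP_DIR/$name" "$BUCKET/$name" || exit 1
    # Verify the new object is listed before deleting any older copies.
    "$S3CMD" ls "$BUCKET/$name" | grep -qF "$BUCKET/$name" ||
        { echo "$name not found in $BUCKET after upload" >&2; exit 1; }
    prune_bucket
}

# Constructed sample of `s3cmd ls` output (not real data) for the offline
# dry run below: seven weekly backups, so KEEP=5 marks two for deletion.
SAMPLE_LISTING='2009-05-06 03:10    52428800   s3://weekly-backup/20090506.tar.gz
2009-05-13 03:10    52428800   s3://weekly-backup/20090513.tar.gz
2009-05-20 03:10    52428800   s3://weekly-backup/20090520.tar.gz
2009-05-27 03:10    52428800   s3://weekly-backup/20090527.tar.gz
2009-06-03 03:10    52428800   s3://weekly-backup/20090603.tar.gz
2009-06-10 03:10    52428800   s3://weekly-backup/20090610.tar.gz
2009-06-17 03:10    52428800   s3://weekly-backup/20090617.tar.gz'

if [ "${1:-}" = "--run" ]; then
    main    # cron entry: 0 4 * * 3 root /root/s3backup.sh --run
else
    echo "dry run on the constructed sample listing, KEEP=$KEEP:"
    printf '%s\n' "$SAMPLE_LISTING" | stale_objects "$KEEP" | sed 's/^/would delete /'
fi
```

Run it with --run from cron; without arguments it only shows which objects the pruning step would remove from the sample listing.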


We're Getting Close. Before we tackle the techie stuff, let us pause for a moment and provide a progress report on the VPN in a Flash project. Thanks primarily to Tom King, we've made enormous progress in the last couple weeks. And, again, the accompanying picture says it better than words. We're also nearing completion of the documentation. The idea behind this project was to provide a mobile and transportable, full-featured VoIP PBX for under $500. For those with satellite offices or remote construction sites or branch offices, the Acer Aspire One is ideal. But it also can serve as a secure traveling companion for those that are often on the road. And, of course, it's an almost perfect fit for a home, a home office, a vacation home, or any hotel room with WiFi. Not only does it have an incredibly small footprint, but it also has computing power to spare with the new Intel Atom motherboard, a gig of RAM, and a 120GB hard disk. Yes, it's got wired AND wireless covered seamlessly, and it offers the Orgasmatron II build including fax capability plus the Hamachi VPN for secure connections within your own private network of servers and PCs. And our custom build offers the very latest KDE GUI with the brand-new Fedora 10 and performance to spare. The 1024x600 screen resolution you've simply got to see to believe. This photo doesn't do it justice. Plus we've added the Zoiper softphone which works nicely with the integrated microphone and speaker to let you place secure calls back through your home office PBX or directly through the fully-functional Asterisk 1.4 PBX which runs silently in the background with the new FreePBX 2.5 web interface. We hope to begin taking orders on or before the first anniversary of PBX in a Flash, November 14. For more details, click here or check out our forum posting. We now return you to your regularly scheduled program...


Using Fuse, s3fs, and Rsync with Amazon S3. At the outset, we want to express our special thanks to John Eberly for his article laying the foundation for much of what follows. The S3 technology has advanced dramatically since it first was introduced. So much so that you now can mount an Amazon S3 bucket as a local device on your server and use it like any other mounted device. This means you can use standard Linux tools to copy, list, delete, and move files. And you can use the built-in intelligence of tools such as rsync to actually keep directories in sync without recopying data that already exists in both locations and without manually deleting data which already has been removed from the source directory. For long time readers of Nerd Vittles, you know that rsync is one of our favorite Asterisk tools. It works flawlessly!

Unfortunately, with CentOS 5, the Linux Fuse file system installation process is a bit quirky, but here we go anyway. First, you'll need the Dag Wieers YUM repository to install some of these applications. The easiest way to activate the repository is to just execute the following commands while logged into your server as root. When we're finished with the repository, we'll delete /etc/yum.repos.d/dag.repo so that you don't unintentionally use it for other yum updates down the road:

cd /etc/yum.repos.d
wget http://pbxinaflash.net/source/s3/dag.repo
cd /root
yum -y install fuse-devel
rm /etc/yum.repos.d/dag.repo
# quote the URL: an unquoted & would background wget and drop the rest of the line
wget -O fuse-2.7.4.tar.gz 'http://downloads.sourceforge.net/fuse/fuse-2.7.4.tar.gz?modtime=1217019944&big_mirror=0'
tar zxvf fuse-2.7.4.tar.gz
cd fuse-2.7.4
./configure
make
make install
cd ..

If you're a Linux whiz kid, you're probably scratching your head wondering why we would install an RPM version of fuse and then turn around and install it again by compiling it from source. The short answer is "hell if I know." The longer answer is that fuse won't work unless you do it this way. Sorry. If you really are a whiz kid, you can educate all of us as to why this is necessary by posting a comment.

Now that the Linux fuse file system is installed, we need one more application. It's the glue between Linux fuse and Amazon S3: s3fs. So let's download, compile, and install the s3 file system application:

cd /root
wget http://s3fs.googlecode.com/files/s3fs-r177-source.tar.gz
tar zxvf s3fs*
cd s3fs
make -f Makefile
mkdir /mnt/s3fs
cp s3fs /usr/bin/.
cd ..

Finally, to simplify mounting of your S3 file system, we need to store your Access Key and Secret Key in a config file just as was done with s3cmd above. So create a new file named /etc/passwd-s3fs and add your AccessKey:SecretKey in the file, e.g. 12345:67890


Mount S3 bucket (the unique one): s3fs weekly-backup /mnt/s3fs

Check available storage space: df -h /mnt/s3fs

Sync Backup directory with S3: rsync -avz --delete /var/lib/asterisk/backups/WeeklyBackup /mnt/s3fs

Dismount your S3 bucket: umount /mnt/s3fs

For the steps to integrate this directly into FreePBX to assure that your backups are automatically saved to S3, see Comment #1 below.
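Here is an added example, not from the article or the s3fs project, that wraps the mount, sync and unmount steps above into one cron-friendly script. It refuses to run unless /etc/passwd-s3fs holds AccessKey:SecretKey lines and is readable by root only, mounts the bucket only if it is not already mounted, and caps how many files --delete may remove; the paths and bucket name are the article's, and the mode-600 check is a precaution added here, not a requirement the page states.

```shell
#!/bin/bash
# Added example (not from the article or s3fs): mount the weekly-backup
# bucket, rsync the FreePBX backup directory into it, and unmount again.
# Paths and bucket name are assumed from the article.
CRED_FILE=${CRED_FILE:-/etc/passwd-s3fs}
MOUNT_POINT=${MOUNT_POINT:-/mnt/s3fs}
BUCKET=${BUCKET:-weekly-backup}
BACKUP_DIR=${BACKUP_DIR:-/var/lib/asterisk/backups/WeeklyBackup}

# credentials_ok FILE: succeed only if FILE exists, is mode 600 (the secret
# key grants access to every bucket in the account, so other users on the
# box must not be able to read it) and every line is "AccessKey:SecretKey".
credentials_ok() {
    local file="$1" mode
    [ -f "$file" ] || return 1
    mode=$(stat -c %a "$file" 2>/dev/null) || return 1
    [ "$mode" = "600" ] || return 1
    awk -F: 'BEGIN { bad = 0 }
             NF != 2 || $1 == "" || $2 == "" { bad = 1 }
             END { exit (NR == 0 || bad) }' "$file"
}

# is_mounted DIR: succeed if something is mounted on DIR (Linux /proc/mounts).
is_mounted() {
    grep -q " $1 " /proc/mounts
}

# sync_to_s3: mount, mirror BACKUP_DIR into the bucket, unmount.
sync_to_s3() {
    local rc
    credentials_ok "$CRED_FILE" ||
        { echo "$CRED_FILE is missing, malformed or not mode 600" >&2; return 1; }
    if ! is_mounted "$MOUNT_POINT"; then
        s3fs "$BUCKET" "$MOUNT_POINT" || return 1
    fi
    # --delete mirrors removals to S3, so an emptied or mistyped BACKUP_DIR
    # would erase the off-site copies too; --max-delete caps that damage.
    rsync -avz --delete --max-delete=5 "$BACKUP_DIR" "$MOUNT_POINT/"
    rc=$?
    umount "$MOUNT_POINT"
    return $rc
}

# Run the sync only when invoked as: s3sync.sh --run  (the functions above
# can then be sourced and checked without touching S3).
if [ "${1:-}" = "--run" ]; then
    sync_to_s3
fi
```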


Hosting Provider Mega Deal. Just an FYI that the Nerd Vittles hosting provider, BlueHost, has raised the bar again on hosting services. For $6.95 a month, you can host unlimited domains with unlimited web hosting disk storage and unlimited monthly bandwidth. Free domain registration is included for as long as you have an account. It really doesn't get any better than that. And their hosting services are flawless! Just use our link. You get a terrific hosting service, and we get a little lunch money.


New Fonica Special. If you want to communicate with the rest of the telephones in the world, then you'll need a way to route outbound calls (terminations) to their destination. For outbound calling, we recommend you establish accounts with several providers. We've included two of the very best! These include Joe Roper's new service for PBX in a Flash as well as our old favorite, Vitelity. To get started with the Fonica service, just visit the web site and register. You can choose penny a minute service in the U.S. Or premium service is available for a bit more. Try both. You've got nothing to lose! In addition, Fonica offers some of the best international calling rates in the world. And Joe Roper has almost a decade of experience configuring and managing these services. So we have little doubt that you'll love the service AND the support. To sign up in the USA and be charged in U.S. Dollars, sign up here. To sign up for the European Service and be charged in Euros, sign up here. See the Fonica image which tells you everything you need to know about this terrific new offering. In addition to being first rate service, Fonica is one of the least expensive and most reliable providers on the planet.
 


  1. Where you see ↩, join the text on the following line to the original line as a single line of text (usually with no intervening space).
  2. In the script, the ↩ character means to join the three lines of text into a single line with a single space between the code on each line. The difference between the two examples is that you don't usually have spaces in http: requests, while commands issued on the command line obviously have spaces between the different parts of the command.
