Home » Posts tagged 'security' (Page 6)
Tag Archives: security
The Most Versatile VoIP Provider: FREE PORTING
JUST RELEASED: Visit the Incredible PBX WikiIs It Time to Get Your Buzz On?
If you’ve been on vacation for the past week without your computer and cellphone, welcome back. Here’s what you missed: Everything! Yes, in seven little days, we’ve watched in amazement as Google the Giant Internet Gorilla with unlimited financial resources jumped off the 1,000 foot cliff without a parachute and then set about discovering how to land safely. Google jumped head first into social networking with a new product, Google Buzz, and decided to kick start the project using the age-old business trick of tying the new product to an old one, in this case their 175 million existing Gmail customers.
In the process of introducing Google Buzz, Google got almost everything wrong. Ironically, it’s the only new Google product that’s ever been introduced without the beta label. We’ll let you be the judge of whether Buzz is ready for prime time. Consider the following. There was the exposure of people’s most cherished Little Black Books to complete strangers. And cross-scripting security issues have been reported with the potential of exposing users’ Google credentials which in turn provides the key to the Google Checkout castle not to mention all of your most confidential emails. Then there were complaints that customer’s geolocation data was being compromised without user authorization. If that wasn’t enough on your plate for one week, Google now has to contend with a class action lawsuit and several government investigations into its Buzz business practices. Aside from that, did we mention Google Buzz is a huge hit!
If social networking is your thing, then you’re going to love Google Buzz. Think of it as FriendFeed on Steroids. Rich multimedia and location-based services on top of everything you always loved about IRC. And, if you have an Android 2.0+ phone, it gets even better with complete integration into Google Maps 2.0.
Unfortunately, everyone has been so busy with damage control and Google bashing that there’s been precious little time to actually explore the potential for Google Buzz in the social networking community. Our brief look at the product and its potential suggests that Google has another winner on its hands. It’s just too bad it wasn’t introduced in a manner similar to Google Wave so that users (and Google) could walk before attempting to fly. Here’s our first crack at how Google Buzz could actually be integrated into the blogging community, in our case making Google Buzz an integral part of a WordPress blog. And there’s also the widget approach from MoreTechTips.net which we’ve tweaked in the right margin below our Google maps. We’ll have more to say about these methodologies in coming weeks. In the meantime, come join the fun and Get Your Buzz On.
Some Recent Nerd Vittles Articles of Interest…
Welcome to IP Country: A New Layer of Asterisk Security
One of the problems with writing a blog like Nerd Vittles is it's more than double the work of your typical blog where a writer pontificates about something and then moves on. What makes Nerd Vittles a little different is that, with help from a number of very gifted developers, we actually create useful applications and then write about how to use them. So you get a bonus for the same low price: free! This obviously imposes some time constraints in order to get fresh material into your hot little hands every week.
This week we turn our attention to Asterisk® Security again and unfortunately the Whole Enchilada is not yet ready. So today you get Chapter I of this topic with a comment that we're still mulling over some enhancements. When those pieces are finished or at least properly evaluated, we'll produce a sequel. Software houses spend years developing applications. And sometimes it takes us more than a week. 🙂
Let's start with a few observations which should be quite obvious to those who have wrestled with VoIP or Asterisk for a while. Internet security is a bitch. And Asterisk security is much, much worse. When a few disgruntled people can bring Twitter to its knees because they're mad about some particular tweet or Twitter user, it tells you what we're all up against. Hate to say it but we can all thank Microsoft for years of security neglect that rendered the Windows operating system less than optimum in preventing the spread and deployment of BOTs. And the tools have gotten more dangerous as well. Strangers (our euphemism for these folks) write new software, too. 
If you're using PBX in a Flash (and you really should be!), you know that we've devoted enormous resources to Asterisk security. Two years ago when PBX in a Flash was introduced, the majority of people using Asterisk still were using 1234 as the extension password on all or most of their extensions. A couple $100,000 phone bills and lots of public education, and that situation hopefully is behind us. Two years ago, no Asterisk aggregation included a firewall... except PBX in a Flash. Believe it or not, there were individuals running Asterisk servers on the public Internet with a default root password of password. That added more than a few more BOTs to the Internet kettle of fish. Then there were the brute force password hacks that hit Asterisk servers thousands of times per minute guessing passwords. Nothing stood in the way of these attacks until PBX in a Flash introduced Fail2Ban which automatically blacklisted IP addresses after a certain number of failed login attempts. We followed Fail2Ban with our Atomic Flash product which provided a turnkey Hamachi VPN implementation for rock-solid safe remote computing. And, of course, there was a one-minute Hamachi VPN install script for standard PBX in a Flash systems. No other aggregation has it to this day.
The purpose of the history lesson isn't to crow about PBX in a Flash although we're mighty proud of it. Rather we wanted to make you aware that precious little development effort is actually going into security while enormous resources are devoted to things such as Internet faxing, Skype, and Google Voice integration. We'll be the first to admit that we love the latest gee whiz gizmos as much as anybody. But come on. A handful of us who do this purely for fun somehow manage to turn out loads of security enhancements while huge, for-profit companies are devoting virtually zero resources to making Asterisk, SIP, and the VoIP community safer. SIP is about as secure as whispering at a movie theater. Google releases Google Voice with SIP access protected by a 4-digit password. 🙄 That approach to security needs to change, or we're all going to wake up sorry one day soon. If this is preaching to the choir, then feel free to pass this article on to one of your brethren who has not yet seen the light! Start by reading our Primer on Asterisk Security.
If you have extremely secure passwords on your Asterisk extensions and trunks, and you have deployed a properly configured firewall with Fail2Ban to protect against brute force attacks, then you're ahead of the curve insofar as Asterisk security is concerned. But what we think is still missing is access restrictions based upon what the military calls a "need to know." Simply stated, it means folks shouldn't get access of any kind to your Asterisk server unless they have a need to be there. And, if we find someone there that doesn't belong, they should be kicked off and banned from further access.
So today we have a new security tool for your Asterisk toolbox: IP Country, country-based network filtering by IP address. In a nutshell, it means configuring your Asterisk server to dramatically reduce the number of IP addresses which can reach your server at all. If you receive anonymous SIP connections from all around the globe that you actually need or if you're attacked from a BOT running on grandma's Windows machine down the block, this may not work for you, but it's another tool in your quiver of arrows. For most servers, it has the potential to reduce the vulnerability from random outside threats substantially. It's taken a lot of research to come up with much of what follows, and we want to express our special thanks to Sandro Gauci and Joe Roper for their assistance. Some of this technology has been around for many years, but unfortunately it was expensive. So we also want to express our special appreciation to MaxMind for releasing their open source GeoLite Country database which is now free for downloading. That is the critical ingredient in much of what follows. So here's a word from our sponsor:
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
Scope of Protection. An obvious question is just exactly what are we trying to protect. In our view, it's several things. First, we don't want strangers logging in to extensions on our server and making free calls around the globe using pilfered or hacked passwords. We also don't want strangers using our extensions to masquerade as us for any other purpose. Second, we don't want strangers randomly calling our server using SIP URI's that they've dreamed up. And third, we don't want strangers accessing any other applications on our server including SSH and FTP as well as web and email services.
IP Country Design. As with other security features in Asterisk, FreePBX, and IPtables, our implementation of IP Country uses permit and deny access tables that consist of authorized and unauthorized ranges of IP addresses. There's also a table with the latest GeoLite Country information which is used as the data source for your permit table. When a connection to the server is made, the IP address is checked against the permit table of authorized addresses. If there's no match, we'll consider the connection a stranger. If there is a match, then we'll check the deny table to make certain this particular IP address hasn't been banned. Unless you alter all of our scripts, your system must be using the default MySQL account name of root with a password of passw0rd. As configured in PBX in a Flash, this is NOT a security risk since MySQL access is limited to your server, and your server requires root credentials to log in.
Today's Objective. To get everyone started, we're going to tackle the first two objectives today. The solutions offered should work fine on any FreePBX-based Asterisk system... even those that hide the existence of FreePBX.
For outgoing calls, we'll introduce a new script which runs periodically to examine the IP addresses attached to every SIP and IAX extension and trunk on your Asterisk server. If a stranger's IP address is identified (as explained above), we'll add an IPtables firewall rule to permanently block access to your server from this IP address. These rules are stored in /etc/sysconfig/iptables should you ever need to remove an IP address that has been blocked. You can adjust the script execution frequency based upon the thickness of your wallet. After all, it's your phone bill. This functionality is mutually independent from the incoming call protection outlined below so you can use either or both of the functions to meet your own requirements. For systems that use enormous numbers of SIP URI's for communications around the globe, you might choose to implement just this piece for extension and trunk IP Country protection without altering your incoming dialplan at all. Keep in mind that FreePBX now supports permit and deny IP address filters on extensions, something you really should be using even if you decide against implementing the IP Country security protection layer.
For incoming calls, we're going to modify FreePBX's existing Blacklist functionality to also look up the calling IP address in our IP Country permit and deny tables. If the IP address is authorized, the call will go through. Otherwise, the call will be treated just as if the caller's number were blacklisted. Be aware that incoming calls to one of your commercial DIDs may reflect the IP address of your provider since the caller may be calling from a Plain Old Telephone rather than an IP address. The existing Blacklist functionality can be used to block these unwanted callers. If you live in the United States, you'll probably also want to call 888-382-1222 and place your DIDs in the Do Not Call database. Just call from a phone using the CallerID of the number you wish to block.
Installing GeoLite Country. To get started, log into your server as root and issue the following commands:
cd /
wget http://bestof.nerdvittles.com/applications/ipcountry/ipcountry.tgz
tar zxvf ipcountry.tgz
rm ipcountry.tgz
cd /root/ipcountry
./nv-ipcountry
Once the nv-ipcountry script begins to run, it will download and install the GeoLite Country database into MySQL. You then will be asked whether to add countries to your permit table. Since your permit table is empty at this point, the answer should be yes. You'll then get a list of country codes. Choose the two-character country code desired and type it in UPPERCASE, e.g. US. If you want to add one or more additional countries, just rerun ./nv-ipcountry and do NOT initialize the permit table (which erases all of its contents).
New GeoLite Country databases are released every month or two so get used to the procedure. You'll be using it periodically to keep your list of IP addresses current. We'll cover the update procedure after we get you up and running.
Remember: If no IP addresses for any country are added to the permit table, you will not be able to make calls or register trunks with your providers! The only default entries added to the permit table are the non-routable, private IP address ranges, e.g. 192.168.0, etc. The geolite table is merely a data repository of the latest GeoLite Country database and has no effect on the daily operation of your system! You use it only as a data source for populating your permit table.
Testing IP Country. Before we actually turn anything on, we need to be sure we're not going to blow your Asterisk system out of the water! In short, we want to make sure that every extension that's supposed to be able to make a connection to your PBX still can. And we need to make sure all of your trunk registrations still are working. While you're still in the /root/ipcountry directory, issue the following command: ./test.sh. This script will display all of your SIP and IAX connections and then will tell you whether each connection will pass muster with IP Country security in place. Each IP address should display ok. If any of them show ko, you have a problem. This means that you have an extension or trunk with an IP address that is not included in your permit table. You can scan through the show peers listings in the display to figure out which providers or extensions are associated with any problem IP addresses. Be sure it's not a bad guy first. Then you have a couple of options. You can either manually add the IP address to the permit table as outlined below. Or you can add additional countries which include the missing IP address(es). To decipher the country of any problem IP address, go to this link and plug in the IP address. Once you've made entries in your permit table to cover all of your needed IP addresses, run the test script again just to be sure everything shows ok. Do NOT proceed until you get all ok's, and don't write us if you do.
Manually Adding IP Addresses to IP Country. We've provided a command-line utility which makes it easy to add IP addresses and address ranges to either the permit or deny tables of IP Country. Be very careful using this tool! There's limited error-checking which means it's easy to create a mess. You'll find iputility.php in the /root/ipcountry folder. Since all IP addresses are stored as integers, you can use it to merely discover the integer value of an IP address, or you can actually insert IP addresses into either the permit or deny tables. Here are a few examples to show how the utility works:
./iputility.php 156.130.20.10
Returns the integer value for this IP address; no database update
./iputility.php 156.130.20.10 156.130.20.255
Returns integer values for this IP address range; no database update
./iputility.php 156.130.20.10 deny
Adds this IP address to IP Country deny table
./iputility.php 156.130.20.10 156.130.20.255 permit
Adds this address range to IP Country permit table)
A couple of points worth noting. First, all custom entries in your permit and deny tables using iputility will show a country code of AA. This makes them easy to find using phpMyAdmin if you make a mistake. Second, if you attempt to enter the same IP address range more than once, you'll get a database error since all entries in the tables must be unique. Third, remember that entries in the deny table take precedence over entries in the permit table. So, if the same IP address or address range is in both tables, access will be denied. The reason for this is to make it easy to exclude a few bad apples from a country that you might otherwise find unobjectionable. Finally, keep in mind that manual entries added to the permit table will have to be added again each time you initialize the table and insert new country IP codes after a GeoLite Country refresh. The deny table is unaffected by database refreshes. So make yourself a list of entries you manually insert into the permit table and keep it in a safe place for future reference.
Activating the IP Address Checker. In the /root/ipcountry directory, you'll find the script that we'll use to check your system periodically to be sure all of the extensions and trunks are registered at permitted IP addresses. To run the script manually, log into your server as root and type: /root/ipcountry/ip-checker.sh. When you run it, you shouldn't see any modifications to IPtables, just a string of ok's. So now we want to added the script as a cron job that will be run periodically to watch your system. Edit /etc/crontab and insert the following line at the bottom of the file:
*/1 means run the script once a minute, all day and night, every day. */5 means every 5 minutes. You make the call on how safe you'd like your system to be. If you'd like to receive an email or text message every time an IP address is blocked by ip-checker.sh, just edit the filecheck.php script, uncomment the two lines that begin with // and replace yourname@gmail.com with your email or text message address.
WARNING: For ip-checker.sh to work properly with IPtables, there are a couple of prerequisites. First, IPtables must be running on your system with the iptables file located in /etc/sysconfig. Second, your IPtables setup must include an SSH permit rule that looks like this:
-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT We use this rule as a place finder to determine where to insert new rules to block stranger's IP addresses. If you don't have the above rule, filecheck.php (used by ip-checker.sh) won't be able to insert new rules. So you'll need to manually edit filecheck.php to provide a "hook" that can be used to insert rules into your iptables file. PBX in a Flash systems come preconfigured to support this. With other aggregations, YMMV!
Activating the Incoming Call Checker. To screen incoming calls using your IP Country permit and deny tables, the setup is straight-forward assuming you are running the latest version of FreePBX 2.5. We're going to adjust the Blacklist context to also perform IP address lookups from IP Country when new calls arrive on your PBX. Just log into your server as root and add the following lines to the bottom of the extensions_override_freepbx.conf file in /etc/asterisk:
[app-blacklist-check]
include => app-blacklist-check-custom
exten => s,1,LookupBlacklist()
exten => s,n,GotoIf($["${LOOKUPBLSTATUS}"="FOUND"]?blacklisted)
exten => s,n,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
exten => s,n,GotoIf($["${TESTAT}" != ""]?hasat)
exten => s,n,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
exten => s,n,Goto(gotip)
exten => s,n(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
exten => s,n(gotip),NoOp(Gateway IP is ${FROM_IP})
exten => s,n,NoOp(IP Country Lookup in Progress...)
; put authorized special calls like sipgate's Google Voice ringbacks below
exten => s,n,GotoIf($["${FROM_IP}"="sipgate.com"]?keepon)
exten => s,n,AGI(nv-ipcountry.php|${FROM_IP})
exten => s,n,GotoIf($["${STRANGER}"="true"]?blacklisted)
exten => s,n(keepon),NoOp(** AUTHORIZED CALLER **)
exten => s,n,Return()
exten => s,n(blacklisted),Answer
exten => s,n,Wait(1)
exten => s,n,Zapateller()
exten => s,n,Playback(ss-noservice)
exten => s,n,Hangup
Make sure you remove the line-wrap in the s,n(hasat) line and any others that may have wrapped in the display above! Then save the file and reload your Asterisk dialplan: asterisk -rx "dialplan reload". You're all set! If you'd like email notices when a stranger calls and is blacklisted, edit nv-ipcountry.php in /var/lib/asterisk/agi-bin. Plug in your actual email address in the $email variable and set $emailalerts = 1.
Housekeeping 101. As we mentioned above, the pool and location of IP addresses continues to change so periodic updates are necessary, or you'll end up blocking calls that otherwise should be permitted. MaxMind updates GeoLite Country on the first day of every month so add it to your TO-DO list. We strongly recommend that you perform these steps through an SSH connection from a remote PC. Why? Because, if you forget step 1 while logged directly into your server, you could inadvertently lock yourself out of your own system if the ip-checker script happens to run while your permit table is empty. If you do it from a remote machine, you can simply move to another machine and follow these instructions properly. Otherwise, you've got a serious problem on your main server. If this server provides phones to your business, do the update when the server is idle. So here's the drill:
- Comment out the ip-checker.sh /etc/crontab entry
- Download new GeoLite Country database from MaxMind
- Initialize the ipcountry.permit table
- Add authorized countries back into ipcountry.permit table
- Add back any custom entries to permit table
- Test your IP Country system to make sure you get all ok's
- Reactivate ip-checker.sh in /etc/crontab
1. Log into your server as root. To comment out the ip-checker.sh line in /etc/crontab, just add # as the first character on the line and save the file.
2. Change to the /root/ipcountry directory and run ./nv-GeoIPrefresh.
3. While still in the /root/ipcountry directory, run ./nv-ipcountry and choose 1-Yes to initialize your ipcountry.permit table.
4. Continue running or rerun ./nv-ipcountry to add each desired country to your ipcountry.permit table.
5. Run ./iputility.php to add custom IP address entries to your ipcountry.permit table. You do NOT need to reenter addresses in the deny table. It is unaffected by this update procedure.
6. Test your system again to make sure all extensions and trunks get an ok by running ./test.sh.
7. Edit /etc/crontab and remove the # at the beginning of the ip-checker.sh line and save the file.
What's Next. We're still exploring another possibility with IP Country, and that is integrating GeoLite Country directly into IPtables. This would validate every packet coming into your firewall using IP Country-like rules in IPtables. If you want to look at how it could be done, see this excellent writeup. Well, not so fast. Unfortunately, it won't compile under CentOS 5.2. Here's a link to the problem code if there are any Linux gurus in the house. Our reluctance in doing this has to do with performance. Keep in mind that, without stateful packet inspection, every single packet coming into your server would presumably trigger a database lookup. On a busy telephony system generating hundreds of thousands of packets per second, it would take a beast of a server with sufficient memory to cache the entire IP Country database in order to handle the processing load. So now we've got to either learn about or find an expert on the IPtables State Machine. If anyone wants to experiment, please share your expertise with the rest of us. There's a Google Voice invite in it for you, too.
whos.amung.us If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what's happening. It's a terrific resource both for us and for you.
Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest...
Introducing PBX in a Flash 1.4: The Lean, Mean Asterisk Machine
It's almost spring. So what better time to introduce version 1.4 of PBX in a Flash. It's chock full of new telephony goodies to whet your appetite for Internet Telephony. Tom King has worked his usual Magicâ„¢ to come up with a pair of new ISOs that are nothing short of spectacular. Not only is PBX in a Flash leaner and meaner, but it's now incredibly flexible and even easier to use.
You don't get the kitchen sink in PBX in a Flash ISOs. Instead you get a rock-solid CentOS 5.2 operating system with the latest CentOS kernel on which to build an Internet telephony server that meets your specific needs. Want a 64-bit operating system? We've got it. Prefer to stick with a 32-bit operating system? We've got you covered there, too. Want to experiment with Asterisk® 1.6 and DAHDI? We've got it. Prefer to stick with Asterisk 1.4 and Zaptel for a production environment? No problem. Do you prefer LVM, ext3, or SATA RAID for your disk drives? Well, take your pick. PBX in a Flash 1.4 now supports all of them. For those with a physical handicap, you now can install the complete system with no user intervention by typing ksauto at the first prompt. And, for PBX in a Flash development partners, we've got a 2-CD install set that makes generation of multiple systems with minimal Internet access a reality.
A Better Mousetrap. Asterisk-based LAMP aggregations thankfully are more plentiful today, but we think we have a better mousetrap. Here are a few reasons why? First, PBX in a Flash is the only distribution that is totally source-based with Asterisk compiled from source as part of the install. What that means is when you purchase add-on hardware and it has a problem for some reason, all of the tools are already in place for you to contact the manufacturer or reseller and have them reconfigure or recompile whatever is necessary on your system to get you back in business quickly. It also means that most of our applications are compiled from source on your specific hardware which assures a more reliable and stable software platform on which to build your telephony system.
Second, we don't release PBX in a Flash ISOs every other week. We don't have to. Every time a new security patch is released for Asterisk, the "other guys" have to create a new RPM or ISO to support it. That means your system is vulnerable for weeks or months while that process is underway. In some cases, it means installing a new ISO and starting over. I wish I had a nickel for every time I reinstalled and basically started over with Asterisk@Home or trixbox. With PBX in a Flash, you simply type update-source at the command prompt and your system is brought current without missing a beat. The total downtime for your system is typically under 15 minutes!
Third, PBX in a Flash uses a two-step install process that all but eliminates the ISO obsolescence issues that have plagued other distributions. The PBX in a Flash ISO is used to install either the 32-bit or the 64-bit CentOS 5.2 operating system and kernel. When that process completes, the installer then searches multiple sites on the Internet for our "payload file" which contains the latest, greatest version of Asterisk which is compiled on-the-fly. The payload script also installs FreePBX and many of the customized features that make PBX in a Flash unique. If you need additional functionality, we have an entire web site, pbxinaflash.org, dedicated to add-on scripts. Most of these add-on scripts install without user intervention in under a minute. So... install what you need and skip the BloatWare. Using this design, most bugs are eliminated as well without your having to do much of anything. Translation: More time to enjoy your production-quality VoIP PBX... and less all-nighters!
So today we're proud to introduce the 1.4 release of PBX in a Flash for Linux, Windows, and Macs. It's still the Lean, Mean Asterisk Machine designed to meet the needs of hobbyists as well as business users. Text-to-speech works, Bluetooth works, faxing works. FreePBX 2.5 is rock-solid and much more secure.
And, speaking of security, PBX in a Flash is the only distribution that brings you multiple layers of security out of the box. There's the preconfigured Linux IPtables firewall. And, in addition, there's the latest and greatest version of Fail2Ban which blocks malicious intruders attempting to guess your passwords and break into your system. We also recommend adding a hardware-based firewall/router to block HTTP access to your system unless you really know what you're doing. Does all of this matter? Well, it's your phone bill. Here's a link to our article about a company that recently received an unexpected $120,000 phone bill in the mail. So you decide. If you read nothing else before embarking on your VoIP adventure, read our Primer on Asterisk Security!
As some of our regular readers know, we have been very concerned with the Asterisk development strategy that continues the process of regularly deleting commands and syntaxes with each major version change. Many of us rely upon these commands in building dialplans and vertical market applications for Asterisk so it causes real problems. PBX systems break that used to work. When that happens almost annually, it's a bad thing. One way that we hope to improve the dialogue with the developers is to make it easy for more people to experiment with Asterisk 1.6. Whether you choose our 32-bit or 64-bit ISO, you also have the option to install the latest release of Asterisk 1.6 and get you involved in this process. Otherwise, we might as well look forward to annual train wrecks because of the Asterisk design strategy. You can read all about it here and here.
Getting Started with PBX in a Flash 1.4. Begin by downloading either the 32-bit or 64-bit ISO image for PBX in a Flash. Don't worry. If you try to run the 64-bit install on a system that doesn't support it, it'll just sit there so you've got nothing to lose by trying the Ferrari first. As new locations for ISO downloads come on line, we will add them to the download list. Once you've got the ISO image in hand, use your favorite tool to burn it to a bootable CD. This next step is the most important. Do some reading!! There also are loads of helpful tutorials that are free for the downloading from our support site.
What About Hardware? If you're new to all of this, let us recommend you try either one of Dell's entry-level T100 or T105 PowerEdge servers or one of the newer Intel Atom-based small-footprint PCs or netbooks such as the Acer Aspire One. On sale pricing is typically around $300. You can save an additional 2% plus $5 by using our coupon link in the right margin. These systems are just about perfect for a home or small business telephony server.
Basic Install. Once you have your new system, just insert the CD containing the pbxinaflash.iso and then reboot the machine you wish to dedicate to PBX in a Flash. After reading this tutorial and the initial prompts and warnings, choose an option and press the <Enter key> to begin the installation. If you want to first check the media for corruption, type linux mediacheck and then press the <Enter> key. When prompted, be sure to choose the option that erases all existing partitions and uses the default partition layout. Then choose your time zone and leave the UTC system clock option unchecked. Next choose a root password for your new system. Make it secure, and write it down (not on your shoe). We plan to use this password for virtually everything on your new system. The install process begins. This includes MySQL, Apache, PHP, CUPS, Samba, WebMin, Subversion, SendMail, Yum, Bluetooth support, SSL, Perl, Python, the kernel development package, and much more. In about 15 minutes depending upon the speed of your PC, the machine will reboot. Be sure to eject the CD at this point. You now must have an Internet connection to complete the install so be sure you've plugged in a 10/100 cable if you haven't done so already.
After the reboot, the system will start up with CentOS 5.2, then download and install Asterisk and FreePBX, and search for the necessary installation script and payload file on pbxinaflash.net. If that site happens to be down, the script will go to pbxinaflash.com for the same payload file. Just to repeat, if you don't have Internet connectivity, then the installation cannot complete. When the installation finishes, reboot your system and log in as root. The IP address of your PBX in a Flash system will be displayed once you log in. If it's blank, type service network restart after assuring that you have Internet connectivity and access to a DHCP server that hands out IP addresses. Typing ifconfig should display your IP address on the eth0 port. Write it down. We'll need it in a minute.
Now that you've logged in as root, you should see the IP address displayed with the following command prompt: root@pbx:~/. If instead you see bash displayed as the command prompt and it's not green, then the installation has not completed successfully. This is probably due to network problems but also could be caused by the time being set incorrectly on your server. You can't compile Asterisk if the time on your computer is a date in the past! For this glitch you have to try again. If it's a network issue, fix it and then reboot and watch for the eth0 connection to complete. Assuming it doesn't fail the second time around, the installation will continue. Likewise, if you do not have DHCP on your network, the installation will fail because the PBX will not be given an IP address. Simply type netconfig, fill in the blanks and reboot.
Four Steps to Complete the Install. There are four important things to do to complete the installation. First, from the command prompt, run genzaptelconf. This sets up your ZAP hardware as well as a timing source for conferencing. If you're using additional hardware for your Asterisk system, we recommend removing the 56K modem when you install the cards. This will help avoid interrupt conflicts. Second, decide how to handle the IP address for your PBX in a Flash server. The default is DHCP, but you don't want the IP address of your PBX changing. Phones and phone calls need to know how to find your PBX, and if your internal IP address changes because of DHCP, that's a problem. You have two choices. Either set your router to always hand out the same DHCP address to your PBX in a Flash server by specifying its MAC address in the reserved IP address table of your router, or run netconfig at the command prompt and assign a permanent IP address to your server. Be aware that netconfig no longer is a part of CentOS 5.2. We added it back in as part of the install. If you update your CentOS configuration, you will need to reinstall it by running update-scripts, then update-fixes, and then install-netconfig. If you experience problems with the process, see this message thread on the forum. The third configuration requirement probably accounts for more beginner problems with Asterisk systems than everything else combined. Read the next section carefully and do it now!
Getting Rid of One-Way Audio. There are some settings you'll need to add to /etc/asterisk/sip_custom.conf if you want to have reliable, two-way communications with Asterisk: nano -w /etc/asterisk/sip_custom.conf. The entries depend upon whether your Internet connection has a fixed IP address or a DHCP address issued by your provider. In the latter case, you also need to configure your router to support Dynamic DNS (DDNS) using a service such as dyndns.org. If you have a fixed IP address, then enter settings like the following using your actual public IP address and your private IP subnet:
externip=180.12.12.12
localnet=192.168.1.0/255.255.255.0
If you have a public address that changes and you're using DDNS, then the settings would look something like the following:
externhost=myserver.dyndns.org
localnet=192.168.0.0/255.255.255.0
(NOTE: The first 3 octets in the above localnet entries need to match your private IP addresses!)
Once you've made your entries, save the file: Ctrl-X, Y, then Enter. Reload Asterisk: amportal restart. If you assigned a permanent IP address, reboot your server: shutdown -r now.
Be aware that some people experience problems with the externhost approach outlined above. If your provider only gives you a dynamic IP address, you still can use the externip approach above so long as you have a method to frequently verify your IP address. The approach we actually use on our home network is to run a little script every 5 minutes. If it finds that your outside IP address has changed, it will automatically update your sip_custom.conf file with the new address. To use our approach, create a file in /var/lib/asterisk/agi-bin names ip.sh. Here's the code:1
#!/bin/bash
# File to log the IP Address
IPFILE='/var/log/asterisk/externip'
# Your local lan ip block
localnet=192.168.1.0
# Nothing else needs to be changed.
if [ ! -f "$IPFILE" ]; then
echo "creating $IPFILE"
echo first_time_usage > $IPFILE
fi
lastip=`cat $IPFILE`
externip=$(curl -s -S --user-agent "PIAF 1.4"↩
http://myip.pbxinaflash.com | awk 'NR==2')
if [ $externip != $lastip ]; then
# Writes new IP address (if it has changed) to file.
echo "$externip" > $IPFILE
echo "externip=$externip" > /etc/asterisk/sip_custom.conf
echo "localnet=$localnet/255.255.255.0" >>↩
/etc/asterisk/sip_custom.conf
echo "srvlookup=yes" >> /etc/asterisk/sip_custom.conf
echo "nat=yes" >> /etc/asterisk/sip_custom.conf
asterisk -rx "dialplan reload" ;
else
exit 0;
fi
exit;
On line 5, enter the internal subnet for your server as the localnet entry. This is usually 192.168.0.0 or 192.168.1.0. YMMV!
Save the file and give it execute permissions: chmod +x /var/lib/asterisk/agi-bin/ip.sh. Then make asterisk the file owner: chown asterisk:asterisk /var/lib/asterisk/agi-bin/ip.sh.
Finally, add the following entry to the bottom of /etc/crontab:
*/5 * * * * asterisk /var/lib/asterisk/agi-bin/ip.sh > /dev/null
Getting Your Machine Up to Date. Tom King, one of our lead developers, has gone to great pains to make it easy for you to always have a current system. All you have to do is type a few commands, but you do have to type them. So do it now! After logging in as root, type update-scripts to get the latest PBX in a Flash scripts installed on your system. This doesn't run them, it merely makes them available for you to run them. Once you complete this step, you can always review the latest scripting options by typing help-pbx. Now run update-fixes to apply the latest patches to your PBX in a Flash system. When it completes, you're up to date. If you want the latest version of Asterisk, it's easy! Just run update-source. In the case of PBX in a Flash 1.4, you have the latest stable version of Asterisk 1.4 or 1.6... at least for today.
Activating Email Delivery of Voicemail Messages. We've previously shown how to configure systems to reliably deliver email messages whenever a voicemail arrives unless your ISP happens to block downstream SMTP mail servers. Here's the link in case you need it. As it happens, you really don't have to use a real fully-qualified domain name to get this working. So long as the entry (such as pbx.dyndns.org) is inserted in both the /etc/hosts file and /etc/asterisk/vm_general.inc with a matching servermail entry of vm@pbx.dyndns.org (as explained in the link above), your system will reliably send emails to you whenever you get a voicemail if you configure your extensions in FreePBX to support this capability. You can, of course, put in real host entries if you prefer. For 90% of the systems around the world, if you just want your server to reliably e-mail you your voicemail messages, make line 3 of /etc/hosts look like this with a tab after 127.0.0.1 and spaces between the domain names:
127.0.0.1 pbx.dyndns.org pbx.local pbx localhost.localdomain localhost
And then make line 6 of /etc/asterisk/vm_general.inc look like the following:
serveremail=voicemail@pbx.dyndns.org
Now issue the following two commands to make the changes take effect:
service network restart
amportal restart
The command "setup-mail" can be used from the Linux prompt to set the fully-qualified domain name (FQDN) of the mail that is sent out from your server. This may help mail to be delivered from the PBX. One of things mail servers do to reduce spam is to do a reverse lookup on where the mail has come from, checking that there is actually a mailserver at the other end. You can only do this if you have set up dynamic DNS or if you have pointed a hostname at your fixed IP address. Once you have done this, and assuming your ISP is cooperative, then you will receive your voicemails via email if you wish (this is set within FreePBX),and your PBX will email you when FreePBX needs an update. You set this feature in FreePBX General Settings.
If your hosting provider blocks downstream SMTP servers to reduce spam, here's a simple way to use your Gmail account (free!) as your SMTP Relay Host. Then you never have to worry about this again!
Setting Passwords and Other Stuff. Be aware that major security issues are reported from time to time with FreePBX. We strongly recommend that you not use FreePBX admin security alone to protect your system from a web attack. It may compromise root access to your entire server. For this reason, we recommend that you log in as root and immediately run passwd-master after completing the update-scripts and update-fixes scenario. This establishes Apache htaccess security on your FreePBX web interface. After running this conversion utility, you can only log into the FreePBX admin interface with the username maint (not admin) and the password which you establish when you run the utility.
Other passwords can be set in your system with these commands:
passwd... reset your root user password
passwd-maint... reset your FreePBX maint password
passwd-wwwadmin... for users needing FOP and MeetMe access
passwd-meetme... for users needing only MeetMe access
passwd-webmin... for users needing WebMin access to your server (very dangerous!)
There's also an Administration password that you can set in the KennonSoft UI that displays when you point your browser to the IP address of your server. Do NOT use the same password here that you use elsewhere as it is not overly secure.
Configuring WebMin. WebMin is the Swiss Army Knife of Linux. It provides TOTAL access to your system through a web interface. Search Nerd Vittles for webmin if you want more information. Be very careful if you decide to enable it on the public Internet. You do this by opening port 9001 on your router and pointing it to the private IP address of your PBX in a Flash server. Before using WebMin, you need to set up a username and password for access. From the Linux prompt while logged in as root, type the following command where admin is the username you wish to set up and foo is the password you've chosen for the admininstrator account. HINT: Don't use admin and foo as your username and password for WebMin unless you want your server trashed!
/usr/libexec/webmin/changepass.pl /etc/webmin root password
To access WebMin on your private network, go to http://192.168.0.123:9001 where 192.168.0.123 is the private IP address of your PBX in a Flash server. Then type the username and password you assigned above to gain entry. To stop WebMin: /etc/webmin/stop. To start WebMin: /etc/webmin/start. For complete documentation, go here.
Updating and Configuring FreePBX. FreePBX 2.5 is installed as part of the PBX in a Flash 1.4 implementation. This incredible, web-based tool provides a complete menu-driven user interface to Asterisk. The entire FreePBX project is a model of how open source development projects ought to work. And having Philippe Lindheimer's as the Captain of the Ship is just icing on the cake. All it takes to get started with FreePBX is a few minutes of configuration, and you'll have a functioning Asterisk PBX complete with voicemail, music on hold, call forwarding, and a powerful interactive voice response (IVR) system. There is excellent documentation for FreePBX which you should read at your earliest convenience. It will answer 99% of your questions about how to use and configure FreePBX. For the one percent that is not covered in the Guide, visit the FreePBX Forums which are frequented regularly by the FreePBX developers. Kindly post FreePBX questions on their forum rather than the PBX-in-a-Flash Forum. This helps everybody. Now let's get started.
NOTE: PBX in a Flash comes with the IPtables firewall enabled on your system. If this causes problems with access to the FreePBX repository (for loading the FreePBX updates below), you can easily (and temporarily) turn off the firewall. Type help-pbx for assistance. Don't forget to restart the firewall especially if your system has any Internet exposure!
Now move to a PC or Mac and, using your favorite web browser, go to the IP address you deciphered above for your new server. Be aware that FreePBX has a difficult time displaying properly with IE6 and IE7 and regularly blows up with older versions of Safari. Be safe. Use Firefox. From the PBX in a Flash Main Menu in your web browser, click on the Administration link and then click the FreePBX button. The username and password both default to admin. Click Apply Configuration Changes, Continue with Reload, and then Refresh your browser screen. Now click the Module Administration option in the left frame once FreePBX loads. Now click Check for Updates online in the upper right panel. Next, click Download All which will select every module for download and install. The important step here is to move down the list and Deselect Speed Dials and PHPAGI from the download and install options. Once these apps have been deselected, scroll to the bottom of the page and click Process, then Confirm, then Return once the apps are downloaded and installed, then Apply, then Continue with Reload. Now repeat the process once more and do not deselect the two applications, then Process, Confirm, Return, Apply Config Changes, and Continue with Reload. Finally, scroll down the Modules listing until you get to the Maintenance section. Click on each of the following and choose Install: ConfigEdit, Sys Info, and phpMyAdmin. Then click Process, then Confirm, then Return once the apps are downloaded and installed, then Apply, then Continue with Reload. All three of these tools now are installed in the Maintenance section of the Tools tab of FreePBX. One final step, and you're good to go. An update of FreePBX has been released. Click Check for Updates online. Then choose Download and Upgrade for the Core, FreePBX Framework, and System Dashboard modules. Then click Process, then Confirm, then Return once the apps are downloaded and installed, then Apply, then Continue with Reload. You now have an up-to-date version of FreePBX. You'll need to repeat the drill every few weeks as new updates are released. This will assure that you have all of the latest and greatest software. To change your Admin password, click on the Setup tab in the left frame, then click Administrators, then Admin in the far right column, enter a new password, and click Submit Changes, Apply Configuration Changes, and Continue with reload. We're going to be repeating this process a number of times in the next section so... when instructed to Save Your Changes, that means "click Submit Changes, Apply Configuration Changes, and Continue with reload."
Choosing Internet Telephony Hosting Providers for Your System. Before you can place calls to users outside your system or to receive incoming calls, you'll need at least one provider (each) for your incoming phone number (DID) and incoming calls as well as a provider for your outbound calls (terminations). We have a list of some of our favorites here, and there are many, many others. You basically have two choices with most providers. You can either pay as you go or sign up for an all-you-can-eat plan. Most of the latter plans also have caps on minutes so it's more akin to all-they-care-for-you-to-eat, and there are none of the latter plans for business service. In the U.S. market, the going rate for pay as you go service is about 1.5¢ per minute rounded to the tenth of a minute. The best deal on DIDs is from Vitelity. They charge $3.99 a month for a DID with unlimited, free incoming calls. There's a link to the Nerd Vittles discount on this service for PBX in a Flash users below.
Before you sign up for any all-you-can-eat plan, do some reading about the service providers. Some of them are real scam artists with backbilling and all sorts of unconscionable restrictions. You need to be careful. Our cardinal rule in the VoIP Wild West is never, ever entrust your entire PBX to a single hosting provider. As Forrest Gump would say, "Stuff happens!" And life's too short to have dead telephones, even if it's a rarity.
Setting Up FreePBX to Make Your First Call. There are four components in FreePBX that need to be configured before you can place a call or receive one from outside your PBX in a Flash system. So here's FreePBX for Dummies in less than 50 words. You need to configure Trunks, Extensions, Outbound Routes, and Inbound Routes. Trunks are hosting provider specifications that get calls delivered to and transported from your PBX to the rest of the world. Extensions are internal numbers on your PBX that connect your PBX to telephone hardware or softphones. Inbound Routes specify what should be done with calls coming in on a Trunk. Outbound Routes specify what should be done with calls going out to a Trunk. Everything else is bells and whistles.
Trunks. When you sign up with most of the better ITHP's that support Asterisk, they will provide documentation on how to connect their service with your Asterisk system. If they have a trixbox tutorial, use that since it also uses FreePBX as the web front end to Asterisk. Here's an example from les.net. And here's the Vitelity support page although you will need to set up an account before you can access it. We also have covered the setups for a number of providers in previous articles. Just search the Nerd Vittles site for the name of the provider you wish to use. You'll also find many Trunk setups in the trixbox Trunk Forum. Once you find the setup for your provider, add it in FreePBX by going to Setup, Trunks, Add SIP Trunk. Our AxVoice setup (which is all entered in the Outgoing section with a label of axvoice) looks like this with a Registration String of yourusername:yourpassword@sip.axvoice.com:
allow=ulaw
authname=yourusername
canreinvite=no
context=all-incoming
defaultip=sip.axvoice.com
disallow=all
dtmfmode=inband
fromdomain=sip.axvoice.com
fromuser=yourusername
host=sip.axvoice.com
insecure=very
nat=yes
secret=yourpassword
type=friend
user=phone
username=yourusername
And our Vitelity Outbound Trunk looks like the following (labeled vitel-outbound) with no registration string:
allow=ulaw&gsm
canreinvite=no
context=from-pstn
disallow=all
fromuser=yourusername
host=outbound1.vitelity.net
secret=yourpassword
sendrpid=yes
trustrpid=yes
type=friend
username=yourusername
Extensions. Now let's set up a couple of Extensions to get you started. A good rule of thumb for systems with less than 50 extensions is to reserve the IP addresses from 192.x.x.201 to 192.x.x.250 for your phones. Then you can create extension numbers in FreePBX to match those IP addresses. This makes it easy to identify which phone on your system goes with which IP address and makes it easy for end-users to access the phone's GUI to add bells and whistles. To create extension 201 (don't start with 200), click Setup, Extensions, Generic SIP Device, Submit. Then fill in the following blanks USING VERY SECURE PASSWORDS and leaving the defaults in the other fields for the time being.
User Extension ... 201
Display Name ... Home
Outbound CID ... [your 10-digit phone number if you have one; otherwise, leave blank]
Emergency CID ... [your 10-digit phone number for 911 ID if you have one; otherwise, leave blank]
Device Options
secret ... 1299864 < -- make this unique AND secure! dtmfmode ... rfc2833 Voicemail & Directory ... Enabled voicemail password ... 1299864 <-- make this unique AND secure! email address ... yourname@yourdomain.com [if you want voicemail messages emailed to you] pager email address ... yourname@yourdomain.com [if you want to be paged when voicemail messages arrive] email attachment ... yes [if you want the voicemail message included in the email message] play CID ... yes [if you want the CallerID played when you retrieve a message] play envelope ... yes [if you want the date/time of the message played before the message is read to you] delete Vmail ... yes [if you want the voicemail message deleted after it's emailed to you] vm options ... callback=from-internal [to enable automatic callbacks by pressing 3,2 after playing a voicemail message] vm context ... default
Now create several more extensions using the template above: 202, 203, 204, and 205 would be a good start. Keep the passwords simple. You'll need them whenever you configure your phone instruments.
Extension Security. We cannot overstress the need to make your extension passwords secure. All the firewalls in the world won't protect you from malicious phone calls on your nickel if you use your extension number or something like 1234 for your extension password because the SIP and IAX ports typically are exposed to allow connections to your providers. In addition to making up secure passwords, the latest version of FreePBX also lets you define the IP address or subnet that can access each of your extensions. Use it!!! Once the extensions are created, edit each one and modify the permit field to specify the actual IP address or subnet of each phone on your system. A specific IP address entry should look like this: 192.168.1.142/255.255.255.255. If most of your phones are on a private LAN, you may prefer to use a subnet entry like this: 192.168.1.0/255.255.255.0 using your actual subnet, of course.
Outbound Routes. The idea behind multiple outbound routes is to save money. Some providers are cheaper to some places than others. We're going to skip that tutorial today. You can search the site for lots of information on choosing providers. Assuming you have only one or two for starters, let's just set up a default outbound route for all your calls. Using your web browser, access FreePBX on your server and click Setup, Outbound Routes. Enter a route name of Everything. Enter the dial patterns for your outbound calls. In the U.S., you'd enter something like the following:
1NXXNXXXXXX
NXXNXXXXXX
Click on the Trunk Sequence pull-down and choose your providers in the order you'd like them to be used for outbound calls.Click Submit Changes and then save your changes. Note that a second choice in trunk sequence only gets used if the calls fail to go through using your first choice. You'll notice there's already a 9_outside route which we don't need. Click on it and then choose Delete Route 9_outside. Save your changes.
Inbound Routes. We're also going to abbreviate the inbound routes tutorial just to get you going quickly today. The idea here is that you can have multiple DIDs (phone numbers) that get routed to different extensions or ring groups or departments. For today, we recommend you first build a Ring Group with all of the extension numbers you have created. Once you've done that, choose Inbound Routes, leave all of the settings at their default values and move to the Set Destination section and choose your Ring Group as the destination. Now click Submit and save your changes. That will set up a default incoming route for your calls. As you add bells and whistles to your system, you can move the Default Route down the list of priorities so that it only catches calls that aren't processed with other inbound routing rules.
General Settings. Last, but not least, we need to enter an email address for you so that you are notified when new FreePBX updates are released. Scroll to the bottom of the General Settings screen after selecting it from the left panel. Plug in your email address, click Submit, and save your changes. Done!
Adding Plain Old Phones. Before your new PBX will be of much use, you're going to need something to make and receive calls, i.e. a telephone. For today, you've got several choices: a POTS phone, a softphone, or a SIP phone. Option #1 and the best home solution is to use a Plain Old Telephone or your favorite cordless phone set (with 8-10 extensions) if you purchase a little device known as a Sipura SPA-3102. It's under $70. Be sure you specify that you want an unlocked device, meaning it doesn't force you to use a particular service provider. This device also supports connection of your PBX to a standard office or home phone line as well as a telephone.
Downloading a Free Softphone. Unless you already have an IP phone, the easiest way to get started and make sure everything is working is to install an IP softphone. You can download a softphone for Windows, Mac, or Linux from CounterPath. Or download the pulver.Communicator or the snom 360 Softphone which is a replica of perhaps the best IP phone on the planet. Here's another great SIP/IAX softphone for all platforms that's great, too, and it requires no installation: Zoiper 2.0 (formerly IDEfisk). All are free! Just install and then configure with the IP address of your PBX in a Flash server. For username and password, use one of the extension numbers and passwords which you set up with freePBX. Once you make a few test calls, don't waste any more time. Buy a decent SIP telephone. Visit the PBX in a Flash Forum for lots of suggestions on telephones. Our personal favorite and the phone that PBX in a Flash officially supports is the Aastra 57i or 57iCT which also includes cordless DECT phone. Do some reading before you buy.
A Word About Ports. For the techies out there that want "the rest of the story" to properly configure firewalls, here's a list of the ports available and used by PBX in a Flash:
TCP 80 - HTTP
TCP 9080 - Duplicate HTTP
TCP 22 - SSH
TCP 9022 - Duplicate SSH
TCP 9001 - WebMin
UDP 10000-20000 - RTP
UDP 5004-5082 - SIP
UDP 4569 - IAX2
UDP 2727 - Media Gateway
Where To Go From Here. The PBX in a Flash script repository at pbxinaflash.org also has gotten a facelift. That should be your next stop because it is the home of all the goodies that make PBX in a Flash shine. Tom King, the ultimate scripting guru, manages that site. So check it often. You'll also find all of our Nerd Vittles Goodies work with this new release. Most of our original collection work flawlessly with Asterisk 1.4 including AsteriDex, Yahoo News Headlines, Weather by Airport Code, Weather by Zip Code, Worldwide Weather Forecasts, Telephone Reminders, MailCall for Asterisk, and TeleYapper. We have not yet completed testing with Asterisk 1.6, but most should work. Complete documentation for each application also is provided at the link above. And, if you still have a DBT-120 Bluetooth adapter, you'll be happy to learn that it works out-of-the-box with PBX in a Flash on your new Everex Green PC. Dust off our recent article on Proximity Detection, and you should be in business in under 10 minutes. Enjoy!
Nerd Vittles Skype Gateway to Asterisk. If you haven't yet built your own Skype Gateway to Asterisk, you're missing a treat. To give you some idea of the flexibility of the gateway, pick up any Skype phone and call our Skype demo hotline: nerdvittles. It was a 5-minute project once the gateway was running.
Want a Bootable PBX in a Flash Drive? Our Atomic Flash bootable USB flash installer for PBX in a Flash has been quite the hit. Special thanks to all of our generous contributors! Atomic Flash provides all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and this USB flash installer in less than 15 minutes!
If you'd like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment with your best PBX in a Flash story.2
Be sure to include your real email address which will not be posted. The winner will be chosen by drawing an email address out of a hat (the old fashioned way!) from all of the comments posted over the next several weeks.
And it still isn't too late to make a contribution of $50 or more to the PBX in a Flash project and get a free Atomic Flash installer delivered to your door as our special thank you gift. See this Nerd Vittles article for details.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest...
Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security
Here's a headline to wake up any CEO: "Small business gets $120,000 phone bill after hackers attack VoIP phone." News.com.au actually ran this story on January 20. "Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours... 115,000 international mobile calls were made using the small business's VoIP system over a six month period."
News Flash: Be sure to read our latest article introducing Travelin' Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.
For the latest Security Tips: See our most recent article.
Sad to say that folks install VoIP phone systems to save money and then completely ignore tried-and-true network security principles: hardening your system, regularly watching your logs, and periodically changing your passwords. If PBX in a Flash were a commercial offering, we'd probably keep much of what follows to ourselves and start touting our PBX systems as the only Asterisk® offering with Secure-Wrapâ„¢. That's not our world, of course, nor is it what open source is all about... which turns out to be both a blessing and a curse. We openly and jointly figure out ways to secure our Asterisk systems as well as those of our competitors. Then the bad guys get to read all about it and come up with new, more creative "solutions." The silver lining is there are millions of insecure Asterisk systems so the creeps typically move on to easier targets.
Today we'll walk you through our Top Ten Security Tips and Tricks. All of these can be implemented easily to harden your Asterisk PBX and lessen the chances of the bad guys transforming your VoIP system into a free, international payphone: you pay, they phone. In the process, we'll identify some common security blunders that accompany new system installs in hopes that you won't make the same mistakes. So let's start with the basics. If you plug your Asterisk PBX directly into the public Internet without carefully securing it, your chances of being hacked within the hour are pretty good.
Rule #1: Protect Your PBX With IPtables. PBX in a Flash systems are delivered with the IPtables firewall enabled. Leave it that way! If your Asterisk implementation doesn't have IPtables support, demand that it be added immediately or ask for assistance in adding it yourself. There is no reason not to use a freely available, open source firewall, period! And there are many good tools including WebMin (also included in PBX in a Flash distributions) to get it configured properly. With PBX in a Flash, all of the grunt work has been done for you.
Firewalls, of course, are only as good as the set of rules defined to secure your system. So only activate ports that are absolutely essential to run your PBX. For an excellent review of the ports that are opened by default in PBX in a Flash systems, see Joe Roper's summary. Think of an activated port as a hole in the dike. The more holes you add, the less secure your PBX will be. We'll leave it to you to count the holes in the dike if you choose to run your PBX without IPtables enabled. Our rule of thumb for PBX security goes something like this. If you don't need web access to your PBX, don't open ports 80 and 9080. If you don't need SSH, FTP, FOP, or WebMin access to your PBX, don't enable those ports. Better yet, don't even turn those services on unless there is a pressing need.
All of the IPtables rules are stored in /etc/sysconfig/iptables. Don't edit this file unless you know what you're doing. If you need help with the rules, post a question on the PBX in a Flash Forum. Typical response time on posted questions is under an hour on our forum. And don't forget to restart IPtables if you make changes to any of the rules: service iptables restart.
Rule #2: Protect Your PBX With A Hardware-Based Firewall. If one firewall is good protection, two firewalls are even better. As much as NAT-based firewall/routers get a bad rap, the extra layer of protection that a $50 hardware-based firewall/router delivers cannot be overstressed. Think of the software-based firewall as the tool of choice to secure your PBX on your internal LAN while the hardware-based firewall secures your system on the public Internet. We recommend the dLink WBR-2310 for home and SOHO use. It provides a reliable NAT-based router, a firewall, and excellent WiFi capability for under $50. If you've got some spare change, step up to one of dLink's Gaming Routers which we happen to use. They provide all the tools you'll need to prioritize your VoIP traffic. As with Rule #1, only open and redirect ports that are absolutely essential to use your PBX.
Rule #3: Safeguard Against Random Password Hacks. There is no better tool to protect your PBX from random password attacks than Fail2Ban 0.8.3. Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful password attempts. It updates IPtables rules to reject those IP addresses for a period of time that you can set in /etc/fail2ban/jail.conf. Originally PBX in a Flash systems were shipped with an earlier version of Fail2Ban that provided only minimal protection. If your system doesn't include the jail.conf file above, you still have the older version. Simply run our update script to get the current release:
cd /root
mkdir fail2ban
cd fail2ban
wget http://pbxinaflash.net/source/fail2ban/fail2ban-update
chmod +x fail2ban-update
./fail2ban-update
service fail2ban restart
As was true with IPtables, Fail2Ban is only as good as the rules which are defined to identify failed password attempts on your system. On PBX in a Flash systems, we now protect against web, FTP, SSH, SIP, and IAX password attempts.
If your particular Asterisk implementation lacks Fail2Ban support, you're missing a critically important (free) tool to safeguard your system from random password attacks against SSH and your protected web sites as well as your SIP and IAX extension passwords. For tips on installation, review our script that is available on this thread in the PBX in a Flash Forum.
Rule #4: Narrow Access With IP Address Restrictions. Security privileges in the U.S. government are based upon a "need to know." It's pretty simple. If you don't have a need to know the information to perform your duties, you don't get the privilege. You can use a similar technique to secure your PBX by implementing IP address restrictions. For example, if all of your extensions are housed on a private subnet of your internal LAN, then there is no reason to allow Internet access to those extensions. Similarly, for extensions outside your local network, you now can hardcode the IP address into the extension to restrict access. To implement this with Asterisk and FreePBX-based systems, you'll first need to upgrade FreePBX to at least version 2.5.1.1. Once you've upgraded, go into each extension and enter either an IP address or an IP subnet for that extension in the permit field. For an IP address, the syntax is 192.168.0.44/255.255.255.255. For an IP subnet, the syntax would look like this: 192.168.0.0/255.255.255.0. This one tip would have been worth $120,000 to the Australian company referenced above. Yes, consultants can be worth their weight in gold. 🙂
If you're as absent-minded as we are, you don't want to have to worry about remembering this each time you add a new extension to your system. So it's quite simple to change the default permit entry from 0.0.0.0/0.0.0.0 to the subnet mask of your LAN. Then you only have to adjust this entry whenever you add an extension which is not on your internal LAN. For example, if your LAN subnet is 192.168.0, then we want to replace the default entry with 192.168.0.0/255.255.255.0. The file to edit is /var/www/html/admin/modules/core/functions.inc.php. Just search for $tmparr['permit'] in BOTH the iax2 and sip sections of the file and make the value substitution preserving the single quotes on both sides of your new entries.
You also can implement both password and IP address restrictions to limit web access to your server. With Apache web servers, this is done through .htaccess files and directory restrictions in your Apache config files. On PBX in a Flash systems, htaccess password restrictions now are the default setup in all of our builds. Suffice it to say, if you can access the /admin directory on your web site from the Internet without being prompted for a password, your site probably has been compromised. Keep in mind that these passwords get cached so be sure you have cleaned out your browser cache before having a heart attack. Better yet, try this from a browser you don't ordinarily use (such as the one on your cellphone).
For additional security, you can further restrict access to your web directories by adding a list of authorized IP addresses to the .htaccess file in each subdirectory. Here's what an .htaccess file with IP address restrictions might look like. The first Allow entry is the private LAN subnet, the second is a remote site, and the third is the Hamachi VPN subnet mask:
Deny from All
Allow from 192.168.0
Allow from 68.218.222.70
Allow from 5.67
Rule #5: Don't Use 'Normal Ports' for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you've done. Read that last sentence again. It's important! With a hardware-based firewall such as the WBR-2310, this is incredibly easy. dLink calls them Virtual Servers. Here is a typical entry:
HTTP 192.168.0.150 TCP 80/2319 Allow All Always
You can simply redirect common ports to different ports for Internet access. Don't do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. For example, port 80 typically is the default web server port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) web access, simply remap TCP port 80 to some obscure port and change it periodically. For example, you might redirect TCP port 80 to port 2319. Once the setting is saved, you access the web site with a browser entry like this: http://pbx.mydomain.com:2319/. Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don't use these numbers obviously! Make up your own. The key here is that 5 minutes work every month will keep web access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 80 every night while you're sleeping. Incidentally, most of these routers also will let you block access to certain ports during certain hours of the day. If you're sleeping, there's really not much need to provide SSH and web access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world's best crackers reside in countries where daytime happens to be nighttime in the United States.
Rule #6: Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our wild-assed guess (WAG) is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn't Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. The first five rules would have protected most Asterisk systems. But our WAG on the number of Asterisk PBX's that have implemented all five rules above would be less than one in a thousand. Part of that is because some of these tools weren't readily available until recently. But part of it is because most of us are just plain L-A-Z-Y.
Really secure passwords really do matter. And it's more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, make certain it has a really, really secure password. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). You've been warned. It's your phone bill and bank account!
<end of sermon>
Rule #7: Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn't begin to describe some of what lies under the FreePBX covers. Make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.
Our rule of thumb on Internet web accessibility to an Asterisk PBX goes like this. Don't! But, if you must, build as many layers of protection as possible to assure that your system is not compromised. If the bad guys get into FreePBX, the security of your PBX has been compromised... permanently! This means you need to start over with all-new passwords by installing a fresh system. You simply cannot fix every possible hole that has been opened on a FreePBX-compromised system!
Rule #8: Implement VPNs for PBX Systems. PBX in a Flash has provided simple install scripts to deploy Hamachi VPNs on all of our current systems. Hopefully, the other aggregations will do likewise. In addition, we offer turnkey VPN in a Flash systems which provide this functionality out of the box. VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. We now are exploring other VPN solutions which would facilitate the use of VPN-enabled telephones such as the new offerings from SNOM.
Rule #9: Check Your Logs Every Day. We're still dumbfounded by the following quote from the article above: "115,000 international mobile calls were made using the small business's VoIP system over a six month period." Six months and they never checked their call logs? Sounds like they earned this phone bill. FreePBX provides an incredibly simple way to review your call logs. Click the Reports tab at the top of the screen and look at the bar graph showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day! It also should be noted that Ethan Schroeder has released a beta of some new monitoring software which will provide more granular monitoring of daily call volumes. For additional information or to participate in the beta, visit this link.
Rule #10: Do Some Reading... Regularly. No security implementation is complete without a little regular effort on your part: reading. If you're going to manage your own network or PBX, then you need to keep abreast of what's happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the trixbox Forum, and the FreePBX Forum. Aside from reviewing your call logs, it's the best 15 minutes you could spend to safeguard your system. We also have an RSS Feed which includes security alerts.
Update #1: Be sure to read this great new article. It has two fresh ideas for securing your system!
Update #2: Please also read this Nerd Vittles Alert about FreePBX backdoors and default passwords that was published on April 15, 2011.
Some Other Suggestions. A couple other suggestions come to mind that don't involve securing your PBX per se but nevertheless will lessen your exposure in the event of a security breach. First, if your usual calling patterns don't involve international calling or if they're limited to one or two countries, tighten up your outbound dialplan and restrict calling to countries that you actually need. It can always be changed when the need to call elsewhere arises. Second, if you use pay-as-you-go providers, never use credit card auto-replenishment. Instead, add funds periodically using the provider's web interface. The advantage of this is that, if someone does manage to break into your system, your loss will be limited to the current balance in your provider account. You'll not only save a lot of money, but you'll also get a notification that something has gone horribly wrong. Finally, a forum user mentioned one we had overlooked. If you have a mix of POTS and VoIP lines, don't put the POTS lines in the default outbound pool for toll calls. This could potentially save you lots of money.
Continue Reading Part II: The VoIP WhiteList for IPtables...
Got Some Other Ideas? 50,000 heads always are better than one when it comes to network security. If there are things we've missed, take a minute to post a comment. It'll help all of us keep our systems more secure. Good luck!
Digium® Weighs In. Since this article first appeared, Digium has released its own set of tips on SIP security. By all means, have a look!
Security Alert of the Week. A trixbox user yesterday reported that he had discovered a rootkit exploit on his server. You can could read all about it here. The 6:03 a.m. (California time) post mysteriously disappeared a few hours later... soon after the trixbox staff got to work. Another darn computer failure according to Fonality staff. 😕 We've attempted to recreate the information from Google snippets. And here's a simple test to see if you have a similar rootkit problem:
ls -all /sbin/init.zk
Want a Bootable PBX in a Flash Drive? Our bootable USB flash installer for PBX in a Flash will provide all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and our flash installer in less than 15 minutes!
If you'd like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment with your best PBX in a Flash story.1
Be sure to include your real email address which will not be posted. The winner will be chosen by drawing an email address out of a hat (the old fashioned way!) from all of the comments posted over the next couple weeks. All of the individuals whose comments were used in today's story will automatically be included in the drawing as well. Good luck to everyone and Happy New Year!!
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest...
- This offer does not extend to those in jurisdictions in which our offer or your participation may be regulated or prohibited by statute or regulation. [↩]
Free Asterisk Solutions
