Home » Cloud Computing (Page 9)
Category Archives: Cloud Computing
Migrating Painlessly from Incredible PBX 13-13 to 16-15
Asterisk® 13 will be 6 years old this October. That’s like three lifetimes in VoIP years. So let’s face it. It’s time to start making plans to move on up. The latest LTS version is Asterisk 16 which gets you another 4+ years with security fixes. We won’t dwell on the shortcomings of PJsip in Asterisk 13 and the fact that chanSIP is getting long in the tooth. So the sooner you migrate the better off you will be. Thanks to the latest FreePBX® 15 Backup & Restore module and some great tips from @DavidFoxworth and @Kenn10 on the PIAF Forum, 16-15 migration should be painless. We’re a little late with this week’s article because we wanted to finish the script to also let you migrate your Call Detail Records as well. Now it’s soup.
If you’re just getting started with Incredible PBX® 16-15 then you’ll get all of today’s additions as part of your initial install. Just follow our this tutorial. If you want to deploy Incredible PBX 16-15 as a public server on the Internet, this tutorial will walk you through that upgrade.
Beginning the Incredible PBX 13-13 Migration
For anyone that’s been involved with Asterisk and FreePBX, you already know what a pain it was to move from one release to another. It’s still not quite automatic, but it’s damn close. You can’t perform an in-place migration to move from Asterisk 13 and FreePBX 13 to Asteerisk 16 with FreePBX 15. So you’ll need to first bring up an Incredible PBX 16-15.1 platform that is separate and apart from your already functioning Incredible PBX 13-13.10 server. Once you’ve done that, use add-ip to whitelist the IP address of your 13-13 server on the 16-15 PBX and whitelist the IP address of your 16-15 server on the 13-13 PBX. This will make it easy to copy files between the two servers.
In addition to the whitelisting procedure above, there are three more steps to complete on the Incredible PBX 13-13 server. First, you’ll need to update the backup module:
cd /root ./gpl-install-fpbx backup
Next, login to the GUI as admin using a browser and make a backup of your FreePBX components. Access Admin -> Backup & Restore and click Backup Wizard. Give the backup a name and description: incrediblepbx. Choose to run the backup Monthly. Choose Yes for voicemails, recordings, and CDR data. Choose Email Notifications and enter your email address. For Remote Save, choose No. Your backup will be saved locally in /var/spool/asterisk/backup/incrediblepbx. Click Finish.
Click the Pencil icon under incrediblepbx Actions to edit the files to be backed up. Using the + icon, make your Items list look like the following:
Click Save & Run button when you’ve made the necessary changes to kick off the backup. Unless you want monthly backups, you can click the trashcan icon under incrediblepbx Actions to remove the task we just created once the backup completes.
Copy the backup file from /var/spool/asterisk/backup/incrediblepbx to your desktop PC.
Finally, let’s back up your Call Detail Records (cdr/cel) which won’t get imported with the FreePBX 15 restore utility. Log in to the Linux CLI as root and issue the following commands to create the CDR backup and copy it to your 16-15 server. Replace the xx’s with the IP address of your 16-15 server.
cd /root mysqldump -u root -ppassw0rd --single-transaction --quick \\ --lock-tables=false asteriskcdrdb > asteriskcdr1313.sql gzip asteriskcdr1313.sql scp asteriskcdr1313.sql.gz root@xx.xx.xx.xx:/root/asteriskcdr1313.sql.gz
Restoring Your Data to Incredible PBX 16-15
Let’s begin on the Incredible PBX 16-15 server by logging into the Linux CLI as root. Issue the following commands to set up your server platform for the Incredible PBX 13-13 import. Unless you have just installed Incredible PBX 16-15 since 3 p.m. EDT today, be sure to perform all of the steps below. It won’t hurt to do it again just to be sure you have the latest and greatest code:
cd /root wget http://incrediblepbx.com/newbackup16-15.tar.gz tar zxvf newbackup16-15.tar.gz rm -f newbackup16-15.tar.gz ./install-backup
Next, login to the GUI as admin using your favorite browser. The new FreePBX 15 backup module is still a little rough around the edges, but it will get the job done. And that’s what matters. From the FreePBX Dashboard, choose Admin -> Backup & Restore. Be prepared. It will blow up. Not to worry. Click the Back button on your browser once or twice to return to the FreePBX Dashboard. Now repeat the drill: Admin -> Backup & Restore. This time it will work. Now click the Restore tab. Click on Upload a Backup File and choose the backup file from your desktop. Once the backup is loaded, click RunRestore button to begin. When the whirring stops, there will be an error message. Ignore it. Don’t click anything just yet. Instead, drop down to the Linux CLI again and run: /root/restore-fix
.
When it completes, return to the GUI and your browser, close the Restore dialog, and return to the Dashboard. Ignore the warning about Bind Ports. Click Settings->SIP Settings->SIP Settings (pj_sip) and scroll down to UDP. Click YES then Submit then Apply Config. We’re almost finished.
Return to the Linux CLI and run: /root/import-cdr1313 to import your 13-13 cdr and cel data. This will overwrite existing CDR data on your 16-15 server. If anyone needs to get it back, we’ll add the steps below in coming days. Stay tuned.
Known Issues with Incredible PBX 13-13 Imports
You now can use your browser to review your setup and verify that your 13-13 data came over. If you’re using CallerID Superfecta, you’ll need to enable it under Admin -> CID Superfecta. Next, access Applications -> Misc Applications and set the extension for Demo IVR to 3366. Save your settings and reload the dialplan when prompted. Be advised that Custom Destinations currently do not populate so you’ll need to cut-and-paste your entries from your 13-13 server. There should only be a few: Fax (HylaFax), Time of Day, and perhaps OutAnyWhere. OSS EndPoint Manager is not compatible with FreePBX 15 and will not be restored. Finally, verify that voicemail settings for your extensions got properly set. You may need to again enable voicemail, set a VM password, and configure email delivery of voicemails, if desired.
FIXED: Importing Ring Groups from 13-13 caused calls to fail unless Send Progress was set to No for each of the ring groups. This is no longer necessary. Voicemail data did not get restored properly. This has been fixed by running restore-fix script.
Managing CDR Data with Incredible PBX 16-15
Call Detail Records are stored in two tables in MySQL’s asteriskcdrdb database. Unlike in FreePBX 13, FreePBX 15 uses the InnoDB storage engine and a number of new fields in the cdr table so don’t attempt to merely restore your FreePBX 13 asteriskcdrdb database to FreePBX 15, or you will get a royal mess. Our conversion utility, import-cdr1313, makes it easy to migrate the data as explained above. What we didn’t do was restore any existing CDR data you may have already accumulated on your 16-15 server. But we did make a backup of the data which is stored in asteriskcdr1615new.sql. You can use this backup for two purposes. You can replace the CDR 13-13 data that we just imported with your original 16-15 data, or you can add your previous CDR 16-15 data to the 13-13 data. As stored, asteriskcdr1615new.sql will completely replace the existing contents of the asteriskcdrdb database using the command:
mysql -u root -ppassw0rd asteriskcdrdb < asteriskcdr1615new.sql
If you want to supplement the 13-13 CDR data that was imported with your previous 16-15 CDR data, it's a bit more complex. Begin by making a couple copies of the backup file and then we'll edit one of the new files:
cp asteriskcdr1615new.sql asteriskcdr1615bak.sql cp asteriskcdr1615new.sql asteriskcdr1615supp.sql nano -w asteriskcdr1615supp.sql
We need to delete two sections from the file. First, scroll down to Table structure for table `cdr`. Press Ctrl-K to cut (delete) every line until you reach Dumping data for table `cdr`. Second, scroll down further to Table structure for table `cel`. Press Ctrl-K to cut (delete) every line until you reach Dumping data for table `cel`. Now Save the modified file: Ctrl-X, Y, then ENTER. You now can append your previous 16-15 CDR data to the current CDR database with the following command:
mysql -u root -ppassw0rd asteriskcdrdb < asteriskcdr1615supp.sql
We're all human and sometimes mistakes are made. Not to worry. You can put Humpty back together again by starting with your original CDR database, adding the 13-13 CDR data again, and then supplementing it with your previous 16-15 data. Here's how.
mysql -u root -ppassw0rd asteriskcdrdb < asteriskcdr1615bak.sql ./import-cdr1313 cp asteriskcdr1615new.sql asteriskcdr1615supp.sql # make required changes described above to asteriskcdr1615supp.sql mysql -u root -ppassw0rd asteriskcdrdb < asteriskcdr1615supp.sql
Two other tips, and you'll be a CDR database expert. First, you can restore an empty (but functional) CDR database with this command:
mysql -u root -ppassw0rd asteriskcdrdb < asteriskcdrdb.sql
Finally, you can make a backup of your existing CDR database at any time with the command:
mysqldump -u root -ppassw0rd --single-transaction --quick \\ --lock-tables=false asteriskcdrdb > asteriskcdr1615latest.sql
Originally published: Monday, July 29, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Deploying an Incredible PBX 16-15 Public Server with Skyetel
Safely deploying a public-facing Asterisk® server with full FreePBX® functionality has become the Holy Grail for Nerd Vittles in 2019. Today we tackle it on our new Incredible PBX® 16-15 platform featuring the latest releases of Asterisk 16 and FreePBX 15. The icing on today’s cake is a terrific new offer from Skyetel that supplements the current Nerd Vittles BOGO offer of up to $500 in half-priced VoIP services. Beginning today, Skyetel also will start you off with a $10 credit just for opening an account here. Then, after you have had an opportunity to kick the tires and perhaps purchase a DID for a buck, you can make $9 worth of phone calls before deciding whether to take advantage of the BOGO special by making a purchase of up to $250 and having Skyetel match your contribution. Once you have funded your account, you then can also take advantage of Skyetel’s free number porting offer for the next 60 days. To get your $10 credit, just open a ticket and request the $10 Nerd Vittles credit once you’ve signed up. To get the Nerd Vittles BOGO price match and take advantage of free number porting, simply open another ticket once you have added up to $250 to your account. Effective 10/1/2023, $25/month minimum spend required.
Making the Case for a Public-Facing PBX
We’ve had some of our pioneers trying out the new Incredible PBX 16-15-PUBLIC implementation this past week, and the question arose as to why anyone would want to do this. After all, PBX in a Flash 3 and Incredible PBX for the better part of a decade have been deployed with a whitelist using the Travelin’ Man 3 firewall, and there’s never been a security issue. So why switch horses now? The short answer is mobile users with dynamic IP addresses. If all the users of your PBX are sitting behind the same NAT-based router with static IP addresses, the Travelin’ Man 3 design is perfect. The bad guys could never even see your server. But if some of your users either reside or travel outside your home base or if you want calls to follow you on your smartphone when you leave home or the office, then Travelin’ Man 3 blocked SIP access from these remote phones until their new IP addresses were whitelisted. Multiply this by dozens or hundreds of users, and network management suddenly became a full-time job. Yes, we’ve had tools such as dynamic DNS and PortKnocker to ease the pain, but it still was a knuckle-drill for mobile users. And, in today’s world, much of the workforce is quickly morphing into mobile users without a traditional desk at an office.
The world also is becoming more SIP savvy. Just as folks are learning that a $35 antenna can provide an awesome collection of 4K Ultra HD TV channels without the expense of a monthly cable bill, others are learning that a SIP telephone or softphone app on your smartphone can provide free calls to and from anybody with a SIP URI without sharing your communications with Facebook or Microsoft. Today’s PUBLIC PBX makes free worldwide SIP calling a reality.
Building the Base Platform for Incredible PBX PUBLIC
To get started today, you need to begin by installing Incredible PBX 16-15 using the latest tutorial. There still are a few bugs in the FreePBX 15 fax module so you won’t be able to successfully install and use Incredible Fax for the time being. We’ll let everyone know when the issues have been resolved.
Once you have set up your Incredible PBX 16-15.2 server, the next step is to assign one or two fully-qualified domain names (FQDNs) to your server. You can have one FQDN for registering SIP extensions and a different one for anonymous SIP (invites) access to your server, or you can use the same FQDN for both. Security through obscurity provides an extra layer of protection for your server so choose your FQDNs carefully. sip.yourname.com provides almost no protection while f246g.yourname.com pretty much assures that nobody is going to guess your domain name. This is particularly important with the FQDN for SIP registrations because registered extensions on your PBX can obviously make phone calls that cost money.
By default, Incredible PBX 16-15 configures five extensions (701-705) and a Ring Group for those extensions (777) as well as four trunks including Skyetel. It’s ready to make and receive calls as soon as you sign up with one of the four providers listed in the tutorial. You can add as many additional providers and extensions as you like and modify the ring group to meet your needs. To get started, be sure to configure the correct time zone for your server as this affects delivery of reminders. Run /root/timezone-setup. Next, set a secure password for admin access to the FreePBX GUI modules. Run /root/admin-pw-change. Then set a secure password for admin access to web applications such as AsteriDex, Reminders, and User Control Panel. Run /root/apache-pw-change. In addition to reviewing your extensions and ring group, review the default inbound route and choose the destination for the incoming calls from your provider. Finally, configure the outbound route to use the provider sequence desired. By default, it uses Skyetel for outbound calls.
Going Public with Incredible PBX 16-15
Once you’ve tested making and receiving calls with your new server, you’re ready to convert it into a public-facing PBX. In order to run the install script below, you’ll need your FQDNs that you chose above, plus a port number for future SSH/Putty access to your server, plus a list of the extensions you wish to make available for public access to your PBX. These whitelisted extensions can be reached via SIP URI from anywhere in the world by anybody. It works just like your old MaBell phone. Anybody, anywhere can dial your number. What’s changed is now the calls are free. So choose your list carefully. We recommend using the year you were born for your SSH port to keep things simple for you. Once the GO-PUBLIC-16-15 script has been run, you can only access your PBX via SSH/Putty at the new port, e.g. SSH -p 1990 root@yourFQDN.com
Now we’re ready to run the install script. It takes less than a minute. Before you begin, log out of ALL SIP extensions you have previously registered with Incredible PBX and change the server destination from an IP address to the FQDN you plan to assign to SIP registrations. Otherwise, these IP addresses will get banned while the install script is running below!
cd /root wget http://incrediblepbx.com/go-public-16-15.tar.gz tar zxvf go-public-16-15.tar.gz rm -f go-public-16-15.tar.gz ./GO-PUBLIC-16-15
A Few Words About Incredible PBX PUBLIC Security
As with all Incredible PBX servers, Incredible PBX 16-15-PUBLIC includes the Automatic Update Utility. Please don’t disable it. It’s our only way to push updates to you if some vulnerability is discovered down the road. It gets run whenever you login to your server as root using SSH/Putty. Do so regularly and follow us on Twitter for security alerts. There’s also an Incredible PBX RSS Feed that is displayed when you login to the Incredible PBX GUI with a browser. It, too, includes security alerts and should be checked regularly. It’s your phone bill.
Incredible PBX 16-15-PUBLIC uses the ipset utility in conjunction with the IPtables firewall to block several countries that have inordinately high concentrations of folks that try to break into VoIP servers. In addition, your public PBX includes the VoIP Blacklist which includes another 100,000 bad guys from around the globe. These blacklists get updated every night by a script which is run from /etc/crontab. For your own safety, don’t disable or delete /etc/update-voipbl.sh or the other components upon which it relies.
Here are some other things you should do regularly to assure that your server remains secure. Login via SSH/Putty as root and check pbxstatus after the Automatic Update Utility is run. With the exception of the fax components, all the other items should be green all the time. From the Linux CLI, run: iptables -nL
. This will show your firewall rules and whether any IP addresses have been banned by Fail2Ban. If there are banned IP addresses that are not your own, please open a thread on the PIAF Forum and let us know about it. If there are dozens of banned IP addresses, shutdown your server immediately until the problem is identified and resolved. If the IP addresses happen to be your own users because of using incorrect passwords or because of using a server IP address instead of its FQDN for SIP registrations, unban the IP address: fail2ban-client set asterisk unbanip xxx.xxx.xxx.xxx
Finally, watch the Asterisk CLI periodically for abnormal activity: asterisk -rvvvvvvvvvv
Tightening Up SSH Server Access
You obviously need a very secure root password for access to your server using SSH/Putty. Changing the TCP port for SSH access avoids the script kiddies, but it doesn’t offer much protection from a determined cracker. SSH login attempts are monitored by Fail2Ban, but Fail2Ban has issues when a determined intruder is using a powerful computing platform such as Amazon EC2. The more prudent solution is to disable SSH port access and use SSH Public Key Authentication as documented in the linked tutorial. Always, always use ssh-copy-id to copy your credentials to more than one desktop machine so that you don’t inadvertently lock yourself out of your PBX in the case of a hardware failure.
Introducing the VitalPBX Communicator
Our previous article offered some suggestions for SIP softphones. These become more important once you deploy a public-facing PBX and want to stay connected while you’re away from home or the office. If you’re using an Android smartphone even without a SIM card and provider, there is no finer softphone than the new VitalPBX Communicator. Using the Account Assistant, enter the SIP extension of your PBX as the Username. Enter the SIP extension password as the Password. For the Domain, enter the SIP registration FQDN you specified above (not the IP address of your server!). Choose UDP for the Transport. And click Login to begin. In the Network Settings, turn OFF WiFi only. If you enable Background Mode and Start At Boot Time in Advanced Settings, the softphone will remain registered and available even when you’re using other applications. On a Google Pixel 3, this consumes about 20% of the phone’s battery life from a full charge. A similar app is available for Windows-based PCs. An iPhone app is under development.
For other platforms, the Linphone application is an excellent alternative. See our previous Linphone tutorial for details. Here are the download links for each supported platform:
- Windows
- Mac
- Linux
- Web Browser (Chrome, Edge, Firefox, Safari)
- Android via Google Play
- iOS via App Store
A Word to the Wise. Our experience suggests that SIP communications with an iPhone is notoriously awful. Under identical conditions using the same application on both an iPhone and an Android phone typically results in calls failing or experiencing one-way or no audio on the iPhone. Save yourself some frustration and purchase ANY Android phone for SIP communications (HINT: With the exception of the camera, the Moto g6 is virtually identical in shape and performance to Google’s Pixel 3 at less than one-third the cost). As noted, no SIM card is required. WiFi works perfectly. If you want a cell phone provider, check out Mint Mobile’s dirt cheap offering ($15/mo. for unlimited calls and text plus 3GB of LTE data). Nerd Vittles (and you) receive a perk when you use our link to sign up for service.
Special Thanks: We want to give an extra special tip of the hat to the PIAF Forum members who assisted in working the kinks out of the last two weeks’ Incredible PBX 16-15 offerings. We also wish to thank JavaPipe LLC for a number of DDOS tips and tricks in securing CentOS 7 with IPtables.
Originally published: Monday, July 22, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Enchilada Amore: It’s Incredible PBX 16-15 for CentOS 7
Just when you thought the VoIP community was running out of open source offerings, along comes last week’s Incredible PBX 16® LITE and today’s Incredible PBX 16-15 for CentOS® 7 featuring the same great feature set as the LITE version including Asterisk 16®. And now you also get the entire FreePBX® 15 GPL module collection including their new User Control Panel (UCP) and a much enhanced web GUI plus the entire Incredible PBX feature set. As with Incredible PBX LITE, it’s plug-and-play with immediate calling capability using any of four commercial SIP providers. Or you can choose one of 16 other preconfigured SIP providers, enter your credentials, and enjoy instant connectivity without worrying about SIP settings. We began the Incredible PBX 16 adventure last week. Let’s catch you up if you’re just joining.
UPDATE: A new release of Incredible PBX 16-15 is now available here. It resolves most issues with migration from Incredible PBX 13-13.
UPDATE: Turn your Incredible PBX 16-15 server into a secure public-facing PBX. Here’s how.
What’s Included? Incredible PBX 16-15 serves up a VoIP powerhouse featuring Asterisk 16, the FreePBX 15 GPL platform including User Control Panel (UCP), an Apache web server, the latest MariaDB SQL server (formerly MySQL), SendMail, and the Incredible PBX feature set including SIP, SMS, Opus, voice recognition, PicoTTS Text-to-Speech VoIP applications plus fax support, Click-to-Dial, News, Weather, Reminders, ODBC, and hundreds of features that typically are found in commercial PBXs: Conferencing, IVRs and AutoAttendants, Email Delivery of Voicemail, and much more.
Choosing a SIP Provider. Incredible PBX 16-15 comes preconfigured with support for five SIP extensions and four of the major SIP providers: Skyetel, VoIP.ms, V1VoIP, and Anveo Direct. We obviously hope you’ll choose Skyetel not only because they financially support Nerd Vittles and our open source projects, but also because it is a clearly superior platform offering crystal-clear communications and triple-redundancy so you never miss a call. Skyetel also sets itself apart from the other providers in the support department. They actually respond to issues, and there’s never a charge. As the old saying goes, they may not be the cheapest, but you get what you pay for. Even without taking advantage of Nerd Vittles half-price offer on up to $500 of Skyetel services, they’re still dirt cheap compared to the Bell Sisters and cable companies. Traditional DIDs are $1 per month. Outbound conversational calls are $0.012 per minute. Incoming conversational calls are a penny a minute, and CallerID lookups are $0.004. With all four providers, you only pay for minutes you use. Using more than one is a good idea.
Choosing a Platform for Incredible PBX 16-15
As with our other open source offerings, the platform choice for Incredible PBX 16-15 depends upon a number of factors. For most folks, you’d be crazy to go out and purchase hardware to use in your home or office when cloud-based platforms are available for about a dollar a month. Unless you plan to publicly expose your server on the Internet to facilitate remote SIP connections, the OpenVZ offerings below are perfectly adequate while in business with the cautionary note that you need off-site backups AND a tested backup plan. Three providers previously listed have closed their doors in 2019. You’ve been warned.
Provider | RAM | Disk | Bandwidth | Performance as of 12/1/19 | Cost |
---|---|---|---|---|---|
CrownCloud KVM (LA) | 1GB | 20GB + Snapshot | 1TB/month | 598Mb/DN 281Mb/UP 2CPU Core | $25/year Best Buy! |
Naranjatech KVM (The Netherlands) | 1GB | 20GB | 1TB/month | Hosting since 2005 VAT: EU res. | 20€/year w/code: SBF2019 |
BudgetNode KVM (LA) | 1GB | 40GB RAID10 | 1TB/month | Also available in U.K PM @Ishaq on LET before payment | $24/year |
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA) | 1GB | 20GB SSD | 3TB/month | Pick EGG loc'n Open ticket for last 5GB SSD | $30/year w/code: LEBEGG30 |
Installing Incredible PBX 16-15 with CentOS 7
If you’ve installed previous iterations of Incredible PBX, today’s drill is similar. Here is a thumbnail sketch of the install procedure for Incredible PBX 16-15. Begin by installing a minimal CentOS 7 (64-bit) platform or pick the CentOS 7 option with 1GB RAM and 20GB of storage from your cloud provider’s menu of choices. Then log into your server as root and issue the following commands:
passwd yum -y update yum -y install net-tools nano wget tar wget http://incrediblepbx.com/incrediblepbx16-15.1.tar.gz tar zxvf incrediblepbx16-15.1.tar.gz rm -f incrediblepbx16-15.1.tar.gz # to add swap file on non-OpenVZ cloud platforms with no swap file ./create-swapfile-DO # kick off Phase I install ./IncrediblePBX16-15.sh # after reboot, kick off Phase II install ./IncrediblePBX16-15.sh # add HylaFax/AvantFax, if desired ./incrediblefax16.sh # set desired timezone ./timezone-setup # display your passwords ./show-passwords # remember to enable TUN/TAP if using VPS Control Panel with OpenVZ # reconfigure PortKnocker if installing on an OpenVZ platform echo 'OPTIONS="-i venet0:0"' >> /etc/sysconfig/knockd service knockd restart # set up NeoRouter VPN client, if desired nrclientcmd # check network speed wget -O speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py chmod +x speedtest-cli ./speedtest-cli
WebMin is also installed and configured as part of the base install. The root password for access is the same as your Linux root password. We strongly recommend that you not use WebMin to make configuration changes to your server. You may inadvertently damage the operation of your PBX beyond repair. WebMin is an excellent tool to LOOK at how your server is configured. When used for that purpose, we highly recommend WebMin as a way to become familiar with your Linux configuration.
Planning Ahead for That Rainy Day
If you haven’t already learned the hard way, let us save you from a future shock. Hardware fails. All of it. So spend an extra hour now so that you’ll be prepared when (not if) disaster strikes. First, once you have your new PBX configured the way you plan to use it, make a backup of your PBX by running the Incredible Backup script: /root/incrediblebackup16
Copy down the name of the backup file that was created. You’ll need it in a few minutes.
Second, build yourself an identical VirtualBox platform on your desktop PC. It’s the same steps as outlined above.
Next, create a /backup folder on your VirtualBox PBX and copy the backup file from your main server to your VirtualBox server and restore it after logging in to VirtualBox PBX as root:
mkdir /backup scp root@main-pbx-ip-address:/backup/backup-file-name.tar.gz /backup/. /root/incrediblerestore16 /backup/backup-file-name.tar.gz
Complaints that you "forgot" to make a backup and your hardware has failed or your provider has gone out of business are not welcomed. We’re sorry for your loss. Case closed.
Completing the Incredible PBX Setup Procedure
Unless your desktop PC and server are both on the same private LAN, the install procedure should be performed from a desktop PC using SSH or Putty. This will insure that your desktop PC is also whitelisted in the Incredible PBX firewall. Using the console to perform the install is NOT recommended as your desktop PC will not be whitelisted in the firewall. This may result in your not being able to log in to your server. Once you have network connectivity, log in to your server as root from a desktop PC using your root password. Accept the license agreement by pressing ENTER.
Kick off the Phase I install. Once your server reboots and you log back in as root, start the Phase II install. All of your passwords will be randomly assigned with the exception of the root user Linux password. You can set it at any time by issuing the command: passwd
. With the exception of your root user password, the remaining passwords can be displayed using the command: /root/show-passwords
.
Finally, if your PBX is sitting behind a NAT-based router, you’ll need to redirect incoming UDP 5060 and UDP 10000-20000 traffic to the private IP address of your PBX. This is required for all of the SIP providers included in the Incredible PBX 16-15 default build. Otherwise, inbound calls will fail.
Configuring Skyetel for Incredible PBX 16-15
If you’ve decided to go with Skyetel, here’s the drill. Sign up for Skyetel service and take advantage of the Nerd Vittles BOGO special. First, complete the Prequalification Form here. You then will be provided a link to the Skyetel site to complete your registration. Once you have registered on the Skyetel site and your account has been activated, open a support ticket and request the BOGO credit for your account by referencing the Nerd Vittles special offer. Skyetel will match your deposit of up to $250 which gets you up to $500 of helf-price calling. Credit is limited to one per person/company/address/location. Effective 10/1/2023, $25/month minimum spend required.
Skyetel does not use SIP registrations to make connections to your PBX. Instead, Skyetel utilizes Endpoint Groups to identify which servers can communicate with the Skyetel service. An Endpoint Group consists of a Name, an IP address, a UDP or TCP port for the connection, and a numerical Priority for the group. For incoming calls destined to your PBX, DIDs are associated with an Endpoint Group to route the calls to your PBX. For outgoing calls from your PBX, a matching Endpoint Group is required to authorize outbound calls through the Skyetel network. Thus, the first step in configuring the Skyetel side for use with your PBX is to set up an Endpoint Group. Here’s a typical setup for Incredible PBX 16-15:
- Name: MyPBX
- Priority: 1
- IP Address: PBX-Public-IP-Address
- Port: 5060
- Protocol: UDP
- Description: my.incrediblepbx.com
To receive incoming PSTN calls, you’ll need at least one DID. On the Skyetel site, you acquire DIDs under the Phone Numbers tab. You have the option of Porting in Existing Numbers (free for the first 60 days after you sign up for service) or purchasing new ones under the Buy Phone Numbers menu option.
Once you have acquired one or more DIDs, navigate to the Local Numbers or Toll Free Numbers tab and specify the desired SIP Format and Endpoint Group for each DID. Add SMS/MMS and E911 support, if desired. Call Forwarding and Failover are also supported. That completes the VoIP setup on the Skyetel side. System Status is always available here.
Configuring VoIP.ms for Incredible PBX 16-15
To sign up for VoIP.ms service, may we suggest you use our signup link so that Nerd Vittles gets a referral credit for your signup. Once your account is set up, you’ll need to set up a SIP SubAccount and, for Authentication Type, choose Static IP Authentication and enter your Incredible PBX 16-15 server’s public IP address. For Transport, choose UDP. For Device Type, choose Asterisk, IP PBX, Gateway or VoIP Switch. Order a DID in their web panel, and then point the DID to the SubAccount you just created. Be sure to specify atlanta1.voip.ms as the POP from which to receive incoming calls.
Configuring V1VoIP for Incredible PBX 16-15
To sign up for V1VoIP service, sign up on their web site. Then login to your account and order a DID under the DIDs tab. Once the DID has been assigned, choose View DIDs and click on the Forwarding button beside your DID. For Option #1, choose Forward to IP Address/PBX. For the Forwarding Address, enter the public IP address of your server. For the T/O (timeout) value, set it to 2o seconds. Then click the Update button. Under the Termination tab, create a new Endpoint with the public IP address of your server so that you can place outbound calls through V1VoIP.
Configuring Anveo Direct for Incredible PBX 16-15
To sign up for Anveo Direct service, sign up on their web site and then login. After adding funds to your account, purchase a DID under Inbound Service -> Order DID. Next, choose Configure Destination SIP Trunk. Give the Trunk a name. For the Primary SIP URI, enter $[E164]$@server-IP-address. For Call Options, select your new DID from the list. You also must whitelist your public IP address under Outbound Service -> Configure. Create a new Call Termination Trunk and name it to match your server. For Dialing Prefix, choose six alphanumeric characters beginning with a zero. In Authorized IP Addresses, enter the public IP address of your server. Set an appropriate rate cap. We like $0.01 per minute to be safe. Set a concurrent calls limit. We like 2. For the Call Routing Method, choose Least Cost unless you’re feeling extravagant. For Routes/Carriers, choose Standard Routes. Write down your Dialing Prefix and then click the Save button.
Before you can make outbound calls through Anveo Direct from your PBX, you first must configure the Dialing Prefix that you wrote down in the previous step. Log into the GUI as admin using a web browser and edit the Anveo-Out trunk in Connectivity -> Trunks. Click on the custom-Settings tab and replace anveo-pin with your actual Dialing Prefix. Click Submit and Apply Config to complete the setup.
By default, incoming Anveo Direct calls will be processed by the Default inbound route on your PBX. If you wish to redirect incoming Anveo Direct calls using DID-specific inbound routes, then you’ve got a bit more work to do. In addition to creating the inbound route using the 11-digit Anveo Direct DID, enter the following commands after logging into your server as root using SSH/Putty:
cd /etc/asterisk echo "[from-anveo]" >> extensions_custom.conf echo "exten => _.,1,Ringing" >> extensions_custom.conf echo "exten => _.,n,Goto(from-trunk,\${SIP_HEADER(X-anveo-e164)},1)" >> extensions_custom.conf asterisk -rx "dialplan reload"
Configuring a Softphone for Incredible PBX 16-15
We’re in the home stretch now. You can connect virtually any kind of telephone to your new PBX. Plain Old Phones require an analog telephone adapter (ATA) which can be a separate board in your computer from a company such as Digium. Or it can be a standalone SIP device such as ObiHai’s OBi100 or OBi110 (if you have a phone line from Ma Bell to hook up as well). SIP phones can be connected directly so long as they have an IP address. These could be hardware devices or software devices such as the YateClient softphone. We’ll start with a free one today so you can begin making calls. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum when you’re ready to get serious about VoIP telephony.
We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You can find them by running /root/show-passwords
. You’ll need the IP address of your server plus your extension 701 password. In the YateClient, fill in the blanks using the IP address of your Server, 701 for your Username, and whatever Password was assigned to the extension when you installed Incredible PBX. Click OK to save your entries.
Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:
DEMO - Apps Demo 123 - Reminders 947 - Weather by ZIP Code 951 - Yahoo News TODAY - Today in History LENNY - The Telemarketer's Worst Nightmare
If you are a Mac user, another great no-frills softphone is Telephone. Just download and install it from the Mac App Store. For Android users, check out the terrific new VitalPBX Communicator. Works flawlessly with Incredible PBX.
Audio Issues with Incredible PBX 16-15
Only if you experience one-way or no audio on some calls, add your external IP address and LAN subnet in the GUI by navigating to Settings -> Asterisk SIP Settings. In the NAT Settings section, click Detect Network Settings. Click Submit and Apply Settings to save your changes.
Incredible PBX 16-15 Administration
We’ve eased the pain of administering your new PBX with a collection of scripts which you will find in the /root folder after logging in with SSH or Putty. Here’s a quick summary of what each of the scripts does.
add-fqdn is used to whitelist a fully-qualified domain name in the firewall. Because Incredible PBX 16-15 blocks all traffic from IP addresses that are not whitelisted, this is what you use to authorize an external user for your PBX. The advantage of an FQDN is that you can use a dynamic DNS service to automatically update the IP address associated with an FQDN so that you never lose connectivity.
add-ip is used to whitelist a public IP address in the firewall. See the add-fqdn explanation as to why this matters.
del-acct is used to remove an IP address or FQDN from the firewall’s whitelist.
reset-conference-pins is a script that automatically and randomly resets the user and admin pins for access to the preconfigured conferencing application. Dial C-O-N-F from any registered SIP phone to connect to the conference.
reset-extension-passwords is a script that automatically and randomly resets ALL of the SIP passwords for extensions 701-705. Be careful using this one, or you may disable existing registered phones and cause Fail2Ban to blacklist the IP addresses of those users. HINT: You can place a call to the Ring Group associated with all five extensions by dialing 777.
reset-reminders-pin is a script that automatically and randomly resets the pin required to access the Telephone Reminders application by dialing 123. It’s important to protect this application because a nefarious user could set up a reminder to call a number anywhere in the world assuming your SIP provider’s account was configured to allow such calls.
show-feature-codes is a cheat sheet for all of the feature codes which can be dialed from any registered SIP phone. It documents how powerful a platform Incredible PBX 16-15 actually is. A similar listing is available in the GUI at Admin -> Feature Codes.
show-passwords is a script that displays ALL of the passwords associated with Incredible PBX 16-15. This includes SIP extension passwords, voicemail pins, conference pins, telephone reminders pin, and your Anveo Direct outbound calling pin (if configured). Note that voicemail pins are configured by the user of a SIP extension the first time the user accesses the voicemail system by dialing *97.
update-IncrediblePBX is the Automatic Update Utility which checks for server updates from incrediblepbx.com every time you log into your server as root using SSH or Putty. Do NOT disable it as it is used to load important fixes and security updates when necessary. We recommend logging into your server at least once a week.
pbxstatus (shown above) displays status of all major components of Incredible PBX 16-15.
Forwarding Calls to Your Cellphone. Keep in mind that inbound calls to your DIDs automatically ring all five SIP extensions, 701-705. The easiest way to also ring your cellphone is to set one of these five extensions to forward incoming calls to your cellphone. After logging into your PBX as root, issue the following command to forward calls from extension 705 to your cellphone: asterisk -rx "database put CF 705 6781234567"
To remove call forwarding: asterisk -rx "database del CF 705"
Configuring SendMail with Incredible PBX 16-15
In order to receive voicemails by email delivery, outbound mail functionality from your server obviously is required. If you’ve deployed your server in your home, your Internet Service Provider probably blocks downstream mail servers such as Incredible PBX from sending mail. This is done to reduce SPAM. In this case, you will need to configure SendMail using either your ISP or Gmail as an SMTP Relay Host. Here are the steps using a Gmail account:
cd /etc/mail yum -y install sendmail-cf hostname -f > genericsdomain touch genericstable makemap -r hash genericstable.db < genericstable mv sendmail.mc sendmail.mc.original wget http://incrediblepbx.com/sendmail.mc.gmail cp sendmail.mc.gmail sendmail.mc mkdir -p auth chmod 700 auth cd auth echo AuthInfo:smtp.gmail.com \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" > client-info echo AuthInfo:smtp.gmail.com:587 \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" >> client-info echo AuthInfo:smtp.gmail.com:465 \\"U:smmsp\\" \\"I:user_id\\" \\"P:password\\" \\"M:PLAIN\\" >> client-info # Stop here and edit client-info (nano -w client-info) in all three lines. # Replace user_id with your gMail account name without @gmail.com # Replace password with your real gMail password # Be sure to replace the double-quotes shown above if they don't appear in the file!!! # Save your changes (Ctrl-X, Y, then Enter) chmod 600 client-info makemap -r hash client-info.db < client-info cd .. make systemctl restart sendmail
If your server is hosted in the cloud and your provider does not block TCP port 25, then you can send mail without using a SmartHost; however, your server's hostname must actually be real or downstream mail servers will reject your mail. You can set your server's hostname like this: hostname myserver.myhost.com. This is usually sufficient; however, it's a good idea to also add the hostname in /etc/hostname and in /etc/hosts as the first entry on 127.0.0.1 line:
127.0.0.1 myserver.myhost.com pbx.local localhost localhost.localdomain
Next, test outbound mail using this command with your actual email address:
echo "test" | mail -s testmessage yourname@youremaildomain.com
Once you are sure your emails are being delivered reliably, here's a sample GUI voicemail configuration for an extension:
Getting Started with Incredible Fax 16
Believe it or not, there still are lots of folks that use faxes in their everyday lives. If you're one of them, Incredible PBX has your back. Begin by logging into your server as root and running incrediblefax16.sh to install HylaFax and AvantFax on your server. You'll be prompted a dozen or more times for information. Answer no to the secure fax question. For the rest of the prompts, just press ENTER to accept the default entries. Rebooting your server is required when the install finishes. Once your server is back on line, there will be a new AvantFax tab in the GUI. Before proceeding, be sure to set an Apache web apps password by running /root/apache-pw-change. Next, login to AvantFax with your browser. You first will be prompted for your Apache credentials. Enter admin for the username and whatever password you set up in the previous step. Then you will be prompted for your AvantFax credentials. The default is admin:password. After you enter the username and password, you will be prompted to change your admin password. The old password is still password. Then enter your desired password twice and save the setting. The AvantFax dashboard then will display. If nothing has come unglued, you should see four green Idle icons:
You can Send Faxes from within AvantFax by choosing the Send Fax tab, or you can use one of many HylaFax clients. Google is your friend.
Receiving faxes currently has issues not the least of which are fax detection being broken and incoming faxes never reaching the specified destination. We will continue to work on this and provide updates when they become available. For the time being, the simple workaround if you're using Skyetel as your provider is to designate a DID as a fax line (Call Routing: vFax) in the Skyetel Dashboard. Then Skyetel will manage the incoming faxes without any additional configuration on your PBX. You still can send faxes from within the AvantFax GUI.
Getting Started with ODBC for Asterisk
If you're new to the ODBC World, here's a quick primer. The idea behind Open Data Base Connectivity is to simplify the task of connecting up any flavor database management system so that it can talk to applications and foreign databases without having to write custom code to support every different DBMS. ODBC serves in much the same way as a translator who sits between you and foreign visitors. With the benefit of a translator, whatever is spoken is understood on both ends of the conversation. The real beauty of ODBC is that it is conversant with almost every DBMS offering on the planet including Oracle, Informix, SAS, MS Access, DB2, SQL Server, MySQL, MariaDB, PostgreSQL, Sybase, and even dBase, FoxPro, and XDB. All you really need is the ODBC connector for your operating system plus one or more database drivers for the DBMS data sources you wish to use.
Because the FreePBX modules are driven by MySQL tables, we've included the MySQL connector for Asterisk in Incredible PBX 16-15 together with two sample applications to get you started. If you add your own MySQL databases, it's easy to connect them with ODBC by simply running the odbc-gen.sh script in /root again. The two sample applications we've included will show you how to integrate ODBC queries into your Asterisk dialplan. The code is available in odbc.conf in the /etc/asterisk folder. The first sample is a typical employee database. By dialing 222, you will be prompted to enter the employee number (12345), and the ODBC app then will look up the employee number and read you the name of the employee. The second sample is a speed dialer using the AsteriDex database. The sample entries in the database include a 3-numeric-digit DIALCODE which simply matches the first three letters of each AsteriDex name spelled out on a phone, e.g. 335 = DELta Airlines and 263 = AMErican Airlines. As you add new entries to AsteriDex, you can add dialcodes in the same way or in any other scheme you prefer. Once you have signed up with a provider so that you can make outbound calls, just dial 223 and enter the AsteriDex dialcode to place the call. Think of it as a Speed Dialer on Steroids.
Where To Go From Here
Complete documentation on the FreePBX GPL Modules is available here.
Complete documentation on the Incredible PBX additions is available here.
An introduction to configuring extensions, trunks, and routes is available here.
Originally published: Monday, July 15, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Introducing Incredible PBX 16 LITE for CentOS 7
We had a banner week with the introduction of Incredible PBX® LITE for Raspbian 10. What we heard privately from many users was that they’d always wanted a turnkey PBX that was preconfigured to make and receive calls. The irony of offering this platform without the FreePBX® GUI to celebrate Independence Day was not lost on many of our savvy supporters. And, while the bells and whistles were icing on the cake, many simply wanted a flexible VoIP platform that didn’t require going back to college. This week we’re upping the ante by introducing a similar Incredible PBX LITE platform for CentOS® 7 with a few major enhancements. First, you get the new Asterisk® 16 LTS version which will keep you chugging along with bug fixes and security updates for the next 4+ years. Second, we’ve replaced FLITE with PicoTTS for a much improved (free) text-to-speech platform. And finally, we’ve added WebMin and all the other Incredible PBX components that make Incredible PBX incredible. Will there be a new release of Incredible PBX 16 with the FreePBX GUI modules? Absolutely. And there may be a few, new surprises along the way as well. Stay tuned!
What’s Included? Despite its name, Incredible PBX LITE still serves up a VoIP powerhouse featuring Asterisk 16, an Apache web server, the latest MariaDB SQL server (formerly MySQL), SendMail, and most of the Incredible PBX feature set including SIP, SMS, Opus, voice recognition, PicoTTS Text-to-Speech VoIP applications plus fax support, Click-to-Dial, News, Weather, Reminders, and hundreds of features that typically are found in commercial PBXs: Conferencing, IVRs and AutoAttendants, Email Delivery of Voicemail, and much more.
What’s Missing? We’ve removed the entire FreePBX GUI platform while retaining most of its design engineering and feature set. We’ve also eliminated the need to run a web server or database server although they’re still there. And gone are the days of having to configure extensions and trunks as well as inbound and outbound routes before you can actually use your PBX to make your first call. The tradeoff is a noticeable performance improvement.
Choosing a SIP Provider. Incredible PBX LITE comes preconfigured to support five SIP extensions and four of the major SIP providers: Skyetel, VoIP.ms, V1VoIP, and Anveo Direct. We obviously hope you’ll choose Skyetel not only because they financially support Nerd Vittles and our open source projects, but also because it is a clearly superior platform offering crystal-clear communications and triple-redundancy so you never miss a call. Skyetel also sets itself apart from the other providers in the support department. They actually respond to issues, and there’s never a charge. As the old saying goes, they may not be the cheapest, but you get what you pay for. Even without taking advantage of Nerd Vittles half-price offer on up to $500 of Skyetel services, they’re still dirt cheap compared to the Bell Sisters and cable companies. Traditional DIDs are $1 per month. Outbound conversational calls are $0.012 per minute. Incoming conversational calls are a penny a minute, and CallerID lookups are $0.004. With all four providers, you only pay for minutes you use. Using more than one is a good idea.
Choosing a Platform for Incredible PBX 16 LITE
As with our other open source offerings, the platform choice for Incredible PBX 16 LITE depends upon a number of factors. For most folks, you’d be crazy to go out and purchase hardware to use in your home or office when cloud-based platforms are available for about a dollar a month. Unless you plan to publicly expose your server on the Internet to facilitate remote SIP connections, the OpenVZ offerings below are perfectly adequate while in business with the cautionary note that you need off-site backups AND a tested backup plan. Three providers previously listed have closed their doors in 2019. You’ve been warned.
Provider | RAM | Disk | Bandwidth | Performance as of 12/1/19 | Cost |
---|---|---|---|---|---|
CrownCloud KVM (LA) | 1GB | 20GB + Snapshot | 1TB/month | 598Mb/DN 281Mb/UP 2CPU Core | $25/year Best Buy! |
Naranjatech KVM (The Netherlands) | 1GB | 20GB | 1TB/month | Hosting since 2005 VAT: EU res. | 20€/year w/code: SBF2019 |
BudgetNode KVM (LA) | 1GB | 40GB RAID10 | 1TB/month | Also available in U.K PM @Ishaq on LET before payment | $24/year |
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA) | 1GB | 20GB SSD | 3TB/month | Pick EGG loc'n Open ticket for last 5GB SSD | $30/year w/code: LEBEGG30 |
Installing Incredible PBX 16 LITE with CentOS 7
If you’ve installed previous iterations of Incredible PBX, today’s drill is similar. Here is a thumbnail sketch of the install procedure for Incredible PBX 16 LITE. Begin by installing a minimal CentOS 7 (64-bit) platform or pick the CentOS 7 option with 1GB RAM and 20GB of storage from your cloud provider’s menu of choices. Then log into your server as root and issue the following commands:
passwd yum -y update yum -y install net-tools nano wget tar wget http://incrediblepbx.com/incrediblepbx-16-LITE.tar.gz tar zxvf incrediblepbx-16-LITE.tar.gz rm -f incrediblepbx-16-LITE.tar.gz # to add swap file on non-OpenVZ cloud platforms with no swap file ./create-swapfile-DO # kick off Phase I install ./IncrediblePBX16-LITE.sh # after reboot, kick off Phase II install ./IncrediblePBX16-LITE.sh # add HylaFax/AvantFax, if desired ./incrediblefax13.sh # set desired timezone ./timezone-setup # set new extension passwords ./reset-extension-passwords # remember to enable TUN/TAP if using VPS Control Panel with OpenVZ # reconfigure PortKnocker if installing on an OpenVZ platform echo 'OPTIONS="-i venet0:0"' >> /etc/sysconfig/knockd service knockd restart # set up NeoRouter VPN client, if desired nrclientcmd # check network speed wget -O speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py chmod +x speedtest-cli ./speedtest-cli
Planning Ahead for That Rainy Day
If you haven’t already learned the hard way, let us save you from a future shock. Hardware fails. All of it. So spend an extra hour now so that you’ll be prepared when (not if) disaster strikes. First, once you have your new PBX configured the way you plan to use it, make a backup of your PBX by running the Incredible Backup script: /root/incrediblebackup13
Copy down the name of the backup file that was created. You’ll need it in a few minutes.
Second, build yourself an identical VirtualBox platform on your desktop PC. It’s the same steps as outlined above.
Next, create a /backup folder on your VirtualBox PBX and copy the backup file from your main server to your VirtualBox server and restore it after logging in to VirtualBox PBX as root:
mkdir /backup scp root@main-pbx-ip-address:/backup/backup-file-name.tar.gz /backup/. /root/incrediblerestore13 /backup/backup-file-name.tar.gz
Complaints that you "forgot" to make a backup and your hardware has failed or your provider has gone out of business are not welcomed. We’re sorry for your loss. Case closed.
Completing the Incredible PBX Setup Procedure
Unless your desktop PC and server are both on the same private LAN, the install procedure should be performed from a desktop PC using SSH or Putty. This will insure that your desktop PC is also whitelisted in the Incredible PBX firewall. Using the console to perform the install is NOT recommended as your desktop PC will not be whitelisted in the firewall. This may result in your not being able to log in to your server. Once you have network connectivity, log in to your server as root from a desktop PC using your root password. Accept the license agreement by pressing ENTER.
Kick off the Phase I install. Once your server reboots and you log back in as root, start the Phase II install. All of your passwords will be randomly assigned with the exception of the root user Linux password. You can set it at any time by issuing the command: passwd
. With the exception of your root user password, the remaining passwords can be displayed using the command: /root/show-passwords
.
Finally, if your PBX is sitting behind a NAT-based router, you’ll need to redirect incoming UDP 5060 and UDP 10000-20000 traffic to the private IP address of your PBX. This is required for all of the SIP providers included in the Incredible PBX LITE build. Otherwise, all inbound calls will fail.
Configuring Skyetel for Incredible PBX 16 LITE
If you’ve decided to go with Skyetel, here’s the drill. Sign up for Skyetel service and take advantage of the Nerd Vittles BOGO special. First, complete the Prequalification Form here. You then will be provided a link to the Skyetel site to complete your registration. Once you have registered on the Skyetel site and your account has been activated, open a support ticket and request the BOGO credit for your account by referencing the Nerd Vittles special offer. Skyetel will match your deposit of up to $250 which gets you up to $500 of helf-price calling. Credit is limited to one per person/company/address/location. Effective 10/1/2023, $25/month minimum spend required.
Skyetel does not use SIP registrations to make connections to your PBX. Instead, Skyetel utilizes Endpoint Groups to identify which servers can communicate with the Skyetel service. An Endpoint Group consists of a Name, an IP address, a UDP or TCP port for the connection, and a numerical Priority for the group. For incoming calls destined to your PBX, DIDs are associated with an Endpoint Group to route the calls to your PBX. For outgoing calls from your PBX, a matching Endpoint Group is required to authorize outbound calls through the Skyetel network. Thus, the first step in configuring the Skyetel side for use with your PBX is to set up an Endpoint Group. Here’s a typical setup for Incredible PBX LITE:
- Name: MyPBX
- Priority: 1
- IP Address: PBX-Public-IP-Address
- Port: 5060
- Protocol: UDP
- Description: lite1.incrediblepbx.com
To receive incoming PSTN calls, you’ll need at least one DID. On the Skyetel site, you acquire DIDs under the Phone Numbers tab. You have the option of Porting in Existing Numbers (free for the first 60 days after you sign up for service) or purchasing new ones under the Buy Phone Numbers menu option.
Once you have acquired one or more DIDs, navigate to the Local Numbers or Toll Free Numbers tab and specify the desired SIP Format and Endpoint Group for each DID. Add SMS/MMS and E911 support, if desired. Call Forwarding and Failover are also supported. That completes the VoIP setup on the Skyetel side. System Status is always available here.
Configuring VoIP.ms for Incredible PBX LITE
To sign up for VoIP.ms service, may we suggest you use our signup link so that Nerd Vittles gets a referral credit for your signup. Once your account is set up, you’ll need to set up a SIP SubAccount and, for Authentication Type, choose Static IP Authentication and enter your Incredible PBX LITE server’s public IP address. For Transport, choose UDP. For Device Type, choose Asterisk, IP PBX, Gateway or VoIP Switch. Order a DID in their web panel, and then point the DID to the SubAccount you just created. Be sure to specify atlanta1.voip.ms as the POP from which to receive incoming calls.
Configuring V1VoIP for Incredible PBX LITE
To sign up for V1VoIP service, sign up on their web site. Then login to your account and order a DID under the DIDs tab. Once the DID has been assigned, choose View DIDs and click on the Forwarding button beside your DID. For Option #1, choose Forward to IP Address/PBX. For the Fowarding Address, enter the public IP address of your server. For the T/O (timeout) value, set it to 2o seconds. Then click the Update button. Under the Termination tab, create a new Endpoint with the public IP address of your server so that you can place outbound calls through V1VoIP.
Configuring Anveo Direct for Incredible PBX LITE
To sign up for Anveo Direct service, sign up on their web site and then login. After adding funds to your account, purchase a DID under Inbound Service -> Order DID. Next, choose Configure Destination SIP Trunk. Give the Trunk a name. For the Primary SIP URI, enter $[E164]$@server-IP-address. For Call Options, select your new DID from the list. You also must whitelist your public IP address under Outbound Service -> Configure. Create a new Call Termination Trunk and name it to match your server. For Dialing Prefix, choose six alphanumeric characters beginning with a zero. In Authorized IP Addresses, enter the public IP address of your server. Set an appropriate rate cap. We like $0.01 per minute to be safe. Set a concurrent calls limit. We like 2. For the Call Routing Method, choose Least Cost unless you’re feeling extravagant. For Routes/Carriers, choose Standard Routes. Write down your Dialing Prefix and then click the Save button.
Before you can make outbound calls through Anveo Direct from your PBX, you first must configure the Dialing Prefix that you wrote down in the previous step. Newer downloads include an add-anveo-pin script to update your PIN in Incredible PBX. If you don’t have the script, login to your server as root and use nano to edit extensions_additional.conf in the /etc/asterisk directory. Search (Ctl-W) for anveo-pin and replace anveo-pin with the 6-digit alphanumeric PIN for your account. Press Ctrl-X, Y, then Enter to save your settings. Reload your dialplan with the command: asterisk -rx "dialplan reload"
Configuring a Softphone for Incredible PBX LITE
We’re in the home stretch now. You can connect virtually any kind of telephone to your new PBX. Plain Old Phones require an analog telephone adapter (ATA) which can be a separate board in your computer from a company such as Digium. Or it can be a standalone SIP device such as ObiHai’s OBi100 or OBi110 (if you have a phone line from Ma Bell to hook up as well). SIP phones can be connected directly so long as they have an IP address. These could be hardware devices or software devices such as the YateClient softphone. We’ll start with a free one today so you can begin making calls. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum when you’re ready to get serious about VoIP telephony.
We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You can find them by running /root/show-passwords
. You’ll need the IP address of your server plus your extension 701 password. In the YateClient, fill in the blanks using the IP address of your Server, 701 for your Username, and whatever Password was assigned to the extension when you installed Incredible PBX. Click OK to save your entries.
Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:
DEMO - Apps Demo 123 - Reminders 947 - Weather by ZIP Code 951 - Yahoo News TODAY - Today in History LENNY - The Telemarketer's Worst Nightmare
If you are a Mac user, another great no-frills softphone is Telephone. Just download and install it from the Mac App Store.
Audio Issues with Incredible PBX LITE
Only if you experience one-way or no audio on some calls, add your external IP address and LAN subnet in /etc/asterisk/sip_general_custom.conf like the following example:
nat=force_rport,comedia externip=xxx.xxx.xxx.xxx localnet=192.168.0.0/255.255.0.0
Then issue the following commands:
sed -i 's|nat=no|nat=force_rport,comedia|' /etc/asterisk/sip_additional.conf systemctl restart asterisk
Displaying Formatted CDR Data
By default, web access is limited to whitelisted IP addresses so it’s safe to access your Call Detail Report (CDR) using a browser. Unfortunately, the only browser that currently handles this with automatic formatting is Firefox. To begin, install the FireCSV extension in Firefox. Next, log in to your server as root and change to the /var/www/html folder. Issue the command ln -s /var/log/asterisk/cdr-csv/Master.csv mycdr.csv
to create a symlink to your CSV data. Now you can access your CDR data with Firefox by navigating to http://server-ip/mycdr.csv.
There’s also a simple way to display CSV files from the Linux command line using this tip from StackOverflow:
column -s, -t < /var/log/asterisk/cdr-csv/Master.csv | less -#2 -N -S
Incredible PBX LITE Administration
We've eased the pain of administering your new PBX with a collection of scripts which you will find in the /root folder after logging in with SSH or Putty. Here's a quick summary of what each of the scripts does.
add-fqdn is used to whitelist a fully-qualified domain name in the firewall. Because Incredible PBX LITE blocks all traffic from IP addresses that are not whitelisted, this is what you use to authorize an external user for your PBX. The advantage of an FQDN is that you can use a dynamic DNS service to automatically update the IP address associated with an FQDN so that you never lose connectivity.
add-ip is used to whitelist a public IP address in the firewall. See the add-fqdn explanation as to why this matters.
del-acct is used to remove an IP address or FQDN from the firewall's whitelist.
add-anveo-pin is used to add or update your Anveo Direct outbound calling PIN.
reset-conference-pins is a script that automatically and randomly resets the user and admin pins for access to the preconfigured conferencing application. Dial C-O-N-F from any registered SIP phone to connect to the conference.
reset-extension-passwords is a script that automatically and randomly resets ALL of the SIP passwords for extensions 701-705. Be careful using this one, or you may disable existing registered phones and cause Fail2Ban to blacklist the IP addresses of those users. HINT: You can place a call to the Ring Group associated with all five extensions by dialing 777.
reset-reminders-pin is a script that automatically and randomly resets the pin required to access the Telephone Reminders application by dialing 123. It's important to protect this application because a nefarious user could set up a reminder to call a number anywhere in the world assuming your SIP provider's account was configured to allow such calls.
show-feature-codes is a cheat sheet for all of the feature codes which can be dialed from any registered SIP phone. It documents how powerful a platform Incredible PBX 16 LITE actually is.
show-passwords is a script that displays ALL of the passwords associated with Incredible PBX 16 LITE. This includes SIP extension passwords, voicemail pins, conference pins, telephone reminders pin, and your Anveo Direct outbound calling pin (if configured). Note that voicemail pins are configured by the user of a SIP extension the first time the user accesses the voicemail system by dialing *97.
update-IncrediblePBX is the Automatic Update Utility which checks for server updates from incrediblepbx.com every time you log into your server as root using SSH or Putty. Do NOT disable it as it is used to load important fixes and security updates when necessary. We recommend logging into your server at least once a week.
pbxstatus (shown above) displays status of all major components of Incredible PBX 16 LITE.
Call Detail Records available in spreadsheet format at /var/log/asterisk/cdr-csv/Master.csv.
Forwarding Calls to Your Cellphone. Keep in mind that inbound calls to your DIDs automatically ring all five SIP extensions, 701-705. The easiest way to also ring your cellphone is to set one of these five extensions to forward incoming calls to your cellphone. After logging into your PBX as root, issue the following command to forward calls from extension 705 to your cellphone: asterisk -rx "database put CF 705 6781234567"
To remove call forwarding: asterisk -rx "database del CF 705"
Originally published: Monday, July 8, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Lessons Learned: Circling Back for a Second Look at OpenSIPS
Whenever we tackle a new VoIP platform especially for deployment on the open Internet, we think it’s prudent to circle back after a few weeks to review lessons learned and tie up all the loose ends. Today we’ll introduce a number of new KVM cloud providers around the globe at rock-bottom prices plus some new additions to enhance our OpenSIPS firewall design. If you’re just getting started with OpenSIPS, check out the new KVM offerings below and then hop over to our original article which now incorporates all of today’s enhancements. For those that already have deployed OpenSIPS using our previous tutorial, continue reading, and we’ll show you how to deploy the latest and greatest additions.
While we were in the midst of deploying OpenSIPS, Netflix also disclosed four TCP networking kernel vulnerabilities which are especially important to those of us using hosted cloud platforms. Depending upon your provider, these may or may not be patched promptly.
We were reminded this month that reinventing the wheel isn’t always the best solution when it comes to VoIP security. While we’re not throwing in the towel on our BadGuys list, we do want to show you how to supplement it with the VoIP Blacklist from voipbl.org. It adds over 80,000 crowd-sourced IP addresses from around the world. The other lesson learned was that blacklists invariably include some IP addresses of good guys that you actually depend upon. These typically are added to the blacklist by, you guessed it, the bad guys.
With IPtables, the first matching rule always wins so it’s important in structuring firewall rules to insert whitelisted IP addresses BEFORE the blacklist entries so you don’t inadvertently block yourself or some other resource that you actually need. This whitelist should include the IP addresses of your server and workstations as well as the IP addresses of VoIP providers upon whom you rely for communications services. With our OpenSIPS design, the firewall order of preference looks like this: (1) whitelisted IP addresses get full access, (2) blacklisted IP addresses are blocked and get no access, (3) everybody else gets SIP access.
Rather than attempting to patch the Linux kernel on all of the platforms that are being deployed, we think the prudent first step is to narrow the TCP footprint of all public-facing servers. As part of the original OpenSIPS deployment, we already had hidden web access behind the firewall except for specifically enumerated IP addresses. The second most likely TCP vulnerability would be the TCP SIP ports. While we prefer to use UDP ports for SIP access, some prefer TCP. Until the “SACK Panic” vulnerability is patched, we would strongly recommend at least temporarily discontinuing use of TCP as your SIP transport. After all, OpenSIPS is a SIP server, and the TCP SIP port would be the most likely target for mischief.
Turning back to blacklists for a moment, we’ve put together a few simple bash scripts which make it easy to deploy and update your VoIP blacklists. We’ve also developed a script that lets you move IP addresses flagged by Fail2Ban into the ipset SIPFLOOD blacklist while easing the pain of uploading your own blacklisted IP addresses to the voipbl.org site for inclusion in their list. In this way, they will be added in the next day’s blacklist collection for everyone to use. To give you a point of reference, on our half dozen, publicly-exposed honey pot servers, today’s additions to the OpenSIPS firewall have reduced attacks to less than one a day.
Choosing a KVM Platform for OpenSIPS
For those that are frequent visitors, you already know that we’ve been pushing everyone to kiss their local hardware goodbye and join the cloud revolution. When it comes to public-facing VoIP platforms like OpenSIPS, most of us don’t have a choice. You need a static IP address on the open Internet. And, for the sake of security, a KVM cloud platform is a must since OpenVZ platforms don’t support the ipset component of IPtables which makes it easy to block hundreds of thousands of IP addresses without a performance hit on your server. While we previously have identified OpenVZ providers for our Incredible PBX platforms protected by the Travelin’ Man 3 firewall, pure whitelist access simply isn’t an option if you wish to retain the functionality of a VoIP application such as OpenSIPS. So we went on the hunt to identify KVM cloud providers around the world that could offer a KVM VPS with 1GB RAM, 20GB storage, and 1TB of monthly bandwidth for about $25 a year. No small feat! But our friends at LowEndTalk have come through. Read the message thread and find an offer with a site that best meets your requirements. Many of the KVM offers require you to open a ticket to get the special pricing and configuration outlined above. Here’s a short list of our favorites, but remember to only use the KVM offerings below for OpenSIPS!
Provider | RAM | Disk | Bandwidth | Performance as of 12/1/19 | Cost |
---|---|---|---|---|---|
CrownCloud KVM (LA) | 1GB | 20GB + Snapshot | 1TB/month | 598Mb/DN 281Mb/UP 2CPU Core | $25/year Best Buy! |
Naranjatech KVM (The Netherlands) | 1GB | 20GB | 1TB/month | Hosting since 2005 VAT: EU res. | 20€/year w/code: SBF2019 |
BudgetNode KVM (LA) | 1GB | 40GB RAID10 | 1TB/month | Also available in U.K PM @Ishaq on LET before payment | $24/year |
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA) | 1GB | 20GB SSD | 3TB/month | Pick EGG loc'n Open ticket for last 5GB SSD | $30/year w/code: LEBEGG30 |
Introducing the VoIP Blacklist
We’ve always dreamed of an effective VoIP Blacklist, and many have tried. But the crowd-sourced VoIP Blacklist at voipbl.org is the real deal. Everybody can post entries (including the bad guys) and, magically, most of the illegitimate entries get sifted out before the next day’s list is released. We’ve made this easy in two ways. First, the list gets populated every night while you sleep. At last count, there were 84,504 IP addresses. And, second, to contribute to the blacklist, run iptables -nL weekly to see if Fail2Ban has snagged any bad guys. If so, simply run the new /root/blacklist utility which will move them into your local blacklist and also format the entries for easy submission to voip.bl whenever you feel the urge. Simply issue the command cat /root/blcklist.txt to display the entries you just blacklisted. Then cut-and-paste the results and post them to the VoIP Blacklist. The whole process takes less than a minute, and you’ll be contributing to a very valuable VoIP resource while also using it.
Upgrading Existing OpenSIPS KVM/OVZ7 Platforms
If you already have installed OpenSIPS using the previous Nerd Vittles tutorial on a KVM or OVZ7 platform, then the rest of today’s article is for you. If you’re just getting started, hop over to our original article which now incorporates all of today’s enhancements including the VoIP Blacklist.
We’ve made today’s upgrade easy. Just download the OpenSIPS upgrade tarball, untar it, and run the included installer. In less than a minute, you’ll have all the new pieces without disturbing your existing configuration.
To get started, log into your KVM or OVZ7 server as root using SSH or Putty and issue these commands:
cd / wget http://incrediblepbx.com/opensips-upgrade1.tar.gz tar zxvf opensips-upgrade1.tar.gz rm -f opensips-upgrade1.tar.gz /root/opensips-upgrade1
Originally published: Monday, June 24, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Virtual Paradise: It’s Incredible PBX 13-13.10 for VMware
Let’s face it. Virtual Machines are the future of server administration. Whether you prefer your own dedicated hardware or cloud-based resources managed by you or someone else, virtual platforms are the way to go. You get more bang for the buck out of your hardware by pooling resources for multiple tasks. VMware® and VirtualBox® make it easy. Today we’re pleased to introduce our latest build for VMware. It provides the latest Asterisk® 13 and FreePBX® 13 GPL components from source in about 15 minutes.
Just download the VMware .zip image from SourceForge to your desktop and unzip it. Fire up your browser and login to your VMware Web Console. With a few mouse clicks, you’ll have a CentOS 6.10 platform in place with Incredible PBX® just a single keystroke away. It doesn’t get much easier. And, you get the very latest release of Asterisk 13 compiled from source code that you can actually examine, enhance, and share… just like the GPL license says.
Choosing a Virtual Machine Platform
Making the right deployment choice for your virtual machine platform depends upon a number of factors. We initially started out with Proxmox 4 which looked promising. After all, we had used and recommended earlier releases of Proxmox for many years until some security vulnerabilities caused us to look elsewhere. Those kernel issues are now a thing of the past, but Proxmox 4 introduced some new wrinkles. First, to stay current with software fixes and updates, you have to pay the piper by signing up for the annual support license. This turned out to be a deal breaker for a couple of reasons. It was expensive since it’s based upon the number of CPUs in your platform. In the case of the hardware shown below, that turned out to be 4 CPUs (by Proxmox’s calculation) which meant the annual support license would run nearly $400 per year. That buys an enormous number of cloud-based virtual machines without having to babysit hardware at all. So we’ve reluctantly concluded that Proxmox 4 isn’t a particularly good fit for development or production use.
We’ve already sung the praises of VirtualBox so we wont’ repeat it here. VMware also is rock-solid and has been for more than fifteen years. VMware typically runs on dedicated hardware. If you don’t have the funds for a hardware purchase to support your virtualization requirements, then VirtualBox on your desktop machine is a no-brainer. For many, however, some separation of the virtualization environment from your desktop computing environment is desirable. That choice is equally easy. VMware wins, hands down. Better yet, you can make snapshot backups of your virtual machines in seconds with a single button click. If you’ve wrestled with backups on standalone hardware with Linux, you’ll quickly appreciate the difference.
Getting Started with VMware ESXi
Many of you have VMware platforms already in place at work. For you, installing Incredible PBX 13-13.10 is as simple as downloading the image to your desktop and importing it into your existing platform. Better yet, your system administrator can do it for you. If you’re new to VMware, here’s an easy way to get started, and the software won’t cost you a dime. VMware offers a couple of free products that will give you everything you need to run a robust VMware platform on relatively inexpensive hardware. The choice is up to you.
A Free VMware Platform for SOHO Apps
Before you can download the components for the free VMware ESXi platform, you’ll need to sign up for a free account at my.vmware.com. Once you’re signed up, log in and follow these simple steps to sign up for a free ESXi license key and download the ESXi version 6 software:
- Write down your assigned License Key
- Manually download the VMware vSphere Hypervisor 6.5 ISO
- Manually download the VMware vSphere Client 6.5
Next, burn the ISO to a CD/DVD and boot your dedicated VM hardware platform with it. Follow the instructions to complete the install. Next install the vSphere Client on a Windows computer. Don’t forget to add your ESXi License Key when you complete the installation. Once the ESXi server is up and running, you can stick the hardware on a shelf somewhere out of the way. You will rarely interact with it. That’s all handled using either the VMware vSphere Client on your Windows Desktop or the VMware Web Console. Don’t forget to apply your License Key once VMware ESXi is up: Virtual Machines -> Licensing -> Apply License.
Deploy VMware Template with vSphere Client
Deploying an Incredible PBX template takes about two minutes, but first you need to download the Incredible PBX 13-13.10 template from SourceForge onto your Windows Desktop and unzip it.
Once the Incredible PBX template components are on your desktop, here are the deployment steps:
1. Login to the vSphere Client on your Windows Desktop using the root account you set up when you installed ESXi. Choose File, Deploy OVF Template.
2. Select the two Incredible PBX components from your desktop PC.
3. Click Next.
4. Give the new Virtual Machine a name.
5. IMPORTANT: Choose Thin Provision option and click Next.
6. Review your entries and click Next to create the new Virtual Machine.
7. It only takes a couple minutes to create the new Virtual Machine.
8. The Main Client window will redisplay and your new VM should now be shown in the left panel. (1) Click on it. (2) Then click the Green start icon. (3) Then click the Console Window icon.
9. When the VM’s Console Window opens, click in the window in the black area. Log into your virtual machine as root using the default password: password.
10. To complete the Incredible PBX setup, you will automatically be walked through the short installation procedure when you start the virtual machine. Following the automatic reboot, just log in a second time as root and the install will complete.
11. To add Incredible Fax support with HylaFax and AvantFax, run: /root/incrediblefax13.sh.
12. Set up the proper time zone for your server: /root/timezone-setup.
13. Next, reset your root password and make it very secure: passwd.
14. Finally reset your admin password for web access to your server: /root/admin-pw-change.
15. Reset Enchilada passwords at any time by running: /root/update-passwords.
Press Ctrl-Alt to get your mouse and keyboard out of the console window.
Installing the vSphere Web Client
If you’re lucky, you may not have a Windows machine. The downside is that the vSphere Client described above only works on the Windows platform. After a good bit of searching, we finally uncovered a simple way to install the latest vSphere Web Client. It is pure HTML5 with no Flash code! While still under development, VMware has made progress, and it shows. Most of the feature set of vSphere Client now is available from the convenience of your browser. Just point it to the IP address of your VMware server like this: https://ip-address/ui/.
Here’s how to install the vSphere Web Client:
1. Log into the console of your ESXi server as root using your root password.
2. Press F2 to Customized System.
3. Choose Troubleshooting Options.
4. Choose Enable SSH.
5. Using a Terminal window on a Mac or Linux machine or using Putty with Windows, log into the IP address of your ESXi server as root.
6. Issue the following commands to install the latest vSphere Web Client vib and disable http firewall blockage:
esxcli software vib install -v http://download3.vmware.com/software/vmw-tools/esxui/esxui-signed-latest.vib esxcli network firewall ruleset set -e true -r httpClient
7. Using a web browser, login to the web client as root at https://ESXi-server-IP-address/ui/
8. Should you ever wish to remove the web client from your server:
esxcli software vib remove -n esx-ui
9. You may wish to disable SSH access when you’re finished. Just repeat steps 1-4 above.
Here’s what a typical Incredible PBX Virtual Machine looks like in the web client once you’ve added the VMware Tools to your virtual machine as documented below. There’s even a Console window.
Under the Virtual Machines tab, you now can manage and add new VMs directly.
Installing VMware Tools in a Virtual Machine
If you plan to manage your virtual machines using the vSphere Web Client and a browser, then you definitely will want to install the VMware Tools in each of your virtual machines.
For ESXi 6.0, your only choice is VMwareTools. Here’s how to install:
1. Start up your VM and login as root.
2. From the Windows vSphere Client, right click on virtual machine you started.
3. Choose Guest:Install VMware Tools.
4. Return to the Linux CLI of your virtual machine and issue the following commands. Accept all of the defaults in the installation script when it is run in the final step below:
mkdir /mnt/cdrom mount /dev/cdrom /mnt/cdrom ls /mnt/cdrom cd /tmp tar -zxvf /mnt/cdrom/VMwareTools* umount /mnt/cdrom cd vmware-tools-distrib ./vmware-install.pl
For ESXi 6.5, we prefer the new GPL VMware open-vm-tools. Here’s how to install:
1. Start up your VM and login to the VM as root using SSH or Putty.
2. From the Linux CLI, issue the following commands:
yum -y install --enablerepo=epel open-vm-tools reboot
Special thanks to John Borhek (@unsichtbarre on the PIAF Forum) for the VMware lessons. 🙂
That should be enough tutorial for today. Enjoy your new VMware platform.
Continue Reading: Configuring Extensions, Trunks & Routes
Don’t Miss: Incredible PBX Application User’s Guide covering the 31 Whole Enchilada apps
Originally published: Monday, December 18, 2017 Updated: Monday, June 17, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
The One-Minute Installer: Deploying Asterisk on the Internet
Last week we introduced a new methodology for deploying Incredible PBX® and Asterisk® on the wide open Internet. And this week we’ve put all the pieces together in a One-Minute Installer that will transform any Incredible PBX 13-13.10 server into a public-facing server platform in under a minute. Today you not only get the cupcake, but also some of the sprinkles in the form of tips or scripts to whitelist providers and users, to adjust countries on the blacklists, to add IP addresses to the blacklist, and to update our default VoIP Blacklist which now blocks over 83,000 suspicious IP addresses worldwide. Stay tuned for more.
Is It Safe?
Let’s first cover our deployment strategy so you can decide whether a public facing PBX is the right choice for you or your organization. What we mean by "exposed to the Internet" is that all of your SIP traffic is opened for public access. It doesn’t mean everybody gets free admission, but it does allow everyone to come to the door and at least knock. We still protect web access to your server with a whitelist of IP addresses, and SSH access is hidden behind a port number of your choice to protect you from the script kiddies. Is it as safe as the traditional Incredible PBX platform that is totally hidden from public view by the Travelin’ Man 3 firewall whitelist? Obviously not. But what you gain is what we had with the traditional Ma Bell phone system. Anybody can call you, but it’s up to you to determine whether to answer or block the calls. The major difference is there was a cost of calling random numbers in the old days. With VoIP technology, all of the calls are free so long as the caller has an Internet connection and a SIP client. We believe the platform is relatively safe today, but there is always a chance of SIP flooding or some zero-day vulnerability that could put your server at risk. If you’re not comfortable with that risk, now would be a good time to stop reading. Stick with the traditional Incredible PBX platform and avoid the worries of SIP attacks. The bad guys can’t see your server, and you still can be reached by calls to your PSTN number.
Changing Your Mindset About Security
Deploying a public-facing PBX does require an attitude adjustment. Behind the security of an airtight firewall, passwords for extensions, voicemail, and trunks didn’t much matter because the bad guys couldn’t find you much less get the necessary access to attempt to decipher your passwords. THAT HAS NOW CHANGED! You should immediately create new passwords that are as secure as you would use for your bank account because some folks will be trying to figure them out shortly. And, once they do, if you have VoIP services that allow calls to anywhere, your phone bill can skyrocket in a matter of minutes. You’ve been warned. If you have automatic replenishment of funds with one or more VoIP providers, change that now. And set up low balance notifications instead. Fund your VoIP provider accounts with amounts you can stand to lose in a worst case scenario. Better safe than sorry… and broke!
Choosing FQDNs for Your Server
There’s another important safeguard in today’s implementation, and that’s fully-qualified domain names (FQDNs) for your server. Without knowing your FQDN, nobody will be able to make a SIP connection to your PBX. Guessing your IP address won’t help because we automatically block all of those calls. And, once any caller attempts to connect in that way, they will be blocked from further access for a very long time by the Fail2Ban service. You have the option of using a single FQDN for both incoming calls and for registering SIP phones to your extensions. You also may use two separate FQDNs, one for incoming calls from the public and another for SIP phone registrations. Despite what some pundits would say, security through obscurity matters. Using less obvious FQDNs dramatically reduces the likelihood that your server can be attacked. This is especially important in the case of a SIP registration FQDN. Making this FQDN as obscure as possible protects your server in much the same way that a password would. So give serious consideration to whether your FQDN will be known or guessed by the general public. If so, deploy a second obscure one for registrations.
Deployment Prerequisites
That’s all we’re going to say about security. We’re now going to turn our attention to deployment. Before running the One-Minute Installer, there are some prerequisites. Here’s the short list:
- Functioning Incredible PBX 13-13.10 server with CentOS 6
- KVM (not OpenVZ) Cloud Platform with 1GB+ RAM
- Public, Static IPv4 Address for your server
- One or two FQDNs pointed to your server
- Whole Enchilada installed, if desired
- Incredible Fax installed, if desired (requires reboot)
- Preconfigured extensions & voicemail accounts with SECURE PASSWORDS
We’ve provided the link above to get your Incredible PBX 13-13.10 server up and running. This must be deployed on a Cloud-based KVM platform using CentOS 6 on a KVM (not OpenVZ) platform with a static IP address and a minimum of 1GB of RAM and a 20GB disk. The KVM platform is mandatory because we’ll be using ipset (which won’t work with OpenVZ platforms) to block entire countries as well as to set up our VoIP Blacklist. You’ll need at least one and preferably two FQDNs pointed to the IP address of your PBX. If you plan to use the Incredible PBX apps, then make sure to install the Whole Enchilada and Incredible Fax components before you transform your PBX into a public-facing server. And, as previously mentioned, tighten up ALL of your passwords for SSH and web access as well as for all of your extension secrets and voicemail PINs. It’s also a good idea to create the extensions you plan to make available for incoming calls although these can be added later as well.
UPDATE: CentOS 7 support with Incredible PBX 13-13.10 now has been added.
Choosing a KVM Platform
There are numerous cloud providers that offer a KVM platform. Choosing one that’s a perfect fit depends upon your budget obviously. For rock-solid dependability and little risk of provider implosion, we recommend Digital Ocean, Vultr, and OVH.1 If you’re just experimenting and can recover if your provider happens to suddenly go out of business, then the LowEndBox KVM offerings will save you some money. We don’t recommend CloudAtCost.
Converting to a Public-Facing PBX
Once you’ve completed the steps above and verified that your PBX is functioning reliably, you’re ready to download and run the One-Minute Installer to convert Incredible PBX into a public-facing server.
WARNING: Before you proceed, make certain that you log out any extensions that are registered using the IP address of the PBX as opposed to the FQDN of your server. Otherwise, these extensions may find their IP addresses locked out by Fail2Ban since SIP extension registrations by IP address will be blocked once the conversion to a public server is finished. After the update, if you find extensions that won’t register, the first thing to do is to issue the command: iptables -nL. See if the extension’s IP address is blocked. If it is, change the extension’s SIP registration to point the FQDN of the server as opposed to its IP address. Then you can unblock the IP address with this command using the extension’s actual IP address:
fail2ban-client set asterisk unbanip xxx.xxx.xxx.xxx
Now let’s proceed. Log into your server as root with SSH/Putty and issue these commands:
cd /root wget http://incrediblepbx.com/go-public.tar.gz tar zxvf go-public.tar.gz rm -f go-public.tar.gz ./GO-PUBLIC
Modifying the Blocked Countries List
As part of the install, all of the IP addresses from a number of countries were blocked using ipset in conjunction with the IPtables firewall. You can add or change the countries being blocked by making modifications in two places: (1) /etc/sysconfig/iptables beginning at line #69 and (2) /etc/blockem.sh on line #7. Be advised that every country blocked in IPtables requires a separate DROP line and the same country must also be enumerated on line #7 in /etc/blockem.sh. Otherwise, the IPtables firewall startup will fail when your server is rebooted or when IPtables is restarted. If a country is blocked on line #7 in /etc/blockem.sh but a DROP line is not added to /etc/sysconfig/iptables, then that country’s IP addresses will NOT be blacklisted when IPtables is restarted or your server is rebooted. Simply stated, the countries blocked in IPtables must match the country list in /etc/blockem.sh. For a current list matching countries with their international country code abbreviations, go here.
Blacklist Update Methodology
As configured, the country blacklists are only updated when the /etc/blockem.sh script is run. This occurs whenever you reboot your server or when you manually run the script. The VoIP Blacklist is updated nightly by a cron job which runs the /etc/update-voipbl.sh script.
Adding Extensions to Your SIP WhiteList
For the time being, you can manually adjust the extension listing that controls incoming SIP call access to your PBX. Only extensions included in this list are made available to receive incoming calls using the SIP URI syntax of 701@your.fqdn.com. First, you will need to edit extensions_override_freepbx.conf in /etc/asterisk. Once you’ve saved your changes, reload your dialplan: asterisk -rx "dialplan reload"
Beginning on line 31 of extensions_override_freepbx.conf, you will see a series of lines that actually authorize anonymous SIP connections with your server. There are two numeric entries and also two alpha entries to access the News and Weather apps on your server. Below them are the extensions you whitelisted when you ran the One Minute Installer above. The 13 entry in each line of the dialplan is required for all extensions to be enabled. You can add additional extensions by cloning the syntax of one of the existing entries. Be sure to enter the new extension number in BOTH places on each line that you add. The first entry corresponds to the left side of the SIP URI, e.g. 947@your.FQDN.com. The second entry tells Asterisk the extension to which to send the incoming call. Samples also are provided in the comments for redirecting incoming calls to outbound destinations. See also last week’s article.
exten => 947,13,Dial(local/947@from-internal) exten => 951,13,Dial(local/951@from-internal) exten => news,13,Dial(local/951@from-internal) exten => weather,13,Dial(local/947@from-internal)
Adding IP Addresses to Your IPtables BlackList
You can manually add BlackList entries to your server using ipset; however, keep in mind that these entries will be overwitten when the VoIP Blacklist is updated each night. The recommended procedure is to first add them to ipset using the following command with the actual IP address to be blacklisted: ipset add voipbl xx.xx.xx.xx
Then visit the VoIP BlackList site and add the same IP address in the Blacklist Submission form. Multiple IP addresses can be added by separating every entry with a space.
Adding IP Addresses to Your IPtables WhiteList
You can whitelist additional IP addresses to enable access to your PBX that takes precedence over the blacklists by using the existing add-ip and add-fqdn utilities included in the /root folder. These were both modified to accommodate the public-facing Incredible PBX design.
Last week we got bitten by the age-old problem with BlackLists, namely that the bad guys populate them with IP addresses of places you actually want to go, such as CallCentric and Skyetel. Without a whitelist of safe sites, a blacklist is worse than worthless. So the way this works in Incredible PBX is the whitelist entries are moved to the top of the pecking order so that they take precedence in IPtables processing. The IPtables design works like this. Once a packet qualifies as safe by being accepted, the rest of the IPtables rules are ignored. Enjoy!
Originally published: Monday, June 10, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
- Digital Ocean and Vultr provide modest referral credits to Nerd Vittles for those that use our referral code. It in no way colors our recommendations regarding these two providers, both of whom we use extensively. [↩]
Safely Deploying Incredible PBX on the Wide Open Internet
We’ve previously documented the benefits of SIP URI calling. Because the calls are free from and to anywhere in the world, the use case is compelling. The drawbacks, particularly with Asterisk® servers, have primarily centered around the security implications of exposing SIP on a publicly-accessible server. Today we want to take another look at an open Internet SIP implementation for Asterisk based upon the pioneering work of Dr. Lin Song back in the PBX in a Flash heyday. We’ve embellished Lin’s original IPtables creation and our original article with some additional security mechanisms for Fail2Ban, Asterisk, FreePBX®, and Travelin’ Man 3. Special thanks also for a terrific tutorial from JavaPipe. All of today’s implementation is open source code which you are more than welcome to use or improve pursuant to GPL3.
July 22 UPDATE: New Incredible PBX 16-15-PUBLIC deployment tutorial is now available here.
Consider this. If everyone in the world had an accessible SIP address instead of a phone number, every call to every person in the world via the Internet would be free. That pretty much sums up why SIP URIs are important. The syntax for SIP URIs depends upon your platform. With Asterisk they look like this: SIP/somebody@FQDN.yourdomain.com. On SIP phones, SIP URIs look like this: sip:somenameORnumber@FQDN.yourdomain.com. Others use somenameORnumber@FQDN.yourdomain.com. Assuming you have a reliable Internet connection, once you have “dialed” a SIP URI, the destination SIP device will ring just as if the called party had a POTS phone. Asterisk® processes SIP URIs in much the same way as calls originating from commercial trunk providers except anonymous SIP calls are blocked.
While we have tested today’s design extensively including implementation of a cloud-based server with no security issues since deployment over four months ago, we still don’t recommend this SIP design for mission-critical PBXs because there remain some security risks with denial of service attacks and zero-day vulnerabilities. For these deployments, Incredible PBX® coupled with the Travelin’ Man 3 firewall which blocks SIP access except from whitelisted IP addresses and FQDNs has no equal. When properly deployed, the bad guys cannot even see your server much less attack it. A typical use case for today’s new SIP design would be a public Asterisk server that provides anonymous SIP access to the general public without any exposure to the corporate jewels. For example, we’ve put up a demonstration server that provides news and weather reports. In the corporate world, an equivalent deployment might provide access to a product database with pricing and availability details. Our rule of thumb before deploying today’s platform would be to ask yourself what damage could be inflicted if your server were totally compromised. If the answer is zero, then proceed. Otherwise, stick with Incredible PBX and the Travelin’ Man 3 firewall. The ideal platform for deployment using the same rule of thumb as above is one of the $1 a month cloud platforms.
Provider | RAM | Disk | Bandwidth | Performance as of 12/1/19 | Cost |
---|---|---|---|---|---|
CrownCloud KVM (LA) | 1GB | 20GB + Snapshot | 1TB/month | 598Mb/DN 281Mb/UP 2CPU Core | $25/year Best Buy! |
Naranjatech KVM (The Netherlands) | 1GB | 20GB | 1TB/month | Hosting since 2005 VAT: EU res. | 20€/year w/code: SBF2019 |
BudgetNode KVM (LA) | 1GB | 40GB RAID10 | 1TB/month | Also available in U.K PM @Ishaq on LET before payment | $24/year |
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA) | 1GB | 20GB SSD | 3TB/month | Pick EGG loc'n Open ticket for last 5GB SSD | $30/year w/code: LEBEGG30 |
Overview. There are a number of moving parts in today’s implementation. So let’s briefly go through the steps. Begin with a cloud-based installation of Incredible PBX. Next, we’ll upgrade the Fail2Ban setup to better secure a publicly-accessible Asterisk server. We’ll also customize the port for SSH access to reduce the attack rate on the SSH port. You’ll need a fully-qualified domain name (FQDN) for your server because we’ll be blocking all access to your server by IP address. If you want to allow SIP URI calls to your server, you’ll need this FQDN. If you want to also allow SIP registrations from this same FQDN, then a single FQDN will suffice; however, with OpenVZ platforms, we recommend using a different (and preferably more obscure) FQDN for SIP registrations since registered users have an actual extension on your PBX that is capable of making outbound calls which usually cost money. In this case, the obscure FQDN performs double-duty as the equivalent of a password to your PBX. For example, an FQDN such as hk76dl34z.yourdomain.com would rarely be guessed by an anonymous person while sip.yourdomain.com would be fairly obvious to attempted intruders. But that’s your call.
Using whatever FQDN you’ve chosen for SIP registrations, we’ll add an entry to /etc/asterisk/sip_custom.conf that looks like this: domain=hk76dl34z.yourdomain.com
. That will block all SIP registration attempts except from that domain. It will not block SIP invitations! The next step will be to add a new [from-sip-external] context to extensions_override_freepbx.conf. Inside that context, we’ll specify the FQDN used for public SIP URI connections to your server, e.g. sip.yourdomain.com
. This will block SIP invitations except SIP URIs containing that domain name. We’ll also define all of the extensions on your Asterisk server which can be reached with SIP URI invitations. These could be actual extensions, or ring groups, or IVRs, or Asterisk applications. The choice is yours. These SIP URI authorizations can be either numeric (701@sip.yourdomain.com) or alpha (weather@sip.yourdomain.com) or alphanumeric (channel7@sip.abc.com). Finally, we’ll put the new IPtables firewall rules in place and adjust your existing iptables-custom setup to support the new publicly-accessible PBX. For example, we’ll still use whitelist entries for web access to your server since anonymous users would cause nothing but mischief if TCP ports 80 and 443 were exposed. It’s worth noting that KVM platforms provide a more robust implementation of IPtables that can block more types of nefarious traffic. We’ve supplemented the original article with a KVM update below. With OpenVZ platforms, we have to rely upon Asterisk to achieve IP address blocking and some types of packet filtering. So why not choose a KVM platform? It’s simple. These platforms typically cost twice as much as equivalent OpenVZ offerings. With this type of deployment, KVM is worth it.
Installing Incredible PBX Base Platform
Today’s design requires an Incredible PBX platform on a cloud-based server. Start by following this tutorial to put the pieces in place. We recommend you also install the Whole Enchilada addition once the base install is finished. Make sure everything is functioning reliably before continuing.
Upgrading the Fail2Ban Platform
Because this will be a publicly-accessible server, we’re going to tighten up the Asterisk configuration in Fail2Ban and lengthen the bantime and findtime associated with Fail2Ban’s Asterisk log monitoring. We also recommend that you whitelist the IP addresses associated with your server and PCs from which you plan to access your server so that you don’t inadvertently block yourself.
Log into your server as root and issue the following commands. When the jail.conf file opens in the nano editor, scroll down to line 34 and add the IP addresses you’d like to whitelist to the existing ignoreip settings separating each IP address with a space. Then press Ctrl-X, Y, then Enter to save your changes. Verify that Fail2Ban restarts successfully.
cd /etc/fail2ban wget http://incrediblepbx.com/fail2ban-public.tar.gz tar zxvf fail2ban-public.tar.gz rm -f fail2ban-public.tar.gz nano -w jail.conf service fail2ban restart
If you ever get locked out of your own server, you can use the Serial Console in your VPS Control Panel to log into your server. Then verify that your IP address has been blocked by issuing the command: iptables -nL
. If your IP is shown as blocked, issue this command with your address to unblock it: fail2ban-client set asterisk unbanip 12.34.56.78
Obtaining an FQDN for Your Server
Because we’ll be blocking IP address SIP access to your server, you’ll need to obtain one or perhaps two FQDNs for your server. If you manage DNS for a domain that you own, this is easy. If not, you can obtain a free FQDN from ChangeIP here. Thanks, @mbellot.
For the FQDN that you’ll be using for SIP registrations on your server, configure Asterisk to use it by logging into your server as root and issuing the following command using your new FQDN, e.g. xyz.yourdomain.com. Thanks, @ou812.
echo "domain=xyz.yourdomain.com" >> /etc/asterisk/sip_custom.conf
SECURITY ALERT: Never use the SIP URI MOD on a server such as this one with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.
Customizing the [sip-external-custom] Context
All FreePBX-based servers include a sip-external-custom context as part of the default installation; however, we need a customized version to use for a publicly-accessible PBX. You can’t simply update the context in /etc/asterisk/extensions.conf because FreePBX will overwrite the changes the next time you reload your dialplan. Instead we have to copy the context into extensions_override_freepbx.conf and make the changes there. So let’s start by copying the new template there with the following commands:
cd /tmp wget http://incrediblepbx.com/from-sip-external.txt cd /etc/asterisk cat /tmp/from-sip-external.txt >> extensions_override_freepbx.conf rm -f /tmp/from-sip-external.txt nano -w extensions_override_freepbx.conf
When the nano editor opens the override file, navigate to line #10 of the [from-sip-external] context and replace xyz.domain.com with the FQDN you want to use for SIP invites to your server. These are the connections that are used to actually connect to an extension on your server (NOT to register). As noted previously, this can be a different FQDN than the one used to actually register to an extension on your server. Next, scroll down below line #27, and you will see a series of lines that actually authorize anonymous SIP connections with your server. There are two numeric entries and also two alpha entries to access the News and Weather apps on your server. The 13th position in the dialplan is required for all authorized calls.
exten => 947,13,Dial(local/947@from-internal) exten => 951,13,Dial(local/951@from-internal) exten => news,13,Dial(local/951@from-internal) exten => weather,13,Dial(local/947@from-internal)
You can leave these in place, remove them, or add new entries depending upon which extensions you want to make publicly accessible on your server. Here are some syntax examples for other types of server access that may be of interest.
; Call VoIP Users Conference exten => 882,13,Dial(SIP/vuc@vuc.me) exten => vuc,13,Dial(SIP/vuc@vuc.me) ; Call Default CONF app exten => 2663,13,Dial(local/${EXTEN}@from-internal) exten => conf,13,Dial(local/2663@from-internal) ; Call Bob at Local Extension 701 exten => 701,13,Dial(local/${EXTEN}@from-internal) exten => bob,13,Dial(local/701@from-internal) ; Call Default Inbound Route thru Time Condition exten => home,13,Goto(timeconditions,1,1) ; Call Inbound Trunk 8005551212 exten => 8005551212,13,Goto(from-trunk,${DID},1) ; Call Lenny exten => 53669,13,Dial(local/${EXTEN}@from-internal) exten => lenny,13,Dial(SIP/2233435945@sip2sip.info) ; Call any toll-free number (AT&T Directory Assistance in example) exten => information,13,Dial(SIP/18005551212@switch.starcompartners.com)
Once you’ve added your FQDN and authorized SIP URI extensions, save the file: Ctrl-X, Y, then Enter.
One final piece is required to enabled anonymous SIP URI connections to your server:
echo "allowguest=yes" >> /etc/asterisk/sip_general_custom.conf
Now restart Asterisk: amportal restart
UPDATE for DialPlan Junkies: We received a few inquiries following publication inquiring about the dialplan design. We’ve taken advantage of a terrific feature of Asterisk which lets calls fall through to the next line of a dialplan if there is no match on a Goto(${EXTEN},13) command. For example, if a caller dials ward@sip.domain.com and there is a line 12 in the dialplan directing the call to ward,13 which exists, call processing will continue there. However, if the extension does not exist, the call will not be terminated. Instead, if there exists a more generic line 13 in the dialplan, e.g. exten => _X.,13,Goto(s,1), call processing will continue there. We use this trick to then redirect the call to an ‘s’ extension sequence to announce that the called extension could not be reached. It’s the reason all of the whitelisted extensions have to have the same line 13 designation so that call processing can continue with the generic line 13 when a specific extension match fails.
Configuring IPtables for Public SIP Access
You may recall that, with Incredible PBX, we bring up the basic IPtables firewall using the /etc/sysconfig/iptables rules. Then we add a number of whitelist entries using /usr/local/sbin/iptables-custom. We’re going to do much the same thing with today’s setup except the rule sets are a bit different. Let’s start by putting the default iptables-custom file in place:
cd /usr/local/sbin wget http://incrediblepbx.com/iptables-custom-public.tar.gz tar zxvf iptables-custom-public.tar.gz rm -f iptables-custom-public.tar.gz nano -w iptables-custom
When the nano editor opens, scroll to the bottom of the file. You’ll note that we’ve started a little list of notorious bad guys to get you started. Fail2Ban will actually do a pretty good job of managing these, but for the serious recidivists, blocking them permanently is probably a good idea. In addition to the bad guys, you’ll want to whitelist your own IP addresses and domains so that you don’t get blocked from FreePBX web access to your server. The syntax looks like the following two examples:
/usr/sbin/iptables -I INPUT -s pbxinaflash.dynamo.org -j ACCEPT /usr/sbin/iptables -I INPUT -s 8.8.8.8 -j ACCEPT
Whenever you make changes to your IPtables configuration, remember to restart IPtables using the following command ONLY: iptables-restart
Now let’s put the final IPtables piece in place with the default IPtables config file:
cd /etc/sysconfig wget http://incrediblepbx.com/iptables-public.tar.gz tar zxvf iptables-public.tar.gz rm -f iptables-public.tar.gz nano -w iptables
When the nano editor opens the file, scroll down to line 55 which controls the TCP port for SSH access to your server. We strongly recommend you change this from 22 to something in the 1000-2000 range. HINT: Your birth year is easy to remember. In the next step, we’ll make the change in your SSH configuration as well.
Next, scroll down to lines 148 and 149. Replace YOUR_HOSTNAME.no-ip.com on both lines with the FQDN of your server that will be used to accept SIP invitations (connections) on your server. These entries have no effect on SIP registrations which we covered above!
Once you’ve made these changes, save the file BUT DO NOT RESTART IPTABLES JUST YET.
Securing the SSH Access Port
TCP port 22 is probably one of the most abused ports on the Internet because it controls access to SSH and the crown jewels by default. Assuming you changed this port in the IPtables firewall setup above, we now need to change it in your SSH config file as well. Edit /etc/ssh/sshd_config and scroll down to line 12. Change the entry to: Port 1999 assuming 1999 is the port you’ve chosen. Be sure to remove the comment symbol (#) at the beginning of the line if it exists. Then save the file.
You’ll also want to update the SSH port in Fail2Ban. Edit /etc/fail2ban/jail.conf and search for port=ssh. In the [ssh-iptables] context, change the entry to port=1999 assuming 1999 is your chosen port. Save the file and reboot your server. Then you should be all set.
Dealing with the Bad Guys
You’ll be amazed how quickly and how many new friends you’ll make on the public Internet within the first few hours. You can watch the excitement from the Asterisk CLI by logging into your server as root and issuing the command: asterisk -rvvvvvvvvvv
. Another helpful tool is to monitor your IPtables status which will show IP addresses that have been temporarily blocked by Fail2Ban: iptables -nL
. This will catch most of the bad guys and block them. But some are smarter than others, and many know how to spoof IP addresses in SIP packets as you will quickly see. Unlike on KVM platforms, IPtables on most OpenVZ platforms cannot search packets for text strings which is a simple way to block many of these attackers. HINT: You get what you pay for. And, in some cases, attackers disguise their address or use yours. We’ve now found that ${SIPURI} holds the caller’s true identity so we’ve updated the code accordingly. Whether to permanently block these guys is completely up to you. A typical SIP INVITE before such a call is dropped only consumes about 100 bytes so it’s usually not a big deal. You also can manually block callers using the Fail2Ban client with the desired IP address: fail2ban-client set asterisk banip 12.34.56.78
.
Additional Security on KVM Platforms
As we mentioned above, a KVM platform provides considerably more security for your public-facing server because you can block entire countries using the ipset extension to IPtables. You can read all about it here. After considerable discussion and suggestions on the PIAF Forum, we would offer the following code which blocks the countries we have identified as causing the majority of problems. First, modify your /etc/sysconfig/iptables configuration and insert the following code in the IPSPF section of the script around line 93. You can change the list of blocked countries to meet your own needs. Just be sure to make the same country-code changes in the blockem.sh script which we will cover in step 2. A list of available country codes can be found here. Save your changes, but do NOT restart IPtables just yet.
-A IPSPF -m set --match-set cn src -j DROP -A IPSPF -m set --match-set ru src -j DROP -A IPSPF -m set --match-set ps src -j DROP -A IPSPF -m set --match-set kp src -j DROP -A IPSPF -m set --match-set ua src -j DROP -A IPSPF -m set --match-set md src -j DROP -A IPSPF -m set --match-set nl src -j DROP -A IPSPF -m set --match-set fr src -j DROP -A IPSPF -m set --match-set SIPFLOOD src -j DROP
Second, we want to add a new /etc/blockem.sh script and make it executable (chmod +x /etc/blockem.sh
). With the exception of the SIPFLOOD entry which is our custom Bad Guys List, make sure the country list in line #5 below matches the dropped countries list you added to IPtables in step #1 above.
#!/bin/bash cd /etc wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz| tar zxvf - for i in \\ cn ru ps kp ua md nl fr do /usr/sbin/ipset create -exist $i hash:net for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done done wait sleep 5 wget http://incrediblepbx.com/badguys.tar.gz tar zxvf badguys.tar.gz rm -f badguys.tar.gz /usr/sbin/ipset restore -! < /etc/SIPFLOOD.zone wait sleep 5 service iptables restart wait sleep 5 /usr/local/sbin/iptables-custom wait sleep 5 service fail2ban restart wait exit 0
Third, try things out by running the script: /etc/blockem.sh
. Verify that IPtables is, in fact, blocking the listed countries: iptables -nL
.
Finally, we recommend adding the script to /etc/rc.d/rc.local replacing the existing iptables-restart line. In that way, it gets run whenever you reboot your server.
In choosing a KVM platform, we've had good luck with the $5/month Digital Ocean platform where you still can get a $50 credit to kick the tires for 60 days, Vultr (similar pricing to D.O. also with a $50 credit). With either of these providers, you can add automatic backups for an extra dollar a month. In the bargain basement (may not be here tomorrow) category, we like the following providers. Many other low-cost options are documented on the LowEndBox site. Just don't invest more than you can afford to lose... and make a backup.1
Connecting a SIP Phone to OpenSIPS or LinPhone
If you followed along in our OpenSIPS adventure, then it's easy to test some SIP URI calls to your new server. You can connect virtually any kind of SIP telephone or endpoint to OpenSIPS. Another easy way to try out SIP calling is to first set up a free LinPhone Account.
You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we'll get you started with one of our favorite (free) softphones, YateClient. It's available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for your OpenSIPS or LinPhone account you've previously created. You’ll need the IP address of your OpenSIPS server or LinPhone's FQDN (sip.linphone.org) plus your account’s password. Fill in the Yate Client template using the IP address or FQDN as well as your Username and whatever Password you assigned to the account when you created it. Click OK to save your entries.
Once the Yate softphone shows that it is registered, try a test call to one of the SIP URIs you authorized on your new Asterisk server or try ours:
If you don't happen to have an OpenSIPS server or a LinPhone SIP account to play with but you have another Asterisk server, then the simple way to enable SIP URI extensions is by editing /etc/asterisk/extensions_custom.conf. In the [from-internal-custom] context, add an extension that can be used to contact any desired SIP URI. Then reload your dialplan: asterisk -rx "dialplan reload"
. Now dial that extension (2468 in the following example) from any phone connected to your Asterisk server. The entry would look something like this to call our SIP URI for the latest weather forecast:
NEWS FLASH: A new One-Minute Installer to use Incredible PBX on the open Internet is now available here.
Originally published: Monday, June 3, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
- Digital Ocean and Vultr provide modest referral credits to Nerd Vittles for those that use our referral code. It in no way colors our recommendations regarding these two providers, both of whom we use extensively. [↩]