
Category Archives: Incredible PBX


Firewalls 101: Why Every Asterisk Server Should Have a Functioning Firewall


Part of our fundamental disagreement with the FreePBX® design can be summed up in one word: FIREWALL, or rather the lack of a functioning firewall in the FreePBX Distro and in the functionally identical Digium product, AsteriskNOW®.[1] Most of the other design choices, including the controversial, non-GPL compliant Module Signature Checking mechanism, are touted as failsafe ways to detect altered systems even though FreePBX MySQL tables and Asterisk config files can be modified easily without triggering alerts. In short, the Band-Aid® approach to module tampering does nothing to address the fundamental problem: prevention of unauthorized intrusions in the first place.

Some would contend that the included Fail2Ban product is specifically designed to prevent unauthorized intrusions by locking out the bad guys after a certain number of failed login attempts. Assuming Fail2Ban were functioning properly, which does not appear to be the case, putting all your eggs in the Fail2Ban basket also ignores several critical shortcomings in Fail2Ban. First, it has been documented that powerful servers such as Amazon EC2 and Twitter botnets give hackers almost unlimited intrusion attempts before Fail2Ban ever gets a time slice sufficient to scan logs for intrusion attempts. Second, Fail2Ban provides no protection against stealthy distributed bruteforcing activity. For example, if a botnet with 770,000 PCs attacked your server and each PC executed only two login attempts, Fail2Ban never gets triggered even assuming your server could handle the load and Fail2Ban got sufficient server resources to actually scan your logs. Finally, Fail2Ban provides no protection against Zero Day vulnerabilities where an intruder basically walks right into your server because of an unidentified vulnerability lurking in the existing code. Unfortunately, these are not hypothetical situations but regular occurrences over the past 10 years of Asterisk and FreePBX development. In a nutshell, that’s why you need a real firewall. It completely blocks all access to your server by unauthorized users all of the time.
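The distributed case described above can be checked against your own logs. The following is an added example, not code from Nerd Vittles or Fail2Ban: it counts failed SIP registrations per source and shows which sources a per-source threshold (Fail2Ban's maxretry) would ban. The log lines, addresses and function names are constructed for illustration, and the time window (findtime) is ignored.

```shell
#!/bin/sh
# Added example: why a per-source retry threshold misses distributed guessing.
# All log lines are constructed; addresses come from documentation ranges.

# Constructed Asterisk log: one noisy source plus six sources with two tries each.
sample_log() {
    i=1
    while [ "$i" -le 5 ]; do
        printf "[2015-08-03 10:00:0%d] NOTICE[2101] chan_sip.c: Registration from '\"701\" <sip:701@192.0.2.10>' failed for '203.0.113.50:5060' - Wrong password\n" "$i"
        i=$((i + 1))
    done
    for host in 11 12 13 14 15 16; do
        for n in 1 2; do
            printf "[2015-08-03 10:01:%02d] NOTICE[2101] chan_sip.c: Registration from '\"701\" <sip:701@192.0.2.10>' failed for '198.51.100.%s:5060' - Wrong password\n" "$((host + n))" "$host"
        done
    done
    # A line that is not a failure and must be ignored by the counter.
    printf "[2015-08-03 10:02:00] VERBOSE[2101] chan_sip.c: Registered SIP '701' at 192.0.2.77:5060\n"
}

# Read a log on stdin, print "<failures> <source-ip>" per source, sorted by IP.
failures_by_source() {
    awk -F"failed for '" '
        /chan_sip\.c: Registration from .* failed for / {
            split($2, part, ":")      # part[1] is the source IP (IPv4 assumed)
            count[part[1]]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k2
}

# Sources a per-source threshold would ban. $1 = threshold (maxretry).
banned_sources() {
    failures_by_source | awk -v max="$1" '$1 >= max { print $2 }'
}

# Failures that never reach the threshold: prints "<failures> <sources>".
missed_failures() {
    failures_by_source |
        awk -v max="$1" '$1 < max { s += $1; c++ } END { printf "%d %d\n", s, c }'
}

report() {
    echo "sources banned at threshold $1: $(sample_log | banned_sources "$1" | tr '\n' ' ')"
    echo "failures/sources never banned:  $(sample_log | missed_failures "$1")"
}

report 3
```

With a threshold of 3, only the noisy source is banned while the twelve attempts spread across six sources go untouched, which is the gap a whitelist firewall closes.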

Numerous companies have intentionally exposed Asterisk® servers to the public Internet in a continuing effort to identify problems before they affect "real servers." We know of no similar efforts with a platform that includes FreePBX as an integral component of the server. Why? Because the potential for Zero Day Vulnerabilities in a platform of modular design is enormous. One vulnerable component in FreePBX and the entire house of cards collapses because of the blank check server access that a compromised FreePBX asterisk user account gives to an intruder. It’s the fundamental reason that services such as Apache were engineered to run with different user credentials than a root user in the real world. In essence, the current FreePBX design with Asterisk has elevated asterisk user credentials to allow root-like access to almost every server file and function with the exception of SSH access. And SSH access becomes all but unnecessary given the scope of the GUI functionality provided within FreePBX and the escalated privileges it enjoys.

On FreePBX-based Asterisk servers, the absence of any user account separation means Asterisk, Apache, and FreePBX services all operate under the single asterisk user account. If any piece collapses due to a vulnerability, the intruder gets the keys to the castle including read/write access to Asterisk and FreePBX manager credentials and config files as well as broad MySQL access. This, in turn, exposes your VoIP account credentials in addition to facilitating SQL injection into any and all FreePBX database tables. Because FreePBX "hides" numerous settings in over a hundred MySQL tables, the Asterisk DB, and dozens of Asterisk config files, once the asterisk user account access is compromised, many of the major components on your server could be cleverly reconfigured without leaving much of a hint that your server had been compromised. In fact, VoIP account credentials could be extracted and used elsewhere with no traceable footprint back to your server. For all you would know, your provider compromised your credentials rather than the other way around. Just another reminder that keeping a credit card on file for automatic replenishment with VoIP providers is a very bad idea!

Providing the asterisk user with these broad permissions was a (poor) design choice. Why was it done? To make it easy for the developers to alter virtually everything on your Asterisk server using FreePBX’s integrated Module Admin component. Root user permissions are never required to do much of anything other than server platform upgrades once the FreePBX Distro or AsteriskNOW product is installed. That’s exactly the design one would expect to find in a commercial, closed source software platform. But it’s unusual in the open source community to put it charitably. We trust we’ve made the case why a rock-solid firewall with any product that uses FreePBX modules is absolutely essential. FreePBX is a wonderful GUI, but use of the platform without a properly configured, fully functional firewall could be financially catastrophic not to mention the serious damage it could cause to others including the good reputation of Asterisk in the Internet community.

Our objective next week will be to help you implement a functioning Linux-based software firewall on the FreePBX Distro and AsteriskNOW platforms. It’s FREE! Not only will this improve the security of your server, but it will deny the bad guys a platform from which to launch mischievous acts against the rest of us. Unless you’re running Asterisk on a Cloud-based platform, do all of us a favor NOW! Run, don’t walk, to your nearest electronics store (including WalMart and BestBuy) and purchase one of the dozens of inexpensive NAT-based routers. Install it between the Internet and your server TODAY! This is the one we use, but there are plenty from which to choose including our refurbished one.[2]
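What a whitelist-based INPUT policy looks like next to a table that only hosts Fail2Ban chains, as an added example (not the Incredible PBX or FreePBX Distro firewall). The sample table, addresses and function names are constructed; the generated text is in iptables-restore format.

```shell
#!/bin/sh
# Added example: default-deny INPUT with a source whitelist, plus a small audit
# of iptables-save text. Nothing here touches the running firewall.

# Constructed iptables-save output resembling a table that only hosts Fail2Ban chains.
fail2ban_only_table() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-SSH - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A fail2ban-SSH -j RETURN
COMMIT
EOF
}

# Default policy of the INPUT chain, read from iptables-save text on stdin.
input_policy() {
    awk '$1 == ":INPUT" { print $2 }'
}

# Source addresses named by INPUT rules, read from iptables-save text on stdin.
input_sources() {
    awk '$1 == "-A" && $2 == "INPUT" {
        for (i = 3; i < NF; i++) if ($i == "-s") print $(i + 1)
    }'
}

# Syntactic check: dotted-quad IPv4 with optional /0-32 prefix, octets 0-255.
is_ipv4_source() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s' "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore ruleset; arguments are the whitelisted sources.
# Every entry is validated first so a bad entry never yields a partial ruleset.
emit_ruleset() {
    for src in "$@"; do
        is_ipv4_source "$src" || { echo "rejected whitelist entry: $src" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -j ACCEPT"
    done
    echo COMMIT
}

# Constructed whitelist: a local network and one remote administrator address.
emit_ruleset 192.168.1.0/24 203.0.113.25
```

Include the address you administer from in the whitelist before loading the output with iptables-restore, since every other source is dropped.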


NEWS FLASH:
Download the new FUD-Free Firewall for FreePBX Distro and AsteriskNOW.

Originally published: Monday, August 3, 2015



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




  1. Technically, IPtables is running on the FreePBX Distro and AsteriskNOW platforms; however, its sole function is to act as the shutdown mechanism for Fail2Ban-detected breaches. It does not independently examine packets. There is no functioning iptables config file. From our vantage point, serving as the Fail2Ban traffic cop doesn’t qualify as a functioning firewall since it lacks any of the traditional IPtables rules that manage PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING of packets.
  2. Where prices are competitive or availability is a factor, we often recommend Amazon because Amazon provides financial support to Nerd Vittles through our referral links. We encourage everyone to shop independently and purchase products from suppliers that best meet your own requirements.

Decisions, Decisions: Choosing the SOHO Asterisk Platform That’s Best For You

Each year we like to revisit the topic of choosing the best Asterisk® platform for deployment in the home and small business environment. No solution is obviously right for everybody. But we think it’s important to sketch out the relevant factors that need careful evaluation before you begin the installation process.

Our focus today is open source, GPL platforms with Asterisk for home or SOHO deployments. That excludes a broad swath of equally capable commercial or proprietary alternatives including ThirdLane, Switchvox, and FreePBX® Distro as well as many unified communications solutions that do not rely upon the Asterisk telephony engine including FreeSWITCH, ShoreTel, Cisco, 3CX, and many others. If your requirements exceed telephony support for more than a few dozen employees, our recommendation is to hire a consultant that can assist you in that decision-making process.

When It Comes to Hardware, Size Matters!

Even in the telephony world, it’s true. Size Matters! Choosing an Asterisk platform for your home and choosing a telephony platform for a call center are very different beasts. Our traditional recommendation for home and SOHO deployments was to go with dedicated hardware with an appropriately sized Atom processor, RAM, and hard drive. In the words of Bob Dylan, "The Times They Are A Changin’." With the nosedive in Cloud processing costs and the emergence of powerful desktop virtual machine platforms, that may no longer be the smartest solution. First, it puts you in the hardware business which means you’ll have to deal with hardware failures and backups and redundancy. Second, depending upon where you live, it may not be cost-effective to maintain your own server. Electricity and Internet connectivity cost real money above and beyond hardware costs.

For home or SOHO deployments, it also depends upon what other computers already are in use around your house or office. For example, if you have a $2,000 iMac with a $100 backup drive running Carbon Copy Cloner each night, then you’ve already got a fully redundant server platform in place. You really don’t need a dedicated server for telephony to support a handful of telephones. VirtualBox® running any of the Incredible PBX™ solutions is free, and it’s fully capable of meeting your telephony requirements with no additional hardware investment.[1] If your iMac’s main drive crashes, you can reboot from the attached USB backup drive with a single keystroke and never miss a beat. For those dead set on running dedicated hardware for your home or SOHO telephone system, there’s really no reason to spend more than $35 for a Raspberry Pi®. With its new quad-core processor and gig of RAM, it can meet or exceed any requirements you may have. Buy a second microSD card for redundancy and call it a day as far as hardware is concerned.

If you’d prefer to separate your telephone system from your house or small office, a Cloud-based setup may be a better fit. Our Platinum sponsor, RentPBX,[2] offers a worldwide collection of servers and will host your Asterisk-based PBX for $15 a month (Coupon Code: NOGOTCHAS) on a platform that rarely, if ever, goes down. If you like to tinker but also prefer a Cloud solution, consider Digital Ocean ($5 a month for a virtual machine) or Vultr ($2.50 a month) or HiFormance ($13/year). All four support Nerd Vittles with referral revenue which helps us keep the lights on.

NEWS FLASH: RentPBX now offers all of the new Incredible PBX builds with the Incredible PBX GUI. Tutorials available here: CentOS platform or Ubuntu platform. Use the NOGOTCHAS coupon code for $15/mo. pricing.

That’s our latest take on SOHO hardware. If you have additional questions or concerns, come join the PIAF Forum and take advantage of our hundreds of gurus who will give you all of the free advice you could ever want.

I’ve Got My Hardware Platform. Now What?

The next step is choosing an Asterisk telephony platform. That used to be easy. There was Plain Ol’ Asterisk if you were a guru or there was Asterisk@Home if you wanted a GUI to guide you through the telephony maze. Now it’s more complicated. There are a number of different Linux platforms. There are a number of different Asterisk versions. And there are a number of different GUIs that support Asterisk. So let’s work our way down the list starting with the Linux platform.

Choosing the Best Linux Platform for Asterisk

The gold standard for Asterisk servers has always been CentOS, a GPL clone of RedHat Enterprise Linux. It, too, is now owned by Red Hat. The old adage was that nobody ever got fired for recommending IBM. In the Asterisk community, that remains true with CentOS. Unfortunately, CentOS now comes in several flavors. There’s CentOS 6 or CentOS 7 which is a very different beast. For Asterisk deployments, you can’t go wrong with CentOS 6. It works well on the latest dedicated hardware and is supported on all virtual machine platforms.

As with choosing a language, you now have a choice of Linux platforms. There’s RedHat/CentOS, or Debian, or Ubuntu, or even Raspbian for the Raspberry Pi hardware. Unfortunately, the RedHat-CentOS and Debian-Ubuntu-Raspbian platforms have completely different languages, much like French and Spanish. The Linux packages that are included in the platforms also have different names. If you’re a Linux aficionado and you already have a favorite, stick with what you love. If you’re planning to deploy a Raspberry Pi, stick with Raspbian. For everyone else, CentOS 6 still is your best bet for now.

Choosing the Best Asterisk Platform

Believe it or not, there are many organizations still running their telephone systems using Asterisk 1.4 or 1.8 even though Digium support for those platforms ended years ago. In the commercial world, it is not uncommon to see telephone systems that are more than a decade old. With Asterisk, things are quite different. There’s a new version every year. Fortunately, Digium has adopted a new support philosophy and every other release (more or less) now is anointed with the LTS (Long Term Support) moniker. An LTS release gets four years of bug fixes and five years of security updates as opposed to the other releases that come with one year of bug fixes and two years of security updates. It’s still not 10 years, but it’s certainly better than wrestling with Asterisk updates annually.

We think there remains a need to reconsider these timetables. New updates have become so complex that the releases typically are almost two years into their life cycle before there is anyone that treats the releases as anything more than experimental. This was especially true of Asterisk 12 which was a terrific new product that provided dramatic improvements particularly in the SIP area. Unfortunately, it reached end-of-life status before most folks even had an opportunity to use it. Our recommendation remains Asterisk 13 which is an LTS version that’s rock-solid.

Choosing a GPL-Compliant GUI

Most of the GUIs for Asterisk have one primary purpose. They are code generators for the Asterisk telephony engine, nothing more. With each of them, you can turn off your web server after using the graphical user interface, and your phone system will continue to work as designed. The exception to that is Wazo which is an awesome real-time implementation of Asterisk. The only drawback is its steep learning curve.

In the top right sidebar of Nerd Vittles, you’ll find a colorful list of all the Asterisk distributions we support. The good news for you is they’re all free. So take a little time and load up several of them. Kick the tires until you find one that is easy for you to deploy. Our personal favorite remains Incredible PBX® 13-13, but you can’t go wrong with Issabel® or Wazo. Rome wasn’t built in a day so don’t expect to master Asterisk in a couple of hours. We’ve been at it for ten years and still learn something new almost every day. And that’s the fun of it.

A 3-Click Decision Tree for Asterisk

Now that you have the background, we also wanted to provide a simple Decision Tree tool that will guide you through choosing the Asterisk GPL aggregation that best meets your needs. After you’ve made your selections, the utility will point you to the tutorials that will walk you through downloading, installing, and using the platform of your choice. Just click here to get started. Enjoy!

Originally published: Monday, June 22, 2015  Updated: Wednesday, February 21, 2018




  1. We will introduce the all-new Incredible PBX GUI platform for VirtualBox next week on Nerd Vittles. If you’re in a hurry, the Pioneer’s Edition now is available with a tutorial to get you started on the PIAF Forum.
  2. Some of our links refer users to service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from some of these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us.

Introducing Incredible PBX 13 for CentOS 6 and 7


If you’re looking for the latest and greatest pure GPL, open source Asterisk® 13 aggregation with a pure GPL, open source graphical user interface, then today’s another lucky day for you. Last week, we introduced the Ubuntu 14 edition of Incredible PBX™ for Asterisk 13, and this week we have the CentOS/Scientific Linux flavor to share. This is an independent aggregation based solely upon GPL code. Unlike the competition, the operating system and cloud repository to support the product also are pure GPL open source code. And the Incredible PBX installers themselves are pure GPL open source code. You are more than welcome (encouraged!) to examine, improve, and share your discoveries.

Incredible PBX for CentOS 6.9 and 7 follows our standard install procedure which means it’s up to you to first create a CentOS 6.7 or 7 platform. If you prefer Scientific Linux or Oracle Linux, feel free to start there. All work equally well as a base platform and are supported by a worldwide group of developers. Once your OS platform is in place, simply run the Incredible PBX installer. After 30-60 minutes of whirring, you’ll end up with an awesome (free) state-of-the-art Asterisk-based VoIP server with the very latest LTS version of Asterisk 13 as well as dozens of turnkey Incredible PBX applications. So enjoy a nice lunch while the Incredible PBX installer works its magic. No user intervention is required during the installation procedure. All text-to-speech (TTS) applications work out of the box. You can add Google’s Speech Recognition to many Incredible PBX applications by following our 5-minute tutorial. And a GPL installation script for free faxing with HylaFax and AvantFax is also included. Be sure to download the latest Incredible Fax installer!

Installing a Base CentOS Operating System

CAUTION: Installing Incredible PBX on the CentOS 7 platform is still a work in progress that is suitable for pioneers only. For production systems, stick with 6.9.

Let’s begin by installing 64-bit CentOS 6.9 or 7 on your favorite hardware or Desktop. Or you may prefer to use a Cloud provider[1] that already offers a preconfigured CentOS image. In the latter case, you can skip this section.

For those using a dedicated hardware platform or wishing to install CentOS as a virtual machine, the drill is the same. Start by downloading the 64-bit CentOS 6.9 minimal ISO or the CentOS 7 minimal ISO. Burn the ISO to a DVD unless you’ll be booting from the ISO on a virtual machine platform such as VirtualBox. On virtual platforms, we recommend at least 1GB RAM and a 20GB dedicated drive. For VirtualBox, here are the settings:

Type: Linux
Version: RedHat 64-bit
RAM: 1024MB
Default Drive Options with 20GB+ space
Create
Settings->System: Enable IO APIC and Disable HW Clock (leave rest alone)
Settings->Audio: Enable
Settings->Network: Enable, Bridged
Settings->Storage: Far right CD icon (choose your ISO)
Start

Boot your server with the ISO, and start the CentOS install. Here are the simplest installation steps:

Choose Language and Click Continue
Click: Install Destination (do not change anything!)
Click: Done
Click: Network & Hostname
Click: ON
Click: Done
Click: Begin Installation
Click: Root Password: password, password, Click Done twice
Wait for Minimal Software Install and Setup to finish
Click: Reboot

Configuring CentOS for Incredible PBX

Now log into your server as root and issue the following commands to put the basic pieces in place and to reconfigure your Ethernet port as eth0. Make a note of your IP address so you can log in with SSH.

setenforce 0
yum -y install net-tools nano wget tar
yum -y upgrade --skip-broken
# decipher your server's IP address
ifconfig
# patch grub and ignore errors if your server doesn't use it
sed -i 's|quiet|quiet net.ifnames=0 biosdevname=0|' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# for older CentOS/SL 6 platforms, perform 3 steps below:
#wget http://incrediblepbx.com/update-kernel-devel
#chmod +x update-kernel-devel
#./update-kernel-devel
reboot

If you’re on a virtual machine platform, now would be a good time to make an export or backup of your CentOS image. The minimal install is about 500MB. Don’t forget to first remove your hardware address (HWADDR) and network UUID from /etc/sysconfig/network-scripts/ifcfg-enp0s3 or whatever file name was assigned to your hardware. The saved image will be bootable with DHCP network support anywhere down the road.

NEWS FLASH: For those wanting to test things out using VirtualBox, a Scientific Linux 7.1 Remix image (2GB) is now available on SourceForge. It gets you to right here in the install process.

Installing Incredible PBX with CentOS

Adding Incredible PBX to a running CentOS 6.9 or 7 server is a walk in the park. To restate the obvious, your server needs a reliable Internet connection to proceed. Be sure to use SSH (or Putty on a Windows machine) to begin because the installer locks the firewall down to your local network and the IP address of the machine from which you perform the install. Log into your new server as root at the IP address you deciphered in the ifconfig step in the CentOS installation procedure above.

WARNING: If you’re using a 512MB droplet at Digital Ocean, be advised that their setups do NOT include a swap file. This may cause serious problems when you run out of RAM. Uncomment ./create-swapfile-DO line below to create a 1GB swap file which will be activated whenever you exceed 90% RAM usage on Digital Ocean.

Now let’s begin the Incredible PBX install.

NOTE: To more clearly identify packaging as we move forward, there has been a change in the Incredible PBX naming and numbering scheme. Henceforth, the file name and version reflects the Asterisk version, the GUI version, the Incredible PBX release number, and the OS platform. For example, incrediblepbx13-12.0-centos tells you the product includes Asterisk 13, the version 12 GUI, .0 release number, and the CentOS platform.

cd /root
wget http://incrediblepbx.com/incrediblepbx13-12.2-centos.tar.gz
tar zxvf incrediblepbx*
#./create-swapfile-DO
./IncrediblePBX*

Once you have agreed to the license agreement and terms of use, press Enter and go have a long cup of coffee. The Incredible PBX installer runs unattended so find something to do for the next 30-60 minutes unless you just like watching code compile. When the installation is complete, reboot your server and log back in as root. You should be greeted by something like this showing the status of the major apps as well as your free RAM and DISK space:

Perform the following steps:

Make your root password very secure: passwd
Create admin password for GUI access: /root/admin-pw-change
Set your correct time zone: /root/timezone-setup
Create admin password for web apps: htpasswd /etc/pbx/wwwpasswd admin
Make a copy of your Knock codes: cat /root/knock.FAQ
Decipher IP address and other info about your server: status

Incredible PBX includes an automatic update utility which downloads important updates whenever you log into your server as root. We recommend you log in once a week to keep your server current.

You can access the Incredible PBX GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display.

Choose Incredible GUI Administration from the Admin menu of the Kennonsoft GUI (shown above) by clicking on User to switch. The default username is admin and the password is what you set when the install completed. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for your 701 extension and voicemail account: Applications -> Extensions -> 701. If you’re behind a hardware-based firewall, verify the NAT setting: YES.

Soft Phone Setup with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:


DEMO - Allison's IVR Demo
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to set up a free Google Voice account. Google has threatened to shut this down but as this is written, it still works. We will have an update for OAUTH authentication support soon. The safer long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.

Google Voice: Plain-Text Passwords

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using the GUI. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX. It’s free at least through 2013. Google Voice no longer is by invitation only so, if you’re in the U.S. or have a friend that is, head over to the Google Voice site and register.

You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work… in either direction. Google used to permit outbound Gtalk calls using a fake CallerID, but that obviously led to abuse so it’s over! You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don’t skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you’d like in Settings, Voice Setting, Phones. But…

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF
  • Call Options (Enable Recording): OFF
  • Global Spam Filtering: ON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

UPDATE: Google has improved things… again. You may not see the options documented above at all. Instead, you may be presented with the new Google Voice interface which does not include the Google Chat option. But fear not. At least for now there’s still a way to get there. After you have set up your new phone number, click on (1) Settings -> Phone Numbers and then click (2) Transfer (as shown below). That returned the old UI. Make sure the Google Chat option is selected and disable forwarding calls to default phone number.



One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in the GUI. After logging in with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. Do NOT check the third box or incoming calls will never ring!

IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

Google Voice: Using OAuth Credentials

If you’re one of the five people on Earth that does not yet have a Gmail account, start there. Once you’ve set up your Gmail account and logged in, open a new browser tab to access the Google Voice site. Accept the Google Terms and Privacy Policy. Then choose a new Phone Number in your favorite area code. NOTE: Before Google will assign you a number, you must enter an existing U.S. phone number to verify your identity and location as well as to use for initially forwarding calls. Once your account is set up, you will get an email asking that you verify your email address. Once you’ve done that, you’ll be prompted to login to your Google Voice account again. When you do so, you’ll be prompted to Install the Hangouts Dialer app to make VoIP calls from Android. Do NOT install the dialer, or you may break the ability to use your Google Voice number with Asterisk. Instead, click X to close the dialog box.

UPDATE: Google continues to tighten up on obtaining more than one Google Voice number from the same computer or the same IP address. If this is a problem for you, here’s a workaround. From your smartphone, install the Google Voice app from iPhone App Store or Google’s Play Store. Then open the app and login to your new Google account. Choose your new Google Voice number when prompted and provide a cell number with SMS as your callback number for verification. Once the number is verified, log out of Google Voice. Do NOT make any calls. Now head back to your PC’s browser and login to http://google.com/voice. You will be presented with the new Google Voice interface which does not include the Google Chat option. But fear not. At least for now there’s still a way to get there. After you have set up your new phone number and opened the Google Voice interface, click on the 3 vertical dots in the left sidebar (it’s labeled More). When it opens, click Legacy Google Voice in the sidebar. That will return you to the old UI. Now click on the Gear icon (upper right) and choose Settings. Make sure the Google Chat option is selected and disable forwarding calls to whatever default phone number you set up.

Next, click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF
  • Call Options (Enable Recording): OFF
  • Global Spam Filtering: ON

Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Then click Save Settings. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now it’s time to obtain your OAuth 2 credentials. Even though it’s a bit more work on the front end, the good news is you won’t have to worry about your Google Voice trunks failing when Google phases out plain-text passwords. The other good news is you won’t be passing your plain-text Google Voice credentials across the Internet for everyone in the world to see.

While you’re still logged into your Google Voice account, you need to obtain a refresh_token which is what you’ll use instead of a password when setting up your Google Voice account with XiVO. Here’s how.

1. Be sure you are still logged into your Google Voice account. If not, log back in at https://www.google.com/voice.

2. Go to the Google OAUTH Playground using your browser while still logged into your Google Voice account.

3. Once logged in to Google OAUTH Playground, click on the Gear icon in upper right corner (as shown below).

  3a. Check the box: Use your own OAuth credentials
  3b. Enter Incredible PBX OAuth Client ID:

466295438629-prpknsovs0b8gjfcrs0sn04s9hgn8j3d.apps.googleusercontent.com

  3c. Enter Incredible PBX OAuth Client secret: 4ewzJaCx275clcT4i4Hfxqo2
  3d. Click Close

4. Click Step 1: Select and Authorize APIs (as shown below)

  4a. In OAUTH Scope field, enter: https://www.googleapis.com/auth/googletalk
  4b. Click Authorize APIs (blue) button.

5. Click Step 2: Exchange authorization code for tokens

  5a. Click Exchange authorization code for tokens (blue) button

  5b. When the tokens have been generated, Step 2 will close.

6. Reopen Step 2 and copy your Refresh_Token. This is the "password" you will need to enter (together with your Gmail account name and 10-digit GV phone number) when you add your GV trunk in the Incredible PBX GUI. Store this refresh_token in a safe place. Google doesn’t permanently store it!

7. Authorization tokens NEVER expire! If you ever need to remove your authorization tokens, go here and delete the Incredible PBX Google Voice OAUTH entry by clicking on it and choosing the DELETE option.
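What happens to the refresh_token after step 6, shown as an added example that is not part of Incredible PBX or of the original article: it is kept in an owner-only file and exchanged over TLS for a short-lived access token using the standard OAuth 2.0 refresh grant. The file path, the function names and the sample response are assumptions constructed for illustration.

```python
import json
import os
import stat
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint

# Constructed sample of a successful token response (values are made up).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ya29.EXAMPLE-constructed",
    "expires_in": 3600,
    "scope": "https://www.googleapis.com/auth/googletalk",
    "token_type": "Bearer",
})


def store_refresh_token(path, token):
    """Write the long-lived token to a file only its owner can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    os.chmod(path, 0o600)  # also tightens a file that already existed


def load_refresh_token(path):
    """Refuse a token file that group or other users can access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {mode:04o}; expected 0600")
    with open(path) as fh:
        return fh.read().strip()


def build_refresh_request(client_id, client_secret, refresh_token):
    """Build the RFC 6749 section 6 refresh grant as a form-encoded POST."""
    form = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Return (access_token, lifetime in seconds) or raise on an error reply."""
    data = json.loads(raw)
    if "error" in data:
        # A deleted or revoked authorization is answered with "invalid_grant".
        raise RuntimeError(f"token refresh refused: {data['error']}")
    return data["access_token"], int(data["expires_in"])


if __name__ == "__main__":
    # Placeholders only; nothing is sent to Google by this example.
    req = build_refresh_request("CLIENT_ID", "CLIENT_SECRET", "REFRESH_TOKEN")
    print(req.get_method(), req.full_url)
    print(parse_token_response(SAMPLE_RESPONSE))
```

The refresh token is the only long-lived secret in this exchange, which is why the loader rejects a file readable by anyone but its owner.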

Switch back to your Gmail account and click on the Phone icon at the bottom of the window to place one test call. Once you successfully place a call, you can log out of Google Voice and Gmail.

Now you’re ready to set up your Google Voice trunk in the GUI. After logging in with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. Do NOT check the third box or incoming calls will never ring!

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work with these simple settings in the GUI: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

Incredible PBX Security Model for CentOS

Incredible PBX for CentOS joins our previous Ubuntu build as our most secure turnkey PBX implementation. As configured, it is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. The latest release also includes Port Knocker for simple, secure access from any remote computer or smartphone. You can get up to speed on how the technology works by reading the Nerd Vittles tutorial. Your Port Knocker credentials are stored in /root/knock.FAQ together with activation instructions for your server and mobile devices. The NeoRouter VPN client also is included for rock-solid, secure connectivity to remote users. Read our previous tutorial for setup instructions. As configured, nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. You can whitelist additional IP addresses by running the command-line utility /root/add-ip. You can remove whitelisted IP addresses by running /root/del-acct. Incredible PBX is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking. We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. And it’s your phone bill. 😉

The IPtables firewall is a complex piece of software. If you need assistance with configuring it, visit the PIAF Forum for some friendly assistance.

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX server, simply copy the image to a server running Asterisk 13 and the same version of the Incredible PBX GUI. Then run /root/incrediblerestore. Doesn’t get much simpler than that.

Incredible PBX Automatic Update Utility

Every time you log into your server as root, Incredible PBX will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along.

In the meantime, we encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie.

Originally published: Monday, July 13, 2015



  1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us. []

Introducing Incredible PBX 13-12 with Incredible GUI for the Ubuntu 14 Platform



Two months ago we turned the page on Asterisk® GUIs by introducing a new GUI that hopefully provides the best of both worlds. It preserves the GPL components of the FreePBX® product that many of us have nurtured for almost a decade while removing the commercial pieces that have introduced some friction into the equation for users and companies that simply wished to deploy or redistribute a graphical user interface for Asterisk in accordance with the free GPL licenses under which the product and its components were licensed. We followed up by opening up the cloud component which serves as the lynchpin for GPL module administration within the GUI itself. We remain hopeful that these two tweaks will encourage Sangoma, the new owner of the FreePBX project, to do the right thing and get the non-commercial pieces of the project back on the right track moving forward. As we’ve stressed all along, we do not want to tarnish the incredibly hard work that dozens of developers in the open source community have poured into both of these projects over the past decade. We continue to be amazed at what they’ve been able to achieve, and we salute their accomplishments. The Asterisk 12 and 13 revolution never would have happened without the contributions of the FreePBX development team. We think the new Incredible PBX GUI stands as a testament to what can be accomplished while preserving the true spirit of open source development and the terms of the GPL licenses under which this product and its numerous modules are licensed.

Today we take the next step in the journey with release of a production-ready version of Asterisk 13 LTS for the Ubuntu 14 platform. It has all the bells and whistles to which you have become accustomed including Incredible Fax featuring HylaFax and AvantFax. It also includes literally dozens of turnkey applications that show off the very best features of Asterisk. In addition to Incredible PBX, you also gain unfettered access to our new GPL repository to maintain release 12 of the GUI. No strings, no gotchas, and no murky licenses. Pure GPL in Plain View!

Why Not Use FreePBX 13? Glad you asked. Despite the freepbx.org facelift1 and the eternal message that "The ‘Free’ Stands for Freedom," it turns out the business practices haven’t changed much since the Sangoma takeover. If your idea of "freedom" is a closed source VoIP platform with no way to emulate the repository used to manage and upgrade the "GPL" components in FreePBX 13 and no way to install the FreePBX 13 GUI or its "GPL" components other than switching to the proprietary FreePBX Distro, then FreePBX 13 may be just the ticket. If you’d prefer a RealGPL platform that lets you choose which components you’d like on your server, then keep reading. And drop the Sangoma and Digium honchos a note and let them know how you feel about FREEDOM.

William J. Wignall, President and CEO
Sangoma Technologies
100 Renfrew Drive, Suite 100
Markham ON L3R 9R6 CANADA

Danny Windham, CEO
Digium, Inc.
445 Jan Davis Drive Northwest
Huntsville, AL 35806 USA

Mark Spencer, Founder and CTO
Digium, Inc.
445 Jan Davis Drive Northwest
Huntsville, AL 35806 USA

Update: A GPL release of FreePBX 13 beta miraculously appeared shortly after publication of this article. Still no GPL repository is available that is compatible with the integrated Admin Module component of the product.

Building an Ubuntu 14.04 Platform for Incredible PBX

As a result of the trademark and copyright morass, we’ve steered away from the bundled operating system in favor of a methodology that relies upon you to put in place the operating system platform on which to run PBX in a Flash or Incredible PBX. The good news is it’s easy! With many cloud-based providers2, you can simply click a button to choose your favorite OS flavor and within minutes, you’re ready to go. With many virtual machine platforms such as VirtualBox, it’s equally simple to find a pre-built Ubuntu 14.04 image or roll your own.

If you’re new to VoIP or to Nerd Vittles, here’s our best piece of advice. Don’t take our word for anything! Try it for yourself in the Cloud! You can build an Ubuntu 14.04 image on Digital Ocean in under one minute and install today’s Incredible PBX for Ubuntu 14.04 in about 15 minutes. Then try it out for two full months. It won’t cost you a dime. Use our referral link to sign up for an account. Enter a valid credit card to verify you’re who you say you are. Create an Ubuntu 14.04 (not 14.10!) 512MB droplet of the cheapest flavor ($5/mo.). Go to the Billing section of the site, and enter the following promo code: UBUNTUDROPLET. That’s all there is to it. A $10 credit will be added to your account, and you can play to your heart’s content. Delete droplets, add droplets, and enjoy the free ride!

For today, we’ll walk you through building your own stand-alone server using the Ubuntu 14.04 mini.iso. If you’re using Digital Ocean in the Cloud, skip down to Installing Incredible PBX 13-12 (HINT: 13 tells you the Asterisk release and 12 tells you the GUI release). If you’re using your own hardware, to get started, download the 64-bit Ubuntu 14.04 "Trusty Tahr" Minimal ISO from here. Yes, the 32-bit platform is also supported. Now burn the ISO to a CD/DVD or thumb drive and boot your dedicated server from the image. Remember, you’ll be reformatting the drive in your server so pick a machine you don’t need for other purposes.

For those that would prefer to build your Ubuntu 14.04 Wonder Machine using VirtualBox on any Windows, Mac, or existing Linux Desktop, here are the simple steps. Create a new virtual machine specifying the 64-bit version of Ubuntu. Allocate 1024MB of RAM (512MB also works fine with a swap file) and at least 20GB of disk space using the default hard drive setup in all three steps. In Settings, click System and check Enable I/O APIC and uncheck Hardware Clock in UTC Time. Click Audio and Specify then Enable your sound card. Click Network and Enable Network Adapter for Adapter 1 and choose Bridged Adapter. Finally, in Storage, add the Ubuntu 14.04 mini.iso to your VirtualBox Storage Tree as shown below. Then click OK and start up your new virtual machine. Simple!

Here are the steps to get Ubuntu 14.04 humming on your new server or virtual machine once you’ve booted up. If you can bake cookies from a recipe, you can do this:

UBUNTU mini.iso install:
Choose language
Choose timezone
Detect keyboard
Hostname: incrediblepbx < continue >
Choose mirror for downloads
Confirm archive mirror
Leave proxy blank unless you need it
< continue >
** couple minutes of whirring as initial components are loaded **
New user name: incredible
< continue >
Account username: incredible
< continue >
Account password: makeitsecure
< continue >
Encrypt home directory < no >
Confirm time zone < yes >
Partition disks: Guided - use entire disk and set up LVM
Confirm disk to partition
Write changes to disks and configure LVM
Whole volume? < continue >
Write changes to disks < yes > <-- last chance to preserve your disk drive!
** about 15 minutes of whirring during base system install ** < no touchy anything >
** another 5 minutes of whirring during base software install ** < no touchy anything >
Upgrades? Install security updates automatically
** another 5 minutes of whirring during more software installs ** < no touchy anything >
Software selection: *Basic Ubuntu server (only!)
** another couple minutes of whirring during software installs ** < no touchy anything >
Grub boot loader: < yes >
UTC for system clock: < no >
Installation complete: < continue > after removing installation media
** on VirtualBox, PowerOff after reboot and remove [-] mini.iso from Storage Tree & restart VM
login as user: incredible
** enter user incredible's password **
sudo passwd
** enter incredible password again and then create secure root user password **
su root
** enter root password **
apt-get update
apt-get install ssh -y
sed -i 's|without-password|yes|' /etc/ssh/sshd_config
sed -i 's|yes"|without-password"|' /etc/ssh/sshd_config
sed -i 's|"quiet"|"quiet text"|' /etc/default/grub
update-grub
ifconfig
** write down the IP address of your server from ifconfig results
reboot
** login via SSH to continue **

Installing Incredible PBX 13-12 on Your Ubuntu 14.04 Server

Adding Incredible PBX 13-12 to a running Ubuntu 14.04 server is a walk in the park. To restate the obvious, your server needs a reliable Internet connection to proceed. Using SSH (or Putty on a Windows machine), log into your new server as root at the IP address you deciphered in the ifconfig step at the end of the Ubuntu install procedure above. First, make sure to run the update step for Ubuntu below before you begin the install. This is especially important if you’re using a cloud-based Ubuntu 14 server.

ALERT: Ubuntu has introduced a new MySQL bug in their June, 2016 upgrade. Do NOT run apt-get upgrade, or Incredible PBX installation will fail.

apt-get update && touch /root/COPYING

WARNING: If you’re using a 512MB droplet at Digital Ocean, be advised that the DO Ubuntu setup does NOT include a swap file. This may cause serious problems when you run out of RAM. Uncomment the ./create-swapfile-DO line below to create a 1GB swap file which will be activated whenever you exceed 90% RAM usage on Digital Ocean.

Now let’s begin the Incredible PBX 13-12 install. Log back in as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/incrediblepbx13-12.2-ubuntu14.tar.gz
tar zxvf incrediblepbx*
apt-get install dialog
#./create-swapfile-DO
./Incredible*

Once you have agreed to the license agreement and terms of use, press Enter and go have a 30-minute cup of coffee. The Incredible PBX installer runs unattended so find something to do for a bit unless you just like watching code compile. When you see "Have a nice day", your installation is complete. Hit the Enter key to reboot the server unless you need to add additional entries to your firewall whitelist.

Once the server restarts, log back in as root and you should be greeted with a status display that looks something like this after the Automatic Update Utility runs:

Assuming you’ve already created a very secure root password (update it by running passwd), perform the following 5 Steps to get everything locked down:

  1. Create an admin password for GUI access: /root/admin-pw-change
  2. Create an admin password for Apache web access: htpasswd /etc/pbx/wwwpasswd admin
  3. Configure the correct timezone for your server: /root/timezone-setup
  4. Retrieve your PortKnocker setup like this: cat /root/knock.FAQ
  5. Add IPtables WhiteList entries for remote access: /root/add-ip or /root/add-fqdn

Incredible PBX includes an automatic update utility which downloads important updates whenever you log into your server as root. We recommend you log in once a week to keep your server current. Now would be a good time to log out and back into your server at the Linux command line to bring your server up to current specs.

You can access the Incredible PBX GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display.

When the Kennonsoft menu (shown above) appears, click on the User tab to open the Admin menu. Then click on Incredible GUI Administration to access the Incredible PBX GUI. The default username is admin with the password you created above. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for default 701 extension and voicemail: Applications -> Extensions -> 701.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. You can dial a few of these to get started or, better yet, take Allison’s Incredible PBX IVR for a spin by dialing D-E-M-O (3366). NOTE: The Voice Recognition options will not work until you first enter your credentials (covered below).

123 - Reminders
222 - ODBC Demo (use acct: 12345)
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

The next step is establishing an interface on your PBX to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use an existing (free) Google Voice account. Google has threatened to shut this down but as this is written, it still works with previously set up Google Voice accounts. The more desirable long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.

Incredible PBX Wholesale Providers Access

Nerd Vittles has negotiated a special offer that gives you instant access to 300+ wholesale carriers around the globe. In lieu of paying the $650 annual fee for the service, a 13% wholesale surcharge is assessed to cover operational costs of TelecomsXchange. In addition, TelecomsXchange has generously offered to contribute a portion of the surcharge to support the Incredible PBX open source project. See this Nerd Vittles tutorial for installation instructions and signup details.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax 11, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using the GUI. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Google Voice account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Use a previously configured and dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX 11.

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you’re probably out of luck. Google has disabled the option in newly created accounts as well as some old ones that had Google Chat disabled. Now go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF
  • Call Options (Enable Recording): OFF
  • Global Spam Filtering: ON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

UPDATE: Google has improved things… again. You may not see the options documented above at all. Instead, you may be presented with the new Google Voice interface which does not include the Google Chat option. But fear not. At least for now there’s still a way to get there. After you have set up your new phone number, click on (1) Settings -> Phone Numbers and then click (2) Transfer (as shown below). That returned the old UI. Make sure the Google Chat option is selected and disable forwarding calls to default phone number.



One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in the GUI. After logging in with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. Do NOT check the third box or incoming calls will never ring!

IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

And here’s another way to access Google Voice securely using an inexpensive commercial SIP gateway:

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work by entering these simple settings in the GUI: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

Adding Voice Recognition to Incredible PBX

To support many of our applications, Incredible PBX has included Google’s speech recognition service for years. These applications include Weather Reports by City (949), AsteriDex Voice Dialing by Name (411), and Wolfram Alpha for Asterisk (4747), all of which use Lefteris Zafiris’ terrific speech-recog AGI script. Unfortunately (for some), Google now has tightened up the terms of use for their free speech recognition service. Now you can only use it for "personal and development use." If you meet those criteria, keep reading. Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

Now you’re ready to try out the speech recognition apps. Dial 949 and say the name of a city and state/province/country to get a current weather forecast from Yahoo. Dial 411 and say "American Airlines" to be connected to American.

To use Wolfram Alpha by phone, you first must install it. Obtain your free Wolfram Alpha APP-ID here. Then run the one-click installer: /root/wolfram/wolframalpha-oneclick.sh. Insert your APP-ID when prompted. Now dial 4747 to access Wolfram Alpha by phone and enter your query, e.g. "What planes are overhead." Read the Nerd Vittles tutorial for additional examples and tips.

A Few Words about the Incredible PBX Security Model for Ubuntu

Incredible PBX for Ubuntu 14 is a very secure, turnkey PBX implementation. As configured, your server is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. Nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. Incredible PBX is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking.

You can whitelist additional IP addresses for remote access in several ways. First, you can use the command-line utilities: /root/add-ip and /root/add-fqdn. You can also remove whitelisted IP addresses by running /root/del-acct. Second, you can dial into extension 864 (or use a DID pointed to extension 864 aka TM4) and enter an IP address to whitelist. Before Travelin’ Man 4 will work, you’ll need to add credentials for each caller using the tools in /root/tm4. You must add at least one account before dial-in whitelisting will be enabled. Third, you can temporarily whitelist an IP address by successfully executing the PortKnocker 3-knock code established for your server. You’ll find the details and the codes in /root/knock.FAQ. Be advised that IP addresses whitelisted with PortKnocker (only!) go away whenever your server is rebooted or the IPtables firewall is restarted. For further information on the PortKnocker technology and available clients for iOS and Android devices, review the Nerd Vittles tutorial.

HINT: Storing your PortKnocker codes in a safe place is essential because they may be your only available way to gain access to your server if your IP address changes. You obviously can’t use the command-line tools to whitelist a new IP address if you cannot gain access to your server at the new IP address.

We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. If you use a hardware-based firewall, be sure to map the three PortKnocker ports to the internal IP address of your server!

The NeoRouter VPN client also is included for rock-solid, secure connectivity for remote users. Read our previous tutorial for setup instructions.

As one would expect, the IPtables firewall is a complex piece of software. If you need assistance configuring it, visit the PIAF Forum for some friendly assistance.
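The whitelist model described above only holds if no ACCEPT rule lets new traffic reach SSH, the web GUI or SIP from an arbitrary address. The shell function below is an added example, not part of Incredible PBX or the original article; it scans iptables-save output for such rules. The port list and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Incredible PBX: report INPUT rules that ACCEPT
# new connections to PBX service ports from any source address.

# Assumption: ports a typical Asterisk server exposes (SSH, web GUI, SIP).
SENSITIVE_PORTS="22 80 443 5060 5061"

# Reads iptables-save output on stdin and prints one line per finding:
#   OPEN ports=<spec> rule: <rule text>
# Limits: only the INPUT chain is walked; jumps to custom chains and
# ip6tables rules are not followed.
audit_rules() {
    awk -v ports="$SENSITIVE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }

    # True when a --dport/--dports value (port, a:b range, or comma list)
    # covers at least one sensitive port.
    function covers(spec,    parts, m, k, r, port) {
        m = split(spec, parts, ",")
        for (k = 1; k <= m; k++) {
            if (split(parts[k], r, ":") == 2) {
                for (port in want)
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
            } else if (parts[k] in want) {
                return 1
            }
        }
        return 0
    }

    # Skip non-rules, other chains, and anything after a catch-all rule.
    $1 != "-A" || $2 != "INPUT" || stopped { next }

    {
        restricted = 0; dport = ""; target = ""; iface = ""; state = ""; proto = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s" || $i == "--src-range") {
                # A negated (! -s) or 0.0.0.0/0 source leaves the port open
                # to the rest of the Internet, so it does not count.
                if ($(i - 1) != "!" && $(i + 1) != "0.0.0.0/0") restricted = 1
            }
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "-i") iface = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        catchall = ($3 == "-j")     # rule has no match criteria at all
        if (catchall && (target == "DROP" || target == "REJECT")) { stopped = 1; next }
        if (target != "ACCEPT" || iface == "lo" || restricted) next
        if (state != "" && state !~ /NEW/) next     # replies to existing flows
        if (dport == "") {
            # No port match: every TCP/UDP port is reachable.
            if (proto != "" && proto != "tcp" && proto != "udp" && proto != "all") next
            exposed = "all"
        } else if (covers(dport)) {
            exposed = dport
        } else {
            next
        }
        print "OPEN ports=" exposed " rule: " $0
        if (catchall) stopped = 1
    }'
}

# Constructed sample ruleset (documentation addresses, not a real server).
# On a live server, run as root:  iptables-save | audit_rules
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s 203.0.113.25/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT ! -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
COMMIT
EOF
}

# Demo: the sample contains three rules that bypass the whitelist.
sample_ruleset | audit_rules
```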

Adding Incredible Fax 11 to Your Server

Once you’ve completed the Incredible PBX install, log out and log back in to load the latest automatic updates. Then reboot. Now you’re ready to continue your adventure by installing Incredible Fax 11 for Ubuntu. Special thanks to Josh North for all his hard work on this! The latest download includes the Incredible Fax 11 installer, but it needs updating. Follow this tutorial to load the appropriate update onto your server. Then just run the script:

cd /root
./incrediblefax11_ubuntu14.sh

Accept all of the defaults during the installation process. IMPORTANT: Once you complete the install, reboot your server. After rebooting, log into the GUI and choose Module Admin and enable the AvantFax module. When you log out of the GUI, there now will be an option for AvantFax on the GUI’s main login screen. Choose it and enter admin:password to login and change your default password. You also can set your AvantFax admin password by logging into the Linux CLI and… /root/avantfax-pw-change.

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX server, simply copy the image to a server running Asterisk 13 and the Incredible PBX 13-12 GUI. Then run /root/incrediblerestore. Doesn’t get much simpler than that.

Incredible PBX Automatic Update Utility

Every time you log into your server as root, Incredible PBX will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along. Also be sure to check the PBX in a Flash RSS Feed inside the GUI for the latest security alerts.

Mastering the Incredible PBX Applications

Your next stop should be a quick read of the Application User’s Guide for Incredible PBX. Even though the target audience was Raspberry Pi users, the feature set is identical, and this guide will tell you everything you need to know about the dozens of applications for Asterisk that have been installed on your new server.

We also want to encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie. Come join us!

Originally published: Wednesday, July 8, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

  1. Ironically, the word "GPL" only appears once on the FreePBX web site, and that’s to remind you that Sangoma’s commercial "modules are not Open Source GPL and are only designed to work with CentOS or RHEL systems."
  2. With some providers including ones linked in this article, Nerd Vittles receives referral fees which assist in keeping the Nerd Vittles lights burning brightly.

60 Seconds to Real Independence: Incredible PBX GUI Comes to VirtualBox

As we continue the march toward a truly free, RealGPL, open source VoIP platform for Asterisk®, we couldn’t think of a better time of the year for this announcement. Today we’re pleased to introduce our first virtual machine platform with an Incredible PBX™ GUI image that you can install in less than 60 seconds on virtually any desktop computer in the world. When the install is finished you’ll have the latest Asterisk 11 running atop Scientific Linux™ 6.6 with version 12 of the new Incredible PBX GUI. You’ll also have the very first Asterisk aggregation with native support for OAUTH authentication and secure communications using Google Voice. And it’s all FREE. No Gotchas!

Think of Incredible PBX as the glue stick that assembles all the necessary VoIP components into a state of the art Linux platform and holds them together seamlessly. As with all Incredible PBX builds, you also get the full complement of goodies including dozens of text-to-speech apps, voice dialing, SMS messaging, free fax support, reminders and wakeup calls, and SECURITY! The difference with the VirtualBox® platform is you get a turnkey install of everything on any desktop computer in less than one minute! That includes Windows PCs, Macs, Linux desktops, and even Solaris machines.

Is VirtualBox merely a sandbox for experimentation? Absolutely not. With any of the beefier desktop computers today, running Incredible PBX as a 24/7 VirtualBox image is every bit as feature rich with stellar performance, and it’s equivalent to using dedicated hardware. And there are some added advantages. Obviously, deploying a turnkey VoIP platform in under a minute is a major plus. But, unlike using a dedicated Linux platform, you also get the ability to take snapshots of your system and do full backups in minutes instead of the hours required to bring down dedicated hardware, load a different backup application using a different operating system, perform a backup, and then reboot your VoIP server. And your backups won’t just run on the one server on which the backup was performed. You can restore the backup to any other computer that can run VirtualBox. For any of you that came from a network management background, you know what a big deal that really is. And there’s one more bonus. With Incredible Backup and Restore, you can move to dedicated hardware running the same operating system with Asterisk 11 and the same version of the Incredible PBX GUI in minutes.

Need to deploy VoIP servers at dozens of sites around the globe? Not a problem with VirtualBox. Just send a preconfigured VirtualBox image to each site and install VirtualBox on a local desktop computer. In 60 seconds, you’ll have a functional VoIP server including interconnectivity to all of your other VoIP servers with a virtual private network already in place to provide secure VoIP connectivity between all of your sites.

Are there security compromises using the VirtualBox platform? Not at all. Incredible PBX comes preconfigured with the Linux IPtables firewall that is locked down to a whitelist of local area networks, preferred providers, and your own IP addresses. You can expand the whitelist using the add-ip and add-fqdn scripts or use PortKnocker and Travelin’ Man 4 tools to let remote users gain instant access.

So What’s All the GPL Fuss About? It’s about FREEDOM, the freedom to use or not use the GPL modules you wish to use without enduring false alerts that your system has been compromised and without being blocked from removing components that produce revenue for Sangoma®… as the GPL requires. It’s about FREEDOM to redistribute or resell the product AS IS… as the GPL requires. It’s about FREEDOM to examine and modify ALL of the source code using ALL of the tools and components necessary, not just ones Sangoma has chosen to provide… as the GPL requires. It’s about FREEDOM to add GUI components to your server with No Gotchas whether or not the individual modules were produced by Sangoma… as the GPL requires.


If you support the GPL and use open source projects, then you owe it to yourself and to the GPL community to get up to speed and get involved! Can’t we all just get along? You bet… when everyone does what they’ve agreed to do. Spend an hour or two of your Independence Day reading some of the Nerd Vittles commentary on FreePBX® and the GPL.

BUY 3 STAMPS and let Sangoma and Digium hear from you. Don’t be shy. It’s about your FREEDOM.

William J. Wignall, President and CEO
Sangoma Technologies
100 Renfrew Drive, Suite 100
Markham ON L3R 9R6 CANADA

Danny Windham, CEO
Digium, Inc.
445 Jan Davis Drive Northwest
Huntsville, AL 35806 USA

Mark Spencer, Founder and CTO
Digium, Inc.
445 Jan Davis Drive Northwest
Huntsville, AL 35806 USA

Getting Started. For today, we’ll provide a refresher course on loading VirtualBox and the Incredible PBX virtual image. Then we want to spend a little time explaining the secret sauce that goes into building these images so that you can do it yourself either to migrate to a different network or to deploy at multiple sites. It’s called open source for a reason! When we’re finished, you’ll know everything we’ve learned about deploying VirtualBox machines and, unlike Grandma and some GUI platforms, we won’t leave an important ingredient out of the recipe just to be sure you never forget how good Grandma’s cookies really were. So let’s get started.

Installing Oracle VM VirtualBox

Oracle’s virtual machine platform inherited from Sun is amazing. It’s not only free, but it’s pure GPL2 code. VirtualBox gives you a virtual machine platform that runs on top of any desktop operating system. In terms of limitations, we haven’t found any. We even tested this on an Atom-based Windows 7 machine with 2GB of RAM, and it worked without a hiccup. So step #1 today is to download one or more of the VirtualBox installers from VirtualBox.org or Oracle.com. Our recommendation is to put all of the 100MB installers on a 4GB thumb drive.[1] Then you’ll have everything in one place whenever and wherever you happen to need it. Once you’ve downloaded the software, simply install it onto your favorite desktop machine. Accept all of the default settings, and you’ll be good to go. For more details, here’s a link to the Oracle VM VirtualBox User Manual.

Downloading the Incredible PBX GUI Virtual Machine

A word of warning on the front end. Today’s Incredible PBX image featuring Asterisk 11 for VirtualBox is huge! The Scientific Linux 6.6 image with version 12 of Incredible PBX GUI is nearly 3GB. Be patient. You only have to download it once. Just click on the 11-12.3 .OVA image in this SourceForge link and start the download to your desktop. Then go have a nice lunch.

Importing & Configuring Incredible PBX Virtual Machines in VirtualBox

You only perform the import step one time. Once imported into VirtualBox, Incredible PBX is ready to use. There’s no further installation required, just like an OpenVZ template… only better. Double-click on the .ova file you downloaded to begin the procedure and load it into VirtualBox. When prompted, be sure to check the Reinitialize the MAC address of all network cards box and then click the Import button. Once the import is finished, you’ll see a new Incredible PBX virtual machine in your VM List on the VirtualBox Manager Window. We need to make a couple of one-time adjustments to the Incredible PBX VM configuration to account for differences in sound and network cards on different host machines.

Click on the Incredible PBX Virtual Machine in the VM List. Then click Settings -> Audio and check the Enable Audio option and choose your sound card. Save your setup by clicking the OK button. Next click Settings -> Network. For Adapter 1, check the Enable Network Adapter option. From the Attached to pull-down menu, choose Bridged Adapter. Then select your network card from the Name list. Then click OK. Finally, click Settings -> System, uncheck Hardware clock in UTC time, and click OK. That’s all the configuration that is necessary for your Incredible PBX Virtual Machine. The rest is automagic.

Running Incredible PBX Virtual Machines in VirtualBox

Once you’ve imported and configured the Incredible PBX Virtual Machine, you’re ready to go. Highlight IncrediblePBX Virtual Machine in the VM List on the VirtualBox Manager Window and click the Start button. The boot procedure with your chosen operating system will begin just as if you had installed Incredible PBX on a standalone machine. You’ll see a couple of dialogue boxes pop up that explain the keystrokes to move back and forth between your host operating system desktop and your virtual machine. Remember, you still have full access to your desktop computer. Incredible PBX is merely running as a task in a VirtualBox window. Always gracefully halt Incredible PBX just as you would on a dedicated computer.

Here’s what you need to know. To work in the Incredible PBX Virtual Machine, just left-click your mouse while it is positioned inside the VM window. To return to your host operating system desktop, press the right Option key on Windows machines or the left Command key on any Mac. For other operating systems, read the dialogue boxes for instructions on moving around. To access the Linux CLI, login as root with the default password: password. To access Incredible PBX GUI with a browser, point to the IP address of your virtual machine. Then, in the Administrator window, click on Incredible GUI Administration. Login as admin with the admin password you set below. For the security of your server, we recommend that you log in to the Linux CLI at least once a week so that Incredible PBX updates get applied to your server regularly. This is critically important if you care about your phone bill.

When logging in for the first time, Incredible PBX will go through some setup steps and then reboot. Log in again to complete the setup. Running status will always provide a snapshot of your system. To shut down Incredible PBX gracefully, click in the VM window with your mouse, log in as root, and type: halt. Be sure to complete the following setup steps from the Linux CLI:

  • Change your root password: passwd
  • Set your Incredible GUI admin password: /root/admin-pw-change
  • Set the admin password for web apps: htpasswd /etc/pbx/wwwpasswd admin
  • Set your correct time zone: /root/timezone-setup
  • Add WhiteList entries to firewall if needed: /root/add-ip or /root/add-fqdn
  • Store PortKnocker credentials in a safe place: cat /root/knock.FAQ
  • Enable Incredible Fax support if desired: /root/incrediblefax11.sh
  • Login to your NeoRouter VPN server if desired: /root/neorouter-login

Upgrading Modules with Module Admin in the GUI. The GUI includes a Module Administration component in the Admin tab which will let you check online for new modules and upgrade to newer releases. Once you have added or updated any modules, you will get some nasty error messages in the System Status display because we allow installation of all GPL-compatible modules, not just those of Sangoma. It’s one of the proprietary gotchas that we have been writing about. Simply click on the X option in the upper right corner of each window to remove the warnings. Log out of the GUI. Then login to your Linux CLI as root and issue the following command to permanently clear the error messages: gui-fix. Now you can log back in and the warning messages will be gone… until you add or update modules again. Sangoma calls it a feature. 🙄

Command Line Management of Incredible PBX with VirtualBox

One of the real beauties of VirtualBox is you don’t have to use the VirtualBox GUI at all. The entire process can be driven from the command line. Other than on a Mac, here is the procedure to import, configure, and run Incredible PBX:
 
VBoxManage import IncrediblePBX-11-12.3-SL66.ova
VBoxManage modifyvm "IncrediblePBX-11-12.3-SL66" --nic1 nat
VBoxManage modifyvm "IncrediblePBX-11-12.3-SL66" --acpi on --nic1 bridged
VBoxHeadless --startvm "IncrediblePBX-11-12.3-SL66" &
# Wait 1 minute for Incredible PBX to load. Then decipher IP address like this:
VBoxManage guestproperty get "IncrediblePBX-11-12.3-SL66" /VirtualBox/GuestInfo/Net/0/V4/IP
# Now you can use SSH to login to Incredible PBX at the displayed IP address
# Shutdown the Incredible PBX Virtual Machine with the following command:
VBoxManage controlvm "IncrediblePBX-11-12.3-SL66" acpipowerbutton

On a Mac, everything works the same way except for deciphering the IP address. Download our findip script for that. Be sure to plug in the correct name of your virtual machine: ./findip IncrediblePBX-11-12.3-SL66

Deploying Google Voice Secure Communications with Incredible PBX

As with all prior releases of Incredible PBX, free calling in the U.S. and Canada with Google Voice is an integral component of this GPL platform. You still add Google Voice trunks using the GUI in exactly the same way: Connectivity -> Google Voice (Motif). What has changed with this release is what happens behind the scenes. Google has warned (for years) that they plan to phase out plain text passwords using your actual Google Voice credentials. This is for your protection! Unfortunately, until today, the only way to take advantage of the new OAUTH authentication method with Asterisk was to use one of the external SIP gateways to Google Voice. Now you no longer have to. The new 11-12.3 release of Incredible PBX adds native OAUTH authentication support to Asterisk and the Incredible PBX GUI. When prompted for the password in setting up your Google Voice accounts in the GUI, now you’ll enter your OAUTH token instead of your plain text password. It’s that easy. Obviously, you first need to obtain a free OAUTH token for each of your Google Voice accounts that you wish to activate. This tutorial on the PIAF Forum will walk you through the simple, one-time procedure.

IMPORTANT: Once you have added one or more Google Voice trunks in the GUI, you must restart Asterisk to activate the trunks: amportal restart

We want to take a moment and express our heartfelt thanks to Ryan Tilton of GVsip.com for setting up and maintaining the free platform to support OAUTH tokens for Google Voice. And a special shoutout to Martin Dindos (a.k.a. @dziny on the PIAF Forum) for his truly Herculean efforts in getting this to work properly with Asterisk 11, no small feat. This is yet another amazing testament to how the open source community should really function. Thank you!

Preparing Incredible PBX Virtual Machine for Backups & Migration

To us, the most compelling feature of the virtual machine platform is the ease with which you can make a perfect backup of your server in minutes! From that backup, you can restore a working platform in the same 60 seconds it took to build today’s platform on your desktop. One of the drawbacks as the Linux operating systems have become more turnkey is the shortcut that was implemented on both the RedHat and Debian/Ubuntu platforms to store your network setup so that the server reboots more quickly. While that’s fine for rebooting on the same server, it’s a real problem if you attempt to move your setup to different hardware or a new network because your network configuration will not load properly on the new platform. That means no IP address! Here’s the easy way to assure that things will actually work after the move. It assumes you will have a DHCP server at the new location just as you did at your existing site.

The Easy Way. If you have console access after the VM image is restored on the new platform (which means you don’t need a network IP address for the server in order to log in as root), then the easy way to prepare any of the Incredible PBX machines for relocation is to issue the following commands before you halt the system and make a VirtualBox backup:

touch /etc/update_hostconfig
touch /etc/update_serverconfig
rm -f /etc/ssh/ssh_host*
rpm -e openssh-server openssh-xinetd
yum -y install openssh-server openssh-xinetd
rm /etc/ssh/*.rpmsave

Once you have halted the server, edit both the sound card and network card settings and disable both of them in VirtualBox Manager. Then choose File -> Export Appliance from the VirtualBox title bar and create an .ova backup image on your desktop. You now have an image that is similar to the Incredible PBX image that you originally downloaded, except it has all of your data and settings. All you have to do is repeat the install drill above at the new location using the .ova image you created and log in with whatever your current root password happens to be. You’ll get a two-pass automatic setup just as you did when you began today’s adventure.

The only drawback to this procedure is the fact that the extension 701 and default DISA passwords as well as your firewall configuration will be initialized when you first boot from your .ova image at the other location. Aside from that, you’ll have a clean platform with new SSH and DUNDI credentials as well as mostly sanitized log files.

What’s Next. Now that you have a functioning server, it’s time to learn all about the Incredible PBX applications that are ready for use. Jump over to the latest Nerd Vittles application tutorial for a quick look at what’s available. Even though it was written for the Asterisk-GUI, everything will work exactly the same way. That’s the beauty of the Incredible PBX platform. Enjoy!

Originally published: Monday, June 29, 2015



  1. Many of our purchase links refer users to Amazon when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from Amazon to help cover the costs of our blog. We never recommend particular products solely to generate Amazon commissions. However, when pricing is comparable or availability is favorable, we support Amazon because Amazon supports us.

Introducing Incredible PBX and the New Incredible GUI for the Raspberry Pi 2


We’ve been huge fans of the Raspberry Pi since its introduction. And the Raspberry Pi 2 with its quad-core processor and gig of RAM transformed the platform from a tinkerer’s dream machine into a production workhorse. Four months ago, we introduced our Gotcha-Free PBX with Asterisk® 11 for the new platform. But Asterisk-GUI had a steep learning curve, and Digium now has officially discontinued support of what we believe was a terrific product with enormous potential. So today we’re pleased to introduce the all-new Incredible PBX with the Incredible PBX GUI running the very latest Asterisk 11.18 release together with all of the GPL-compatible PBX GUI modules you’ve known and loved for the past decade. No strings, no trademark gotchas, just pure GPL code that you can share and embellish as you see fit without legal retribution from us.

Target Audience: Home or SOHO/SBO seeking a GPL PBX with a web-based Graphical User Interface

Default Configuration: Asterisk 11 with Incredible PBX GUI, Kennonsoft GUI, and NANPA dialplan

Platform: Raspbian 7 running on a Raspberry Pi 2

Standard Memory: 1024MB

Recommended Disk: 16GB+

Default Trunks: Google Voice, CallCentric, DIDlogic, Future-Nine, IPcomms, Les.net, Vitelity, VoIP.ms [1]

Feature Set: SMS messaging, VPN, Reminders, ConfBridge Conferencing, AsteriDex, Voicemail, Email, IVR, News, Weather, Voice Dialer, Wolfram Alpha, Today in History, TM3 Firewall WhiteList, Speed Dialer, iNUM and SIP URI (free) worldwide calling, OpenCNAM CallerID lookups, DISA, Call Forwarding, CSV CDRs

Administrator Utilities: Incredible Backup/Restore, Automatic Updater, Asterisk Upgrader, phpMyAdmin, Timezone Config, Plug-and-Play Trunk Configurator, WebMin, External IP Setup, Firewall WhiteList Tools

As if that weren’t enough good news, we also are pleased to introduce our new 10-Layer Network Security Model for future Incredible PBX builds including today’s Raspberry Pi edition.

  1. Preconfigured IPtables Linux Firewall
  2. Preconfigured Travelin’ Man 3 WhiteLists
  3. Randomized Port Knocker for Remote Access
  4. TM4 WhiteListing by Telephone (optional)
  5. Fail2Ban Log Monitoring for SSH, Apache, Asterisk
  6. Randomized Ultra-Secure Passwords
  7. Automatic Security Updates & Bug Fixes
  8. Asterisk Manager Lockdown to localhost
  9. Apache htaccess Security for Vulnerable Web Apps
  10. Security Alerts via RSS Feeds in Kennonsoft and Incredible PBX GUIs

No single network security system can protect you against zero-day vulnerabilities that no one has ever seen. Just ask the FreePBX® folks. Deploying multiple layers of security is not only smart, it’s essential with today’s Internet topology. It works much like the Bundle of Sticks from Aesop’s Fables. The more sticks there are in your bundle, the more difficult it is to break them apart. If a vulnerability suddenly appears in the Linux kernel, or in Asterisk, or in Apache, or in your favorite web GUI, you can continue to sleep well knowing that other layers of security have your back. No one else in the telecommunications industry has anything even close. It’s all open source GPL code so we would encourage everyone to get on board and do their part to make the Internet a safer place!

Getting Started with Incredible PBX and Incredible PBX GUI (RasPi 2 Edition)

Here’s a quick overview of the installation and setup process for Incredible PBX featuring the Incredible PBX GUI:

  1. Install Linux for Raspberry Pi 2 – Install Raspbian 7 Platform
  2. Configure Raspbian 7 – Optimize Raspbian 7 for Incredible PBX
  3. Download and Install Incredible PBX + Incredible PBX GUI
  4. Install Incredible Fax with HylaFax/AvantFax (optional)
  5. Set Up Passwords for Incredible PBX
  6. Configure Trunks using Incredible PBX GUI
  7. Connect a Softphone using Incredible PBX GUI

1. Install Raspbian 7 Platform for Raspberry Pi 2

For those with Raspberry Pi experience, this is the same drill you’ve performed a dozen times before. For newbies, here’s the procedure. You’ll need a microSD card of at least 8GB, and we strongly recommend a 16GB or 32GB Type 10 card for Incredible PBX. We’ve tested both the SanDisk and Transcend cards, and they work great.

Begin by downloading the RASPBIAN Wheezy image from RaspberryPi.org to your desktop. After you’ve unzipped the image, you need to get it moved to your microSD card. RaspberryPi.org has excellent tutorials that will walk you through the process using a Linux, Mac, or Windows desktop platform. Don’t forget to unmount the card before removing it!

Once you have your microSD card ready to go, plug it into the slot on the back of the Raspberry Pi 2 and then plug in the power cord. On your attached monitor, you can follow the boot up process. When the login prompt appears, log in as user pi with the password raspberry. Choose text mode for bootups!

2. Optimizing Raspbian 7 for Incredible PBX

The first time you boot up your Raspberry Pi 2 with Raspbian 7, it will run the raspi-config script. This allows you to make a number of changes to your Raspberry Pi environment to maximize performance. Let’s take advantage of it.

Option 1. Expand the File System to fill your SD card. Otherwise, there’s insufficient disk space to complete the install.

Advanced Options. Enable Remote SSH access to your Raspberry Pi 2.

Tab to the Finish option and press ENTER. Then choose Reboot and YES.

After the reboot, log back in as pi:raspberry and set a very secure root password: sudo passwd root. Decipher your IP address so that you can log in as root via SSH: ifconfig.

We strongly recommend completing the install by logging in as root using a desktop computer via SSH or Putty (for Windows). This gives you the ability to scroll back up and find errors if something happens to come unglued during the install process. It also assures that your desktop computer will be whitelisted in the automated setup of the IPtables firewall.

3. Install Incredible PBX on Your Raspberry Pi 2

Adding Incredible PBX to the Raspberry Pi 2 is easy. To restate the obvious, your server needs a reliable Internet connection to proceed. Using SSH (or Putty on a Windows machine), log into your Raspberry Pi 2 as root at the IP address you deciphered in the ifconfig step at the end of the Raspbian install procedure above.

Now let’s begin the Incredible PBX install. After logging in as root, issue the following commands. The install takes less than an hour and runs unattended so there’s no need to watch unless you’re curious about how sausage is made. Remember, as part of the build process, we compile all of the major components for Incredible PBX from source. And you can review the open source GPL script to see how it’s done if you have an interest or wish to embellish. It’s Gotcha-Free code so go for it and share your discoveries. After all, that’s what open source is all about!

cd /root
wget http://incrediblepbx.com/incrediblepbx11-12.2.raspbian.tar.gz
tar zxvf incrediblepbx11-12.2.raspbian.tar.gz
rm -f incrediblepbx11-12.2.raspbian.tar.gz
./IncrediblePBX11-12.2-raspbian.sh

4. Install Incredible Fax for Incredible PBX (optional)

Administrators have been trying to stomp out faxing for at least two decades. Here’s a hint. It ain’t gonna happen. So go with the flow and add Gotcha-Free Faxing to your server. It’ll be there when you need it. And sooner or later, you’ll need it. This install script is simple enough for any monkey to complete. Run the script and enter the email address for delivery of your faxes. Then, if you’re in the U.S. or Canada, press the Enter key to accept every default entry during the HylaFax and AvantFax installation steps. For other countries, read the prompts and answer accordingly.

cd /root
./incrediblefax11_raspi2.sh

When the installation finishes, reboot your server to bring faxing on line. After rebooting, change your AvantFax admin password: /root/avantfax-pw-change. You can access the AvantFax GUI with your browser by logging in as admin with your admin password from the previous step, using either the Kennonsoft admin menu (pictured below) or the AvantFax tab within the Incredible PBX GUI itself.

Outgoing faxes using standard document attachments can be created using the AvantFax GUI. The faxes will be sent out using your default outbound dial rules. You can add a dial prefix in sending a fax with AvantFax to force the call out a particular trunk that has been preconfigured in the Incredible PBX GUI.

Incoming faxes will be delivered to the email address you specified when installing Incredible Fax; however, incoming faxes will be ignored until you configure a destination DID to accept the faxes. For the incoming route of the destination DID, specify:

5. Initial Configuration of Incredible PBX

Incredible PBX is installed with the preconfigured IPtables Linux firewall already in place. It implements WhiteList Security to limit server access to private LANs, your server’s IP address, your desktop computer’s IP address, and a few of our favorite SIP providers. You can add additional entries to this WhiteList whenever you like using the add-ip and add-fqdn tools in /root. There’s also an Apache security layer for our web applications. And the Incredible PBX GUI has its own security methodology. Finally, we randomize extension and DISA passwords as part of the initial install process. Out of the starting gate, you won’t find a more secure VoIP server implementation anywhere. After all, it’s your phone bill.
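One way to confirm that a whitelist-style ruleset like the one described above really is default-deny, as an added example (not Incredible PBX's own tooling). The two rulesets are constructed samples, and the function name and watched-port list are assumptions.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for gaps in a whitelist firewall.
# Both rulesets below are constructed samples, not the rules Incredible PBX installs.
# On a live server, run as root:  iptables-save | audit_ruleset

# Constructed sample: default-DROP policy, every ACCEPT tied to a source address.
SAMPLE_WHITELISTED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s 203.0.113.25/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: permissive policy and service ports open to any source.
SAMPLE_EXPOSED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# audit_ruleset: read iptables-save text on stdin, print one finding per line.
#   POLICY ...      filter/INPUT default policy is not DROP
#   OPEN <port> ... ACCEPT rule covering a watched port with no source limit
#   OPEN any ...    ACCEPT rule with no port, source, interface or state match
# Watched ports (assumption): SSH 22, web 80/443, IAX2 4569, SIP 5060/5061.
# Negated matches ("! -s") and user-defined chains are not evaluated.
audit_ruleset() {
    awk -v ports="${WATCHED_PORTS:-22 80 443 4569 5060 5061}" '
    BEGIN { n = split(ports, watch, " ") }
    /^\*/ { table = substr($1, 2); next }
    table != "filter" { next }
    /^:INPUT / { if ($2 != "DROP") print "POLICY INPUT default is " $2; next }
    !/^-A INPUT / { next }
    {
        src = dport = target = proto = ""; scoped = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-i" || $i == "--state" || $i == "--ctstate") scoped = 1
        }
        if (target != "ACCEPT") next
        if (src != "" && src != "0.0.0.0/0") next      # whitelisted source
        if (dport == "") {
            if (!scoped && proto != "icmp") print "OPEN any " $0
            next
        }
        # --dports may hold a comma list, and each item may be a lo:hi range
        m = split(dport, part, ",")
        for (k = 1; k <= m; k++) {
            c = split(part[k], r, ":")
            lo = r[1] + 0; hi = (c > 1 ? r[2] : r[1]) + 0
            for (j = 1; j <= n; j++)
                if (watch[j] + 0 >= lo && watch[j] + 0 <= hi)
                    print "OPEN " watch[j] " " $0
        }
    }'
}

echo "== whitelisted sample =="
printf '%s\n' "$SAMPLE_WHITELISTED" | audit_ruleset
echo "== exposed sample =="
printf '%s\n' "$SAMPLE_EXPOSED" | audit_ruleset
```

An empty result means every ACCEPT rule on a watched port is bound to a source address; rerun the check after each change made with add-ip or add-fqdn.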

Even with all of these layers of security, here are 10 Quick Steps to better safeguard your server. You only do this once, but failing to do it may lead to security issues you don’t want to have to deal with down the road. So DO IT NOW!

First, log into your server as root with your root password and do the following:

Make your root password very secure: passwd
Set your correct time zone: ./timezone-setup
Restart Asterisk: amportal restart
Create admin password for main GUI: /root/admin-pw-change
Create admin password for web apps: htpasswd -b /etc/pbx/wwwpasswd admin newpassword
Make a copy of your other passwords: cat passwords.FAQ
Make a copy of your Knock codes: cat knock.FAQ
Decipher IP address and other info about your server: status

Second, log into your server as admin using a web browser pointed to your server’s IP address and change the extension and voicemail passwords for extension 701:

Click USERS tab in Incredible PBX GUI
Click Incredible PBX GUI Administration
Log in as user: admin with admin-pw-change password

Last but not least, Incredible PBX includes an automatic update utility which downloads important updates whenever you log into your server as root. We recommend you log in once a week to keep your server current. Now would be a good time to log out and back into your server at the Linux command line to bring your Raspberry Pi 2 up to current specs.

6. Configure Trunks with Incredible PBX

Now for the fun part. If this is your first VoIP adventure, be advised that this ain’t your grandma’s phone system. You need not and should not put all your eggs in one basket when it comes to telephone providers. In order to connect to Plain Old Telephones, you still need at least one provider. But there is nothing wrong with having several. And a provider that handles an outbound call (termination) need not be the same one that handles an incoming call (origination) and provides your phone number (DID). We cannot recommend Vitelity highly enough, and it’s not just because they have financially supported our projects for almost a decade. They’re as good as VoIP providers get, and we use lots of them. If you’re lucky enough to live in the U.S., you’d be crazy not to set up a Google Voice account. It’s free as are all phone calls to anywhere in the U.S. and Canada. The remaining preconfigured providers included in Incredible PBX are equally good, and we’ve used and continue to use almost all of them. So pick a few and sign up. You only pay for the calls you make with each provider so you have little to lose by choosing several. The PIAF Forum includes dozens of recommendations on VoIP providers if you want additional information.

With the preconfigured trunks in Incredible PBX, all you need are your credentials for each provider and the FQDN of their server. Log into Incredible PBX GUI Administration as admin using a browser. From the System Status menu, click Connectivity -> Trunks. Click on each provider you have chosen and fill in your credentials including the host entry. Be sure to uncheck the Disable Trunk checkbox! Fill in the appropriate information for the Register String. Save your settings by clicking Submit Changes. Then click the red Apply Config button.

7. Configure a Softphone for Incredible PBX

We’re in the home stretch now. You can connect virtually any kind of telephone to your new PBX. Plain Old Phones require an analog telephone adapter (ATA) which can be a separate board in your computer from a company such as Digium. Or it can be a standalone SIP device such as ObiHai’s OBi100 or OBi110 (if you have a phone line from Ma Bell to hook up as well). SIP phones can be connected directly so long as they have an IP address. These could be hardware devices or software devices such as the YateClient softphone. We’ll start with a free one today so you can begin making calls. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum when you’re ready to get serious about VoIP telephony.

We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Applications -> Extensions -> 701 and write down your SIP/IAX Password. You can also find it in /root/passwords.FAQ. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password is assigned to the extension. Click OK to save your entries.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:

DEMO - Apps Demo
123 - Reminders
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
TODAY - Today in History

If you are a Mac user, another great no-frills softphone is Telephone. Just download and install it from the Mac App Store.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

IMPORTANT: Do NOT under any circumstances take Google’s bait to switch from Google Chat to Hangouts, or you will forever lose the ability to use Google Chat with Incredible PBX. Also be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. Good News! You’re in luck. Google has apparently had a change of heart on discontinuing Google Chat support so it’s enabled by default in all new Google Voice accounts. Once you’ve created a Gmail and Google Voice account, go to Google Voice Settings and click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF
  • Call Options (Enable Recording): OFF
  • Global Spam Filtering: ON

Click Save Changes once you’ve adjusted your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to configure your Google Voice account in Incredible PBX. You can do it from within the Incredible PBX GUI by choosing Connectivity -> Google Voice. Once you’ve entered your credentials, you MUST restart Asterisk from the command line, or Google Voice calls will fail.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

If you have difficulty finding the Google Chat option after setting up a new Google Voice account, follow this tutorial.

NOTE: There are all sorts of rumors circulating again that the Google Voice free ride may be coming to a close. We’ve heard this song before, but who knows?? Whether true or not, you are well advised to not rely solely on Google Voice for your phone calls. That’s the real beauty of a PBX. So take advantage of it!

Another option is to use one of the inexpensive SIP Gateways to Google Voice. HINT: The Simonics trunk in the Incredible PBX GUI is preconfigured. All you’ll need is your credentials.

Adding Speech Recognition Support to Incredible PBX

To support many of our applications, Incredible PBX has included Google’s speech recognition service for years. These applications include Weather Reports by City (949), AsteriDex Voice Dialing by Name (411), and Wolfram Alpha for Asterisk (4747), all of which use Lefteris Zafiris’ terrific speech-recog AGI script. Unfortunately (for some), Google now has tightened up the terms of use for their free speech recognition service. Now you can only use it for "personal and development use." If you meet those criteria, keep reading. Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

To use Wolfram Alpha by phone, you first must obtain a free Wolfram Alpha APP-ID. Then issue the following command replacing APP-ID with your actual ID. Do NOT change the yourID portion of the command:

sed -i "s|yourID|APP-ID|" /var/lib/asterisk/agi-bin/4747

Now you’re ready to try out the speech recognition apps. Dial 949 and say the name of a city and state/province/country to get a current weather forecast from Yahoo. Dial 411 and say "American Airlines" to be connected to American.

To access Wolfram Alpha by phone, dial 4747 and enter your query, e.g. "What planes are overhead." Read the Nerd Vittles tutorial for additional examples and tips.

OK, Smarty Pants: Show Me the Beef!

We know what some of you are thinking. "What does a fast food worker really know about VoIP and Gotcha-Free PBXs?? Before wasting a bunch of time on this, show me the beef!" Fair enough. Sit by your phone and click the Call Me icon below. Type in a fake name and your real phone number. Click the Connect button, answer your phone when it rings, and press 1. You’ll be connected to the Incredible PBX IVR. Pick an option from the menu of choices and take the Incredible PBX apps for a spin on our dime… actually it’s Google’s dime. Everything you see and hear is part of what you get with Incredible PBX for the Raspberry Pi 2 including the ability to set up your own click-to-dial web interface exactly like this one. The demo just happens to be running on our hardware instead of yours. So… what are you waiting for? Click away and try Incredible PBX for yourself. And, by the way, nobody besides the NSA and Google will be monitoring your call. 😉



Nerd Vittles Demo IVR Options
1 – Call by Name (say “Delta Airlines” or “American Airlines” to try it out)
2 – MeetMe Conference (password is 1234)
3 – Wolfram Alpha (say “What planes are overhead?”)
4 – Lenny (The Telemarketer’s Worst Nightmare)
5 – Today’s News Headlines
6 – Weather Forecast (say the city and state, province, or country)
7 – Today in History
8 – Speak to a Real Person (or maybe just voicemail if we’re out)

Homework Assignment: Mastering the Incredible PBX Feature Set

Now would be a good time to explore the Incredible PBX applications. Continue reading there. If you have questions, join the PBX in a Flash Forums and take advantage of our awesome collection of gurus. There’s an expert available on virtually any topic, and the price is right. As with Incredible PBX, it’s absolutely free.

Originally published: Monday, June 8, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.





 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




  1. Vitelity and Google provide financial support to Nerd Vittles and the Incredible PBX project.

Introducing Incredible PBX 11-12 with Incredible GUI for the Ubuntu 14 Platform

On May 15, we turned the page on Asterisk® GUIs by introducing a new GUI that hopefully provides the best of both worlds. It preserves the GPL components of the FreePBX® product that many of us have nurtured for almost a decade while removing the commercial pieces that have introduced some friction into the equation for users and companies that simply wished to deploy or redistribute a graphical user interface for Asterisk in accordance with the free GPL licenses under which the product and its components were licensed. Last week we did much the same thing with the essential cloud component which serves as the lynchpin for GPL module administration within the GUI itself. Hopefully, these two tweaks will encourage Sangoma, the new owner of the FreePBX project, to do the right thing and get the non-commercial pieces of the project back on the right track moving forward. What we did not want to do was tarnish the incredibly hard work that dozens of developers in the open source community have poured into this project over the past decade. We continue to be amazed at what they’ve been able to achieve, and we salute their accomplishments. The Asterisk 12 and 13 revolution never would have been achieved without the contributions of the FreePBX development team. We think the new Incredible PBX GUI stands as a testament to what can be accomplished while preserving the true spirit of open source development and the terms of the GPL licenses under which this product and its numerous modules were licensed.

Two weeks ago, we introduced the all-new Incredible PBX with Incredible GUI for CentOS, Scientific Linux, and Oracle Linux. Last week we added a Cloud-based GPL repository and all the tools necessary to maintain it. Today we’re pleased to release the production-ready version for the Ubuntu 14 platform with all the bells and whistles including Incredible Fax featuring HylaFax and AvantFax. Today’s release mimics the functionality of the previous build for the CentOS platform with literally dozens of turnkey applications that show off the very best features of Asterisk®. In addition to Incredible PBX, you also get our new GPL repository to maintain release 12 of the GUI. No strings, no gotchas, and no murky licenses. Pure GPL!

Building an Ubuntu 14.04 Platform for Incredible PBX

As a result of the trademark and copyright morass, we’ve steered away from the bundled operating system in favor of a methodology that relies upon you to put in place the operating system platform on which to run PBX in a Flash or Incredible PBX. The good news is it’s easy! With many cloud-based providers¹, you can simply click a button to choose your favorite OS flavor and within minutes, you’re ready to go. With many virtual machine platforms such as VirtualBox, it’s equally simple to find a pre-built Ubuntu 14.04 image or roll your own.

If you’re new to VoIP or to Nerd Vittles, here’s our best piece of advice. Don’t take our word for anything! Try it for yourself in the Cloud! You can build an Ubuntu 14.04 image on Digital Ocean in under one minute and install today’s Incredible PBX for Ubuntu 14.04 in about 15 minutes. Then try it out for two full months. It won’t cost you a dime. Use our referral link to sign up for an account. Enter a valid credit card to verify you’re who you say you are. Create an Ubuntu 14.04 (not 14.10!) 512MB droplet of the cheapest flavor ($5/mo.). Go to the Billing section of the site, and enter the following promo code: UBUNTUDROPLET. That’s all there is to it. A $10 credit will be added to your account, and you can play to your heart’s content. Delete droplets, add droplets, and enjoy the free ride!

For today, we’ll walk you through building your own stand-alone server using the Ubuntu 14.04 mini.iso. If you’re using Digital Ocean in the Cloud, skip down to Installing Incredible PBX 11-12 (HINT: 11 tells you the Asterisk release and 12 tells you the GUI release). If you’re using your own hardware, to get started, download the 64-bit Ubuntu 14.04 "Trusty Tahr" Minimal ISO from here. Then burn it to a CD/DVD or thumb drive and boot your dedicated server from the image. Remember, you’ll be reformatting the drive in your server so pick a machine you don’t need for other purposes.

For those that would prefer to build your Ubuntu 14.04 Wonder Machine using VirtualBox on any Windows, Mac, or existing Linux Desktop, here are the simple steps. Create a new virtual machine specifying the 64-bit version of Ubuntu. Allocate 1024MB of RAM (512MB also works fine with a swap file) and at least 20GB of disk space using the default hard drive setup in all three steps. In Settings, click System and check Enable I/O APIC and uncheck Hardware Clock in UTC Time. Click Audio and Specify then Enable your sound card. Click Network and Enable Network Adapter for Adapter 1 and choose Bridged Adapter. Finally, in Storage, add the Ubuntu 14.04 mini.iso to your VirtualBox Storage Tree as shown below. Then click OK and start up your new virtual machine. Simple!

Here are the steps to get Ubuntu 14.04 humming on your new server or virtual machine once you’ve booted up. If you can bake cookies from a recipe, you can do this:

UBUNTU mini.iso install:
Choose language
Choose timezone
Detect keyboard
Hostname: incrediblepbx < continue >
Choose mirror for downloads
Confirm archive mirror
Leave proxy blank unless you need it
< continue >
** couple minutes of whirring as initial components are loaded **
New user name: incredible
< continue >
Account username: incredible
< continue >
Account password: makeitsecure
< continue >
Encrypt home directory < no >
Confirm time zone < yes >
Partition disks: Guided - use entire disk and set up LVM
Confirm disk to partition
Write changes to disks and configure LVM
Whole volume? < continue >
Write changes to disks < yes > <-- last chance to preserve your disk drive!
** about 15 minutes of whirring during base system install ** < no touchy anything >
** another 5 minutes of whirring during base software install ** < no touchy anything >
Upgrades? Install security updates automatically
** another 5 minutes of whirring during more software installs ** < no touchy anything >
Software selection: *Basic Ubuntu server (only!)
** another couple minutes of whirring during software installs ** < no touchy anything >
Grub boot loader: < yes >
UTC for system clock: < no >
Installation complete: < continue > after removing installation media
** on VirtualBox, PowerOff after reboot and remove [-] mini.iso from Storage Tree & restart VM
login as user: incredible
** enter user incredible's password **
sudo passwd
** enter incredible password again and then create secure root user password **
su root
** enter root password **
apt-get update
apt-get install ssh -y
sed -i 's|without-password|yes|' /etc/ssh/sshd_config
sed -i 's|yes"|without-password"|' /etc/ssh/sshd_config
sed -i 's|"quiet"|"quiet text"|' /etc/default/grub
update-grub
ifconfig
** write down the IP address of your server from ifconfig results
reboot
** login via SSH to continue **
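
The two sed edits to /etc/ssh/sshd_config in the listing above change sshd's root-login policy; this added check (not part of the original walkthrough) applies the same substitutions to a constructed config excerpt and reports the effective setting before and after. The sample text and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: effect of the page's two sed substitutions on sshd's root-login policy.
# SAMPLE_SSHD_CONFIG is a constructed excerpt, not a copy of any real server's file.

SAMPLE_SSHD_CONFIG='# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
#PasswordAuthentication yes
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
UsePAM yes
Match User backup
    PermitRootLogin no'

# apply_page_edits: the same two substitutions, applied to stdin rather than in place.
# The first turns "PermitRootLogin without-password" into "PermitRootLogin yes";
# the second restores the quoted phrase in the comment that the first one rewrote.
apply_page_edits() {
    sed -e 's|without-password|yes|' -e 's|yes"|without-password"|'
}

# effective_option KEYWORD: print the value sshd would use, from config on stdin.
# sshd keeps the first occurrence of a keyword, and everything after the first
# "Match" line is conditional, so the scan stops there. Keywords are case-insensitive.
effective_option() {
    awk -v want="$1" '
    BEGIN { want = tolower(want) }
    /^[ \t]*(#|$)/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == want { print tolower($2); exit }'
}

# root_password_login: classify the config on stdin as allowed / blocked / unknown.
# Assumptions: a missing PasswordAuthentication line means the default of yes;
# a missing PermitRootLogin is "unknown" because its default differs between
# OpenSSH releases. Keyboard-interactive (PAM) logins are not evaluated.
root_password_login() {
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | effective_option PermitRootLogin)
    pass=$(printf '%s\n' "$cfg" | effective_option PasswordAuthentication)
    [ -n "$pass" ] || pass=yes
    case "$root" in
        "")  echo unknown ;;
        yes) if [ "$pass" = yes ]; then echo allowed; else echo blocked; fi ;;
        *)   echo blocked ;;   # no, without-password, prohibit-password, forced-commands-only
    esac
}

before=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | root_password_login)
after=$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | apply_page_edits | root_password_login)
echo "before edits: root password login $before"
echo "after edits:  root password login $after"
```

On the server itself, root_password_login < /etc/ssh/sshd_config gives the same classification. When it reports allowed, the root password set with sudo passwd is what stands between the Internet and a root shell until the firewall whitelist is in place.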

Installing Incredible PBX 11-12 on Your Ubuntu 14.04 Server

Adding Incredible PBX 11-12 to a running Ubuntu 14.04 server is a walk in the park. To restate the obvious, your server needs a reliable Internet connection to proceed. Using SSH (or Putty on a Windows machine), log into your new server as root at the IP address you deciphered in the ifconfig step at the end of the Ubuntu install procedure above. First, make sure to run the update step for Ubuntu below before you begin the install. This is especially important if you’re using a cloud-based Ubuntu 14 server.

WARNING: As of early June, 2016, Ubuntu has introduced a bug in their latest MySQL upgrade. Do NOT run apt-get upgrade for the time being, or your Incredible PBX install will fail.

apt-get update && touch /root/COPYING

WARNING: If you’re using a 512MB droplet at Digital Ocean, be advised that the DO Ubuntu setup does NOT include a swap file. This may cause serious problems when you run out of RAM. Uncomment ./create-swapfile-DO line below to create a 1GB swap file which will be activated whenever you exceed 90% RAM usage on Digital Ocean.

Now let’s begin the Incredible PBX 11-12 install. Log back in as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/incrediblepbx11-12.2-ubuntu14.tar.gz
tar zxvf incrediblepbx*
#./create-swapfile-DO
./Incredible*

Once you have agreed to the license agreement and terms of use, press Enter and go have a 30-minute cup of coffee. The Incredible PBX installer runs unattended so find something to do for a bit unless you just like watching code compile. When you see "Have a nice day", your installation is complete. Write down your admin password for the GUI as well as your three "knock" ports for PortKnocker. If you forget your admin password or wish to change it, just run: /root/admin-pw-change. Retrieve your PortKnocker setup like this: cat /root/knock.FAQ.

Log out and back in as root and you should be greeted with a status display that looks something like this after the Automatic Update Utility runs:

Perform the following steps:

Make your root password very secure: passwd
Set your correct time zone: ./timezone-setup
Restart Asterisk: amportal restart
Create admin password for web apps: htpasswd -b /etc/pbx/wwwpasswd admin newpassword
Make a copy of your other passwords: cat passwords.FAQ
Make a copy of your Knock codes: cat knock.FAQ
Decipher IP address and other info about your server: status

Incredible PBX includes an automatic update utility which downloads important updates whenever you log into your server as root. We recommend you log in once a week to keep your server current. Now would be a good time to log out and back into your server at the Linux command line to bring your server up to current specs.

You can access the Incredible PBX GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display.

When the Kennonsoft menu (shown above) appears, click on the User tab to open the Admin menu. Then click on Incredible GUI Administration to access the Incredible PBX GUI. The default username is admin with the randomized password you wrote down above. If desired, you can change them after logging into the GUI by clicking Admin -> Administrators -> admin. Enter a new password and click Submit Changes then Apply Config. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for default 701 extension and voicemail: Applications -> Extensions -> 701.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.

Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:

123 - Reminders
222 - ODBC Demo (use acct: 12345)
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

The next step is establishing an interface on your PBX to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use an existing (free) Google Voice account. Google has threatened to shut this down but as this is written, it still works with previously set up Google Voice accounts. The more desirable long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax 11, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using the GUI. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Google Voice account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Use a previously configured and dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX 11.

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you’re probably out of luck. Google has disabled the option in newly created accounts as well as some old ones that had Google Chat disabled. Now go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF
  • Call Options (Enable Recording): OFF
  • Global Spam Filtering: ON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in the GUI. After logging in with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. Do NOT check the third box or incoming calls will never ring!

IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

And here’s another way to access Google Voice securely using an inexpensive commercial SIP gateway:

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work by entering these simple settings in the GUI: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.

Adding Speech Recognition to Incredible PBX

To support many of our applications, Incredible PBX has included Google’s speech recognition service for years. These applications include Weather Reports by City (949), AsteriDex Voice Dialing by Name (411), and Wolfram Alpha for Asterisk (4747), all of which use Lefteris Zafiris’ terrific speech-recog AGI script. Unfortunately (for some), Google now has tightened up the terms of use for their free speech recognition service. Now you can only use it for "personal and development use." If you meet those criteria, keep reading.

First, log into your server as root and issue the following commands:

# for Ubuntu and Debian platforms
apt-get clean
apt-get install libjson-perl flac -y
# for RedHat and CentOS platforms
yum -y install perl-JSON
# for all Linux platforms
cd /var/lib/asterisk/agi-bin
mv speech-recog.agi speech-recog.last.agi
# fetch the script over HTTPS with certificate verification enabled
wget https://raw.githubusercontent.com/zaf/asterisk-speech-recog/master/speech-recog.agi
chown asterisk:asterisk speech*
chmod 775 speech*
nano -w speech-recog.agi

Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

Now you’re ready to try out the speech recognition apps. Dial 949 and say the name of a city and state/province/country to get a current weather forecast from Yahoo. Dial 411 and say "American Airlines" to be connected to American.

To use Wolfram Alpha by phone, you first must install it. Obtain your free Wolfram Alpha APP-ID here. Then run the one-click installer: /root/wolfram/wolframalpha-oneclick.sh. Insert your APP-ID when prompted. Now dial 4747 to access Wolfram Alpha by phone and enter your query, e.g. "What planes are overhead." Read the Nerd Vittles tutorial for additional examples and tips.

A Few Words about the Incredible PBX Security Model for Ubuntu

Incredible PBX for Ubuntu 14 is a very secure, turnkey PBX implementation. As configured, your server is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. Nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. Incredible PBX is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking.

You can whitelist additional IP addresses for remote access in several ways. First, you can use the command-line utilities: /root/add-ip and /root/add-fqdn. You can also remove whitelisted IP addresses by running /root/del-acct. Second, you can dial into extension 864 (or use a DID pointed to extension 864 aka TM4) and enter an IP address to whitelist. Before Travelin’ Man 4 will work, you’ll need to add credentials for each caller using the tools in /root/tm4. You must add at least one account before dial-in whitelisting will be enabled. Third, you can temporarily whitelist an IP address by successfully executing the PortKnocker 3-knock code established for your server. You’ll find the details and the codes in /root/knock.FAQ. Be advised that IP addresses whitelisted with PortKnocker (only!) go away whenever your server is rebooted or the IPtables firewall is restarted. For further information on the PortKnocker technology and available clients for iOS and Android devices, review the Nerd Vittles tutorial.

HINT: Storing your PortKnocker codes in a safe place is essential because it may be your only available way to gain access to your server if your IP address changes. You obviously can’t use the command-line tools to whitelist a new IP address if you cannot gain access to your server at the new IP address.

We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. If you use a hardware-based firewall, be sure to map the three PortKnocker ports to the internal IP address of your server!

The NeoRouter VPN client also is included for rock-solid, secure connectivity for remote users. Read our previous tutorial for setup instructions.

As one would expect, the IPtables firewall is a complex piece of software. If you need assistance configuring it, visit the PIAF Forum for some friendly assistance.

Adding Incredible Fax 11 to Your Server

Once you’ve completed the Incredible PBX install, log out and log back in to load the latest automatic updates. Then reboot. Now you’re ready to continue your adventure by installing Incredible Fax 11 for Ubuntu. Special thanks to Josh North for all his hard work on this! The latest download includes the Incredible Fax 11 installer. So just run the script:

cd /root
./incrediblefax11_ubuntu14.sh

Accept all of the defaults during the installation process. IMPORTANT: Once you complete the install, reboot your server. After rebooting, log into the GUI and choose Module Admin and enable the AvantFax module. When you log out of the GUI, there now will be an option for AvantFax on the GUI’s main login screen. Choose it and enter admin:password to log in and change your default password. You also can set your AvantFax admin password by logging into the Linux CLI and… /root/avantfax-pw-change.

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX 11 server, simply copy the image to a server running Asterisk 11 and the Incredible PBX 11-12 GUI. Then run /root/incrediblerestore. Doesn’t get much simpler than that.

Incredible PBX Automatic Update Utility

Every time you log into your server as root, Incredible PBX will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along. Also be sure to check the PBX in a Flash RSS Feed inside the GUI for the latest security alerts.

Mastering the Incredible PBX Applications

Your next stop should be a quick read of the Application User’s Guide for Incredible PBX. Even though the target audience was Raspberry Pi users, the feature set is identical, and this guide will tell you everything you need to know about the dozens of applications for Asterisk that have been installed on your new server.

We also want to encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie. Come join us!

Originally published: Monday, June 1, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.





 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




  1. With some providers including ones linked in this article, Nerd Vittles receives referral fees which assist in keeping the Nerd Vittles lights burning brightly.

Top 3 Asterisk Security Tips for 2014: WhiteLists, WhiteLists, and WhiteLists

We’ve devoted a lot of energy to Asterisk security over the years with our Primer on Avoiding the $100,000 Phone Bill and our 20 Failsafe Tips and our SIP Navigation Guide plus numerous tutorials on deployment of Virtual Private Networks to secure your servers and phones including NeoRouter, PPTP, and Easy OpenVPN among others. But, when it comes to ease of installation and use with rock-solid security, nothing comes close to deployment of WhiteLists with the IPtables Linux firewall that’s included at no cost with every major Linux distribution and with all of the Asterisk® aggregations including PBX in a Flash™ and Incredible PBX™. So we’re kicking off the summer with a careful look at the methodology behind IPtables and the Travelin’ Man™ tools developed to reduce the learning curve for new users.

Security, of course, is all about the "bundle of sticks." As we learned from Aesop’s Fables, the more sticks you bundle together, the more difficult it is to break the bundle. We are by no means advocating that you drop all of the other tools at your disposal to improve the security of your Asterisk server. So, before we dive into WhiteLists, let’s spend a little time covering some of the other tools that are available and why those tools should not be relied upon exclusively.

1. Hardware-based Firewall. The PBX in a Flash project has cautioned users for years not to run Asterisk-based servers connected to the Internet without a hardware-based firewall between your server and the public Internet. Is it failsafe? No. Some hardware-based firewalls have been compromised either by the bad guys or by the NSA. Pardon the redundancy. The other problem with hardware-based firewalls is that they’re generally not available with cloud-based solutions. As the price of cloud computing has dropped and the cost and headaches of maintaining your own hardware have increased, more and more folks are considering cloud-based alternatives. Yes. Hardware-based firewalls should be deployed whenever possible. No. They won’t resolve all security concerns.

2. Fail2Ban. Once upon a time, a number of us thought that Fail2Ban was the answer to all security issues with Asterisk-based servers. In a nutshell, Fail2Ban scans your logs searching for failed attempts to log in to either SSH, FTP, Apache, SIP, or an email account. After a small number of failed attempts, Fail2Ban blocks further access from the IP address initiating the requests. There are two problems with Fail2Ban. First, software developers of the affected services continue to "improve" things with new and different error messages when login failures occur. Since Fail2Ban is searching for specific word matches to identify unsuccessful logins, the whole security mechanism fails when the "magic words" change unless everyone is extremely vigilant in maintaining the "magic word" lists AND updating the Fail2Ban rules on all of your servers. Our experience suggests that the bad guys find the new "magic words" long before everyone else, which means there are gaping holes in Fail2Ban regularly. The other problem is supercomputers such as Amazon EC2, which make enormous computing resources available to every Tom, Dick, and Harry. We’re mostly worried about the Dick that can hammer your little server every second with hundreds of thousands of attempts to crack your SIP or SSH passwords. The problem this poses is that most Linux servers never allocate a sufficient time slice to Fail2Ban to scan your Asterisk, Apache, and SendMail logs. Instead of blocking a bad guy after 3 failed login attempts, a bad guy using EC2 may be able to perform several hundred thousand login attempts before Fail2Ban ever detects a problem. Yes. Fail2Ban helps against the bad guy manually keying in passwords. No. Fail2Ban is all but worthless against a sophisticated denial of service attack on your server.

3. Virtual Private Networks. The beauty of virtual private networks (VPNs) is that all of your Internet traffic is encrypted and tunneled through private IP addresses that others can’t intercept. That was the theory until Edward Snowden came along and spoiled the NSA’s party. Yes. We’ve known that PPTP VPNs were vulnerable for a good long while. No. We didn’t know that the NSA (and presumably others) may have had the keys to your castle much longer… regardless of the VPN topology you may be using. The other problem with VPNs is that you need VPN connections for every device connecting to your server. Unfortunately, VPN technology is only available on a small number of SIP telephones, and the supported OpenVPN topology is one of the more difficult VPNs to deploy on a Linux server. Are VPNs better than nothing? Absolutely. Does a VPN provide failsafe communications security over the open Internet? Probably not.

4. Nothing Beats Secure Passwords. Amen. There was a time when some Asterisk-based servers were routinely set up with extension passwords of 1234 or the extension number itself. And outbound SIP trunks were deployed with no dialing rules. And administrators opened accounts with SIP providers with automatic credit card replenishment whenever the accounts ran out of money to cover calls. And no safeguards were put in place to restrict international calling. Little did these folks know that registering to a SIP extension on an Asterisk server provided a blank check for making unlimited calls to anywhere on the planet. Thus was born the $100,000 phone bill. Yes. Nothing Beats Secure Passwords for root, for SIP accounts, and for SIP and IAX trunks connected to commercial providers. But you also need to implement dialing rules for outbound calls that allow your callers to reach only the destinations desired, not the world. And your accounts with providers should always include limits and restrictions on international calls and should never include automatic credit card replenishment.

5. BlackLists. There was a time when blacklisting IP addresses was believed to be the ultimate solution to Internet security problems. Sounds great, doesn’t it? Just set up a database with the IP addresses of all the bad guys in the world, and all our problems will be solved. Problem #1: A new bad guy is born every minute. Problem #2: The bad guys learned how to use VPNs and other random IP address masquerading sites to disguise their true identity. Problem #3: Security vulnerabilities in many Windows-based machines allowed the bad guys to take control of these computers and do their dirty work from there. Problem #4: There are actually some good guys that live in Russia and China. Problem #5: The bad guys learned to poison the "bad guy list" to block essential services such as DNS, Google, Amazon, Netflix, Pandora, and your favorite bank and credit card companies. Yes. The theory of blacklists sounded great. No. Blacklists not only don’t work. They’re downright dangerous.
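The two Fail2Ban gaps described in item 2 (wording drift in failure messages, and failures that never pile up on one source address) can be seen by running a per-IP counter over a few log lines. This is an added example, not code from Fail2Ban or Incredible PBX; the simplified log format, the "Password mismatch" wording, the addresses and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example: a Fail2Ban-style per-IP counter run over constructed log lines.
# The simplified log format and every address below are constructed.

# per_ip_bans LOG PATTERN MAXRETRY
# Print every source IP with at least MAXRETRY lines matching PATTERN.
per_ip_bans() {
    awk -v pat="$2" -v max="$3" '
        $0 ~ pat { hits[$7]++ }          # field 7 is the source IP
        END { for (ip in hits) if (hits[ip] >= max) print ip }
    ' "$1" | sort
}

# total_failures LOG PATTERN
# Count matching lines regardless of source: the aggregate view that a
# per-IP threshold never looks at.
total_failures() {
    awk -v pat="$2" '$0 ~ pat { n++ } END { print n + 0 }' "$1"
}

# drifted_lines LOG PATTERN
# Count registration failures that PATTERN does NOT match. A non-zero result
# means the filter wording is out of date for this log.
drifted_lines() {
    awk -v pat="$2" '
        /Registration from/ && / failed / && $0 !~ pat { n++ }
        END { print n + 0 }
    ' "$1"
}

# make_sample_log: write the constructed log to stdout.
make_sample_log() {
    pre="NOTICE chan_sip.c: Registration from"
    # One host, four failures, in the wording the filter expects
    for i in 1 2 3 4; do
        echo "2014-05-21 10:00:0$i $pre 203.0.113.5 failed - Wrong password"
    done
    # One host, four failures, reported with a different (constructed) wording
    for i in 1 2 3 4; do
        echo "2014-05-21 10:01:0$i $pre 203.0.113.9 failed - Password mismatch"
    done
    # Five hosts, two failures each: ten failures, none above the threshold
    for host in 1 2 3 4 5; do
        for i in 1 2; do
            echo "2014-05-21 10:02:$host$i $pre 198.51.100.$host failed - Wrong password"
        done
    done
}

sample_log=$(mktemp)
make_sample_log > "$sample_log"

echo "banned at maxretry 3: $(per_ip_bans "$sample_log" 'Wrong password' 3)"
echo "failures seen in total: $(total_failures "$sample_log" 'Wrong password')"
echo "failures the filter missed: $(drifted_lines "$sample_log" 'Wrong password')"
```

Only one of the seven source addresses is banned, while the aggregate count and the drift count show what a per-source threshold leaves unseen. A default-drop whitelist answers none of these hosts in the first place.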

WhiteLists with IPtables: The Knight in Shining Armor

For the past few years, our Internet security focus has turned toward defining a methodology that works with all PBX in a Flash and Incredible PBX servers, whether they’re dedicated servers behind a hardware-based firewall or public on a cloud-based shared host. And the conclusion we’ve reached is that nothing beats the IPtables Linux firewall for rock-solid Internet security. The reason is its deep integration into the Linux kernel itself through Netfilter, "a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack." Wikipedia provides an excellent overview for those with an interest. For our purposes, suffice it to say that IPtables examines inbound and outbound packets before any further processing occurs on your server. With our default setup, we typically allow all outbound traffic from your server. For inbound traffic, if the iptables rules permit access, the packet comes in for processing. If not, the packet dies at the door with no acknowledgement that it was even received. In layman’s terms, if someone attempts to scan your server to determine whether web or SIP services are available, there will be no response at all unless packets from the scanning server’s IP address are permitted in the iptables rules configured on your server. You can determine which rules are in force with this command: iptables -nL.

The basic configuration and syntax of iptables rules can be daunting to those unfamiliar with the territory. And thus was born Travelin’ Man 3, our open source tool to simplify configuration of IPtables by allowing administrators to define WhiteList entries describing the types of services that were allowed access to a server from specified external IP addresses. The basic rules of the Travelin’ Man 3 setup for iptables are these: (1) outbound packets are unrestricted, (2) forwarded, established, and related packets are permitted, (3) inbound packets from the private LAN are unrestricted, but (4) inbound packets from the public Internet are dropped unless permitted by a specific iptables rule. Those rules include certain basic services such as time synchronization (TCP 123) as well as WhiteListed IP address entries for specific or generic services.

Installation is easy. Log into your PBX in a Flash as root and issue the following commands. NOTE: Travelin’ Man 3 is optionally available as part of Incredible PBX installs on the CentOS, Scientific Linux, and PIAF OS platforms. It is preinstalled on the Raspberry Pi and BeagleBone Black platforms with RasPBX. You can determine if it’s already installed on your server with this command: ls /root/secure-iptables. If the script exists, you’ve already got Travelin’ Man installed, but it may not be running so keep reading…

cd /root
wget http://incrediblepbx.com/travelinman3.tar.gz
tar zxvf travelinman3.tar.gz
yum -y install bind-utils
./secure-iptables

Because PBX in a Flash and Incredible PBX servers are primarily designed to support telephony, Travelin’ Man 3 further simplifies the iptables setup by whitelisting the IP addresses of a number of the leading VoIP providers. These include Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. For the complete list: cat /etc/sysconfig/iptables (CentOS) or cat /etc/network/iptables (RasPBX).

The real beauty of Travelin’ Man 3 is you aren’t limited to our WhiteList. You can add your own entries easily using the TM3 scripts that are included in the /root directory. secure-iptables initializes your iptables setup and also lets you define a primary IP address or fully-qualified domain name (FQDN) that will always have access to your server. You must run this script at least once to activate IPtables on all platforms!

Once you have run secure-iptables, you can whitelist additional IP addresses by running add-ip. You can whitelist additional FQDNs by running add-fqdn. You can delete either IP addresses or FQDNs by running del-acct. As noted previously, you can check what’s authorized with the command: iptables -nL.

We’ve also included a custom script to restart IPtables gracefully: iptables-restart. The reason is that using the traditional restarting mechanism in IPtables will leave your server vulnerable (and IPtables inoperative) if a particular FQDN cannot be resolved. The iptables-restart script takes another approach and removes the offending rule from your whitelist, alerts you to the problem, and then restarts iptables without the offending entry. So all existing rules are put back in place and function as you would expect.
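The four basic rules listed earlier and the graceful restart just described can be shown together: a default-drop whitelist in iptables-restore format, and a pre-load filter that sets aside any rule whose FQDN no longer resolves. This is an added example and not the project's iptables-restart script; the hostnames, addresses, the loopback rule, the `TM_HOSTS` variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's iptables-restart script. Hostnames and
# addresses are constructed; the rules are IPv4 only.

# resolve_host NAME: print one address for NAME, or return 1.
# TM_HOSTS (hypothetical variable) names a "name address" table so the example
# runs offline; leave it unset to use the system resolver.
resolve_host() {
    if [ -n "${TM_HOSTS:-}" ]; then
        awk -v n="$1" '$1 == n { print $2; ok = 1; exit } END { exit !ok }' "$TM_HOSTS"
    else
        getent hosts "$1" | awk '{ print $1; ok = 1; exit } END { exit !ok }'
    fi
}

# rule_source LINE: print the argument of -s/--source when the rule has one.
rule_source() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { exit }              # comment lines carry no rule
        { for (i = 1; i < NF; i++)
              if ($i == "-s" || $i == "--source") { print $(i + 1); exit } }'
}

# filter_rules IN OUT BAD: copy IN to OUT minus rules whose source FQDN does
# not resolve; those rules go to BAD for the administrator to review.
# Returns 0 when every rule survived, 1 when at least one was set aside.
filter_rules() {
    fr_dropped=0
    : > "$2"; : > "$3"
    while IFS= read -r fr_line || [ -n "$fr_line" ]; do
        fr_keep=yes
        fr_src=$(rule_source "$fr_line")
        case $fr_src in
            '') ;;                       # no source match: keep as is
            *[!0-9./]*)                  # not an address or CIDR, so an FQDN
                resolve_host "$fr_src" >/dev/null || fr_keep=no ;;
        esac
        if [ "$fr_keep" = yes ]; then
            printf '%s\n' "$fr_line" >> "$2"
        else
            printf '%s\n' "$fr_line" >> "$3"
            fr_dropped=1
        fi
    done < "$1"
    return "$fr_dropped"
}

# Constructed sample: one name that resolves, one that no longer does.
demo_dir=$(mktemp -d)
TM_HOSTS=$demo_dir/hosts
printf '%s\n' 'sip.example.net 192.0.2.10' > "$TM_HOSTS"
cat > "$demo_dir/rules" <<'EOF'
*filter
# (4) inbound is dropped unless a rule below accepts it
:INPUT DROP [0:0]
# (2) forwarded packets are permitted, (1) outbound is unrestricted
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback (assumption: standard practice, not one of the four rules)
-A INPUT -i lo -j ACCEPT
# (2) established and related packets are permitted
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# (3) the private LAN is unrestricted
-A INPUT -s 192.168.0.0/16 -j ACCEPT
# whitelist entries: an address, a provider FQDN, a stale FQDN
-A INPUT -s 198.51.100.7 -j ACCEPT
-A INPUT -s sip.example.net -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s gone.example.net -j ACCEPT
COMMIT
EOF

if filter_rules "$demo_dir/rules" "$demo_dir/rules.ok" "$demo_dir/rules.bad"; then
    echo "all whitelist entries resolved"
else
    echo "set aside before load:"; cat "$demo_dir/rules.bad"
fi
# On a real server the filtered file would then be checked and loaded:
#   iptables-restore --test < rules.ok && iptables-restore < rules.ok
```

The point of filtering before the load is that the DROP policy and every healthy whitelist entry still go in, instead of the whole ruleset being rejected over one dead name.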

Finally, Travelin’ Man 3 includes a script that allows you to utilize FQDNs for users that may have ever-changing dynamic IP addresses. Steps #4, #5, and #6 in the original Travelin’ Man 3 tutorial will walk you through the Administrator set up which only takes a minute or two and never has to be touched again. Basically, a cron job script is employed to check for changes in the dynamic IP addresses you have identified with FQDNs. If changes are found, IPtables is restarted which updates the IP addresses accordingly.

Unfortunately, there was one group of end-users that weren’t covered by the Travelin’ Man 3 setup. This group included traveling salespeople or vacationing individuals that may land in a different city every night. Rather than relying upon an administrator to provide access to home base, these frequent travelers needed their own tool to manage their IP address as it changed. While this was supported through a web interface in Travelin’ Man 2, that setup exposed your web server to the public Internet and was burdensome for administrators to initially configure. Most importantly, it didn’t manage remote IP address access using IPtables which made coexistence with TM3 difficult. Thus was born Travelin’ Man 4.

Introducing Travelin’ Man 4: Managing WhiteList Access by Telephone

Travelin’ Man 4 is a new add-on for an existing Travelin’ Man 3 setup. It’s for those that wish to allow traveling individuals to manage their own whitelist access to PBX in a Flash or Incredible PBX using a telephone. An Administrator preconfigures accounts and passwords for the travelers together with the services to which they will have access on the server. Using any cellphone or hotel phone, the traveler simply dials a preconfigured number to access an IVR that will prompt the user for an account number and PIN. Unless you have a spare DID, you can grab a free one from IPkall.com to use with your Travelin’ Man 4 IVR. Once a user is successfully logged in, the IVR will prompt for the user’s IP address to be whitelisted on the server. Enter it using this format: 12*34*56*78.

Within a couple minutes, the new IP address will be properly formatted and then whitelisted in IPtables, and the traveler will be sent an email acknowledging that the account has been activated. Once the account is activated, the traveler can use a SIP softphone application such as Zoiper on any iPhone or Android phone or a softphone on any desktop computer to place and receive calls as well as to check voicemail on the remote PBX in a Flash server. For anyone that doesn’t know their current IP address, a quick visit to WhatIsMyIP.com will tell you. Travelin’ Man 4 is licensed under GPL2 so download a free copy. Then read the tutorial and give it a whirl. Enjoy!
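The keypad entry format above (12*34*56*78) has to be validated before it is turned into a firewall rule. The following is an added example, not Travelin’ Man 4 code: the function names, the choice of UDP 5060 as the permitted service and the list of refused address ranges are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Travelin' Man 4 code: turn a keypad entry such as
# 12*34*56*78 into a dotted quad and refuse anything unsafe to whitelist.

# dtmf_to_ip ENTRY: print the IPv4 address on success, return 1 otherwise.
dtmf_to_ip() {
    d_in=$1
    # Only digits and '*' are acceptable; refuse anything else outright
    case $d_in in
        ''|*[!0-9*]*) return 1 ;;
    esac
    # Exactly four groups of one to three digits separated by '*'
    printf '%s\n' "$d_in" | grep -Eq '^[0-9]{1,3}(\*[0-9]{1,3}){3}$' || return 1

    d_ifs=$IFS; IFS='*'
    set -- $d_in                 # split on '*' into $1..$4
    IFS=$d_ifs

    d_out=
    for d_oct in "$@"; do
        # Strip leading zeros so 012 means twelve, never octal
        while [ "${#d_oct}" -gt 1 ] && [ "${d_oct#0}" != "$d_oct" ]; do
            d_oct=${d_oct#0}
        done
        [ "$d_oct" -le 255 ] || return 1
        d_out=${d_out:+$d_out.}$d_oct
    done

    # Refuse ranges that cannot be a traveler's public address
    case $d_out in
        0.*|127.*) return 1 ;;                               # this-network, loopback
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            return 1 ;;                                      # RFC 1918 private
        22[4-9].*|23[0-9].*|24[0-9].*|25[0-5].*) return 1 ;; # multicast, reserved
    esac
    printf '%s\n' "$d_out"
}

# sip_rule ENTRY: print an iptables rule admitting SIP signalling (UDP 5060,
# an assumed service choice) from the validated address only.
sip_rule() {
    s_ip=$(dtmf_to_ip "$1") || return 1
    printf '%s\n' "-A INPUT -s $s_ip -p udp -m udp --dport 5060 -j ACCEPT"
}

# Constructed entries: two valid, four that must be refused
for entry in '12*34*56*78' '012*034*056*078' '12*34*56' '12*34*56*300' \
             '192*168*1*5' '12*34*56*78#'; do
    if rule=$(sip_rule "$entry"); then
        echo "accept  $entry -> $rule"
    else
        echo "reject  $entry"
    fi
done
```

Because the address is rebuilt from four range-checked integers, nothing from the caller's raw input is ever copied into the rule text.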

Originally published: Wednesday, May 21, 2014


