Home » Incredible PBX (Page 9)
Category Archives: Incredible PBX
Introducing OpenSIPS 3 for Incredible PBX and Debian 10
Today we’re pleased to introduce an updated OpenSIPS installer for Debian 10 featuring the latest release of OpenSIPS. Our previous tutorial with Debian 8 is now obsolete, an all-too-frequent occurrence in the open source world. Today’s open source SIP server lets you connect users to make and receive free as well as commercial calls worldwide. There’s excellent documentation making it easy to integrate into our existing Incredible PBX platform without hiring a consultant. It’s also straight-forward to secure without providing free phone service to every bad guy on the planet.
OpenSIPS is a multi-functional, multi-purpose signaling SIP server used by carriers, telecoms or ITSPs for solutions like Class4/5 Residential Platforms, Trunking / Wholesale, Enterprise / Virtual PBX Solutions, Session Border Controllers, Application Servers, Front-End Load Balancers, IMS Platforms, Call Centers, and many others. Source: opensips.org
We’ve often complained that the problem with many open source projects is that the developers get so focused on making money that they skimp on the documentation to encourage consulting work or participation in expensive conferences. We have found just the opposite with OpenSIPS. In fact, much of today’s implementation is based upon an excellent tutorial by the folks at PowerPBX. Down the road, if you find yourself in need of a consultant, their services would be a good place to start. What we’ve added to the PowerPBX design is security, support for clients behind NAT-based routers, and an integration scheme for Asterisk®, FreePBX®, and Incredible PBX® platforms so that you get the best of all worlds, a public facing SIP server with the UC feature set that most organizations expect. Last but not least, our turnkey GPLv2 installer will get you up and running in about 5 minutes.
Choosing an Appropriate Platform for OpenSIPS
Let’s begin by addressing the appropriate platform for an OpenSIPS server. The server needs to have a public IP address that is static, and the server should not be situated behind a NAT-based router. It only complicates things and is beyond the scope of what we plan to address. For those that are frequent visitors, you already know that we’ve been pushing everyone to kiss their local hardware goodbye and join the cloud revolution. When it comes to public-facing VoIP platforms like OpenSIPS, most of us don’t have a choice. You need a static IP address on the open Internet. And, for the sake of security, a KVM cloud platform is a must since older OpenVZ platforms don’t support the ipset component of IPtables which makes it easy to block hundreds of thousands of IP addresses without a performance hit on your server. Pure whitelist access simply isn’t an option if you wish to retain the functionality of a VoIP application such as OpenSIPS.
Ten to twenty gigabytes of disk space should be more than ample for OpenSIPS. The amount of RAM in your server depends upon the volume of calls your server will be handling. If it’s a dozen simultaneous calls then 1GB of RAM will suffice. If it’s 100,000 calls, then take a look at this article for tips on sizing your server. For today’s implementation, you’ll need a Debian 10 platform so a low-cost KVM provider including Digital Ocean, Vultr, and OVH should be fine.1
Choosing OpenSIPS Components to Deploy
We’ve divided up today’s tutorial into bite-sized pieces so that you can pick and choose where to stop implementing and start using. You do not need to have an Asterisk server to make and receive calls with OpenSIPS. However, OpenSIPS lacks voicemail and AutoAttendant/IVR components so, if those are a requirement, then you either need a VoIP service provider that offers them, or deploy a $50 Incredible PBX for the Raspberry Pi to add the missing pieces.
What OpenSIPS offers is a free server platform for worldwide SIP communications so that you, your friends, and business associates can call or connect from anywhere using freely available SIP softphones or any of dozens of SIP telephone instruments. We’ll stick with softphones for today, but hardware-based SIP telephones are equally simple to deploy.
This is not a criticism because it is one of the best tutorials we’ve ever used but, if you want to see how complex a typical OpenSIPS server deployment is, take a look at the PowerPBX tutorial we used as a starting point with OpenSIPS. We’ve compressed most of those procedures into a turnkey installer that only requires you to enter a MySQL root password of passw0rd (with a zero) once you have your Debian 10/64 platform up and running.
Deploying a Debian 10 Server Platform
Start by choosing a cloud provider that offers the 64-bit Debian 10 minimal platform as a deployment option. Most do. As noted, we recommend a KVM platform with support for ipset making it easy to block entire countries overrun with bad guys. Choose offerings with at least 1GB RAM and a 10GB drive to get started. Configure your Debian 10 server with a fully-qualified domain name (FQDN). This is critically important with our security design because we will assign all OpenSIPS users/extensions to this FQDN and reserve your server’s IP address purely for connections from service providers and Asterisk servers. This makes it all but impossible for anyone to hack into your server since most script kiddies launch attacks on IP addresses, not FQDNs. Using an unusual FQDN adds an extra layer of security, but that’s your call. If you lack the ability to assign FQDN aliases to a domain which you own, you can obtain a free FQDN from numerous sources including ChangeIP and point it to the IP address of your OpenSIPS server.
Installing OpenSIPS on a Debian 10 Server
Now the fun begins. Log into your Debian 8 server as root and issue the following commands to prepare for the OpenSIPS install:
cd /root wget http://incrediblepbx.com/opensips3.tar.gz tar zxvf opensips3.tar.gz rm -f opensips3.tar.gz
Make sure you have logged into your Debian 10 server as root using SSH or Putty from a desktop PC that you will use to manage OpenSIPS with a browser. The reason is because this IP address automatically will be whitelisted in the OpenSIPS firewall as part of the install process. Otherwise, you will need to manually log into SSH and whitelist the IP address of your desktop PC using /root/add-ip each time you wish to access the OpenSIPS Control Panel since TCP port 80 (HTTP) is not exposed to the public Internet as a security precaution.
To begin the install, issue this command: /root/install
As the install progresses, you’ll first be prompted to choose the GRUB install device. Press the spacebar on the first entry. Then press TAB and ENTER. When prompted for the SSH configuration, choose "keep local version" and then press TAB and ENTER. For the MariaDB setup, press ENTER when prompted for the current password. Type N when prompted whether to switch to unix_socket authorization. Then type Y to change the root password. Be sure to use passw0rd (with a zero) as your MySQL password, or the install will fail. This is NOT a security risk unless your Debian 10 root user account is compromised. And, in that case, it won’t matter anyway since the MySQL password could easily be changed. Type Y to remove anonymous users. Type Y to disallow remote root logins. Type Y to reload the MySQL privilege tables.
Next you’ll be prompted to set your timezone and TZ entries. For East Coast U.S., it’s 2,49,1,1 then America/New_York. Later you’ll be prompted twice for the MySQL root password. You must enter passw0rd (with a zero). When the OpenSIPS status screen displays, type Q to exit the display. There are a couple of steps where you will be prompted for input. Correct responses are indicated before the various prompts. Pay particular attention when you are prompted to change the SSH port from TCP 22 to a port number in the 1000-2020 range as a security precaution. We recommend using the year you were born because it will be easy for you to remember. When the install finishes and you log out of your server, the next SSH login will look like this where XXXX is the SSH port you chose and yyy.yyy.yyy.yyy is the OpenSIPS server address: ssh -p XXXX root@yyy.yyy.yyy.yyy
Although most of the configuration of your OpenSIPS server will be handled using a web browser and the OpenSIPS Control Panel GUI, we’ve included a few scripts in /root to assist with maintenance of your server platform. Here’s a brief summary of the script functions:
- pbxstatus – Status of your OpenSIPS server (image sample above)
- add-ip – Temporarily WhiteList IP address until next iptables-restart
- ban-ip – Permanently Ban an IP address
- unban-ip – Unban a previously banned IP address
- log-purge – Zero out all of the major Linux log files
- opensips-check – Assures OpenSIPS and RTPproxy are running (runs automatically)
- Fail2Ban BlackLists –
iptables -nL | grep -A100000 "opensips ("
- IPset BlackList (KVM/OVZ7 platforms only) –
ipset list | sort
We secure your server in several ways: (1) by disguising the SSH port, (2) by locking down almost every port on your server with the IPtables firewall with the exception of the SIP ports, (3) by deploying Fail2Ban to scan your OpenSIPS log for errors and lock out attackers for an extended period of time, and (4) by deploying the IPset blacklist for KVM platforms. With this design, there is a symbiotic relationship between IPtables, Fail2Ban, and IPset. Therefore, it is critically important that you only restart these services using the iptables-restart command. NEVER issue other IPtables commands to restart or save your firewall settings.
Activating a SIP Server with OpenSIPS Control Panel
We don’t want to overload you on the first day with your new OpenSIPS 3 platform so we’ll walk you through the preliminary setup steps to create your SIP Domain. Then we’ll show you how to set up user accounts (also known as extensions). Finally we’ll walk you through setting up a trunk to make and receive calls from a commercial SIP provider. When we’re finished today, you’ll be able to make and receive calls using SIP URIs or DIDs which you have purchased from a provider. Then next week we’ll focus on integration of OpenSIPS with an Asterisk platform of your choice using Incredible PBX as an example. Once we’re finished, you’ll be able to handle user account registrations exclusively on your OpenSIPS server while leaving your Asterisk platform completely hidden from public exposure.
Logging into the OpenSIPS Control Panel
As deployed, the OpenSIPS Control Panel is accessible via web browser. As noted previously, HTTP Port 80 access is blocked by default unless the IP address of your desktop PC has been whitelisted either as part of the initial install or using the add-ip script in /root. Once your desktop PC’s IP address is whitelisted, point your browser to http://xxx.xxx.xxx.xxx/cp
The default Username is admin, and the default password is opensips. Once you’re logged in, immediately click on the Users icon in the upper-right corner of the dashboard. Then click the Edit Info pencil icon for user Admin and change your password. Click Save when done.
Creating Domains with OpenSIPS Control Panel
In the Left column of the Dashboard, you’ll see two tabs: Users and System. Click on the System tab to expose the available choices. Then choose the Domains option.
Domains are the essential building blocks in OpenSIPS. You can manage one or a hundred domains on a single OpenSIPS server, and each domain can have its own set of Users, Trunks/Gateways, and Dialplan rules. We’re actually going to create two domains, one for the IP Address of your OpenSIPS server and a second one for the FQDN of your OpenSIPS server. For added security, we will create all User accounts under the FQDN Domain. And we’ll reserve the IP Address Domain for DID Trunks/Gateways from registered, commercial SIP providers. This design allows attackers to attempt to register to accounts on your IP Address Domain until the cows come home, and they will never be successful because there are no existing SIP user accounts there. Keep it that way! With our OpenSIPS design, Fail2Ban will block attackers after a single failed registration attempt. And OpenSIPS itself will identify and block all SIP flood attacks using either Fail2Ban or IPset.
Now that you understand the design, let’s set up your domains. After choosing System -> Domains, enter the IP Address of your OpenSIPS server at the SIP Domain prompt. Then click Add New Domain followed by Reload on Server. Repeat the same steps to enter the fully-qualified domain name (FQDN) of your OpenSIPS server. When finished, you should see:
Creating Users with OpenSIPS Control Panel
We’ve already explained the security implications and reason for creating User accounts with your FQDN Domain only. Click on Users -> User Management -> Add New to get started. You can use Numbers (what we call Extensions in Asterisk) or Names. Our preference is to use Numbers for the User accounts and then to create Alias Names (as desired) for each User account. You can’t dial names from most SIP telephones. This also keeps the design similar to what many are used to in the Asterisk environment. A completed dialog would look something like the following. Use the Domain pull-down to choose your FQDN. Obviously, the passwords must be secure and must match. Then the Register button will be enabled to save. The actual Numbers used for Usernames are completely up to you.
Create at least a couple User accounts so that you can set up two SIP phones to call yourself and verify that everything is working. These User accounts become an integral part of the SIP URI to receive calls from any SIP phone in the world:
7701@opensips.yourdomain.com
Before you can actually answer an incoming call to your SIP URI, you’ll need to register the User account using either a softphone or SIP phone. We’ll do that next. But, first, let’s create an Alias to 7701 User so that folks can reach you by calling joe@opensips.yourdomain.com
Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the example below. Make sure that you select your FQDN Domain using the pull-downs for BOTH the Domain and Alias Domain fields. Then click Add to save.
Registering a Softphone to an OpenSIPS User Account
There are literally dozens of free SIP soft phones from which to choose. We covered some of our favorites for every platform in previous articles. For our purposes today, we recommend you choose one of the Linphone softphones which are available for the PC, Mac, Linux, Android, and iOS platforms. We also recommend signing up for a free Linphone.org SIP account which doesn’t cost you anything. For today, we will be configuring the softphone to register to your new OpenSIPS server.
Once you have downloaded and installed the Linphone client, go into the Preferences menu and make the following changes. Some depend upon your calling platform.
- Audio Codecs: PCMU, G722, PCMA
- Video Codecs: VP8, H264
- Call Encryption: None
- DTMF: RFC2833 only
- Send InBand DTMF: OFF
- Send SIP INFO DTMF: OFF
- SIP UDP 5060: Enabled
- SIP TCP 5060: Enabled
- Allow IPv6: Disabled
Then set up a new SIP Proxy account: Username (7701), Password (as defined), Domain: your FQDN not IP address, Transport: UDP, Outbound Proxy: OFF, Stun Server: stun.linphone.org, ICE: ON, AVPF: OFF, Push Notification: ON, Country Code Prefix: 1 (if required by your commercial SIP provider), Register: YES, Account Enabled: YES. HINT: You can call Alias Names via SIP URI, but you can only register to a SIP account using its actual Username.
Avoiding Lockouts with NeoRouter VPN
By design, Fail2Ban is unforgiving when it comes to failed registrations. A single failed registration will get an IP address banned for a full week. The reason is because the new bad guy strategy is to hit your server once to determine whether anybody is home. Then the creep bombards you later with an endless stream of registration attempts. With our design, nobody will be home when they return. The bad news is a single failed registration attempt by you or your users will also trigger a ban. There are several workarounds. The easiest is to set up the NeoRouter client on each of your machines including your OpenSIPS server and use the 10.0.0.x private network for access. These IP addresses never get banned. Our previous tutorial will walk you through setting up a free NeoRouter server and installing the free NeoRouter clients on your machines. The client software already is installed and running on your OpenSIPS server. It only requires that you log in using nrclientcmd
and register to your NeoRouter server to obtain a private IP address. The other option is to install OpenVPN. Our previous tutorial will walk you through that process. The advantage of OpenVPN is that it’s supported directly on many SIP telephone instruments. The 10.8.0.x addresses are already whitelisted by our OpenSIPS installer.
There are other options to unban an IP address which has accidentally been snagged. First, almost all of the cloud providers include a Console option in their web portals. Second, you can log into your server via SSH from any non-blacklisted IP address to remove the banned IP address. Once you’re logged in, simply run this command using the IP address you wish to unban: /root/unban-ip xxx.xxx.xxx.xxx
Choosing Commercial SIP Providers
Recall that you cannot register to a SIP alias on your OpenSIPS server. We’ll take advantage of this restriction in setting up incoming calls from commercial providers’ DIDs. To set up Trunks from commercial providers so that you can not only receive incoming calls but also make outbound calls over their PSTN network connections, you must use providers that support IP address authentication rather than a SIP registration. Many providers support this including our platinum sponsor, Skyetel, as well as providers such as VoIP.ms, Anveo Direct, V1VoIP, and many others. In our OpenSIPS design, you also can use DIDs from providers that support SIP URI forwarding such as CallCentric and LocalPhone; however, you are limited to receiving inbound calls only. VoIP communications really shines here because you don’t have to choose a single provider to meet all of your communications requirements.
Skyetel is by far the easiest provider to set up with OpenSIPS. See our earlier tutorial for a special offer that will get you half-price calling for up to $500. Effective 10/1/2023, $25/month minimum spend required. Once you’re registered on the Skyetel site, add a new EndPoint Group using the IP address of your OpenSIP server and designate UDP 5060 as the access port. Sign up for a DID and map it to the OpenSIPS Endpoint Group. Done. In the OpenSIPS Control Panel, navigate to System -> Dynamic Routing and click Add Gateway. Using the template below, create 5 Proxy gateways for the following Skyetel data centers:
- skyetel-NW 52.41.52.34
- skyetel-SW 52.8.201.128
- skyetel-NE 52.60.138.31
- skyetel-SE 50.17.48.216
- skyetel-EU 35.156.192.164
Begin by whitelisting the IP addresses of your SIP providers in /etc/iptables/rules.v4 just below the existing 10.8.0.0/24 rule. The entries should look like this:
-I INPUT -s 52.41.52.34 -j ACCEPT
Once you’ve entered IP addresses for your providers, issue the command: iptables-restart
Next, we need to create what Asterisk users know as an Outbound Route. This tells OpenSIPS to send dialed numbers in 11-digit format to Skyetel for termination. We’ve already created the Dial Plan rule for calling out by dialing 1 plus a 10-digit number. So, while you’re still in the Dynamic Routing section of the OpenSIPS Control Panel, click on the Rules tab at the top of the template. Then click Add Rule. Begin by clicking Add ID button and choosing Group ID 0. In the Prefix field, type 1. Now click the Add GW button 3 times after choosing the Skyetel gateways in the following order from the GW pull-down list: skyetel-nw, skyetel-sw, and skyetel-se. Those are the three currently operational Skyetel gateways. When you’re finished, your template should look like the following. Then click the Add button to save the new rule. Click Reload Server to load the new rule into OpenSIPS. Then repeat this procedure leaving the Prefix field blank so that you can make 10-digit calls as well.
Finally, we need to create what Asterisk users know as an Inbound Route. This tells OpenSIPS where to send incoming calls from our Skyetel DID. OpenSIPS handles inbound routes by defining a User Alias for the Username to which you want to route the incoming DID calls. Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the following template and then click Add.
- Username: 7701 (the extension to which to route the incoming calls)
- Domain: opensips.xyz.com (the FQDN of your OpenSIPS server)
- Alias Username: 18435551212 (the 11-digit Skyetel DID)
- Alias Domain: 11.12.13.14 (the IP address of your OpenSIPS server)
- Alias Type: dbaliases
Introducing the VoIP Blacklist
We’ve always dreamed of an effective VoIP Blacklist, and many have tried. But the crowd-sourced VoIP Blacklist at voipbl.org is the real deal. Everybody can post entries (including the bad guys) and, magically, most of the illegitimate entries get sifted out before the next day’s list is released. The list gets populated every night while you sleep. Here are the steps to install the VoIP Blacklist with IPset:
apt update && apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent cd /usr/local/sbin wget http://incrediblepbx.com/voipbl-update chmod +x voipbl-update sed -i 's|fail2ban restart|fail2ban restart\n/usr/local/sbin/voipbl-update|' iptables-restart iptables-restart ipset list voipbl ipset list voipbl | wc -l
Then create a cron job in /etc/crontab to run /usr/local/sbin/voipbl-update every day to update the VoIP blacklist.
1 4 * * * root /usr/local/sbin/voipbl-update > /dev/null 2>&1
Congratulations! You now have a functioning OpenSIPS 3 server that can process incoming calls from SIP URIs as well as DIDs. And you can make SIP URI and 11-digit PSTN calls using your SIP softphone that’s registered to your OpenSIPS server. See you next week. Enjoy!
Continue Reading: Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS
Originally published: Monday, October 4, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
- Nerd Vittles receives referral fees from some VoIP service providers to help cover the costs of our blog. We never recommend particular companies solely to generate commissions. We also test all services that we recommend. [↩]
Some Further Thoughts & Solutions Regarding DDoS Attacks
This month’s DDoS attacks on SIP infrastructure in the VoIP community should give us all pause to reflect upon what each of us can do to lessen the impact of these attacks in our Internet-centric community. Suffice it to say, DDoS attacks can be directed toward carriers (last week it was Bandwidth.com), VoIP providers (last week it was VoIP.ms), and VoIP servers (that would be your PBX). While they may not like it, carriers and many VoIP providers have the financial resources to withstand or mitigate a DDoS attack. You, on the other hand, with your budget-basement cloud server probably do not. So what can you do?
Almost 10 years ago, we introduced the Travelin’ Man 3 firewall for VoIP servers. The idea was novel at the time. You can’t attack what you can’t see. By placing an Incredible PBX server behind the IPtables firewall with no public exposure except for trusted sites and users, your server is essentially hidden from the Internet and all of the world’s bad guys. At the time, the design was poo-poo’d by the SIP purists who were adamant that SIP ports needed to be publicly exposed to function reliably. Wrong. Then there was the FreePBX® firewall which blocked repeated attacks from the IP address of a would-be attacker. But what if a botnet unleashed hundreds of thousands of attacks on your IP address. The FreePBX blocking mechanism obviously would fail. One of the shortcomings of Asterisk®: it isn’t a SIP proxy.
The moral of the story is pretty simple. Unless you have an unlimited bank account to thwart DDoS attacks and unless your PBX is sitting behind a SIP proxy, you’re much safer with a fully-protected Incredible PBX platform. And, for those believing your IP address is too obscure to attract much attention, try installing a server on CloudAtCost, or Digital Ocean, or Vultr without a firewall to protect your SSH port. You’ll quickly discover how popular you are. Stay safe!
Originally published: Monday, September 27, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Is SIP Trunking Safe & Reliable in the DDoS World?
Since last Thursday when VoIP.ms suffered (and continues to suffer) one of the worst Distributed Denial of Service (DDOS) attacks in the VoIP era, we’ve been asked a thousand times whether any SIP trunking provider can provide a safe and reliable platform under circumstances similar to the VoIP.ms outage. We obviously cannot vouch for every trunking provider but, based upon our discussions with two of the major carriers that support Incredible PBX, we are confident that either of them could withstand a similar attack and your phones would still ring. Keep in mind that one of the hidden beauties of VoIP is the ability to configure your PBX to use multiple carriers for failover in making outbound calls, something we have always recommended. Unfortunately, inbound calls are tied to registration of each DID with one and only one carrier. Thus, if that carrier goes off line, incoming calls to DIDs registered with that carrier will fail.
To restate the obvious, no provider is going to publicly document their DDOS remediation methodology thereby providing attackers with a blueprint to their network design and remediation strategy. However, under non-disclosure agreements, we have spoken at length with the owners of our two major Incredible PBX providers: Skyetel and Clearly IP. Based upon our NDA discussions over the past few days, we are satisfied that the SIP trunking offerings of our two primary carriers are sufficiently robust to withstand a VoIP.ms-like DDOS attack. Having said that, we are optimistic that the VoIP.ms outage has placed a renewed spotlight on the seriousness of these DDOS attacks with the FBI and the U.S. Department of Homeland Security.
So what’s missing from the VoIP.ms design that has made their infrastructure so vulnerable? Lots. For openers, VoIP.ms apparently does not rely upon SIP proxies or firewalls using industry-standard network management procedures. In fact, until several days ago, VoIP.ms reportedly was hosting its own DNS servers exclusively. While that has been addressed by moving to Cloudflare, other design vulnerabilities have been more difficult to ameliorate. For example, SIP trunking with VoIP.ms by design requires registration to one of several dozen POPs on both your PBX and on their public-facing portal. An inability to access their public portal means an administrator cannot redirect traffic to another POP in case of an outage. And, if an individual POP is overwhelmed with a DDOS attack, that POP can no longer redirect its incoming calls to a failover location. And apparently it is the only server from which this redirection can be initiated. As the current five-day outage makes clear, reengineering this design would be a Herculean task. So an important lesson learned should be that FORWARDING DIDS TO ANOTHER NUMBER OR SIP ADDRESS SHOULD BE COMPLETELY INDEPENDENT OF YOUR PUBLIC-FACING ARCHITECTURE.
What can you do at this juncture to lessen your vulnerability to a future DDOS attack? First, don’t put all of your eggs in one carrier’s basket. This is especially true with your main phone numbers (DIDs). Second, if you are a major organization, move your most important DIDs to one of our preferred providers, Skyetel or ClearlyIP. And, if money is no object, consider an AT&T, Verizon, T-Mobile, or Google Voice trunk. With multi-path forwarding, simultaneous incoming calls can be redirected to other DIDs hosted with SIP trunking providers. These paths can easily be adjusted in the event of a DDOS attack. Many of these providers offer heavily discounted rates for forwarding calls to other SIP destinations which need not be publicly disclosed.
Latest VoIP.ms Update:
Originally published: Monday, September 20, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
DEAL OF THE DAY: OBi2182 Color WiFi Phones now $69.98
These won’t last long but, if you still have some Google Voice numbers lying around unused and you live in the United States, you’d better jump on this one. Amazon is selling the OBi2182 phones with Google Voice, WiFi and power adapter for $69.98. Here’s the link.
We were big fans of OBiHai once upon a time. But then they sold out to Polycom. And they subsequently sold out to Plantronics. And support has gone from bad to worse along the way. But if you like free calling in the U.S. and Canada and have the patience of Job, today’s deal may just be your cup of tea. Just don’t come crying to us when things go wrong. We no longer have any dealings with ObiHai, Polycom, or Plantronics. But we know many of our followers were left high and dry when Google pulled the plug on Google Voice. And today’s deal is an easy way to reactivate free calling in your home or home office. Admin Guide available here.
UPDATE: While the price has fluctuated a bit, these phones are still a good buy. We’ve received and configured one with four Google Voice trunks and free calling in the U.S. and Canada as well as two SIP trunks and a Bluetooth connection to an iPhone so it’s well worth $69.98 for those in the U.S.
Originally published: Saturday, April 10, 2021 Updated: Friday, November 19, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Unified Communications: Adding SMS to the Asterisk Toolkit
As we roll into September, the VoIP landscape continues to evolve. For various reasons, SMS functionality has become a must-have with many VoIP deployments. What we’ve observed lately is that many businesses and professional offices now assume that all phone numbers are SMS-enabled which means, if your primary phone numbers don’t support SMS, you may miss important notices and reminders. Particularly in this COVID era, physicians have incredibly high rates of no-shows for appointments so you’ll typically get multiple SMS messages to multiple numbers beginning several days before an appointment. And, believe it or not, there are many locations where a cellphone lacks service but VoIP is alive and well.
The gap we want to close today is to enable SMS on your Incredible PBX® platform and its critical extensions. It’s also a good time to determine whether your existing SIP phones include SMS support so that notifications can be delivered to the desktop PC and phone in a reliable and timely manner. The good news is you don’t need to mortgage your house with a BroadWorks Instant Message and Presence (IM&P) subscription in order to implement SMS messaging on Asterisk® and FreePBX® platforms. SMS VoIP implementations typically cost less than a penny a message. While that’s not as inexpensive as many cellular services, it won’t break the bank either.
While we’ve all grown accustomed to SMS messaging on our smartphones, SMS and MMS messaging in the VoIP sphere is a different beast because there’s little uniformity in the way messages are sent and delivered. Proprietary messaging unfortunately is the rule rather than the exception. So today we’ll offer several VoIP provider alternatives. If you’re new to all of this, here’s the bottom line. SMS messages are delivered to VoIP trunks or DIDs. SMS messages are sent from VoIP extensions or users. Thus, it becomes the job of the PBX platform to map DIDs to extensions and to map extensions to DIDs in order to reliably send and receive SMS and MMS messages.
Our personal favorite for SMS messaging with Incredible PBX is the Clearly IP offering coupled with the Incredible PBX SIP Trunking platform because of its seamless integration with FreePBX and its User Control Panel as well as the Clearly Anywhere softphone. Once deployed, you can send and retrieve messages from your desktop PC by logging into the User Control Panel or simply calling up the Clearly IP softphone on your smartphone or desktop PC. Complete deployment tutorial is available in the Incredible PBX Wiki.
A close second place goes to VoIP.ms with their extremely flexible SMS/MMS offering which lets you redirect incoming messages to your email address, another SMS number, an SMS SIP account on VoIP.ms, and the VoIP.ms SMS/MMS Portal. We have previously documented and recently updated the Incredible PBX setup procedure to both receive and send messages as well as to deliver the messages to SMS-enabled SIP phones. Email replies to incoming SMS messages are automatically delivered to the original sender. And, of course, SMS replies on your SMS-enabled SIP phone also are delivered to the original sender. Complete Incredible PBX deployment takes only a few minutes.
A third alternative for messaging is our Platinum Partner, Skyetel. As with VoIP.ms, we previously have documented the setup procedure so we won’t repeat it here. The complete deployment tutorial is available here.
Finally, we would direct your attention to the BulkVS messaging tutorial on the VoIP-info.org Forum. It will walk you through the setup procedure using that provider.
Originally published: Wednesday, September 1, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Meet RackNerd: The Best VoIP Cloud Bargain on the Planet
We continue to scour the Internet for the best bargains to host Incredible PBX 2021 in the Cloud. When the annual cost drops to $1 a month, you would be crazy not to move your PBX to a cloud-based solution. And, yes, we eat our own dog food. We have four VPS offerings from RackNerd that are scattered across the United States in Chicago, Atlanta, New York, and Seattle. Over the past year, inflation has set in. For new signups, the price has increased a whopping dollar to $12.00 per year. Renewals remain the same as your original cost.
What’s the catch? Nothing really other than you have to handle backing up your platform as no backup or snapshot option is offered with the service at this price point. Performance is not a problem. SpeedTest reports 547 Mbit/s downloads and 462 Mbit/sec uploads on our most recent install. Here’s the signup link. Dare to Compare:
Installing Incredible PBX 2021 with Debian 10. Installing Incredible PBX 2021 is a breeze. Simply signup for a Debian 10 VPS at RackNerd and wait a minute or two for your credentials to arrive. Then follow the steps in the latest Incredible PBX 2021 tutorial. You’ll be up and running in less than 15 minutes.
For more VoIP Cloud Provider Alternatives, go here or visit the Incredible PBX Wiki.
Originally published: Monday, August 23, 2021 Updated: Sunday, October 24, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Morphing Incredible PBX into a PUBLIC-Facing Cloud PBX
We’ve previously documented how to change Incredible PBX 2021 and Incredible PBX 2020 into PUBLIC-facing PBXs. What that means is that authorized users could still connect to your PBX regardless of where they may be located without having to worry about whitelisting IP addresses. To suggest that the procedure was convoluted is a bit of an understatement. So today we offer a simplified solution that you can deploy in a couple of minutes. It lacks some of the safeguards of the earlier releases, but it remains secure so long as you don’t employ a readily decipherable FQDN for your PBX. The idea here is to block communications access to your PBX using its public IP address and allow access by those that know the fully-qualified domain name (FQDN) of your PBX. You can also restrict the extensions that are accessible. And SSH access to your PBX will be protected by assigning a random port number or by requiring public key authentication for access.
Prerequisites. To get started, you’ll obviously need a cloud-based Incredible PBX 2020 or 2021 platform running CentOS 7, Debian 10, or Raspbian. Next, you’ll need these items:
- Public IP Address of your server
- FQDN linked to the public IP address
- Random SSH port for SSH access to PBX
- List of secure extensions to enable for SIP URI access
- IP Addresses to WhiteList for Access to the Web GUI
1. Deciphering Public IP Address of Your PBX
After logging into your PBX as root, you can execute pbxstatus to decipher the public IP address of the PBX.
2. Obtaining an FQDN for Your PBX
Security through obscurity provides the critical layer of protection for your server so choose an FQDN carefully. sip.yourname.com provides little protection while f246g.yourname.com pretty much assures that nobody is going to guess your domain name. This is particularly important with SIP registrations because registered extensions on your PBX can obviously make phone calls that cost you money. If you don’t have your own domain, you can always obtain a free hostname from a service such as NoIP.com.
3. Securing SSH Access to Your PBX
Whatever you do, don’t leave SSH access via port 22 exposed on your PBX. In the time it took to create a new PBX on CloudAtCost, there were over 400 attempted logins to the default SSH port of the new server. The simplest (but least secure) method to avoid these script kiddie attacks is to change the port number for SSH access to your server. We suggest using the year you were born as the port number because it’s easy to remember. Edit /etc/ssh/sshd_config and uncomment the Port line replacing 22 with the port number you chose. Then restart SSH: systemctl restart sshd.
The preferable solution to secure SSH is to create and use SSH keys for access and set PasswordAuthentication no in /etc/ssh/sshd_config. Digital Ocean has an excellent tutorial to walk you through the setup process.
4. Choosing Extensions for SIP URI Public Access
With today’s PUBLIC design, exposing an extension for PUBLIC access means anyone in the world that knows the FQDN of your server and the extension number can do two things using any SIP client: (1) they can call you and (2) they can attempt to register to that extension and make calls on your trunks AND your nickel. So only expose extensions for public access if there is a need to connect or call from remote locations. For extensions you decide to expose, make certain that the passwords for these extensions are extremely secure, lengthy, and use numbers with both UPPER and lower case letters. Never use default extension passwords!
5. Whitelisting IP Addresses for Public Web Access
Without enumerating IP addresses for public web access, you won’t be able to connect to the web GUI of your PBX. Down the road, if you wish to add additional IP addresses, you can use /root/add-ip to add them via SSH.
Deploying New PUBLIC Firewall
To get started, log into your server as root and issue the following commands:
cd /tmp wget http://incrediblepbx.com/newpublic.tar.gz tar zxvf newpublic.tar.gz rm -f newpublic.tar.gz
Next, edit /tmp/iptables.base and change the highlighted entries:
Change port 22 in the dport entry to the SSH port number you chose in Step 3, above.
Change 8.8.8.8, 8.8.4.4., and 1.1.1.1 to actual public IP addresses of desktop machines you wish to use to access the web GUI of your PBX. If you don’t need three entries, comment out the other entries with # at the beginning of each line.
Replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.
Save the file.
On Debian and Raspbian platforms, issue the following commands:
cd /etc/iptables cp /tmp/iptables.base . mv rules.v4 rules.v4.orig cp iptables.base rules.v4
On CentOS platforms, issue the following commands:
cd /etc/sysconfig cp /tmp/iptables.base . mv iptables iptables.orig cp iptables.base iptables
Using Incredible PBX PUBLIC with Asterisk
The first line of defense with this PUBLIC implementation is your FQDN. Second is the IPtables firewall setup above. And third is the Asterisk® extensions configuration in extensions_override_freepbx.conf. Here’s how to configure it. Edit /tmp/extensions_override_freepbx.base and change the highlighted entries:
If there are phone numbers assigned to your PBX that you want processed according to your Inbound Routing rules, duplicate the first highlighted line above and, for each trunk, replace 8881234567 with your actual DID numbers.
In exten => _.,1 line, replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.
In exten => _.,10 line, replace your-servers-FQDN with the actual FQDN assigned to your PBX from Step 2, above.
Scroll down in the file to the following section:
Comment out undesired default extensions. Place a semicolon at the beginning of the lines.
For any extensions you wish to add, insert a new line in the following format replacing both 7000 entries with the desired extension number:
exten => 7000,13,Dial(local/7000@from-internal)
Save the file and then execute the following commands to complete the PUBLIC setup:
cd /etc/asterisk cp /tmp/extensions_override_freepbx.base . mv extensions_override_freepbx.conf extensions_override_freepbx.orig cp extensions_override_freepbx.base extensions_override_freepbx.conf fwconsole restart asterisk -rx "dialplan reload" iptables-restart sed -i 's|-A INPUT|-I INPUT|' /root/add-ip sed -i 's|-A INPUT|-I INPUT|' /root/add-fqdn
Calling an Incredible PBX PUBLIC Extension
Any extensions that you have whitelisted in the blue section above can be called from anywhere using any SIP client. Simply enter the SIP URI for the extension in the following format: SIP/extension@your-servers-FQDN
CAUTION: If a caller attempts to call any extension on your PUBLIC server from an extension on another Asterisk server to which the caller is registered, the call will fail if there is a matching extension number on the PUBLIC server and the two servers are not registered to each other. So remember to use unique extension numbers on your PUBLIC server if you expect callers from other Asterisk servers.
Registering Incredible PBX PUBLIC Extension
If you wish to login to a whitelisted extension using a SIP client, enter the extension and password of the extension. For the server address, enter the FQDN of your server. If it’s a PJsip extension, add :5061 to the end of the FQDN.
Switching Back to Incredible PBX Default
Should you change your mind and decide to switch back to the default Incredible PBX setup, it’s simple to do so. Here are the steps.
sed -i 's|Port|#Port|' /etc/ssh/sshd_config cd /etc/asterisk cp -p extensions_override_freepbx.orig extensions_override_freepbx.conf cd /root cd /etc/sysconfig cp -p iptables.orig iptables cd /root cd /etc/iptables cp -p rules.v4.orig rules.v4 asterisk -rx "dialplan reload" iptables-restart systemctl restart sshd
Originally published: Monday, August 16, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Amazon’s Alexa Now Available for Incredible PBX
Loyal readers already know that voice recognition applications occupy a special place in the Incredible PBX® toolchest. Over 8 years ago, we introduced Wolfram Alpha integrating the world’s largest almanac into Asterisk®. And today we’re pleased to add Amazon’s Alexa to the Incredible PBX fold for our latest Incredible PBX 2021 for Debian, Raspberry Pi and CentOS 7 builds. Just dial 5555 and tell Alexa what you’d like to know or do. If you’ve been sleeping under a rock these past few years, Alexa provides not only a thesaurus but also current news and weather, cooking tips and recipes, calendars, movie showtimes and data, Amazon purchasing, shopping lists, reminders, maps, music.everything, home automation control to turn on your lights, lock your doors and adjust your thermostat, sports scores and scheduling, grocery shopping, and almost anything else you can imagine asking for. And our special tip of the hat goes to Russell Grokett for his creativity in bringing the Alexa platform to the Asterisk community. Here’s a simple graphic showing the call flow in a typical Alexa call from any SIP phone connected to Incredible PBX:
Before we get started, let me offer a few words of caution. You’ll need to be a careful reader and follow the instructions below carefully to get Alexa working. Amazon uses OAuth 2 authentication which is secure (and tedious) by design. The good news is you only have to go through this setup exercise once after which Alexa will be available at any time without further tweaking. We’ve made some changes in Russell Grokett’s original design to hopefully simplify the OAuth procedure and to adjust some of the configuration to correctly interface with newer releases of the open source components including sox which handles the audio translations between Asterisk and Alexa. All of the code is licensed pursuant to GNU GPLv3.
Prerequisites. Before you begin, you’ll need a working Incredible PBX 2020 platform running CentOS 7, or Incredible PBX 2021 running Debian 10, or the latest Incredible PBX release for Raspbian preferably running on a Raspberry Pi 4 with at least 2GB of RAM.
Overview. There are four steps in today’s installation procedure. First, we will download and install a number of open source components on Incredible PBX by running a simple script. Second, you’ll need to sign up for both an Amazon account if you don’t already have one AND an Amazon Developer Account. Third, we’ll create an Alexa Voice Service application and set up the Alexa Security Profile for the application. Finally, using the credentials obtained during this setup process, we’ll configure the components on your PBX to talk to Alexa. Be advised that the Amazon license we will be using authorizes only private, non-commercial use. Today’s design does not meet Amazon’s terms for commercial and/or public use!
1. Installing Alexa Basics for Incredible PBX
Log into your server as root and issue the following commands to download and install the basic components to support Alexa integration into Incredible PBX:
cd / wget http://incrediblepbx.com/incredible-alexa.tar.gz tar zxvf incredible-alexa.tar.gz rm -f incredible-alexa.tar.gz ./install-alexa
2. Creating an Amazon and Amazon Developer Account
If you don’t already have one, you can create an Amazon account at amazon.com. Write down your email address and password. You’ll need them in the following steps. Next, navigate to the Amazon Developer Portal and set up a free account using your Amazon credentials.
3. Creating Voice Service Application & Security Profile
After creating your Amazon developer account, we’re ready to create a product and security profile. Begin by logging into the AVS Dashboard. Click GET STARTED to begin.
Click PRODUCTS. Then click ADD NEW PRODUCT. Fill in form as shown below. Click NEXT.
- Product Name: IncrediblePBX
- Product ID: IncrediblePBX
- Product Type: Application with Alexa built-in
- Product Category: Communications
- Brief Product Description: Alexa for Incredible PBX
- User Interaction: Hands-free
- Distribute Commercially: NO
- Children’s Product: NO
In LWA Security Profile dialog, click CREATE NEW PROFILE. Fill in template. Then NEXT.
- Security Profile Name: IncrediblePBX
- Security Profile Description: Incredible PBX security profile
In the second LWA Security Profile dialog, copy your Security Profile ID, Client ID, and Client Secret to a text file so that you can use them in the following steps.
In the Allowed return URLs field, create two entries clicking ADD button after entering each:
- http://localhost
- https://actual-Incredible-PBX-IP-address:5000/code
Check the I Agree checkbox and then click FINISH.
Your Product should now appear as successfully configured in Alexa Voice Service overview.
Next, navigate to: https://developer.amazon.com/lwa/sp/overview.html.
Click Select a Security Profile and choose your IncrediblePBX profile. Click CONFIRM.
In the Consent Screen dialog, enter the following and then click SAVE.
- Consent Privacy Notice URL: http://dummyurl.com
- Consent Logo Image: leave blank
Verify your ClientID and Secret that you wrote down above.
Cut-and-paste the following as a single line of code into your favorite text editor. Or you can simply edit /root/Alexa-URL which contains the same code.
https://www.amazon.com/ap/oa?client_id=YOURCLIENTID&scope=alexa%3Aall&scope_data=%7B%22alexa%3Aall%22%3A%7B%22productID%22%3A%22IncrediblePBX%22,%22productInstanceAttributes%22%3A%7B%22deviceSerialNumber%22%3A%2212345%22%7D%7D%7D&response_type=code&redirect_uri=http%3A%2F%2Flocalhost
Replace YOURCLIENTID in the above code substituting your actual Alexa Client ID.
Next, select the entire block of code that now includes your actual Client ID and paste it into the Address URL of your favorite browser. You should be prompted for your Amazon user credentials. Once you sign in, click ALLOW. You then should see an Unable to Connect error message. This is fine. What we actually need is the Token which now is shown immediately after code= in the Address URL of your browser. Copy everything after code= up to the &.
http://localhost/?code=YOURTOKEN&scope=alexa%3Aall
With YOURTOKEN, Client ID, and Client Secret in hand, proceed to the next section.
4. Activating Alexa in Incredible PBX
Log into Incredible PBX as root and navigate to the /root directory. Make a copy of grant-token.sh in case you make a mistake. Now edit grant_token.sh. Replace YOURTOKEN with your actual Token. Replace YOURCLIENTID with your actual Alexa Client ID. Replace YOURCLIENTSECRET with your actual Alexa Client Secret. Save the file and then run the script: ./grant_token.sh
.
The script will return a JSON message that includes both an access_token and a refresh_token. It will be a very long single string that you should cut-and-paste and save for a rainy day. The string can be parsed in an editor so that it looks something like this:
Access tokens expire every hour, but this refresh token never expires. We’ll use the refresh token to generate a new access token whenever Alexa is run from an Asterisk extension. So cut-and-paste the very long refresh_token and save it with your Client ID and Client Secret.
Next, change to the /var/lib/asterisk/agi-bin directory and make a copy of token.pl in case you make a mistake. Then edit token.pl and scroll to the my $post line (line 16). Replace YOUR_REFRESH_TOKEN with the refresh_token from above. Replace YOUR_CLIENT_ID with your actual Client ID. And replace YOUR_CLIENT_SECRET with your Client Secret.
Save the file.
TIP: If you decide to install Alexa on more than one of your PBXs, the setup process only takes a couple minutes. Complete Step #1 as documented above. Then copy the my $post line from token.pl that includes your credentials and replace the my $post line of token.pl script in your second PBX. Done.
Now you’re ready to try things out. From the command line, issue the command: ./token.pl
List the results like this: cat /tmp/token.resp
There should be no errors and the results should look something like this:
IMPORTANT: Don’t forget this step or future queries from Asterisk will fail since our test generated files with root permissions only: rm -f /tmp/token*
Now we’re all set to use Alexa from your PBX. From an extension on your PBX, dial 5555. When prompted, say "What’s the weather for today?" After receiving the response from Alexa, you can either hang up or say another query.
We’ve documented some Alexa queries and skills in this thread on the VoIP-Info.org Forum.
If you have problems getting all the pieces to work, check over the steps again. You may also wish to consult the original documentation. Ignore references to differing file locations.
Republished: Tuesday, August 3, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.