
Category Archives: Ubuntu/Debian


VoIP Security: Installing SSL Certificates with Incredible PBX

We’ve got some revolutionary VoIP projects coming your way over the next several weeks, but I’m sorry to say the hardest part of them is getting your server configured to use secure and encrypted web communications via HTTPS. This is quickly becoming a universal requirement of most of the major technology players. So what might not be the most glamorous VoIP topic for a Monday morning is not only necessary but long overdue. The good news is that obtaining, installing, configuring, and maintaining an SSL certificate for your VoIP server is not the royal pain that it once was. And, by this time next week, you’ll be glad you went through the exercise. Thankfully, the EFF’s Certbot project is available to assist in installing free certificates from Let’s Encrypt.

Before we begin, here’s a word to the wise. You will save yourself a thousand headaches by deploying your Incredible PBX server in the cloud where you get a dedicated IP address and can easily assign a fully-qualified domain name (FQDN) to your server. Options now are available for as little as $1.50 to $3.50/month including Vultr which provides an incredibly reliable platform in many cities for as little as $2.50 a month. And another 50¢ buys you weekly image backups without lifting a finger. They can be restored with one click! If reliability and redundancy matter, you can’t beat Vultr’s price or the feature set, and we have tutorials to get you started with either Wazo or Issabel. If cost is your sole criterion, you can’t beat WootHosting at $1.50 a month. You’ll find a tutorial here. If performance is critical, you can’t beat OVH at $3.50/month with a Wazo tutorial here and an Issabel tutorial here. Finally, if you’re technically challenged, our corporate sponsor, RentPBX, will do all of the cloud migration for you and provide a turnkey, high performance VoIP platform for just $15/month. So what are you waiting for? Now’s the time. No excuses! It’s not going to get any cheaper or more reliable. And next week you’ll be thanking us. For these reasons, we’re saying goodbye to our home-based servers sitting behind NAT-based firewalls. With the projects coming down the pike, the mountain is just too steep to continue that trek unless you have the technical expertise to pull it off yourself.

Obtaining and Installing an SSL Certificate

For CentOS 6 running Incredible PBX 13 or CentOS 7 running Incredible PBX for Issabel 4, begin by making certain that you can access your site using its FQDN with HTTP, e.g. http://myserver.mydomain.org. Get that working first. Next, log into your server as root using SSH/Putty and issue the following commands:

yum -y install python-devel python-pip python-setuptools python-virtualenv --enablerepo=epel
yum -y install centos-release-scl
yum -y install python27
scl enable python27 bash
pip -V # should show python 2.7
pip install --upgrade pip
pip install requests registry urllib3 pyOpenSSL --force --upgrade
pip install certbot-apache --force --upgrade
cd /root
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
service iptables stop
./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d FQDN.here
iptables-restart
service httpd restart
exit

During the automated setup, you can decide whether to force all web traffic to the secure site. We recommend it. Once the install finishes, test access to your server by going to your FQDN using HTTPS. Don’t continue with the setup until you get HTTPS working and your browser shows you have a SECURE site! Remember that you must renew your free certificate every 90 days by using the following /root/certbot-update script:

#!/bin/bash
# /root/certbot-update: renew the Let's Encrypt certificate on CentOS.
# certbot-auto lives in /root, so always run from there no matter where the script is invoked.
cd /root
echo "Before you begin, type: scl enable python27 bash"
echo "Then rerun this update script and press ENTER."
read -p "If you already have done so, press Enter. Otherwise, Ctrl-C now"
# The webroot challenge needs inbound HTTP, so the firewall is opened only for the renewal.
service iptables stop
./certbot-auto --authenticator webroot --installer apache -w /var/www/html -d FQDN.here
iptables-restart
echo "Type exit when this script completes."
exit

For Debian 8 running Incredible PBX for Wazo, things are a bit more complicated because Wazo forces HTTPS access even though you do not yet have a certificate for your FQDN. Because of its NGINX web server platform, with Wazo you’ll have to manually install and configure certificates with certbot and LetsEncrypt. The silver lining with Wazo is HTTPS access gets you a WebRTC phone with a couple button clicks. Go to this link, click on the Config wheel (bottom right), click on the Pencil icon and plug in the FQDN of your server. Click SAVE. Enter your login name as 701 and the password assigned to the extension which you can obtain by running: /root/show-701-pw. That’s probably the quickest phone setup you’ll ever find. But we’re getting ahead of ourselves…

1. Let’s get certbot installed. Login to your server as root using SSH or Putty and issue the following commands:

cd /etc/apt
echo "deb http://ftp.debian.org/debian jessie-backports main" >>  sources.list
apt-get update
apt-get install certbot -t jessie-backports

2. Temporarily, turn off HTTPS since the certificate install requires HTTP access. In /etc/nginx/sites-enabled/xivo, comment out these 3 lines and save the updated file:

In server section for port 80:
 #   include /etc/nginx/locations/http-enabled/*;
In server section for port 443:
 #   listen 443 default_server;
 #   server_name $domain;

Then restart the web server: /etc/init.d/nginx restart. Now you have a basic http web server. If you want to verify that it’s working, use a browser and go to http://YOUR-FQDN/asteridex4/index.php. It should download the file to your desktop which isn’t desirable, but this is only temporary.

3. In /var/www/html, issue the following commands:

cd /var/www/html
mkdir .well-known
cd .well-known
mkdir acme-challenge
cd acme-challenge
chown -R asterisk:www-data /var/www/html/.well-known

Leave this SSH/Putty session running temporarily and open a second SSH/Putty connection to your server logging in as root.

4. Disable your firewall temporarily: /etc/init.d/netfilter-persistent flush

5. Start the certbot installation script: certbot certonly --manual

6. You’ll be prompted for the FQDN of your server to generate the certificates. Then you’ll be given an oddball name AND an expected oddball response. With these two entries in hand, temporarily switch back to your other SSH session and issue these commands while positioned in /var/www/html/.well-known/acme-challenge:

mkdir ODDBALL-NAME
cd ODDBALL-NAME
echo "ODDBALL-RESPONSE" > index.html
chown -R asterisk:www-data /var/www/html/.well-known

7. Use a browser to (quickly) go to http://YOUR-FQDN/.well-known/acme-challenge/ODDBALL-NAME/ and be sure your web server displays the expected ODDBALL-RESPONSE. You’ve got to get this working before you continue with the certbot install or it will fail. You only have a few minutes to do this before certbot will change the ODDBALL-NAME and ODDBALL-RESPONSE credentials. 3 consecutive failures and you have to wait an hour to try again. Guess how we know?

8. Once you get the expected response, switch back to your SSH session running the certbot installer and press ENTER to continue with the certificate install. When it completes, you’ll get a congratulatory note and a reminder that, in less than 90 days, you’ll need to run certbot renew to update your certificate.

9. Install the new certificates in NGINX and put things back together again:

cd /etc/nginx/sites-enabled
nano -w xivo

10. Begin by removing the 3 # signs that we inserted to get HTTP working in step #2.

11. Near the bottom of the file, comment out these existing certificate lines:

#    ssl_certificate /usr/share/xivo-certs/server.crt;
#    ssl_certificate_key /usr/share/xivo-certs/server.key;
#    ssl_ciphers ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:!SEED:+HIGH:+MEDIUM;

12. Add the following new lines just below the lines you commented out. Be sure to replace YOUR.FQDN in each line with the actual FQDN of your server:

    ssl_certificate /etc/letsencrypt/live/YOUR.FQDN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR.FQDN/privkey.pem;
    ssl_ciphers HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA;

13. Save the file and then restart your firewall and NGINX:

iptables-restart
/etc/init.d/nginx restart

14. Edit /etc/apt/sources.list and comment out the jessie-backports line from step #1.

15. Reload your aptitude sources: apt-get update

16. Remember that you must renew your free certificate every 90 days by issuing this command: certbot renew --quiet.

Better yet, issue the following command to set up a cron job to auto-renew your certificate every week:

echo "5 3 * * 0 root /usr/bin/certbot renew --quiet > /dev/null 2>&1" >> /etc/crontab

17. Test things out with a web browser by visiting your FQDN. Your browser should now show the site as SECURE.

18. Now try out that new WebRTC phone.
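Steps 6 and 7 are the time-critical part of the procedure, so here is a small POSIX shell helper, added for this page and not part of the Nerd Vittles article or the Wazo/Incredible PBX scripts, that writes the challenge response under the webroot from step 3 and checks what the web server actually serves before you press ENTER in the certbot session. It assumes curl is installed; the chown runs only when the asterisk user exists on the machine.

```sh
# place_challenge WEBROOT ODDBALL-NAME ODDBALL-RESPONSE
# Creates /var/www/html/.well-known/acme-challenge/ODDBALL-NAME/index.html
# (webroot is a parameter so it can be exercised on any directory).
place_challenge() {
    webroot="$1"; name="$2"; response="$3"
    dir="$webroot/.well-known/acme-challenge/$name"
    mkdir -p "$dir"
    # printf instead of echo: no trailing newline, and no chance of the
    # redirect ending up inside the quotes.
    printf '%s' "$response" > "$dir/index.html"
    # Same ownership the article uses; only possible where the user exists.
    if id asterisk >/dev/null 2>&1; then
        chown -R asterisk:www-data "$webroot/.well-known"
    fi
}

# stored_response WEBROOT ODDBALL-NAME: read back what was written to disk.
stored_response() {
    cat "$1/.well-known/acme-challenge/$2/index.html"
}

# served_response FQDN ODDBALL-NAME: fetch the challenge the way the CA does
# (no trailing slash; -L follows NGINX's redirect to the directory index).
served_response() {
    curl -fsSL "http://$1/.well-known/acme-challenge/$2"
}

# verify_challenge FQDN ODDBALL-NAME ODDBALL-RESPONSE
# Returns 0 only when the served body matches exactly, so a typo never
# costs you one of the three attempts before the hour-long lockout.
verify_challenge() {
    got="$(served_response "$1" "$2")" || { echo "fetch failed" >&2; return 1; }
    if [ "$got" = "$3" ]; then
        echo "OK: challenge for $2 is being served"
    else
        echo "MISMATCH: got '$got', expected '$3'" >&2
        return 1
    fi
}

# Typical use on the PBX (values come from the certbot prompt):
#   place_challenge /var/www/html ODDBALL-NAME ODDBALL-RESPONSE
#   verify_challenge YOUR-FQDN ODDBALL-NAME ODDBALL-RESPONSE && echo "press ENTER in certbot"
```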

Published: Monday, September 25, 2017  



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




RTPbleed Security Alert: Asterisk Calls Can Be Intercepted


If you’ve installed Asterisk® during the past 4½ years, your server has a MAJOR security problem. If you didn’t already know, with Asterisk, your VoIP conversations actually are carried over a random UDP port using the Real Time Protocol (RTP), not the SIP port (UDP 5060) which handles the setup and teardown of your VoIP connections. It turns out that, since March 2013, all of that RTP traffic and thus your conversations could be intercepted and redirected by anyone on the Internet. As this recent article in The Register noted:

The problem occurs when [communications] systems like IP telephony have to get past network address translation (NAT) firewalls. The traffic has to find its way from the firewall’s public IP address to the internal address of the device or server, and to do that, RTP learns the IP and port addresses to associate with a call.

The problem is, the process doesn’t use any kind of authentication.

This is exacerbated by the fact that, by default, Asterisk and FreePBX® traditionally use the NAT=yes setting (whether needed or not) to enable this navigational magic just in case your calls need it. Without it, you may end up with no audio or one-way audio on your calls. Traditional wisdom was that an attacker needed to be positioned between the caller and the Asterisk server in order to intercept this media stream. As luck would have it, it turns out the man in the middle didn’t need to be in the middle after all. He could be anywhere on the Internet. The old adage to talk on the phone as if someone else were listening turns out to have been pretty good advice in the case of Asterisk communications. Even if you had a firewall, chances are you protected UDP port 5060 while exposing and forwarding UDP 10000-20000 to Asterisk without any safeguards.

According to last week’s Asterisk advisory, “To exploit this issue, an attacker needs to send RTP packets to the Asterisk server on one of the ports allocated to receive RTP. When the target is vulnerable, the RTP proxy responds back to the attacker with RTP packets relayed from the other party. The payload of the RTP packets can then be decoded into audio.” Specifically, if UDP ports 10000-20000 are publicly exposed to the Internet, anybody and everybody can intercept your communications without credentials of any kind. WOW!

So, there’s a patch to fix this, right? Well, not exactly:

Note that as for the time of writing, the official Asterisk fix is vulnerable to a race condition. An attacker may continuously spray an Asterisk server with RTP packets. This allows the attacker to send RTP within those first few packets and still exploit this vulnerability.

The other recommended "solutions" aren’t much better:

  • When possible the nat=yes option should be avoided
  • To protect against RTP injection, encrypt media streams with SRTP
  • Add config option for SIP peers to prioritize RTP packets

The nat=no option doesn’t work if you or your provider employs NAT-based routers. The SRTP option only works on more recent releases of Asterisk, and it also requires SRTP support on every SIP phone. Prioritizing RTP packets is not a task for mere mortals.

Surprisingly, the one solution that is not even mentioned is hardening your firewall to block incoming UDP 10000-20000 traffic that originates outside your server. Our recognized SIP expert on the PIAF Forum had the simple solution. Bill Simon observed:

If the SDP in the INVITE or subsequent re-INVITE contains routable IP addresses, then use them for media. If the SDP contains non-routable IP addresses, then the client is behind a NAT and not using any NAT traversal techniques like SIP ALG, ICE/STUN, so send to the originating IP. Why are we making allowances here for media to come from anywhere? I think you can probably clamp down your firewall as much as you want, because symmetric RTP should allow media to get through by way of establishing an outbound stream (inbound stream comes back on the same path).

Our testing confirms that simply blocking incoming RTP traffic on your firewall solves the problem without any Asterisk patch. In short, RTP traffic cannot originate from anonymous sources on the Internet.

For those using Incredible PBX® or Travelin’ Man 3 or an IPtables firewall, the fix is easy. Simply remove or comment out the INPUT rule that looks like this and restart IPtables:

-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

On RedHat/CentOS servers, the rule is in /etc/sysconfig/iptables. On Debian/Ubuntu and Raspbian servers, you’ll find the rule in /etc/iptables/rules.v4. On Incredible PBX for Issabel servers, you’ll find the rule in /usr/local/sbin/iptables-custom. On all Incredible PBX platforms, remember to restart IPtables using only this command: iptables-restart.
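To check whether a server still carries the wide-open rule before and after the fix, here is a POSIX shell audit added for this page (it is not part of Incredible PBX or Travelin’ Man 3). It reads an iptables-save style file such as /etc/iptables/rules.v4 and reports INPUT rules that accept UDP 10000:20000 from any source; the sample rules file is constructed inline, and treating a rule with a specific -s source (a whitelisted peer) as acceptable is an assumption.

```sh
# Constructed sample in /etc/iptables/rules.v4 format (not a real server's rules).
# The RELATED,ESTABLISHED rule is what lets replies to Asterisk's own outbound
# RTP (symmetric RTP) back in once the blanket ACCEPT is gone.
SAMPLE_RULES="$(mktemp)"
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
EOF

# audit_rtp_rules FILE: print every INPUT rule that accepts the RTP range
# from anywhere on the Internet.
audit_rtp_rules() {
    rules_file="$1"
    while IFS= read -r line; do
        case "$line" in
            "-A INPUT "*) ;;
            *) continue ;;
        esac
        # Only UDP rules accepting the 10000:20000 range are of interest.
        case "$line" in
            *"-p udp"*"--dport 10000:20000"*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *" -s 0.0.0.0/0 "*|*" -s 0/0 "*) ;;   # "any" source is still wide open
            *" -s "*) continue ;;                  # restricted to a known peer
        esac
        echo "$line"
    done < "$rules_file"
    return 0
}

# rtp_exposed FILE: "yes" if the RTP range is open to the world, else "no".
rtp_exposed() {
    if [ -n "$(audit_rtp_rules "$1")" ]; then echo yes; else echo no; fi
}

# count_open_rtp_rules FILE: number of offending rules.
count_open_rtp_rules() {
    audit_rtp_rules "$1" | wc -l | tr -d ' '
}

# Usage on a live box: audit_rtp_rules /etc/iptables/rules.v4
echo "RTP exposed in sample: $(rtp_exposed "$SAMPLE_RULES")"
audit_rtp_rules "$SAMPLE_RULES"
```

Run it against the file for your platform named above, delete the reported line, and run iptables-restart; the whitelisted-peer rule in the sample is left alone on purpose.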

Published: Friday, September 8, 2017  




A VPN for All Seasons: Introducing NeoRouter v2

Today, we want to revisit our favorite client-server VPN, NeoRouter. It’s included with all versions of Incredible PBX® and eases the pain of setting up air-tight firewalls as well as High Availability (HA) redundant servers with VoIP. NeoRouter relies upon a central server and uses a star topology to connect remote nodes. The major difference between NeoRouter and PPTP VPNs is that only registered devices participate in the virtual private network so there is no direct access to other machines on the LANs of the registered devices. If you have servers or users scattered all over the countryside, NeoRouter is an excellent (and free) way to manage and interconnect them. All data and communications between the nodes can then be routed through the encrypted VPN tunnel for rock-solid security.

With NeoRouter’s latest 2.3 (free) software, you can set up your VPN server using a PC, a Mac, a Linux or FreeBSD machine, OpenWrt Backfire, Tomato, or even a Raspberry Pi. With all versions of Incredible PBX, the NeoRouter Free Client is automatically installed. To bring up NeoRouter, all you need to do is install the NeoRouter Free Server on one of your machines and then login to the server from each NeoRouter Client using your server credentials. VPN clients also are available for PCs, Macs, Linux and FreeBSD machines, Raspberry Pi, OpenWrt, Tomato as well as Android and iOS phones and tablets. There’s even an HTML5 web application in addition to a Chrome browser plug-in. With the OpenWrt and Tomato devices or if you’re an extreme techie, you can broaden your NeoRouter star configuration and bridge remote LANs. See pp. 58-63 of the NeoRouter User’s Manual.



You can interconnect up to 256 devices to the NeoRouter Free Server at no cost. For $999, you can enlarge your VPN to support 1,000 devices. Screen sharing, remote desktop connections, HTTP, and SSH access all work transparently using private IP addresses of the VPN nodes which are automatically assigned in the 10.0.0.0 private network.

Today we are introducing the second generation of the NeoRouter VPN solution. It’s suitable for use on a dedicated server or running as a virtual machine. Whether to run NeoRouter Free server on a dedicated machine is your call. We never do. And NeoRouter never requires exposure of your entire server to the Internet. Only a single TCP port needs to be opened in your hardware-based firewall or IPtables Linux firewall. The only real requirement is a dedicated IP address for your server so that the client nodes can always find the mothership. We typically run the NeoRouter server component on our failover VoIP server with Wazo HA. We’ll finish up today by showing you how to back up the critical components of NeoRouter Server so that, if your server platform ever should fail, it only takes a few minutes to get back in business on a new server platform. Let’s get started.

Creating Your NeoRouter Server Platform

We’re assuming you already have an Incredible PBX server of some flavor running on a dedicated IP address with the IPtables firewall. If not, start there.

First, on your IPtables firewall, make certain that TCP port 32976 has been whitelisted for public access. On Incredible PBX platforms, this is automatic. You can double-check by running iptables -nL and searching for an entry that looks like this:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:32976

Second, we need to download and install the NeoRouter Free Server for your platform. Be sure you choose the version that matches your operating system, CPU architecture, and type. Debian and Ubuntu servers use the same code. We do not recommend Raspberry Pi as a suitable platform for your NeoRouter server!

For RedHat/CentOS 64-bit platforms, here’s the download link. While logged into your server as root, issue the following command using the downloaded 64-bit RPM:

rpm -Uvh nrserver-2.3.1.4360-free-centos-x86_64.rpm

For Ubuntu/Debian 64-bit platforms, use this link. While logged into your server as root, issue the following command using the downloaded 64-bit .deb image:

dpkg -i nrserver-2.3.1.4360-free-ubuntu-amd64.deb

Third, each administrator (admin) and user is going to need a username to access your NeoRouter VPN. You can use the same credentials to log in from multiple client machines, something you may or may not want to do. Here are the commands to create admin and user accounts. Don’t use any special characters in the username and password!

nrserver -adduser username password admin
nrserver -adduser username password user

You’re done. Now let’s register your NeoRouter server with the mothership.

After your NeoRouter Free Server is installed, you can optionally go to the NeoRouter web site and register your new VPN by clicking Create Standalone Domain. Make up a name you can easily remember with no periods or spaces. You’ll be prompted for the IP address of your server in the second screen. FQDNs are NOT permitted.

When a VPN client attempts to login to your server, the server address is always checked against this NeoRouter database first before any attempt is made to resolve an IP address or FQDN using DNS. If no matching entry is found, it will register directly to your server using a DNS lookup of the FQDN. Whether to register your VPN is totally up to you. Logins obviously occur quicker using this registered VPN name, but logins won’t happen at all if your server’s dynamic IP address changes and you’ve hard-coded a different IP address into your registration at neorouter.com.

Configuring and Connecting Your NeoRouter Client

As mentioned previously, there are NeoRouter clients available for almost every platform imaginable, including iPhones, iPads, and our beloved Raspberry Pi. NeoRouter Client software is included in all Incredible PBX builds. If you’re using some other platform, Step #1 is to download whatever client is appropriate to meet your requirements. Here’s the NeoRouter Download Link. Make sure you choose a client for the Free version of NeoRouter. Obviously, the computing platform needs to match your client device. The clients can be installed in the traditional way with Windows machines, Macs, etc. Once enabled, you can use your NeoRouter Client to create a VPN tunnel to connect to any other resource in your virtual private network using SSH, VoIP clients, and web browsers.

To activate the NeoRouter client while logged in as root, type: nrclientcmd. You’ll be prompted for your Domain, Username, and Password. You can use the registered domain name from neorouter.com if you completed that step above. Otherwise, be sure to use the FQDN assigned to your NeoRouter Server. Once you’re logged in, you will be presented with the names and private IP addresses of all of your connected nodes.

To exit from NeoRouter Explorer, type: quit. The NeoRouter client will continue to run so you can use the displayed private IP addresses to connect to any other online devices in your NeoRouter VPN. All traffic from connections to devices in the 10.0.0.0 network will flow through NeoRouter’s encrypted VPN tunnel. This includes inter-office SIP and IAX communications between Asterisk® endpoints. These private IP addresses can also be used to create a High Availability (HA) platform with Wazo even if the servers are not colocated.

Administrative Tools to Manage NeoRouter

Here are a few helpful commands for monitoring and managing your NeoRouter VPN.

Browser access to NeoRouter Configuration Explorer (requires user with Admin privileges)

Browser access to NeoRouter Remote Access Client (user with Admin or User privileges)

Manage your account on line at this link

To access your NeoRouter Linux client: nrclientcmd

To restart NeoRouter Linux client: /etc/rc.d/init.d/nrservice.sh restart

To restart NeoRouter Linux server: /etc/rc.d/init.d/nrserver.sh restart

To set domain: nrserver -setdomain YOUR-VPN-NAME domainpassword

For a list of client devices: nrserver -showcomputers

For a list of existing user accounts: nrserver -showusers

For the settings of your NeoRouter VPN: nrserver -showsettings

To add a user account: nrserver -adduser username password user

To add admin account: nrserver -adduser username password admin

Test VPN access: http://www.neorouter.com/checkport.php

For a complete list of commands: nrserver --help

To change client name from default pbx.local: rename-server OR…

  • Edit /etc/hosts
  • Edit /etc/sysconfig/network
  • Edit /etc/sysconfig/network-scripts/ifcfg-eth0
  • Edit /etc/asterisk/vm_general.inc
  • reboot

For the latest NeoRouter happenings, visit the NeoRouter blog and forum.

Backing Up NeoRouter Server for That Rainy Day

Yes, servers fail sooner or later. So it’s best to plan ahead and avoid having to recreate your NeoRouter VPN from scratch. Backing up your server is easy. Log into your server as root and issue the following command:

tar cvzf nr-server-db.tar.gz /usr/local/ZebraNetworkSystems/NeoRouter/NeoRouter_0_0_1.db /usr/local/ZebraNetworkSystems/NeoRouter/Feature.ini

Copy nr-server-db.tar.gz and your NeoRouter Server installer to a safe place!

When that sad day arrives, be sure that your original NeoRouter Server is off line. Then reinstall NeoRouter Server on a new server platform using your original NeoRouter Server installer. If necessary, change the DNS entry for your original NeoRouter server to the new IP address. Then shut down the new NeoRouter Server, load your backup, and restart the server:

/etc/rc.d/init.d/nrserver.sh stop
cd /
tar zxvf nr-server-db.tar.gz
/etc/rc.d/init.d/nrserver.sh start

Published: Monday, August 21, 2017  




Twofer Tuesday: $1.50 Cloud Bargains for VoIP Deployments

We’ve been big fans of $5/month VPS offerings of Digital Ocean and Vultr for many years. When Vultr reduced their lowest tier to $2.50/month, we were ecstatic. These weren’t ideal VoIP platforms because of their 512MB memory constraint, but they were perfectly suitable as a sandbox for experimentation. And then along came OVH with a 2GB VPS that was nearly perfect for VoIP at $3.49/month. As we all know, the Earth does not stand still, and WootHosting now has once again changed the landscape with two different $1.50/month offerings that include 2GB of RAM. That’s cheaper than the cost of electricity to run a server in your home or office. Never mind that you also have to purchase a server.

As most of you know, we eat our own dog food before recommending products, and we’ve deployed both the Wazo and Issabel PBXs on the WootHosting platform being reviewed today. In addition, we’ve deployed a multi-purpose web server to host more than a dozen of our personal sites using an even better second offering that we also will cover today.

The first offering (pictured above) actually provides a platform for two separate VoIP servers. For each of the servers, you have a choice of sites: New York, Miami, or Los Angeles. Why would you want two servers? The most obvious answer is redundancy. Wazo already offers High Availability (HA) redundant servers with the click of a button. Our deployment tutorial is available here. By deploying identical servers in two cities, you have a failsafe VoIP platform that can survive almost any natural or man-made disaster. And the total cost for both cloud servers is just $3 a month. A similar implementation for other Incredible PBX platforms is now under development on the PIAF Forum. Compare these free options to HA solutions from other VoIP providers costing $3,000 plus maintenance.

If a New York-based cloud offering will meet your needs, the second WootHosting offer is even more impressive with 4 CPU core allocations, 2GB RAM and swap space, a whopping 150GB of storage, 3TB of monthly bandwidth, and advanced DDOS protection for $1.50/mo.:



As we mentioned, we actually use this second VPS offering to host more than a dozen of our personal web sites without a hiccup. But it is sufficiently robust to host very large VoIP implementations with support for dozens of simultaneous calls. A deployment guide for Wazo is available here. As with all cloud-based servers, we strongly recommend redundant system deployments in separate locations. Additional WootHosting specials in their various locations are documented on the New York ordering page. Enjoy!

Published: Tuesday, August 15, 2017  



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 


Choosing the Best (free) PBX for SOHO Deployments




When it comes to choices in free PBXs, times have indeed changed. A decade ago your options went something like this. There was Asterisk@Home or Asterisk@Home. Then along came trixbox® and Elastix® and PBX in a Flash™ and AsteriskNOW®. What remained constant throughout this evolution was the underlying Asterisk® platform. With the exception of Digium’s offering, the remaining products all included the FreePBX® GUI. Then came a whole new way of looking at things with FreeSWITCH®. Another morphing occurred when the FreePBX developers introduced their own distribution which bundled free software with a collection of commercial demoware, better known as NagWare. Along the way we introduced Incredible PBX™ which let you choose an underlying platform and then an installer preconfigured the entire PBX together with dozens of applications. We also discovered an open source sleeper called XiVO that morphed into Wazo. It wasn’t long until commercial companies discovered that there might be gold in them hills. Sangoma® purchased FreePBX and 3CX acquired PBX in a Flash and Elastix. Digium’s AsteriskNOW product morphed into a rebranded FreePBX Distro®. Another popular commercial company that had been around the Asterisk community for more than a decade was Xorcom, and in 2016, they introduced their own freeware PBX called Ombutel. Another well-respected commercial provider, 3CX, quickly followed suit and introduced a collection of freeware PBXs [1] including PBX in a Flash 5, Elastix 5, and a free edition of its popular 3CX UC platform running under Debian. Whew! What a ride it has been. But now what?

We’ve gone from rags to riches, but how do you sort out which solution is best for you? I’m reminded of some advice my dad gave me when I was trying to choose a college to attend. He said, "Make yourself a list of what’s important to you, and then rank each school from 1 to 10 on each of those criteria. Add up the columns, and there’s your answer." I would offer you the same advice in choosing a PBX. So let’s start with our list of 10 criteria in no particular order that should be considered in choosing a PBX. Then we’ll drill down on each of these and provide some tips on what to consider when you develop your own scorecard.

  1. Reputation of the Provider
  2. Reliability of the Product
  3. Feature Set
  4. Security
  5. Performance
  6. Redundancy
  7. Ease of Deployment
  8. Ease of Use
  9. Support Availability
  10. Long-Term Cost

A couple other factors will weigh into your ratings. First, your own level of expertise matters. And, second, the intended use for your PBX is critically important. If you’re deploying a PBX in your home where the only Happy Campers have to be you and the Little Mrs., that’s obviously a different use case than a business that relies upon telephones for its livelihood. If you have 30 years of telephony and networking experience, that makes some of these criteria less important than others. You can adjust your ratings scale accordingly or simply remove the criteria that don’t matter in your particular situation.

1. Reputation of the Provider

Depending upon whether you’ve chosen an open source PBX and your own level of expertise, the reputation of the provider matters. And, for those that aren’t do-it-yourselfers, the reputation of the installer or reseller is also important. There’s a reason that people pay big bucks for Cisco phone systems. Provider reputation becomes even more significant if you’re installing a closed source system and there’s a risk that the vendor won’t be around in a couple of years. If, on the other hand, you’re choosing a free PBX as a sandbox to learn about telephony, then provider reputation is obviously less important than some of the other factors. One of the real beauties of the Internet is that it’s easy to obtain information on and customer ratings of providers. So do your homework!

2. Reliability of the Product

Forums such as the PIAF Forum and DSL Reports provide a limitless supply of information about PBX offerings. Take the time to read user comments about their experience with the various offerings. Most of the free PBX products we’ve listed above have been around for many years, but that doesn’t always tell you everything you need to know. Visit the provider’s own forum so you can see for yourself what problems are being reported by their own users. If there are dozens of postings about bugs and non-working components with no proffered solutions, that’s usually a pretty good hint to start looking elsewhere.

3. Feature Set

Whenever we provide consulting services to companies, the first thing we do is ask everyone in the organization to provide a list of the top 10 features they need in an ideal phone system. You then can take that survey and match it against available offerings for free and commercial PBXs. If 90% of your users travel and need their smartphones integrated into the company’s PBX, that’s important. If your organization depends upon incoming phone calls for 90% of your new business, then deployment of a PBX that never hands out busy signals is critical. If IVRs need to be integrated into your existing corporate databases to check availability of product without employee intervention, then write it down as a "must have." You get the idea. Figure out what really matters to everyone that will actually be using phones connected to your PBX. Then find the offerings that are the best fit insofar as features are concerned.

4. Security

The last thing anyone wants to see is a whopping phone bill because some creep on the other side of the globe managed to make expensive calls on your nickel. Do all the research that time permits to discover which phone systems have a history of security breaches. Does the phone system you are considering have its own firewall? Is it self-configured or are you on your own? Will you need to hire a consultant just to keep your phone system secure? What’s your budget for security mistakes? A PBX isn’t free if you get an unexpected $100,000 phone bill. Visit the forums including the forums of the providers you are considering and look for any mentions of security breaches, hacking, and bugs related to software vulnerabilities. Google is your friend as well. Search for the name of the PBX you’re considering together with the word "vulnerability" and see how long a list you receive. Last, but not least, visit CVE Details and look up the scorecard of your vendor and product. One final consideration worth mentioning is the procedure required to update the PBX when security vulnerabilities are discovered. Is it a manual upgrade process or is it automatic when you log into your server? Do you have to keep abreast of security developments by regularly visiting some web site or are the alerts prominently displayed on the admin interface whenever you log into your PBX? Are you responsible for keeping the underlying operating system vulnerabilities patched or does your vendor handle that as well? Suffice it to say, you get what you pay for when it comes to a secure PBX. Do your homework and decide whether a free PBX really is the best choice for your situation.

5. Performance

There’s a big difference in a phone system for a home or SOHO deployment with a handful of phones versus a small business PBX with dozens of phones and hundreds or thousands of calls every day. Lots of external factors weigh into the actual performance you will see with any given phone system. For VoIP-based PBXs, your calls are only as good as your Internet connection and the ability of your server to handle the workload. Whether you plan to deploy your PBX on local hardware or in the Cloud also impacts performance. There are cloud providers and cloud providers. Some put you on an overloaded shared server to maximize profits while others (such as our own advertiser, RentPBX) carefully monitor the time slice that every PBX receives to assure reliable PBX performance all the time. As we’ve previously noted, you get what you pay for. Don’t expect a Cloud at Cost server for which you paid a one-time fee to provide the same level of performance and phone quality as a dedicated server or a provider such as RentPBX. Our best advice is to try your desired platform with your desired PBX. You’ll know quickly whether the combination will meet your performance requirements.

6. Redundancy

If your business depends upon reliable telephone calls, redundancy would be a requirement at the top of our list. How long can your business go without incoming or outgoing phone service? Do you have a dedicated administrator on staff? Does your support provider offer 24/7 assistance? Answers to those questions will narrow down your options. With a dedicated administrator on site and a hot standby server, you probably have all the redundancy you need unless criticality is judged in minutes. In the latter case, a High Availability failover system may be what you need. You can spend thousands of dollars on software and hardware to achieve an acceptable level of High Availability. What is your budget? Luckily, Wazo is a free alternative that also includes free HA support. All you need is a second server which could be a second hardware device on site or a Cloud-based server at minimal cost. We’ve documented the Wazo HA setup procedure here if you want to evaluate whether it will meet your requirements.

7. Ease of Deployment

Determining the ease with which you can deploy a new server is obviously subjective and depends upon your skill set, the expertise of others in your organization, and the complexity of the system you will be deploying. Bringing up and configuring the various systems is the only way you’re going to get an accurate picture of what’s involved. If you will be relying upon a vendor to perform the heavy lifting, then get some references and start making calls to judge the satisfaction level of similarly situated customers. Then ask yourself what the likelihood is that your vendor will still be around five years down the road. Is there a competitor that could step in and perform the same tasks? Are your available choices limited to telephone support or are on site services available to assist with or perform setup and configuration tasks? Be sure to get an accurate estimate of the overall cost of deployment including server and telephone configuration as well as staff training.

8. Ease of Use

Nothing holds a candle to letting employees at all levels in your organization actually use the system you’ve chosen before you purchase it. Particularly with a phone system, a free evaluation period is worth its weight in gold. The beauty of a free PBX is you can install it and kick the tires to your heart’s content. To end users, the ease of use determination is pretty simple. There’s a phone sitting on the desk. Does it do what I need it to do to get my job done?

9. Support Availability

There are three kinds of support: in-house, free, and paid. If you have in-house staff to manage and support your PBX, this criterion may be less important to you. If not, then the free and paid options are important. We have tens of thousands of administrators who have relied upon the PIAF Forum for support over the years. With the latest PBXs that have been around for a very long time, that’s probably all you need if you have made backups and have a recovery plan or a redundant system. As for paid support, the sky’s the limit quite literally. Telephone support does not equal on-site support. If your business demands 24×7 phone service, then choose a support option that can make that happen.

10. Long-Term Cost

Last, but not least, is factoring in the overall cost of your phone system. Just because your PBX may be free, it doesn’t mean that add-ons and software maintenance and support are. Do the math and figure out what the long-term cost actually is to get the feature set and support level that your business requires. It may very well turn out that $395 a year for a fully-supported commercial PBX such as our corporate sponsor’s 3CX PBX may be a downright bargain compared to a free PBX for which you’d easily spend that much with a single call for commercial support. Do the math before you jump feet first into the free fire.

Originally published: Monday, May 8, 2017


SECURITY ALERT: The Sangoma® Portal reportedly has been compromised. According to Sangoma’s Chief Operating Officer, customers’ root passwords were stored on Sangoma servers as a favor to customers to facilitate future support access by Sangoma staff. That procedure now has been discontinued. Although not acknowledged, the root passwords were apparently stored in unencrypted format unbeknownst to customers. More than a dozen customers have since reported their servers were compromised using their own root credentials. Sangoma maintains there is a "theoretical possibility" that their portal was the culprit although the COO indicates that they have been unable to find any evidence of an intrusion. Rootkit appears to be a word missing from the Sangoma lexicon. If you do business with Sangoma through their web portal, you are well advised to check your server immediately to determine if your PBX also has been compromised. Full details regarding breach detection and a link to Sangoma’s response are available on the PIAF Forum. If your server has been hacked, prudence would dictate rebuilding your server from the ground up. There was no mention whether Sangoma did the same after a previous unauthorized intrusion. As this incident reinforces, attempting to patch a compromised server is extremely risky.




[1] Don’t confuse a free PBX with Sangoma’s FreePBX® GUI. The former means a truly free PBX. The latter is a code generator for Asterisk that commingles free components with commercial nagware for which you have to pay registration fees before use and maintenance fees annually after purchase.

IBM’s Speech Recognition Engine Comes to Asterisk



Eight years ago, we introduced transcription for Asterisk® voicemail messages. When the messages were delivered by email, you got both a recording and the transcribed text courtesy of Google. As with most things Google, the licensing terms changed regularly and voicemail transcription became more convoluted until it became next to worthless. Today we begin our new exploration of IBM’s Watson Developer Cloud. It offers a rich collection of services at unbelievably low price points. We’re kicking things off by introducing a better Speech-to-Text (STT) solution with IBM’s Bluemix. The STT API performs better than any speech recognition engine in the world. And you won’t have to worry about Google breaking our middleware every month. On the Lite plan, up to 100 minutes per month are free. Or you can opt for the Standard pay-as-you-go plan for 2¢ per minute and let your customers yack all they like. That works out to $1.20 an hour which still is pretty cheap secretarial help. In coming weeks, we will introduce IBM’s Text-to-Speech (TTS) offering and Lisa. Up to a million characters of TTS service monthly are free. Here’s a sample to give you a taste of the voice quality:

[Embedded SoundCloud audio sample: https://api.soundcloud.com/tracks/312693441]

NOV. 1 UPDATE: IBM has moved the goal posts effective December 1, 2018:

For new deployments, your API Username will be apikey, and your API Password will be your actual APIkey.

Overview. What we’ve done today is integrate the STT Bluemix API directly into existing Asterisk voicemail systems. We started with Nicolas Bernaerts’ terrific sendmailmp3 script. It works on both the Wazo and FreePBX® platforms. If you have deployed Incredible PBX, then the setup takes a couple of minutes. For everyone else, there’s an additional configuration step using your favorite GUI. To get started, you’ll sign up for a Bluemix account and obtain your credentials. Next, you download today’s script for your platform and insert your credentials. Finally, you set up voicemail on the extensions desired and insert an email address for each voicemail account. On generic FreePBX systems, you’ll need to add the name of our script to manage your voicemail recordings.

What About the Quality? Here’s the bottom line. Speech recognition isn’t all that useful if it fails miserably in recognizing everyday speech. The good news is that IBM Watson’s speech recognition engine is now the best in the business. If you want more details, read the article below which will walk you through IBM’s latest speech recognition breakthrough:


Creating an IBM Bluemix Speech to Text Account

Follow this link to set up your IBM account and obtain credentials for both Speech to Text (STT) and Text to Speech (TTS) services. Please note that your STT and TTS API keys will NOT be the same. So don’t accidentally use the wrong one.
 

Installing STT Engine with Incredible PBX for Wazo

1. After logging into your Incredible PBX for Wazo server as root using SSH/Putty:

cd /usr/sbin
wget http://incrediblepbx.com/sendmailibm.tar.gz
tar zxvf sendmailibm.tar.gz
rm -f sendmailibm.tar.gz

2. Edit sendmailibm and insert Bluemix STT credentials on lines 29 and 30. Save the file.

3. Edit bluemix-test and insert Bluemix STT credentials on first two lines. Save the file.

4. Copy the updated sendmailibm file to sendmail:

cd /usr/sbin
cp -p sendmailibm sendmail

5. Test your Bluemix STT setup: bluemix-test

6. Result should be: please record your message after the beep

7. Set up voicemail account for a Wazo extension with your email address.

8. Place a test call to the extension and record a voicemail when prompted.

9. Your message will be transcribed and delivered via email.

 

Installing STT Engine with Incredible PBX for RasPi

1. After logging into your Raspberry Pi server as root using SSH/Putty:

cd /usr/sbin
wget http://incrediblepbx.com/sendmailibm-raspi.tar.gz
tar zxvf sendmailibm-raspi.tar.gz
rm -f sendmailibm-raspi.tar.gz

2. Edit sendmailmp3.ibm and insert Bluemix STT credentials on lines 28 and 29. Save file.

3. Edit bluemix-test and insert Bluemix STT credentials on first two lines. Save the file.

4. Copy the updated sendmailmp3.ibm file to sendmailmp3:

cd /usr/sbin
cp -p sendmailmp3.ibm sendmailmp3

5. Test your Bluemix STT setup: bluemix-test

6. Result should be: your dictation is now being processed and emailed please wait

7. Set up voicemail for a RasPi extension with your email address.

8. Place a test call to the extension and record a voicemail when prompted.

9. Your message will be transcribed and delivered via email.

 

Installing STT Engine with Incredible PBX 13

1. After logging into your Incredible PBX 13 server as root using SSH/Putty:

cd /usr/local/sbin
wget http://incrediblepbx.com/sendmailibm-13.tar.gz
tar zxvf sendmailibm-13.tar.gz
rm -f sendmailibm-13.tar.gz

2. Edit sendmailmp3.ibm and insert Bluemix STT credentials on lines 28 and 29. Save file.

3. Edit bluemix-test and insert Bluemix STT credentials on first two lines. Save the file.

4. Copy the updated sendmailmp3.ibm file to sendmailmp3:

cd /usr/local/sbin
cp -p sendmailmp3.ibm sendmailmp3

5. Test your Bluemix STT setup: bluemix-test

6. Result should be: we are now transferring you out of the company directory…

7. Set up voicemail for an extension and include your email address.

8. Place a test call to the extension and record a voicemail when prompted.

9. Your message will be transcribed and delivered via email.

 

Installing STT Engine with Legacy FreePBX® Servers

1. Follow steps #1 through #7 from the Incredible PBX 13 tutorial above.

2. Choose Settings -> Voicemail Admin -> Settings in the GUI.

3. In the format field, insert: wav|wav49

4. In the mailcmd field, insert: /usr/local/sbin/sendmailmp3

5. Click Submit to save your settings and then Reload the FreePBX Dialplan.

6. Place a test call to the extension and record a voicemail when prompted.

7. Your message will be transcribed and delivered via email.

Update: Matt Darnell reports that, depending upon your existing setup, you may need to add the unix2dos and lame packages with legacy FreePBX servers to get MP3 messages delivered correctly.
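To make concrete what the mailcmd hook in the procedures above has to do, here is an added example written in Python; it is not the page’s sendmailibm/sendmailmp3 bash script. It reads the voicemail notification Asterisk pipes to stdin, posts the attached recording to Watson’s /v1/recognize endpoint using the post-December-2018 "apikey" credential scheme, prepends the transcript to the body and hands the mail to the real sendmail. The credential file path, the service URL it holds and the sample e-mail are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Asterisk voicemail mailcmd hook: read the notification e-mail Asterisk
pipes to stdin, send the attached recording to IBM Watson Speech to Text,
prepend the transcript to the body and hand the result to sendmail.
Credentials come from a file readable only by the asterisk user rather than
from lines inside the script; the file path is a hypothetical choice."""
import base64
import json
import subprocess
import sys
import urllib.request
from email import message_from_bytes, policy
from email.message import EmailMessage

CREDENTIAL_FILE = "/etc/asterisk/watson-stt.conf"  # hypothetical: URL, then key
SENDMAIL = "/usr/sbin/sendmail"                      # the real MTA binary

def load_credentials(path=CREDENTIAL_FILE):
    """Return (service_url, api_key) from the two non-empty lines of the file."""
    with open(path, encoding="utf-8") as fh:
        lines = [ln.strip() for ln in fh if ln.strip()]
    return lines[0], lines[1]

def basic_auth_header(api_key):
    """IBM's scheme since Dec 2018: user 'apikey', password = the API key."""
    token = base64.b64encode(f"apikey:{api_key}".encode()).decode()
    return f"Basic {token}"

def extract_recording(msg):
    """Return the first audio/* MIME part of the voicemail e-mail, or None."""
    for part in msg.walk():
        if part.get_content_maintype() == "audio":
            return part
    return None

def join_transcript(result):
    """Join the top alternative of each result in a /v1/recognize response."""
    pieces = []
    for res in result.get("results", []):
        alts = res.get("alternatives") or []
        text = alts[0].get("transcript", "").strip() if alts else ""
        if text:
            pieces.append(text)
    return " ".join(pieces)

def transcribe(audio, content_type, url, api_key, timeout=60):
    """POST the recording to Watson STT and return the joined transcript."""
    req = urllib.request.Request(
        url.rstrip("/") + "/v1/recognize", data=audio, method="POST",
        headers={"Content-Type": content_type,
                 "Authorization": basic_auth_header(api_key)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return join_transcript(json.load(resp))

def add_transcript(msg, transcript):
    """New message: same addressing headers, transcript prepended to the
    plain-text body, original recording re-attached unchanged."""
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name] is not None:
            out[name] = str(msg[name])
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    out.set_content(f"Transcription:\n{transcript or '[unavailable]'}\n\n{text}")
    rec = extract_recording(msg)
    if rec is not None:
        maintype, subtype = rec.get_content_type().split("/", 1)
        out.add_attachment(rec.get_payload(decode=True), maintype=maintype,
                           subtype=subtype,
                           filename=rec.get_filename() or "voicemail.wav")
    return out

# Constructed sample: a voicemail notification carrying a fake 16-byte "WAV".
SAMPLE_AUDIO = b"RIFF\x08\x00\x00\x00WAVEfmt "

def build_sample_email():
    """Return a parsed message shaped like Asterisk's voicemail notification."""
    m = EmailMessage()
    m["From"], m["To"] = "Asterisk PBX <pbx@example.invalid>", "user@example.invalid"
    m["Subject"] = "New message 1 in mailbox 701"
    m.set_content("Dear User:\n\nThere is a new voicemail in mailbox 701.\n")
    m.add_attachment(SAMPLE_AUDIO, maintype="audio", subtype="x-wav",
                     filename="msg0000.wav")
    return message_from_bytes(m.as_bytes(), policy=policy.default)

def main():
    msg = message_from_bytes(sys.stdin.buffer.read(), policy=policy.default)
    transcript, rec = "", extract_recording(msg)
    if rec is not None:
        try:
            url, key = load_credentials()
            transcript = transcribe(rec.get_payload(decode=True),
                                    rec.get_content_type(), url, key)
        except Exception as exc:  # never lose the voicemail because STT failed
            transcript = f"[transcription failed: {type(exc).__name__}]"
    out = add_transcript(msg, transcript)
    subprocess.run([SENDMAIL, "-t", "-oi"], input=out.as_bytes(), check=False)

if __name__ == "__main__":
    main()
```

Point the voicemail mailcmd setting at this file and keep the credential file mode 0600, owned by the user Asterisk runs as, so the API key is neither world-readable nor sitting inside a script in /usr/sbin.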

 

Originally published: Monday, March 20, 2017






VoIPtopia 2017: Choosing the Best, Free VoIP Platform




Once a year we like to step back and survey the latest and greatest VoIP developments for the coming year. And 2016 was certainly filled with surprises including the release of free versions of 3CX sporting the PIAF5 and Elastix 5.0 monikers. That, in turn, produced a wave of FUD from our friends at Sangoma® urging users to return to their open source roots. But guess what? Sangoma was pitching their FreePBX Distro®, another closed source product just like 3CX. Sure, the Sangoma distro has open source components… just like 3CX and your car for that matter. But it’s disingenuous to diss other products because they’re closed source platforms when yours is too. So today we want to cut through the sales pitches and compare apples to apples while offering our Elastix friends this New Year’s Day Resolution:

Ignore the Hype! Look Before You Leap and Avoid Jumping from the Kettle into the Fire.


NEWS FLASH: For PIAF3 and Incredible PBX users who have registered on the PIAF Forum, you’ll be getting an invitation to upgrade to the 8-simultaneous-call 3CX commercial platform at no cost. In addition to unlimited extensions, this one-year license adds unlimited SIP trunks and gateways, 10-participant conferencing, G.729 support, custom FQDNs, BLF support, Call Parking, Call Queueing, Call Pickup, Call Recordings and Management, Call Reporting, Intercom/Paging, remote 3CX bridging support, as well as an integrated fax server and Office 365 and Microsoft Outlook integration. If you haven’t already joined the PIAF Forum, there’s still time. But you’d better hurry.

Choosing a VoIP platform is partially a subjective decision, but there also are some glaring red flags to consider. We suggest you begin by deciding whether your preferences include any must-haves. Do your requirements mandate an open source solution? Do you need text-to-speech and voice recognition? Does the platform have to include Asterisk®, or are you open to alternatives? Does the operating system have to be Linux-based and, if so, must it be CentOS, Debian, or Ubuntu? If you’ll be using SIP phones, must the platform include phone provisioning software for your phones, or is the ability to purchase it as an add-on sufficient? Is paid support important in making your platform decision, and how much are you prepared to pay? Are automatic or pain-free software updates critical in making your selection? Is migration from an existing platform a factor? Does a preconfigured, secure firewall matter, or are you prepared to do it yourself or take your chances? Before choosing to ignore security, read last month’s RIPS analysis of FreePBX®. Here’s a snippet from the article. Read it carefully. It’s your phone bill.

Since FreePBX is written completely in PHP, we decided to throw it into our code analysis tool RIPS. The results were more than surprising…

The total amount of detected vulnerabilities is very high. Luckily, the majority of the detected vulnerabilities are inside the administration control panel, such that attackers either need to steal a valid account or they have to trick an administrator into visiting a malicious website that triggers one of the critical vulnerabilities. For example, a remote command execution vulnerability could be triggered by a less critical cross-site scripting vulnerability. By chaining both vulnerabilities, the severity is increased drastically and can lead to full server compromise.

In choosing which platforms to include today, we eliminated platforms which we considered too complicated for the average new user to configure. We also eliminated any platform that did not offer at least a free tier of service with a reasonably complete feature set as part of their offering. If we’ve inadvertently missed one of your favorites, please feel free to leave a comment, and we will consider including it as well. Happy Hunting!

VoIP Platform Feature Summary

Aggregation: FreePBX Distro a.k.a. AsteriskNOW
License: Closed Source
VoIP Platform: Asterisk 13/14
GUI: FreePBX GPL and Commercial modules
O/S: CentOS-clone
Phone Provisioning: Open Source (minimal) or Commercial
Text-to-Speech/Voice Recognition: Optional/No
Software Updates: Manual
Migration Tools: Yes
Security: Fail2Ban + User-Configured Firewall
Security Rating (as delivered): see above
Comments: Extensive commercial NagWare preinstalled

Aggregation: Incredible PBX for Wazo
License: GPL3 Open Source
VoIP Platform: Asterisk 14 RealTime
GUI: Wazo GPL3 modules
O/S: Debian 8
Phone Provisioning: Extensive Open Source
Text-to-Speech/Voice Recognition: Yes/Yes
Software Updates: Automatic or 2-minute Manual
Migration Tools: No
Security: Fail2Ban + Preconfigured Firewall
Security Rating (as delivered): Secure WhiteList
Comments: High Availability & Call Center GPL3 Modules

Aggregation: Ombutel
License: Closed Source
VoIP Platform: Asterisk 13
GUI: Ombutel with external module support
O/S: Debian 8
Phone Provisioning: Closed Source
Text-to-Speech/Voice Recognition: No/No
Software Updates: Manual
Migration Tools: No
Security: Fail2Ban + Do-It-Yourself Firewall
Security Rating (as delivered): Insecure

Aggregation: PIAF5 powered by 3CX
License: Closed Source
VoIP Platform: 3CX
GUI: 3CX
O/S: Debian 8
Phone Provisioning: Extensive Closed Source
Text-to-Speech/Voice Recognition: No/No
Software Updates: Semi-Automatic
Migration Tools: Yes
Security: Fail2Ban + Preconfigured Firewall
Security Rating (as delivered): Secure
Comments: Free upgrade provides unlimited SIP trunks with 8 simultaneous calls

Aggregation: Elastix 5.0 powered by 3CX
License: Closed Source
VoIP Platform: 3CX
GUI: 3CX
O/S: Debian 8
Phone Provisioning: Extensive Closed Source
Software Updates: Semi-Automatic
Migration Tools: Yes
Security: Fail2Ban + Preconfigured Firewall
Security Rating (as delivered): Secure
Comments: Free version limited to one SIP trunk & 8 simultaneous calls

Aggregation: Incredible PBX 3
License: GPL2 Open Source
VoIP Platform: Asterisk 13
GUI: FreePBX GPL modules only
O/S: CentOS 6/7, Ubuntu 14, or Raspbian 8
Phone Provisioning: Open Source (minimal)
Text-to-Speech/Voice Recognition: Yes/Yes
Software Updates: Automatic
Migration Tools: Yes
Security: Fail2Ban + Preconfigured Firewall
Security Rating (as delivered): Secure WhiteList
Comments: Module signature verification disabled [1]

Aggregation: Elastix 4.0
License: Open Source GPL
VoIP Platform: Asterisk 13
O/S: CentOS 7
Phone Provisioning: Open Source
Text-to-Speech/Voice Recognition: No/No
Software Updates: Semi-Automatic
Migration Tools: No
Security: Fail2Ban + Unconfigured Firewall
Security Rating (as delivered): Insecure
Comments: Currently unavailable but fork announced

Aggregation: PIAF3
License: Open Source GPL with Closed Source Installer
VoIP Platform: Asterisk 11/13
O/S: CentOS 6
Phone Provisioning: Open Source (minimal)
Text-to-Speech/Voice Recognition: No/No
Software Updates: Manual
Migration Tools: No
Security: Fail2Ban + Unconfigured Firewall
Security Rating (as delivered): Insecure
Comments: No longer maintained

Published: Sunday, January 1, 2017



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




[1] See the RIPStech article explaining why FreePBX module signature verification is a very dangerous methodology.

Taking a Fresh Look at the Asterisk, FreePBX, and Incredible PBX Security Models

About once a year, we try to shine the spotlight on Asterisk® security in hopes of saving lots of organizations and individuals a little bit (or a lot) of money. In light of last week’s major security lapse in the Asterisk® dialplan of those using FreePBX® since the Asterisk@Home days, now seemed like a good time for a review. As we’ve noted before, the problem with open source phone systems is they’re open source phone systems. So the bad guys can figure out how they work just like the good guys. Unfortunately, some of the bad guys are paying particular attention to Asterisk and FreePBX so it behooves all of us to remain vigilant and patch vulnerabilities quickly. The FreePBX Devs have done an admirable job in responding quickly to this issue.

Last week’s vulnerability involves the call transfer methodology that has been incorporated into FreePBX-based Asterisk servers for at least a decade. In a nutshell, it allows an internal or outside caller or called party to transfer a call using touchtones instead of a dedicated transfer button or hook flash. ## performs a blind transfer while *2 sets up an attended transfer where the person transferring the call can actually talk to the transfer recipient before executing the call transfer. Some of our foreign friends used this *2 methodology to initiate calls to Asterisk servers and then to transfer those calls to expensive destinations while the other party to the call listened to music on hold. Worse yet, it could be performed within an answering IVR on some servers so the administrator never knew the call transfer took place other than reviewing the call detail records. As with some previous vulnerabilities, this one had lain dormant since the inception of call transfer technology in Asterisk. The default settings in FreePBX permitted outside calling or called parties to initiate transfers using these feature codes. We’re reminded of a similar vulnerability that used to exist in many Asterisk voicemail systems that allowed callers to dialout to another number from within the voicemail system.
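The pattern described above leaves a fingerprint in the call detail records: an outbound Dial leg whose calling channel is a trunk rather than an extension. As an added example (not code from this article, from FreePBX, or from Incredible PBX), here is a Python check that reads an Asterisk Master.csv export and flags trunk-to-trunk bridges and international numbers dialed from a trunk channel. The trunk names in TRUNK_NAMES and the three sample records are constructed for the example; substitute the trunk names configured on your own server.

```python
import csv
import io
import re

# Column order written by Asterisk's cdr_csv module (Master.csv).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# ASSUMPTION: these are the trunk names configured in FreePBX on the box being
# audited. Asterisk channel names look like "SIP/<peer>-<8 hex digits>", where
# <peer> is either a trunk name or an extension number.
TRUNK_NAMES = {"vitelity-inbound", "vitelity-outbound", "voipms"}
CHANNEL_RE = re.compile(r"^(?:SIP|PJSIP|IAX2)/(.+)-[0-9a-f]{8}$")
# Dial strings that leave the country from a NANP server: 011 or 00 prefix.
INTL_RE = re.compile(r"^(?:011|00)\d{7,}$")


def peer_name(channel):
    """'SIP/701-00000011' -> '701'; None if the channel name is not recognised."""
    m = CHANNEL_RE.match(channel)
    return m.group(1) if m else None


def is_trunk_channel(channel):
    return peer_name(channel) in TRUNK_NAMES


def parse_cdr(text):
    """Parse Master.csv text into a list of dicts; malformed lines are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(CDR_FIELDS):
            continue
        rows.append(dict(zip(CDR_FIELDS, rec)))
    return rows


def flag_suspicious(rows):
    """Return (row, reasons) for every Dial leg that bridges trunk to trunk, or that
    dials an international number from a channel that arrived on a trunk. A *2 or ##
    transfer performed by an outside party shows up as exactly this: the outside
    caller's trunk channel has become the A-leg of an outbound Dial."""
    flagged = []
    for r in rows:
        if r["lastapp"] != "Dial":
            continue
        reasons = []
        src_is_trunk = is_trunk_channel(r["channel"])
        if src_is_trunk and is_trunk_channel(r["dstchannel"]):
            reasons.append("trunk-to-trunk bridge")
        if src_is_trunk and INTL_RE.match(r["dst"]):
            reasons.append("international destination dialed by trunk caller")
        if reasons:
            flagged.append((r, reasons))
    return flagged


def total_billsec(flagged):
    """Billable seconds on flagged legs: the size of the surprise phone bill."""
    return sum(int(r["billsec"]) for r, _ in flagged)


# Constructed sample CDR (not from a real system). Row 1: normal inbound call to
# extension 701. Row 2: normal outbound call placed by 701. Row 3: the fraud case,
# an inbound caller who used *2 to transfer themselves to a UK number at 2 a.m.
SAMPLE_CDR = '''"","2125551212","701","from-trunk","""JOHN"" <2125551212>","SIP/vitelity-inbound-00000010","SIP/701-00000011","Dial","SIP/701,20,tr","2016-04-11 09:00:01","2016-04-11 09:00:05","2016-04-11 09:03:15",194,190,"ANSWERED","DOCUMENTATION","1460365201.16",""
"","701","12125551212","from-internal","""Front Desk"" <701>","SIP/701-00000012","SIP/vitelity-outbound-00000013","Dial","SIP/vitelity-outbound/12125551212,300,","2016-04-11 09:10:00","2016-04-11 09:10:04","2016-04-11 09:12:00",120,116,"ANSWERED","DOCUMENTATION","1460365800.18",""
"","2125551212","011442071234567","from-internal","""JOHN"" <2125551212>","SIP/vitelity-inbound-00000014","SIP/vitelity-outbound-00000015","Dial","SIP/vitelity-outbound/011442071234567,300,","2016-04-11 02:13:00","2016-04-11 02:13:07","2016-04-11 03:58:07",6307,6300,"ANSWERED","DOCUMENTATION","1460340780.20",""
'''

if __name__ == "__main__":
    hits = flag_suspicious(parse_cdr(SAMPLE_CDR))
    for row, why in hits:
        print(row["start"], row["src"], "->", row["dst"], row["billsec"], "s:", "; ".join(why))
    print("billable seconds on flagged legs:", total_billsec(hits))
```

Run it against /var/log/asterisk/cdr-csv/Master.csv (or a nightly copy) from cron and mail yourself the output; a single trunk-to-trunk hit outside business hours is worth a phone call to your provider before the invoice arrives.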

We hope to persuade you today that allowing transfer of calls using touch tones is a very bad idea to begin with. Even when you don’t get a surprise phone bill, it often results in unanticipated consequences such as depicted in this video shared on DSL Reports:


https://youtu.be/bnMVebywX6Y

Here’s how you can protect any server that uses all or some of the FreePBX GUI. First, be aware that the FreePBX developers are working on a rewrite of the Core component in versions 13 and 12. The fix would limit use of this technology to those on the internal side of a PBX. In other words, remote callers would be blocked from calling into an Asterisk server and transferring themselves to a phone on a cruise ship sailing in the Indian Ocean. In the meantime, the following commands will patch things up. They work because the touchtone transfer features only fire on a call leg whose Dial() command carries the t or T option: t lets the called party transfer the call, T lets the calling party transfer it, and r merely plays ringback. Setting DIAL_OPTIONS to tr means that on calls to extensions only the internal extension that was called can transfer, and emptying TRUNK_OPTIONS removes touchtone transfers from the outbound trunk leg entirely, so an outside party at either end of a trunk call can no longer transfer it. The price is that internal users lose *2 and ## on calls they place out a trunk; the transfer button on a SIP phone still works because it uses SIP signaling rather than Dial() options.

# Calls to extensions: 't' (called party may transfer) plus 'r' (ringback)
# passw0rd is the Incredible PBX default MySQL root password; substitute yours if you changed it
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
# Outbound trunk leg: no transfer options at all
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
# Regenerate the dialplan and reload Asterisk (amportal admin reload)
amportal a r

For those using Incredible PBX™, the Automatic Update Utility will patch your server the next time you log in as root.

Olle Johansson has been one of the primary movers and shakers when it comes to educating folks on Asterisk security and inspiring developers to do a better job designing these systems. If you didn’t attend AstriCon 2013 and haven’t watched the Security Master Class, put these videos on your Bucket List. They’re all free and well worth your time.

When we began building out Incredible PBX on other platforms several years ago, we decided it was an opportune time to revisit our Asterisk security model and make it as bullet-proof as possible given the number of people now deploying Asterisk servers in the cloud. As a practical matter, there are no hardware-based firewalls to protect you with many of the cloud-based systems. So you literally live or die based upon the strength of your own software-based security model.

As in the past, security is all about layers of protection. A bundle of sticks is harder to break than a single stick. There now are Incredible PBX builds for CentOS, Scientific Linux, Ubuntu 14, and the latest Raspbian 8 for the Raspberry Pi 2 and 3. All of these releases include the new Incredible PBX security model. Here’s how it works…

The 7 Security Layers include the following, and we will go into the details below:

  1. Preconfigured IPtables Linux Firewall
  2. Preconfigured Travelin’ Man 3 WhiteLists
  3. Randomized Port Knocker for Remote Access
  4. TM4 WhiteListing by Telephone (optional)
  5. Fail2Ban
  6. Randomized Ultra-Secure Passwords
  7. Automatic Security Updates & Bug Fixes

1. IPtables Linux Firewall. Yes, we’ve had IPtables in place with PBX in a Flash for many years. And, yes, it was partially locked down in previous Incredible PBX releases if you chose to deploy Travelin’ Man 3. Now it’s automatically installed AND locked down, period. As installed, the new Incredible PBX limits login access to your server to those on your private LAN (if any), anyone logging in from the server’s own public or private IP address, and the public IP address of the desktop machine used to install the Incredible PBX software. If you or your users need access from other computers or phones, those addresses can be added quickly using either the Travelin’ Man 3 tools (add-ip and add-fqdn) or the Port Knocker application running on your desktop or smartphone. All you need are the three randomized port numbers for the knock. You can also enable a remote IP address by telephone. Keep reading!

2. Travelin’ Man 3 WhiteLists. As in the past, many of the major SIP providers have been whitelisted in the default setup so that you can quickly add new service without worrying about firewall access. These are providers that we’ve used over the years. The preconfigured providers include Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. You are, of course, free to add other providers or users using the whitelist tools being provided. add-ip lets you add an IP address to your whitelist. add-fqdn lets you add a fully-qualified domain name to your whitelist. del-acct lets you remove an entry from your whitelist. Because IPtables resolves hostnames only when the rules are loaded, a single FQDN that no longer resolves makes iptables-restore abort the entire ruleset and can leave the server with no firewall rules at all. For that reason we’ve provided a customized iptables-restart tool which filters out bad FQDNs and starts up IPtables without the problematic entries.

Be advised that whitelist entries created with PortKnocker are stored in RAM, not in your IPtables file. These RAM entries will get blown out of the water whenever your system is restarted OR if IPtables is restarted. Stated another way, PortKnocker should be used as a stopgap tool to get new IP addresses qualified quickly. If these addresses need access for more than a few hours, then the Travelin’ Man 3 tools should be used to add them to your IPtables whitelist. If your whitelist setup includes dynamic IP addresses, be aware that using ipchecker in a cron job to test for changing dynamic IP addresses will remove PortKnocker whitelist RAM entries whenever an IP address change triggers an iptables-restart.
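The two failure modes above (a dead FQDN taking down the whole ruleset, and whitelist entries that only live in RAM) both come down to how the rules get written. As an added example that is not part of the original article or of the Travelin’ Man 3 scripts, here is a Python sketch of a whitelist-to-iptables-restore builder that resolves each FQDN up front, writes the resolved address into the rule as a literal, and skips names that do not resolve instead of emitting a rule that would make the load fail. The sample whitelist reuses provider hostnames from the article, the resolver is injectable so the example runs offline, and the TEST-NET addresses in OFFLINE_DNS are stand-ins, not real provider addresses.

```python
import ipaddress
import socket

# ASSUMPTION: entries are what a Travelin' Man 3 style whitelist holds, one host per
# line: a bare IPv4 address, a CIDR block, or a fully-qualified domain name. In the
# Incredible PBX model a whitelisted host gets access to every port.


def resolve_with_dns(name):
    """Default resolver; returns None instead of raising when a name is dead."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def build_whitelist_rules(entries, resolve=resolve_with_dns):
    """Turn whitelist entries into iptables ACCEPT rules.

    Returns (rules, skipped). FQDNs are resolved here and written into the rule as a
    literal address: iptables resolves hostnames only at load time, so a rule that
    names a host which no longer resolves makes iptables-restore abort the whole
    file. Skipping the dead name keeps every other rule loadable."""
    rules, skipped = [], []
    for entry in entries:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            target = str(ipaddress.ip_network(entry, strict=False))
        except ValueError:                      # not an address or CIDR: treat as an FQDN
            addr = resolve(entry)
            if addr is None:
                skipped.append(entry)
                continue
            target = f"{addr}/32"
        rules.append(f"-A INPUT -s {target} -j ACCEPT")
    return rules, skipped


def render_restore(rules):
    """Wrap the ACCEPT rules in a default-deny iptables-restore file: drop everything
    inbound except loopback, replies to established sessions, and the whitelist."""
    header = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    return "\n".join(header + rules + ["COMMIT"]) + "\n"


# Constructed whitelist: provider hostnames named in the article, a LAN block,
# DIDforsale's published address, and one dead name to exercise the skip path.
SAMPLE_WHITELIST = """
# Travelin' Man 3 whitelist (constructed sample)
192.168.1.0/24
209.216.2.211
outbound1.vitelity.net
inbound1.vitelity.net
dead-provider.example.invalid
"""

# Offline stand-in for DNS so the example runs without a network. TEST-NET
# addresses, not the providers' real ones.
OFFLINE_DNS = {
    "outbound1.vitelity.net": "203.0.113.10",
    "inbound1.vitelity.net": "203.0.113.11",
}

if __name__ == "__main__":
    rules, skipped = build_whitelist_rules(SAMPLE_WHITELIST.splitlines(), resolve=OFFLINE_DNS.get)
    print(render_restore(rules))
    print("# skipped (did not resolve):", ", ".join(skipped))
```

The same shape explains the PortKnocker caveat: a knock runs an iptables command that inserts a rule into the live table, but nothing rewrites the saved file, so the next restore built from the whitelist will not contain it. Anything that needs to survive a reboot has to go through the whitelist file, which is what add-ip and add-fqdn do.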

For more detail on Travelin’ Man 3, review our original tutorial.

3. PortKnocker WhiteListing. We’ve previously written about PortKnocker so we won’t repeat the article here. Simply stated, it lets you knock on three ports on a host machine in the proper order to gain access. If you get the timing and sequence right, the IP address from which you knocked gets whitelisted for access to the server… with appropriate admin or root passwords, of course. The knocking can be accomplished with either a command line tool or an iOS or Android app using your smartphone or tablet. As noted above, it’s a terrific stopgap tool to let you or your users gain quick access to your server. For the reasons we’ve documented, don’t forget that it’s a stopgap tool. Don’t use it as a replacement for Travelin’ Man 3 whitelists unless you don’t plan to deploy dynamic IP address automatic updating. Just to repeat, PortKnocker whitelists get destroyed whenever IPtables is restarted or your server is rebooted. You’ve been warned.

4. TM4 WhiteListing by Telephone. Newer releases of Incredible PBX are preconfigured with ODBC support for telephony applications. One worth mentioning is our new Travelin’ Man 4 utility which lets a remote user dial into a dedicated DID and register an IP address to be whitelisted on the server. Within a couple minutes, the user will be sent an email confirming that the IP address has been whitelisted and remote access is now enabled. For phone systems and administrators supporting hundreds of remote users, this new feature will be a welcome addition. It can be configured in a couple minutes by following the Installation instructions in the Travelin’ Man 4 tutorial. Unlike PortKnocker, whitelisted IP addresses added with TM4 are permanent until modified by the remote user or deleted by the administrator.

5. Fail2Ban. We’ve never been a big fan of Fail2Ban, which scans your logs and blacklists IP addresses after several failed attempts to log in or register with SSH, Apache, or Asterisk. The reason is the documented cases where attacks from powerful servers (think: Amazon) overwhelm a machine so badly that Fail2Ban’s log scanning falls behind, and the ban only lands after tens of thousands of registration attempts have already been launched. Fail2Ban is reactive by design: every attempt has to be written to a log, read back, matched against a regular expression, and counted before anything gets blocked. The FreePBX folks are working on a methodology to move failed login attempts to a separate (smaller) log which would go a long way toward eliminating the log scanning bottleneck. In the meantime, Fail2Ban is included, and it works when it works. But don’t count on it as your only security layer.
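To make the log-scanning lag concrete, here is an added example (not part of the original article, and not Fail2Ban’s own code) that applies the same failure-event matching Fail2Ban’s stock asterisk filter uses to constructed Asterisk security log lines, bans an address after maxretry failures inside findtime seconds, and then models how many of an attacker’s attempts arrive before the ban takes effect when the scanner only gets to the log every few seconds. The attacker’s address, the account name, the SessionID and the timestamp format (logger.conf dateformat=%F %T) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the lines Asterisk writes to its security log for authentication
# failures. ASSUMPTION: logger.conf uses dateformat=%F %T, so the timestamp
# looks like [2016-04-11 02:13:00].
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] SECURITY\[\d+\] .*?'
    r'SecurityEvent="(?P<event>\w+)".*?'
    r'RemoteAddress="IPV[46]/\w+/(?P<ip>[^/"]+)/\d+"'
)
# Event types that fail2ban's stock asterisk filter counts as failures.
FAIL_EVENTS = {"FailedACL", "InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword"}
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_failures(lines):
    """Return [(timestamp, remote_ip)] for each failed-auth security event, in log order."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("event") in FAIL_EVENTS:
            events.append((datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")))
    return events


def ban_decisions(events, maxretry=5, findtime=600):
    """An idealised fail2ban: an IP is banned the moment its maxretry-th failure
    inside a sliding findtime-second window is read. Returns {ip: decision_time}."""
    recent = defaultdict(deque)
    bans = {}
    for ts, ip in events:
        if ip in bans:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


def attempts_before_ban(events, bans, poll_interval):
    """Model the real thing: the scanner only reads the log every poll_interval
    seconds, so the ban takes effect at the first poll tick after the deciding
    line. Returns {ip: how many of that IP's attempts landed before the ban}."""
    t0 = min(ts for ts, _ in events)
    result = {}
    for ip, decided in bans.items():
        rel = (decided - t0).total_seconds()
        effective = (rel // poll_interval) * poll_interval + poll_interval
        result[ip] = sum(1 for ts, who in events
                         if who == ip and (ts - t0).total_seconds() < effective)
    return result


def make_burst(ip, start, count, per_second, event="InvalidPassword"):
    """Constructed log lines (not from a real server) for a source sending
    per_second registration attempts per second starting at `start`."""
    lines = []
    for i in range(count):
        ts = start + timedelta(seconds=i // per_second)
        lines.append(
            f'[{ts:{TS_FORMAT}}] SECURITY[2210] res_security_log.c: '
            f'SecurityEvent="{event}",EventTV="{ts:%Y-%m-%dT%H:%M:%S}.000+0000",'
            f'Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",'
            f'SessionID="0x7f2c1c0d3e28",LocalAddress="IPV4/UDP/203.0.113.5/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/5060"'
        )
    return lines


START = datetime(2016, 4, 11, 2, 13, 0)
SAMPLE_LOG = (
    make_burst("198.51.100.7", START, 300, per_second=100)        # attacker: 100 attempts/s for 3 s
    + ["[2016-04-11 02:13:04] NOTICE[2210] chan_sip.c: Registration from ... failed"]  # not a security event
    + make_burst("203.0.113.22", START + timedelta(seconds=5), 2, 1,
                 event="ChallengeResponseFailed")                 # a real user with a typo
)

if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    bans = ban_decisions(events)
    for poll in (1, 10, 60):
        print(f"scanner polls every {poll:>2}s -> attempts landed before ban:",
              attempts_before_ban(events, bans, poll))
```

With the scanner one second behind, 100 of the 300 attempts are already in before the ban; at ten seconds behind, all 300 are. A whitelist firewall in front of Asterisk never lets the first attempt through, which is why Fail2Ban sits at layer five rather than layer one.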

6. Randomized Passwords. With the new security model described above, we’ve dispensed with Apache password protection of the FreePBX® web directory. These new Incredible PBX releases rely upon the FreePBX security model, which stores password hashes (not recoverable passwords) in MySQL or MariaDB. As part of the installation process, Incredible PBX randomizes ALL FreePBX passwords including those for the default 701 extension as well as the admin password. When your new Incredible PBX install completes, the most important things to remember are your (randomized) FreePBX admin password AND the (randomized) 3 ports required for Port Knocker access. Put them in a safe place. Sooner or later, you’ll need them. You can review your PortKnocker settings in /root/knock.FAQ. We’ve also included admin-pw-change in the /root folder for those that are too lazy to heed our advice. With the new security model, there is no way to look up your admin password because only its hash is stored. All you can do is change it… assuming you haven’t also forgotten your root password. 😉

7. Automatic Update Service. All new Incredible PBX builds include an automatic update service to provide security patches and bug fixes whenever you log into your server as root. It saved you just last week! If you don’t want the updates for some reason, you can delete the /root/update* file from your server. If the cost of maintaining this service becomes prohibitive, we may implement a pay-for-service fee, but it presently is supported by voluntary contributions from our users. It has worked extremely well and provided a vehicle for pushing out updates that affect the reliability and security of your server.

A Word About IPv6. Sooner or later Internet Protocol version 6 will be upon us because of the exhaustion of IPv4 IP addresses. Incredible PBX is IPv6-aware and IPtables has been configured to support it as well. As deployed, outbound IPv6 is not restricted. Inbound access is limited to localhost. You, of course, are free to modify it in any way desired. Be advised that disabling IPv6 localhost inbound access will block access to the FreePBX GUI. Don’t ask us how we know. 🙂

Originally published: Monday, April 18, 2016




