Home » Technology (Page 9)
Category Archives: Technology
Introducing Incredible PBX 2022 for Rocky 8 Linux
As we celebrate the 17th birthday of Nerd Vittles this week, it seemed only fitting to introduce a new version of Incredible PBX 2022 which will carry telephony forward until the end of this decade. For history buffs, you may recall that CentOS used to be a perfect clone of Red Hat Enterprise Linux… until it wasn’t when RedHat decided to morph CentOS into a development sandbox known as CentOS Stream. And then along came Gregory Kurtzer, the original developer of CentOS, to work his magic once again with the Rocky 8 reincarnation. Until Rocky 8 rose from the ashes, we had all but decided to end our CentOS distribution and focus on Debian, Raspbian, and Ubuntu. But the appeal of a new operating system with an end of life slated for May 2029 was hard to resist. So here we are.
Our roadmap for Incredible PBX 2022 for Rocky 8 goes like this. Today we are introducing this beta featuring Asterisk® 16 and the GPL modules from FreePBX® 15. Once we get the kinks out of this release, we will add two additional versions, one featuring Asterisk 18 and FreePBX 15 plus a second one featuring Asterisk 19 and FreePBX 16. The PHP platform to support all three versions is already in place. It supports both PHP 5.6 and PHP 7.4 running concurrently. We needed PHP 5.6 to preserve the legacy AvantFax application which provides free faxing.
CAUTION: Because of frequent changes to the Rocky 8 platform, we no longer recommend it for production use with Incredible PBX.
We hope you’ll download and install Rocky 8 as well as Incredible PBX 2022 and help us move this platform forward. Begin by downloading and installing Rocky 8 Minimal. If you prefer AlmaLinux, download and install their minimal image from here. If you prefer a cloud-based platform, consider our Platinum sponsor, Vultr. They host both Rocky 8 and AlmaLinux 8 images in addition to other operating systems so platform setup takes only a minute.
Once you have your platform up and running, login as root and issue the following commands to kick off the Incredible PBX 2022 install:
cd /root yum -y install wget wget http://incrediblepbx.com/IncrediblePBX2022.16.15-4.sh chmod +x IncrediblePBX2022.16.15-4.sh ./IncrediblePBX2022.16.15-4.sh
Once the Phase I install finishes, your server will reboot. Log back in as root and run the installer a second time:
cd /root ./IncrediblePBX2022.16.15-4.sh
1/31/2022 UPDATE: We’ve now released the second iteration of Incredible PBX 2022 for Rocky8 and AlmaLinux8 featuring Asterisk 18 and the FreePBX GPL modules. You can install this version as an alternative to the Asterisk 16 release if you would prefer:
cd /root yum -y install wget wget http://incrediblepbx.com/IncrediblePBX2022.18.15-1.sh chmod +x IncrediblePBX2022.18.15-1.sh ./IncrediblePBX2022.18.15-1.sh
Once the Phase I install finishes, your server will reboot. Log back in as root and run the new installer a second time:
cd /root ./IncrediblePBX2022.18.15-1.sh
If you chose to install AlmaLinux 8, issue the following command once you’ve logged in to the Linux CLI as root:
sed -i 's|Rocky 8|AlmaLinux 8|' /usr/local/sbin/pbxstatus
As with all Incredible PBX builds, a preconfigured Linux firewall is included which blocks all access except from whitelisted IP addresses. To activate it, simply press the ENTER key when the install completes. To load the latest updates to the platform using the Automatic Update Utility, simply log out of your server and log back in as root. You’re now ready to explore the Incredible PBX feature set using the tutorials available on the Incredible PBX Wiki.
Audio Issues with Incredible PBX
If you experience one-way or no audio on some calls, add your external IP address and LAN subnet in the GUI by navigating to Settings -> Asterisk SIP Settings. In the NAT Settings section, click Detect Network Settings. Click Submit and Apply Settings to save your changes.
Incredible PBX Administration
We’ve eased the pain of administering your new PBX with a collection of scripts which you will find in the /root folder after logging in as root with SSH or Putty. Here’s a quick summary of what each of the scripts does.
add-fqdn is used to whitelist a fully-qualified domain name in the firewall. Because Incredible PBX 2020 blocks all traffic from IP addresses that are not whitelisted, this is what you use to authorize an external user for your PBX. The advantage of an FQDN is that you can use a dynamic DNS service to automatically update the IP address associated with an FQDN so that you never lose connectivity.
add-ip is used to whitelist a public IP address in the firewall. See the add-fqdn explanation as to why this matters.
del-acct is used to remove an IP address or FQDN from the firewall’s whitelist.
admin-pw-change is used to set the admin password for access to the FreePBX/Incredible PBX web GUI using a browser pointed to the local IP address of your server.
apache-pw-change is used to set the admin password for access to Apache/Incredible PBX apps including AsteriDex and Reminders. This provides a password layer of protection for access to these applications.
reset-conference-pins is a script that automatically and randomly resets the user and admin pins for access to the preconfigured conferencing application. Dial C-O-N-F from any registered SIP phone to connect to the conference.
reset-extension-passwords is a script that automatically and randomly resets ALL of the SIP passwords for extensions 701-705. Be careful using this one, or you may disable existing registered phones and cause Fail2Ban to blacklist the IP addresses of those users. HINT: You can place a call to the Ring Group associated with all five extensions by dialing 777.
reset-reminders-pin is a script that automatically and randomly resets the pin required to access the Telephone Reminders application by dialing 123. It’s important to protect this application because a nefarious user could set up a reminder to call a number anywhere in the world assuming your SIP provider’s account was configured to allow such calls.
show-feature-codes is a cheat sheet for all of the feature codes which can be dialed from any registered SIP phone. It documents how powerful a platform Incredible PBX 2020 actually is. A similar listing is available in the GUI at Admin -> Feature Codes.
show-passwords is a script that displays most of the passwords associated with Incredible PBX 2020. This includes SIP extension passwords, voicemail pins, conference pins, telephone reminders pin, and your Anveo Direct outbound calling pin (if configured). Note that voicemail pins are configured by the user of a SIP extension the first time the user accesses the voicemail system by dialing *97.
update-IncrediblePBX is the Automatic Update Utility which checks for server updates from incrediblepbx.com every time you log into your server as root using SSH or Putty. Do NOT disable it as it is used to load important fixes and security updates when necessary. We recommend logging into your server at least once a week.
pbxstatus (shown above) displays status of all major components of Incredible PBX.
Forwarding Calls to Your Cellphone. Keep in mind that inbound calls to your DIDs automatically ring all five SIP extensions, 701-705. The easiest way to also ring your cellphone is to set one of these five extensions to forward incoming calls to your cellphone. After logging into your PBX as root, issue the following command to forward calls from extension 705 to your cellphone: asterisk -rx "database put CF 705 6781234567"
To remove call forwarding: asterisk -rx "database del CF 705"
Originally published: Monday, January 17, 2022 Updated: Monday, December 12, 2022
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Oh My God, It’s Omicron!
We had a near perfect Christmas vacation in Vero Beach this year. There were a couple of terrific mask-free parties leading up to the big day, and they were all loaded with great food and enough college kids to open our own tavern. We also had dined out several nights before Christmas so we have no idea where Omicron was hiding. Then December 27 rolled around and, after two years of remaining Cootie-free, I woke up with the sniffles and congestion not unlike a common cold. Luckily, two of our friends gave us a couple of rapid antigen tests for Covid. I flunked, and Mary passed but had similar symptoms to mine plus a headache. I, of course, have heard the headache story for many years so I didn’t put too much stock in that.
I don’t often write about personal stuff but I’m making an exception simply to stress how important Covid vaccinations and boosters are to your survival. I’ve had all three shots and, on Day 4 of my Omicron surprise, I’m happy to report that my bout with Covid is over, and it was less severe than a common cold. I also confess that I’m one who can nurse a cold for the better part of a month enjoying every miserable day. Aside from a few sniffles and a little sneezing, there’s not much else to report about my time with Omicron. But others haven’t been so lucky. And that’s mainly because of their insistence on asserting their independence from the medical community. Do yourself and your loved ones a favor. Get vaccinated and boosted. It probably won’t keep you from getting Omicron, but there’s a strong possibility it will keep you out of the hospital. Here’s hoping all of you have a safe and Happy New Year!
Originally published: Friday, December 31, 2021
Santa’s Surprise: Free Faxing Returns for FreePBX 16
As most of you know, free faxing with HylaFax, AvantFax, and IAXmodem has been an integral component of Incredible PBX since its introduction. That changed with the Incredible PBX 2022 Beta release last week because of the FreePBX® 16 prerequisite of a PHP 7.4 platform. That prompted us to become a student again and explore the possibility of deploying two simultaneously available versions of PHP. AvantFax is the web GUI for sending and receiving free faxes. It is no longer under active development and depends upon PHP 5.6 to function. Thus, we were faced with the Hobson’s Choice of deploying PHP 7.4 for FreePBX 16 or PHP 5.6 for AvantFax. We chose the lesser of two evils in the initial release of Incredible PBX 2022 by choosing to support FreePBX 16. Today we finally have good news.
We’ve managed to restore the full functionality of Incredible PBX including free faxing by reconfiguring PHP 7.4 and PHP 5.6 to run simultaneously. Incredible PBX 2022 now can be deployed with Asterisk® 19, FreePBX 16, and AvantFax happily coexisting. To get this working, you’ll need a Debian 10 platform running Incredible PBX 2021. Once you have it up and running, here are the steps to add the latest Incredible PBX 2022 Beta including faxing.
1. Install Incredible PBX 2021 on Debian 10 platform
2. Run /root/incrediblefax2021-debian10.sh to install free faxing
3. Set the Apache and FreePBX admin passwords:
/root/apache-pw-change /root/admin-pw-change
4. Reboot
5. Verify that pbxstatus shows everything working
6. Obtain FQDN linked to your server’s public IP address
7. Verify access to Incredible PBX using this FQDN
(NOTE: Do this NOW before proceeding or step 11 will fail)
8. Install Incredible PBX 2022 Beta
9. Reboot
10. Verify that pbxstatus shows everything working
11. Run install-dual-php script to activate dual PHP stack:
cd /root wget http://incrediblepbx.com/install-dual-php chmod +x install-dual-php ./install-dual-php
Now you should be able to login to FreePBX using your server’s public IP address.
And you should be able to login to AvantFax using the FQDN you created (step 6).
At the first login prompt for AvantFax, it’s asking for your Apache admin credentials (step 3).
Then you’ll be prompted for your AvantFax admin credentials. Default is admin:password
We hope you and yours have a very Merry Christmas!
Originally published: Saturday, December 25, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
It’s Incredible PBX 2022 Beta with Asterisk 19 & FreePBX 16
For those with a pioneering spirit, we are pleased to introduce the Incredible PBX 2022 Beta 1 upgrade for the Incredible PBX 2021 Debian 10 platform. This upgrade features the latest release of Asterisk® 19 and includes all FreePBX® 16 GPL modules. It should not (yet) be used in a production environment, but it’s fun to experiment especially when it’s the only implementation of FreePBX currently available for Asterisk 19.
Prerequisites. To get started you’ll need an Incredible PBX 2021 platform running on Debian 10. Our tutorial is available here. If you just want a sandbox, the quickest way to get started is to deploy Incredible PBX 2021 from the Vultr Marketplace. It only takes a couple minutes and costs less than a penny an hour up to a maximum of $5 a month.
Upgrade Procedure. Once you have a non-production Incredible PBX 2021 platform up and running, it’s time to upgrade to Incredible PBX 2022. We’ve provided a script that does the heavy lifting in under 30 minutes: upgrading FreePBX 15 to 16 and then upgrading Asterisk 18 to 19. Begin by logging into the Linux CLI as root and issuing these commands to kick off the upgrade script:
cd /root wget http://incrediblepbx.com/incrediblepbx2022-upgrade.tar.gz tar zxvf incrediblepbx2022-upgrade.tar.gz rm -f incrediblepbx2022-upgrade.tar.gz ./upgrade-to-IncrediblePBX2022
The FreePBX upgrade begins and requires no user intervention. After about 15 minutes, you will be prompted to continue with the Asterisk 19 upgrade. After a couple minutes, the Asterisk MenuSelect Dashboard will appear. Simply tab to Save & Exit and press the ENTER key to continue with the upgrade. When the upgrade finishes, verify that everything is running in the pbxstatus display. Despite what the display may suggest, be advised that faxing is not yet supported since AvantFax requires PHP 5.6, and FreePBX 16 requires PHP 7.4 which is running. Type fwconsole reload
to complete the upgrade.
UPDATE: You now can add free faxing to your new Asterisk 19/FreePBX 16 platform. Follow this link for the script.
If you need help or wish to join the discussion on Incredible PBX 2022, come join us on the VoIP-Info Forum.
Originally published: Monday, December 13, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
The $10,000 Hoax: Meet Tesla’s Full Self-Driving Vehicle
Elon Musk has called Tesla’s pricey $10,000 full self-driving option "amazing by most standards, but we are aiming for 1000% safer than the average human driver,” Here’s our take after 10 minutes behind the wheel with Tesla’s tenth FSD beta release. We’ll all be dead before Elon ever achieves that goal. And, unless you’ve chosen today as your last day above ground on Planet Earth, turn this "feature" off and leave it that way. Better yet, don’t buy it.
To give you some idea of the functionality, take a toddler out to the farm and put them on a tractor alone pointed to the nearby barn. Then put the tractor in gear and tell the toddler you’ll meet them at the barn, but you prefer to walk. Odds are you’ll get there first. But you may never see the toddler alive again. One thing’s for certain with FSD, Tesla won’t have to nag you to keep your hands on the steering wheel. You’ll be holding on for dear life!
We’ve managed to keep our sense of humor about all of this for a couple of reasons. First, we’ve been gobbling up Elon’s bullshit for almost five years, and we’re on our second Tesla with Full Self-Driving. If you’ve read our previous Tesla articles, you already know that our first Model S departed on a tow truck. But, you know what they say about pioneers loving the arrows in the back. It wasn’t long until we bought a Model X with Full Self-Driving after a two year stint with a Jaguar I-Pace. Well, we’ve had the Model X almost two years and still no FSD. So we decided to trade it for a more comfortable car, and we’ve been awaiting the arrival of an Audi Q8 which we’ll enjoy until the Cadillac LYRIQ with SuperCruise becomes available.
Lo and behold, the day before the Q8 was scheduled to arrive, the magic light went on signaling the arrival of FSD on our Model X. All of a sudden we had the best of both worlds, a new car with no deposit arriving tomorrow and the chance to try out FSD to see if we’d prefer to keep the Tesla. We thought it would be a difficult decision considering all the hoopla (a polite word) surrounding FSD. It wasn’t. We took the Tesla a couple miles from home on well-marked roads and told the car to take us home. Disengagement is a word Tesla uses to describe a situation in which the autopilot software fails and the driver needs to take control of the car. The number of FSD disengagements returning home must have set a record. I lost count at a dozen. The simplest maneuvers such as avoiding a trash can on the curb of the road or making a turn into a street with two incoming lanes were met with alarming machinations not unlike the toddler driving the tractor. Could we have made it home alive? We weren’t sure. Nor were we brave (or patient) enough to find out.
https://youtu.be/o7oZ-AQszEI
We’re recounting this fiasco to warn you of the dangers of using FSD. It also makes us wonder how federal, state, and local authorities have ever allowed Elon’s science experiment on public roads. It really is that dangerous. And finally, we wanted to save you $10,000 should you decide to buy a Tesla. There’s a reason you won’t find FSD on demo vehicles at Tesla showrooms. And that should tell you everything you need to know.
Originally published: Wednesday, December 1, 2021
Migrating Incredible PBX 2021 to a PUBLIC Facing Cloud PBX
Today we want to again enhance the migration of Incredible PBX 2021 into a PUBLIC-facing Cloud PBX. What that means is authorized users can connect a SIP phone to the PBX regardless of where the user might be located without worries about an ever-changing dynamic IP address and the requirement to whitelist the new IP address. A PUBLIC-facing PBX also provides free SIP URI connectivity to users of your PBX by anyone from anywhere in the world. In other words, it’s similar to the way you could connect to any Ma Bell telephone in the world simply by knowing the number to dial. The difference, of course, is SIP URI connectivity is free while there were often staggering long distance charges for remote connectivity in the Ma Bell days. Fifty years ago it was not uncommon for a college boy to spend $200 a month calling his college sweetheart less than 200 miles away in the same state. Ask me how I know.
Why is this such a big deal? The short answer is security and your phone bill. You don’t want bad guys on the other side of the globe attempting to register a SIP phone to your PBX so that they can use your trunks to make free phone calls on your nickel. You also don’t want anybody and everybody calling your users by simply guessing the IP address of your PBX. So today’s new design combines several security mechanisms to make a PUBLIC-facing PBX safe and secure. First, we will block all SIP connectivity to your PBX by IP address. Second, we will identify 30,000+ known SIP bad guys and block their access to your PBX entirely. Third, we will only permit SSH access to your PBX using public key authentication instead of traditional username/password authentication. Fourth, we will only permit web access to the Incredible PBX portal from whitelisted IP addresses and OpenVPN private addresses. We haven’t mentioned the elephant in the room, Distributed Denial of Service (DDoS) attacks, but today’s methodology reduces the risk considerably since your PBX cannot be ping’d, and all IP address access is blocked at the Linux kernel level.
Prerequisites. To put all these safeguards in place, you’ll need a cloud-based Incredible PBX 2021 KVM platform running Debian 10. Install the latest Incredible PBX 2021 platform using our tutorial. Next, you’ll need these items:
- Public IP Address of your server
- Obscure FQDN linked to this public IP address
- Random SSH port with registered public keys for SSH access
- List of SIP extensions to enable for SIP URI access
- IP Addresses to WhiteList for Access to the Web GUI
1. Deciphering Public IP Address of Your PBX
After logging into your PBX as root, you can execute pbxstatus to decipher the public IP address of the PBX. Or issue the command: wget -q -O - ipinfo.io/ip
2. Obtaining an FQDN for Your PBX
Security through obscurity provides the critical layer of protection for your server so choose an FQDN carefully. sip.yourname.com provides little protection while f246g.yourname.com pretty much assures that nobody is going to guess your domain name. This is particularly important with SIP registrations because registered extensions on your PBX can obviously make phone calls that cost you money. If you don’t have your own domain, you can always obtain a free hostname from a service such as NoIP.com.
3. Securing SSH Access to Your PBX
Whatever you do, don’t leave SSH access via port 22 exposed on your PBX. In the time it took to create a new PBX on CloudAtCost, there were over 400 attempted logins to the default SSH port of the new server. The simplest (but least secure) method to avoid these script kiddie attacks is to change the port number for SSH access to your server. We suggest using the year you were born as the port number because it’s easy to remember. Edit /etc/ssh/sshd_config and uncomment the Port line replacing 22 with the port number you chose. Then restart SSH: systemctl restart sshd.
The preferable solution to secure SSH is to create and use SSH keys for access and set PasswordAuthentication no on the last line of /etc/ssh/sshd_config. Digital Ocean has an excellent tutorial to walk you through the setup process.
4. Choosing Extensions for SIP URI Public Access
With today’s PUBLIC design, exposing an extension for PUBLIC access means anyone in the world that knows the FQDN of your server and the extension number can do two things using any SIP client: (1) they can call you and (2) they can attempt to register to that extension and make calls on your trunks AND your nickel. So only expose extensions for public access if there is a need to connect or call from remote locations. For extensions you decide to expose, make certain that the passwords for these extensions are extremely secure, lengthy, and use numbers with both UPPER and lower case letters. Never use default extension passwords!
5. Whitelisting IP Addresses for Public Web Access
Without enumerating IP addresses for public web access, you won’t be able to connect to the web GUI of your PBX. Down the road, if you wish to add additional IP addresses, you can use /root/add-ip to add them via SSH.
Deploying New PUBLIC Firewall
To get started, log into your server as root and issue the following commands:
cd /tmp wget http://incrediblepbx.com/newpublic.tar.gz tar zxvf newpublic.tar.gz rm -f newpublic.tar.gz
Next, edit /tmp/iptables.base and change the highlighted entries:
Change port 22 in the dport entry to the SSH port number you chose in Step 3, above.
Change 8.8.8.8, 8.8.4.4., and 1.1.1.1 to actual public IP addresses of desktop machines you wish to use to access the web GUI of your PBX. If you don’t need three entries, comment out the other entries with # at the beginning of each line.
Replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.
Save the file.
On the Debian platform, issue the following commands:
cd /etc/iptables cp /tmp/iptables.base . mv rules.v4 rules.v4.orig cp iptables.base rules.v4
Using Incredible PBX PUBLIC with Asterisk
The first line of defense with this PUBLIC implementation is your FQDN. Second is the IPtables firewall setup above. And third is the Asterisk® extensions configuration in extensions_override_freepbx.conf. Here’s how to configure it. Edit /tmp/extensions_override_freepbx.base and change the highlighted entries:
If there are phone numbers assigned to your PBX that you want processed according to your Inbound Routing rules, duplicate the first highlighted line above and, for each trunk, replace 8881234567 with your actual DID numbers.
In exten => _.,1 line, replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.
In exten => _.,10 line, replace your-servers-FQDN with the actual FQDN assigned to your PBX from Step 2, above.
Scroll down in the file to the following section:
Comment out undesired default extensions. Place a semicolon at the beginning of the lines.
For any extensions you wish to add, insert a new line in the following format replacing both 7000 entries with the desired extension number:
exten => 7000,13,Dial(local/7000@from-internal)
Save the file and then execute the following commands to complete the PUBLIC setup:
cd /etc/asterisk cp /tmp/extensions_override_freepbx.base . mv extensions_override_freepbx.conf extensions_override_freepbx.orig cp extensions_override_freepbx.base extensions_override_freepbx.conf fwconsole restart asterisk -rx "dialplan reload" iptables-restart sed -i 's|-A INPUT|-I INPUT|' /root/add-ip sed -i 's|-A INPUT|-I INPUT|' /root/add-fqdn sed -i 's|for |PUB |' /usr/local/sbin/pbxstatus
Adding IPSET Protections to Incredible PBX
We’re not the biggest fans of blacklists because the bad guys spend a lot of time trying to corrupt them by inserting valid IP addresses of sites such as DNS servers in the lists to wreak havoc. Having said that, there are two blacklists that are carefully monitored on a daily basis, and both provide additional protection for your PBX by weeding out access by 30,000+ potential bad guys. The oldest of these is VoIP Blacklist. And the new kid on the block is APIBAN from LOD.com and Fred Posner. We’ve simplified the setup process for use with Incredible PBX 2021. To get started, obtain an APIBAN API key here. Then issue the following commands to put all the pieces in place on your server:
apt --fix-broken install -y apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent -y cd /usr/local/sbin wget http://incrediblepbx.com/incrediblepbx-ipsets.tar.gz tar zxvf incrediblepbx-ipsets.tar.gz rm -f incrediblepbx-ipsets.tar.gz
Next, edit /usr/local/sbin/apiban-init and insert your APIkey.
Finally, issue the following command to reload the firewall: iptables-restart
Verifying Firewall Setup of Incredible PBX
Let’s make certain that everything got installed correctly. Begin by issuing this command: iptables -nL
Scroll toward the top of the list, and you should see two entries for the voipbl and apiban ipsets indicating that entries in those lists will be dropped by the firewall.
Next, verify that the voipbl and apiban ipsets are populated. The first two commands below will list all of the blocked IP addresses. And the next two commands will provide a count of the dropped IP addresses.
ipset list voipbl ipset list apiban ipset list voipbl | wc -l ipset list apiban | wc -l
Finally, you can refresh the ipsets with the following two commands:
voipbl-init apiban-init
Rebooting or restarting the firewall with iptables-restart
also refreshes the ipset listings.
Calling an Incredible PBX PUBLIC Extension
Any extensions that you have whitelisted in the blue section above can be called from anywhere using any SIP client. Simply enter the SIP URI for the extension in the following format: SIP/extension@your-servers-FQDN
CAUTION: If a caller attempts to call any extension on your PUBLIC server from an extension on another Asterisk server to which the caller is registered, the call will fail if there is a matching extension number on the PUBLIC server and the two servers are not registered to each other. So remember to use unique extension numbers on your PUBLIC server if you expect callers from other Asterisk servers.
Registering Incredible PBX PUBLIC Extension
If you wish to login to a whitelisted extension using a SIP client, enter the extension and password of the extension. For the server address, enter the FQDN of your server. If it’s a PJsip extension, add :5061 to the end of the FQDN.
Originally published: Thursday, November 11, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
An Electronics Home Makeover for the 21st Century
It was a sad day when we finally sold our Bozak Concert Grand speakers this year after enjoying them for over half a century. They were a graduation present from "Papa Gene" Newsom of Newsom’s Music Center when I graduated from law school in 1971. The sale got me thinking that I really needed to write about what has changed in home entertainment now that we’ve turned the page to another century. Back then, there was no Internet or Spotify, just bootleg 8-track tapes, an Apple record label, and great home audio made by McIntosh.
For those living in the present, let me tick off what we hope will save you a boatload of money in the coming years. We’ll cover Internet service providers as well as telephony, home audio and TV options, and home automation. Our plan here is to show you how to replace your $200-$500 a month Comcast, Spectrum, and cellular bills with setups that are more robust and considerably less expensive for the whole family.
Choosing a Cell Provider in 2021
With the advent of 46/LTE and 5G cellular service, the cell phone landscape in the U.S. has changed dramatically in the past two years. Unless you live in a remote location, 5G service now is available from all of the major U.S. carriers: T-Mobile, Verizon, and AT&T. This is where looking at the overall family picture can pay off royally. For example, T-Mobile bundles Netflix, Apple TV, and In-Flight WiFi plus discounted YouTube TV service with many of their plans, and there are substantial discounts compared with other carriers particularly if you’re on a family plan or are a military veteran or age 55+. If you wrote off T-Mobile years ago, it’s time to have another look. Their 5G coverage area now is second to none and pricing is typically 30-50% less than Verizon or AT&T. If you’re looking for the least costly all-you-can-eat cellular plan, then take a careful look at the Nerd Vittles special with Visible, which is the Verizon discount carrier. Unless you need great cell service during major sporting events inside the stadium, our $25 plan has no equal. Here’s a link to our article with the details.
Choosing an Internet Service Provider in 2021
If your cable TV and Internet bill is in the $150+ range and most are, we’ve got some exciting news for you. T-Mobile now has unlimited 5G Home Internet service for $50 a month. While it’s still a little difficult to obtain in all areas, check often. We’ve been searching for eight months in four cities and had signed up for email notice when it was available. We never got an email but, lo and behold, it popped up as available in Asheville NC when we checked last week. Once you have the T-Mobile router, it will work anywhere there’s a T-Mobile 4G/LTE or 5G tower. The results below were in Charleston, SC where the T-Mobile site shows it’s unavailable. Our one-week report card gives T-Mobile an A+ for ease of setup, web access performance, streaming media reliability, and VoIP telephony. There literally have been zero hiccups. You can review our play-by-play adventure on the VoIP-Info.org Forum.
To achieve similar performance from the service providers offering wired service, you’re looking at $100+ a month from Comcast or WOW and at least $50 a month from Spectrum. And, unfortunately, in most U.S. markets, there is zero competition between the major providers. You get Comcast or nothing in many cities and Spectrum or nothing in others.
Choosing a TV Provider in 2021
Even if you’re stuck with Comcast or Spectrum for the time being, there’s still a silver lining. Drop their TV service immediately. Our last (and final) Comcast bill included $55 for hardware rentals, $23.55 in TV broadcast fees, and $13.92 in taxes. That’s nearly $100/month just to get television delivered to your house! That’s before you sign up for a single channel. Here’s a better idea. Once you’ve invested $50 to $100 in your Internet service, sign up for YouTube TV and enjoy unlimited streaming with numerous simultaneous streams, unlimited DVR recordings, 85+ channels including your local TV channels, and almost every sporting event you can name for $65 a month with no additional fees or contracts. The picture quality with a smart TV looks exactly the same as watching cable television. CNET rated it the "best premium live TV streaming service." If you’ve taken our advice thus far, your total home entertainment bill is $50 for T-Mobile Home WiFi and $65 for YouTube TV and includes free Netflix at no additional charge.
Choosing a Music Provider in 2021
Now let’s suppose you still have a teenager in college. Rather than worry about your kids pirating music and movies, here’s a better idea. Sign them up for Spotify with unlimited music plus Showtime plus Hulu for $5 a month for four years! The good news is they’re rarely up when you are so you, too, can enjoy their Spotify, Showtime, and Hulu accounts while they’re sleeping. We’ve never been particularly big fans of Sirius/XM after they pulled their stunt of cancelling lifetime subscriptions. But that lawsuit got settled and they righted their wrong in a most generous way. You not only got your lifetime subscriptions back, but you also got free streaming. While you can’t take advantage of the lifetime subscription any longer, you still can snag the service for about $5 a month if you wait for a deal. That gets you hundreds of music channels for your car plus streaming to your favorite phone, PC, or Sonos device so it’s worth a careful look if you like music.
Home Automation Basics for 2021
If you haven’t dipped your toes into home automation, it’s finally time. An inexpensive Amazon Echo device will get you started. They range in price from under $50 to a couple hundred dollars. Our favorite is the Echo Show 8 for $99. This will bring Alexa into your home and in many of the newer automobiles as well. The next step is to purchase a few smart light bulbs so you can light up your house when the sun goes down and turn off the lights when you crawl into bed at 8:30. There are lots of lights to choose from. Our favorites are Sylvania’s WiFi Smart Lights which can bring every color of the rainbow to your lamps for under $10. For everyday use, you can pick your favorite shade of white, and for holidays, you can set them to orange for Halloween and red and green for Christmas. Now buy yourself a Nest WiFi thermostat and never worry about the proper setting again. It’s that smart. Then get yourself an August Door Lock, and you’ll never have to fumble for your house keys again. Finally, link Spotify with Alexa, and every song on the planet awaits your command. Get hip, dude!
TIP: Using our Amazon referral links helps keep the lights burning brightly at Nerd Vittles.
What About Telephony?
We saved the best for last. Hopefully, you don’t still have a Ma Bell telephone hanging on the wall in your kitchen. But, if you do, today’s your lucky day. You can dump Ma Bell and add a little gizmo called a Raspberry Pi to your home electronics collection. Then follow our tutorial and for about $100 and a monthly cost of a few dollars, you can enjoy home telephone service using your WiFi Internet connection forever. Welcome to the 21st century. Enjoy!
Originally published: Saturday, October 23, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Introducing OpenSIPS 3 for Incredible PBX and Debian 10
Today we’re pleased to introduce an updated OpenSIPS installer for Debian 10 featuring the latest release of OpenSIPS. Our previous tutorial with Debian 8 is now obsolete, an all-too-frequent occurrence in the open source world. Today’s open source SIP server lets you connect users to make and receive free as well as commercial calls worldwide. There’s excellent documentation making it easy to integrate into our existing Incredible PBX platform without hiring a consultant. It’s also straight-forward to secure without providing free phone service to every bad guy on the planet.
OpenSIPS is a multi-functional, multi-purpose signaling SIP server used by carriers, telecoms or ITSPs for solutions like Class4/5 Residential Platforms, Trunking / Wholesale, Enterprise / Virtual PBX Solutions, Session Border Controllers, Application Servers, Front-End Load Balancers, IMS Platforms, Call Centers, and many others. Source: opensips.org
We’ve often complained that the problem with many open source projects is that the developers get so focused on making money that they skimp on the documentation to encourage consulting work or participation in expensive conferences. We have found just the opposite with OpenSIPS. In fact, much of today’s implementation is based upon an excellent tutorial by the folks at PowerPBX. Down the road, if you find yourself in need of a consultant, their services would be a good place to start. What we’ve added to the PowerPBX design is security, support for clients behind NAT-based routers, and an integration scheme for Asterisk®, FreePBX®, and Incredible PBX® platforms so that you get the best of all worlds, a public facing SIP server with the UC feature set that most organizations expect. Last but not least, our turnkey GPLv2 installer will get you up and running in about 5 minutes.
Choosing an Appropriate Platform for OpenSIPS
Let’s begin by addressing the appropriate platform for an OpenSIPS server. The server needs to have a public IP address that is static, and the server should not be situated behind a NAT-based router. It only complicates things and is beyond the scope of what we plan to address. For those that are frequent visitors, you already know that we’ve been pushing everyone to kiss their local hardware goodbye and join the cloud revolution. When it comes to public-facing VoIP platforms like OpenSIPS, most of us don’t have a choice. You need a static IP address on the open Internet. And, for the sake of security, a KVM cloud platform is a must since older OpenVZ platforms don’t support the ipset component of IPtables which makes it easy to block hundreds of thousands of IP addresses without a performance hit on your server. Pure whitelist access simply isn’t an option if you wish to retain the functionality of a VoIP application such as OpenSIPS.
Ten to twenty gigabytes of disk space should be more than ample for OpenSIPS. The amount of RAM in your server depends upon the volume of calls your server will be handling. If it’s a dozen simultaneous calls then 1GB of RAM will suffice. If it’s 100,000 calls, then take a look at this article for tips on sizing your server. For today’s implementation, you’ll need a Debian 10 platform so a low-cost KVM provider including Digital Ocean, Vultr, and OVH should be fine.1
Choosing OpenSIPS Components to Deploy
We’ve divided up today’s tutorial into bite-sized pieces so that you can pick and choose where to stop implementing and start using. You do not need to have an Asterisk server to make and receive calls with OpenSIPS. However, OpenSIPS lacks voicemail and AutoAttendant/IVR components so, if those are a requirement, then you either need a VoIP service provider that offers them, or deploy a $50 Incredible PBX for the Raspberry Pi to add the missing pieces.
What OpenSIPS offers is a free server platform for worldwide SIP communications so that you, your friends, and business associates can call or connect from anywhere using freely available SIP softphones or any of dozens of SIP telephone instruments. We’ll stick with softphones for today, but hardware-based SIP telephones are equally simple to deploy.
This is not a criticism because it is one of the best tutorials we’ve ever used but, if you want to see how complex a typical OpenSIPS server deployment is, take a look at the PowerPBX tutorial we used as a starting point with OpenSIPS. We’ve compressed most of those procedures into a turnkey installer that only requires you to enter a MySQL root password of passw0rd (with a zero) once you have your Debian 10/64 platform up and running.
Deploying a Debian 10 Server Platform
Start by choosing a cloud provider that offers the 64-bit Debian 10 minimal platform as a deployment option. Most do. As noted, we recommend a KVM platform with support for ipset making it easy to block entire countries overrun with bad guys. Choose offerings with at least 1GB RAM and a 10GB drive to get started. Configure your Debian 10 server with a fully-qualified domain name (FQDN). This is critically important with our security design because we will assign all OpenSIPS users/extensions to this FQDN and reserve your server’s IP address purely for connections from service providers and Asterisk servers. This makes it all but impossible for anyone to hack into your server since most script kiddies launch attacks on IP addresses, not FQDNs. Using an unusual FQDN adds an extra layer of security, but that’s your call. If you lack the ability to assign FQDN aliases to a domain which you own, you can obtain a free FQDN from numerous sources including ChangeIP and point it to the IP address of your OpenSIPS server.
Installing OpenSIPS on a Debian 10 Server
Now the fun begins. Log into your Debian 8 server as root and issue the following commands to prepare for the OpenSIPS install:
cd /root wget http://incrediblepbx.com/opensips3.tar.gz tar zxvf opensips3.tar.gz rm -f opensips3.tar.gz
Make sure you have logged into your Debian 10 server as root using SSH or Putty from a desktop PC that you will use to manage OpenSIPS with a browser. The reason is because this IP address automatically will be whitelisted in the OpenSIPS firewall as part of the install process. Otherwise, you will need to manually log into SSH and whitelist the IP address of your desktop PC using /root/add-ip each time you wish to access the OpenSIPS Control Panel since TCP port 80 (HTTP) is not exposed to the public Internet as a security precaution.
To begin the install, issue this command: /root/install
As the install progresses, you’ll first be prompted to choose the GRUB install device. Press the spacebar on the first entry. Then press TAB and ENTER. When prompted for the SSH configuration, choose "keep local version" and then press TAB and ENTER. For the MariaDB setup, press ENTER when prompted for the current password. Type N when prompted whether to switch to unix_socket authorization. Then type Y to change the root password. Be sure to use passw0rd (with a zero) as your MySQL password, or the install will fail. This is NOT a security risk unless your Debian 10 root user account is compromised. And, in that case, it won’t matter anyway since the MySQL password could easily be changed. Type Y to remove anonymous users. Type Y to disallow remote root logins. Type Y to reload the MySQL privilege tables.
Next you’ll be prompted to set your timezone and TZ entries. For East Coast U.S., it’s 2,49,1,1 then America/New_York. Later you’ll be prompted twice for the MySQL root password. You must enter passw0rd (with a zero). When the OpenSIPS status screen displays, type Q to exit the display. There are a couple of steps where you will be prompted for input. Correct responses are indicated before the various prompts. Pay particular attention when you are prompted to change the SSH port from TCP 22 to a port number in the 1000-2020 range as a security precaution. We recommend using the year you were born because it will be easy for you to remember. When the install finishes and you log out of your server, the next SSH login will look like this where XXXX is the SSH port you chose and yyy.yyy.yyy.yyy is the OpenSIPS server address: ssh -p XXXX root@yyy.yyy.yyy.yyy
Although most of the configuration of your OpenSIPS server will be handled using a web browser and the OpenSIPS Control Panel GUI, we’ve included a few scripts in /root to assist with maintenance of your server platform. Here’s a brief summary of the script functions:
- pbxstatus – Status of your OpenSIPS server (image sample above)
- add-ip – Temporarily WhiteList IP address until next iptables-restart
- ban-ip – Permanently Ban an IP address
- unban-ip – Unban a previously banned IP address
- log-purge – Zero out all of the major Linux log files
- opensips-check – Assures OpenSIPS and RTPproxy are running (runs automatically)
- Fail2Ban BlackLists –
iptables -nL | grep -A100000 "opensips ("
- IPset BlackList (KVM/OVZ7 platforms only) –
ipset list | sort
We secure your server in several ways: (1) by disguising the SSH port, (2) by locking down almost every port on your server with the IPtables firewall with the exception of the SIP ports, (3) by deploying Fail2Ban to scan your OpenSIPS log for errors and lock out attackers for an extended period of time, and (4) by deploying the IPset blacklist for KVM platforms. With this design, there is a symbiotic relationship between IPtables, Fail2Ban, and IPset. Therefore, it is critically important that you only restart these services using the iptables-restart command. NEVER issue other IPtables commands to restart or save your firewall settings.
Activating a SIP Server with OpenSIPS Control Panel
We don’t want to overload you on the first day with your new OpenSIPS 3 platform so we’ll walk you through the preliminary setup steps to create your SIP Domain. Then we’ll show you how to set up user accounts (also known as extensions). Finally we’ll walk you through setting up a trunk to make and receive calls from a commercial SIP provider. When we’re finished today, you’ll be able to make and receive calls using SIP URIs or DIDs which you have purchased from a provider. Then next week we’ll focus on integration of OpenSIPS with an Asterisk platform of your choice using Incredible PBX as an example. Once we’re finished, you’ll be able to handle user account registrations exclusively on your OpenSIPS server while leaving your Asterisk platform completely hidden from public exposure.
Logging into the OpenSIPS Control Panel
As deployed, the OpenSIPS Control Panel is accessible via web browser. As noted previously, HTTP Port 80 access is blocked by default unless the IP address of your desktop PC has been whitelisted either as part of the initial install or using the add-ip script in /root. Once your desktop PC’s IP address is whitelisted, point your browser to http://xxx.xxx.xxx.xxx/cp
The default Username is admin, and the default password is opensips. Once you’re logged in, immediately click on the Users icon in the upper-right corner of the dashboard. Then click the Edit Info pencil icon for user Admin and change your password. Click Save when done.
Creating Domains with OpenSIPS Control Panel
In the Left column of the Dashboard, you’ll see two tabs: Users and System. Click on the System tab to expose the available choices. Then choose the Domains option.
Domains are the essential building blocks in OpenSIPS. You can manage one or a hundred domains on a single OpenSIPS server, and each domain can have its own set of Users, Trunks/Gateways, and Dialplan rules. We’re actually going to create two domains, one for the IP Address of your OpenSIPS server and a second one for the FQDN of your OpenSIPS server. For added security, we will create all User accounts under the FQDN Domain. And we’ll reserve the IP Address Domain for DID Trunks/Gateways from registered, commercial SIP providers. This design allows attackers to attempt to register to accounts on your IP Address Domain until the cows come home, and they will never be successful because there are no existing SIP user accounts there. Keep it that way! With our OpenSIPS design, Fail2Ban will block attackers after a single failed registration attempt. And OpenSIPS itself will identify and block all SIP flood attacks using either Fail2Ban or IPset.
Now that you understand the design, let’s set up your domains. After choosing System -> Domains, enter the IP Address of your OpenSIPS server at the SIP Domain prompt. Then click Add New Domain followed by Reload on Server. Repeat the same steps to enter the fully-qualified domain name (FQDN) of your OpenSIPS server. When finished, you should see:
Creating Users with OpenSIPS Control Panel
We’ve already explained the security implications and reason for creating User accounts with your FQDN Domain only. Click on Users -> User Management -> Add New to get started. You can use Numbers (what we call Extensions in Asterisk) or Names. Our preference is to use Numbers for the User accounts and then to create Alias Names (as desired) for each User account. You can’t dial names from most SIP telephones. This also keeps the design similar to what many are used to in the Asterisk environment. A completed dialog would look something like the following. Use the Domain pull-down to choose your FQDN. Obviously, the passwords must be secure and must match. Then the Register button will be enabled to save. The actual Numbers used for Usernames are completely up to you.
Create at least a couple User accounts so that you can set up two SIP phones to call yourself and verify that everything is working. These User accounts become an integral part of the SIP URI to receive calls from any SIP phone in the world:
7701@opensips.yourdomain.com
Before you can actually answer an incoming call to your SIP URI, you’ll need to register the User account using either a softphone or SIP phone. We’ll do that next. But, first, let’s create an Alias to 7701 User so that folks can reach you by calling joe@opensips.yourdomain.com
Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the example below. Make sure that you select your FQDN Domain using the pull-downs for BOTH the Domain and Alias Domain fields. Then click Add to save.
Registering a Softphone to an OpenSIPS User Account
There are literally dozens of free SIP soft phones from which to choose. We covered some of our favorites for every platform in previous articles. For our purposes today, we recommend you choose one of the Linphone softphones which are available for the PC, Mac, Linux, Android, and iOS platforms. We also recommend signing up for a free Linphone.org SIP account which doesn’t cost you anything. For today, we will be configuring the softphone to register to your new OpenSIPS server.
Once you have downloaded and installed the Linphone client, go into the Preferences menu and make the following changes. Some depend upon your calling platform.
- Audio Codecs: PCMU, G722, PCMA
- Video Codecs: VP8, H264
- Call Encryption: None
- DTMF: RFC2833 only
- Send InBand DTMF: OFF
- Send SIP INFO DTMF: OFF
- SIP UDP 5060: Enabled
- SIP TCP 5060: Enabled
- Allow IPv6: Disabled
Then set up a new SIP Proxy account: Username (7701), Password (as defined), Domain: your FQDN not IP address, Transport: UDP, Outbound Proxy: OFF, Stun Server: stun.linphone.org, ICE: ON, AVPF: OFF, Push Notification: ON, Country Code Prefix: 1 (if required by your commercial SIP provider), Register: YES, Account Enabled: YES. HINT: You can call Alias Names via SIP URI, but you can only register to a SIP account using its actual Username.
Avoiding Lockouts with NeoRouter VPN
By design, Fail2Ban is unforgiving when it comes to failed registrations. A single failed registration will get an IP address banned for a full week. The reason is because the new bad guy strategy is to hit your server once to determine whether anybody is home. Then the creep bombards you later with an endless stream of registration attempts. With our design, nobody will be home when they return. The bad news is a single failed registration attempt by you or your users will also trigger a ban. There are several workarounds. The easiest is to set up the NeoRouter client on each of your machines including your OpenSIPS server and use the 10.0.0.x private network for access. These IP addresses never get banned. Our previous tutorial will walk you through setting up a free NeoRouter server and installing the free NeoRouter clients on your machines. The client software already is installed and running on your OpenSIPS server. It only requires that you log in using nrclientcmd
and register to your NeoRouter server to obtain a private IP address. The other option is to install OpenVPN. Our previous tutorial will walk you through that process. The advantage of OpenVPN is that it’s supported directly on many SIP telephone instruments. The 10.8.0.x addresses are already whitelisted by our OpenSIPS installer.
There are other options to unban an IP address which has accidentally been snagged. First, almost all of the cloud providers include a Console option in their web portals. Second, you can log into your server via SSH from any non-blacklisted IP address to remove the banned IP address. Once you’re logged in, simply run this command using the IP address you wish to unban: /root/unban-ip xxx.xxx.xxx.xxx
Choosing Commercial SIP Providers
Recall that you cannot register to a SIP alias on your OpenSIPS server. We’ll take advantage of this restriction in setting up incoming calls from commercial providers’ DIDs. To set up Trunks from commercial providers so that you can not only receive incoming calls but also make outbound calls over their PSTN network connections, you must use providers that support IP address authentication rather than a SIP registration. Many providers support this including our platinum sponsor, Skyetel, as well as providers such as VoIP.ms, Anveo Direct, V1VoIP, and many others. In our OpenSIPS design, you also can use DIDs from providers that support SIP URI forwarding such as CallCentric and LocalPhone; however, you are limited to receiving inbound calls only. VoIP communications really shines here because you don’t have to choose a single provider to meet all of your communications requirements.
Skyetel is by far the easiest provider to set up with OpenSIPS. See our earlier tutorial for a special offer that will get you half-price calling for up to $500. Effective 10/1/2023, $25/month minimum spend required. Once you’re registered on the Skyetel site, add a new EndPoint Group using the IP address of your OpenSIP server and designate UDP 5060 as the access port. Sign up for a DID and map it to the OpenSIPS Endpoint Group. Done. In the OpenSIPS Control Panel, navigate to System -> Dynamic Routing and click Add Gateway. Using the template below, create 5 Proxy gateways for the following Skyetel data centers:
- skyetel-NW 52.41.52.34
- skyetel-SW 52.8.201.128
- skyetel-NE 52.60.138.31
- skyetel-SE 50.17.48.216
- skyetel-EU 35.156.192.164
Begin by whitelisting the IP addresses of your SIP providers in /etc/iptables/rules.v4 just below the existing 10.8.0.0/24 rule. The entries should look like this:
-I INPUT -s 52.41.52.34 -j ACCEPT
Once you’ve entered IP addresses for your providers, issue the command: iptables-restart
Next, we need to create what Asterisk users know as an Outbound Route. This tells OpenSIPS to send dialed numbers in 11-digit format to Skyetel for termination. We’ve already created the Dial Plan rule for calling out by dialing 1 plus a 10-digit number. So, while you’re still in the Dynamic Routing section of the OpenSIPS Control Panel, click on the Rules tab at the top of the template. Then click Add Rule. Begin by clicking Add ID button and choosing Group ID 0. In the Prefix field, type 1. Now click the Add GW button 3 times after choosing the Skyetel gateways in the following order from the GW pull-down list: skyetel-nw, skyetel-sw, and skyetel-se. Those are the three currently operational Skyetel gateways. When you’re finished, your template should look like the following. Then click the Add button to save the new rule. Click Reload Server to load the new rule into OpenSIPS. Then repeat this procedure leaving the Prefix field blank so that you can make 10-digit calls as well.
Finally, we need to create what Asterisk users know as an Inbound Route. This tells OpenSIPS where to send incoming calls from our Skyetel DID. OpenSIPS handles inbound routes by defining a User Alias for the Username to which you want to route the incoming DID calls. Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the following template and then click Add.
- Username: 7701 (the extension to which to route the incoming calls)
- Domain: opensips.xyz.com (the FQDN of your OpenSIPS server)
- Alias Username: 18435551212 (the 11-digit Skyetel DID)
- Alias Domain: 11.12.13.14 (the IP address of your OpenSIPS server)
- Alias Type: dbaliases
Introducing the VoIP Blacklist
We’ve always dreamed of an effective VoIP Blacklist, and many have tried. But the crowd-sourced VoIP Blacklist at voipbl.org is the real deal. Everybody can post entries (including the bad guys) and, magically, most of the illegitimate entries get sifted out before the next day’s list is released. The list gets populated every night while you sleep. Here are the steps to install the VoIP Blacklist with IPset:
apt update && apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent cd /usr/local/sbin wget http://incrediblepbx.com/voipbl-update chmod +x voipbl-update sed -i 's|fail2ban restart|fail2ban restart\n/usr/local/sbin/voipbl-update|' iptables-restart iptables-restart ipset list voipbl ipset list voipbl | wc -l
Then create a cron job in /etc/crontab to run /usr/local/sbin/voipbl-update every day to update the VoIP blacklist.
1 4 * * * root /usr/local/sbin/voipbl-update > /dev/null 2>&1
Congratulations! You now have a functioning OpenSIPS 3 server that can process incoming calls from SIP URIs as well as DIDs. And you can make SIP URI and 11-digit PSTN calls using your SIP softphone that’s registered to your OpenSIPS server. See you next week. Enjoy!
Continue Reading: Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS
Originally published: Monday, October 4, 2021
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
- Nerd Vittles receives referral fees from some VoIP service providers to help cover the costs of our blog. We never recommend particular companies solely to generate commissions. We also test all services that we recommend. [↩]