Home » Search results for 'sip uri' (Page 4)
Search Results for: sip uri
The Most Versatile VoIP Provider: FREE PORTING
JUST RELEASED: Visit the Incredible PBX WikiRTPbleed Security Alert: Asterisk Calls Can Be Intercepted
If you’ve installed Asterisk® during the past 4½ years, your server has a MAJOR security problem. If you didn’t already know, with Asterisk, your VoIP conversations actually are carried over a random UDP port using the Real Time Protocol (RTP), not the SIP port (UDP 5060) which handles the setup and teardown of your VoIP connections. It turns out that, since March 2013, all of that RTP traffic and thus your conversations could be intercepted and redirected by anyone on the Internet. As this recent article in The Register noted:
The problem occurs when [communications] systems like IP telephony have to get past network address translation (NAT) firewalls. The traffic has to find its way from the firewall’s public IP address to the internal address of the device or server, and to do that, RTP learns the IP and port addresses to associate with a call.
The problem is, the process doesn’t use any kind of authentication.
This is exacerbated by the fact that, by default, Asterisk and FreePBX® traditionally use the NAT=yes setting (whether needed or not) to enable this navigational magic just in case your calls need it. Without it, you may end up with no audio or one-way audio on your calls. Traditional wisdom was that an attacker needed to be positioned between the caller and the Asterisk server in order to intercept this media stream. As luck would have it, it turns out the man in the middle didn’t need to be in the middle after all. He could be anywhere on the Internet. The old adage to talk on the phone as if someone else were listening turns out to have been pretty good advice in the case of Asterisk communications. Even if you had a firewall, chances are you protected UDP port 5060 while exposing and forwarding UDP 10000-20000 to Asterisk without any safeguards.
According to last week’s Asterisk advisory, “To exploit this issue, an attacker needs to send RTP packets to the Asterisk server on one of the ports allocated to receive RTP. When the target is vulnerable, the RTP proxy responds back to the attacker with RTP packets relayed from the other party. The payload of the RTP packets can then be decoded into audio.” Specifically, if UDP ports 10000-20000 are publicly exposed to the Internet, anybody and everybody can intercept your communications without credentials of any kind. WOW!
So, there’s a patch to fix this, right? Well, not exactly:
Note that as for the time of writing, the official Asterisk fix is vulnerable to a race condition. An attacker may continuously spray an Asterisk server with RTP packets. This allows the attacker to send RTP within those first few packets and still exploit this vulnerability.
The other recommended "solutions" aren’t much better:
- When possible the nat=yes option should be avoided
- To protect against RTP injection, encrypt media streams with SRTP
- Add config option for SIP peers to prioritize RTP packets
The nat=no option doesn’t work if you or your provider employs NAT-based routers. The SRTP option only works on more recent releases of Asterisk, and it also requires SRTP support on every SIP phone. Prioritizing RTP packets is not a task for mere mortals.
Surprisingly, the one solution that is not even mentioned is hardening your firewall to block incoming UDP 10000-20000 traffic that originates outside your server. Our recognized SIP expert on the PIAF Forum had the simple solution. Bill Simon observed:
If the SDP in the INVITE or subsequent re-INVITE contains routable IP addresses, then use them for media. If the SDP contains non-routable IP addresses, then the client is behind a NAT and not using any NAT traversal techniques like SIP ALG, ICE/STUN, so send to the originating IP. Why are we making allowances here for media to come from anywhere? I think you can probably clamp down your firewall as much as you want, because symmetric RTP should allow media to get through by way of establishing an outbound stream (inbound stream comes back on the same path).
Our testing confirms that simply blocking incoming RTP traffic on your firewall solves the problem without any Asterisk patch. In short, RTP traffic cannot originate from anonymous sources on the Internet.
For those using Incredible PBX® or Travelin’ Man 3 or an IPtables firewall, the fix is easy. Simply remove or comment out the INPUT rule that looks like this and restart IPtables:
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
On RedHat/CentOS servers, the rule is in /etc/sysconfig/iptables. On Debian/Ubuntu and Raspbian servers, you’ll find the rule in /etc/iptables/rules.v4. On Incredible PBX for Issabel servers, you’ll find the rule in /usr/local/sbin/iptables-custom. On all Incredible PBX platforms, remember to restart IPtables using only this command: iptables-restart.
Published: Friday, September 8, 2017
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
Introducing a New WhiteList Security Model for Wazo
Today we’re pleased to introduce a new state-of-the-art Travelin’ Man 3 firewall implementation for 2017. Five years ago, we developed a new security model for Asterisk® servers that whitelisted those needing access while blocking everyone else. The design was simple. You can’t attack what you can’t see. Three years ago, we made Travelin’ Man 3 more flexible for remote users with the addition of PortKnocker, a terrific tool providing temporary remote server access using a random three-number code. Today’s release further streamlines the firewall management process. Trusted users can permanently whitelist new IP addresses from anywhere using any PC or smartphone.
Travelin’ Man 3 Overview
If you’re new to Travelin’ Man 3 and the Linux IPtables firewall, here’s a quick overview. IPtables is a software-based firewall that is integrated into the Linux kernel. It consists of rules that define which IP packets hitting your server are allowed through the gate. The whitelist methodology behind Travelin’ Man 3 works like this. We predefine a list of trusted VoIP providers that get SIP and IAX access to your server so that you can easily set up trunks for incoming and outgoing calls. Then, as part of the Incredible PBX installation procedure, we whitelist all non-routable IP addresses as well as the public IP addresses of your server and the PC from which you installed Incredible PBX. Nobody else can even see your server on the Internet.
New Travelin’ Man 3 Design
With today’s new Travelin’ Man 3 design, you can whitelist additional IP addresses in several ways. First, as the administrator, you can log into your server as root and whitelist any IP address using the add-ip script in the /root folder. If a fully-qualified domain name (FQDN) is associated with the IP address to be whitelisted, the administrator can use the add-fqdn script to add the FQDN. If the FQDN points to a dynamic IP address that is refreshed using a dynamic IP update service, then Travelin’ Man 3 will refresh the firewall at 10-minute intervals to assure that remote users always have access to the server. This differs from previous releases of Travelin’ Man 3 that required a manual entry in /root/ipchecker to enable automatic refreshes.
A third method for permanently adding whitelist entries to your firewall is now provided using PortKnocker which is an integral component of Incredible PBX. By providing your PortKnocker credentials (/root/knock.FAQ) to any user, that user can easily gain one-click permanent access to the server using either the NMAP utility from a remote computer or the iOS PortKnock or Android DroidKnocker apps available for smartphones. As in previous releases of Travelin’ Man 3, an administrator can remove whitelist entries using del-acct utility in the /root folder. All admin and user-generated whitelist entries are stored in /root with a file extension of .iptables. Those generated using PortKnocker are automatically assigned a filename consisting of the timestamp associated with the time at which the whitelist entry was created. IMPORTANT: To authorize PortKnocker to permanently add IP addresses to your firewall, there is an activation step. Log into your server as root and issue the following command: iptables-knock activate
As part of the new implementation of Travelin’ Man 3 for the Incredible PBX for Wazo platform (only!), we’ve also reworked the firewall design a bit. There were several serious limitations in the original IPtables implementation of TM3. First, while IPtables allowed FQDN entries in its main configuration file, if one or more of those domains was off-line when IPtables was started or restarted, the entire firewall came crashing down leaving your server unprotected. In prior implementations, we avoided catastrophe by always using our iptables-restart utility to start and restart IPtables. This utility automatically tested for firewall failures and removed FQDN entries that caused the problems. A second limitation in the original Travelin’ Man 3 design involved an administrator who inadvertently used the iptables save command to modify an existing IPtables setup. Whenever this command is executed, IPtables immediately rewrites all FQDN entries in its configuration by converting them to IP addresses thereby eliminating the ability of the firewall to account for dynamic IP address changes occurring thereafter. Perhaps the most dangerous limitation occurred where your server’s network connection was not yet active when IPtables was started. If your configuration included FQDN entries, this would always cause IPtables startup to fail since FQDNs are all tested for availability as part of the initialization process. With Incredible PBX implementations, we have designed some safeguards into the network startup process to minimize this risk, but it would still be a problem if an administrator happened to notice that a network cable was unplugged and chose to plug it in after the server had already booted. Yes, the network would come on line. No, the IPtables firewall would not if there were FQDN entries in the config causing an IPtables startup failure.
Here’s a quick summary of the new IPtables design. First, there are never FQDN entries in the main IPtables config file, /etc/iptables/rules.v4. Instead, all custom whitelist entries now are generated in /usr/local/sbin/iptables-custom. The startup and restart procedure with iptables-restart now works like this. First, IPtables is started with the rules.v4 rules. Next, Fail2Ban is restarted as a second layer of protection for your server. Finally, the custom rules including all of your whitelisted IP addresses and FQDNs are started by running iptables-custom. If individual custom rules fail, they simply fail. They won’t bring down the firewall or Fail2Ban. Custom rules in iptables-custom look like this:
/sbin/iptables -A INPUT -s yourFQDN.dyndns.org -j ACCEPT
It should be noted that, if an administrator, inadvertently restarts the firewall without using the iptables-restart script, the consequences will be that the custom whitelist rules will not be loaded and Fail2Ban may not function properly. This shouldn’t be a problem because those with whitelisted remote phones will soon be calling with complaints that their phones are off-line. 🙂
As with all servers, your Incredible PBX server is only secure as long as you have no rotten apples in the employee pool. So, yes, there may come a time when it becomes necessary to modify your 3-number PortKnocker credentials to block an employee who has been terminated. The three steps to do this would be the following. First, edit /etc/knockd.conf and change the 3 port addresses in the sequence entry. Second, restart PortKnocker on your server: /etc/init.d/knockd restart. Third, modify /root/knock.FAQ to reflect your newly assigned ports and redistribute the file to remote employees.
Ready to get started? Hop over to the latest Incredible PBX for Wazo tutorial and fire up a new server. If you have an existing XiVO or Wazo server and you’d like to implement the new Travelin’ Man 3 design, here’s a tutorial to get you started. Enjoy!
Published: Monday, February 20, 2017
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
XiVO Nirvana: Cloud Hosting with SIP Service for 15¢ a Day
Unlike in the Ma Bell era, the real beauty of VoIP technology is being able to experiment with different providers and never having to put all your eggs in one basket. And today we’re pleased to introduce a new XiVO hosting and trunk combination that provides first-class service at truly incredible price points. For the XiVO cloud provider, we’ve chosen OVH, a cloud platform that was recommended to us by our friends at 3CX. It also works great with the new PIAF5 platform for those exploring a (free) commercial alternative.
$3.49 a month at OVH (No, that is not a typo!) gets you an OpenStack KVM with 2GB RAM, 10GB of SSD storage, and RAID10 redundancy plus a 99.95% uptime SLA. And you have your choice of worldwide data centers with many more on the way. For those in the United States, the closest location for the time being is Québec which also happens to be the hometown of the XiVO developers. Ping times on both U.S. coasts are well under 100 milliseconds so you won’t have to worry about voice quality and latency.
For our XiVO SIP provider today, we’ll walk you through setting up inbound and outbound calling with Anveo Direct, one of the least expensive SIP providers in the world. In addition to great pricing, Anveo also provides SIP URI failover for your Anveo trunks. Just follow our previous tutorial to set up a SIP URI address for your XiVO server. Or you could use the SIP URI of your RingPlus mobile phone if you followed our previous tutorial. Anveo also happens to give you total control over call routing with their highly configurable LCR technology. Pay-by-the-minute incoming SIP calls in the U.S. are a penny per minute. Outgoing U.S. calls typically range from one-tenth to three-tenths of a cent per minute depending upon the destination.
Installing Incredible PBX for XiVO at OVH
To get started with OVH, order the VPS SSD 1 package and choose Debian 8 as your operating system. Once your credentials arrive, log into your server as root using SSH/Putty and immediately change your root password: passwd.
While still logged into your server as root using SSH/Putty, issue the following commands to kick off the base install:
cd /root wget http://incrediblepbx.com/IncrediblePBX13-XiVO.sh chmod +x IncrediblePBX13-XiVO.sh ./IncrediblePBX13-XiVO.sh
After rebooting (it takes about 2 minutes on the OVH platform), log into your server again as root and issue the following command to complete the XiVO and Incredible PBX installation and configuration:
./IncrediblePBX13-XiVO.sh
You now can proceed to Incredible PBX Initial Configuration tutorial to continue your setup. Much of this initial configuration already has been put in place using our XiVO Snapshot technology. Just review the settings and make sure they meet your requirements. Then you’ll be ready to set up your Anveo Direct trunk and routes to handle your SIP calls.
Getting Started with Anveo Direct
We previously have documented how to set up Anveo Direct for Outbound Calling from your XiVO PBX so we won’t repeat it here. Today we’ll show you how to obtain and configure an Anveo Direct DID to enable Inbound Calling to your XiVO PBX. We’re going to walk you through the procedure to install a U.S. DID, but Anveo Direct offers worldwide DIDs. And we’ll show you how to modify the default XiVO setup to support international DIDs should you wish to use them.
After you’ve set up Outbound Calling with Anveo Direct as previously documented, log back into the Anveo Direct portal with your credentials.
Under the Inbound Service tab, choose Order Anveo Direct DID and click Geographic. Then select the United States, your desired State, and your desired City to obtain a DID. Select one or more DIDs as desired and then click ORDER PHONE NUMBERS SELECTED. Choose either the pay-by-the-minute or all-you-can-eat option for your DID depending upon your needs and complete your purchase. There’s a 3-month minimum charge for all DIDs.
Once you complete your DID purchase, choose the Inbound Service tab again and choose Configure Destination SIP Trunks. ADD A NEW SIP TRUNK following the example below and specifying the IP address of your XiVO PBX. Include a Failover SIP URI if you’ve set one up. Don’t confuse the SIP URI entry with the Failover entry. The first is mandatory while the second is not. The SIP URI entry tells Anveo how to send out the SIP calls to your XiVO PBX. It should look like this using your own server’s IP address or FQDN: $[E164]$@1.2.3.4 or $[E164]$@ovh.yourdomain.com. Click SAVE when finished.
Next, choose the Inbound Service tab again and choose Configure AnveoDIDs. Every DID you purchased should already have an entry here. Click the EDIT button to open the options window. Then click the Call Options tab. From the pull-down, choose the Destination SIP Trunk entry that you created in the previous step:
Finally, under the CallerID tab, choose {E164} (no prefix). Then click SAVE. That completes the DID setup process on the Anveo Direct side. Now you simply have to configure XiVO to accept the incoming calls from your Anveo DID.
Configuring Anveo DIDs on Your XiVO PBX
Unlike most SIP providers, Anveo Direct does not require (nor permit) registration of your Anveo trunks. Calls to Anveo DIDs will simply be routed to your XiVO PBX based upon the SIP URI you specified above. If your Incredible PBX for XiVO server was built on or after November 9, 2016, then the Anveo trunk and dialplan are already in place. All you’ll need to do on the XiVO side is to add an Incoming Call route for each DID telling XiVO where to send the calls. If you have an existing Incredible PBX for XiVO server, there’s a little more work to do, and we’ve documented the steps to support Anveo DIDs on the PIAF Forum.
For U.S. DIDs, the DID format is 11 digits beginning with a 1. The example below would route incoming calls from the Anveo DID to the Demo IVR. You could just as easily have specified an extension or ring group to take the calls.
Published: Wednesday, November 9, 2016
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
Security 101: A Fresh Look at Incredible PBX Security Audit Methodology
Incredible PBX remains one of the most secure VoIP server platforms on the planet for one simple reason. We always deploy a preconfigured Linux IPtables firewall with a whitelist that hides your server from everyone except you and trusted VoIP providers. IPtables is automatically configured and deployed as part of every initial install of Incredible PBX regardless of your platform. This includes XiVO with Debian 8 as well as CentOS 6 and 7, Ubuntu 14.04, Raspbian 7 and 8, and even SHMZ OS (not recommended). If your server happens to be housed behind a hardware-based firewall as well, then so much the better. That obviously isn’t possible with most Cloud-based servers so IPtables firewall security is a must.
Unlike most other VoIP server platforms, we don’t leave firewall configuration to chance. Nor do we assume you’re a firewall expert. It really doesn’t matter whether you are or not, you still need a server platform that is secure and protected. So we do it for you initially and, if you are a firewall expert or study to become one, you then can modify the default settings to meet your own requirements down the road. In the meantime, you and your server are protected.
As you probably have surmised, we conduct periodic security audits of our servers testing for vulnerabilities. And we perform these audits locally as well as remotely using servers we’ve deployed throughout the world. We also deploy honeypot servers from time to time in order to gather important information about what the bad guys are up to. With as many platforms as Incredible PBX now supports, just conducting local and remote security audits is no small feat.
Today we want to share some of the methodology we use in conducting our audits, and we’ll provide the results of our most recent remote security audit. We encourage everyone with a VoIP server, whether it’s Incredible PBX or some other platform, to periodically test your server(s) for vulnerabilities AND access. It not only could save you thousands of dollars, but it also protects the rest of us by assuring that you haven’t inadvertently provided malicious individuals with a zombie platform from which to launch denial of service and spam attacks against the Internet community. So let’s get started.
The first step in testing your server is to log into your server as root using SSH or Putty from multiple IP addresses. These sites should include logins from the home base of your server if it’s a dedicated machine, from your home PC, from a neighbor’s PC, from a public WiFi hotspot, and from your smartphone as well as someone else’s. If you gain access from all of these sites, you’ve got a problem. It means SSH access is not protected in any way on your server. While SSH is relatively secure, it has had its share of problems. And zero day vulnerabilities are regularly discovered in various Linux utilities so exposing all of your server’s important resources to the Internet is a very bad idea.
The second test deciphers the existing firewall rules that have been activated on your server: iptables -nL. If the results look like the following, you’ve got a major problem. It means there are no firewall rules blocking any access to your server:
root@incrediblepbx:~ $ iptables -nL Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
Next, reboot your server and repeat the first two tests to make certain that your firewall still is activated properly whenever your server experiences a power outage and comes back on line.
If your firewall is not running, try issuing the command, iptables-restart, and then retest: iptables -nL. If you get the same results shown above, then something has come unglued. Here’s how to easily fix things up. First, move to the directory where the iptables rules are stored on your server. For CentOS/SL/RHEL, it’s /etc/sysconfig. For Debian/Ubuntu/Raspbian, it’s /etc/iptables.
Next, copy the default Incredible PBX firewall settings to the proper file location.
For CentOS/SL/RHEL platforms:
cp -p /etc/sysconfig/rules.v4.ubuntu14 /etc/sysconfig/iptables cp -p /etc/sysconfig/rules.v6.ubuntu14 /etc/sysconfig/ip6tables
For Debian/Ubuntu/Raspbian platforms:
cp -p /etc/iptables/rules.v4.ubuntu14 /etc/iptables/rules.v4 cp -p /etc/iptables/rules.v6.ubuntu14 /etc/iptables/rules.v6
Next, edit iptables (CentOS/SL/RHEL) or rules.v4 (Debian/Ubuntu/Raspbian) and move to the bottom of the file where you’ll find a section that looks like this:
# The IP addresses are your server, user, and public addresses respectively -A INPUT -s 8.8.4.4 -j ACCEPT -A INPUT -s 8.8.8.8 -j ACCEPT -A INPUT -s 74.86.213.25 -j ACCEPT
Replace the existing IP addresses with the actual IP addresses of your server, user workstation, and public IP address. Be very careful here. If you don’t whitelist the IP address of the machine on which you are performing these tasks, you will lock yourself out when you restart your firewall. Once you’ve made the changes, save the file.
Finally, restart IPtables using the following command: iptables-restart. Then retest: iptables -nL.
We’re not going to spend a lot of time addressing what the proper firewall rules for your VoIP server should be. If you’re interested, you can take a look at the IPtables firewall setup that is deployed with Incredible PBX. On RHEL/CentOS/SL servers, you’ll find the firewall rules in /etc/sysconfig/iptables. On Debian/Ubuntu/Raspbian servers, the rules are in /etc/iptables/rules.v4. Suffice it to say that, if the only remote access required with your server is to connect to VoIP service providers, there is no reason to expose your web server or your SIP ports to the Internet, period. And this is true whether your server is sitting behind a hardware-based firewall or not.
The Incredible PBX security design uses a whitelist to provide access to most network services other than those that are absolutely essential to the operation of your server. The reason we use a whitelist is because blacklists don’t work. Those interested in doing harm to your server are perfectly capable of altering their IP addresses until they find one that isn’t blacklisted. And they also are adept at poisoning blacklists with IP addresses that are absolutely essential to the operation of your server, e.g. DNS servers and NTP servers.
As part of every Incredible PBX firewall install, we provide SIP and IAX access to many of the major VoIP providers around the globe. You may be wondering why we use IP addresses for providers rather than fully-qualified domain names. The reason is that IPtables doesn’t directly support FQDNs. Instead, when IPtables starts up, it looks up every FQDN and converts it into an IP address. If a server matching the FQDN happens to be off line, IPtables crashes and burns. The same is true if the lookup is attempted before DNS services are running on your server. So, the short answer to why we use IP addresses is because it is safer. The downside, of course, is you can’t eyeball the IP address and decipher to whom it belongs. If you ever have any doubt about the identity of the provider associated with any specific IP address, there’s a simple utility you can run to identify its owner: nslookup 178.63.143.236.
Here is a list of the providers included in the default Incredible PBX whitelist. Others can be added using the add-ip and add-fqdn utilities in /root. If you use FQDNs, be sure to add the entries to /root/ipchecker so that your IP addresses are periodically checked and updated when necessary. This is especially important for dynamic IP addresses at remote locations.
outbound1.vitelity.net inbound1.vitelity.net atlanta.voip.ms chicago.voip.ms dallas.voip.ms houston.voip.ms losangeles.voip.ms newyork.voip.ms seattle.voip.ms tampa.voip.ms montreal.voip.ms montreal2.voip.ms toronto.voip.ms toronto2.voip.ms london.voip.ms didforsale.com callcentric.com sipgate.com chi-in.voipstreet.com did.voip.les.net magnum.axvoice.com proxy.sipthor.net sip.voipwelcome.com incoming.future-nine.com outgoing.future-nine.com DEN.teliax.net LAX.teliax.net NYC.teliax.net ATL.teliax.net IPkall (defunct) used two IP addresses: 66.54.140.46 and 66.54.140.47 gvgw1.simonics.com sip2sip.info googlelabs.com talk.google.com gmail.com
The major drawbacks to firewall whitelists are (1) you can inadvertently lock yourself out of your own server and (2) someone that needs access to your server from remote locations may have more difficulty connecting without intervention by a network administrator to authorize remote access. With Incredible PBX, we’ve provided some tools to ease the pain. First, Incredible PBX is deployed with both the PPTP and NeoRouter VPN platforms already in place. With a VPN IP address, remote logins are minimized because they work from almost anywhere. Second, Incredible PBX includes the PortKnocker utility which lets a remote user "knock" on the server using three randomly assigned port numbers to gain temporary access. Many Incredible PBX platforms also support Travelin’ Man 4 which lets you authorize remote access by telephone. You also need to test remote VPN, PortKnocker, and Travelin’ Man 4 access as part of your security audits.
Testing for vulnerabilities is only half of the puzzle. Also make certain that your server has the proper Linux tools in place to allow you to whitelist additional IP addresses so that remote users can deploy phones or gain access to your server when necessary. Try to run the nslookup and dig utilities to verify that they are installed on your server. If not, install them with yum install bind-utils (CentOS/SL/RHEL) or apt-get install dnsutils (Debian/Ubuntu/Raspbian).
Security Audit Results. We’re pleased to report that no vulnerabilities were identified in any of the Incredible PBX platforms; however, good security practices dictate that the IPkall IP addresses should probably be removed from the whitelist now that the company has ceased providing VoIP services.
For CentOS/SL/RHEL platforms:
sed -i '/66.54.140.46/d' /etc/sysconfig/iptables sed -i '/66.54.140.47/d' /etc/sysconfig/iptables sed -i '/66.54.140.46/d' /etc/sysconfig/rules.v4.ubuntu14 sed -i '/66.54.140.47/d' /etc/sysconfig/rules.v4.ubuntu14 iptables-restart
For Debian/Ubuntu/Raspbian platforms:
sed -i '/66.54.140.46/d' /etc/iptables/rules.v4 sed -i '/66.54.140.47/d' /etc/iptables/rules.v4 sed -i '/66.54.140.46/d' /etc/iptables/rules.v4.ubuntu14 sed -i '/66.54.140.47/d' /etc/iptables/rules.v4.ubuntu14 iptables-restart
We did identify a couple of access anomalies that kept the add-ip and add-fqdn utilities in /root from functioning properly. These glitches meant that a few administrators could not easily add remote IP addresses to their whitelists. Three fixes are recommended. First, be sure the utilities documented in the previous paragraph are installed on your server. Second, on CentOS/SL/RHEL platforms or servers installed using the Incredible PBX ISO, issue the following commands after logging into your server as root:
sed -i 's|/etc/iptables/rules.v4|/etc/sysconfig/iptables|' /root/add-ip sed -i 's|/etc/iptables/rules.v4|/etc/sysconfig/iptables|' /root/add-fqdn
Third, for Incredible PBX deployments on the CentOS 7 platform, issue these commands while logged in as root:
chattr -i /root/add-ip sed -i 's|iptables-persistent|iptables|' /root/add-ip chattr +i /root/add-ip
Be safe!
Originally published: Tuesday, August 9, 2016
Go For the Gold: Incredible PBX for XiVO, CentOS, Ubuntu, or Raspbian. https://t.co/zZDnO8OUVt #asterisk #NoGotchas pic.twitter.com/wv3KkuMJha
— Ward Mundy (@NerdUno) August 8, 2016
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
Wazo Trunks Tutorial: Installing a Skype Connect SIP Trunk
Skype has been a free calling favorite for many of us for a very long time. Don’t confuse that history with Microsoft’s Skype Connect SIP trunks. These are pure SIP trunks that happen to be hosted by Microsoft under the Skype name. They’re not only not free. They’re expensive. Here’s a quick overview from Microsoft:
Skype Connect provides connectivity between your business and the Skype community. By adding Skype Connect to your existing SIP-enabled PBX, your business can save on communication costs with little or no additional upgrades required.
With Skype Connect, your business can make great value Skype calls and receive calls from your customers using your desk phones. Customers can also contact your business for free by using Skype from a browser with Skype buttons, by calling [not for free] the Skype business accounts associated with your SIP-enabled PBX, or [by placing PSTN calls to Skype Numbers you may have purchased].
Before you can make or receive calls from Skype Connect on your Wazo PBX, you’ll need to set things up on both the Skype side and the Wazo side. Here’s how.
Setting Up a Skype Connect Trunk with Microsoft
To get started, sign up for a Skype Manager account if you don’t already have one. It’s easy and it’s the only thing that’s free. Once you’re signed up and logged in, you’re going to need cash in your Skype credit account to get things going. $30 will get you started but finish reading before you invest.
First, click Features in the toolbar, choose Skype Connect and click Set up a SIP Profile. Give the profile a name "XiVO" and click Next. Next, choose the number of Channels you need at $6.95 per month. A channel gets you one simultaneous call in or out of Skype. Two channels gets you one call in and one call out simultaneously for $13.90 per month. You can take it from there but, sorry, you can only buy 300 channels at this time. You can also add the U.S. Minute Bundles if you make lots of calls in the United States.
Don’t buy your channels just yet. For now, cancel out of the dialog by clicking Back. Microsoft will set up your profile anyway:
The money deposited into your Skype Manager account will be needed to fund Skype Connect in three separate ways: (1) monthly payments for Channels at $6.95 each,1 (2) monthly payments for Phone Numbers associated with those Channels at $6.30 each, and (3) allocation of funds in advance to pay for outbound calls from each profile you create. You’ll need at least one phone number (a.k.a. DID) to receive any inbound calls from POTS phones to the Skype Connect SIP account on your Wazo server. You’ll also need at least one phone number before you can assign a CallerID to your outbound calls.2 Otherwise, they go out as Anonymous calls. Outgoing and incoming calls using traditional Skype Names are not supported!
Once you get your finances in order, it’s time to set up your SIP credentials for your new profile. Click on Authentication Details to display the dialog. Leave the Registration tab highlighted, and click on Generate a New Password, and a new SIP password will be sent to the email address you used to register when you set up your Skype Manager account.
Write down your credentials including the SIP password that was emailed to you by Microsoft. You’ll need them to configure your Skype Connect trunk on your Wazo server.
Configuring a Skype Connect SIP Trunk with Wazo
If you’ve already set up Incredible PBX for Wazo, then you can skip this first step which you should have already performed. In Services:IPBX:General settings:SIP Protocol under the General tab, make sure Match users with ‘username’ field is checked and SAVE your settings.
Next, create a new SIP trunk by click + Add after choosing Services:IPBX:Trunk Management:SIP Protocol. Make the settings under each of the tabs look like the following using your Skype Connect credentials. Then Save your settings.
Configuring an Outbound Route for Skype Connect with Wazo
Create an outgoing route for your Skype Connect trunk by clicking + Add after choosing Services:IPBX:Call Management:Outgoing Calls. Make the settings under the first two tabs look like the following. If you wish to use a dialing prefix for Skype calls other than 759 (S-K-Y), change the dial string accordingly. Save your new outgoing route.
Configuring an Incoming Route for a Skype Connect DID with Wazo
Create an incoming route for each of your Skype Connect DIDs by clicking + Add after choosing Services:IPBX:Call Management:Incoming Calls. Make the settings under the first tab look like the following. Enter the Skype Connect DID assigned to your account. Choose the destination for incoming calls to this DID based upon your specific requirements. Click Save when you complete the setup.
- Only in the Land of Micro$oft is a month equal to 27 days. If you multiply that by 12, you’ll see how an extra month of fees can be generated annually out of simple math "errors." [↩]
- According to this article, phone numbers registered to your company can also be used as a CallerID number. [↩]
Wazo Trunks Tutorial: Installing a RingPlus SIP Trunk
RingPlus brings a unique SIP trunking opportunity to Wazo. You not only get free SIP calls within the United States, but you also get a Sprint cellular account with free U.S. calls, free SMS messaging, and free bandwidth. The amount of each depends upon the plan you signed up for. Most of the plans have no monthly charges and only a nominal up-front charge. SIP calls are treated just like cellular calls except they use Sprint’s Internet backbone rather than the cellular network. Partial minutes are rounded up to the next full minute.
Setting Up Service at RingPlus and Obtaining SIP Credentials
1. There are a number of ways to acquire RingPlus cellular service. They announce new deals every week so just check every few days until you find a plan that meets your needs. You won’t have to wait long. Here’s a list of all the previously announced PROMOS to give you a good handle on the scope of the RingPlus offerings. Deals don’t last but a couple hours or days so check often or sign up for RingPlus Alerts on SlickDeals and you’ll be the first to know!
2. Once a deal comes along, you’ll need a phone. Fully paid for, prepaid Sprint phones with no existing contract are the best choice. They’re readily available at Best Buy and Apple retail stores. There’s also a RingPlus Store. Some of the deals include an offer of a "loaner" phone at modest cost. These go fast so you’ll have to hurry. You can keep them as long as you like. A final option is the new Classifieds market on RingPlus where existing users sell their phone AND its plan. Just find one that meets your needs and avoid the hassle. There is a generous return policy if you’re not satisfied.
3. Once you have your mobile phone in hand and working, visit your Web Portal and click on your phone to display your Account information. Then click Online Apps:WiFi FluidCall. The Settings page will display your SIP credentials including the SIP gateway at RingPlus. That’s all the information needed to configure your RingPlus SIP account with Wazo.
4. What’s the catch? You have to make at least one outbound call every 60 days, and you get to listen to music and an occasional ad while outgoing calls are being connected. As soon as the called party answers, your call is connected and the music and/or ad stop playing.
Setting Up a RingPlus SIP Trunk on Wazo
SIP trunks are different than traditional Ma Bell phone lines. With SIP trunks, you need not use the same provider to process incoming and outgoing calls. With some SIP providers including RingPlus, incoming and outgoing calls are managed on the same server. To place or receive calls on your RingPlus number, all you need is your FluidCall credentials from above. Incoming calls simultaneously ring on BOTH your cellphone and Wazo. You just need to register your RingPlus account. To receive incoming SIP calls, callers can use your assigned SIP URI: 10-digit-phone-number@sip.ringplus.net.
In the Wazo GUI, create a new RingPlus SIP Trunk by choosing IPBX:Trunk Management:SIP Protocol. Click on + Add to open a new template.
In the General tab, fill in the blanks using your RingPlus FluidCall credentials including the gateway to which to register your RingPlus trunk:
In the Register tab, fill in the blanks exactly as shown below using your RingPlus phone number and SIP password:
In the Signalling tab, set Monitoring to YES.
In the Advanced tab, set Insecure to ALL.
Click SAVE when you’ve finished.
Wazo will not actually process incoming and outgoing calls through this RingPlus trunk until you configure an outgoing route in IPBX:Call Management:Outgoing Calls and an incoming route using IPBX:Call Management:Outgoing Calls. Outgoing and Incoming call routing are covered in separate tutorials.
Wazo Trunks Tutorial: Installing a VoIP.ms SIP Trunk
Setting Up a SIP Trunk at VoIP.ms
VoIP.ms has one of the best customer portals in the business. Spend some time getting familiar with it!
1. Sign up for a VoIP.ms account.
2. Login to your VoIP.ms account. You can order a DID here.1
3. Create a new Subaccount to use with Wazo. Usernames begin with your account number, an underscore character, and up to 12 alphanumeric characters of your choosing. Be sure to specify User/Password Authentication with Asterisk as the Device Type. The remaining defaults are fine. Here is a sample to follow:
4. If you add an Internal Extension Number to your subaccount during setup, then Wazo can receive SIP URI calls through VoIP.ms without exposing your Wazo server directly to the Internet. For example, if your VoIP.ms main account number was 199555, and you assigned the 701 extension number to your subaccount, and you registered your trunk to atlanta.voip.ms, then any device with SIP capabilities worldwide could call you at the following SIP URI at little or no cost: sip://199555701@atlanta.voip.ms.
5. If you purchased a DID from VoIP.ms, choose Manage DIDs to configure it for use with Wazo. Find your DID in the listing of your DIDs and click Edit DID icon. For Routing, choose SIP/IAX and assign your subaccount to the DID. For DID Point of Presence (POP), choose a server that’s close to your server.
6. If you want to enable Call Failover, first set up your alternate numbers or mobile numbers in DID Numbers:Call Forwarding. Then you can click Show Failover Options above and route unreachable calls to an alternate phone number, SIP URI, or another registered DID.
7. If your DID supports SMS messaging, you also can specify a forwarding email address and/or SMS number to receive SMS messages sent to this DID. You’d be amazed how many SMS messages we receive that are addressed to our home phone number which happens to be a VoIP.ms DID supporting SMS messaging.
Setting Up a VoIP.ms SIP Trunk on Wazo
SIP trunks are different than traditional Ma Bell phone lines. With SIP trunks, you need not use the same provider to process incoming and outgoing calls. With some SIP providers including VoIP.ms, incoming and outgoing calls are managed on the same server. To place outgoing calls with VoIP.ms, all you need is a subaccount with credentials. You do NOT need a DID. To receive calls from Plain Old Telephones, you will need a VoIP.ms DID. To receive SIP calls, you will need to create an Internal Extension Number as documented in Step #4 above.
In the Wazo GUI, create a new VOIP.ms SIP Trunk by choosing IPBX:Trunk Management:SIP Protocol. Click on + Add to open a new template.
In the General tab, fill in the blanks using your VoIP.ms subaccount credentials including the DID POP to which you wish to register your VoIP.ms trunk:
In the Register tab, check the Register option and fill in the blanks using your subaccount credentials from VoIP.ms as well as the VoIP.ms POP server:
In the Signalling tab, set DTMF, Monitoring, and specify your preferred Codec:
In the Advanced tab, set Insecure to ALL, Port = 5060, and From field-User to your subaccount name:
Click SAVE when you’ve finished.
Wazo will not actually process incoming and outgoing calls through this VoIP.ms trunk until you configure an outgoing route in IPBX:Call Management:Outgoing Calls and an incoming route using IPBX:Call Management:Outgoing Calls if you have a DID. Outgoing and Incoming call routing are covered in separate tutorials.
- If your DID is strictly for residential use, you may be able to take advantage of Martin’s offer of a $2 unlimited monthly flat rate price match with Anveo that was announced on DSLreports. Just open a support ticket after you sign up for the DID and mention Martin’s offer with a link to the DSL Reports thread. No guarantees! [↩]
Taking a Fresh Look at the Asterisk, FreePBX, and Incredible PBX Security Models
About once a year, we try to shine the spotlight on Asterisk® security in hopes of saving lots of organizations and individuals a little bit (or a lot) of money. In light of last week’s major security lapse in the Asterisk® dialplan of those using FreePBX® since the Asterisk@Home days, now seemed like a good time for a review. As we’ve noted before, the problem with open source phone systems is they’re open source phone systems. So the bad guys can figure out how they work just like the good guys. Unfortunately, some of the bad guys are paying particular attention to Asterisk and FreePBX so it behooves all of us to remain vigilant and patch vulnerabilities quickly. The FreePBX Devs have done an admirable job in responding quickly to this issue.
Last week’s vulnerability involves the call transfer methodology that has been incorporated into FreePBX-based Asterisk servers for at least a decade. In a nutshell, it allows an internal or outside caller or called party to transfer a call using touchtones instead of a dedicated transfer button or hook flash. ## performs a blind transfer while *2 sets up an attended transfer where the person transferring the call can actually talk to the transfer recipient before executing the call transfer. Some of our foreign friends used this *2 methodology to initiate calls to Asterisk servers and then to transfer those calls to expensive destinations while the other party to the call listened to music on hold. Worse yet, it could be performed within an answering IVR on some servers so the administrator never knew the call transfer took place other than reviewing the call detail records. As with some previous vulnerabilities, this one had lain dormant since the inception of call transfer technology in Asterisk. The default settings in FreePBX permitted outside calling or called parties to initiate transfers using these feature codes. We’re reminded of a similar vulnerability that used to exist in many Asterisk voicemail systems that allowed callers to dialout to another number from within the voicemail system.
We hope to persuade you today that allowing transfer of calls using touch tones is a very bad idea to begin with. Even when you don’t get a surprise phone bill, it often results in unanticipated consequences such as depicted in this video shared on DSL Reports:
https://youtu.be/bnMVebywX6Y
Here’s how you can protect any server that uses all or some of the FreePBX GUI. First, be aware that the FreePBX developers are working on a rewrite of the Core component in versions 13 and 12. The fix would limit use of this technology to those on the internal side of a PBX. In other words, remote callers would be blocked from calling into an Asterisk server and transferring themselves to a phone on a cruise ship sailing in the Indian Ocean. In the meantime, issuing the following commands will patch things up:
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1" mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1" amportal a r
For those using Incredible PBX™, the Automatic Update Utility will patch your server the next time you log in as root.
Olle Johansson has been one of the primary shakers and movers when it comes to educating folks on Asterisk security and inspiring developers to do a better job designing these systems. If you didn’t attend AstriCon 2013 and haven’t watched the Security Master Class, put these videos on your Bucket List. They’re all free and well worth your time.
When we began building out Incredible PBX on other platforms several years ago, we decided it was an opportune time to revisit our Asterisk security model and make it as bullet-proof as possible given the number of people now deploying Asterisk servers in the cloud. As a practical matter, there are no hardware-based firewalls to protect you with many of the cloud-based systems. So you literally live or die based upon the strength of your own software-based security model.
As in the past, security is all about layers of protection. A bundle of sticks is harder to break than a single stick. There now are Incredible PBX builds for CentOS, Scientific Linux, Ubuntu 14, and the latest Raspbian 8 for the Raspberry Pi 2 and 3. All of these releases include the new Incredible PBX security model. Here’s how it works…
The 7 Security Layers include the following, and we will go into the details below:
- Preconfigured IPtables Linux Firewall
- Preconfigured Travelin’ Man 3 WhiteLists
- Randomized Port Knocker for Remote Access
- TM4 WhiteListing by Telephone (optional)
- Fail2Ban
- Randomized Ultra-Secure Passwords
- Automatic Security Updates & Bug Fixes
1. IPtables Linux Firewall. Yes, we’ve had IPtables in place with PBX in a Flash for many years. And, yes, it was partially locked down in previous Incredible PBX releases if you chose to deploy Travelin’ Man 3. Now it’s automatically installed AND locked down, period. As installed, the new Incredible PBX limits login access to your server to those on your private LAN (if any) and anyone logging in from the server’s public or private IP address and the public IP address of the desktop machine used to install the Incredible PBX software. If you or your users need access from other computers or phones, those addresses can be added quickly using either the Travelin’ Man 3 tools (add-ip and add-fqdn) or using the Port Knocker application running on your desktop or smartphone. All you need is your randomized 3 codes for the knock. You can also enable a remote IP address by telephone. Keep reading!
2. Travelin’ Man 3 WhiteLists. As in the past, many of the major SIP providers have been whitelisted in the default setup so that you can quickly add new service without worrying about firewall access. These are providers that we’ve used over the years. The preconfigured providers include Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. You are, of course, free to add other providers or users using the whitelist tools being provided. add-ip lets you add an IP address to your whitelist. add-fqdn lets you add a fully-qualified domain name to your whitelist. del-acct lets you remove an entry from your whitelist. Because FQDNs cause problems with IPtables if the FQDN happens to be invalid or non-functional, we’ve provided a customized iptables-restart tool which will filter out bad FQDNs and start up IPtables without the problematic entries.
Be advised that whitelist entries created with PortKnocker are stored in RAM, not in your IPtables file. These RAM entries will get blown out of the water whenever your system is restarted OR if IPtables is restarted. Stated another way, PortKnocker should be used as a stopgap tool to get new IP addresses qualified quickly. If these addresses need access for more than a few hours, then the Travelin’ Man 3 tools should be used to add them to your IPtables whitelist. If your whitelist setup includes dynamic IP addresses, be aware that using ipchecker in a cron job to test for changing dynamic IP addresses will remove PortKnocker whitelist RAM entries whenever an IP address change triggers an iptables-restart.
For more detail on Travelin’ Man 3, review our original tutorial.
3. PortKnocker WhiteListing. We’ve previously written about PortKnocker so we won’t repeat the article here. Simply stated, it lets you knock on three ports on a host machine in the proper order to gain access. If you get the timing and sequence right, the IP address from which you knocked gets whitelisted for access to the server… with appropriate admin or root passwords, of course. The knocking can be accomplished with either a command line tool or an iOS or Android app using your smartphone or tablet. As noted above, it’s a terrific stopgap tool to let you or your users gain quick access to your server. For the reasons we’ve documented, don’t forget that it’s a stopgap tool. Don’t use it as a replacement for Travelin’ Man 3 whitelists unless you don’t plan to deploy dynamic IP address automatic updating. Just to repeat, PortKnocker whitelists get destroyed whenever IPtables is restarted or your server is rebooted. You’ve been warned.
4. TM4 WhiteListing by Telephone. Newer releases of Incredible PBX are preconfigured with ODBC support for telephony applications. One worth mentioning is our new Travelin’ Man 4 utility which lets a remote user dial into a dedicated DID and register an IP address to be whitelisted on the server. Within a couple minutes, the user will be sent an email confirming that the IP address has been whitelisted and remote access is now enabled. For phone systems and administrators supporting hundreds of remote users, this new feature will be a welcome addition. It can be configured in a couple minutes by following the Installation instructions in the Travelin’ Man 4 tutorial. Unlike PortKnocker, whitelisted IP addresses added with TM4 are permanent until modified by the remote user or deleted by the administrator.
5. Fail2Ban. We’ve never been a big fan of Fail2Ban which scans your logs and blacklists IP addresses after several failed attempts to log in or register with SSH or Apache or Asterisk. The reason is because of documented cases where attacks from powerful servers (think: Amazon) completely overpower a machine and delay execution of Fail2Ban log scanning until tens of thousands of registration attempts have been launched. The FreePBX folks are working on a methodology to move failed login attempts to a separate (smaller) log which would go a long way toward eliminating the log scanning bottleneck. In the the meantime, Fail2Ban is included, and it works when it works. But don’t count on it as your only security layer.
6. Randomized Passwords. With the new security model described above, we’ve dispensed with Apache security to protect FreePBX® access. These new Incredible PBX releases rely upon the FreePBX security model which uses encrypted passwords stored in MySQL or MariaDB. As part of the installation process, Incredible PBX randomizes ALL FreePBX passwords including those for the default 701 extension as well as the admin password. When your new Incredible PBX install completes, the most important things to remember are your (randomized) FreePBX admin password AND the (randomized) 3 ports required for Port Knocker access. Put them in a safe place. Sooner or later, you’ll need them. You can review your PortKnocker settings in /root/knock.FAQ. We’ve also included admin-pw-change in the /root folder for those that are too lazy to heed our advice. With the new security model, there is no way to look up your admin password. All you can do is change it… assuming you haven’t also forgotten your root password. 😉
7. Automatic Update Service. All new Incredible PBX builds include an automatic update service to provide security patches and bug fixes whenever you log into your server as root. It saved you just last week! If you don’t want the updates for some reason, you can delete the /root/update* file from your server. If the cost of maintaining this service becomes prohibitive, we may implement a pay-for-service fee, but it presently is supported by voluntary contributions from our users. It has worked extremely well and provided a vehicle for pushing out updates that affect the reliability and security of your server.
A Word About IPv6. Sooner or later Internet Protocol version 6 will be upon us because of the exhaustion of IPv4 IP addresses. Incredible PBX is IPv6-aware and IPtables has been configured to support it as well. As deployed, outbound IPv6 is not restricted. Inbound access is limited to localhost. You, of course, are free to modify it in any way desired. Be advised that disabling IPv6 localhost inbound access will block access to the FreePBX GUI. Don’t ask us how we know. 🙂
Originally published: Monday, April 18, 2016
9 Countries Have Never Visited Nerd Vittles. Got a Friend in Any of Them https://t.co/wMfmlhiQ9y #asterisk #freepbx pic.twitter.com/TPFGZbqWB6
— Ward Mundy (@NerdUno) April 22, 2016
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
Free Asterisk Solutions
