Home » Posts tagged 'disa'
Tag Archives: disa
Going Public with Incredible PBX 16 and VitalPBX 2.3.8
As part of our ongoing development efforts, we maintain about a dozen honeypot servers across the U.S. and Canada to monitor the latest adventures of the bad guys. Security becomes especially important for those wishing to live on the bleeding edge and deploy a cloud-based, public-facing VoIP server. Today we want to walk you through our latest suggestions to set up and secure a VitalPBX platform using just the built-in FirewallD, IPset, and Fail2Ban components. If you opt to deploy VitalPBX in the Cloud, a KVM-based VPS is absolutely essential in order to take advantage of the security mechanisms we will introduce today.
Here are 6 Key Security Features in today’s public design:
- SIP Registration Lockdown by FQDN
- Extension Lockdown by IP Address
- Trunk Provider Lockdown by IP Address
- Web Access Lockdown by WhiteList
- Disguised Ports for SIP and SSH Access
- 100,000+ VOIP Blacklist for FirewallD
Is it 100% safe? Nothing ever is. That’s what backups are for. 😉
FYI: The CentOS folks reintroduced a previous FirewallD bug on October 22 which (again) broke new VitalPBX installs. On October 23, the VitalPBX developers fixed the bug (again). There should be no problems with new installs. For previous installs, see this thread on the PIAF Forum for the fix.
Taking Incredible PBX with VitalPBX to the Cloud
Because Incredible PBX with VitalPBX 2.3.8 was originally distributed as an ISO, getting it installed in the cloud was a challenge. A few cloud providers let you bring your own ISO to install on their VPS platforms, but it was still a tedious process. So today we’re pleased to introduce a new install script that can be run on any CentOS 7 platform.
We have a few cloud providers that we recommend without reservation. Both Vultr and Digital Ocean provide referral credits to Nerd Vittles to support our VoIP project development efforts. We’ve used both of them for many years with no problems. Either of the platforms works well using the $5 a month option in your choice of cities. Just be sure to choose the CentOS 7 platform, not CentOS 8. For an extra buck, you can add automatic backups.
Our favorite bargain is now CrownCloud in Los Angeles. For $25 a year, they offer a KVM VPS that is ideal as a VoIP platform. And the offering includes a free snapshot image as well. As you might imagine, it’s very popular and goes Out of Stock from time to time so check back often. For our international friends, CrownCloud offers similar platforms at the same price point in both Germany and the Netherlands.
Installing Incredible PBX with VitalPBX on CentOS 7
Once your CentOS 7 platform is up and running, here’s how to install Incredible PBX for VitalPBX. Log into your server as root using SSH or Putty. Then issue these commands:
cd /root passwd yum -y install net-tools wget nano tar wget http://incrediblepbx.com/incrediblepbx.sh chmod +x incrediblepbx.sh ./incrediblepbx.sh
Incredible PBX Cloud Setup Recipe for VitalPBX
We think the easiest way to configure your new VitalPBX platform is to follow the simple steps outlined below. This will avoid your having to jump back and forth between tutorials to get all the pieces in place. When you’re finished, you’ll have a secure VitalPBX cloud platform. Don’t be intimidated by the number of steps. If you can handle slice-and-bake cookies, you can do this!
1. Point your browser to the IP address of your server. You’ll be prompted to set a password for admin access to the GUI. Fill in the blanks to proceed. Should you ever forget your admin password, here’s how as root user to force a reset on your next login from a browser:
mysql ombutel -e 'update ombu_settings set value = "yes" where name = "reset_pwd"'
2. Register your server when prompted. The VitalPBX Dashboard will appear.
3. Decipher the public IP address of your desktop machine and any other PCs that will be used to manage your server.
4. From the VitalPBX Dashboard, navigate to Admin:Security:Firewall:WhiteList. Enter each of your IP addresses from step #3 and click Save button.
5. From the VitalPBX Dashboard, navigate to Admin:Security:Intrusion Detection:WhiteList. Enter each of your IP addresses from step #3 and click Save button.
6. Modify the default SSH port by logging in to your server as root and issuing the following commands using the year you were born in the first line replacing 2000:
sed -i 's|#Port 22|Port 2000|' /etc/ssh/sshd_config systemctl restart sshd
7. From the VitalPBX Dashboard, navigate to Admin:Security:Firewall:Services. Change the SIP port to 5080 or some other port number not in the 5060-5065 range. Change the SSH port to a 4-digit number matching the year you were born. Click Save button. Monitor your SSH log for attempted breaches and change your port if necessary:
cat /var/log/secure | grep password
8. Verify that you can log back into your server with SSH using the new SSH port number you assigned in step #6: ssh -p 2000 root@server-IP-address
9. From the VitalPBX Dashboard, navigate to Admin:Security:Firewall:Rules. Delete the HTTP and HTTPS items by clicking the Trash icon beside each entry. In the GENERAL tab, set Block ICMP Requests to YES. Click Save button. This blocks web access to everyone except those you’ve whitelisted in step #4 above. If you ever lock yourself out of web access, login to your server as shown in step #8 and temporarily whitelist the public IP address desired. This gets removed automatically the next time you save your Firewall settings from within the VitalPBX GUI.
iptables -A vpbx_white_list -s 12.34.56.78 -j ACCEPT
10. Before we get too far along, let’s put another layer of security in place for your new server. We’re going to add the VoIP Blacklist which blocks about 100,000 bad guys from around the globe. We’ll also add a cron job to update the blacklist every night. Log back into your server as root and issue these commands to put the pieces in place and enable the VoIP Blacklist.
TIP: The cron job below is scheduled to run at 20 minutes after 3 a.m. Change the time to something else so we don’t all bombard the VoIP Blacklist site for downloads at exactly the same time every night.
cd /etc wget http://incrediblepbx.com/voipbl-firewalld.tar.gz tar zxvf voipbl-firewalld.tar.gz rm -f voipbl-firewalld.tar.gz echo "20 3 * * * root /etc/update-voipbl.sh >/dev/null 2>&1" >> /etc/crontab /etc/update-voipbl.sh
11. From the VitalPBX Dashboard, navigate to Admin:Add-Ons:Add-Ons. Click Check Online button. Click Install button beside Custom Contexts. Click Install button beside Phonebooks. Click Install button beside Domotic.
12. From the VitalPBX Dashboard, navigate to Settings:Tech Settings:SIP Settings.
a. In the GENERAL tab, set the Bind Address port to 5080 or whatever port you chose in step #7 above. This is the port number together with the FQDN of your PBX (set in the next step) that any SIP phone will need to successfully register to an extension.
b. In the SECURITY tab, set Allow Guest to NO, set Auto-Domain to NO, set Allow External Domains to NO, and enter a fully-qualified domain name (FQDN) pointing to the IP address of your server in the Domain field. We cannot stress enough how important this FQDN is to the security of your cloud-based server. It limits SIP registrations to this FQDN only, and all SIP registration attempts by IP address are automatically blocked. Don’t skip this step!
c. In the NETWORK tab, enter the IP address of your server in External Address. Click the ADD button in the Local Networks section and enter the private IP addresses associated with your LAN and VPN, e.g. 192.168.0.0/255.255.0.0 and 10.0.0.0/255.240.0.0. Change NAT to Force,Comedia if your server is behind a NAT-based router.
d. In the CODECS tab, enable ULAW, ALAW, G722, and G729.
e. In the OTHERS tab, set SRV LOOKUPS to Yes. Click SAVE button.
13. From the VitalPBX Dashboard, navigate to Settings:Tech Settings:Profiles. Click Show All Profiles bar and choose Default PJSIP Profile. In the GENERAL tab, set the following entries to YES: Force rport, Rewrite Contact, Direct Media, RTP Symmetric, and Send Diversion Header. Click UPDATE button.
14. From the VitalPBX Dashboard, navigate to PBX:Applications:Parking. Click Show All Parking Profiles bar and choose Default. Change Code from 700 to 7000 and click Update button. This changes your Parking Lot extensions to the 7000 range so that 700 range can be used for Extensions, just like other versions of Incredible PBX.
15. Log out of your Dashboard and then log back in so that the menus get refreshed with the Custom Contexts addition.
16. From the VitalPBX Dashboard, navigate to PBX:Applications:Custom Contexts. Create the new sample IVR context with the following entries. Then click Save button.
- Description: IncrediblePBX
- Context: incrediblepbx
- Extension: s
- Priority: 1
- Destination: Terminate Call -> Hangup
17. From the VitalPBX Dashboard, navigate to PBX:Applications:Custom Applications. Create the custom application for the sample IVR and Save it.
- Code: 3366
- Name: DEMO
- Enabled: YES
- Destination: Custom Contexts -> IncrediblePBX
18. From the VitalPBX Dashboard, navigate to PBX:Applications:Conferences. Create the new sample conference application and Save it.
- Code: 2663
- Description: CONF
- Music on Hold When Empty: YES
- User Count: YES
- Announce Join/Leave: YES
- Announce Only User: YES
- User PIN: 1234
- Leader PIN: 4321
- Drop Silence: YES
19. If you didn’t read last week’s article on Custom Contexts, now would be a good time to do so. Here are the commands to put all those pieces in place on your new cloud-based server:
cd / yum -y install dialog wget nano tar mailx cp -p /etc/crontab /etc/crontab.bak wget http://incrediblepbx.com/incrediblepbx-vitalpbx.tar.gz tar zxvf incrediblepbx-vitalpbx.tar.gz rm -f incrediblepbx-vitalpbx.tar.gz chown asterisk:asterisk /var/lib/asterisk cd /etc/asterisk/ombutel echo "[cos-all-custom](+)" >> extensions__80-custom.conf echo "exten => 412,1,NoOp(Voice Dialer)" >> extensions__80-custom.conf echo " same => n,Answer" >> extensions__80-custom.conf echo " same => n,Goto(incrediblepbx,1,1)" >> extensions__80-custom.conf echo " same => n,Hangup()" >> extensions__80-custom.conf echo "" >> extensions__80-custom.conf echo "exten => 951,1,NoOp(News)" >> extensions__80-custom.conf echo " same => n,Answer" >> extensions__80-custom.conf echo " same => n,Goto(incrediblepbx,5,1)" >> extensions__80-custom.conf echo " same => n,Hangup()" >> extensions__80-custom.conf echo "" >> extensions__80-custom.conf echo "exten => 947,1,NoOp(Weather by ZIP)" >> extensions__80-custom.conf echo " same => n,Answer" >> extensions__80-custom.conf echo " same => n,Goto(incrediblepbx,6,1)" >> extensions__80-custom.conf echo " same => n,Hangup()" >> extensions__80-custom.conf echo "" >> extensions__80-custom.conf echo "exten => 3172,1,NoOp(DISA Voice Dialer)" >> extensions__80-custom.conf echo " same => n,Answer" >> extensions__80-custom.conf echo " same => n,Goto(incrediblepbx,9,1)" >> extensions__80-custom.conf echo " same => n,Hangup()" >> extensions__80-custom.conf echo "" >> extensions__80-custom.conf echo "exten => 4747,1,NoOp(Wolfram Alpha)" >> extensions__80-custom.conf echo " same => n,Answer" >> extensions__80-custom.conf echo " same => n,Goto(incrediblepbx,3,1)" >> extensions__80-custom.conf echo " same => n,Hangup()" >> extensions__80-custom.conf echo "" >> extensions__80-custom.conf echo "exten => 8463,1,NoOp(Time of Day)" >> extensions__80-custom.conf echo " same => n,Answer" >> extensions__80-custom.conf echo " same => n,Goto(incrediblepbx,*,1)" >> extensions__80-custom.conf echo " same => n,Hangup()" >> extensions__80-custom.conf echo "" >> extensions__80-custom.conf echo "exten => 53669,1,NoOp(Lenny)" >> extensions__80-custom.conf echo " same => n,Answer" >> extensions__80-custom.conf echo " same => n,Goto(incrediblepbx,53669,1)" >> extensions__80-custom.conf echo " same => n,Hangup()" >> extensions__80-custom.conf echo "" >> extensions__80-custom.conf echo "exten => 86329,1,NoOp(Today in History)" >> extensions__80-custom.conf echo " same => n,Answer" >> extensions__80-custom.conf echo " same => n,Goto(incrediblepbx,7,1)" >> extensions__80-custom.conf echo " same => n,Hangup()" >> extensions__80-custom.conf echo "" >> extensions__80-custom.conf systemctl restart asterisk chown asterisk:asterisk /var/lib/asterisk chown asterisk:apache /var/lib/asterisk/agi-bin
20. Create new Extensions for your PBX by navigating to PBX:Extensions:Extensions. You only need to fill in the Extension, Name, and Email Address fields. We recommend extension numbers beginning with 701. If the extension will be used from a phone behind a NAT-based router, change the NAT entry to Force,Comedia. If the phone associated with the extension has a static IP address, enter it in the Permit field for an extra layer of security. In the VOICEMAIL tab, you will note that voicemail is enabled by default with a password matching the extension number. This forces the user to set the voicemail password the first time they access voicemail with their phone. We recommend the YES setting for Attach Voicemail, Ask Password, Say CID, Say Duration, and Envelope. Then press SAVE.
21. Once you have created your extensions, you can create Ring Groups to assign multiple extensions and external numbers to a designated number which will ring all of the extensions and external numbers in the ring group either simultaneously or serially. Navigate to PBX:Call Center:Ring Groups to set this up.
22. Trunk Setup. While we don’t recommend it, if you just want to play around with some toll-free calls using option 1 in the DEMO IVR to see how everything works, here’s a simple trunk setup to get you started. First, navigate to Settings:Telephony:Channel Groups and save a group named Default with no entries. Then navigate to PBX:External:Trunks:CUSTOM. Create TollFree trunk with this Dial String: SIP/1${EXTEN}@ovh.starcompartners.com. No other entries are required. Click SAVE and reload your dialplan. Finally, create an Outbound Route for these calls in PBX:External:Outbound Routes like this:
- Description: TollFree
- Trunks: TollFree
- Dial Pattern: Pattern=NXXNXXXXXX
Save your settings and reload the dialplan. You now can skip down to step #25. NOTE: You will not be able to receive outside calls or make calls to numbers other than toll-free ones.
Our preference is that you use our Platinum Provider, Skyetel, for your default trunk and DID because they offer quadruple redundancy so you never miss a call. Sign up for Skyetel service and take advantage of the Nerd Vittles specials which include a $10 credit to kick the tires. First, complete the Prequalification Form here. You then will be provided a link to the Skyetel site to complete your registration. Once you have registered on the Skyetel site and your account has been activated, open a support ticket and request the $10 credit for your account by referencing the Nerd Vittles special offer. Once you are satisfied with the service, fund your account as desired, and Skyetel will match your deposit of up to $250 simply by opening another ticket. That gets you up to $500 of half-price calling. You can also port in your DIDs at no cost for 60 days after funding your account. Credit is limited to one per person/company/address/location. Effective 10/1/2023, $25/month minimum spend required.
We don’t recommend trunk registrations with a publicly exposed server because it creates a potential attack vector for intruders and any intrusion would be undetectable from the PBX since the attacker could make unauthorized calls after registering directly with your SIP provider. For this reason, Skyetel does not use SIP registrations to make connections to your PBX. Instead, Skyetel utilizes Endpoint Groups to identify which servers can communicate with the Skyetel service. An Endpoint Group consists of a Name, an IP address, a UDP or TCP port for the connection, and a numerical Priority for the group. For incoming calls destined to your PBX, DIDs are associated with an Endpoint Group to route the calls to your PBX. For outgoing calls from your PBX, a matching Endpoint Group is required to authorize outbound calls through the Skyetel network. Thus, the first step in configuring the Skyetel side for use with your PBX is to set up an Endpoint Group. Here’s a typical setup for Incredible PBX 16 for VitalPBX:
- Name: IncrediblePBX
- Priority: 1
- IP Address: IncrediblePBX-Public-IP-Address
- Port: 5062
- Protocol: UDP
- Description: my.incrediblepbx.com
To receive incoming PSTN calls, you’ll need at least one DID. On the Skyetel site, you acquire DIDs under the Phone Numbers tab. You have the option of Porting in Existing Numbers (free for the first 60 days after you sign up for service and fund your account) or purchasing new ones under the Buy Phone Numbers menu option.
Once you have acquired one or more DIDs, navigate to the Local Numbers or Toll Free Numbers tab and specify the desired SIP Format and Endpoint Group for each DID. Add SMS/MMS and E911 support, if desired. Call Forwarding and Failover are also supported. That completes the VoIP setup on the Skyetel side. System Status is always available here.
If you’d like additional details on why we recommend Skyetel, see this Nerd Vittles article.
On the VitalPBX side, we need to add a new Skyetel trunk. Navigate to PBX:External:Trunks:PJSIP. The VitalPBX Trunk setup should look like the following for Skyetel. If you’d like to cut-and-paste the entries for the Match field, here you go:
52.41.52.34,52.8.201.128,52.60.138.31,50.17.48.216,35.156.192.164
[popup url="https://pbs.twimg.com/media/EGDhgsXWsAIbmw1?format=jpg&name=medium" width="1200″ height="700″][/popup]
In Admin:Security:Firewall:WHITELIST, you’ll need to individually Add the five Skyetel IP addresses used in the Match field above and then SAVE your firewall settings.
Finally in PBX:Incoming Calls:CID Modifiers, add a new entry for Skyetel with Skip/Length = 2/10 and Save your settings.
23. Before your PBX can receive calls, you’ll need at least one Inbound Route. This tells the PBX how to route calls from one or more phone numbers (DIDs) that you own to a destination on your PBX, e.g. an extension, a ring group, an IVR, or custom context. Navigate to PBX:External:Inbound Routes to get started. Let’s set up a default inbound route for all the DIDs you have acquired from Skyetel in step #22. Fill in the fields shown below. Then SAVE.
- Routing Method: Default
- Description: Default Skyetel
- DID Pattern: [leave blank for ALL DIDs]
- CallerID Modifier: Skyetel
- Inbound Destination: Custom Contexts -> IncrediblePBX
24. Before you can make outbound calls from extensions on your PBX, you’ll need at least one Outbound Route. This tells the PBX which provider to use to complete calls dialed with a certain sequence of numbers. For example, you probably would want 10-digit numbers routed to Skyetel. And, if users dial 1 and then a 10-digit number, you’d probably want those calls routed to Skyetel as well. To create this outbound route, navigate to PBX:External:Outbound Routes. Fill in the fields shown below. Click ADD to add a second Dial Pattern. Click SAVE and Reload Dialplan when finished.
NOTE: While you can "spoof" any CallerID number here, it is only legal to assign CallerID numbers that you actually own. Most carriers do not forward CallerID names to destinations regardless of what you enter here. The CallerID name and number will be shown in your CDR logs: Reports:CDR Reports:CDR.
- Description: Skyetel-OUT
- Trunks: Skyetel
- Outbound CID: [Your Name and CallerID Number]
- Overwrite CID: YES
- Dial Pattern: Prepend=1 Pattern=NXXNXXXXXX
- Dial Pattern: Pattern=1NXXNXXXXXX
25. For the time being, we strongly recommend disabling IPv6 simply because we don’t have the necessary confidence that all of the security mechanisms are in place for IPv6. Here’s how on the CentOS 7 platform:
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf sysctl -p sed -i 's|#AddressFamily any|AddressFamily inet|' /etc/ssh/sshd_config systemctl restart sshd sed -i 's|inet_protocols = all|inet_protocols = ipv4|' /etc/postfix/main.cf systemctl restart postfix
26. Outbound email functionality is essential on your PBX. You’ll need it to be alerted to potential issues with VitalPBX, and you’ll need it for delivery of voicemail messages to users. There are a couple ways to implement it, and both are easy. If you want to use the native capabilities of Postfix to send the emails assuming your provider is not blocking outbound SMTP mail from downstream servers, then follow these steps:
- Insert your FQDN from step #12b into /etc/hosts immediately after 127.0.0.1
- Replace the contents of /etc/hostname with the same FQDN
- Issue the following command using your actual FQDN: hostname FQDN
- Sending yourself an email: echo "test" | mail -s test you@your-domain.com
If you don’t receive the test email message, then the easiest solution is to configure PostFix as an SMTP Relay using a Gmail account. You can do this easily from within the VitalPBX GUI. Navigate to Admin:System Settings:Email Settings and click the External Mail Server tab. Be sure that Gmail is selected and enter your Gmail name and password in the fields provided. Save your settings and send yourself an email using the field provided.
27. Once you get outbound email flowing, jump down to the next section and obtain IBM TTS and STT passwords. Now set up Voicemail Transcription with Email Message Delivery:
a. After logging into your VitalPBX server as root using SSH/Putty:
cd /tmp mkdir sendmail cd sendmail wget http://incrediblepbx.com/sendmailibm-vitalpbx.tar.gz tar zxvf sendmailibm-vitalpbx.tar.gz rm -f sendmailibm-vitalpbx.tar.gz mv usr/sbin/sendmailibm /usr/sbin cd /etc/asterisk/ombutel echo "[general](+)" > voicemail__60-1-transcript.conf echo "; format=wav|wav49|gsm" >> voicemail__60-1-transcript.conf echo "mailcmd=/usr/sbin/sendmailibm" >> voicemail__60-1-transcript.conf chown apache:apache voicemail__60-1-transcript.conf rm -rf /tmp/sendmail
b. Restart Asterisk core services: asterisk -rx "core reload"
c. Edit /usr/sbin/sendmailibm and insert your IBM Watson STT APIkey on line 23. Change the language on line 31 if you don’t want en-US. Then save the file.
d. Log back into the VitalPBX GUI and configure the extensions desired for email delivery of voicemail. For each extension in PBX:Extensions:General, enter an Email Address for delivery of voicemails. In PBX:Extensions:Voicemail, verify the VM settings from step #20.
28. We hesitate to even mention (free) Festival TTS as a text-to-speech alternative because it is so bad compared to IBM TTS. But for those that like always free, here’s how to install it. Once installed, you can issue Festival commands in your dialplan using the keyword Festival followed by the text to be spoken in parentheses.
yum -y install festival echo "[general]" > /etc/asterisk/festival.conf asterisk -rx "dialplan reload" festival_server & systemctl restart asterisk echo "/usr/bin/festival_server &" >> /etc/rc.d/rc.local
29. If you’d like to test the performance of your cloud-based server, here’s how to deploy and run SpeedTest:
cd /root wget -O speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py chmod +x speedtest-cli /root/speedtest-cli
30. Associating CallerID Names (CNAM) with inbound calls for display on SIP phones and in the CDR logs is an often-requested PBX feature. There are a few ways to do it. First, for less than a penny a call, you can activate the feature with your DIDs in the Skyetel Dashboard. Or, for about half the cost, you can acquire an OpenCNAM account and activate it in VitalPBX by navigating to PBX:Incoming Calls:CID Lookup. Choose OpenCNAM as the Source and enter your credentials. Then SAVE your settings and reload the dialplan. Then, for each of your Inbound Routes, add OpenCNAM as the CID Lookup source and Update your configuration.
31. Unless you want a full-time job monitoring the size of your logs, remove the fail2ban Asterisk log which grows every 5 seconds. Navigate to Settings:PBX Settings:Log Files and click the Trash icon beside fail2ban. It’s probably a good idea to turn OFF the Notice option for the full log while you’re at it. Then SAVE your changes.
32. Before you do anything else, navigate to Admin:Admin:Backup & Restore, configure and run a Full Backup, and then download the file and keep it in a safe place. Be advised that Backup/Restore doesn’t restore Add-Ons, /var/lib/asterisk/agi-bin, custom contexts (extensions__80*.conf) in /etc/asterisk/ombutel, custom MySQL databases (mysqldump -u root yourDB > yourDB.sql), custom and lenny sound directories in /var/lib/asterisk/sounds, phpMyAdmin, /usr/local/sbin, and /etc/crontab.
Obtaining IBM Watson TTS and STT Credentials
Incredible PBX uses IBM Watson® for TTS and STT support. This Nerd Vittles tutorial will walk you through getting your IBM account set up and obtaining both your TTS and STT credentials. Be sure to write down BOTH sets of credentials which you’ll need in a minute. For home and SOHO use, IBM access and services generally is FREE even though you must provide a credit card when signing up. Details are provided when you sign up. If you ever forget your passwords, you can retrieve them by navigating to Resource List:Services:TTS or STT:View Full Details:Show Credentials.
Obtaining Wolfram Alpha Credentials
When people ask what exactly Wolfram Alpha is, our favorite answer was provided by Ed Borasky.
It’s an almanac driven by a supercomputer.
That’s an understatement. It’s a bit like calling Google Search a topic index. Unlike Google which provides links to web sites that can provide answers to queries, Wolfram Alpha provides specific and detailed answers to almost any question. Here are a few examples (with descriptions of the functionality) to help you wrap your head around the breadth of information. For a complete list of what’s available, visit Wolfram Alpha’s Examples by Topic. Type a sample query here. Some of our favorites include:
Weather in Charleston South Carolina
Weather forecast for Washington D.C.
Next solar eclipse
Otis Redding
Define politician
Who won the 1969 Superbowl? (Broadway Joe)
What planes are flying overhead now? (flying over your server’s location)
Ham and cheese sandwich (nutritional information)
Holidays 2012 (summary of all holidays for 2012 with dates and DOW)
Medical University of South Carolina (history of MUSC)
Star Trek (show history, air dates, number of episodes, and more)
Apollo 11 (everything you ever wanted to know)
Cheapest Toaster (brand and price)
Battle of Gettysburg (sad day 🙂 )
Daylight Savings Time 2012 (date ranges and how to set your clocks)
Tablets by Motorola (pricing, models, and specs from Best Buy)
Doughnut (you don’t wanna know)
Snickers bar (ditto)
Weather (local weather at your server’s location)
Before you can actually use our TTS implementation of Wolfram Alpha, you’ll need to obtain a free Wolfram Alpha account. As you can imagine, there have to be some rules when you’re using someone else’s supercomputer for free. So here’s the deal. It’s free for non-commercial, personal use once you sign up for an account. But you’re limited to 2,000 queries a month which works out to almost 70 queries a day. Every query requires your personal application ID, and that’s how Wolfram Alpha keeps track of your queries. Considering the price, we think you’ll find the query limitation generous compared to other web resources.
To get started, sign up for a free Wolfram Alpha API account. Just provide your email address and set up a password. It takes less than a minute. Log into your account and click on Get An App ID. Make up a name for your application and write down (and keep secret) your APP-ID code. That’s all there is to getting set up with Wolfram Alpha. If you want to explore costs for commercial use, there are links to let you get more information.
Configuring Your Incredible PBX Credentials
In addition to your Wolfram Alpha APPID, there are two sets of IBM credentials to plug into the Asterisk AGI scripts. Keep in mind that there are different passwords for the IBM Watson TTS and STT services. The TTS credentials will look like the following: $IBM_password. The STT credentials look like this: $API_PASSWORD. Don’t mix them up. The username for both TTS and STT is now the single word: apikey
All of the scripts requiring credentials are located in /var/lib/asterisk/agi-bin so switch to that directory after logging into your server as root. Edit each of the following files and insert your TTS credentials in the variables already provided: nv-today2.php, ibmtts.php, and ibmtts2.php. Edit each of the following files and insert your STT credentials in the variables already provided: getquery.sh, getnumber.sh, and getnumber2.sh. Finally, edit 4747 and insert your Wolfram Alpha APPID.
If you ever want to learn how to develop applications for Asterisk, these scripts coupled with the dialplan code included in /etc/asterisk/ombutel/extensions__80-1-incrediblepbx.conf will point you in the right direction with easy to follow examples.
Managing the AsteriDex SQLite3 Database
We’ve alluded to the AsteriDex database in a couple of VitalPBX articles but never mentioned how to access it. Using a browser, point it to http://server-ip/asteridex4
. You can add, edit, display, and delete entries from there. Before you can make changes in the database, issue the following command after logging into your server as root:
chown asterisk:apache /var/lib/asterisk/agi-bin
Taking Incredible PBX for a Test Drive
You can take Incredible PBX for VitalPBX on a test drive in two ways. You can call our server, and then you can try things out on your own server and compare the results. Call our IVR by dialing 1-843-606-0555. For our international friends, you can use the following SIP URI for a free call: 10159591015959@atlanta.voip.ms. For tips on setting up your own secure, hybrid SIP URI with VitalPBX, see our original tutorial. The FreePBX® setup is virtually identical except for the location of the custom SIP setting for match_auth_username=yes. On a VitalPBX server, you will enter it here: Settings:Technology Settings:SIP Settings:CUSTOM.
With Allison’s Demo IVR, you can choose from the following options:
- 0. Chat with Operator — connects to extension 701
- 1. AsteriDex Voice Dialer (412) – say "Delta Airlines" or "American Airlines" to connect
- 2. Conferencing (2663) – log in using 1234 as the conference PIN
- 3. Wolfram Alpha Almanac (4747) – say "What planes are flying overhead now?"
- 4. Lenny (53669) – The Telemarketer’s Worst Nightmare
- 5. Today’s News Headlines (951) — courtesy of Yahoo! News
- 6. Weather by ZIP Code (947) – enter any 5-digit ZIP code for today’s weather
- 7. Today in History (86329) — courtesy of OnThisDay.com
- 8. Call Extension 701 — on your local PBX
- 9. DISA Voice Dialer (3172) — say any 10-digit number to be connected
- *. Current TIME and Date (8463) — courtesy of VitalPBX
CAUTION: We have intentionally disabled outbound calls using Option #9 and redirected callers to Lenny. The reason is that an unscrupulous caller could easily run up your phone bill by entering a number with expensive destination charges. If you wish to enable the feature, despite the risks, you can edit extensions__80-1-incrediblepbx.conf and make the change.
You can call your own IVR in a few ways. From an internal VitalPBX phone, dial D-E-M-O (2663) to be connected. Or simply dial the number of the DID you routed to the Incredible PBX Custom Context. Local users can also dial the individual feature codes shown in parentheses above. Be sure that you heed AND test the CAUTION documented above.
Originally published: Monday, October 21, 2019
Got Friends? 7 Countries Have Never Visited Nerd Vittles. 2018 Is Calling! https://t.co/wMfmlhAr16 #asterisk #freepbx #wazo #issabel #IncrediblePBX #3CX pic.twitter.com/kAmAEnwVIw
— Ward Mundy (@NerdUno) January 9, 2018
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Introducing Incredible PBX Custom Contexts for VitalPBX
Last week we introduced Incredible PBX for VitalPBX 2.3.8 to the Asterisk® community. And today we’re pleased to present the first of many Incredible PBX® add-ons, Allison’s DEMO IVR featuring text-to-speech and voice recognition utilities that take your Asterisk PBX to a whole new level. When we’re finished, you’ll have Headlines News, Weather Reports, Today in History, Wolfram Alpha, Voice Recognition apps to call people in your AsteriDex phonebook and to call anyone else by simply speaking the number to dial, and good ol’ Lenny, the Telemarketer’s Worst Nightmare. We’ll utilize a single custom context to harness the power of 11 Asterisk utilities using an easily configurable Interactive Voice Response (IVR) interface. Last week, VitalPBX released a new Custom Contexts module that has no limitations on the number of contexts you can create for free. But, for today, we’ll do it the old-fashioned way just to demonstrate what’s possible. And it’s pure GPL code.
Prerequisites. Before deploying the Incredible PBX components, you’ll need to install VitalPBX on a platform of your choice behind a hardware-based firewall. You’ll need to add an extension 701 where you can receive calls on a softphone or SIP phone, and you’ll need at least one SIP trunk to make and receive calls from those not connected to your PBX. The Outbound Route for this trunk must support 10 and 11-digit calls in the following formats: NXXNXXXXXX and 1NXXNXXXXXX. You’ll also need to install the Custom Contexts add-on to VitalPBX and then configure the (free) Custom Context for use by the Incredible PBX add-ons. The Inbound Route for at least one of your trunks must send calls to this new Incredible PBX Custom Context. Our previous tutorial will walk you through the setup steps for all of this.
In the VitalPBX GUI, navigate to PBX:Applications:Custom Applications and add a new 3366 (D-E-M-O) application for the Incredible PBX Demo IVR. Make it look like the following. Save your entries and Reload your dialplan when you’re finished.
In the VitalPBX GUI, navigate to PBX:Applications:Conference and add a 2663 (C-O-N-F) conference that looks like the following using PINs of your choice for participants and the conference leader. Save your entries and Reload your dialplan when you’re finished.
Finally, navigate to Settings:Technology Settings:SIP Settings:OTHERS and set SRV Lookups to YES. Save your settings and reload the dialplan.
Obtaining IBM Watson TTS and STT Credentials
Incredible PBX uses IBM Watson® for TTS and STT support. This Nerd Vittles tutorial will walk you through getting your IBM account set up and obtaining both your TTS and STT credentials. Be sure to write down BOTH sets of credentials which you’ll need in a minute. For home and SOHO use, IBM access and services generally is FREE even though you must provide a credit card when signing up. Details are provided when you sign up. If you ever forget your passwords, you can retrieve them by navigating to Watson:ExistingServices:TTS or STT:View Full Details:Show Credentials.
Obtaining Wolfram Alpha Credentials
When people ask what exactly Wolfram Alpha is, our favorite answer was provided by Ed Borasky.
It’s an almanac driven by a supercomputer.
That’s an understatement. It’s a bit like calling Google Search a topic index. Unlike Google which provides links to web sites that can provide answers to queries, Wolfram Alpha provides specific and detailed answers to almost any question. Here are a few examples (with descriptions of the functionality) to help you wrap your head around the breadth of information. For a complete list of what’s available, visit Wolfram Alpha’s Examples by Topic. Type a sample query here. Some of our favorites include:
Weather in Charleston South Carolina
Weather forecast for Washington D.C.
Next solar eclipse
Otis Redding
Define politician
Who won the 1969 Superbowl? (Broadway Joe)
What planes are flying overhead now? (flying over your server’s location)
Ham and cheese sandwich (nutritional information)
Holidays 2012 (summary of all holidays for 2012 with dates and DOW)
Medical University of South Carolina (history of MUSC)
Star Trek (show history, air dates, number of episodes, and more)
Apollo 11 (everything you ever wanted to know)
Cheapest Toaster (brand and price)
Battle of Gettysburg (sad day 🙂 )
Daylight Savings Time 2012 (date ranges and how to set your clocks)
Tablets by Motorola (pricing, models, and specs from Best Buy)
Doughnut (you don’t wanna know)
Snickers bar (ditto)
Weather (local weather at your server’s location)
Before you can actually use our TTS implementation of Wolfram Alpha, you’ll need to obtain a free Wolfram Alpha account. As you can imagine, there have to be some rules when you’re using someone else’s supercomputer for free. So here’s the deal. It’s free for non-commercial, personal use once you sign up for an account. But you’re limited to 2,000 queries a month which works out to almost 70 queries a day. Every query requires your personal application ID, and that’s how Wolfram Alpha keeps track of your queries. Considering the price, we think you’ll find the query limitation generous compared to other web resources.
To get started, sign up for a free Wolfram Alpha API account. Just provide your email address and set up a password. It takes less than a minute. Log into your account and click on Get An App ID. Make up a name for your application and write down (and keep secret) your APP-ID code. That’s all there is to getting set up with Wolfram Alpha. If you want to explore costs for commercial use, there are links to let you get more information.
Installing Incredible PBX Components
To install the Incredible PBX components on your VitalPBX server, login to your server as root and issue the following commands:
# on VitalPBX 3.x servers only, issue next 2 commands: ln -s /etc/asterisk/vitalpbx /etc/asterisk/ombutel ln -s /usr/share/vitalpbx /usr/share/ombutel cd / yum -y install dialog wget nano tar mailx cp -p /etc/crontab /etc/crontab.bak wget http://incrediblepbx.com/incrediblepbx-vitalpbx.tar.gz tar zxvf incrediblepbx-vitalpbx.tar.gz rm -f incrediblepbx-vitalpbx.tar.gz chown asterisk:asterisk /var/lib/asterisk chown asterisk:apache /var/lib/asterisk/agi-bin /etc/init.d/asterisk restart
The GPL3 license for all of the Incredible PBX components is available for review in /root/COPYING.
Configuring Your Incredible PBX Credentials
In addition to your Wolfram Alpha APPID, there are two sets of IBM credentials to plug into the Asterisk AGI scripts. Keep in mind that there are different passwords for the IBM Watson TTS and STT services. The TTS credentials will look like the following: $IBM_password. The STT credentials look like this: $API_PASSWORD. Don’t mix them up. The username for both TTS and STT is now the single word: apikey
All of the scripts requiring credentials are located in /var/lib/asterisk/agi-bin so switch to that directory after logging into your server as root. Edit each of the following files and insert your TTS credentials in the variables already provided: nv-today2.php, ibmtts.php, and ibmtts2.php. Edit each of the following files and insert your STT credentials in the variables already provided: getquery.sh, getnumber.sh, and getnumber2.sh. Finally, edit 4747 and insert your Wolfram Alpha APPID.
If you ever want to learn how to develop applications for Asterisk, these scripts coupled with the dialplan code included in /etc/asterisk/ombutel/extensions__80-1-incrediblepbx.conf will point you in the right direction with easy to follow examples.
Using Asteridex with VitalPBX
AsteriDex is a web-based dialer and address book application for Asterisk and VitalPBX. It lets you store and manage phone numbers of all your friends and business associates in an easy-to-use SQLite3 database. You simply call up the application with your favorite web browser: http://vitalpbx-ip-address/asteridex4/. When you click on a contact that you wish to call, AsteriDex first calls you at extension 701, and then AsteriDex connects you to your contact through another outbound call made using your default outbound trunk that supports numbers in the 1NXXNXXXXXX format.
Before AsteriDex Click-to-Call will work, you must authorize AsteriDex to access Asterisk from your browser. After logging into your server as root, edit the following file in /etc/asterisk/ombutel: manager__50-ombutel-user.conf. For each browser IP address you wish to authorize, add an entry like the following immediately below the existing permit entry in the file. Then reload the Asterisk dialplan: asterisk -rx "dialplan reload"
permit=12.34.56.78 permit=192.168.0.0/255.255.255.0
Taking Incredible PBX for a Test Drive
You can take Incredible PBX for VitalPBX on a test drive in two ways. You can call our server, and then you can try things out on your own server and compare the results. Call our IVR by dialing 1-843-606-0555. For our international friends, you can use the following SIP URI for a free call: 10159591015959@atlanta.voip.ms. For tips on setting up your own secure, hybrid SIP URI with VitalPBX, see our original tutorial. The FreePBX® setup is virtually identical except for the location of the custom SIP setting for match_auth_username=yes. On a VitalPBX server, you will enter it here: Settings:Technology Settings:SIP Settings:CUSTOM.
With Allison’s Demo IVR, you can choose from the following options:
- 0. Chat with Operator — connects to extension 701
- 1. AsteriDex Voice Dialer – say "Delta Airlines" or "American Airlines" to connect
- 2. Conferencing – log in using 1234 as the conference PIN
- 3. Wolfram Alpha Almanac – say "What planes are flying overhead now?"
- 4. Lenny – The Telemarketer’s Worst Nightmare
- 5. Today’s News Headlines — courtesy of Yahoo! News
- 6. Weather by ZIP Code – enter any 5-digit ZIP code for today’s weather
- 7. Today in History — courtesy of OnThisDay.com
- 8. Chat with Nerd Uno — courtesy of SIP URI connection to 3CX iPhone Client
- 9. DISA Voice Dialer — say any 10-digit number to be connected
- *. Current Date and Time — courtesy of VitalPBX
CAUTION: We have intentionally disabled outbound calls using Option #9 and redirected callers to Lenny. The reason is that an unscrupulous caller could easily run up your phone bill by entering a number with expensive destination charges. If you wish to enable the feature, despite the risks, you can edit extensions__80-1-incrediblepbx.conf and make the change.
You can call your own IVR in two ways. From an internal VitalPBX phone, dial D-E-M-O (2663) to be connected. Or simply dial the number of the DID you routed to the Incredible PBX Custom Context. Either way, you should be connected to the Incredible PBX IVR running on your VitalPBX server. Be sure that you heed AND test the CAUTION documented above.
Using Incredible PBX Features Independently of IVR
Now that we have some of the Incredible PBX applications in place using the IVR, there may be situations in which you want callers to be able to access the individual components without navigating through the IVR. For example, you may want to let users contact LENNY (53669) directly. There are three steps to do this: (1) add a new Custom Context for the feature desired, (2) add a new Custom Application with the number to associate with the application, and (3) add a snippet of dialplan code to extensions__80-custom.conf redirecting the Custom Context to the matching IVR priority. Then reload Asterisk dialplan.
For the new Lenny Custom Context, here are the entries:
Description: Lenny Context: lenny Extension: s Priority: 1 Destination: Terminate Call -> Hangup
For the new Lenny Custom Application, here are the entries:
Code: 53669 Name: Lenny Enabled: Yes Destination: Custom Contexts -> Lenny
In /etc/asterisk/ombutel/extensions__80-custom.conf, add the following dialplan code and reload the Asterisk dialplan: asterisk -rx "dialplan reload"
[lenny] exten => s,1,NoOp(Lenny) same => n,Answer same => n,Goto(incrediblepbx,53669,1)
Let’s walk through one more example to be sure you get the hang of it. To mimic the News Headlines (951) setup on other Incredible PBX platforms, here are the steps:
For the News Custom Context, here are the entries:
Description: News Context: news Extension: s Priority: 1 Destination: Terminate Call -> Hangup
For the News Custom Application, here are the entries:
Code: 951 Name: News Enabled: Yes Destination: Custom Contexts -> News
In /etc/asterisk/ombutel/extensions__80-custom.conf, add the following dialplan code and reload the Asterisk dialplan: asterisk -rx "dialplan reload"
[news] exten => s,1,NoOp(News) same => n,Answer same => n,Goto(incrediblepbx,5,1)
Coming Events. We still plan to address security for those that want to deploy this terrific platform in the cloud. And we’re already working on a new version of CallerID Superfecta for VitalPBX that will let you use OpenCNAM to associate names with CallerID numbers. You can follow our progress and offer suggestions on the PIAF Forum.
Originally published: Monday, October 14, 2019
Got Friends? 7 Countries Have Never Visited Nerd Vittles. 2018 Is Calling! https://t.co/wMfmlhAr16 #asterisk #freepbx #wazo #issabel #IncrediblePBX #3CX pic.twitter.com/kAmAEnwVIw
— Ward Mundy (@NerdUno) January 9, 2018
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Mastering the Incredible PBX 16-15 Feature Set with Raspbian
This week we’ll finish up our introduction of Incredible PBX® 16-15 for the Raspberry Pi with a quick look at some of the additional features that are offered on this new platform and that were not covered in our first and second articles. These include text-to-speech apps for news, weather, and today in history as well as the sample ODBC apps for speed dialing and employee data base lookups. We’ll also walk you through the conferencing setup and document the easiest way to deploy an Interactive Voice Response (IVR) system or a Stealth AutoAttendant with or without Direct Inward System Access (DISA) which provides a way to call into your PBX from anywhere and obtain dial tone to make calls or access features just as if you were using a local phone connected to your PBX. We’ll finish up with a review of the Incredible PBX security model: Travelin’ Man 3 IPtables firewall, Fail2Ban, and PortKnocker.
Introduction to Incredible PBX TTS Apps
Text-to-Speech (TTS) applications are included in Incredible PBX for two reasons. First, they provide useful information by phone. Second, they document the procedure required to build your own TTS applications using Asterisk®. That process typically includes a dialplan code addition to /etc/asterisk/extensions_custom.conf plus a PHP/AGI script which must be stored in /var/lib/asterisk/agi-bin. The actual interaction with the caller is handled in the dialplan code using a TTS engine to convert the text results of the PHP/AGI query into audio suitable for playback over the telephone. The (free) PicoTTS engine is included in the Incredible PBX image for the Raspberry Pi. The commercial IBM TTS engine is also available.
The job of the dialplan code is to answer the incoming call and prompt the caller for any necessary information that needs to be passed to the PHP/AGI script to obtain the information sought by the caller. For example, with the Weather by ZIP code app, the caller dials Z-I-P (947) and the dial plan code prompts the caller for the ZIP code of the desired weather report. This ZIP code is then passed to the nv-weather-zip.php AGI script to retrieve the requested weather forecast. The text results of the query then are passed back to the dialplan code which plays back the results to the caller using the PicoTTS engine.
Three sample TTS applications are included. Dial 951 for the latest Yahoo News headlines. Dial 947 to obtain a weather report for any American city using its ZIP code. Dial T-O-D-A-Y to listen to Today in History events for the current day of the year.
Introduction to Incredible PBX ODBC Apps
As with TTS apps, sample ODBC apps are included in Incredible PBX to provide useful information to callers and to document the procedure required to build your own ODBC applications with Asterisk. For those unfamiliar with ODBC, it is a middleware component that lets you build generic database applications that will work with almost any data base management system. In our case, we are using the MySQL clone, MariDB, as the backend database. But the same ODBC API could be used with a database stored in SQLite, or SQL Server, or PostgreSQL. To interact with your own database, the first step is to install an ODBC connector for your particular database so that it can "talk" to Linux and to Asterisk. On the Linux side, take a look at /etc/odbc.ini for examples of how this is done for individual databases. If you’re using a backend database other than MySQL/MariaDB, then the driver must be installed and added to /etc/odbcinst.ini. On the Asterisk side, there are three pieces that need to be put in place in /etc/asterisk. res_odbc_custom.conf houses the actual linkages to the ODBC databases defined in /etc/odbc.ini. func_odbc.conf houses the actual ODBC queries that will be used to read and write information from and to your databases. Finally, odbc.conf contains the dialplan code that will be used to interact with the caller. It answers the incoming calls, prompts the caller for necessary data to complete the query, executes the query defined in func_odbc.conf, and then converts the text results to audio and passes the results back to the caller using the PicoTTS app.
Two sample ODBC applications are included. Dial 222 to obtain an employee name lookup from the employee timeclock database by entering the employee number, e.g. 12345. Dial 223 for a speed dial application using the AsteriDex dialcode (the first 3 letters of a name). For example, enter D-E-L to obtain phone number of Delta Airlines and optionally place the call.
Introduction to Incredible PBX Conference Bridge
The Incredible PBX platform includes a preconfigured conference application which makes it easy for two or more parties to confer regarding any subject matter of common interest. Those with a local extension on the PBX can join the conference by dialing C-O-N-F (2663). For callers outside the PBX to participate, you would need to add a DID that points to the conference number. We’ve made it easy by including this option in the sample IVR created by Allison Smith. Simply designate the IVR as the destination for a DID and tell users to choose option 2. Local users can call D-E-M-O (3366) and choose option 2.
Before using the conference application, you will want to reset the conference passwords. There’s one for users and a second one for the conference leader. After logging into your server as root, issue the command: ./reset-conference-pins. You can display most of the passwords on your PBX including the conference PINs: ./show-passwords.
The conference bridge setup is configured in the GUI: Applications -> Conferences. Here you can decide whether to require the conference administrator to be present before users can join the conference, you can force termination of the conference when the admin leaves, you can enable the menus for users and administrators by pressing *, you can choose whether to record the conference, you can set the maximum number of conference participants, and much more. Simply click on the ? icons for explanations of the various features. CAUTION: Be advised that saving new settings for the conference bridge will reset the conference PINs to the entries shown or entered into the template, e.g. 1234 and 4321 as shown above!
Configuring Incredible PBX IVRs and AutoAttendants
We’ve included a sample IVR and the Stealth AutoAttendant as part of the Incredible PBX install. The easiest way to master the process of building these is to examine the included samples and try them out: Applications -> IVR -> DemoIVR. The demo IVR comes with all the options preconfigured. Be very careful exposing this through a DID unless you have hardened the passwords, especially for the Telephone Reminders app since this application allows any caller to set up calls to external phone numbers which may cost you money!
The IVR options themselves are self-explanatory and well-documented under the ? icon. The IVR Entries at the bottom of the template define the destinations for caller button presses during a call. The Stealth AutoAttendant is worth examining further since it does not include predefined destinations. You would need to add these yourself. The idea behind a Stealth AutoAttendant is to provide options to a caller which are not explained when the AutoAttendant answers the call. In this way, it allows you to "hide" certain features of your PBX from the average caller. While standing alone, it’s obviously not secure since anyone can press a number on their phone after being connected, it does at least obscure the existence of the options. One good use for this is a DISA option which would let you call into your PBX to obtain dialtone to perform other functions on the PBX with an appropriate password, of course. This is documented in the next section and would need to be set up BEFORE adding the option as a choice on the AutoAttendant.
Configuring DISA with Incredible PBX
Before setting up a DISA option with Incredible PBX, be aware of the risks. Anyone that guesses your DISA password basically gets a blank check to perform any function that could be executed from any phone registered to your PBX. If you’ve decided to proceed anyway, access the GUI and choose Applications -> DISA -> Add DISA. Here’s what a typical DISA setup would look like. You’d obviously want a much more secure PIN!
Once you have saved the template and reloaded your dialplan, you then can add DISA as an option in your IVR or AutoAttendant. Be sure to test it carefully before exposing it for public access. You’ve been warned!
Incredible PBX Security Model Overview
Unlike most other free PBX offerings, Incredible PBX is always deployed as a secure platform. Attempts to access Incredible PBX from outside your local area network will fail unless the IP address has been whitelisted in the IPtables firewall using one of the Travelin’ Man 3 utilities: add-ip or add-fqdn. Repeated attempts to access the PBX will be blocked by Fail2Ban and subsequent attempts to whitelist a blocked IP address will not be successful until the Fail2Ban quarantine expires. Thus, it is important to set up Incredible PBX initially using a desktop PC from which you will subsequently manage the PBX. This assures that at least this desktop PC’s IP address is whitelisted.
To whitelist a static IP address, log into your server as root and issue the following command: ./add-ip my-log-cabin 12.34.56.78 where my-log-cabin is the descriptive name you wish to associate with the whitelisted IP address and 12.34.56.78 is the actual IP address.
Obviously, everyone doesn’t have a static IP address. That’s what the add-fqdn utility is for. It allows you to use a dynamic DNS service to assign an FQDN to a dynamic IP address and rely upon the dynamic IP address provider to keep the FQDN synchronized as the IP address changes. Search your favorite search engine, search for "free dynamic dns raspberry pi" to find available providers. On the Incredible PBX, the setup is much the same except you’ll use the FQDN assigned to the IP address: ./add-fqdn my-log-cabin logcabin.myip.com. Incredible PBX actually runs a script every 10 minutes to keep dynamic IP addresses synchronized. Don’t make any changes to /root/ipchecker. If you’d prefer to have the script run more frequently, adjust the 10 entry in the ipchecker line in /etc/crontab.
Last but not least, Incredible PBX includes the PortKnocker utility which provides an emergency "back door" into your PBX if you ever find yourself locked out by the firewall rules. The idea behind PortKnocker is that you send a packet to three random, pre-defined ports in a particular sequence and, if there’s a match, PortKnocker whitelists your IP address for further access to the server until the firewall is restarted or the server is rebooted. You’ll find your credentials and documentation in /root/knock.FAQ. If your PBX is sitting behind a hardware-based router or firewall, be sure to map the three TCP ports to the LAN IP address of your PBX. Enjoy!
Originally published: Wednesday, August 28, 2019
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Keep On Trunkin’: Free International VoIP Calling Returns
Today we’re taking a fresh look at the international calling marketplace by updating the best VoIP deals available. FreeVoipDeal once again takes the prize with the best selection of "free" international calling destinations at the lowest prices. Below we’ll provide a quick tutorial to transform your Incredible PBX server into an international calling platform at minimal cost.
Here’s How It Works. For every 10 euros ($10.72) you deposit into your account, you’ll get 300 minutes a week of free calls to a specific list of countries for 120 days. After you exhaust your free minutes, calls to the "free" countries revert to their standard VoIP rates. You can also call anywhere else in the world at very reasonable per minute rates that compare favorably with other SIP providers around the world. The beauty of a PBX and SIP trunks is you can mix and match as many providers as you like to take advantage of favorable calling rates to multiple countries. We’ll walk you through the FreeVoipDeal trunk setup below.
Betamax 101. There are a few things you need to know about the so-called Betamax VoIP services up front. Most importantly, they change rates and free countries more frequently than college kids change partners. The calling rate to some country from some Betamax provider changes almost every day because Betamax has dozens of companies offering similar services with differing rates and freebies. Here’s an very old spreadsheet that will give you a good idea of what you’re up against. Don’t depend upon it for the current rates. You’ll need to visit the actual site(s) for their current rate tables or visit this site (not) maintained by Betamax for a country-by-country comparison by provider. That’s another way of saying DON’T BLAME US IF YOUR 3-HOUR CALL TO ANTARCTICA CHANGED FROM 20¢ PER MINUTE TO $1 PER MINUTE OVERNIGHT. IT PROBABLY WON’T, BUT IT MIGHT.
One other word of warning. Some Betamax sites (marked with a red asterisk in the Betamax country table) such as powervoip.com have good calling rates, but they tack on a 3.9¢ connection fee to every call. If you make lengthy calls, it’s not a big deal. If you make numerous short calls, it drives your discount calling rates through the roof. Before making a lengthy call to a remote destination, spend the two minutes it takes to look up the current rate on the actual Betamax web site and take a snapshot of the page for your records. Here’s another tip. If you make frequent calls to Antarctica, spend a little time doing your homework. Review the latest Betamax spreadsheet to track down the cheapest rates. Then double-check the actual sites for the current rates. There’s a $100+ difference in the cost of a 3-hour call at €.20/minute from some Betamax sites versus the €.70/minute rate at some other Betamax sites. THIS OFTEN CHANGES! HINT: Don’t use FreeVoipDeal for Antarctica.
Today we’ll be focusing on the company we’ve tracked for many years, FreeVoipDeal.com. Except for the domain name, the setup with other Betamax providers is similar but not identical. And, of course, you’ll have to kick in another deposit to make free calls from each site. The length of the Freebie period also may vary so read the terms carefully. FreeVoipDeal actually hasn’t changed much since our first visit about five years ago. In fact, we still had most of our ten euro credit so we could play all we wanted even though the calls were no longer free since our four month window has long since expired.
Here’s the February 23, 2019 Freebie list by country. Don’t depend upon it! Check their actual web site or the Betamax country summary for current freebies and current rates. Here’s a great trick to remember. When you visit the FreeVoipDeal Rate Table, click on the Out of Minutes tab for a quick listing of all the Free Calling Countries as well as the rates once you’ve used up your four months or 300 weekly minutes of free calls. With few exceptions, most of the "free countries" still have a rate of 1.1¢ per minute even after you run out of minutes.
How Free International Calling Works
Placing international calls through FreeVoipDeal can be done in a number of ways. That’s the real beauty of a PBX. First, you can either load an app to make the calls if your smartphone or PC supports it. With Incredible PBX, you can use a SIP phone to dial a FreeVoipDeal number directly through your PBX, or you can dial a DISA access number or SIP URI from anywhere to connect to your PBX and then enter your DISA password after which you will get a second dial tone to place an international call using your FreeVoipDeal trunk. The beauty of the DISA approach is you can call into your PBX from any telephone to place free or dirt cheap international calls.
Using Incredible PBX 13 and DISA for Calling
On the Incredible PBX platform, you can use the DISA application to provide secondary dialtone for processing international calls. A phone number and trunk will receive incoming calls bound for DISA from your cellphone. An inbound route will only forward incoming calls to DISA that match your cellphone number. A secondary trunk from FreeVoipDeal or other providers will be used to process outgoing international calls that are dialed using DISA. We’ll create an outbound route or rule for every country to which you want to authorize international calling. Each of these outbound routes will point to the least expensive (or free) trunk to complete the call. In the VoIP world, you actually could have dozens of outbound trunks that handle international calls based upon the country codes of each international call. This lets you take advantage of the best calling rates for each country. We will block international calls to country codes not specifically authorized.
Just to restate the obvious, a misconfigured DISA application that allows the world to make international calls on your nickel can get expensive quickly. We’ll protect today’s DISA setup for Incredible PBX with three layers of protection. First, we’ll require that the CallerID of the incoming call match your cellphone number. While this isn’t failsafe since CallerID numbers can be spoofed, it does reduce the risk considerably. Second, to make DISA calls, you’ll have to know the incoming phone number or SIP URI managing DISA on your PBX. And third, you’ll have to enter the correct DISA PIN before being prompted for an international number to dial. Without all three, nobody gets to make an international call on your nickel. Just remember, compromising DISA on your PBX is just as risky as handing out your credit card to a stranger so follow the setup steps below carefully. And then TEST, TEST, TEST to make sure strangers can’t access your DISA setup. We’ll show you how.
Here’s an overview of the DISA setup drill once you have Incredible PBX running. We’ll walk through each of the six steps below. Don’t get frustrated. There are a number of steps, but none of them are difficult. Just pretend you’re baking cookies and don’t skip any steps.
- Set Up Your Trunk to Process Incoming DISA Calls
- Set Up Your Trunk(s) to Process Outgoing International Calls
- Configure DISA with a Very Secure Password
- Configure an Inbound Route to Limit Incoming DISA Calls to Your Cellphone #
- Configure an Outbound Route for Each International Country Code
- Test, Test, Test
1. Setting Up Incoming DISA Call Trunk
Before you can make calls to your PBX, it’ll need a phone number (known affectionately as a DID). As installed, Incredible PBX includes preconfigured SIP trunks from about a dozen SIP providers. All you’ll need is credentials from the company you wish to use. You can obtain a free DID here. To obtain your own SIP URI, read our tutorial.
2. Trunk Setup for International Calling
We’re going to walk you through setting up a trunk with FreeVoipDeal to handle free international calls to certain countries documented above. This may not be the best fit for you depending upon the international destinations you wish to call. Figure that out first! Then adjust the trunk settings below to match each SIP provider trunk you wish to create. There’s no limit to the number you can have. And, with most of these providers, you pay by the minute for international calls anyway so there is no harm in configuring multiple trunks to take advantage of the best rates calling the countries of your choice. The same applies to all-you-can-eat and "free" trunks except there are varying fees for using the services so you’re probably not going to want a dozen of them even if some of the calls are free after making a periodic deposit. Start with the pink and green entries on the old spreadsheet we referenced for the cheapest historical rates and then visit the actual sites and read the fine print.
To add new trunks to Incredible PBX, use a browser to access the IP address of your server. Login with the default username of admin and the password that you set when your install completed. You can change it with the admin-pw-change script in /root. Once the dashboard appears, click the Connectivity tab and choose Trunks -> Add SIP (chan_sip) Trunk.
For Trunk Name, enter FreeVoipDeal. In the Dialed Number Manipulation Rules section, add a rule for each country code you wish to activate. You can decipher the Country Code for any country at this link. For example, for the United Kingdom, you’d enter a rule like this where 44 is the Country Code and each X represents a required digit in the local area code and phone number. The trailing period means the number includes one or more additional digits. NOTE: DISA calls will not have to be prefixed with 011 to place international calls. Just enter the country code and number to be called. And, we are told that only 441, 442, and perhaps 443 calls to the U.K. are free since those are the designated landline prefixes.
If there are other countries, you wish to support with this trunk provider, you’d click Add More Dial Pattern Fields and insert an additional rule for each country following the example above. If you’ll be using this trunk to make calls in the U.S. and Canada as well, the correct Match Pattern is 1NXXNXXXXXX, and calls will need to be dialed with the 1 to avoid conflicts with international dialing.
Next, we need to enter the Outgoing Settings. For the Trunk Name, enter freevoipdeal. Clear out the entries in Peer Details section and enter the following using your actual FreeVoipDeal credentials for yourusername and yourpassword:
authuser=yourusername username=yourusername secret=yourpassword type=peer qualify=yes nat=yes insecure=port,invite host=sip.freevoipdeal.com fromdomain=sip.freevoipdeal.com dtmfmode=auto disallow=all canreinvite=no allow=alaw&ulaw
Finally, clear out the default entries in User Details and click the Submit Changes button and then red Apply Config button to save your new trunk.
Spoofing Your CallerID. When setting up your FreeVoipDeal account, you can set up one or more numbers to use as your CallerID number on FreeVoipDeal calls. You simply verify the number with a code sent by SMS or phone call from their service. Once you’ve gone through the verification procedure, you can spoof the outbound CallerID on FreeVoipDeal calls using your actual cellphone number. Just add the following entries to your Trunk settings replacing 9991234567 with your cellphone number. Special thanks to @hillclimber on the PIAF Forum for the tip.
fromuser=0019991234567 sendrpid=yes
3. Configuring DISA for International Calling
In the Incredible PBX GUI, we’ll set up DISA by clicking the Applications tab and choosing DISA. Add your new DISA configuration by following this sample. Use a VERY secure password. It’s your phone bill. Once you’ve finished, click the Submit Changes button and then the Apply Config button to save your new DISA setup.
4. Inbound Routing of DISA Calls
Here’s where we lock down your setup so that Incredible PBX only accepts DISA calls from your cellphone number. If you want to allow additional people to use your DISA setup or if you have multiple cellphones, then simply create multiple inbound routes with the 10-digit numbers of each phone to be supported.
In the Incredible PBX GUI, we’ll set up a new Inbound Route by clicking the Connectivity tab and choosing Inbound Routes. If you plan to support multiple phones, then create multiple inbound routes and give each of them a unique Description and CallerID Number that matches the phone number of the cellphone to be supported. Be sure to check the CID Priority Route checkbox and set the correct Destination for your incoming calls. Just fill in the blanks appropriately using this template as a guide. Once you’ve finished, click the Submit button and then the Apply Config button to save your new Inbound Route.
5. Outbound Routing by Country Code
The DISA application is going to obtain the phone number to be dialed and will pass that to the Outbound Routes module. The job of the Outbound Routes module is to examine the phone number passed to it from DISA to figure out which trunk to use to make the outbound call. It then will pass the call to the appropriate trunk which sends the outgoing call on its way to the destination.
For each Dialed Number Manipulation Rule in every Trunk that you set up in Step #2 above, you’ll need a matching Outbound Route if your PBX is used to place calls using multiple trunks. If you’re only using one provider for all of your outbound calls, then we can use a more generic Outbound Route. It’s always a good idea to create the one-to-one match between Outbound Routes and Trunks to make certain that outbound calls are sent to the correct Trunk for processing. So let’s do that using the U.K. trunk we created above.
In the Incredible PBX GUI, we’ll set up a new Outbound Route by clicking the Connectivity tab and choosing Outbound Routes. When the template appears, notice in the far right column that there’s a listing of all your existing Outbound Routes. Calls are actually processed sequentially using the order that these Outbound Routes appear in the list. If there’s no number match in the top route, processing drops to the next route in the list until there is a match AND a successful connection. You can adjust the sequence by dragging the Outbound Routes to a different position in the priority list.
It’s important to use specificity in your Outbound Routes (especially with International calling) to make certain that a call isn’t inadvertently processed by some other trunk. The easiest way to do this is to require the Outbound Route Match Pattern for U.K. calls to be at least 11 digits, e.g. 44XXXXXXXX. (the trailing period is important in that it requires at least one more digit for a match). And we can force a Hangup if the FreeVoipDeal trunk is not available for some reason by adjusting the Destination on Congestion setting. This keeps the call routing from dropping down to the next available Outbound Route in the list if FreeVoipDeal happens to be off-line at some point. So our Outbound Route for U.K. calls should look something like this:
The final step is to move the new Outbound Route for U.K. calls to the top of the Outbound Routes listing in the right column to assure that it is processed first. Once you’ve done that, click the Submit Changes button and then the Apply Config button to save your new Outbound Route AND the adjusted Outbound Route Priority List.
Another alternative in creating Outbound Routes is to use a Dial Prefix that never matches a real phone number to direct calls to a particular trunk. For example, you might use *8 as a dial prefix for FreeVoipDeal calls. By placing *8 in the Prefix column of the Dial Pattern, it will get stripped off before the number is actually passed to the FreeVoipDeal trunk for processing. We actually prefer this setup because it adds an additional layer of security for international calls. If someone were to break into your DISA application by knowing your cellphone number AND your DID AND your DISA password, it’s unlikely they’d also know to prefix outgoing international calls with some arbitrary dial prefix. Just don’t use *8 in case they’re a Nerd Vittles reader. 😉
6. Test, Test, Test!
The easiest way to test the new setup is to place a couple of calls and to watch the Asterisk CLI (asterisk -rvvvvvvvvvv) and see how the calls are processed and who answers at the other end. Then you can apologize for reaching the wrong number.
You can make up your own test methodology, but here’s one that works for us. There are several tests you need to make. First, call your Incredible PBX DID from your authorized cellphone and enter a correct DISA password to see if you get dial tone to make an international call. Then repeat the drill with an invalid password and make sure you don’t get a dial tone. Next, call your Incredible PBX DID from a phone other than your authorized cellphone. You should not get a prompt for a DISA password. Finally, we use the first three digits of a U.K. number to identify a matching NANPA area code. Then, we find hotels in the two matching cities. For example, one might attempt to call a hotel in Bath, England (44 1… ……) and a hotel in Bermuda (441-…-….). The U.K. call should go through, and the Bermuda call should fail. If you pass all three tests with flying colors, you’re good to go.
Using FreeVoipDeal’s MobileVoIP App
FreeVoipDeal also offers a MobileVoIP app that can be used directly on your smartphone (Android, iOS, and Windows phone versions available) using any Wi-Fi, UMTS, 4G/LTE, 3G, GPRS or EDGE connection. The drawback is the lack of the three extra layers of security protection that Incredible PBX using DISA offers. MobileVOIP lets you log in with your registered Betamax credentials and offers the option to use your existing VoIP credit from your smartphone. The downside is that anyone with the app and your credentials can call anywhere and talk for as long as they like on your nickel using any of your registered CallerIDs. You’ve been warned. For more information or to download the app for your mobile device, go here. Remember to dial the "+1″ country code prefix for U.S./Canada calls.
Originally published: Monday, April 24, 2017 Updated: Monday, February 25, 2019
Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.
Need help with Asterisk? Visit the VoIP-info Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
The Definitive Quick Start Guide: Introducing Incredible PBX for XiVO
Today we kick off a new Asterisk® adventure with the introduction of Incredible PBX™ for XiVO®. This pure GPL implementation of Asterisk has no strings, no gotchas, no hidden agenda, and no primadonnas. It’s open source code with no prohibitions on redistribution. The XiVO developers actively participate in the XiVO and PBX in a Flash™ communities and actually listen to constructive suggestions to improve their product. Changes happen in days, not years. Today we celebrate the return of true GPL project development and the end of closed-source ISOs and commercial modules with costly annual support contracts. Join us!
UPDATE: This article has been superseded. For the latest tutorial, go here.
If you’ve been following Nerd Vittles these past two months, then you already know there is literally nothing in the open source Unified Communications world that you can’t do faster, better, and cheaper with XiVO: automatic backups every night, seamless upgrades every three weeks, uncrippled endpoint provisioning for dozens of phones, powerful call centers, high availability redundant servers, real-time Asterisk technology out of the box, flexible SDK and APIs, and much more.
XiVO Installation Methodology
There are two ways to build XiVO servers. You can start with a minimal install of Debian 8 (64-bit), or you can use the 64-bit XiVO ISO. The advantage of the XiVO ISO is that building a system from the ISO gets you BOTH Debian 8 AND the basic XiVO install. However, you can only use the XiVO ISO on platforms that you own, not on virtual machines controlled by somebody else. Stated another way, if you plan to use dedicated hardware or VirtualBox or VMware ESXi, use the XiVO ISO. Otherwise, install a minimal Debian 8 (64-bit) operating system and nothing else on your platform of choice. Now you’re ready to choose your Incredible PBX installer. Install time: about 5-20 minutes depending upon the platform.
IMPORTANT: When you build your Debian 8 platform on either stand-alone hardware or as a virtual machine, use a fully-qualified domain name for your server’s hostname, e.g. xivo.incrediblepbx.com, NOT xivo. Disaster awaits if you forget this! But, don’t worry. If you do forget, the install will blow up, and you’ll get to start over. But you’ll remember the next time. 😉
Incredible PBX Feature Set
If you’ve been sleeping under a rock for the last few years, you may be wondering what the Incredible PBX offering includes. We’ve tried to preserve much of the functionality of prior releases in the XiVO implementation, and there is still more to come. Here’s a quick summary of two dozen features and applications that Incredible PBX offers for XiVO today:
Recent Additions: Skype Connect, Port Knocker, PPTP VPN, Pico TTS, A La Carte installer, Telephone Alarms.
The 3 Flavors of Incredible PBX for XiVO
To kick off our Independence Day celebration, we introduced three new Incredible PBX turnkey installers for XiVO because of the numerous platforms on which XiVO will run. We’ve now combined all three of the original installers into a single script for ease of use.
For those new to XiVO, there are three steps in getting a XiVO PBX up and running: (1) Debian 8 OS installation, (2) XiVO installation, (3) and XiVO basic configuration (typically using a web browser). The Incredible PBX installer has different tasks based upon how far along in this installation process you happen to be on a particular platform. Our special thanks to Sylvain Boily for his Python wizard to assist us in providing turnkey installs to the greatest extent possible. So here’s the new installer, but you are well advised to actually follow the platform tutorial (below) for your provider because of special quirks that are provider-specific:
IncrediblePBX13-XiVO.sh – Suitable for Debian 8 (32-bit or 64-bit) minimal platform where XiVO is not installed. Use with Cloud VMs. Also works with Debian 8 (32-bit or 64-bit) platform with XiVO installed but not configured. This is typically the situation if you built your server using the XiVO ISO. And the new installer works with Debian 8 (32-bit and 64-bit) platform with XiVO installed and configured.
WARNING: Incredible PBX erases and replaces stuff as part of its installation procedure. NEVER install Incredible PBX over the top of an existing production server!
Incredible PBX Installation Procedure
We’ve taken the guesswork out of this for a number of platforms by providing detailed tutorials that you can follow:
Choosing a XiVO Hardware Platform
- XiVO Platform Tutorial: Manually Installing XiVO and Debian 8
- XiVO Platform Tutorial: Installing XiVO on a Dedicated PC
- XiVO Platform Tutorial: Installing XiVO VM on VirtualBox
- XiVO Platform Tutorial: Turnkey 5-Minute Install on VirtualBox
- XiVO Platform Tutorial: Installing XiVO VM on VMware ESXi
- XiVO Platform Tutorial: Installing XiVO VM at ImpactVPS
- XiVO Platform Tutorial: Installing XiVO VM at Digital Ocean
- XiVO Platform Tutorial: Installing XiVO VM at CloudAtCost
- XiVO Platform Tutorial: Installing XiVO VM at RentPBX
- XiVO Platform Tutorial: Installing XiVO VM at Vultr
- XiVO Platform Tutorial: Installing XiVO VM at OVH.com
- XiVO Platform Tutorial: Turnkey 1-Minute Install on Raspberry Pi 3
If your situation falls somewhere in between all of these, here’s a quick summary. For stand-alone systems and virtual machine platforms that you own (such as VirtualBox and VMware ESXi), download and install the 64-bit version of XiVO using the XiVO ISO. For most other virtual machine platforms in the Cloud, you’ll start by creating a 64-bit Debian 8 virtual machine with at least 1GB of RAM and a 20GB drive. For turnkey cloud servers such as RentPBX, simply choose the VM option that already has Debian 8 and XiVO preinstalled.
Once you have your platform up and running, simply download and run the Incredible PBX installer:
cd /root wget http://incrediblepbx.com/IncrediblePBX13-XiVO.sh chmod +x IncrediblePBX13-XiVO.sh ./IncrediblePBX13-XiVO.sh
Incredible PBX Initial Configuration
Here are the first steps to complete after you have finished your initial XiVO and Incredible PBX installation. Log into the web interface at the IP address of your server using username root and the web password you created during installation.
All of this initial setup will be completed under the IPBX option of the Services tab as shown below. For each of the categories below, click on the matching section and tab in XiVO’s IPBX toolbar and fill in the properties as indicated.
UPDATE: The latest Incredible PBX for XiVO installer automatically configures SIP defaults and a dozen SIP trunks for you using XiVO Snapshots if you elect to install all of the Incredible PBX features when you run the installer. If so, you can skip through the next few sections of this tutorial.
General Settings:SIP Protocol
WARNING: If your XiVO server is running as a virtual machine behind a hardware-based NAT router and the virtual host also is sitting behind the same router, you may experience failed calls by setting the external IP address and local network addresses in the following screen. Try calls first without these settings, and add them only if you experience calling issues such as failed calls or one-way audio.
Genl Settings:SIP Protocol:Signaling:Codecs
In order of priority, move desired Codecs from right to left by clicking on + icons. If you plan to use the IAX or SCCP protocol for phones and/or trunks, also select Default Codecs under General Settings:IAX Protocol:Default and General Settings:SCCP Protocol tabs, respectively.
Genl Settings:SIP Protocol:Signaling:DNS
For DNS Manager and Server Lookup support (required for some SIP providers), enable the DNS Request field:
IPBX Configuration:Contexts
XiVO differs from some other Asterisk implementations in the way it manages the routing of calls. XiVO uses Contexts to define what constitute Internal calls (Default), External calls (Outcalls), and Incoming calls (Incalls). Think of these contexts as dialing rules. They define how the three categories of calls are managed internally by the XiVO PBX and determine which callers can do what with your PBX resources. XiVO uses dial strings and ranges of phone numbers to manage and constrain how various classes of calls are routed. The reason for these call specifications is pretty simple. You don’t want outside callers dialing into your PBX and making outbound calls using your PBX trunks on your nickel.
Some basic settings to enable internal calls and allow creation of user accounts were configured when you set up your XiVO PBX by running the configuration script. However, before anyone can make or receive calls to/from outside the XiVO PBX, you’ll need some additional specifications.
Edit the from-extern (Incalls) context and click Incoming Calls tab then the + icon. Add a range of DID numbers for incoming calls that will be allowed. These are the phone numbers assigned to SIP and IAX trunks that were acquired through commercial providers such as Vitelity. Note that the example below assumes that your incoming DID trunks deliver calls with 10-digit numbers. If you’re using a service such as Google Voice that delivers calls with 11-digit numbers starting with a 1, then add an additional range of numbers starting with a 1. If the provider delivers calls with +44, then you’d add an additional range with that prefix. Click Save once you’ve entered your settings.
Let’s also modify the Default context to support MeetMe conferencing for your server. Edit the default context and click Conference Rooms tab then + icon. For the extension range, enter 2663-2665. 2663 spells C-O-N-F by the way. Then click Save. If you have a DAHDI timing source on your server, you then can add conferences: IPBX Setting:Conference Rooms. If you don’t have a DAHDI timing source or you don’t know what any of this means, keep reading. There’s an easier way to set up a conference room for your users.
While you’re still in the (2) Default context, click on the (3) General tab and (4) move all of the sub-contexts to the left (Selected) column. (5) Then click the Save button.
General Settings:Advanced (Time Zone)
IPBX Settings:Users:Add User
Before you can actually make or receive calls with XiVO PBX, you’ll first need at least one User, Extension, and Line. So click on the (1) Users tab and then (2) the + icon and Add option (as shown below) to get started.
Use the General tab entries below as a guide to create your first user account. You only need to fill in options (1) and (2) if you would like this user to receive a simultaneous call on a mobile phone whenever this user’s internal phone rings.
In the Lines tab, assign an internal phone number for this user. By default, the initial configuration script created a range of extension numbers for you: 701-799. This can be changed in the next section to meet your specific requirements.
Once you’ve chosen an extension, click the Save button and a Line will automatically be generated to associate with your new User account.
Next, goto IPX Settings:Lines and click the pencil icon to obtain your SIP username and password credentials. You’ll need these to connect a SIP phone or softphone to your user account.
While you’re obtaining your username and password SIP credentials, fill in the blanks for the Line and click Save:
IPX Settings:Users (Voicemail Setup)
There are two steps to setting up voice mailboxes correctly. First, you need to configure the voicemail system defaults to accommodate your required time zones. The system only comes with support for Europe/Paris.
Go to (1) IPX General Settings:Voicemails and (2) click Time Zones tab and then (3) + Add. (4) Name your new time zone, (5) select the correct Time Zone from the pull-down list, and (6) add the following under Options and (7) Save your entry:
'vm-received' q 'digits/at' kM
Go to (1) IPX Settings:Users, edit your (2) User account, and click the (3) Voicemail tab. (4) Click the + icon to Add a new Voicemail account. (5) Check Enable Voicemail. (6) Fill in the form using the sample below. Be sure to choose the correct Time Zone for your voicemails. Uncheck Delete message after notification to retrieve voicemail messages by dialing *98 from an extension. (7) Click Save.
Setting Up a Ring Group in XiVO
A ring group is a collection of extensions to which calls can be routed. In XiVO terminology, they’re known as Groups. Extensions in a Group can be set to ring simultaneously or in one of six round-robin configurations based upon factors such as previous call volume. Before you can create a ring group, you first have to enable a range of extensions to dedicate to Groups. Edit the Default context, click the Groups tab, and then click the + Add icon to add a range of extension numbers:
To create a new ring group, choose IPX Setttings -> Groups and click the + Add icon. A typical setup to ring all extensions simultaneous and play a ring tone to the caller would look like this:
Next, click on the Users tab and move the desired extensions to the the selected side of the window. Then click Save.
Setting Up Trunks and Routes for XiVO Calling
Before you can make calls to phones outside your PBX or receive calls from outside your PBX, you’ll need one or more trunks. We’ve simplified the process of setting these up by providing step-by-step tutorials for the leading trunk providers. They are reproduced below for ease of reference:
XIVO Trunk Implementation Tutorials
- XiVO Trunks Tutorial: Installing a Vitelity SIP Trunk
- XiVO Trunks Tutorial: Installing a VoIP.ms SIP Trunk
- XiVO Trunks Tutorial: Installing a RingPlus SIP Trunk
- XiVO Trunks Tutorial: Installing a FreeVoipDeal (Betamax) SIP Trunk
- XiVO Trunks Tutorial: Installing a Google Voice-Simonics SIP Trunk
- XiVO Trunks Tutorial: Deploying Native Google Voice with OAuth Trunks
- XiVO Trunks Tutorial: Installing an Anveo Direct Outbound SIP Trunk
- XiVO Trunks Tutorial: Installing a Skype Connect SIP Trunk
- XiVO Trunks Tutorial: Installing a LocalPhone SIP Trunk
- XiVO Trunks Tutorial: Installing a CallCentric SIP Trunk
- XiVO Trunks Tutorial: Installing a FlowRoute SIP Trunk* (not yet verified)
Once you’ve added one or more trunks, you’ll need to tell XiVO how to route outgoing and incoming calls. Here are our step-by-step tutorials on setting up Outbound Calling Routes and Incoming Call Routes:
XIVO Call Routing Tutorials
- XiVO Call Routing Tutorial: Creating Outbound Routes for PSTN Calling
- XiVO Call Routing Tutorial: Creating Inbound Routes for DIDs
Deploying Google Voice with OAuth on XiVO PBX
Beginning in mid-August, 2016, native Google Voice with OAuth support became available on the Incredible PBX for XiVO platform. It supports deployment of multiple Google Voice trunks on any XiVO server. This new Nerd Vittles tutorial will walk you through implementation.
Using an SMTP Mail RelayHost with Postfix
To cut down on spam, many ISPs no longer allow SMTP mail traffic that originates from downstream mail servers. If your server is connected to an ISP such as Comcast, that would be you. Here’s how to reconfigure the Postfix mail server included with XiVO to process your outgoing emails using your ISP as a mail relay.
First, edit /etc/postfix/main.cf and search for relayhost. Replace it with the entries below. If it’s not in the file, then just add the following entries to the end of the file:
relayhost = smtp.comcast.net:587 smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasldb smtp_sasl_security_options = noanonymous
Next, create /etc/postfix/sasldb and add the following entries: your ISP (smtp.comcast.net) followed by a TAB and then your full comcast login name, a colon, and your Comcast password. No spaces! Save the file.
Next, create a hashed version of the file: postmap sasldb
Then restart Postfix: /etc/init.d/postfix restart
Now send yourself a test email like this:
echo "test" | mail -s testmessage yourname@yourmailprovider.com
Getting Started with SQLite3 on the XiVO Platform
Here are a couple SQLite3 queries to get you started with syntax:
sqlite3 /var/lib/asterisk/agi-bin/zipcodes.sqlite "select zip,city,state from zipcodes where zip=29401;" sqlite3 /var/lib/asterisk/agi-bin/asteridex.sqlite 'select name,out from user1 where name LIKE "%Airlines%";'
A bonus script in /root will let you convert existing MySQL databases to SQLite3. For example, if you’re currently using AsteriDex on another Incredible PBX platform, it only takes a couple seconds to convert your MySQL database to SQLite3. The syntax to run the script looks like this:
./mysql2sqlite3.sh -u root -ppassw0rd yourdatabase | sqlite3 yourdatabase.sqlite
Move the script to the server on which your existing MySQL databases are stored and run it there using the above syntax. Then copy the asteridex.sqlite file to your XiVO server and save it in /var/lib/asterisk/agi-bin.
Getting Started with Incredible PBX Call Logs
To retrieve SQLite3 call log data, here are a few examples to get you started:
ALL: sqlite3 /var/log/asterisk/master.db "select * from cdr"
DATE: sqlite3 /var/log/asterisk/master.db "select * from cdr where calldate >= '2016-05-22'"
NPA: sqlite3 /var/log/asterisk/master.db "SELECT * from cdr WHERE clid LIKE '%<843%'"
DEST: sqlite3 /var/log/asterisk/master.db "SELECT * from cdr WHERE dstchannel LIKE '%411%'"
FLDS: sqlite3 /var/log/asterisk/master.db "PRAGMA table_info(cdr)"
To retrieve the CDR log in CSV format suitable for spreadsheets, download:
/var/log/asterisk/cdr-csv/Master.csv
Managing Your Logs with XiVO
XiVO is a busy place especially on a busy PBX. Call logs and traditional Asterisk and Linux logs grow like crazy. We have added the following entries to /etc/crontab to assure that you don’t inadvertently run out of disk space on your server. Modify them to meet your own requirements.
10 1 * * * root rm -f /tmp/tts* > /dev/null 2>&1 11 1 * * * root rm -f /var/log/asterisk/*.gz > /dev/null 2>&1 11 2 * * * root rm -f /var/log/asterisk/*.1.gz > /dev/null 2>&1 12 1 * * * root rm -f /var/log/*.gz > /dev/null 2>&1 12 2 * * * root rm -f /var/log/*.1.gz > /dev/null 2>&1
Activating Voice Recognition for XiVO
Google has changed the licensing of their speech recognition engine about as many times as you change diapers on a newborn baby. Today’s rule restricts use to “personal and development use.” Assuming you qualify, the very first order of business is to enable speech recognition for your XiVO PBX. Once enabled, the Incredible PBX feature set grows exponentially. You’ll ultimately have access to the Voice Dialer for AsteriDex, Worldwide Weather Reports where you can say the name of a city and state or province to get a weather forecast for almost anywhere, Wolfram Alpha for a Siri-like encyclopedia for your PBX, and Lefteris Zafiris’ speech recognition software to build additional Asterisk apps limited only by your imagination. And, rumor has it, Google is about to announce new licensing terms, but we’re not there yet. To try out the Voice Dialer in today’s demo IVR, you’ll need to obtain a license key from Google. This Nerd Vittles tutorial will walk you through that process. Don’t forget to add your key to /var/lib/asterisk/agi-bin/speech-recog.agi on line 72.
Adding DISA Support to Your XiVO PBX
If you’re new to PBX lingo, DISA stands for Direct Inward System Access. As the name implies, it lets you make calls from outside your PBX using the call resources inside your PBX. This gives anybody with your DISA credentials the ability to make calls through your PBX on your nickel. It probably ranks up there as the most abused and one of the most loved features of the modern PBX.
There are three ways to implement DISA with Incredible PBX for XiVO. You can continue reading this section for our custom implementation with two-step authentication. There also are two native XiVO methods for implementing DISA using a PIN for security. First, you can dedicate a DID to incoming DISA calls. Or you can add a DISA option to an existing IVR. Both methods are documented in our tutorial on the PIAF Forum.
We prefer two-step authentication with DISA to make it harder for the bad guys. First, the outside phone number has to match the whitelist of numbers authorized to use your DISA service. And, second, you have to supply the DISA password for your server before you get dialtone to place an outbound call. Ultimately, of course, the monkey is on your back to create a very secure DISA password and to change it regularly. If all this sounds too scary, don’t install DISA on your PBX.
1. To get started, edit /root/disa-xivo.txt. When the editor opens the dialplan code, move the cursor down to the following line:
exten => 3472,n,GotoIf($["${CALLERID(number)}"="701"]?disago1) ; Good guy
2. Clone the line by pressing Ctrl-K and then Ctrl-U. Add copies of the line by pressing Ctrl-U again for each phone number you’d like to whitelist so that the caller can access DISA on your server. Now edit each line and replace 701 with the 10-digit number to be whitelisted.
3. Move the cursor down to the following line and replace 12341234 with the 8-digit numeric password that callers will have to enter to access DISA on your server:
exten => 3472,n,GotoIf($["${MYCODE}" = "12341234"]?disago2:bad,1)
4. Save the dialplan changes by pressing Ctrl-X, then Y, then ENTER.
5. Now copy the dialplan code into your XiVO setup, remove any previous copies of the code, and restart Asterisk:
cd /root sed -i '\:// BEGIN DISA:,\:// END DISA:d' /etc/asterisk/extensions_extra.d/xivo-extrafeatures.conf cat disa-xivo.txt >> /etc/asterisk/extensions_extra.d/xivo-extrafeatures.conf /etc/init.d/asterisk reload
6. The traditional way to access DISA is to add it as an undisclosed option in an IVR that is assigned to one of your inbound trunks (DIDs). For the demo IVR that we installed last week, edit the ivr-1.conf configuration file and change the "option 0″ line so that it looks like this. Then SAVE your changes.
exten => 0,1(ivrsel-0),Dial(Local/3472@default)
7. Adjust the inbound calls route of one of your DIDs to point to the demo IVR by changing the destination to Customized with the following Command:
Goto(ivr-1,s,1)
Here’s how ours looks for the Nerd Vittles XiVO Demo IVR:
8. Now you should be able to call your DID and choose option 0 to access DISA assuming you have whitelisted the number from which you are calling. When prompted, enter the DISA password you assigned and press #. You then should be able to dial a 10-digit number to make an outside call from within your PBX.
SECURITY HINT: Whenever you implement a new IVR on your PBX, it’s always a good idea to call in from an outside number 13 TIMES and try every key from your phone to make sure there is no unanticipated hole in your setup. Be sure to also let the IVR timeout to see what result you get.
Setting Up a Softphone or WebRTC to Connect to XiVO
If you’re a Mac user, you’re lucky (and smart). Download and install Telephone from the Mac App Store. Start up the application and choose Telephone:Preference:Accounts. Click on the + icon to add a new account. To set up your softphone, you need 3 pieces of information: the IP address of your server (Domain), and your Username and Password. In the World of XiVO, you’ll find these under IPBX:Services:Lines. Just click on the Pencil icon beside the extension to which you want to connect. Now copy or cut-and-paste your Username and Password into the Accounts dialog of the Telephone app. Click Done when you’re finished, and your new softphone will come to life and should show Available. Dial the IVR (4871) to try things out. With Telephone, you can use over two dozen soft phones simultaneously on your desktop.
Prefer to use WebRTC from your browser as a softphone? XiVO has you covered. Complete setup instructions available here.
For everyone else, we recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the XiVO Line. You’ll need the IP address of your server plus your Line username and password associated with the 701 extension. On the XiVO platform, do NOT use an actual extension number for your username with XiVO. Go to IPBX Settings:Lines to decipher the appropriate username and password for the desired extension. Click OK to save your entries.
Test Drive of Sample Incredible PBX Apps
Once your softphone is registered, you can try out some of the Incredible PBX sample applications:
- 4871 (IVR1) – Allison’s Demo IVR
- 411 (Voice Dialing) – Call by Name (try "Delta Airlines")
- 2663 (CONF) – Conference Room with Music on Hold
- 951 – Yahoo! News Headlines (TTS)
- 947 (ZIP) – NWS Weather by ZIP Code
- 53669 (LENNY) – The Telemarketer’s Worst Nightmare
You can review the Dialplan code in the GUI by choosing IPBX Configuration:Configuration Files and clicking xivo-extrafeatures.conf. The sample IVR code is in ivr-1.conf. This Nerd Vittles tutorial will walk you through building your own IVRs for XiVO.
Using PBX Status with XiVO
For those that like to see how things are going from the Linux CLI, a modified version of pbxstatus is available for XiVO. From the Linux CLI, type: pbxstatus.
Using FQDNs with the Travelin’ Man 3 Firewall
If you plan to use FQDNs with your IPtables firewall or if your remote users will be using a Dynamic DNS provider to keep their IP addresses fresh, be sure to review Step #5 in the Travelin’ Man 3 tutorial which explains how to configure your firewall to automatically refresh IP addresses based upon changes in dynamic addresses. All of the necessary components already have been activated. Simply insert your FQDN entries using /root/add-fqdn and modify /root/ipchecker.
PortKnocker for XiVO: Your Firewall Safety Net
If you use a dynamic IP address for your local PC and that address changes, you may find yourself locked out of your own server unless you have heeded the advice in the preceding section. But there’s still hope. Incredible PBX for XiVO now includes the PortKnocker utility which lets you ping three predefined TCP ports in sequence to regain access to your server. You can read all about PortKnocker in this Nerd Vittles article. Unfortunately, PortKnocker doesn’t do you a bit of good if you haven’t deciphered what the three-port secret handshake is for your server. Before you forget, review /root/knock.FAQ and put the information in a safe place where you can retrieve it if the need should ever arise.
Adding a PPTP VPN to XiVO
Microsoft introduced the Point-to-Point-Tunneling-Protocol (PPTP) with Windows 95. Back then we knew it as Dial-Up Networking. Suffice it to say that, in those days, PPTP was anything but secure. Unfortunately, the bad name kinda stuck. For the most part, the security issues have been addressed with the possible exception of man-in-the-middle attacks which are incredibly difficult to pull off unless you are a service provider or have access to the wiring closets of your employer. You can read the long history of PPTP VPNs on Wikipedia for more background. If you’re traveling to China or other democracy-challenged destinations, you probably shouldn’t rely upon PPTP for network security. If these security considerations aren’t applicable in your situation, keep reading because PPTP VPNs are incredibly useful and extremely easy to deploy for an extra layer of VoIP and network security in most countries that have severe wiretapping penalties in place.
PPTP VPNs also provide home-away-from-home transparency to home office network services. Simply stated, with a PPTP VPN, you get a private IP address on the XiVO PBX that lets you do almost anything you could have done sitting at a desk in the home office. PPTP VPNs probably won’t work on most OpenVZ platforms such as Wable and ImpactVPS. But they work great on virtual machines such as CloudAtCost and Digital Ocean. For a quick-and-dirty back door into your server, a PPTP VPN is hard to beat. Here’s how to set one up on your XiVO PBX using 128-bit encryption. Make up a very obscure username and password in the first two lines below:
PPTPUSER=somebodyspecial PPTPPASS=someverysecurepassword apt-get -y update apt-get -y install pptpd sed -i 's|#ms-dns 10.0.0.1|ms-dns 8.8.8.8|' /etc/ppp/pptpd-options sed -i 's|#ms-dns 10.0.0.2|ms-dns 8.8.4.4|' /etc/ppp/pptpd-options echo "localip 172.16.16.100" >> /etc/pptpd.conf echo "remoteip 172.16.16.101-199" >> /etc/pptpd.conf echo "$PPTPUSER pptpd $PPTPPASS *" >> /etc/ppp/chap-secrets /etc/init.d/pptpd restart # show logged in PPTP users last | grep ppp
Connect to your PPTP server from a Windows or Mac in the usual PPTP way. Once connected, you will be assigned an IP address in the range of 172.16.16.101-199. You then can access your XiVO PBX on the following IP address: 172.16.16.100.
Everything You Need to Know About XiVO Backups
Another feature of XiVO that separates the men from the boys is its documentation. In the case of backups, you’ll find everything you need to know here. All backups are stored on your XiVO server’s local drive in /var/backups/xivo. Be sure you have ample storage space available and, if you’re smart, you’ll copy both data.tgz and db.tgz from the local drive to a safe remote location periodically just in case disaster strikes. The documentation shows you how to quickly restore a backup should that ever become necessary.
Upgrading XiVO to the Latest Release
The XiVO development cycle is nothing short of miraculous. A new version is released every three weeks! The average time to close a bug has dropped from 315 days in 2009 to 28 days in 2012! You’ll probably want to keep your system current. 🙂
Upgrading XiVO is even easier than restoring a backup. Upgrade documentation is available here. Because we’ve added the Travelin’ Man 3 firewall, we recommend stopping IPtables during an upgrade and then restarting it when you’re finished. Your phone system is disabled during the upgrade. When upgrading XiVO, remember to also upgrade all associated XiVO Clients. Be sure to verify that things are back to normal once the upgrade procedure is completed: xivo-service status.
The commands to upgrade your XiVO PBX are as follows:
/etc/init.d/netfilter-persistent stop xivo-upgrade iptables-restart # restore Incredible PBX module and ODBC configuration cp -p /etc/asterisk/modules.conf.dpkg-old /etc/asterisk/modules.conf cp -p /etc/asterisk/res_odbc.conf.dpkg-old /etc/asterisk/res_odbc.conf xivo-service restart # code below reactivates Incredible PBX web apps cd / wget http://incrediblepbx.com/incredible-nginx.tar.gz tar zxvf incredible-nginx.tar.gz rm -f incredible-nginx.tar.gz /etc/init.d/nginx restart
Google Voice CLI and SMS Messaging Support
Thanks to Nick Pettazzoni, beginning with the August 29, 2016 release of Incredible PBX for XiVO, you now can take advantage of the pygooglevoice implementation of gvoice as well as Nerd Vittles’ SMS messaging and message blasting utilities. If you’re using an earlier release, it’s easy to add this functionality to your server as well:
cd /root wget http://incrediblepbx.com/install-gv-cli chmod +x install-gv-cli ./install-gv-cli
Be advised that the Google Voice CLI interface (gvoice) uses plain-text Google Voice passwords, not OAuth. Before most Google Voice accounts will work with gvoice and smsblast, you’ll need to do the following and then immediately login to gvoice from the Linux CLI at least once to mark your account as safe for access from this location. Here are the steps:
- Log in to the Gmail account you plan to use with gvoice
- While logged in, open a new browser tab to this site and enable Less Secure Apps
- Open another browser tab and enable the Google Reset procedure here
- Return immediately to the Linux CLI and login to gvoice
Creating an SMS Message Blast with XiVO
Here’s how to take advantage of SMS Message Blasting using a Google Voice account with Incredible PBX for XiVO. Log into your server as root and do the following:
- Edit /root/smsmsg.txt and insert the text message to be sent
- Edit /root/smslist.txt and create a list of the phone numbers to receive the SMS message
- Edit /root/smsblast and insert your gvoice username and password
- Run /root/smsblast to kick off the SMS Blast
Incredible PBX Application Quick Start Guide
Here’s a quick refresher on some of the Incredible PBX applications that have been installed. There’s also a link for more information. This remains a work-in-progress so expect more applications in coming weeks.
- CallerID Superfecta – Match Names to CallerID Numbers
- CallerID Blacklist – Block Calls from Spammers and Old Girlfriends
- CDR Reports in CSV Format
- CDR Reports in SQLite3 Format
- Asteridex – The Poor Man’s Rolodex (SQLite3 version)
- AsteriDex Click-to-Dial with XiVO Phonebook
- NeoRouter VPN for XiVO
- FCC RoboCall BlackList
- CallerID WhiteList Override
- Install Siri-Like Wolfram Alpha Module
- Dial 123 – Telephone Reminders
- Dial 411 – Call by Name from AsteriDex
- Dial 947 – Weather Forecasts by ZIP Code
- Dial 951 – Latest Yahoo News
- Dial 2663 – Conference Call
- Dial 3472 – DISA Access
- Dial 4871 – Allison’s Sample IVR
- Dial 53669 – Meet Lenny, the Robocaller’s Worst Nightmare
XiVO and Incredible PBX Dial Code Cheat Sheets
Complete XiVO documentation is available here. But here are two cheat sheets in PDF format for XiVO Star Codes and Incredible PBX Dial Codes. See also the previous 7 Nerd Vittles XiVO tutorials, all of which are listed below. Enjoy!
Taking Nerd Vittles’ XiVO IVR for a Test Drive
There’s a Demo IVR running at www.pacificnx.com on their XenServer virtualization platform. Scott McCarthy, a leading outside XiVO developer and a principal at PacificNX, advises they have a $50 a month GOLD platform specifically tailored to XiVO for those needing 99.999% reliability, 24/7 support with nightly backups and enterprise level firewalls that have intelligence to stop attacks and look for viruses, spyware and more. That’s what you’ll be hearing when you call the Nerd Vittles Demo IVR:
Nerd Vittles Demo IVR Options
1 – Call by Name (say "Delta Airlines" or "American Airlines" to try it out)
2 – MeetMe Conference
3 – Wolfram Alpha (Coming Soon!)
4 – Lenny (The Telemarketer’s Worst Nightmare)
5 – Today’s News Headlines
6 – Weather Forecast (enter a 5-digit ZIP code)
7 – Today in History (Coming Soon!)
8 – Speak to a Real Person (or maybe just Lenny if we’re out)
Don’t Stop Reading Just Yet. We’ve been busy since this article was first published in June, 2016. Continue reading about the latest developments including XiVO Snapshots.
Published: Monday, June 27, 2016 Updated: Regularly
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
The Perfect Threesome: iNum + VoIP.ms + Google Voice
We’ve got a terrific new VoIP development for you today especially for those who travel internationally. For several years, a VoIP company called VoxBone has been pushing hard to establish an International Number™ (iNum™) for every phone on the planet so that every telephone could call every other telephone at little or no cost. They’re not quite there, but two recent events will certainly hasten the implementation. The first was an announcement from VoIP.ms that they would provide a free iNum DID and free iNum calling to every one of their customers with a credit balance in their account. The second was last week’s announcement from Google that they, too, would support free iNum calling worldwide using any Google Voice account. Today, we’ll show you how to take advantage of these two developments to begin making free calls worldwide using your PBX in a Flash™ server, a WiFi-enabled smartphone, and an available WiFi connection. Basically, the plan is to use free iNum calling to get back to your PBX for dial tone and then use DISA for free Google Voice calling in the U.S. and Canada.
Until everyone has an iNum or Google opens up Google Voice outside North America, the hidden beauty of iNum for those of us who have both is the cost savings that can be achieved by phoning home with iNum from anywhere in the world for free. And, once the call hits your Asterisk® PBX, it’s incredibly simple to route the call to DISA, prompt for a password, and then place a call to anywhere in the U.S. or Canada at no cost with PIAF2™ and Google Voice.
This can be accomplished in several ways. First, you can download a SIP phone and use it in conjunction with your VoIP.ms account and a smartphone to make free iNum calls from any WiFi hotspot in the world. Bria is our favorite on both the iPhone/iPad and Android platforms. If $10 is too rich for your blood, there are some free alternatives: CSipSimple for Android and 3CXPhone for Android or iPhone. A second alternative is to use Google Voice or Gtalk to connect back to your PIAF2 server via iNum and then use DISA and your local trunks to place outbound calls. A final alternative is to take advantage of the numerous local numbers now available in many countries to phone home using iNum. The only cost of these calls is the cost associated with calling the local number. You’ll find a list of the local phone numbers to make these calls on the iNum web site or in the footnote to this article.1 So today we’ll show you how to set up your PIAF2 server to support free iNum calling. It’s a 15-minute project.
VoIP.ms Setup. To get started, if you’re not already a customer, register for a voip.ms account by filling out their registration form.
Once you submit the form, you’ll have to confirm your registration by clicking on the link that is emailed to you. Then you’re ready to login with your email address and the password you set up when you created your account. That’ll bring you to the Main Portal Page for your new voip.ms account.
You’ll need a positive balance in your VoIP.ms account in order to create your free iNum account so deposit some money using PayPal or a credit card by clicking Finances, Add Funds. The minimum deposit is $25 which can be used to make penny a minute calls in the U.S. and Canada or equally reasonable calls to any phone number in the world. We won’t be doing any of that today. For today, all of our calls will be free thanks to iNum and the generous support of VoIP.ms. But the nest egg will be there as a backup to your other PIAF2 VoIP providers which is an excellent idea anyway.
Like Vitelity, VoIP.ms lets you create subaccounts to compartmentalize your VoIP services. This makes it easy to use VoIP.ms on multiple PIAF2 servers or even standalone SIP telephones. It also provides added security by separating out account names and passwords for VoIP services from your main VoIP.ms portal account that let’s you manage your settings and VoIP funding, a very good idea. So let’s first set up an account to use with Asterisk just to show you how easy it is.
From the Main Portal Menu, click on Subaccounts, Create Subaccount. The Subaccount creation form will display. Fill it out so it looks something like this. Just click on the form below to enlarge it if you want a better view.
Once you’ve clicked the button to create the subaccount, it takes about a minute for voip.ms to activate it. Then click Main Menu, Portal Home. The bottom of the portal page will now show your subaccount.
Let’s create one more subaccount. We’ll use this one so that we can access VoIP.ms from a standard SIP app running on our iPhone or Android device. We can use the subaccount either to make outbound calls directly from VoIP.ms on a pay per minute basis, or we can use it to make free iNum calls. To create the subaccount, repeat the process above and fill in the blanks using your own credentials and a very secure password. Be sure to choose ATA device, IP Phone or Softphone for the Device Type. We always leave International Calls Disabled unless we really plan to make international calls. This will not affect your ability to make iNum calls, and it reduces your financial exposure in the event your subaccount is compromised. Never, ever use auto-replenishment from your credit card on a VoIP provider account from any provider.
Before we get too far along, let’s activate your new iNum DID. Click on DID Numbers, Order DID. When the DID Order Form displays, click on the iNum link to order your free iNum DID.
When the iNum DID order form displays, fill out the form by clicking on the POP location nearest to your server. Then, in the SIP/IAX Routing column, be sure to select the Subaccount we created previously rather than the default Main Account. Finally click the Click Here to Order button.
You’ll get a Confirmation display that shows your new iNum DID. Write it down! We’ve already set up the proper routing for your new iNum DID in the previous step so you can ignore the Managing Your DID message.
That completes the setup of your VoIP.ms account with your free iNum DID. Now let’s configure your PBX in a Flash server to support VoIP.ms and iNum. We’re assuming you already have a PBX in a Flash server configured with at least one Google Voice account activated. If not, stop here and complete that step using the PIAF2 tutorial and optionally the Incredible PBX 3 and Incredible Fax 2 tutorial.
Smartphone SIP Client Setup. We used the free cSipSimple Android app to set up a connection with our second subaccount at VoIP.ms using cSipSimple’s Basic Setup Wizard. Here are the entries required to gain connectivity:
Once your SIP client is connected to VoIP.ms through your smartphone, you can make free iNum calls using this dial syntax: 0118835100xxxxxxxx where xxxxxxxx is the last 8 digits of your iNum beginning with 0. As noted previously, you do NOT have to enable international calls on your VoIP.ms subaccount for these calls to go through.
PBX in a Flash iNum Setup. We’ll be using the FreePBX GUI to configure PBX in a Flash to support iNum. Using your browser, log into the IP address of your server: http://ipaddress/admin. When prompted for your username and password, use maint and whatever FreePBX password you assigned when your server was set up.
To simplify things, we’re going to set up 2 trunks: one for your VoIP.ms subaccount and another for iNum. Begin by choosing Trunks, Add SIP Trunk in the FreePBX GUI. For Trunk Name, use voipms. For Maximum Channels, choose 2. For the Dial Pattern, enter 1 | NXXNXXXXXX and, in Outgoing Settings for the PEER Details, enter the following using your subaccount name and password as well as the POP you chose for your subaccount:
canreinvite=yes
nat=yes
context=from-trunk
host=atlanta.voip.ms
secret=subacctpw
type=peer
username=137786_myinum
disallow=all
allow=ulaw
fromuser=137786_myinum
trustrpid=yes
sendrpid=yes
insecure=invite
qualify=yes
Leave all the fields for Incoming Settings blank. For the Registration String, the syntax is subacctname:subacctpw@atlanta.voip.ms:5060/8835100xxxxxxxx. Using our example and assuming you’re using the Atlanta POP, the entry would look like this where xxxxxxxx is your own 8-digit iNum beginning with 0:
137786_myinum:secretPassword21@atlanta.voip.ms:5060/8835100xxxxxxxx
Verify that your server got a successful registration with your VoIP.ms subaccount by clicking Tools, Asterisk Info, SIP Info.
Now click Setup, Trunks, Add Custom Trunk. For Trunk Name, use iNum. For Maximum Channels, choose 5. For Dial Pattern, use 0XXXXXX. including the period! For Custom Dial String, use SIP/0118835100$OUTNUM$@voipms.
Next, we need to create an Inbound Route. Use your full iNum DID number in the DID Number field, e.g. 8835100xxxxxxxx where xxxxxxxx is your personal iNum beginning with a 0. Activate CallerID Superfecta for the CID Lookup Source. And choose a Destination for the incoming iNum calls. This could be an extension, an IVR, or whatever else you’ve set up on your server. For now, route it to a working extension on your PBX so we can test it below. Then you can edit the inbound route and change it to any destination.
Finally, create an Outbound Route. Name the route OutiNum. For the Dial Pattern, use 0XXXXXX. with the trailing period. For the Trunk Sequence for Matched Routes, choose inum. After you save the trunk settings, move it to the top of your trunk listing in the right column of FreePBX. What this route does is allow you to call other iNum numbers (including your own) by simply dialing the last 8-digits of any iNum that begins with 8835100 or 0118835100. These 8 digits will ALWAYS begin with a 0.
Now let’s modify at least one of your existing Google Voice Outbound Routes so that you also can make iNUM calls with Google Voice by dialing from any extension using the full 8835100xxxxxxxx international number. Go to Outbound Routes and click on the name of one of your Google Voice trunks. Add the following new Dial Pattern and click Submit Changes: 8835100XXXXXXXX
Taking iNum for a Spin. To test things out, use a phone connected to an extension other than the one you chose to route incoming iNum calls to above. Dial the last 8 digits of your own iNum DID, and that extension should begin ringing. Answer the other extension and make sure you have audio in both directions. Next, dial your complete iNum DID beginning with 8835100. This should also cause the other extension to ring even though the call was initiated through your Google Voice trunk. If you’d like to get a Weather Report by Zip Code, we’ve set up an iNum for you to try. Just dial 09901997.
Enjoy!
Originally published: Monday, February 27, 2012
Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.
whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
- Local iNum Access Numbers include the following: [↩]
Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security
Here's a headline to wake up any CEO: "Small business gets $120,000 phone bill after hackers attack VoIP phone." News.com.au actually ran this story on January 20. "Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours... 115,000 international mobile calls were made using the small business's VoIP system over a six month period."
News Flash: Be sure to read our latest article introducing Travelin' Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.
For the latest Security Tips: See our most recent article.
Sad to say that folks install VoIP phone systems to save money and then completely ignore tried-and-true network security principles: hardening your system, regularly watching your logs, and periodically changing your passwords. If PBX in a Flash were a commercial offering, we'd probably keep much of what follows to ourselves and start touting our PBX systems as the only Asterisk® offering with Secure-Wrap™. That's not our world, of course, nor is it what open source is all about... which turns out to be both a blessing and a curse. We openly and jointly figure out ways to secure our Asterisk systems as well as those of our competitors. Then the bad guys get to read all about it and come up with new, more creative "solutions." The silver lining is there are millions of insecure Asterisk systems so the creeps typically move on to easier targets.
Today we'll walk you through our Top Ten Security Tips and Tricks. All of these can be implemented easily to harden your Asterisk PBX and lessen the chances of the bad guys transforming your VoIP system into a free, international payphone: you pay, they phone. In the process, we'll identify some common security blunders that accompany new system installs in hopes that you won't make the same mistakes. So let's start with the basics. If you plug your Asterisk PBX directly into the public Internet without carefully securing it, your chances of being hacked within the hour are pretty good.
Rule #1: Protect Your PBX With IPtables. PBX in a Flash systems are delivered with the IPtables firewall enabled. Leave it that way! If your Asterisk implementation doesn't have IPtables support, demand that it be added immediately or ask for assistance in adding it yourself. There is no reason not to use a freely available, open source firewall, period! And there are many good tools including WebMin (also included in PBX in a Flash distributions) to get it configured properly. With PBX in a Flash, all of the grunt work has been done for you.
Firewalls, of course, are only as good as the set of rules defined to secure your system. So only activate ports that are absolutely essential to run your PBX. For an excellent review of the ports that are opened by default in PBX in a Flash systems, see Joe Roper's summary. Think of an activated port as a hole in the dike. The more holes you add, the less secure your PBX will be. We'll leave it to you to count the holes in the dike if you choose to run your PBX without IPtables enabled. Our rule of thumb for PBX security goes something like this. If you don't need web access to your PBX, don't open ports 80 and 9080. If you don't need SSH, FTP, FOP, or WebMin access to your PBX, don't enable those ports. Better yet, don't even turn those services on unless there is a pressing need.
All of the IPtables rules are stored in /etc/sysconfig/iptables. Don't edit this file unless you know what you're doing. If you need help with the rules, post a question on the PBX in a Flash Forum. Typical response time on posted questions is under an hour on our forum. And don't forget to restart IPtables if you make changes to any of the rules: service iptables restart.
Rule #2: Protect Your PBX With A Hardware-Based Firewall. If one firewall is good protection, two firewalls are even better. As much as NAT-based firewall/routers get a bad rap, the extra layer of protection that a $50 hardware-based firewall/router delivers cannot be overstressed. Think of the software-based firewall as the tool of choice to secure your PBX on your internal LAN while the hardware-based firewall secures your system on the public Internet. We recommend the dLink WBR-2310 for home and SOHO use. It provides a reliable NAT-based router, a firewall, and excellent WiFi capability for under $50. If you've got some spare change, step up to one of dLink's Gaming Routers which we happen to use. They provide all the tools you'll need to prioritize your VoIP traffic. As with Rule #1, only open and redirect ports that are absolutely essential to use your PBX.
Rule #3: Safeguard Against Random Password Hacks. There is no better tool to protect your PBX from random password attacks than Fail2Ban 0.8.3. Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful password attempts. It updates IPtables rules to reject those IP addresses for a period of time that you can set in /etc/fail2ban/jail.conf. Originally PBX in a Flash systems were shipped with an earlier version of Fail2Ban that provided only minimal protection. If your system doesn't include the jail.conf file above, you still have the older version. Simply run our update script to get the current release:
cd /root
mkdir fail2ban
cd fail2ban
wget http://pbxinaflash.net/source/fail2ban/fail2ban-update
chmod +x fail2ban-update
./fail2ban-update
service fail2ban restart
As was true with IPtables, Fail2Ban is only as good as the rules which are defined to identify failed password attempts on your system. On PBX in a Flash systems, we now protect against web, FTP, SSH, SIP, and IAX password attempts.
If your particular Asterisk implementation lacks Fail2Ban support, you're missing a critically important (free) tool to safeguard your system from random password attacks against SSH and your protected web sites as well as your SIP and IAX extension passwords. For tips on installation, review our script that is available on this thread in the PBX in a Flash Forum.
Rule #4: Narrow Access With IP Address Restrictions. Security privileges in the U.S. government are based upon a "need to know." It's pretty simple. If you don't have a need to know the information to perform your duties, you don't get the privilege. You can use a similar technique to secure your PBX by implementing IP address restrictions. For example, if all of your extensions are housed on a private subnet of your internal LAN, then there is no reason to allow Internet access to those extensions. Similarly, for extensions outside your local network, you now can hardcode the IP address into the extension to restrict access. To implement this with Asterisk and FreePBX-based systems, you'll first need to upgrade FreePBX to at least version 2.5.1.1. Once you've upgraded, go into each extension and enter either an IP address or an IP subnet for that extension in the permit field. For an IP address, the syntax is 192.168.0.44/255.255.255.255. For an IP subnet, the syntax would look like this: 192.168.0.0/255.255.255.0. This one tip would have been worth $120,000 to the Australian company referenced above. Yes, consultants can be worth their weight in gold. 🙂
If you're as absent-minded as we are, you don't want to have to worry about remembering this each time you add a new extension to your system. So it's quite simple to change the default permit entry from 0.0.0.0/0.0.0.0 to the subnet mask of your LAN. Then you only have to adjust this entry whenever you add an extension which is not on your internal LAN. For example, if your LAN subnet is 192.168.0, then we want to replace the default entry with 192.168.0.0/255.255.255.0. The file to edit is /var/www/html/admin/modules/core/functions.inc.php. Just search for $tmparr['permit'] in BOTH the iax2 and sip sections of the file and make the value substitution preserving the single quotes on both sides of your new entries.
You also can implement both password and IP address restrictions to limit web access to your server. With Apache web servers, this is done through .htaccess files and directory restrictions in your Apache config files. On PBX in a Flash systems, htaccess password restrictions now are the default setup in all of our builds. Suffice it to say, if you can access the /admin directory on your web site from the Internet without being prompted for a password, your site probably has been compromised. Keep in mind that these passwords get cached so be sure you have cleaned out your browser cache before having a heart attack. Better yet, try this from a browser you don't ordinarily use (such as the one on your cellphone).
For additional security, you can further restrict access to your web directories by adding a list of authorized IP addresses to the .htaccess file in each subdirectory. Here's what an .htaccess file with IP address restrictions might look like. The first Allow entry is the private LAN subnet, the second is a remote site, and the third is the Hamachi VPN subnet mask:
Deny from All
Allow from 192.168.0
Allow from 68.218.222.70
Allow from 5.67
Rule #5: Don't Use 'Normal Ports' for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you've done. Read that last sentence again. It's important! With a hardware-based firewall such as the WBR-2310, this is incredibly easy. dLink calls them Virtual Servers. Here is a typical entry:
HTTP 192.168.0.150 TCP 80/2319 Allow All Always
You can simply redirect common ports to different ports for Internet access. Don't do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. For example, port 80 typically is the default web server port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) web access, simply remap TCP port 80 to some obscure port and change it periodically. For example, you might redirect TCP port 80 to port 2319. Once the setting is saved, you access the web site with a browser entry like this: http://pbx.mydomain.com:2319/. Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don't use these numbers obviously! Make up your own. The key here is that 5 minutes work every month will keep web access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 80 every night while you're sleeping. Incidentally, most of these routers also will let you block access to certain ports during certain hours of the day. If you're sleeping, there's really not much need to provide SSH and web access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world's best crackers reside in countries where daytime happens to be nighttime in the United States.
Rule #6: Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our wild-assed guess (WAG) is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn't Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. The first five rules would have protected most Asterisk systems. But our WAG on the number of Asterisk PBX's that have implemented all five rules above would be less than one in a thousand. Part of that is because some of these tools weren't readily available until recently. But part of it is because most of us are just plain L-A-Z-Y.
Really secure passwords really do matter. And it's more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, make certain it has a really, really secure password. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). You've been warned. It's your phone bill and bank account!
<end of sermon>
Rule #7: Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn't begin to describe some of what lies under the FreePBX covers. Make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.
Our rule of thumb on Internet web accessibility to an Asterisk PBX goes like this. Don't! But, if you must, build as many layers of protection as possible to assure that your system is not compromised. If the bad guys get into FreePBX, the security of your PBX has been compromised... permanently! This means you need to start over with all-new passwords by installing a fresh system. You simply cannot fix every possible hole that has been opened on a FreePBX-compromised system!
Rule #8: Implement VPNs for PBX Systems. PBX in a Flash has provided simple install scripts to deploy Hamachi VPNs on all of our current systems. Hopefully, the other aggregations will do likewise. In addition, we offer turnkey VPN in a Flash systems which provide this functionality out of the box. VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. We now are exploring other VPN solutions which would facilitate the use of VPN-enabled telephones such as the new offerings from SNOM.
Rule #9: Check Your Logs Every Day. We're still dumbfounded by the following quote from the article above: "115,000 international mobile calls were made using the small business's VoIP system over a six month period." Six months and they never checked their call logs? Sounds like they earned this phone bill. FreePBX provides an incredibly simple way to review your call logs. Click the Reports tab at the top of the screen and look at the bar graph showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day! It also should be noted that Ethan Schroeder has released a beta of some new monitoring software which will provide more granular monitoring of daily call volumes. For additional information or to participate in the beta, visit this link.
Rule #10: Do Some Reading... Regularly. No security implementation is complete without a little regular effort on your part: reading. If you're going to manage your own network or PBX, then you need to keep abreast of what's happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the trixbox Forum, and the FreePBX Forum. Aside from reviewing your call logs, it's the best 15 minutes you could spend to safeguard your system. We also have an RSS Feed which includes security alerts.
Update #1: Be sure to read this great new article. It has two fresh ideas for securing your system!
Update #2: Please also read this Nerd Vittles Alert about FreePBX backdoors and default passwords that was published on April 15, 2011.
Some Other Suggestions. A couple other suggestions come to mind that don't involve securing your PBX per se but nevertheless will lessen your exposure in the event of a security breach. First, if your usual calling patterns don't involve international calling or if they're limited to one or two countries, tighten up your outbound dialplan and restrict calling to countries that you actually need. It can always be changed when the need to call elsewhere arises. Second, if you use pay-as-you-go providers, never use credit card auto-replenishment. Instead, add funds periodically using the provider's web interface. The advantage of this is that, if someone does manage to break into your system, your loss will be limited to the current balance in your provider account. You'll not only save a lot of money, but you'll also get a notification that something has gone horribly wrong. Finally, a forum user mentioned one we had overlooked. If you have a mix of POTS and VoIP lines, don't put the POTS lines in the default outbound pool for toll calls. This could potentially save you lots of money.
Continue Reading Part II: The VoIP WhiteList for IPtables...
Got Some Other Ideas? 50,000 heads always are better than one when it comes to network security. If there are things we've missed, take a minute to post a comment. It'll help all of us keep our systems more secure. Good luck!
Digium® Weighs In. Since this article first appeared, Digium has released its own set of tips on SIP security. By all means, have a look!
Security Alert of the Week. A trixbox user yesterday reported that he had discovered a rootkit exploit on his server. You can could read all about it here. The 6:03 a.m. (California time) post mysteriously disappeared a few hours later... soon after the trixbox staff got to work. Another darn computer failure according to Fonality staff. 😕 We've attempted to recreate the information from Google snippets. And here's a simple test to see if you have a similar rootkit problem:
ls -all /sbin/init.zk
Want a Bootable PBX in a Flash Drive? Our bootable USB flash installer for PBX in a Flash will provide all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and our flash installer in less than 15 minutes!
If you'd like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment with your best PBX in a Flash story.1
Be sure to include your real email address which will not be posted. The winner will be chosen by drawing an email address out of a hat (the old fashioned way!) from all of the comments posted over the next couple weeks. All of the individuals whose comments were used in today's story will automatically be included in the drawing as well. Good luck to everyone and Happy New Year!!
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest...
- This offer does not extend to those in jurisdictions in which our offer or your participation may be regulated or prohibited by statute or regulation. [↩]