Home » Posts tagged 'firewall'

Tag Archives: firewall

The Most Versatile VoIP Provider: FREE PORTING

Migrating Incredible PBX 2022 to a PUBLIC-Facing Cloud PBX



Today we want to show you how to reconfigure Incredible PBX 2022 for Rocky 8 into a PUBLIC-facing Cloud PBX. What that means is authorized users can connect a SIP phone to the PBX regardless of where the user might be located without worries about an ever-changing dynamic IP address and the requirement to whitelist the new IP address. A PUBLIC-facing PBX also provides free SIP URI connectivity to users of your PBX by anyone from anywhere in the world. In other words, it’s similar to the way you could connect to any Ma Bell telephone in the world simply by knowing the number to dial. The difference, of course, is SIP URI connectivity is free while there were often staggering long distance charges for remote connectivity in the Ma Bell days. Fifty years ago it was not uncommon for a college boy to spend $200 a month calling his college sweetheart less than 200 miles away in the same state. Ask me how I know.

Why is this such a big deal? The short answer is security and your phone bill. You don’t want bad guys on the other side of the globe attempting to register a SIP phone to your PBX so that they can use your trunks to make free phone calls on your nickel. You also don’t want anybody and everybody calling your users by simply guessing the IP address of your PBX. As with Incredible PBX 2021 PUBLIC for Debian, today’s design combines several security mechanisms to make a PUBLIC-facing PBX safe and secure. First, we will block all SIP connectivity to your PBX by IP address. Second, we will identify 30,000+ known SIP bad guys and block their access to your PBX entirely. Third, we will only permit SSH access to your PBX using public key authentication instead of traditional username/password authentication. Fourth, we will only permit web access to the Incredible PBX portal from whitelisted IP addresses and OpenVPN private addresses. We haven’t mentioned the elephant in the room, Distributed Denial of Service (DDoS) attacks, but today’s methodology reduces the risk considerably since your PBX cannot be ping’d, and all IP address access is blocked at the Linux kernel level.

Prerequisites. To put all these safeguards in place, you’ll need a cloud-based Incredible PBX 2022 KVM platform running Rocky 8. Install the latest Incredible PBX 2022 platform using our tutorial. Next, you’ll need these items:

  1. Public IP Address of your server
  2. Obscure FQDN linked to this public IP address
  3. Random SSH port with registered public keys for SSH access
  4. List of SIP extensions to enable for SIP URI access
  5. IP Addresses to WhiteList for Access to the Web GUI

1. Deciphering Public IP Address of Your PBX

After logging into your PBX as root, you can execute pbxstatus to decipher the public IP address of the PBX. Or issue the command: wget -q -O - ipinfo.io/ip

2. Obtaining an FQDN for Your PBX

Security through obscurity provides a critical layer of protection for your server so choose an FQDN carefully. sip.yourname.com provides little protection while f246g.yourname.com pretty much assures that nobody is going to guess your domain name. This is particularly important with SIP registrations because registered extensions on your PBX can obviously make phone calls that cost you money. If you don’t have your own domain, you can always obtain a free hostname from a service such as NoIP.com.

3. Securing SSH Access to Your PBX

Whatever you do, don’t leave SSH access via port 22 exposed on your PBX. In the time it took to create a new PBX on CloudAtCost, there were over 400 attempted logins to the default SSH port of the new server. The simplest (but least secure) method to avoid these script kiddie attacks is to change the port number for SSH access to your server. We suggest using the year you were born as the port number because it’s easy to remember. Edit /etc/ssh/sshd_config and uncomment the Port line replacing 22 with the port number you chose. Then restart SSH: systemctl restart sshd.

The preferable solution to secure SSH is to create and use SSH keys for access and set PasswordAuthentication no on the last line of /etc/ssh/sshd_config. Digital Ocean has an excellent tutorial to walk you through the setup process.

4. Choosing Extensions for SIP URI Public Access

With today’s PUBLIC design, exposing an extension for PUBLIC access means anyone in the world that knows the FQDN of your server and the extension number can do two things using any SIP client: (1) they can call you and (2) they can attempt to register to that extension and make calls on your trunks AND your nickel. So only expose extensions for public access if there is a need to connect or call from remote locations. For extensions you decide to expose, make certain that the passwords for these extensions are extremely secure, lengthy, and use numbers with both UPPER and lower case letters. Never use default extension passwords!

5. Whitelisting IP Addresses for Public Web Access

Without enumerating IP addresses for public web access, you won’t be able to connect to the web GUI of your PBX from any IP address. Down the road, if you wish to authroize additional IP addresses, you can use /root/add-ip to add them via SSH.

Deploying Incredible PBX PUBLIC Firewall

To get started, log into your server as root and issue the following commands:

cd /tmp
wget http://incrediblepbx.com/newpublic.tar.gz
tar zxvf newpublic.tar.gz
rm -f newpublic.tar.gz

Next, edit /tmp/iptables.base and change the highlighted entries:


Change port 22 in the dport entry to the SSH port number you chose in Step 3, above.

Change 8.8.8.8, 8.8.4.4., and 1.1.1.1 to actual public IP addresses of desktop machines you wish to use to access the web GUI of your PBX. If you don’t need three entries, comment out the other entries with # at the beginning of each line.

Replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.

Save the file.

On the Rocky 8 platform, issue the following commands:

cd /etc/sysconfig
cp /tmp/iptables.base .
mv iptables iptables.orig
cp iptables.base iptables

Using Incredible PBX PUBLIC with Asterisk

The first line of defense with this PUBLIC implementation is your FQDN. Second is the IPtables firewall setup above. And third is the Asterisk® extensions configuration in extensions_override_freepbx.conf. Here’s how to configure it. Edit /tmp/extensions_override_freepbx.base and change the highlighted entries:


If there are phone numbers assigned to your PBX that you want processed according to your Inbound Routing rules, duplicate the first highlighted line above and, for each trunk, replace 8881234567 with your actual DID numbers.

In exten => _.,1 line, replace your-servers-IP-address with the actual IP address of your PBX from Step 1, above.

In exten => _.,10 line, replace your-servers-FQDN with the actual FQDN assigned to your PBX from Step 2, above.

Scroll down in the file to the following section:



Comment out undesired default extensions. Place a semicolon at the beginning of the lines.

For any extensions you wish to add, insert a new line in the following format replacing both 7000 entries with the desired extension number:

exten => 7000,13,Dial(local/7000@from-internal)

Save the file and then execute the following commands to complete the PUBLIC setup:

cd /etc/asterisk
cp /tmp/extensions_override_freepbx.base .
mv extensions_override_freepbx.conf extensions_override_freepbx.orig
cp extensions_override_freepbx.base extensions_override_freepbx.conf
fwconsole restart
asterisk -rx "dialplan reload"
iptables-restart
sed -i 's|-A INPUT|-I INPUT|' /root/add-ip
sed -i 's|-A INPUT|-I INPUT|' /root/add-fqdn

Adding IPSET Incredible PBX 2022 Protection

We’re not the biggest fans of blacklists because the bad guys spend a lot of time trying to corrupt them by inserting valid IP addresses of sites such as DNS servers in the lists to wreak havoc. Having said that, there are two blacklists that are carefully monitored on a daily basis, and both provide additional protection for your PBX by weeding out access by 30,000+ potential bad guys. The oldest of these is VoIP Blacklist. And the new kid on the block is APIBAN from LOD.com and Fred Posner. We’ve simplified the setup process for use with Incredible PBX 2022. To get started, obtain an APIBAN API key here. Then issue the following commands to put all the pieces in place on your server:


cd /usr/local/sbin
wget http://incrediblepbx.com/incrediblepbx-ipsets8.tar.gz
tar zxvf incrediblepbx-ipsets8.tar.gz
rm -f incrediblepbx-ipsets8.tar.gz

Next, edit /usr/local/sbin/apiban-init and insert your APIkey.

Finally, issue the following command to reload the firewall: iptables-restart

Verifying Firewall Setup of Incredible PBX

Let’s make certain that everything got installed correctly. Begin by issuing this command: iptables -nL

Scroll toward the top of the list, and you should see two entries for the voipbl and apiban ipsets indicating that entries in those lists will be dropped by the firewall.


Next, verify that the voipbl and apiban ipsets are populated. The first two commands below will list all of the blocked IP addresses. And the next two commands will provide a count of the dropped IP addresses.

ipset list voipbl
ipset list apiban
ipset list voipbl | wc -l
ipset list apiban | wc -l

Finally, you can refresh the ipsets with the following two commands:

voipbl-init
apiban-init

Rebooting or restarting the firewall with iptables-restart also refreshes the ipset listings.




 

Calling an Incredible PBX PUBLIC Extension

Any extensions that you have whitelisted in the blue section above can be called from anywhere using any SIP client. Simply enter the SIP URI for the extension in the following format: SIP/extension@your-servers-FQDN

CAUTION: If a caller attempts to call any extension on your PUBLIC server from an extension on another Asterisk server to which the caller is registered, the call will fail if there is a matching extension number on the PUBLIC server and the two servers are not registered to each other. So remember to use unique extension numbers on your PUBLIC server if you expect callers from other Asterisk servers.

Registering Incredible PBX PUBLIC Extension

If you wish to login to a whitelisted extension using a SIP client, enter the extension and password of the extension. For the server address, enter the FQDN of your server. If it’s a PJsip extension, add :5061 to the end of the FQDN.

Originally published: Monday, April 25, 2022



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Travelin’ Man 3: A Plug-and-Play Firewall for Incredible PBX

Seven years ago we introduced Travelin’ Man 3 to simplify the task of securing the Incredible PBX® VoIP platforms. Today we want to reexamine the Travelin’ Man 3 firewall design for the benefit of those that are new to Asterisk® and FreePBX®. In the old days, FreePBX-based VoIP servers were notoriously vulnerable because of numerous bugs in the original FreePBX code which was developed by dozens of developers around the world with very different skill sets. Not only did you risk having your server compromised, but there also was a very real risk of receiving a staggering phone bill for calls that neither you nor your users made.

Travelin’ Man 3 introduced a new security model by providing a whitelist-based, plug-and-play firewall for Incredible PBX servers using the Linux IPtables firewall platform. If the IP address of a device wasn’t listed in the firewall, then that device could not even see your PBX much less access it. SSH access, web access, SIP and IAX2 access all were blocked.

The whitelist design worked great so long as your PBX and all of your phones shared the same private network. But then came deployment of PBXs in the cloud on the wide open Internet. And, of course, there were traveling salesmen that moved from place to place with new IP addresses at every new hotel. And then there were the users with dynamic IP addresses whose IP address identity changed without much warning.

To address these limitations, Travelin’ Man 3 provided the add-ip script to whitelist new IP addresses. The setup included the ability to limit IP addresses to a certain group of features on the PBX such as SIP, IAX2, SSH, and web access. Or the administrator could enable full access to the PBX for a given IP address.

That solved the new IP address issue, but it wasn’t of much use to those with ever-changing dynamic IP addresses. Thus was born the add-fqdn addition which could be used in combination with a dynamic DNS provider to assign a fully-qualified domain name to a device and keep it regularly updated. An additional ipchecker script was also added as a cron job to pass IP address changes along to the IPtables firewall every 10 minutes.

To round out the Incredible PBX whitelist design, we added PortKnocker to protect administrators from locking themselves out of their own server. We added Travelin’ Man 4, OpenVPN and the NeoRouter VPN to facilitate easy access without resorting to the add-ip and add-fqdn utilities. Private LAN addresses are automatically whitelisted with Travelin’ Man 3 so deploying SIP phones with native VPN capability remains the simplest and safest connectivity option.

One key feature that sets Travelin’ Man 3 apart from other firewall alternatives is the fact that it’s plug-and-play. When you install any of the Incredible PBX 2020 platforms, your IPtables firewall and whitelist are automatically configured. The only requirement is that you perform the second phase of the Incredible PBX install using SSH or Putty from a desktop machine that will be used to manage your PBX. In that way, your desktop PC gets automatically whitelisted as part of the install process. And, as previously noted, all devices on the same private LAN or VPN as your Incredible PBX server have total access without jumping through any additional configuration hoops.

Let’s take a moment to examine how Travelin’ Man 3 works under the covers. First, it’s important to note that IPtables does not support FQDNs, only IP addresses. So, if you add an FQDN entry to the IPtables startup file, it gets translated into a static IP address when IPtables is started. More importantly, if that FQDN happens to be unresolvable when IPtables is started because the remote computer is off-line for some reason, then IPtables crashes and never deploys any of its other rules leaving your PBX totally exposed. For this reason, Travelin’ Man 3 handles firewall startup in a unique way. First, it loads some basic firewall rules, all of which have static IP addresses. These rules are found in the startup script: /etc/sysconfig/iptables on RedHat and CentOS platforms and /etc/iptables/rules.v4 on Debian, Ubuntu, and Raspbian platforms. Then, once IPtables is running, it executes the /usr/local/sbin/iptables-custom script with individual IPtables commands to deploy the remaining whitelist entries including FQDNs. When an individual IPtables command fails in this BASH script, the script simply moves on to the next rule without burning down the house. The only damage is an individual FQDN is not whitelisted. But the computer with this FQDN was off-line anyway so there’s no impact on the operation of your PBX. Once that computer comes back on line, it’s simple enough to whitelist the FQDN again. This is a long-winded explanation of why it’s important on Incredible PBX platforms to start and restart IPtables with the iptables-restart script rather than using systemctl restart iptables. The latter would only load the basic IPtables rules in the startup script and not iptables-custom.

Now that you know how Travelin’ Man 3 works, you may be wondering why FQDN support was never integrated into the IPtables design. We’ve wondered much the same thing and never got much of an answer from the developers other than a cryptic response that IPtables worked as designed. Oh well. What we also have found is there is substantial institutional resistance to whitelist firewall implementations even though they provide the most secure computing environment for most deployments. Blacklists, standing alone, simply don’t work because either the bad guys poison the blacklist with legitimate IP addresses (such as the DNS servers upon which you rely) or the bad guys move on to a new IP address which has not yet been added to the blacklist.

We’d be the first to admit that additional flexibility may be desirable in certain edge cases particularly where end-users must rely upon a smartphone on the road with little more than a softphone app available to connect back to the mothership. But, again, we would strongly recommend deploying OpenVPN on all your devices and sticking with a whitelist solution for most scenarios. For those that can’t or won’t, take a look at the Incredible PBX PUBLIC offering as an alternative. It strikes a good balance using a combination of blacklists, some security through obscurity tricks, and implementation of rules blocking most script kiddies.

Originally published: Monday, March 9, 2020



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Going Public with Incredible PBX 16 and VitalPBX 2.3.8



As part of our ongoing development efforts, we maintain about a dozen honeypot servers across the U.S. and Canada to monitor the latest adventures of the bad guys. Security becomes especially important for those wishing to live on the bleeding edge and deploy a cloud-based, public-facing VoIP server. Today we want to walk you through our latest suggestions to set up and secure a VitalPBX platform using just the built-in FirewallD, IPset, and Fail2Ban components. If you opt to deploy VitalPBX in the Cloud, a KVM-based VPS is absolutely essential in order to take advantage of the security mechanisms we will introduce today.

Here are 6 Key Security Features in today’s public design:

  • SIP Registration Lockdown by FQDN
  • Extension Lockdown by IP Address
  • Trunk Provider Lockdown by IP Address
  • Web Access Lockdown by WhiteList
  • Disguised Ports for SIP and SSH Access
  • 100,000+ VOIP Blacklist for FirewallD

Is it 100% safe? Nothing ever is. That’s what backups are for. 😉

FYI: The CentOS folks reintroduced a previous FirewallD bug on October 22 which (again) broke new VitalPBX installs. On October 23, the VitalPBX developers fixed the bug (again). There should be no problems with new installs. For previous installs, see this thread on the PIAF Forum for the fix.

Taking Incredible PBX with VitalPBX to the Cloud

Because Incredible PBX with VitalPBX 2.3.8 was originally distributed as an ISO, getting it installed in the cloud was a challenge. A few cloud providers let you bring your own ISO to install on their VPS platforms, but it was still a tedious process. So today we’re pleased to introduce a new install script that can be run on any CentOS 7 platform.

We have a few cloud providers that we recommend without reservation. Both Vultr and Digital Ocean provide referral credits to Nerd Vittles to support our VoIP project development efforts. We’ve used both of them for many years with no problems. Either of the platforms works well using the $5 a month option in your choice of cities. Just be sure to choose the CentOS 7 platform, not CentOS 8. For an extra buck, you can add automatic backups.

Our favorite bargain is now CrownCloud in Los Angeles. For $25 a year, they offer a KVM VPS that is ideal as a VoIP platform. And the offering includes a free snapshot image as well. As you might imagine, it’s very popular and goes Out of Stock from time to time so check back often. For our international friends, CrownCloud offers similar platforms at the same price point in both Germany and the Netherlands.

Installing Incredible PBX with VitalPBX on CentOS 7

Once your CentOS 7 platform is up and running, here’s how to install Incredible PBX for VitalPBX. Log into your server as root using SSH or Putty. Then issue these commands:

cd /root
passwd
yum -y install net-tools wget nano tar
wget http://incrediblepbx.com/incrediblepbx.sh
chmod +x incrediblepbx.sh
./incrediblepbx.sh

Incredible PBX Cloud Setup Recipe for VitalPBX

We think the easiest way to configure your new VitalPBX platform is to follow the simple steps outlined below. This will avoid your having to jump back and forth between tutorials to get all the pieces in place. When you’re finished, you’ll have a secure VitalPBX cloud platform. Don’t be intimidated by the number of steps. If you can handle slice-and-bake cookies, you can do this!

1. Point your browser to the IP address of your server. You’ll be prompted to set a password for admin access to the GUI. Fill in the blanks to proceed. Should you ever forget your admin password, here’s how as root user to force a reset on your next login from a browser:

mysql ombutel -e 'update ombu_settings set value = "yes" where name = "reset_pwd"'


2. Register your server when prompted. The VitalPBX Dashboard will appear.

3. Decipher the public IP address of your desktop machine and any other PCs that will be used to manage your server.

4. From the VitalPBX Dashboard, navigate to Admin:Security:Firewall:WhiteList. Enter each of your IP addresses from step #3 and click Save button.

5. From the VitalPBX Dashboard, navigate to Admin:Security:Intrusion Detection:WhiteList. Enter each of your IP addresses from step #3 and click Save button.

6. Modify the default SSH port by logging in to your server as root and issuing the following commands using the year you were born in the first line replacing 2000:

sed -i 's|#Port 22|Port 2000|' /etc/ssh/sshd_config
systemctl restart sshd

 
7. From the VitalPBX Dashboard, navigate to Admin:Security:Firewall:Services. Change the SIP port to 5080 or some other port number not in the 5060-5065 range. Change the SSH port to a 4-digit number matching the year you were born. Click Save button. Monitor your SSH log for attempted breaches and change your port if necessary:

cat /var/log/secure | grep password

 
8. Verify that you can log back into your server with SSH using the new SSH port number you assigned in step #6: ssh -p 2000 root@server-IP-address

9. From the VitalPBX Dashboard, navigate to Admin:Security:Firewall:Rules. Delete the HTTP and HTTPS items by clicking the Trash icon beside each entry. In the GENERAL tab, set Block ICMP Requests to YES. Click Save button. This blocks web access to everyone except those you’ve whitelisted in step #4 above. If you ever lock yourself out of web access, login to your server as shown in step #8 and temporarily whitelist the public IP address desired. This gets removed automatically the next time you save your Firewall settings from within the VitalPBX GUI.

iptables -A vpbx_white_list -s 12.34.56.78 -j ACCEPT

10. Before we get too far along, let’s put another layer of security in place for your new server. We’re going to add the VoIP Blacklist which blocks about 100,000 bad guys from around the globe. We’ll also add a cron job to update the blacklist every night. Log back into your server as root and issue these commands to put the pieces in place and enable the VoIP Blacklist.

TIP: The cron job below is scheduled to run at 20 minutes after 3 a.m. Change the time to something else so we don’t all bombard the VoIP Blacklist site for downloads at exactly the same time every night.

cd /etc
wget http://incrediblepbx.com/voipbl-firewalld.tar.gz
tar zxvf voipbl-firewalld.tar.gz
rm -f voipbl-firewalld.tar.gz
echo "20 3 * * * root /etc/update-voipbl.sh >/dev/null 2>&1" >> /etc/crontab
/etc/update-voipbl.sh

11. From the VitalPBX Dashboard, navigate to Admin:Add-Ons:Add-Ons. Click Check Online button. Click Install button beside Custom Contexts. Click Install button beside Phonebooks. Click Install button beside Domotic.

12. From the VitalPBX Dashboard, navigate to Settings:Tech Settings:SIP Settings.

  a. In the GENERAL tab, set the Bind Address port to 5080 or whatever port you chose in step #7 above. This is the port number together with the FQDN of your PBX (set in the next step) that any SIP phone will need to successfully register to an extension.

  b. In the SECURITY tab, set Allow Guest to NO, set Auto-Domain to NO, set Allow External Domains to NO, and enter a fully-qualified domain name (FQDN) pointing to the IP address of your server in the Domain field. We cannot stress enough how important this FQDN is to the security of your cloud-based server. It limits SIP registrations to this FQDN only, and all SIP registration attempts by IP address are automatically blocked. Don’t skip this step!

  c. In the NETWORK tab, enter the IP address of your server in External Address. Click the ADD button in the Local Networks section and enter the private IP addresses associated with your LAN and VPN, e.g. 192.168.0.0/255.255.0.0 and 10.0.0.0/255.240.0.0. Change NAT to Force,Comedia if your server is behind a NAT-based router.

  d. In the CODECS tab, enable ULAW, ALAW, G722, and G729.

  e. In the OTHERS tab, set SRV LOOKUPS to Yes. Click SAVE button.

13. From the VitalPBX Dashboard, navigate to Settings:Tech Settings:Profiles. Click Show All Profiles bar and choose Default PJSIP Profile. In the GENERAL tab, set the following entries to YES: Force rport, Rewrite Contact, Direct Media, RTP Symmetric, and Send Diversion Header. Click UPDATE button.

14. From the VitalPBX Dashboard, navigate to PBX:Applications:Parking. Click Show All Parking Profiles bar and choose Default. Change Code from 700 to 7000 and click Update button. This changes your Parking Lot extensions to the 7000 range so that 700 range can be used for Extensions, just like other versions of Incredible PBX.

15. Log out of your Dashboard and then log back in so that the menus get refreshed with the Custom Contexts addition.

16. From the VitalPBX Dashboard, navigate to PBX:Applications:Custom Contexts. Create the new sample IVR context with the following entries. Then click Save button.

  • Description: IncrediblePBX
  • Context: incrediblepbx
  • Extension: s
  • Priority: 1
  • Destination: Terminate Call -> Hangup

17. From the VitalPBX Dashboard, navigate to PBX:Applications:Custom Applications. Create the custom application for the sample IVR and Save it.

  • Code: 3366
  • Name: DEMO
  • Enabled: YES
  • Destination: Custom Contexts -> IncrediblePBX

18. From the VitalPBX Dashboard, navigate to PBX:Applications:Conferences. Create the new sample conference application and Save it.

  • Code: 2663
  • Description: CONF
  • Music on Hold When Empty: YES
  • User Count: YES
  • Announce Join/Leave: YES
  • Announce Only User: YES
  • User PIN: 1234
  • Leader PIN: 4321
  • Drop Silence: YES

19. If you didn’t read last week’s article on Custom Contexts, now would be a good time to do so. Here are the commands to put all those pieces in place on your new cloud-based server:

cd /
yum -y install dialog wget nano tar mailx
cp -p /etc/crontab /etc/crontab.bak
wget http://incrediblepbx.com/incrediblepbx-vitalpbx.tar.gz
tar zxvf incrediblepbx-vitalpbx.tar.gz
rm -f incrediblepbx-vitalpbx.tar.gz
chown asterisk:asterisk /var/lib/asterisk
cd /etc/asterisk/ombutel
echo "[cos-all-custom](+)" >> extensions__80-custom.conf
echo "exten => 412,1,NoOp(Voice Dialer)" >> extensions__80-custom.conf
echo " same => n,Answer" >> extensions__80-custom.conf
echo " same => n,Goto(incrediblepbx,1,1)" >> extensions__80-custom.conf
echo " same => n,Hangup()" >> extensions__80-custom.conf
echo "" >> extensions__80-custom.conf
echo "exten => 951,1,NoOp(News)" >> extensions__80-custom.conf
echo " same => n,Answer" >> extensions__80-custom.conf
echo " same => n,Goto(incrediblepbx,5,1)" >> extensions__80-custom.conf
echo " same => n,Hangup()" >> extensions__80-custom.conf
echo "" >> extensions__80-custom.conf
echo "exten => 947,1,NoOp(Weather by ZIP)" >> extensions__80-custom.conf
echo " same => n,Answer" >> extensions__80-custom.conf
echo " same => n,Goto(incrediblepbx,6,1)" >> extensions__80-custom.conf
echo " same => n,Hangup()" >> extensions__80-custom.conf
echo "" >> extensions__80-custom.conf
echo "exten => 3172,1,NoOp(DISA Voice Dialer)" >> extensions__80-custom.conf
echo " same => n,Answer" >> extensions__80-custom.conf
echo " same => n,Goto(incrediblepbx,9,1)" >> extensions__80-custom.conf
echo " same => n,Hangup()" >> extensions__80-custom.conf
echo "" >> extensions__80-custom.conf
echo "exten => 4747,1,NoOp(Wolfram Alpha)" >> extensions__80-custom.conf
echo " same => n,Answer" >> extensions__80-custom.conf
echo " same => n,Goto(incrediblepbx,3,1)" >> extensions__80-custom.conf
echo " same => n,Hangup()" >> extensions__80-custom.conf
echo "" >> extensions__80-custom.conf
echo "exten => 8463,1,NoOp(Time of Day)" >> extensions__80-custom.conf
echo " same => n,Answer" >> extensions__80-custom.conf
echo " same => n,Goto(incrediblepbx,*,1)" >> extensions__80-custom.conf
echo " same => n,Hangup()" >> extensions__80-custom.conf
echo "" >> extensions__80-custom.conf
echo "exten => 53669,1,NoOp(Lenny)" >> extensions__80-custom.conf
echo " same => n,Answer" >> extensions__80-custom.conf
echo " same => n,Goto(incrediblepbx,53669,1)" >> extensions__80-custom.conf
echo " same => n,Hangup()" >> extensions__80-custom.conf
echo "" >> extensions__80-custom.conf
echo "exten => 86329,1,NoOp(Today in History)" >> extensions__80-custom.conf
echo " same => n,Answer" >> extensions__80-custom.conf
echo " same => n,Goto(incrediblepbx,7,1)" >> extensions__80-custom.conf
echo " same => n,Hangup()" >> extensions__80-custom.conf
echo "" >> extensions__80-custom.conf
systemctl restart asterisk
chown asterisk:asterisk /var/lib/asterisk
chown asterisk:apache /var/lib/asterisk/agi-bin

20. Create new Extensions for your PBX by navigating to PBX:Extensions:Extensions. You only need to fill in the Extension, Name, and Email Address fields. We recommend extension numbers beginning with 701. If the extension will be used from a phone behind a NAT-based router, change the NAT entry to Force,Comedia. If the phone associated with the extension has a static IP address, enter it in the Permit field for an extra layer of security. In the VOICEMAIL tab, you will note that voicemail is enabled by default with a password matching the extension number. This forces the user to set the voicemail password the first time they access voicemail with their phone. We recommend the YES setting for Attach Voicemail, Ask Password, Say CID, Say Duration, and Envelope. Then press SAVE.

21. Once you have created your extensions, you can create Ring Groups to assign multiple extensions and external numbers to a designated number which will ring all of the extensions and external numbers in the ring group either simultaneously or serially. Navigate to PBX:Call Center:Ring Groups to set this up.

22. Trunk Setup. While we don’t recommend it, if you just want to play around with some toll-free calls using option 1 in the DEMO IVR to see how everything works, here’s a simple trunk setup to get you started. First, navigate to Settings:Telephony:Channel Groups and save a group named Default with no entries. Then navigate to PBX:External:Trunks:CUSTOM. Create TollFree trunk with this Dial String: SIP/1${EXTEN}@ovh.starcompartners.com. No other entries are required. Click SAVE and reload your dialplan. Finally, create an Outbound Route for these calls in PBX:External:Outbound Routes like this:

  • Description: TollFree
  • Trunks: TollFree
  • Dial Pattern: Pattern=NXXNXXXXXX

Save your settings and reload the dialplan. You now can skip down to step #25. NOTE: You will not be able to receive outside calls or make calls to numbers other than toll-free ones.

Our preference is that you use our Platinum Provider, Skyetel, for your default trunk and DID because they offer quadruple redundancy so you never miss a call. Sign up for Skyetel service and take advantage of the Nerd Vittles specials which include a $10 credit to kick the tires. First, complete the Prequalification Form here. You then will be provided a link to the Skyetel site to complete your registration. Once you have registered on the Skyetel site and your account has been activated, open a support ticket and request the $10 credit for your account by referencing the Nerd Vittles special offer. Once you are satisfied with the service, fund your account as desired, and Skyetel will match your deposit of up to $250 simply by opening another ticket. That gets you up to $500 of half-price calling. You can also port in your DIDs at no cost for 60 days after funding your account. Credit is limited to one per person/company/address/location. Effective 10/1/2023, $25/month minimum spend required.

We don’t recommend trunk registrations with a publicly exposed server because it creates a potential attack vector for intruders and any intrusion would be undetectable from the PBX since the attacker could make unauthorized calls after registering directly with your SIP provider. For this reason, Skyetel does not use SIP registrations to make connections to your PBX. Instead, Skyetel utilizes Endpoint Groups to identify which servers can communicate with the Skyetel service. An Endpoint Group consists of a Name, an IP address, a UDP or TCP port for the connection, and a numerical Priority for the group. For incoming calls destined to your PBX, DIDs are associated with an Endpoint Group to route the calls to your PBX. For outgoing calls from your PBX, a matching Endpoint Group is required to authorize outbound calls through the Skyetel network. Thus, the first step in configuring the Skyetel side for use with your PBX is to set up an Endpoint Group. Here’s a typical setup for Incredible PBX 16 for VitalPBX:

  • Name: IncrediblePBX
  • Priority: 1
  • IP Address: IncrediblePBX-Public-IP-Address
  • Port: 5062
  • Protocol: UDP
  • Description: my.incrediblepbx.com

To receive incoming PSTN calls, you’ll need at least one DID. On the Skyetel site, you acquire DIDs under the Phone Numbers tab. You have the option of Porting in Existing Numbers (free for the first 60 days after you sign up for service and fund your account) or purchasing new ones under the Buy Phone Numbers menu option.

Once you have acquired one or more DIDs, navigate to the Local Numbers or Toll Free Numbers tab and specify the desired SIP Format and Endpoint Group for each DID. Add SMS/MMS and E911 support, if desired. Call Forwarding and Failover are also supported. That completes the VoIP setup on the Skyetel side. System Status is always available here.

If you’d like additional details on why we recommend Skyetel, see this Nerd Vittles article.

On the VitalPBX side, we need to add a new Skyetel trunk. Navigate to PBX:External:Trunks:PJSIP. The VitalPBX Trunk setup should look like the following for Skyetel. If you’d like to cut-and-paste the entries for the Match field, here you go:

52.41.52.34,52.8.201.128,52.60.138.31,50.17.48.216,35.156.192.164


[popup url="https://pbs.twimg.com/media/EGDhgsXWsAIbmw1?format=jpg&name=medium" width="1200″ height="700″][/popup]

In Admin:Security:Firewall:WHITELIST, you’ll need to individually Add the five Skyetel IP addresses used in the Match field above and then SAVE your firewall settings.

Finally in PBX:Incoming Calls:CID Modifiers, add a new entry for Skyetel with Skip/Length = 2/10 and Save your settings.

23. Before your PBX can receive calls, you’ll need at least one Inbound Route. This tells the PBX how to route calls from one or more phone numbers (DIDs) that you own to a destination on your PBX, e.g. an extension, a ring group, an IVR, or custom context. Navigate to PBX:External:Inbound Routes to get started. Let’s set up a default inbound route for all the DIDs you have acquired from Skyetel in step #22. Fill in the fields shown below. Then SAVE.

  • Routing Method: Default
  • Description: Default Skyetel
  • DID Pattern: [leave blank for ALL DIDs]
  • CallerID Modifier: Skyetel
  • Inbound Destination: Custom Contexts -> IncrediblePBX

24. Before you can make outbound calls from extensions on your PBX, you’ll need at least one Outbound Route. This tells the PBX which provider to use to complete calls dialed with a certain sequence of numbers. For example, you probably would want 10-digit numbers routed to Skyetel. And, if users dial 1 and then a 10-digit number, you’d probably want those calls routed to Skyetel as well. To create this outbound route, navigate to PBX:External:Outbound Routes. Fill in the fields shown below. Click ADD to add a second Dial Pattern. Click SAVE and Reload Dialplan when finished.

NOTE: While you can "spoof" any CallerID number here, it is only legal to assign CallerID numbers that you actually own. Most carriers do not forward CallerID names to destinations regardless of what you enter here. The CallerID name and number will be shown in your CDR logs: Reports:CDR Reports:CDR.

  • Description: Skyetel-OUT
  • Trunks: Skyetel
  • Outbound CID: [Your Name and CallerID Number]
  • Overwrite CID: YES
  • Dial Pattern: Prepend=1 Pattern=NXXNXXXXXX
  • Dial Pattern: Pattern=1NXXNXXXXXX

25. For the time being, we strongly recommend disabling IPv6 simply because we don’t have the necessary confidence that all of the security mechanisms are in place for IPv6. Here’s how on the CentOS 7 platform:

echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
sed -i 's|#AddressFamily any|AddressFamily inet|' /etc/ssh/sshd_config
systemctl restart sshd
sed -i 's|inet_protocols = all|inet_protocols = ipv4|' /etc/postfix/main.cf
systemctl restart postfix

 
26. Outbound email functionality is essential on your PBX. You’ll need it to be alerted to potential issues with VitalPBX, and you’ll need it for delivery of voicemail messages to users. There are a couple ways to implement it, and both are easy. If you want to use the native capabilities of Postfix to send the emails assuming your provider is not blocking outbound SMTP mail from downstream servers, then follow these steps:

  • Insert your FQDN from step #12b into /etc/hosts immediately after 127.0.0.1
  • Replace the contents of /etc/hostname with the same FQDN
  • Issue the following command using your actual FQDN: hostname FQDN
  • Sending yourself an email: echo "test" | mail -s test you@your-domain.com

If you don’t receive the test email message, then the easiest solution is to configure PostFix as an SMTP Relay using a Gmail account. You can do this easily from within the VitalPBX GUI. Navigate to Admin:System Settings:Email Settings and click the External Mail Server tab. Be sure that Gmail is selected and enter your Gmail name and password in the fields provided. Save your settings and send yourself an email using the field provided.

27. Once you get outbound email flowing, jump down to the next section and obtain IBM TTS and STT passwords. Now set up Voicemail Transcription with Email Message Delivery:

  a. After logging into your VitalPBX server as root using SSH/Putty:

cd /tmp
mkdir sendmail
cd sendmail
wget http://incrediblepbx.com/sendmailibm-vitalpbx.tar.gz
tar zxvf sendmailibm-vitalpbx.tar.gz
rm -f sendmailibm-vitalpbx.tar.gz
mv usr/sbin/sendmailibm /usr/sbin
cd /etc/asterisk/ombutel
echo "[general](+)" > voicemail__60-1-transcript.conf 
echo "; format=wav|wav49|gsm" >> voicemail__60-1-transcript.conf
echo "mailcmd=/usr/sbin/sendmailibm" >> voicemail__60-1-transcript.conf
chown apache:apache voicemail__60-1-transcript.conf
rm -rf /tmp/sendmail

 
  b. Restart Asterisk core services: asterisk -rx "core reload"

  c. Edit /usr/sbin/sendmailibm and insert your IBM Watson STT APIkey on line 23. Change the language on line 31 if you don’t want en-US. Then save the file.

  d. Log back into the VitalPBX GUI and configure the extensions desired for email delivery of voicemail. For each extension in PBX:Extensions:General, enter an Email Address for delivery of voicemails. In PBX:Extensions:Voicemail, verify the VM settings from step #20.

28. We hesitate to even mention (free) Festival TTS as a text-to-speech alternative because it is so bad compared to IBM TTS. But for those that like always free, here’s how to install it. Once installed, you can issue Festival commands in your dialplan using the keyword Festival followed by the text to be spoken in parentheses.

yum -y install festival
echo "[general]" > /etc/asterisk/festival.conf
asterisk -rx "dialplan reload"
festival_server &
systemctl restart asterisk
echo "/usr/bin/festival_server &" >> /etc/rc.d/rc.local

 

29. If you’d like to test the performance of your cloud-based server, here’s how to deploy and run SpeedTest:

cd /root
wget -O speedtest-cli https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
chmod +x speedtest-cli
/root/speedtest-cli

 
30. Associating CallerID Names (CNAM) with inbound calls for display on SIP phones and in the CDR logs is an often-requested PBX feature. There are a few ways to do it. First, for less than a penny a call, you can activate the feature with your DIDs in the Skyetel Dashboard. Or, for about half the cost, you can acquire an OpenCNAM account and activate it in VitalPBX by navigating to PBX:Incoming Calls:CID Lookup. Choose OpenCNAM as the Source and enter your credentials. Then SAVE your settings and reload the dialplan. Then, for each of your Inbound Routes, add OpenCNAM as the CID Lookup source and Update your configuration.

31. Unless you want a full-time job monitoring the size of your logs, remove the fail2ban Asterisk log which grows every 5 seconds. Navigate to Settings:PBX Settings:Log Files and click the Trash icon beside fail2ban. It’s probably a good idea to turn OFF the Notice option for the full log while you’re at it. Then SAVE your changes.

32. Before you do anything else, navigate to Admin:Admin:Backup & Restore, configure and run a Full Backup, and then download the file and keep it in a safe place. Be advised that Backup/Restore doesn’t restore Add-Ons, /var/lib/asterisk/agi-bin, custom contexts (extensions__80*.conf) in /etc/asterisk/ombutel, custom MySQL databases (mysqldump -u root yourDB > yourDB.sql), custom and lenny sound directories in /var/lib/asterisk/sounds, phpMyAdmin, /usr/local/sbin, and /etc/crontab.

Obtaining IBM Watson TTS and STT Credentials

Incredible PBX uses IBM Watson® for TTS and STT support. This Nerd Vittles tutorial will walk you through getting your IBM account set up and obtaining both your TTS and STT credentials. Be sure to write down BOTH sets of credentials which you’ll need in a minute. For home and SOHO use, IBM access and services generally is FREE even though you must provide a credit card when signing up. Details are provided when you sign up. If you ever forget your passwords, you can retrieve them by navigating to Resource List:Services:TTS or STT:View Full Details:Show Credentials.

Obtaining Wolfram Alpha Credentials

When people ask what exactly Wolfram Alpha is, our favorite answer was provided by Ed Borasky.

It’s an almanac driven by a supercomputer.

That’s an understatement. It’s a bit like calling Google Search a topic index. Unlike Google which provides links to web sites that can provide answers to queries, Wolfram Alpha provides specific and detailed answers to almost any question. Here are a few examples (with descriptions of the functionality) to help you wrap your head around the breadth of information. For a complete list of what’s available, visit Wolfram Alpha’s Examples by Topic. Type a sample query here. Some of our favorites include:

Weather in Charleston South Carolina
Weather forecast for Washington D.C.
Next solar eclipse
Otis Redding
Define politician
Who won the 1969 Superbowl? (Broadway Joe)
What planes are flying overhead now? (flying over your server’s location)
Ham and cheese sandwich (nutritional information)
Holidays 2012 (summary of all holidays for 2012 with dates and DOW)
Medical University of South Carolina (history of MUSC)
Star Trek (show history, air dates, number of episodes, and more)
Apollo 11 (everything you ever wanted to know)
Cheapest Toaster (brand and price)
Battle of Gettysburg (sad day 🙂 )
Daylight Savings Time 2012 (date ranges and how to set your clocks)
Tablets by Motorola (pricing, models, and specs from Best Buy)
Doughnut (you don’t wanna know)
Snickers bar (ditto)
Weather (local weather at your server’s location)

Before you can actually use our TTS implementation of Wolfram Alpha, you’ll need to obtain a free Wolfram Alpha account. As you can imagine, there have to be some rules when you’re using someone else’s supercomputer for free. So here’s the deal. It’s free for non-commercial, personal use once you sign up for an account. But you’re limited to 2,000 queries a month which works out to almost 70 queries a day. Every query requires your personal application ID, and that’s how Wolfram Alpha keeps track of your queries. Considering the price, we think you’ll find the query limitation generous compared to other web resources.

To get started, sign up for a free Wolfram Alpha API account. Just provide your email address and set up a password. It takes less than a minute. Log into your account and click on Get An App ID. Make up a name for your application and write down (and keep secret) your APP-ID code. That’s all there is to getting set up with Wolfram Alpha. If you want to explore costs for commercial use, there are links to let you get more information.

Configuring Your Incredible PBX Credentials

In addition to your Wolfram Alpha APPID, there are two sets of IBM credentials to plug into the Asterisk AGI scripts. Keep in mind that there are different passwords for the IBM Watson TTS and STT services. The TTS credentials will look like the following: $IBM_password. The STT credentials look like this: $API_PASSWORD. Don’t mix them up. The username for both TTS and STT is now the single word: apikey

All of the scripts requiring credentials are located in /var/lib/asterisk/agi-bin so switch to that directory after logging into your server as root. Edit each of the following files and insert your TTS credentials in the variables already provided: nv-today2.php, ibmtts.php, and ibmtts2.php. Edit each of the following files and insert your STT credentials in the variables already provided: getquery.sh, getnumber.sh, and getnumber2.sh. Finally, edit 4747 and insert your Wolfram Alpha APPID.

If you ever want to learn how to develop applications for Asterisk, these scripts coupled with the dialplan code included in /etc/asterisk/ombutel/extensions__80-1-incrediblepbx.conf will point you in the right direction with easy to follow examples.

Managing the AsteriDex SQLite3 Database

We’ve alluded to the AsteriDex database in a couple of VitalPBX articles but never mentioned how to access it. Using a browser, point it to http://server-ip/asteridex4. You can add, edit, display, and delete entries from there. Before you can make changes in the database, issue the following command after logging into your server as root:

chown asterisk:apache /var/lib/asterisk/agi-bin

Taking Incredible PBX for a Test Drive

You can take Incredible PBX for VitalPBX on a test drive in two ways. You can call our server, and then you can try things out on your own server and compare the results. Call our IVR by dialing 1-843-606-0555. For our international friends, you can use the following SIP URI for a free call: 10159591015959@atlanta.voip.ms. For tips on setting up your own secure, hybrid SIP URI with VitalPBX, see our original tutorial. The FreePBX® setup is virtually identical except for the location of the custom SIP setting for match_auth_username=yes. On a VitalPBX server, you will enter it here: Settings:Technology Settings:SIP Settings:CUSTOM.

With Allison’s Demo IVR, you can choose from the following options:

  • 0. Chat with Operator — connects to extension 701
  • 1. AsteriDex Voice Dialer (412) – say "Delta Airlines" or "American Airlines" to connect
  • 2. Conferencing (2663) – log in using 1234 as the conference PIN
  • 3. Wolfram Alpha Almanac (4747) – say "What planes are flying overhead now?"
  • 4. Lenny (53669) – The Telemarketer’s Worst Nightmare
  • 5. Today’s News Headlines (951) — courtesy of Yahoo! News
  • 6. Weather by ZIP Code (947) – enter any 5-digit ZIP code for today’s weather
  • 7. Today in History (86329) — courtesy of OnThisDay.com
  • 8. Call Extension 701 — on your local PBX
  • 9. DISA Voice Dialer (3172) — say any 10-digit number to be connected
  • *. Current TIME and Date (8463) — courtesy of VitalPBX

CAUTION: We have intentionally disabled outbound calls using Option #9 and redirected callers to Lenny. The reason is that an unscrupulous caller could easily run up your phone bill by entering a number with expensive destination charges. If you wish to enable the feature, despite the risks, you can edit extensions__80-1-incrediblepbx.conf and make the change.

You can call your own IVR in a few ways. From an internal VitalPBX phone, dial D-E-M-O (2663) to be connected. Or simply dial the number of the DID you routed to the Incredible PBX Custom Context. Local users can also dial the individual feature codes shown in parentheses above. Be sure that you heed AND test the CAUTION documented above.

Originally published: Monday, October 21, 2019





Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Mastering the Incredible PBX 16-15 Feature Set with Raspbian



This week we’ll finish up our introduction of Incredible PBX® 16-15 for the Raspberry Pi with a quick look at some of the additional features that are offered on this new platform and that were not covered in our first and second articles. These include text-to-speech apps for news, weather, and today in history as well as the sample ODBC apps for speed dialing and employee data base lookups. We’ll also walk you through the conferencing setup and document the easiest way to deploy an Interactive Voice Response (IVR) system or a Stealth AutoAttendant with or without Direct Inward System Access (DISA) which provides a way to call into your PBX from anywhere and obtain dial tone to make calls or access features just as if you were using a local phone connected to your PBX. We’ll finish up with a review of the Incredible PBX security model: Travelin’ Man 3 IPtables firewall, Fail2Ban, and PortKnocker.

Introduction to Incredible PBX TTS Apps

Text-to-Speech (TTS) applications are included in Incredible PBX for two reasons. First, they provide useful information by phone. Second, they document the procedure required to build your own TTS applications using Asterisk®. That process typically includes a dialplan code addition to /etc/asterisk/extensions_custom.conf plus a PHP/AGI script which must be stored in /var/lib/asterisk/agi-bin. The actual interaction with the caller is handled in the dialplan code using a TTS engine to convert the text results of the PHP/AGI query into audio suitable for playback over the telephone. The (free) PicoTTS engine is included in the Incredible PBX image for the Raspberry Pi. The commercial IBM TTS engine is also available.

The job of the dialplan code is to answer the incoming call and prompt the caller for any necessary information that needs to be passed to the PHP/AGI script to obtain the information sought by the caller. For example, with the Weather by ZIP code app, the caller dials Z-I-P (947) and the dial plan code prompts the caller for the ZIP code of the desired weather report. This ZIP code is then passed to the nv-weather-zip.php AGI script to retrieve the requested weather forecast. The text results of the query then are passed back to the dialplan code which plays back the results to the caller using the PicoTTS engine.

Three sample TTS applications are included. Dial 951 for the latest Yahoo News headlines. Dial 947 to obtain a weather report for any American city using its ZIP code. Dial T-O-D-A-Y to listen to Today in History events for the current day of the year.

Introduction to Incredible PBX ODBC Apps

As with TTS apps, sample ODBC apps are included in Incredible PBX to provide useful information to callers and to document the procedure required to build your own ODBC applications with Asterisk. For those unfamiliar with ODBC, it is a middleware component that lets you build generic database applications that will work with almost any data base management system. In our case, we are using the MySQL clone, MariDB, as the backend database. But the same ODBC API could be used with a database stored in SQLite, or SQL Server, or PostgreSQL. To interact with your own database, the first step is to install an ODBC connector for your particular database so that it can "talk" to Linux and to Asterisk. On the Linux side, take a look at /etc/odbc.ini for examples of how this is done for individual databases. If you’re using a backend database other than MySQL/MariaDB, then the driver must be installed and added to /etc/odbcinst.ini. On the Asterisk side, there are three pieces that need to be put in place in /etc/asterisk. res_odbc_custom.conf houses the actual linkages to the ODBC databases defined in /etc/odbc.ini. func_odbc.conf houses the actual ODBC queries that will be used to read and write information from and to your databases. Finally, odbc.conf contains the dialplan code that will be used to interact with the caller. It answers the incoming calls, prompts the caller for necessary data to complete the query, executes the query defined in func_odbc.conf, and then converts the text results to audio and passes the results back to the caller using the PicoTTS app.

Two sample ODBC applications are included. Dial 222 to obtain an employee name lookup from the employee timeclock database by entering the employee number, e.g. 12345. Dial 223 for a speed dial application using the AsteriDex dialcode (the first 3 letters of a name). For example, enter D-E-L to obtain phone number of Delta Airlines and optionally place the call.

Introduction to Incredible PBX Conference Bridge

The Incredible PBX platform includes a preconfigured conference application which makes it easy for two or more parties to confer regarding any subject matter of common interest. Those with a local extension on the PBX can join the conference by dialing C-O-N-F (2663). For callers outside the PBX to participate, you would need to add a DID that points to the conference number. We’ve made it easy by including this option in the sample IVR created by Allison Smith. Simply designate the IVR as the destination for a DID and tell users to choose option 2. Local users can call D-E-M-O (3366) and choose option 2.

Before using the conference application, you will want to reset the conference passwords. There’s one for users and a second one for the conference leader. After logging into your server as root, issue the command: ./reset-conference-pins. You can display most of the passwords on your PBX including the conference PINs: ./show-passwords.

The conference bridge setup is configured in the GUI: Applications -> Conferences. Here you can decide whether to require the conference administrator to be present before users can join the conference, you can force termination of the conference when the admin leaves, you can enable the menus for users and administrators by pressing *, you can choose whether to record the conference, you can set the maximum number of conference participants, and much more. Simply click on the ? icons for explanations of the various features. CAUTION: Be advised that saving new settings for the conference bridge will reset the conference PINs to the entries shown or entered into the template, e.g. 1234 and 4321 as shown above!

Configuring Incredible PBX IVRs and AutoAttendants

We’ve included a sample IVR and the Stealth AutoAttendant as part of the Incredible PBX install. The easiest way to master the process of building these is to examine the included samples and try them out: Applications -> IVR -> DemoIVR. The demo IVR comes with all the options preconfigured. Be very careful exposing this through a DID unless you have hardened the passwords, especially for the Telephone Reminders app since this application allows any caller to set up calls to external phone numbers which may cost you money!

The IVR options themselves are self-explanatory and well-documented under the ? icon. The IVR Entries at the bottom of the template define the destinations for caller button presses during a call. The Stealth AutoAttendant is worth examining further since it does not include predefined destinations. You would need to add these yourself. The idea behind a Stealth AutoAttendant is to provide options to a caller which are not explained when the AutoAttendant answers the call. In this way, it allows you to "hide" certain features of your PBX from the average caller. While standing alone, it’s obviously not secure since anyone can press a number on their phone after being connected, it does at least obscure the existence of the options. One good use for this is a DISA option which would let you call into your PBX to obtain dialtone to perform other functions on the PBX with an appropriate password, of course. This is documented in the next section and would need to be set up BEFORE adding the option as a choice on the AutoAttendant.

Configuring DISA with Incredible PBX

Before setting up a DISA option with Incredible PBX, be aware of the risks. Anyone that guesses your DISA password basically gets a blank check to perform any function that could be executed from any phone registered to your PBX. If you’ve decided to proceed anyway, access the GUI and choose Applications -> DISA -> Add DISA. Here’s what a typical DISA setup would look like. You’d obviously want a much more secure PIN!

Once you have saved the template and reloaded your dialplan, you then can add DISA as an option in your IVR or AutoAttendant. Be sure to test it carefully before exposing it for public access. You’ve been warned!

Incredible PBX Security Model Overview

Unlike most other free PBX offerings, Incredible PBX is always deployed as a secure platform. Attempts to access Incredible PBX from outside your local area network will fail unless the IP address has been whitelisted in the IPtables firewall using one of the Travelin’ Man 3 utilities: add-ip or add-fqdn. Repeated attempts to access the PBX will be blocked by Fail2Ban and subsequent attempts to whitelist a blocked IP address will not be successful until the Fail2Ban quarantine expires. Thus, it is important to set up Incredible PBX initially using a desktop PC from which you will subsequently manage the PBX. This assures that at least this desktop PC’s IP address is whitelisted.

To whitelist a static IP address, log into your server as root and issue the following command: ./add-ip my-log-cabin 12.34.56.78 where my-log-cabin is the descriptive name you wish to associate with the whitelisted IP address and 12.34.56.78 is the actual IP address.

Obviously, everyone doesn’t have a static IP address. That’s what the add-fqdn utility is for. It allows you to use a dynamic DNS service to assign an FQDN to a dynamic IP address and rely upon the dynamic IP address provider to keep the FQDN synchronized as the IP address changes. Search your favorite search engine, search for "free dynamic dns raspberry pi" to find available providers. On the Incredible PBX, the setup is much the same except you’ll use the FQDN assigned to the IP address: ./add-fqdn my-log-cabin logcabin.myip.com. Incredible PBX actually runs a script every 10 minutes to keep dynamic IP addresses synchronized. Don’t make any changes to /root/ipchecker. If you’d prefer to have the script run more frequently, adjust the 10 entry in the ipchecker line in /etc/crontab.

Last but not least, Incredible PBX includes the PortKnocker utility which provides an emergency "back door" into your PBX if you ever find yourself locked out by the firewall rules. The idea behind PortKnocker is that you send a packet to three random, pre-defined ports in a particular sequence and, if there’s a match, PortKnocker whitelists your IP address for further access to the server until the firewall is restarted or the server is rebooted. You’ll find your credentials and documentation in /root/knock.FAQ. If your PBX is sitting behind a hardware-based router or firewall, be sure to map the three TCP ports to the LAN IP address of your PBX. Enjoy!

Originally published: Wednesday, August 28, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



The One-Minute Installer: Deploying Asterisk on the Internet


Last week we introduced a new methodology for deploying Incredible PBX® and Asterisk® on the wide open Internet. And this week we’ve put all the pieces together in a One-Minute Installer that will transform any Incredible PBX 13-13.10 server into a public-facing server platform in under a minute. Today you not only get the cupcake, but also some of the sprinkles in the form of tips or scripts to whitelist providers and users, to adjust countries on the blacklists, to add IP addresses to the blacklist, and to update our default VoIP Blacklist which now blocks over 83,000 suspicious IP addresses worldwide. Stay tuned for more.

Is It Safe?

Let’s first cover our deployment strategy so you can decide whether a public facing PBX is the right choice for you or your organization. What we mean by "exposed to the Internet" is that all of your SIP traffic is opened for public access. It doesn’t mean everybody gets free admission, but it does allow everyone to come to the door and at least knock. We still protect web access to your server with a whitelist of IP addresses, and SSH access is hidden behind a port number of your choice to protect you from the script kiddies. Is it as safe as the traditional Incredible PBX platform that is totally hidden from public view by the Travelin’ Man 3 firewall whitelist? Obviously not. But what you gain is what we had with the traditional Ma Bell phone system. Anybody can call you, but it’s up to you to determine whether to answer or block the calls. The major difference is there was a cost of calling random numbers in the old days. With VoIP technology, all of the calls are free so long as the caller has an Internet connection and a SIP client. We believe the platform is relatively safe today, but there is always a chance of SIP flooding or some zero-day vulnerability that could put your server at risk. If you’re not comfortable with that risk, now would be a good time to stop reading. Stick with the traditional Incredible PBX platform and avoid the worries of SIP attacks. The bad guys can’t see your server, and you still can be reached by calls to your PSTN number.

Changing Your Mindset About Security

Deploying a public-facing PBX does require an attitude adjustment. Behind the security of an airtight firewall, passwords for extensions, voicemail, and trunks didn’t much matter because the bad guys couldn’t find you much less get the necessary access to attempt to decipher your passwords. THAT HAS NOW CHANGED! You should immediately create new passwords that are as secure as you would use for your bank account because some folks will be trying to figure them out shortly. And, once they do, if you have VoIP services that allow calls to anywhere, your phone bill can skyrocket in a matter of minutes. You’ve been warned. If you have automatic replenishment of funds with one or more VoIP providers, change that now. And set up low balance notifications instead. Fund your VoIP provider accounts with amounts you can stand to lose in a worst case scenario. Better safe than sorry… and broke!

Choosing FQDNs for Your Server

There’s another important safeguard in today’s implementation, and that’s fully-qualified domain names (FQDNs) for your server. Without knowing your FQDN, nobody will be able to make a SIP connection to your PBX. Guessing your IP address won’t help because we automatically block all of those calls. And, once any caller attempts to connect in that way, they will be blocked from further access for a very long time by the Fail2Ban service. You have the option of using a single FQDN for both incoming calls and for registering SIP phones to your extensions. You also may use two separate FQDNs, one for incoming calls from the public and another for SIP phone registrations. Despite what some pundits would say, security through obscurity matters. Using less obvious FQDNs dramatically reduces the likelihood that your server can be attacked. This is especially important in the case of a SIP registration FQDN. Making this FQDN as obscure as possible protects your server in much the same way that a password would. So give serious consideration to whether your FQDN will be known or guessed by the general public. If so, deploy a second obscure one for registrations.

Deployment Prerequisites

That’s all we’re going to say about security. We’re now going to turn our attention to deployment. Before running the One-Minute Installer, there are some prerequisites. Here’s the short list:

  1. Functioning Incredible PBX 13-13.10 server with CentOS 6
  2. KVM (not OpenVZ) Cloud Platform with 1GB+ RAM
  3. Public, Static IPv4 Address for your server
  4. One or two FQDNs pointed to your server
  5. Whole Enchilada installed, if desired
  6. Incredible Fax installed, if desired (requires reboot)
  7. Preconfigured extensions & voicemail accounts with SECURE PASSWORDS

We’ve provided the link above to get your Incredible PBX 13-13.10 server up and running. This must be deployed on a Cloud-based KVM platform using CentOS 6 on a KVM (not OpenVZ) platform with a static IP address and a minimum of 1GB of RAM and a 20GB disk. The KVM platform is mandatory because we’ll be using ipset (which won’t work with OpenVZ platforms) to block entire countries as well as to set up our VoIP Blacklist. You’ll need at least one and preferably two FQDNs pointed to the IP address of your PBX. If you plan to use the Incredible PBX apps, then make sure to install the Whole Enchilada and Incredible Fax components before you transform your PBX into a public-facing server. And, as previously mentioned, tighten up ALL of your passwords for SSH and web access as well as for all of your extension secrets and voicemail PINs. It’s also a good idea to create the extensions you plan to make available for incoming calls although these can be added later as well.

UPDATE: CentOS 7 support with Incredible PBX 13-13.10 now has been added.

Choosing a KVM Platform

There are numerous cloud providers that offer a KVM platform. Choosing one that’s a perfect fit depends upon your budget obviously. For rock-solid dependability and little risk of provider implosion, we recommend Digital Ocean, Vultr, and OVH.1 If you’re just experimenting and can recover if your provider happens to suddenly go out of business, then the LowEndBox KVM offerings will save you some money. We don’t recommend CloudAtCost.

Converting to a Public-Facing PBX

Once you’ve completed the steps above and verified that your PBX is functioning reliably, you’re ready to download and run the One-Minute Installer to convert Incredible PBX into a public-facing server.

WARNING: Before you proceed, make certain that you log out any extensions that are registered using the IP address of the PBX as opposed to the FQDN of your server. Otherwise, these extensions may find their IP addresses locked out by Fail2Ban since SIP extension registrations by IP address will be blocked once the conversion to a public server is finished. After the update, if you find extensions that won’t register, the first thing to do is to issue the command: iptables -nL. See if the extension’s IP address is blocked. If it is, change the extension’s SIP registration to point the FQDN of the server as opposed to its IP address. Then you can unblock the IP address with this command using the extension’s actual IP address:

fail2ban-client set asterisk unbanip xxx.xxx.xxx.xxx

Now let’s proceed. Log into your server as root with SSH/Putty and issue these commands:

cd /root
wget http://incrediblepbx.com/go-public.tar.gz
tar zxvf go-public.tar.gz
rm -f go-public.tar.gz
./GO-PUBLIC


Modifying the Blocked Countries List

As part of the install, all of the IP addresses from a number of countries were blocked using ipset in conjunction with the IPtables firewall. You can add or change the countries being blocked by making modifications in two places: (1) /etc/sysconfig/iptables beginning at line #69 and (2) /etc/blockem.sh on line #7. Be advised that every country blocked in IPtables requires a separate DROP line and the same country must also be enumerated on line #7 in /etc/blockem.sh. Otherwise, the IPtables firewall startup will fail when your server is rebooted or when IPtables is restarted. If a country is blocked on line #7 in /etc/blockem.sh but a DROP line is not added to /etc/sysconfig/iptables, then that country’s IP addresses will NOT be blacklisted when IPtables is restarted or your server is rebooted. Simply stated, the countries blocked in IPtables must match the country list in /etc/blockem.sh. For a current list matching countries with their international country code abbreviations, go here.

Blacklist Update Methodology

As configured, the country blacklists are only updated when the /etc/blockem.sh script is run. This occurs whenever you reboot your server or when you manually run the script. The VoIP Blacklist is updated nightly by a cron job which runs the /etc/update-voipbl.sh script.

Adding Extensions to Your SIP WhiteList

For the time being, you can manually adjust the extension listing that controls incoming SIP call access to your PBX. Only extensions included in this list are made available to receive incoming calls using the SIP URI syntax of 701@your.fqdn.com. First, you will need to edit extensions_override_freepbx.conf in /etc/asterisk. Once you’ve saved your changes, reload your dialplan: asterisk -rx "dialplan reload"

Beginning on line 31 of extensions_override_freepbx.conf, you will see a series of lines that actually authorize anonymous SIP connections with your server. There are two numeric entries and also two alpha entries to access the News and Weather apps on your server. Below them are the extensions you whitelisted when you ran the One Minute Installer above. The 13 entry in each line of the dialplan is required for all extensions to be enabled. You can add additional extensions by cloning the syntax of one of the existing entries. Be sure to enter the new extension number in BOTH places on each line that you add. The first entry corresponds to the left side of the SIP URI, e.g. 947@your.FQDN.com. The second entry tells Asterisk the extension to which to send the incoming call. Samples also are provided in the comments for redirecting incoming calls to outbound destinations. See also last week’s article.

exten => 947,13,Dial(local/947@from-internal)
exten => 951,13,Dial(local/951@from-internal)
exten => news,13,Dial(local/951@from-internal)
exten => weather,13,Dial(local/947@from-internal)

Adding IP Addresses to Your IPtables BlackList

You can manually add BlackList entries to your server using ipset; however, keep in mind that these entries will be overwitten when the VoIP Blacklist is updated each night. The recommended procedure is to first add them to ipset using the following command with the actual IP address to be blacklisted: ipset add voipbl xx.xx.xx.xx

Then visit the VoIP BlackList site and add the same IP address in the Blacklist Submission form. Multiple IP addresses can be added by separating every entry with a space.

Adding IP Addresses to Your IPtables WhiteList

You can whitelist additional IP addresses to enable access to your PBX that takes precedence over the blacklists by using the existing add-ip and add-fqdn utilities included in the /root folder. These were both modified to accommodate the public-facing Incredible PBX design.

Last week we got bitten by the age-old problem with BlackLists, namely that the bad guys populate them with IP addresses of places you actually want to go, such as CallCentric and Skyetel. Without a whitelist of safe sites, a blacklist is worse than worthless. So the way this works in Incredible PBX is the whitelist entries are moved to the top of the pecking order so that they take precedence in IPtables processing. The IPtables design works like this. Once a packet qualifies as safe by being accepted, the rest of the IPtables rules are ignored. Enjoy!

Originally published: Monday, June 10, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Digital Ocean and Vultr provide modest referral credits to Nerd Vittles for those that use our referral code. It in no way colors our recommendations regarding these two providers, both of whom we use extensively. []

Safely Deploying Incredible PBX on the Wide Open Internet

We’ve previously documented the benefits of SIP URI calling. Because the calls are free from and to anywhere in the world, the use case is compelling. The drawbacks, particularly with Asterisk® servers, have primarily centered around the security implications of exposing SIP on a publicly-accessible server. Today we want to take another look at an open Internet SIP implementation for Asterisk based upon the pioneering work of Dr. Lin Song back in the PBX in a Flash heyday. We’ve embellished Lin’s original IPtables creation and our original article with some additional security mechanisms for Fail2Ban, Asterisk, FreePBX®, and Travelin’ Man 3. Special thanks also for a terrific tutorial from JavaPipe. All of today’s implementation is open source code which you are more than welcome to use or improve pursuant to GPL3.

July 22 UPDATE: New Incredible PBX 16-15-PUBLIC deployment tutorial is now available here.

Consider this. If everyone in the world had an accessible SIP address instead of a phone number, every call to every person in the world via the Internet would be free. That pretty much sums up why SIP URIs are important. The syntax for SIP URIs depends upon your platform. With Asterisk they look like this: SIP/somebody@FQDN.yourdomain.com. On SIP phones, SIP URIs look like this: sip:somenameORnumber@FQDN.yourdomain.com. Others use somenameORnumber@FQDN.yourdomain.com. Assuming you have a reliable Internet connection, once you have “dialed” a SIP URI, the destination SIP device will ring just as if the called party had a POTS phone. Asterisk® processes SIP URIs in much the same way as calls originating from commercial trunk providers except anonymous SIP calls are blocked.

While we have tested today’s design extensively including implementation of a cloud-based server with no security issues since deployment over four months ago, we still don’t recommend this SIP design for mission-critical PBXs because there remain some security risks with denial of service attacks and zero-day vulnerabilities. For these deployments, Incredible PBX® coupled with the Travelin’ Man 3 firewall which blocks SIP access except from whitelisted IP addresses and FQDNs has no equal. When properly deployed, the bad guys cannot even see your server much less attack it. A typical use case for today’s new SIP design would be a public Asterisk server that provides anonymous SIP access to the general public without any exposure to the corporate jewels. For example, we’ve put up a demonstration server that provides news and weather reports. In the corporate world, an equivalent deployment might provide access to a product database with pricing and availability details. Our rule of thumb before deploying today’s platform would be to ask yourself what damage could be inflicted if your server were totally compromised. If the answer is zero, then proceed. Otherwise, stick with Incredible PBX and the Travelin’ Man 3 firewall. The ideal platform for deployment using the same rule of thumb as above is one of the $1 a month cloud platforms.

ProviderRAMDiskBandwidthPerformance as of 12/1/19Cost
CrownCloud KVM (LA)1GB20GB +
Snapshot
1TB/month598Mb/DN 281Mb/UP
2CPU Core
$25/year
Best Buy!
Naranjatech KVM (The Netherlands)1GB20GB1TB/monthHosting since 2005
VAT: EU res.
20€/year w/code:
SBF2019
BudgetNode KVM (LA)1GB40GB RAID101TB/monthAlso available in U.K PM @Ishaq on LET before payment$24/year
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA)1GB20GB SSD3TB/monthPick EGG loc'n
Open ticket for last 5GB SSD
$30/year w/code:
LEBEGG30

Overview. There are a number of moving parts in today’s implementation. So let’s briefly go through the steps. Begin with a cloud-based installation of Incredible PBX. Next, we’ll upgrade the Fail2Ban setup to better secure a publicly-accessible Asterisk server. We’ll also customize the port for SSH access to reduce the attack rate on the SSH port. You’ll need a fully-qualified domain name (FQDN) for your server because we’ll be blocking all access to your server by IP address. If you want to allow SIP URI calls to your server, you’ll need this FQDN. If you want to also allow SIP registrations from this same FQDN, then a single FQDN will suffice; however, with OpenVZ platforms, we recommend using a different (and preferably more obscure) FQDN for SIP registrations since registered users have an actual extension on your PBX that is capable of making outbound calls which usually cost money. In this case, the obscure FQDN performs double-duty as the equivalent of a password to your PBX. For example, an FQDN such as hk76dl34z.yourdomain.com would rarely be guessed by an anonymous person while sip.yourdomain.com would be fairly obvious to attempted intruders. But that’s your call.

Using whatever FQDN you’ve chosen for SIP registrations, we’ll add an entry to /etc/asterisk/sip_custom.conf that looks like this: domain=hk76dl34z.yourdomain.com. That will block all SIP registration attempts except from that domain. It will not block SIP invitations! The next step will be to add a new [from-sip-external] context to extensions_override_freepbx.conf. Inside that context, we’ll specify the FQDN used for public SIP URI connections to your server, e.g. sip.yourdomain.com. This will block SIP invitations except SIP URIs containing that domain name. We’ll also define all of the extensions on your Asterisk server which can be reached with SIP URI invitations. These could be actual extensions, or ring groups, or IVRs, or Asterisk applications. The choice is yours. These SIP URI authorizations can be either numeric (701@sip.yourdomain.com) or alpha (weather@sip.yourdomain.com) or alphanumeric (channel7@sip.abc.com). Finally, we’ll put the new IPtables firewall rules in place and adjust your existing iptables-custom setup to support the new publicly-accessible PBX. For example, we’ll still use whitelist entries for web access to your server since anonymous users would cause nothing but mischief if TCP ports 80 and 443 were exposed. It’s worth noting that KVM platforms provide a more robust implementation of IPtables that can block more types of nefarious traffic. We’ve supplemented the original article with a KVM update below. With OpenVZ platforms, we have to rely upon Asterisk to achieve IP address blocking and some types of packet filtering. So why not choose a KVM platform? It’s simple. These platforms typically cost twice as much as equivalent OpenVZ offerings. With this type of deployment, KVM is worth it.

Installing Incredible PBX Base Platform

Today’s design requires an Incredible PBX platform on a cloud-based server. Start by following this tutorial to put the pieces in place. We recommend you also install the Whole Enchilada addition once the base install is finished. Make sure everything is functioning reliably before continuing.


Upgrading the Fail2Ban Platform

Because this will be a publicly-accessible server, we’re going to tighten up the Asterisk configuration in Fail2Ban and lengthen the bantime and findtime associated with Fail2Ban’s Asterisk log monitoring. We also recommend that you whitelist the IP addresses associated with your server and PCs from which you plan to access your server so that you don’t inadvertently block yourself.

Log into your server as root and issue the following commands. When the jail.conf file opens in the nano editor, scroll down to line 34 and add the IP addresses you’d like to whitelist to the existing ignoreip settings separating each IP address with a space. Then press Ctrl-X, Y, then Enter to save your changes. Verify that Fail2Ban restarts successfully.

cd /etc/fail2ban
wget http://incrediblepbx.com/fail2ban-public.tar.gz
tar zxvf fail2ban-public.tar.gz
rm -f fail2ban-public.tar.gz
nano -w jail.conf
service fail2ban restart

If you ever get locked out of your own server, you can use the Serial Console in your VPS Control Panel to log into your server. Then verify that your IP address has been blocked by issuing the command: iptables -nL. If your IP is shown as blocked, issue this command with your address to unblock it: fail2ban-client set asterisk unbanip 12.34.56.78

Obtaining an FQDN for Your Server

Because we’ll be blocking IP address SIP access to your server, you’ll need to obtain one or perhaps two FQDNs for your server. If you manage DNS for a domain that you own, this is easy. If not, you can obtain a free FQDN from ChangeIP here. Thanks, @mbellot.

For the FQDN that you’ll be using for SIP registrations on your server, configure Asterisk to use it by logging into your server as root and issuing the following command using your new FQDN, e.g. xyz.yourdomain.com. Thanks, @ou812.

echo "domain=xyz.yourdomain.com" >> /etc/asterisk/sip_custom.conf

SECURITY ALERT: Never use the SIP URI MOD on a server such as this one with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.

Customizing the [sip-external-custom] Context

All FreePBX-based servers include a sip-external-custom context as part of the default installation; however, we need a customized version to use for a publicly-accessible PBX. You can’t simply update the context in /etc/asterisk/extensions.conf because FreePBX will overwrite the changes the next time you reload your dialplan. Instead we have to copy the context into extensions_override_freepbx.conf and make the changes there. So let’s start by copying the new template there with the following commands:

cd /tmp
wget http://incrediblepbx.com/from-sip-external.txt
cd /etc/asterisk
cat /tmp/from-sip-external.txt >> extensions_override_freepbx.conf
rm -f /tmp/from-sip-external.txt
nano -w extensions_override_freepbx.conf

When the nano editor opens the override file, navigate to line #10 of the [from-sip-external] context and replace xyz.domain.com with the FQDN you want to use for SIP invites to your server. These are the connections that are used to actually connect to an extension on your server (NOT to register). As noted previously, this can be a different FQDN than the one used to actually register to an extension on your server. Next, scroll down below line #27, and you will see a series of lines that actually authorize anonymous SIP connections with your server. There are two numeric entries and also two alpha entries to access the News and Weather apps on your server. The 13th position in the dialplan is required for all authorized calls.

exten => 947,13,Dial(local/947@from-internal)
exten => 951,13,Dial(local/951@from-internal)
exten => news,13,Dial(local/951@from-internal)
exten => weather,13,Dial(local/947@from-internal)

You can leave these in place, remove them, or add new entries depending upon which extensions you want to make publicly accessible on your server. Here are some syntax examples for other types of server access that may be of interest.

; Call VoIP Users Conference
exten => 882,13,Dial(SIP/vuc@vuc.me)
exten => vuc,13,Dial(SIP/vuc@vuc.me)
; Call Default CONF app
exten => 2663,13,Dial(local/${EXTEN}@from-internal)
exten => conf,13,Dial(local/2663@from-internal)
; Call Bob at Local Extension 701
exten => 701,13,Dial(local/${EXTEN}@from-internal)
exten => bob,13,Dial(local/701@from-internal)
; Call Default Inbound Route thru Time Condition
exten => home,13,Goto(timeconditions,1,1)
; Call Inbound Trunk 8005551212
exten => 8005551212,13,Goto(from-trunk,${DID},1)
; Call Lenny
exten => 53669,13,Dial(local/${EXTEN}@from-internal)
exten => lenny,13,Dial(SIP/2233435945@sip2sip.info)
; Call any toll-free number (AT&T Directory Assistance in example)
exten => information,13,Dial(SIP/18005551212@switch.starcompartners.com)

Once you’ve added your FQDN and authorized SIP URI extensions, save the file: Ctrl-X, Y, then Enter.

One final piece is required to enabled anonymous SIP URI connections to your server:

echo "allowguest=yes" >> /etc/asterisk/sip_general_custom.conf

Now restart Asterisk: amportal restart

UPDATE for DialPlan Junkies: We received a few inquiries following publication inquiring about the dialplan design. We’ve taken advantage of a terrific feature of Asterisk which lets calls fall through to the next line of a dialplan if there is no match on a Goto(${EXTEN},13) command. For example, if a caller dials ward@sip.domain.com and there is a line 12 in the dialplan directing the call to ward,13 which exists, call processing will continue there. However, if the extension does not exist, the call will not be terminated. Instead, if there exists a more generic line 13 in the dialplan, e.g. exten => _X.,13,Goto(s,1), call processing will continue there. We use this trick to then redirect the call to an ‘s’ extension sequence to announce that the called extension could not be reached. It’s the reason all of the whitelisted extensions have to have the same line 13 designation so that call processing can continue with the generic line 13 when a specific extension match fails.

Configuring IPtables for Public SIP Access

You may recall that, with Incredible PBX, we bring up the basic IPtables firewall using the /etc/sysconfig/iptables rules. Then we add a number of whitelist entries using /usr/local/sbin/iptables-custom. We’re going to do much the same thing with today’s setup except the rule sets are a bit different. Let’s start by putting the default iptables-custom file in place:

cd /usr/local/sbin
wget http://incrediblepbx.com/iptables-custom-public.tar.gz
tar zxvf iptables-custom-public.tar.gz
rm -f iptables-custom-public.tar.gz
nano -w iptables-custom

When the nano editor opens, scroll to the bottom of the file. You’ll note that we’ve started a little list of notorious bad guys to get you started. Fail2Ban will actually do a pretty good job of managing these, but for the serious recidivists, blocking them permanently is probably a good idea. In addition to the bad guys, you’ll want to whitelist your own IP addresses and domains so that you don’t get blocked from FreePBX web access to your server. The syntax looks like the following two examples:

/usr/sbin/iptables -I INPUT -s pbxinaflash.dynamo.org -j ACCEPT
/usr/sbin/iptables -I INPUT -s 8.8.8.8                -j ACCEPT

Whenever you make changes to your IPtables configuration, remember to restart IPtables using the following command ONLY: iptables-restart

Now let’s put the final IPtables piece in place with the default IPtables config file:

cd /etc/sysconfig
wget http://incrediblepbx.com/iptables-public.tar.gz
tar zxvf iptables-public.tar.gz
rm -f iptables-public.tar.gz
nano -w iptables

When the nano editor opens the file, scroll down to line 55 which controls the TCP port for SSH access to your server. We strongly recommend you change this from 22 to something in the 1000-2000 range. HINT: Your birth year is easy to remember. In the next step, we’ll make the change in your SSH configuration as well.

Next, scroll down to lines 148 and 149. Replace YOUR_HOSTNAME.no-ip.com on both lines with the FQDN of your server that will be used to accept SIP invitations (connections) on your server. These entries have no effect on SIP registrations which we covered above!

Once you’ve made these changes, save the file BUT DO NOT RESTART IPTABLES JUST YET.

Securing the SSH Access Port

TCP port 22 is probably one of the most abused ports on the Internet because it controls access to SSH and the crown jewels by default. Assuming you changed this port in the IPtables firewall setup above, we now need to change it in your SSH config file as well. Edit /etc/ssh/sshd_config and scroll down to line 12. Change the entry to: Port 1999 assuming 1999 is the port you’ve chosen. Be sure to remove the comment symbol (#) at the beginning of the line if it exists. Then save the file.

You’ll also want to update the SSH port in Fail2Ban. Edit /etc/fail2ban/jail.conf and search for port=ssh. In the [ssh-iptables] context, change the entry to port=1999 assuming 1999 is your chosen port. Save the file and reboot your server. Then you should be all set.

Dealing with the Bad Guys

You’ll be amazed how quickly and how many new friends you’ll make on the public Internet within the first few hours. You can watch the excitement from the Asterisk CLI by logging into your server as root and issuing the command: asterisk -rvvvvvvvvvv. Another helpful tool is to monitor your IPtables status which will show IP addresses that have been temporarily blocked by Fail2Ban: iptables -nL. This will catch most of the bad guys and block them. But some are smarter than others, and many know how to spoof IP addresses in SIP packets as you will quickly see. Unlike on KVM platforms, IPtables on most OpenVZ platforms cannot search packets for text strings which is a simple way to block many of these attackers. HINT: You get what you pay for. And, in some cases, attackers disguise their address or use yours. We’ve now found that ${SIPURI} holds the caller’s true identity so we’ve updated the code accordingly. Whether to permanently block these guys is completely up to you. A typical SIP INVITE before such a call is dropped only consumes about 100 bytes so it’s usually not a big deal. You also can manually block callers using the Fail2Ban client with the desired IP address: fail2ban-client set asterisk banip 12.34.56.78.

Additional Security on KVM Platforms

As we mentioned above, a KVM platform provides considerably more security for your public-facing server because you can block entire countries using the ipset extension to IPtables. You can read all about it here. After considerable discussion and suggestions on the PIAF Forum, we would offer the following code which blocks the countries we have identified as causing the majority of problems. First, modify your /etc/sysconfig/iptables configuration and insert the following code in the IPSPF section of the script around line 93. You can change the list of blocked countries to meet your own needs. Just be sure to make the same country-code changes in the blockem.sh script which we will cover in step 2. A list of available country codes can be found here. Save your changes, but do NOT restart IPtables just yet.

-A IPSPF -m set --match-set cn src -j DROP
-A IPSPF -m set --match-set ru src -j DROP
-A IPSPF -m set --match-set ps src -j DROP
-A IPSPF -m set --match-set kp src -j DROP
-A IPSPF -m set --match-set ua src -j DROP
-A IPSPF -m set --match-set md src -j DROP
-A IPSPF -m set --match-set nl src -j DROP
-A IPSPF -m set --match-set fr src -j DROP
-A IPSPF -m set --match-set SIPFLOOD src -j DROP

Second, we want to add a new /etc/blockem.sh script and make it executable (chmod +x /etc/blockem.sh). With the exception of the SIPFLOOD entry which is our custom Bad Guys List, make sure the country list in line #5 below matches the dropped countries list you added to IPtables in step #1 above.

#!/bin/bash
cd /etc
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz| tar zxvf -
for i in \\
cn ru ps kp ua md nl fr
do
/usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done
done
wait
sleep 5
wget http://incrediblepbx.com/badguys.tar.gz
tar zxvf badguys.tar.gz
rm -f badguys.tar.gz
/usr/sbin/ipset restore -! < /etc/SIPFLOOD.zone
wait
sleep 5
service iptables restart
wait
sleep 5
/usr/local/sbin/iptables-custom
wait
sleep 5
service fail2ban restart
wait
exit 0

Third, try things out by running the script: /etc/blockem.sh. Verify that IPtables is, in fact, blocking the listed countries: iptables -nL.

Finally, we recommend adding the script to /etc/rc.d/rc.local replacing the existing iptables-restart line. In that way, it gets run whenever you reboot your server.

In choosing a KVM platform, we've had good luck with the $5/month Digital Ocean platform where you still can get a $50 credit to kick the tires for 60 days, Vultr (similar pricing to D.O. also with a $50 credit). With either of these providers, you can add automatic backups for an extra dollar a month. In the bargain basement (may not be here tomorrow) category, we like the following providers. Many other low-cost options are documented on the LowEndBox site. Just don't invest more than you can afford to lose... and make a backup.1

Connecting a SIP Phone to OpenSIPS or LinPhone

If you followed along in our OpenSIPS adventure, then it's easy to test some SIP URI calls to your new server. You can connect virtually any kind of SIP telephone or endpoint to OpenSIPS. Another easy way to try out SIP calling is to first set up a free LinPhone Account.

You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we'll get you started with one of our favorite (free) softphones, YateClient. It's available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for your OpenSIPS or LinPhone account you've previously created. You’ll need the IP address of your OpenSIPS server or LinPhone's FQDN (sip.linphone.org) plus your account’s password. Fill in the Yate Client template using the IP address or FQDN as well as your Username and whatever Password you assigned to the account when you created it. Click OK to save your entries.

Once the Yate softphone shows that it is registered, try a test call to one of the SIP URIs you authorized on your new Asterisk server or try ours:

If you don't happen to have an OpenSIPS server or a LinPhone SIP account to play with but you have another Asterisk server, then the simple way to enable SIP URI extensions is by editing /etc/asterisk/extensions_custom.conf. In the [from-internal-custom] context, add an extension that can be used to contact any desired SIP URI. Then reload your dialplan: asterisk -rx "dialplan reload". Now dial that extension (2468 in the following example) from any phone connected to your Asterisk server. The entry would look something like this to call our SIP URI for the latest weather forecast:

NEWS FLASH: A new One-Minute Installer to use Incredible PBX on the open Internet is now available here.

Originally published: Monday, June 3, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Digital Ocean and Vultr provide modest referral credits to Nerd Vittles for those that use our referral code. It in no way colors our recommendations regarding these two providers, both of whom we use extensively. []

Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS




Last week we introduced OpenSIPS, the multi-functional, multi-purpose signaling SIP server which can fulfill almost any communications function one can dream up except the unified communications tasks typically performed with a PBX such as Asterisk®. Today we want to marry the two platforms to give you the best of both worlds. For Incredible PBX® users, the primary advantage of adding an OpenSIPS front end is the elimination of the complexities associated with interacting with your PBX from remote sites with ever changing, dynamic IP addresses coupled with NAT firewalls over which you have no control. While there are many approaches to interconnecting the two platforms, we’re not comfortable with the exposure that a simple registration passthrough design introduces for many Asterisk users. Instead we prefer a model that lets everybody contact you and your users without providing the world the access necessary to allow anonymous strangers a platform from which to launch endless attempts to compromise your Asterisk server and individual Asterisk accounts.

Not all users on an Asterisk PBX need anonymous lurkers to have worldwide, public access to their individual phones. For most, DIDs suffice for public access. For users that do need such access, we will begin by creating a SIP account on your OpenSIPS server that is separate and apart from your Asterisk user account or extension. Also keep in mind that anonymous SIP calls require a match on the SIP URI to reach the person or function desired. You can enable and disable these SIP URI-accessible functions on your OpenSIPS server as desired. And you can determine how obscure to make each of the SIP URIs. Security through obscurity works and deters many SIP attacks. Now let’s address what you can and cannot do with this setup.

Using a SIP phone from anywhere in the world, any SIP user CAN:

  • Make SIP URI calls to authorized extensions and ring groups on your Asterisk PBX
  • Make SIP URI calls to authorized clients registered to a 3CX PBX with a SIP UUID
  • With a legitimate password, make DISA-like calls with Asterisk trunks, if enabled
  • With an invalid DISA password, converse with Lenny
  • With a legitimate password, check and manage authorized Asterisk voicemail accounts
  • With a legitimate password, participate in authorized Asterisk conferences
  • Access other authorized Asterisk applications available from Asterisk extensions

Using a SIP phone from anywhere in the world, an OpenSIPS-registered User also CAN:

  • Make PSTN calls from OpenSIPS-registered SIP phones, if enabled
  • Receive calls from Asterisk forwarded to any OpenSIPS-registered SIP phone
  • Receive calls from Asterisk forwarded to any 3CX-registered client or SIP phone

Using any SIP phone registered to a SIP proxy, you CANNOT:

  • Log into any Asterisk user account without whitelist permission and credentials
  • Make 911 calls

Prerequisites: To complete today’s setup, we’re assuming you have (1) an Incredible PBX server running Asterisk 13, (2) an OpenSIPS server built with version 1.2.0 or later of the Incredible PBX for OpenSIPS installer, and (3) either a registered SIP account and SIP URI on your OpenSIPS PBX or a SIP account with a provider such as a free linphone.org account.

Running pbxstatus on your OpenSIPS server will tell you which version you have. If you don’t have pbxstatus or the version is below 1.2.0, please initialize your Debian 8 platform, download the latest release, and reinstall following the our OpenSIPS tutorial here. There were major changes in the OpenSIPS configuration to support Asterisk connectivity which made an in place upgrade too complex. Our apologies.

Before creating user accounts on your OpenSIPS server, give some thought to a numbering scheme that won’t conflict with extension registrations on your Asterisk server. For example, if your Asterisk server uses extensions 701 through 750, then you may wish to consider using 7701 through 7750 on your OpenSIPS server. The one-to-one match keeps things simple without running into conflicts between the Asterisk extension numbers and the OpenSIPS user accounts. We’ll use the 700 (Asterisk) and 7700 (OpenSIPS) extension ranges in our examples which follow. And we’ve reworked the original OpenSIPS tutorial in keeping with this design to simplify Asterisk integration for new readers just joining the party.

We want to express our sincere appreciation to Bill Simon for his patient tutelage in walking us through some of the potential landmines in marrying an OpenSIPS server with Asterisk. Should your organization ever need professional help with a SIP deployment, there is no finer SIP authority than Simon Telephonics.


1. Configuring Asterisk for Inbound OpenSIPS Calls

Assuming you have an Incredible PBX 13 platform, open the GUI as admin using a browser from your desktop. First, let’s create a Trunk for the OpenSIPS server. Choose Connectivity -> Trunks -> Add SIP (chan_sip) Trunk. For Trunk Name, use opensips. Next, click on the SIP Settings tab in the dialog. For Trunk Name, again use opensips. In PEER DETAILS, enter the following and replace xxx.xxx.xxx.xxx twice with the actual IP address of your OpenSIPS server. Then click Submit and Reload Dialplan when prompted.

type=peer
host=xxx.xxx.xxx.xxx
context=from-opensips
insecure=port,invite
disallow=all
allow=ulaw
deny=0.0.0.0/0.0.0.0
permit=xxx.xxx.xxx.xxx/255.255.255.255

Next, using SSH or Putty, login to your Asterisk server as root and issue these commands replacing xxx.xxx.xxx.xxx with the IP address of your OpenSIPS server (choose option 0 when prompted for access type):

cd /root
./add-ip opensips xxx.xxx.xxx.xxx
wget http://incrediblepbx.com/from-opensips.tar.gz
tar zxvf from-opensips.tar.gz
rm -f from-opensips.tar.gz
nano -w from-opensips.txt

When the editor opens, scroll down to line 16 and enter a very secure PIN (up to 10 digits) for access to the DISA-like service to make outbound calls via SIP URI. It’s your phone bill so make it long (up to 10 digits) and something that is not easily guessed. On line 20, we have configured DISA for numbers up to 11 digits. If your dialplan requires international dialing support, you can adjust 11 to the desired number of digits. Then save the file and copy the dialplan code into extensions_custom.conf and reload your dialplan:

cd /etc/asterisk
cat /root/from-opensips.txt >> extensions_custom.conf
asterisk -rx "dialplan reload"

IMPORTANT NOTE: Just because you have configured this DISA option on your Asterisk server does not mean it is available via SIP URI. In fact, no SIP URI access to your Asterisk server is enabled at this juncture. You still must set up the SIP URI connections on your OpenSIPS server. Whether to do that and which features to activate are completely up to you.

2. Configuring OpenSIPS for Asterisk Connectivity

Beginning with version 1.2.0 of the Incredible PBX installer for OpenSIPS, the server itself is preconfigured to support Asterisk connectivity using AVPs. Implementation only requires command line execution of an AVP script to enable each feature you wish to activate. A similar script can be used to deactivate any AVP feature previously activated. To install the scripts on your OpenSIPS server, log in as root using SSH or Putty and issue these commands:

cd /root
wget http://incrediblepbx.com/asterisk-features-for-opensips.tar.gz
tar zxvf asterisk-features-for-opensips.tar.gz
rm -f asterisk-features-for-opensips.tar.gz

The function of each of the Asterisk scripts is self-explanatory from the script names:

  • asterisk-add-forward
  • asterisk-delete-forward
  • asterisk-list-forwards

Three pieces of information are required to add a SIP URI forward from OpenSIPS to your Asterisk server using the AVP asterisk-add-forward script:

  • UUID of SIP URI (from any SIP phone, dial UUID@opensips.yourdomain.com to connect)
  • Asterisk Extension (destination where incoming OpenSIPS call should be forwarded)
  • Asterisk Public IP Address

To add a SIP URI for extension 701 on your Asterisk server at xx.xx.xx.xx reachable at 701@opensips.yourdomain.com, the command would look like this where xx.xx.xx.xx is the public IP address of your Asterisk server and opensips.yourdomain.com is the FQDN of your OpenSIPS server: /root/asterisk-add-forward 701 701 xx.xx.xx.xx

CAUTION: Other than for forwards like this, do NOT set up User accounts in the OpenSIPS Control Panel using the same numbers as existing extensions on your Asterisk server. Otherwise, if your SIP phone is registered to a 701 user account on your OpenSIPS server, you lose the ability to connect to any extension on your Asterisk server if a 701 account requiring registration also existed on the Asterisk platform.

To use a name in the SIP URI or enable a second SIP URI for the same Asterisk 701 extension (jdoe@opensips.yourdomain.com): /root/asterisk-add-forward jdoe 701 xx.xx.xx.xx

Simply repeat the steps above for every SIP URI you wish to enable for an Asterisk extension.

To enable DISA-like access via SIP URI using dial as UUID (dial@opensips.yourdomain.com): /root/asterisk-add-forward dial *1 xx.xx.xx.xx

Keep in mind that you need not use "dial" as the UUID. You can make up any name you like. So long *1 is the DISA extension, the UUID can be as obscure as desired e.g. disa5038now.

For voicemail access via SIP URI, you can do it in two ways. For generic access triggering prompts for both the voice mailbox number and the mailbox PIN, use the following: /root/asterisk-add-forward vm *98 xx.xx.xx.xx

For voicemail access to a specific mailbox (701) with only a prompt for the mail PIN, use: /root/asterisk-add-forward vm701 *98701 xx.xx.xx.xx

For access to a specified conference (2663) with a prompt for the conference PIN, use: /root/asterisk-add-forward conf2663 2663 xx.xx.xx.xx

For access to Weather Reports (947) with a prompt for the ZIP Code, use something like this: /root/asterisk-add-forward weather 947 xx.xx.xx.xx

For News Headlines (951), use: /root/asterisk-add-forward news 951 xx.xx.xx.xx

To delete any previously created UUID forward: /root/asterisk-delete-forward

To list existing UUID forwards for SIP URIs: /root/asterisk-list-forwards

Calling Tip: If your softphone is registered to an OpenSIPS User account, you can call any of the enabled forwarding entries by entering the UUID without @opensips.yourdomain.com, e.g. dialing vm would connect to the Asterisk voicemail system with a prompt for mailbox.

3. Enabling Inbound Calls from Asterisk to a SIP Phone

In today’s design, incoming calls to your Asterisk PBX can be forwarded to a user account on your OpenSIPS server or a free linphone.org user account by (1) creating a free User account in the OpenSIPS Control Panel or at linphone.org, (2) logging into that user account with a SIP phone or softphone, (3) creating a custom extension in the Incredible PBX GUI that points to the SIP URI of your user account on the OpenSIPS server or your free linphone.org SIP user account or a 3CX client, and (4) adding that custom extension to either a Ring Group that includes your Asterisk extension or enabling FindMe/FollowMe for your Asterisk extension and designating the custom extension as the No Answer Destination. Need support for multiple Asterisk users? Not a problem. Repeat the drill for each user.

The procedure for adding a User Account in the OpenSIPS Control Panel was covered in last week’s article. The procedure for creating a free Linphone User Account was covered in an earlier article so we won’t repeat it here. Another obvious SIP URI destination is any 3CX Client if you’ve previously set up a free 3CX server following our 3CX tutorial. Refer back to those articles if you need a refresher.

On the Asterisk side, login to the Incredible PBX GUI as admin with your favorite browser. Then choose Applications -> Extensions -> Add Custom Extension. For the User Extension and Display Name, we recommend using the 7701 numbering scheme for remote accounts. Then click on the Advanced tab and enter the SIP URI of your OpenSIPS, Linphone, or 3CX User account as the Dial option, e.g. SIP/yourname@sip.linphone.org or SIP/7701@opensips.yourdomain.com. Click Submit and Apply Config to reload dialplan.

To assure that incoming calls ring on both your Asterisk phone (701) and your registered SIP phone, we recommend setting up a Ring Group on the Asterisk side that includes both the 701 extension and the new 7701 custom extension. Then adjust your Inbound Routes to point to the number of this Ring Group instead of to 701. In this way, you can preserve the voicemail functionality associated with your 701 extension. FYI: None of these servers proxy audio and video of your calls. They provide a SIP registration service only.

The other alternative to a Ring Group is to enable FindMe/FollowMe in the 701 extension settings and then specify Extension:701 as the No Answer Destination. With this approach, voicemail will never be triggered on calls sent to extension 701 on your PBX. Since OpenSIPS lacks voicemail, you would lose calls not answered on your registered SIP phone or softphone.

TIP: We use 3CX clients exclusively for inbound calls on iPhones and Android devices because we have found they are far superior in dealing with both push notifications and NAT routing. 3CX clients actually ring when someone calls AND you can hear both sides of every call.

4. Outbound PSTN Calling from OpenSIPS

The DISA setup documented above allows your existing Trunks to continue to be managed and secured exclusively on your Asterisk server with no trunk exposure on the OpenSIPS platform at all. Thus, if either your public-facing OpenSIPS server or Linphone is ever compromised, nobody will be able to make any calls on your nickel because there will be no trunks available to process the outbound calls. Your DISA password is never exposed.

For some (like us), a two-step outbound calling procedure is just too painful. In that case, with providers such as Skyetel, you can deploy a PSTN calling platform on both your Asterisk server and on OpenSIPS. We documented the Skyetel trunk setup for OpenSIPS in our tutorial last week. The good news is nothing precludes deployment of Skyetel at multiple sites even if you only use Skyetel on the OpenSIPS platform for outbound calling. And this completely avoids implementing a DISA solution which has security implications of its own. Effective 10/1/2023, $25/month minimum spend at Skyetel is required.

Enabling direct PSTN calling with OpenSIPS means nobody can ever make PSTN calls merely by guessing a SIP URI. It requires an actual SIP registration to OpenSIPS, and you have Fail2Ban to assist with securing that process. So the outbound calling design is completely up to you. Direct PSTN calling from OpenSIPS is no less safe so long as none of your OpenSIPS User account passwords are compromised.

5. Enabling Calls from Asterisk to OpenSIPS Users

For OpenSIPS AVP forwards that have been enabled to Asterisk extensions, you probably will also want to provide a way for Asterisk users to return those calls directly to OpenSIPS users since that will be the CallerID that displays when an OpenSIPS user places a call directly to a forwarded Asterisk extension. Assuming a SIP phone has been registered to User account 7709, when that OpenSIPS user places a call to a forwarded Asterisk extension 701, it means the Asterisk user will see 7709 displayed as the CallerID for the incoming call even though the User of the OpenSIPS 7709 extension may also be associated with extension 709 on the Asterisk side. If the Asterisk callee attempts to return the call by dialing 7709 instead of 709, the call would fail. To avoid confusion by Asterisk users, the simple solution is to add an additional Custom SIP extension for every OpenSIPS User account.

For example, on the Asterisk side, login to the Incredible PBX GUI as admin with your favorite browser. Then choose Applications -> Extensions -> Add Custom Extension. For the User Extension, enter 7709. For the Display Name, enter the name of the person using that OpenSIPS user account. Next, click on the Advanced tab and enter the SIP URI for this OpenSIPS User account as the Dial option, e.g. SIP/7709@opensips.yourdomain.com. Click Submit and Apply Config to reload dialplan.

FYI: Matching Custom Extension numbers on the Asterisk platform to identical extensions on your OpenSIPS server does not create the registration problems we cautioned against earlier. Only Asterisk extensions requiring actual SIP registration need to remain unique from accounts on your OpenSIPS platform.

6. A Few Words About Security

If you’ve been using Incredible PBX with its Travelin’ Man 3 firewall, it’s not unlike living in a gated community where most of the outside world doesn’t even know you exist. Adding a "second home" with OpenSIPS is not unlike buying a summer place next door to Fred Sanford in Watts. You might as well have set up shop in the middle of Russia because, for all intents and purposes, you have. Anybody in the world can guess your IP address and spend the day trying to break into your server. So the name of the game is vigilance. Especially for the first few weeks, you need to run iptables -nL regularly and see how quickly your Fail2Ban blacklist is filling up. If you heeded our advice and set up your OpenSIPS server on a KVM platform (instead of OpenVZ), we’ve got a handy little script that will let you move bad guys snagged by Fail2Ban to the permanent IPset blacklist. Just download the script and run it daily to move the Fail2Ban entries to permanent block status in the IPset blacklist:

cd /root
wget http://incrediblepbx.com/move-fail2bans-to-ipset.tar.gz
tar zxvf move-fail2bans-to-ipset.tar.gz
rm -f move-fail2bans-to-ipset.tar.gz
./move-fail2bans-to-ipset

Once you have verified that the IP addresses actually are being populated in the IPset blacklist table (ipset list | sort), you can add the script to /etc/crontab to run automatically each night:

echo "2 4 * * * root /root/move-fail2bans-to-ipset > /dev/null 2>&1" >> /etc/crontab

If you’d like a head start on your IPset blacklist, simply download our latest list and then reboot your server:

cd /etc
wget http://incrediblepbx.com/badguys.tar.gz
tar zxvf badguys.tar.gz
rm -f badguys.tar.gz 

Another potential vulnerability is SSH. This command will tell you who has attempted to login to your server as root: cat /var/log/auth.log | grep password. If you ever see a failed login and it wasn’t a mistake on your part, change your SSH access port immediately if not sooner: nano -w /etc/ssh/sshd_config. Then restart SSH: /etc/init.d/ssh restart. Better yet, set up SSH public key authentication.

The other major consideration is the number of holes you punch into the security of your Asterisk server using the OpenSIPS asterisk-add-forward script. Every time you add an extension to this list, you open another (read-only) window into your Asterisk communications world. And anybody can connect to these extensions using either the FQDN of your OpenSIPS server or its IP address. Even though we don’t practice what we preach, we strongly recommend using alphanumeric UUIDs instead of numbers for these access points. That at least avoids random calls from bad guys that are accustomed to numeric numbers only in SIP URIs. Regularly review your OpenSIPS log for unusual strings of forwarded calls and adjust your forwarding UUIDs accordingly: cat /var/log/opensips.log | grep forwarded.

In our previous article, we’ve already addressed how important it is to limit User accounts to your FQDN and never the IP address of your OpenSIPS server. In this way, you limit OpenSIPS registration exposure to your FQDN and never the IP address of your server. Fail2Ban also assists here by blocking failed login attempts after a single failure unless you have whitelisted the IP address in Fail2ban’s ignoreip list in /etc/fail2ban/jail.conf and restarted Fail2Ban with this command: /etc/init.d/fail2ban restart. These are the only entry points that offer the ability to actually register to your server. AVPs never do. Obviously, a successful SIP registration is much more dangerous than a random phone call on a SIP URI set up using AVP extension forwarding.

Finally, passwords now matter on your Asterisk PBX for any port forward you’ve established with OpenSIPS. For example, if you’ve set up a generic forward to access voicemail, then it means anybody guessing the SIP URI you created can spend the day (at no cost) attempting to break into ANY voicemail account on your Asterisk server by guessing the PIN. Fail2Ban will not protect you here. If you’ve set up DISA-like access to your Asterisk server on OpenSIPS, then the same applies except now the attacker gets a blank check to make commercial calls if they can guess your access PIN. Worried yet? We hope so. Sure beats a $100,000 phone bill.

7. Taking OpenSIPS for a Test Drive

We usually provide a Demo Line for readers to try out our latest creations. For obvious reasons, we prefer not to disclose our OpenSIPS FQDN to the general public. But we have set up a port forward from a DID that we temporarily configured on our OpenSIPS server. So, if you’d like to sample the voice quality of placing a call to a DID in Atlanta forwarded to an OpenSIPS server in New York forwarded to an Asterisk server in Miami and then back to you, try calling 843-606-0555 for a weather report in your favorite ZIP code. We’re betting you will be dumbfounded by the quality of the call. Enjoy!

Originally published: Monday, May 20, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Adding SIP URI Dialing to Asterisk for Free Worldwide Calling



Since giving up on Google Voice, we’ve been extolling the virtues of SIP URI dialing which gives you unlimited free calls to anyone else in the world that happens to have their own SIP URI address. SIP URIs look very much like email addresses except they’re used to share phone conversations instead of email messages. And, as we’ve mentioned previously, if everyone in the world had their own SIP URI, paying for phone calls would become a thing of the past. We hope you’ll join us in making that happen. As a fallback, give our $50 credit at Skyetel a try.

One of the drawbacks of Asterisk® PBXs using the FreePBX® GUI has been the inability to place outbound SIP URI calls from SIP phones registered as extensions on the PBX. Today we first want to address that shortcoming. Our SIP URI dialing solution for Asterisk should work with any FreePBX-based implementation including Incredible PBX® and Issabel as well as on Raspberry Pi platforms. We’ll wrap things up by providing some tips on obtaining and deploying your own SIP URI at little or no cost and pointing you to some excellent resources that facilitate calling millions of SIP phones around the world at zero cost. All you need is an Internet connection, and we’ll point you to a terrific softphone to begin your adventure.

Let’s begin by examining why SIP URI dialing is a problem with FreePBX. The reason is pretty simple. FreePBX interprets dial strings by matching them against some rules to determine whether you’re making an internal call or a call outside your PBX. It matches internal calls against a list of available internal extensions. External calls are matched against rules defined in your outbound routes which are associated with trunks. Since SIP URI calls don’t match any extension or outbound route, the caller receives a congestion tone.

The traditional workaround has been to define a custom extension using the FreePBX GUI which points to a SIP URI. Then the user can dial the custom extension, and the call will be routed to the defined SIP URI. These custom extensions also can be defined in extensions_custom.conf within the from-internal-custom context. For example, the following dialplan code would let users dial 411 to reach AT&T’s Toll-Free Directory Assistance: exten => 411,1,18005551212@switch.starcompartners.com.

But there’s a better way. Wouldn’t it be nice to be able to dial any SIP URI from a softphone or to store SIP URI addresses in the phonebook of your SIP phone?1 Well, now you can. Before we actually put the dialplan code in place, let us explain how this will work. First, FreePBX still needs to be able to distinguish a SIP URI call from a "regular call." The reason this gets tricky is because Asterisk typically throws away the destination hostname when you place a call. For example, calls to 8005551212 and 8005551212@sip2sip.info are processed by Asterisk in exactly the same way, i.e. dropping the host address before dialing.

Using the new dialplan code in the next section, here’s how calls will be processed:

User dials                    Asterisk processes call as
------------------------      ---------------------------------------------
701                           internal call to local extension 701
4045551212                    external call using NXXNXXXXXX outbound route
2233435945@sip2sip.info       SIP URI call to Lenny by acct at sip2sip.info
lennybgood@sip2sip.info       SIP URI call to alias lennybgood@sip2sip.info 

Cautionary Notes: Our code should work fine with any Asterisk 13 and FreePBX 13 or Incredible PBX deployment on any Linux platform; however, with servers other than Incredible PBX, make sure you have added the following entries to sip_general_custom.conf, or you can configure them in the GUI by making the changes in Settings -> Asterisk SIP Settings -> Chan SIP Settings:

srvlookup=yes
allowguest=yes

You also need to test a traditional outbound call (e.g. 8005551212) immediately after you finish the install procedure. Monitor the Asterisk CLI (asterisk -rvvvvvvvvvv) and observe the first few lines of the log after you place a call. The second line will show SIPDOMAIN which should be either the FQDN of your server or an IP address depending upon how you registered your softphone extension. The first line should display the MyDomain variable. If it is empty or doesn’t match the SIPDOMAIN entry, the outbound call will fail. To fix it, add an entry to the Asterisk database from the Asterisk CLI using syntax like the following: database put MyDomain FQDN 10.0.0.11 or database put MyDomain FQDN sip.me.com where 10.0.0.11 or sip.me.com matches the SIPDOMAIN entry shown on the second line. Then retry your outbound call, and it should complete successfully. We’ve tested this back to the early Asterisk 11 days with FreePBX 2.11 without any problems. If your calls still fail, then you will probably need to remove the new code from your platform until you upgrade to a more current version of Asterisk and FreePBX. The code hasn’t been tested with FreePBX 14 and 15.

Finally, you may want to manually set the CallerID for your outgoing SIP URI calls. From the Asterisk CLI, issue a command for every extension from which you will be placing SIP URI calls, e.g. extension 701 syntax: database put 701 user_sipname "Nerd Uno"

Enabling SIP URI Dialing with FreePBX

To enable SIP URI dialing from phones registered with your Asterisk PBX, we’ll modify the dialplan in order to detect SIP URI dial strings entered into a softphone or retrieved from a phonebook associated with almost any SIP phone. When a SIP URI dial string is detected, we’ll send the call out as requested rather than passing the call through the outbound routes and trunks associated with your PBX. All of this dialplan code is open source and is licensed pursuant to the GPL2 license.

SECURITY ALERT: Never use the SIP URI MOD on a server with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.

FEB. 21 UPDATE: There was a bug in the original code which caused some internal calls to fail including calls to a DISA extension. Simply install the application again, and it will overwrite the previous version.

MAR. 5 UPDATE: A bug was discovered in previous releases that treated 911 and 933 calls as internal calls when, in fact, they should have been routed out using your outbound trunks. Simply install the application again, and it will overwrite the previous version.

MAR. 13 ALERT: This software is not compatible with the Debian, Raspbian, and Ubuntu platforms.

To begin or update your installation, log in to your PBX as root using SSH or Putty and issue these commands:

cd /tmp
wget http://incrediblepbx.com/sipuri-mod.tar.gz
tar zxvf sipuri-mod.tar.gz
rm -f sipuri-mod.tar.gz
./install-sip-uri-mod.sh

Obtaining Your Own SIP URI

There are a number of ways to obtain your own SIP URI. Perhaps the easiest is to set up the open Incredible PBX cloud platform that we introduced several weeks ago. Then you can create as many SIP URIs as you like, and they can be used to perform any task that’s available with Asterisk. If you’re not quite ready to make that leap, a free or almost free SIP URI is available from the following sources. VoIP.ms provides a SIP URI for every subaccount you create. Just set up an internal extension number for the subaccount, and that becomes a SIP URI to connect back to your registered server or SIP phone. In the alternative, VoIP.ms will also provide you with a free iNUM DID which can be reached at the following IP address: 81.201.82.50. CallCentric provides a SIP URI matching your account number which can be reached @in.callcentric.com. CallCentric will also provide you with a free iNUM DID which can be reached at the following IP address: 81.201.82.50. LocalPhone provides the same two options as CallCentric: you can be reached by your account number @localphone.com. Or the LocalPhone-assigned iNUM DID can be reached @81.201.82.50. Then there’s pbxes.org. Your account name can be used for SIP URI access @pbxes.org. And, of course, if you’re a 3CX user, you can set up a SIP URI for each extension on your PBX. Just navigate to the Options tab of the desired extension(s) and enter a unique SIP ID for each extension. The SIP URI becomes SIPID@YOUR-3CX-FQDN. SIP URI calls to 3CX Clients on smartphones are also free! This list is not exhaustive. There are now more than 2,000 VoIP networks that support SIP URI access. Using a SIP URI dialing prefix, call any of the referenced networks @sipbbroker.com.2

Choosing a SIP Phone or Softphone

You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we’ll get you started with one of our favorite (free) softphones, YateClient. It’s available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for an extension on your PBX. You’ll need the IP address of your server plus your extension number and its password. Fill in the Yate Client template using the IP address of your PBX as well as your extension credentials. Click OK to save your entries.

Once the Yate softphone shows that it is registered, try a test call to Lenny using one of the following SIP URIs: 2233435945@sip2sip.info or 883510001198938@81.201.82.50. Better yet, try out a few Incredible PBX samples from the public server we previously deployed:

Yahoo News Headlines    - news@demo.nerdvittles.com
Weather by Zip Code     - weather@demo.nerdvittles.com
Directory Assistance    - information@demo.nerdvittles.com
Lenny for Telemarketers - lenny@demo.nerdvittles.com

Originally published: Monday, February 11, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Special thanks to Olivier Adler and voip-info.org for their early work on SIP URI dialing with Asterisk. []
  2. Some of our links refer users to sites or service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. []