
The Definitive Quick Start Guide: Introducing Incredible PBX for XiVO



Today we kick off a new Asterisk® adventure with the introduction of Incredible PBX™ for XiVO®. This pure GPL implementation of Asterisk has no strings, no gotchas, no hidden agenda, and no primadonnas. It’s open source code with no prohibitions on redistribution. The XiVO developers actively participate in the XiVO and PBX in a Flash™ communities and actually listen to constructive suggestions to improve their product. Changes happen in days, not years. Today we celebrate the return of true GPL project development and the end of closed-source ISOs and commercial modules with costly annual support contracts. Join us!

UPDATE: This article has been superseded. For the latest tutorial, go here.

If you’ve been following Nerd Vittles these past two months, then you already know there is literally nothing in the open source Unified Communications world that you can’t do faster, better, and cheaper with XiVO: automatic backups every night, seamless upgrades every three weeks, uncrippled endpoint provisioning for dozens of phones, powerful call centers, high availability redundant servers, real-time Asterisk technology out of the box, flexible SDK and APIs, and much more.

XiVO Installation Methodology

There are two ways to build XiVO servers. You can start with a minimal install of Debian 8 (64-bit), or you can use the 64-bit XiVO ISO. The advantage of the XiVO ISO is that building a system from the ISO gets you BOTH Debian 8 AND the basic XiVO install. However, you can only use the XiVO ISO on platforms that you own, not on virtual machines controlled by somebody else. Stated another way, if you plan to use dedicated hardware or VirtualBox or VMware ESXi, use the XiVO ISO. Otherwise, install a minimal Debian 8 (64-bit) operating system and nothing else on your platform of choice. Now you’re ready to choose your Incredible PBX installer. Install time: about 5-20 minutes depending upon the platform.

IMPORTANT: When you build your Debian 8 platform on either stand-alone hardware or as a virtual machine, use a fully-qualified domain name for your server’s hostname, e.g. xivo.incrediblepbx.com, NOT xivo. Disaster awaits if you forget this! But, don’t worry. If you do forget, the install will blow up, and you’ll get to start over. But you’ll remember the next time. 😉

Incredible PBX Feature Set

If you’ve been sleeping under a rock for the last few years, you may be wondering what the Incredible PBX offering includes. We’ve tried to preserve much of the functionality of prior releases in the XiVO implementation, and there is still more to come. Here’s a quick summary of two dozen features and applications that Incredible PBX offers for XiVO today:


Recent Additions: Skype Connect, Port Knocker, PPTP VPN, Pico TTS, A La Carte installer, Telephone Alarms.

The 3 Flavors of Incredible PBX for XiVO

To kick off our Independence Day celebration, we introduced three new Incredible PBX turnkey installers for XiVO because of the numerous platforms on which XiVO will run. We’ve now combined all three of the original installers into a single script for ease of use.

For those new to XiVO, there are three steps in getting a XiVO PBX up and running: (1) Debian 8 OS installation, (2) XiVO installation, and (3) XiVO basic configuration (typically using a web browser). The Incredible PBX installer has different tasks based upon how far along in this installation process you happen to be on a particular platform. Our special thanks to Sylvain Boily for his Python wizard to assist us in providing turnkey installs to the greatest extent possible. So here’s the new installer, but you are well advised to actually follow the platform tutorial (below) for your provider because of special quirks that are provider-specific:

IncrediblePBX13-XiVO.sh – Suitable for Debian 8 (32-bit or 64-bit) minimal platform where XiVO is not installed. Use with Cloud VMs. Also works with Debian 8 (32-bit or 64-bit) platform with XiVO installed but not configured. This is typically the situation if you built your server using the XiVO ISO. And the new installer works with Debian 8 (32-bit and 64-bit) platform with XiVO installed and configured.

WARNING: Incredible PBX erases and replaces stuff as part of its installation procedure. NEVER install Incredible PBX over the top of an existing production server!

Incredible PBX Installation Procedure


We’ve taken the guesswork out of this for a number of platforms by providing detailed tutorials that you can follow:

Choosing a XiVO Hardware Platform

If your situation falls somewhere in between all of these, here’s a quick summary. For stand-alone systems and virtual machine platforms that you own (such as VirtualBox and VMware ESXi), download and install the 64-bit version of XiVO using the XiVO ISO. For most other virtual machine platforms in the Cloud, you’ll start by creating a 64-bit Debian 8 virtual machine with at least 1GB of RAM and a 20GB drive. For turnkey cloud servers such as RentPBX, simply choose the VM option that already has Debian 8 and XiVO preinstalled.

Once you have your platform up and running, simply download and run the Incredible PBX installer:

cd /root
wget http://incrediblepbx.com/IncrediblePBX13-XiVO.sh
chmod +x IncrediblePBX13-XiVO.sh
./IncrediblePBX13-XiVO.sh


Incredible PBX Initial Configuration

Here are the first steps to complete after you have finished your initial XiVO and Incredible PBX installation. Log into the web interface at the IP address of your server using username root and the web password you created during installation.

All of this initial setup will be completed under the IPBX option of the Services tab as shown below. For each of the categories below, click on the matching section and tab in XiVO’s IPBX toolbar and fill in the properties as indicated.

UPDATE: The latest Incredible PBX for XiVO installer automatically configures SIP defaults and a dozen SIP trunks for you using XiVO Snapshots if you elect to install all of the Incredible PBX features when you run the installer. If so, you can skip through the next few sections of this tutorial.


General Settings:SIP Protocol


WARNING: If your XiVO server is running as a virtual machine behind a hardware-based NAT router and the virtual host also is sitting behind the same router, you may experience failed calls by setting the external IP address and local network addresses in the following screen. Try calls first without these settings, and add them only if you experience calling issues such as failed calls or one-way audio.

Genl Settings:SIP Protocol:Signaling:Codecs

In order of priority, move desired Codecs from right to left by clicking on + icons. If you plan to use the IAX or SCCP protocol for phones and/or trunks, also select Default Codecs under General Settings:IAX Protocol:Default and General Settings:SCCP Protocol tabs, respectively.


Genl Settings:SIP Protocol:Signaling:DNS

For DNS Manager and Server Lookup support (required for some SIP providers), enable the DNS Request field:


IPBX Configuration:Contexts

XiVO differs from some other Asterisk implementations in the way it manages the routing of calls. XiVO uses Contexts to define what constitute Internal calls (Default), External calls (Outcalls), and Incoming calls (Incalls). Think of these contexts as dialing rules. They define how the three categories of calls are managed internally by the XiVO PBX and determine which callers can do what with your PBX resources. XiVO uses dial strings and ranges of phone numbers to manage and constrain how various classes of calls are routed. The reason for these call specifications is pretty simple. You don’t want outside callers dialing into your PBX and making outbound calls using your PBX trunks on your nickel.


Some basic settings to enable internal calls and allow creation of user accounts were configured when you set up your XiVO PBX by running the configuration script. However, before anyone can make or receive calls to/from outside the XiVO PBX, you’ll need some additional specifications.

Edit the from-extern (Incalls) context and click Incoming Calls tab then the + icon. Add a range of DID numbers for incoming calls that will be allowed. These are the phone numbers assigned to SIP and IAX trunks that were acquired through commercial providers such as Vitelity. Note that the example below assumes that your incoming DID trunks deliver calls with 10-digit numbers. If you’re using a service such as Google Voice that delivers calls with 11-digit numbers starting with a 1, then add an additional range of numbers starting with a 1. If the provider delivers calls with +44, then you’d add an additional range with that prefix. Click Save once you’ve entered your settings.


Let’s also modify the Default context to support MeetMe conferencing for your server. Edit the default context and click Conference Rooms tab then + icon. For the extension range, enter 2663-2665. 2663 spells C-O-N-F by the way. Then click Save. If you have a DAHDI timing source on your server, you then can add conferences: IPBX Setting:Conference Rooms. If you don’t have a DAHDI timing source or you don’t know what any of this means, keep reading. There’s an easier way to set up a conference room for your users.


While you’re still in the (2) Default context, click on the (3) General tab and (4) move all of the sub-contexts to the left (Selected) column. (5) Then click the Save button.


General Settings:Advanced (Time Zone)


IPBX Settings:Users:Add User

Before you can actually make or receive calls with XiVO PBX, you’ll first need at least one User, Extension, and Line. So click on the (1) Users tab and then (2) the + icon and Add option (as shown below) to get started.


Use the General tab entries below as a guide to create your first user account. You only need to fill in options (1) and (2) if you would like this user to receive a simultaneous call on a mobile phone whenever this user’s internal phone rings.


In the Lines tab, assign an internal phone number for this user. By default, the initial configuration script created a range of extension numbers for you: 701-799. This can be changed in the next section to meet your specific requirements.


Once you’ve chosen an extension, click the Save button and a Line will automatically be generated to associate with your new User account.

Next, go to IPBX Settings:Lines and click the pencil icon to obtain your SIP username and password credentials. You’ll need these to connect a SIP phone or softphone to your user account.


While you’re obtaining your username and password SIP credentials, fill in the blanks for the Line and click Save:


IPBX Settings:Users (Voicemail Setup)

There are two steps to setting up voice mailboxes correctly. First, you need to configure the voicemail system defaults to accommodate your required time zones. The system only comes with support for Europe/Paris.


Go to (1) IPBX General Settings:Voicemails and (2) click Time Zones tab and then (3) + Add. (4) Name your new time zone, (5) select the correct Time Zone from the pull-down list, and (6) add the following under Options and (7) Save your entry:

'vm-received' q 'digits/at' kM

Go to (1) IPBX Settings:Users, edit your (2) User account, and click the (3) Voicemail tab. (4) Click the + icon to Add a new Voicemail account. (5) Check Enable Voicemail. (6) Fill in the form using the sample below. Be sure to choose the correct Time Zone for your voicemails. Uncheck Delete message after notification to retrieve voicemail messages by dialing *98 from an extension. (7) Click Save.



Setting Up a Ring Group in XiVO

A ring group is a collection of extensions to which calls can be routed. In XiVO terminology, they’re known as Groups. Extensions in a Group can be set to ring simultaneously or in one of six round-robin configurations based upon factors such as previous call volume. Before you can create a ring group, you first have to enable a range of extensions to dedicate to Groups. Edit the Default context, click the Groups tab, and then click the + Add icon to add a range of extension numbers:


To create a new ring group, choose IPBX Settings -> Groups and click the + Add icon. A typical setup to ring all extensions simultaneously and play a ring tone to the caller would look like this:


Next, click on the Users tab and move the desired extensions to the selected side of the window. Then click Save.

Setting Up Trunks and Routes for XiVO Calling


Before you can make calls to phones outside your PBX or receive calls from outside your PBX, you’ll need one or more trunks. We’ve simplified the process of setting these up by providing step-by-step tutorials for the leading trunk providers. They are reproduced below for ease of reference:

XIVO Trunk Implementation Tutorials

Once you’ve added one or more trunks, you’ll need to tell XiVO how to route outgoing and incoming calls. Here are our step-by-step tutorials on setting up Outbound Calling Routes and Incoming Call Routes:

XIVO Call Routing Tutorials

Deploying Google Voice with OAuth on XiVO PBX

Beginning in mid-August, 2016, native Google Voice with OAuth support became available on the Incredible PBX for XiVO platform. It supports deployment of multiple Google Voice trunks on any XiVO server. This new Nerd Vittles tutorial will walk you through implementation.

Using an SMTP Mail RelayHost with Postfix

To cut down on spam, many ISPs no longer allow SMTP mail traffic that originates from downstream mail servers. If your server is connected to an ISP such as Comcast, that would be you. Here’s how to reconfigure the Postfix mail server included with XiVO to process your outgoing emails using your ISP as a mail relay.

First, edit /etc/postfix/main.cf and search for relayhost. Replace it with the entries below. If it’s not in the file, then just add the following entries to the end of the file:

relayhost = smtp.comcast.net:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasldb
smtp_sasl_security_options = noanonymous

Next, create /etc/postfix/sasldb and add the following entries: your ISP (smtp.comcast.net) followed by a TAB and then your full comcast login name, a colon, and your Comcast password. No spaces! Save the file.

Next, create a hashed version of the file: postmap /etc/postfix/sasldb

Then restart Postfix: /etc/init.d/postfix restart

Now send yourself a test email like this:

echo "test" | mail -s testmessage yourname@yourmailprovider.com
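
The relay procedure above as an added shell example (not from the original article): it writes the credentials file readable only by its owner and checks the resulting settings, including smtp_tls_security_level = encrypt, a standard Postfix parameter that the settings listed above do not include. Function names, the sample user and the sample password are constructed, and the password map path points at a scratch directory so the block runs anywhere.

```shell
#!/bin/sh
# Added example, not from the article. All function names are hypothetical.

# write_sasldb DIR HOST USER   (password is read from stdin, not argv)
# Creates DIR/sasldb as "HOST<TAB>USER:PASSWORD" with mode 600.
write_sasldb() {
    dir=$1; host=$2; user=$3
    IFS= read -r pass || [ -n "$pass" ] || { echo "no password on stdin" >&2; return 1; }
    for field in "$host" "$user" "$pass"; do
        case $field in
            ''|*[[:space:]]*) echo "empty field or whitespace in field" >&2; return 1 ;;
        esac
    done
    case $user in *:*) echo "user name must not contain a colon" >&2; return 1 ;; esac
    ( umask 077; rm -f "$dir/sasldb"
      printf '%s\t%s:%s\n' "$host" "$user" "$pass" > "$dir/sasldb" )
}

# cf_value FILE NAME: print the last value assigned to NAME in a main.cf-style file.
cf_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { line = $0; name = line; sub(/[ \t]*=.*/, "", name) }
        name == key { sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t]+$/, "", line); val = line }
        END { print val }' "$1"
}

# relay_findings DIR: print one line per problem found in DIR/main.cf and its password map.
relay_findings() {
    cf=$1/main.cf
    map=$(cf_value "$cf" smtp_sasl_password_maps)
    file=${map#hash:}
    [ -n "$(cf_value "$cf" relayhost)" ] || echo "relayhost is not set"
    [ "$(cf_value "$cf" smtp_sasl_auth_enable)" = yes ] || echo "smtp_sasl_auth_enable is not yes"
    # Levels that refuse to deliver (and so to authenticate) without TLS.
    case $(cf_value "$cf" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "smtp_tls_security_level does not require TLS" ;;
    esac
    if [ -f "$file" ]; then
        [ "$(ls -l "$file" | cut -c5-10)" = "------" ] || echo "$file is readable by group or others"
    else
        echo "password map source $file is missing"
    fi
    return 0
}

# Constructed sample main.cf: the article's four settings, with the map path
# moved into DIR; MODE "hardened" adds the TLS requirement.
write_sample_maincf() {
    {
        echo "relayhost = smtp.comcast.net:587"
        echo "smtp_sasl_auth_enable = yes"
        echo "smtp_sasl_password_maps = hash:$1/sasldb"
        echo "smtp_sasl_security_options = noanonymous"
        if [ "$2" = hardened ]; then echo "smtp_tls_security_level = encrypt"; fi
    } > "$1/main.cf"
}

# Demonstration in a scratch directory (constructed user and password).
demo=$(mktemp -d)
write_sample_maincf "$demo" article
printf '%s\n' 'constructed-password' | write_sasldb "$demo" smtp.comcast.net someuser
echo "article settings:";  relay_findings "$demo"
write_sample_maincf "$demo" hardened
echo "with TLS required:"; relay_findings "$demo"
rm -rf "$demo"
```

On the server itself the directory is /etc/postfix, and postmap and the Postfix restart follow exactly as described above.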


Getting Started with SQLite3 on the XiVO Platform

Here are a couple SQLite3 queries to get you started with syntax:

sqlite3 /var/lib/asterisk/agi-bin/zipcodes.sqlite "select zip,city,state from zipcodes where zip=29401;"
sqlite3 /var/lib/asterisk/agi-bin/asteridex.sqlite 'select name,out from user1 where name LIKE "%Airlines%";'

A bonus script in /root will let you convert existing MySQL databases to SQLite3. For example, if you’re currently using AsteriDex on another Incredible PBX platform, it only takes a couple seconds to convert your MySQL database to SQLite3. The syntax to run the script looks like this:

./mysql2sqlite3.sh -u root -ppassw0rd yourdatabase | sqlite3 yourdatabase.sqlite

Move the script to the server on which your existing MySQL databases are stored and run it there using the above syntax. Then copy the asteridex.sqlite file to your XiVO server and save it in /var/lib/asterisk/agi-bin.

Getting Started with Incredible PBX Call Logs

To retrieve SQLite3 call log data, here are a few examples to get you started:

ALL: sqlite3 /var/log/asterisk/master.db "select * from cdr"
DATE: sqlite3 /var/log/asterisk/master.db "select * from cdr where calldate >= '2016-05-22'"
NPA: sqlite3 /var/log/asterisk/master.db "SELECT * from cdr WHERE clid LIKE '%<843%'"
DEST: sqlite3 /var/log/asterisk/master.db "SELECT * from cdr WHERE dstchannel LIKE '%411%'"
FLDS: sqlite3 /var/log/asterisk/master.db "PRAGMA table_info(cdr)"

To retrieve the CDR log in CSV format suitable for spreadsheets, download:

/var/log/asterisk/cdr-csv/Master.csv

Managing Your Logs with XiVO

XiVO is a busy place especially on a busy PBX. Call logs and traditional Asterisk and Linux logs grow like crazy. We have added the following entries to /etc/crontab to assure that you don’t inadvertently run out of disk space on your server. Modify them to meet your own requirements.

10 1    * * *  root    rm -f /tmp/tts* > /dev/null 2>&1
11 1    * * *  root    rm -f /var/log/asterisk/*.gz > /dev/null 2>&1
11 2    * * *  root    rm -f /var/log/asterisk/*.1.gz > /dev/null 2>&1
12 1    * * *  root    rm -f /var/log/*.gz > /dev/null 2>&1
12 2    * * *  root    rm -f /var/log/*.1.gz > /dev/null 2>&1

Activating Voice Recognition for XiVO

Google has changed the licensing of their speech recognition engine about as many times as you change diapers on a newborn baby. Today’s rule restricts use to “personal and development use.” Assuming you qualify, the very first order of business is to enable speech recognition for your XiVO PBX. Once enabled, the Incredible PBX feature set grows exponentially. You’ll ultimately have access to the Voice Dialer for AsteriDex, Worldwide Weather Reports where you can say the name of a city and state or province to get a weather forecast for almost anywhere, Wolfram Alpha for a Siri-like encyclopedia for your PBX, and Lefteris Zafiris’ speech recognition software to build additional Asterisk apps limited only by your imagination. And, rumor has it, Google is about to announce new licensing terms, but we’re not there yet. To try out the Voice Dialer in today’s demo IVR, you’ll need to obtain a license key from Google. This Nerd Vittles tutorial will walk you through that process. Don’t forget to add your key to /var/lib/asterisk/agi-bin/speech-recog.agi on line 72.

Adding DISA Support to Your XiVO PBX

If you’re new to PBX lingo, DISA stands for Direct Inward System Access. As the name implies, it lets you make calls from outside your PBX using the call resources inside your PBX. This gives anybody with your DISA credentials the ability to make calls through your PBX on your nickel. It probably ranks up there as the most abused and one of the most loved features of the modern PBX.

There are three ways to implement DISA with Incredible PBX for XiVO. You can continue reading this section for our custom implementation with two-step authentication. There also are two native XiVO methods for implementing DISA using a PIN for security. First, you can dedicate a DID to incoming DISA calls. Or you can add a DISA option to an existing IVR. Both methods are documented in our tutorial on the PIAF Forum.


We prefer two-step authentication with DISA to make it harder for the bad guys. First, the outside phone number has to match the whitelist of numbers authorized to use your DISA service. And, second, you have to supply the DISA password for your server before you get dialtone to place an outbound call. Ultimately, of course, the monkey is on your back to create a very secure DISA password and to change it regularly. If all this sounds too scary, don’t install DISA on your PBX.

1. To get started, edit /root/disa-xivo.txt. When the editor opens the dialplan code, move the cursor down to the following line:

exten => 3472,n,GotoIf($["${CALLERID(number)}"="701"]?disago1)  ; Good guy

2. Clone the line by pressing Ctrl-K and then Ctrl-U. Add copies of the line by pressing Ctrl-U again for each phone number you’d like to whitelist so that the caller can access DISA on your server. Now edit each line and replace 701 with the 10-digit number to be whitelisted.

3. Move the cursor down to the following line and replace 12341234 with the 8-digit numeric password that callers will have to enter to access DISA on your server:

exten => 3472,n,GotoIf($["${MYCODE}" = "12341234"]?disago2:bad,1)

4. Save the dialplan changes by pressing Ctrl-X, then Y, then ENTER.

5. Now copy the dialplan code into your XiVO setup, remove any previous copies of the code, and restart Asterisk:

cd /root
sed -i '\:// BEGIN DISA:,\:// END DISA:d' /etc/asterisk/extensions_extra.d/xivo-extrafeatures.conf
cat disa-xivo.txt >> /etc/asterisk/extensions_extra.d/xivo-extrafeatures.conf
/etc/init.d/asterisk reload

6. The traditional way to access DISA is to add it as an undisclosed option in an IVR that is assigned to one of your inbound trunks (DIDs). For the demo IVR that we installed last week, edit the ivr-1.conf configuration file and change the "option 0" line so that it looks like this. Then SAVE your changes.

exten => 0,1(ivrsel-0),Dial(Local/3472@default)

7. Adjust the inbound calls route of one of your DIDs to point to the demo IVR by changing the destination to Customized with the following Command:

Goto(ivr-1,s,1)

Here’s how ours looks for the Nerd Vittles XiVO Demo IVR:



8. Now you should be able to call your DID and choose option 0 to access DISA assuming you have whitelisted the number from which you are calling. When prompted, enter the DISA password you assigned and press #. You then should be able to dial a 10-digit number to make an outside call from within your PBX.

SECURITY HINT: Whenever you implement a new IVR on your PBX, it’s always a good idea to call in from an outside number 13 TIMES and try every key from your phone to make sure there is no unanticipated hole in your setup. Be sure to also let the IVR timeout to see what result you get.
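
Steps 1 to 3 above can be scripted so that the whitelist and the password are validated before they reach the dialplan. The following is an added example, not part of the original article or of Incredible PBX; the function names, phone numbers and password are constructed, and the sample template holds only the two dialplan lines quoted above.

```shell
#!/bin/sh
# Added example, not from the article: scripted form of DISA steps 1-3.
# Function names, sample numbers and the sample password are constructed.

# prepare_disa TEMPLATE OUTPUT PIN NUMBER...
# Writes OUTPUT as a copy of TEMPLATE with one whitelist line per NUMBER
# and the default password replaced by PIN. TEMPLATE is never modified.
prepare_disa() {
    [ "$#" -ge 4 ] || { echo "usage: prepare_disa TEMPLATE OUTPUT PIN NUMBER..." >&2; return 2; }
    tmpl=$1; out=$2; pin=$3
    shift 3
    [ -r "$tmpl" ] || { echo "cannot read $tmpl" >&2; return 1; }

    # Step 3: exactly 8 digits, and not the value shipped in the template.
    case $pin in ''|*[!0-9]*) echo "password must be numeric" >&2; return 1 ;; esac
    [ "${#pin}" -eq 8 ] || { echo "password must be 8 digits" >&2; return 1; }
    [ "$pin" != 12341234 ] || { echo "refusing the default password" >&2; return 1; }

    # Step 2: every whitelisted caller ID is a 10-digit number.
    for num in "$@"; do
        case $num in ''|*[!0-9]*) echo "not numeric: $num" >&2; return 1 ;; esac
        [ "${#num}" -eq 10 ] || { echo "not 10 digits: $num" >&2; return 1; }
    done

    # Stop if either placeholder line is missing (template changed or already edited).
    grep -qF '"${CALLERID(number)}"="701"' "$tmpl" || { echo "whitelist line not found" >&2; return 1; }
    grep -qF '"${MYCODE}" = "12341234"' "$tmpl" || { echo "password line not found" >&2; return 1; }

    # The result holds the password in clear text, so create it owner-only.
    (
        umask 077
        rm -f "$out"
        awk -v pin="$pin" -v nums="$*" '
            BEGIN { n = split(nums, list, " ") }
            index($0, "\"${CALLERID(number)}\"=\"701\"") {
                for (i = 1; i <= n; i++) {
                    if (list[i] in seen) continue      # skip duplicate numbers
                    seen[list[i]] = 1
                    line = $0
                    sub(/="701"/, "=\"" list[i] "\"", line)
                    print line
                }
                next
            }
            index($0, "\"${MYCODE}\" = \"12341234\"") { sub(/"12341234"/, "\"" pin "\"") }
            { print }
        ' "$tmpl" > "$out"
    )
}

# audit_disa FILE: report defaults that are still present in a dialplan file.
audit_disa() {
    grep -qF '"${MYCODE}" = "12341234"' "$1" && echo "default DISA password 12341234 still set"
    grep -qF '"${CALLERID(number)}"="701"' "$1" && echo "placeholder whitelist entry 701 still present"
    return 0
}

# Constructed sample: only the two lines quoted in the article.
write_sample_template() {
    cat > "$1" <<'EOF'
; constructed sample, not the real disa-xivo.txt
exten => 3472,n,GotoIf($["${CALLERID(number)}"="701"]?disago1)  ; Good guy
exten => 3472,n,GotoIf($["${MYCODE}" = "12341234"]?disago2:bad,1)
EOF
}

# Demonstration in a scratch directory.
demo_dir=$(mktemp -d)
write_sample_template "$demo_dir/disa-xivo.txt"
audit_disa "$demo_dir/disa-xivo.txt"
prepare_disa "$demo_dir/disa-xivo.txt" "$demo_dir/disa-xivo.new" 58203917 8435551212 4045550199 &&
    cat "$demo_dir/disa-xivo.new"
rm -rf "$demo_dir"
```

Caller ID can be spoofed, so the whitelist only narrows who reaches the password prompt; the 8-digit password is the control that has to hold. Once the edited copy has been reviewed, step 5 applies it in place of disa-xivo.txt.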


Setting Up a Softphone or WebRTC to Connect to XiVO

If you’re a Mac user, you’re lucky (and smart). Download and install Telephone from the Mac App Store. Start up the application and choose Telephone:Preference:Accounts. Click on the + icon to add a new account. To set up your softphone, you need 3 pieces of information: the IP address of your server (Domain), and your Username and Password. In the World of XiVO, you’ll find these under IPBX:Services:Lines. Just click on the Pencil icon beside the extension to which you want to connect. Now copy or cut-and-paste your Username and Password into the Accounts dialog of the Telephone app. Click Done when you’re finished, and your new softphone will come to life and should show Available. Dial the IVR (4871) to try things out. With Telephone, you can use over two dozen soft phones simultaneously on your desktop.


Prefer to use WebRTC from your browser as a softphone? XiVO has you covered. Complete setup instructions available here.

For everyone else, we recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the XiVO Line. You’ll need the IP address of your server plus your Line username and password associated with the 701 extension. On the XiVO platform, do NOT use an actual extension number for your username with XiVO. Go to IPBX Settings:Lines to decipher the appropriate username and password for the desired extension. Click OK to save your entries.


Test Drive of Sample Incredible PBX Apps

Once your softphone is registered, you can try out some of the Incredible PBX sample applications:

  • 4871 (IVR1) – Allison’s Demo IVR
  • 411 (Voice Dialing) – Call by Name (try "Delta Airlines")
  • 2663 (CONF) – Conference Room with Music on Hold
  • 951 – Yahoo! News Headlines (TTS)
  • 947 (ZIP) – NWS Weather by ZIP Code
  • 53669 (LENNY) – The Telemarketer’s Worst Nightmare

You can review the Dialplan code in the GUI by choosing IPBX Configuration:Configuration Files and clicking xivo-extrafeatures.conf. The sample IVR code is in ivr-1.conf. This Nerd Vittles tutorial will walk you through building your own IVRs for XiVO.

Using PBX Status with XiVO

For those that like to see how things are going from the Linux CLI, a modified version of pbxstatus is available for XiVO. From the Linux CLI, type: pbxstatus.


Using FQDNs with the Travelin’ Man 3 Firewall

If you plan to use FQDNs with your IPtables firewall or if your remote users will be using a Dynamic DNS provider to keep their IP addresses fresh, be sure to review Step #5 in the Travelin’ Man 3 tutorial which explains how to configure your firewall to automatically refresh IP addresses based upon changes in dynamic addresses. All of the necessary components already have been activated. Simply insert your FQDN entries using /root/add-fqdn and modify /root/ipchecker.

PortKnocker for XiVO: Your Firewall Safety Net

If you use a dynamic IP address for your local PC and that address changes, you may find yourself locked out of your own server unless you have heeded the advice in the preceding section. But there’s still hope. Incredible PBX for XiVO now includes the PortKnocker utility which lets you ping three predefined TCP ports in sequence to regain access to your server. You can read all about PortKnocker in this Nerd Vittles article. Unfortunately, PortKnocker doesn’t do you a bit of good if you haven’t deciphered what the three-port secret handshake is for your server. Before you forget, review /root/knock.FAQ and put the information in a safe place where you can retrieve it if the need should ever arise.

Adding a PPTP VPN to XiVO

Microsoft introduced the Point-to-Point-Tunneling-Protocol (PPTP) with Windows 95. Back then we knew it as Dial-Up Networking. Suffice it to say that, in those days, PPTP was anything but secure. Unfortunately, the bad name kinda stuck. For the most part, the security issues have been addressed with the possible exception of man-in-the-middle attacks which are incredibly difficult to pull off unless you are a service provider or have access to the wiring closets of your employer. You can read the long history of PPTP VPNs on Wikipedia for more background. If you’re traveling to China or other democracy-challenged destinations, you probably shouldn’t rely upon PPTP for network security. If these security considerations aren’t applicable in your situation, keep reading because PPTP VPNs are incredibly useful and extremely easy to deploy for an extra layer of VoIP and network security in most countries that have severe wiretapping penalties in place.

PPTP VPNs also provide home-away-from-home transparency to home office network services. Simply stated, with a PPTP VPN, you get a private IP address on the XiVO PBX that lets you do almost anything you could have done sitting at a desk in the home office. PPTP VPNs probably won’t work on most OpenVZ platforms such as Wable and ImpactVPS. But they work great on virtual machines such as CloudAtCost and Digital Ocean. For a quick-and-dirty back door into your server, a PPTP VPN is hard to beat. Here’s how to set one up on your XiVO PBX using 128-bit encryption. Make up a very obscure username and password in the first two lines below:

PPTPUSER=somebodyspecial
PPTPPASS=someverysecurepassword
apt-get -y update
apt-get -y install pptpd
sed -i 's|#ms-dns 10.0.0.1|ms-dns 8.8.8.8|' /etc/ppp/pptpd-options
sed -i 's|#ms-dns 10.0.0.2|ms-dns 8.8.4.4|' /etc/ppp/pptpd-options
echo "localip 172.16.16.100" >> /etc/pptpd.conf
echo "remoteip 172.16.16.101-199" >> /etc/pptpd.conf
echo "$PPTPUSER pptpd $PPTPPASS *" >> /etc/ppp/chap-secrets
/etc/init.d/pptpd restart
# show logged in PPTP users
last | grep ppp

Connect to your PPTP server from a Windows or Mac in the usual PPTP way. Once connected, you will be assigned an IP address in the range of 172.16.16.101-199. You then can access your XiVO PBX on the following IP address: 172.16.16.100.

Everything You Need to Know About XiVO Backups

Another feature of XiVO that separates the men from the boys is its documentation. In the case of backups, you’ll find everything you need to know here. All backups are stored on your XiVO server’s local drive in /var/backups/xivo. Be sure you have ample storage space available and, if you’re smart, you’ll copy both data.tgz and db.tgz from the local drive to a safe remote location periodically just in case disaster strikes. The documentation shows you how to quickly restore a backup should that ever become necessary.

Upgrading XiVO to the Latest Release

The XiVO development cycle is nothing short of miraculous. A new version is released every three weeks! The average time to close a bug has dropped from 315 days in 2009 to 28 days in 2012! You’ll probably want to keep your system current. 🙂

Upgrading XiVO is even easier than restoring a backup. Upgrade documentation is available here. Because we’ve added the Travelin’ Man 3 firewall, we recommend stopping IPtables during an upgrade and then restarting it when you’re finished. Your phone system is disabled during the upgrade. When upgrading XiVO, remember to also upgrade all associated XiVO Clients. Be sure to verify that things are back to normal once the upgrade procedure is completed: xivo-service status.

The commands to upgrade your XiVO PBX are as follows:

/etc/init.d/netfilter-persistent stop
xivo-upgrade
iptables-restart
# restore Incredible PBX module and ODBC configuration
cp -p /etc/asterisk/modules.conf.dpkg-old /etc/asterisk/modules.conf
cp -p /etc/asterisk/res_odbc.conf.dpkg-old /etc/asterisk/res_odbc.conf
xivo-service restart
# code below reactivates Incredible PBX web apps
cd /
wget http://incrediblepbx.com/incredible-nginx.tar.gz
tar zxvf incredible-nginx.tar.gz
rm -f incredible-nginx.tar.gz
/etc/init.d/nginx restart

Google Voice CLI and SMS Messaging Support

Thanks to Nick Pettazzoni, beginning with the August 29, 2016 release of Incredible PBX for XiVO, you now can take advantage of the pygooglevoice implementation of gvoice as well as Nerd Vittles’ SMS messaging and message blasting utilities. If you’re using an earlier release, it’s easy to add this functionality to your server as well:

cd /root
wget http://incrediblepbx.com/install-gv-cli
chmod +x install-gv-cli
./install-gv-cli

Be advised that the Google Voice CLI interface (gvoice) uses plain-text Google Voice passwords, not OAuth. Before most Google Voice accounts will work with gvoice and smsblast, you’ll need to do the following and then immediately login to gvoice from the Linux CLI at least once to mark your account as safe for access from this location. Here are the steps:

  1. Log in to the Gmail account you plan to use with gvoice
  2. While logged in, open a new browser tab to this site and enable Less Secure Apps
  3. Open another browser tab and enable the Google Reset procedure here
  4. Return immediately to the Linux CLI and login to gvoice

Creating an SMS Message Blast with XiVO

Here’s how to take advantage of SMS Message Blasting using a Google Voice account with Incredible PBX for XiVO. Log into your server as root and do the following:

  1. Edit /root/smsmsg.txt and insert the text message to be sent
  2. Edit /root/smslist.txt and create a list of the phone numbers to receive the SMS message
  3. Edit /root/smsblast and insert your gvoice username and password
  4. Run /root/smsblast to kick off the SMS Blast

Incredible PBX Application Quick Start Guide

Here’s a quick refresher on some of the Incredible PBX applications that have been installed. There’s also a link for more information. This remains a work-in-progress so expect more applications in coming weeks.

XiVO and Incredible PBX Dial Code Cheat Sheets

Complete XiVO documentation is available here. But here are two cheat sheets in PDF format for XiVO Star Codes and Incredible PBX Dial Codes. See also the previous 7 Nerd Vittles XiVO tutorials, all of which are listed below. Enjoy!



Taking Nerd Vittles’ XiVO IVR for a Test Drive

There’s a Demo IVR running at www.pacificnx.com on their XenServer virtualization platform. Scott McCarthy, a leading outside XiVO developer and a principal at PacificNX, advises they have a $50 a month GOLD platform specifically tailored to XiVO for those needing 99.999% reliability, 24/7 support with nightly backups and enterprise level firewalls that have intelligence to stop attacks and look for viruses, spyware and more. That’s what you’ll be hearing when you call the Nerd Vittles Demo IVR:

Nerd Vittles Demo IVR Options
1 – Call by Name (say "Delta Airlines" or "American Airlines" to try it out)
2 – MeetMe Conference
3 – Wolfram Alpha (Coming Soon!)
4 – Lenny (The Telemarketer’s Worst Nightmare)
5 – Today’s News Headlines
6 – Weather Forecast (enter a 5-digit ZIP code)
7 – Today in History (Coming Soon!)
8 – Speak to a Real Person (or maybe just Lenny if we’re out)

Don’t Stop Reading Just Yet. We’ve been busy since this article was first published in June, 2016. Continue reading about the latest developments including XiVO Snapshots.

Published: Monday, June 27, 2016  Updated: Regularly


Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

Security 101: A Fresh Look at Incredible PBX Security Audit Methodology

Incredible PBX remains one of the most secure VoIP server platforms on the planet for one simple reason. We always deploy a preconfigured Linux IPtables firewall with a whitelist that hides your server from everyone except you and trusted VoIP providers. IPtables is automatically configured and deployed as part of every initial install of Incredible PBX regardless of your platform. This includes XiVO with Debian 8 as well as CentOS 6 and 7, Ubuntu 14.04, Raspbian 7 and 8, and even SHMZ OS (not recommended). If your server happens to be housed behind a hardware-based firewall as well, then so much the better. That obviously isn’t possible with most Cloud-based servers so IPtables firewall security is a must.

Unlike most other VoIP server platforms, we don’t leave firewall configuration to chance. Nor do we assume you’re a firewall expert. It really doesn’t matter whether you are or not, you still need a server platform that is secure and protected. So we do it for you initially and, if you are a firewall expert or study to become one, you then can modify the default settings to meet your own requirements down the road. In the meantime, you and your server are protected.

As you probably have surmised, we conduct periodic security audits of our servers testing for vulnerabilities. And we perform these audits locally as well as remotely using servers we’ve deployed throughout the world. We also deploy honeypot servers from time to time in order to gather important information about what the bad guys are up to. With as many platforms as Incredible PBX now supports, just conducting local and remote security audits is no small feat.

Today we want to share some of the methodology we use in conducting our audits, and we’ll provide the results of our most recent remote security audit. We encourage everyone with a VoIP server, whether it’s Incredible PBX or some other platform, to periodically test your server(s) for vulnerabilities AND access. It not only could save you thousands of dollars, but it also protects the rest of us by assuring that you haven’t inadvertently provided malicious individuals with a zombie platform from which to launch denial of service and spam attacks against the Internet community. So let’s get started.

The first step in testing your server is to log into your server as root using SSH or PuTTY from multiple IP addresses. These sites should include logins from the home base of your server if it’s a dedicated machine, from your home PC, from a neighbor’s PC, from a public WiFi hotspot, and from your smartphone as well as someone else’s. If you gain access from all of these sites, you’ve got a problem. It means SSH access is not protected in any way on your server. While SSH is relatively secure, it has had its share of problems. And zero day vulnerabilities are regularly discovered in various Linux utilities so exposing all of your server’s important resources to the Internet is a very bad idea.

The second test deciphers the existing firewall rules that have been activated on your server: iptables -nL. If the results look like the following, you’ve got a major problem. It means there are no firewall rules blocking any access to your server:

root@incrediblepbx:~ $ iptables -nL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Next, reboot your server and repeat the first two tests to make certain that your firewall still is activated properly whenever your server experiences a power outage and comes back on line.
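The second test can be scripted so that it runs unattended after every reboot. The following is an added example, not part of the Incredible PBX tooling; the function names are hypothetical and the second sample listing is constructed.

```shell
#!/bin/sh
# Added example, not part of Incredible PBX: flag chains that are wide open
# (policy ACCEPT and no rules), which is the failure shown in the listing above.

# audit_listing: read `iptables -nL` output on stdin; print the name of every
# built-in chain whose policy is ACCEPT and which contains no rules.
audit_listing() {
    awk '
        function report() {
            if (chain != "" && policy == "ACCEPT" && rules == 0) print chain
        }
        /^Chain / {
            report()
            chain = $2; rules = 0; policy = ""
            # Built-in chains show "(policy X)"; user-defined chains show
            # "(N references)" and have no policy, so they are never reported.
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
            next
        }
        /^target[ \t]/ || /^[ \t]*$/ { next }   # column header or blank line
        { rules++ }
        END { report() }
    '
}

# input_is_open: succeed (exit 0) when INPUT is one of the reported chains.
input_is_open() {
    audit_listing | grep -qx 'INPUT'
}

# The listing from the article: nothing is filtered.
sample_open_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed listing of a filtered server (documentation addresses).
sample_locked_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  192.0.2.10           0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Live use, as root:  sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    listing=$(iptables -nL) || { echo "cannot read the rules (run as root)" >&2; exit 2; }
    if printf '%s\n' "$listing" | input_is_open; then
        echo "INPUT accepts everything: the firewall is not loaded" >&2
        exit 1
    fi
    echo "INPUT is filtered"
fi
```

An unrestricted OUTPUT chain is reported as well but does not fail the check; only an open INPUT chain does.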

If your firewall is not running, try issuing the command, iptables-restart, and then retest: iptables -nL. If you get the same results shown above, then something has come unglued. Here’s how to easily fix things up. First, move to the directory where the iptables rules are stored on your server. For CentOS/SL/RHEL, it’s /etc/sysconfig. For Debian/Ubuntu/Raspbian, it’s /etc/iptables.

Next, copy the default Incredible PBX firewall settings to the proper file location.

For CentOS/SL/RHEL platforms:

cp -p /etc/sysconfig/rules.v4.ubuntu14 /etc/sysconfig/iptables
cp -p /etc/sysconfig/rules.v6.ubuntu14 /etc/sysconfig/ip6tables

For Debian/Ubuntu/Raspbian platforms:

cp -p /etc/iptables/rules.v4.ubuntu14 /etc/iptables/rules.v4
cp -p /etc/iptables/rules.v6.ubuntu14 /etc/iptables/rules.v6

Next, edit iptables (CentOS/SL/RHEL) or rules.v4 (Debian/Ubuntu/Raspbian) and move to the bottom of the file where you’ll find a section that looks like this:

# The IP addresses are your server, user, and public addresses respectively
-A INPUT -s 8.8.4.4 -j ACCEPT
-A INPUT -s 8.8.8.8 -j ACCEPT
-A INPUT -s 74.86.213.25 -j ACCEPT

Replace the existing IP addresses with the actual IP addresses of your server, user workstation, and public IP address. Be very careful here. If you don’t whitelist the IP address of the machine on which you are performing these tasks, you will lock yourself out when you restart your firewall. Once you’ve made the changes, save the file.

Finally, restart IPtables using the following command: iptables-restart. Then retest: iptables -nL.
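The lock-out warning above can be enforced with a check that runs before iptables-restart. This is an added example, not Incredible PBX code; it assumes whitelist entries in the -A INPUT -s <address> -j ACCEPT form shown above, and its function names and sample rules are constructed.

```shell
#!/bin/sh
# Added example, not part of Incredible PBX: confirm that an address is covered
# by the whitelist BEFORE running iptables-restart. IPv4 only. Assumes entries
# in the article's form:  -A INPUT -s <address or CIDR> -j ACCEPT

# ip_to_int: print dotted-quad $1 as a 32-bit integer; fail on anything else.
ip_to_int() (
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, 3 digits max
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# ip_in_cidr: succeed when address $1 falls inside $2 (address or address/prefix).
ip_in_cidr() (
    case "$2" in */*) net=${2%/*}; bits=${2#*/} ;; *) net=$2; bits=32 ;; esac
    case "$bits" in ""|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    addr=$(ip_to_int "$1") || return 1
    base=$(ip_to_int "$net") || return 1
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
)

# whitelisting_rule: print the first source entry in rules file $1 that grants
# address $2 unrestricted access; fail if there is none. Entries limited to a
# protocol or port are ignored because they would not admit an SSH session.
whitelisting_rule() {
    match=$(awk '$1 == "-A" && $2 == "INPUT" && $3 == "-s" && $5 == "-j" &&
                 $6 == "ACCEPT" && NF == 6 { print $4 }' "$1" |
            while read -r src; do
                if ip_in_cidr "$2" "$src"; then echo "$src"; break; fi
            done)
    [ -n "$match" ] && echo "$match"
}

# preflight: refuse to proceed when the admin address is not whitelisted.
# $1 = rules file, $2 = address (default: the client of this SSH session,
# taken from the SSH_CLIENT variable that sshd sets).
preflight() {
    admin_ip=${2:-${SSH_CLIENT%% *}}
    if [ -z "$admin_ip" ]; then
        echo "no SSH client address found; pass one explicitly" >&2
        return 2
    fi
    if rule=$(whitelisting_rule "$1" "$admin_ip"); then
        echo "OK: $admin_ip is covered by whitelist entry $rule"
    else
        echo "STOP: $admin_ip is not whitelisted in $1; a restart would lock you out" >&2
        return 1
    fi
}

# Constructed sample rules (documentation address ranges).
sample_rules() {
    cat <<'EOF'
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -j ACCEPT
-A INPUT -s 203.0.113.7 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s sip.example.com -j ACCEPT
-A INPUT -j DROP
EOF
}

# Live use on Debian/Ubuntu/Raspbian:
#   preflight /etc/iptables/rules.v4 && iptables-restart
```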

We’re not going to spend a lot of time addressing what the proper firewall rules for your VoIP server should be. If you’re interested, you can take a look at the IPtables firewall setup that is deployed with Incredible PBX. On RHEL/CentOS/SL servers, you’ll find the firewall rules in /etc/sysconfig/iptables. On Debian/Ubuntu/Raspbian servers, the rules are in /etc/iptables/rules.v4. Suffice it to say that, if the only remote access required with your server is to connect to VoIP service providers, there is no reason to expose your web server or your SIP ports to the Internet, period. And this is true whether your server is sitting behind a hardware-based firewall or not.

The Incredible PBX security design uses a whitelist to provide access to most network services other than those that are absolutely essential to the operation of your server. The reason we use a whitelist is because blacklists don’t work. Those interested in doing harm to your server are perfectly capable of altering their IP addresses until they find one that isn’t blacklisted. And they also are adept at poisoning blacklists with IP addresses that are absolutely essential to the operation of your server, e.g. DNS servers and NTP servers.

As part of every Incredible PBX firewall install, we provide SIP and IAX access to many of the major VoIP providers around the globe. You may be wondering why we use IP addresses for providers rather than fully-qualified domain names. The reason is that IPtables doesn’t directly support FQDNs. Instead, when IPtables starts up, it looks up every FQDN and converts it into an IP address. If a server matching the FQDN happens to be off line, IPtables crashes and burns. The same is true if the lookup is attempted before DNS services are running on your server. So, the short answer to why we use IP addresses is because it is safer. The downside, of course, is you can’t eyeball the IP address and decipher to whom it belongs. If you ever have any doubt about the identity of the provider associated with any specific IP address, there’s a simple utility you can run to identify its owner: nslookup 178.63.143.236.
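A pre-flight check for the FQDN failure described above, as an added example rather than the project's own iptables-restart logic: it sets aside rules whose hostname does not resolve so that the remaining rules can still be loaded. The rule format, function names, hostnames and the stand-in resolver are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the project's iptables-restart: separate whitelist rules
# whose hostname no longer resolves from the rules that are safe to load.
# Assumes FQDN entries of the form  -A INPUT -s <hostname> -j ACCEPT

# resolves: succeed when hostname $1 resolves. RESOLVER may name a command or
# shell function to use instead of getent (used here to run offline).
resolves() {
    if [ -n "${RESOLVER:-}" ]; then
        "$RESOLVER" "$1"
    else
        getent hosts "$1" >/dev/null 2>&1
    fi
}

# rule_hostname: read one rule on stdin; print its -s/-d value when that value
# is a name rather than an IPv4 address or CIDR block. Prints nothing otherwise.
rule_hostname() {
    awk '!/^[ \t]*#/ {
        for (i = 1; i < NF; i++)
            if (($i == "-s" || $i == "-d") &&
                $(i + 1) !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) {
                print $(i + 1)
                exit
            }
    }'
}

# split_rules: copy rules file $1 to $2 without the rules whose hostname does
# not resolve, and print each rule that was left out so the change is visible.
split_rules() {
    : > "$2"
    while IFS= read -r line || [ -n "$line" ]; do
        host=$(printf '%s\n' "$line" | rule_hostname)
        if [ -n "$host" ] && ! resolves "$host"; then
            printf 'left out (%s does not resolve): %s\n' "$host" "$line"
        else
            printf '%s\n' "$line" >> "$2"
        fi
    done < "$1"
}

# Constructed stand-in for DNS: only sip.example.com "resolves".
demo_resolver() {
    case "$1" in sip.example.com) return 0 ;; *) return 1 ;; esac
}

# Constructed sample in iptables-save format.
sample_rules() {
    cat <<'EOF'
# Constructed sample
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.0.2.10 -j ACCEPT
-A INPUT -s sip.example.com -j ACCEPT
-A INPUT -s gone.example.net -j ACCEPT
COMMIT
EOF
}

# Offline demonstration:
#   RESOLVER=demo_resolver; sample_rules > rules.in; split_rules rules.in rules.out
```

Every rule that is left out narrows the whitelist, so the printed lines should be reviewed rather than discarded.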

Here is a list of the providers included in the default Incredible PBX whitelist. Others can be added using the add-ip and add-fqdn utilities in /root. If you use FQDNs, be sure to add the entries to /root/ipchecker so that your IP addresses are periodically checked and updated when necessary. This is especially important for dynamic IP addresses at remote locations.

outbound1.vitelity.net
inbound1.vitelity.net
atlanta.voip.ms
chicago.voip.ms
dallas.voip.ms
houston.voip.ms
losangeles.voip.ms
newyork.voip.ms
seattle.voip.ms
tampa.voip.ms
montreal.voip.ms
montreal2.voip.ms
toronto.voip.ms
toronto2.voip.ms
london.voip.ms
didforsale.com
callcentric.com
sipgate.com
chi-in.voipstreet.com
did.voip.les.net
magnum.axvoice.com
proxy.sipthor.net
sip.voipwelcome.com
incoming.future-nine.com
outgoing.future-nine.com
DEN.teliax.net
LAX.teliax.net
NYC.teliax.net
ATL.teliax.net
IPkall (defunct) used two IP addresses: 66.54.140.46 and 66.54.140.47
gvgw1.simonics.com
sip2sip.info
googlelabs.com
talk.google.com
gmail.com

The major drawbacks to firewall whitelists are (1) you can inadvertently lock yourself out of your own server and (2) someone that needs access to your server from remote locations may have more difficulty connecting without intervention by a network administrator to authorize remote access. With Incredible PBX, we’ve provided some tools to ease the pain. First, Incredible PBX is deployed with both the PPTP and NeoRouter VPN platforms already in place. With a VPN IP address, remote logins are minimized because they work from almost anywhere. Second, Incredible PBX includes the PortKnocker utility which lets a remote user "knock" on the server using three randomly assigned port numbers to gain temporary access. Many Incredible PBX platforms also support Travelin’ Man 4 which lets you authorize remote access by telephone. You also need to test remote VPN, PortKnocker, and Travelin’ Man 4 access as part of your security audits.

Testing for vulnerabilities is only half of the puzzle. Also make certain that your server has the proper Linux tools in place to allow you to whitelist additional IP addresses so that remote users can deploy phones or gain access to your server when necessary. Try to run the nslookup and dig utilities to verify that they are installed on your server. If not, install them with yum install bind-utils (CentOS/SL/RHEL) or apt-get install dnsutils (Debian/Ubuntu/Raspbian).

Security Audit Results. We’re pleased to report that no vulnerabilities were identified in any of the Incredible PBX platforms; however, good security practices dictate that the IPkall IP addresses should probably be removed from the whitelist now that the company has ceased providing VoIP services.

For CentOS/SL/RHEL platforms:

sed -i '/66.54.140.46/d' /etc/sysconfig/iptables
sed -i '/66.54.140.47/d' /etc/sysconfig/iptables
sed -i '/66.54.140.46/d' /etc/sysconfig/rules.v4.ubuntu14
sed -i '/66.54.140.47/d' /etc/sysconfig/rules.v4.ubuntu14
iptables-restart

For Debian/Ubuntu/Raspbian platforms:

sed -i '/66.54.140.46/d' /etc/iptables/rules.v4
sed -i '/66.54.140.47/d' /etc/iptables/rules.v4
sed -i '/66.54.140.46/d' /etc/iptables/rules.v4.ubuntu14
sed -i '/66.54.140.47/d' /etc/iptables/rules.v4.ubuntu14
iptables-restart
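One caveat with the sed commands above: the pattern is an unanchored regular expression in which each dot matches any character, so /66.54.140.46/d also deletes a rule for an address such as 166.54.140.46. The added example below (not Incredible PBX code; the function names and the sample whitelist, including its 166.54.140.46 entry, are constructed) previews what a pattern would delete and then removes one source address by exact match.

```shell
#!/bin/sh
# Added example, not part of Incredible PBX: preview what an address pattern
# would delete from a whitelist, then remove one source address exactly.

# would_delete: list the lines that  sed -i "/PATTERN/d" FILE  would remove.
# $1 = rules file, $2 = the pattern (a basic regular expression, as in sed).
would_delete() {
    grep -n -e "$2" "$1"
}

# exact_source_lines: list only rules whose -s value is exactly $2 (or $2/32).
exact_source_lines() {
    awk -v ip="$2" '{
        for (i = 1; i < NF; i++)
            if ($i == "-s" && ($(i + 1) == ip || $(i + 1) == (ip "/32"))) {
                print NR ":" $0
                next
            }
    }' "$1"
}

# remove_exact_source: delete those rules from $1, leaving a backup in $1.bak.
remove_exact_source() {
    cp -p "$1" "$1.bak" || return 1
    awk -v ip="$2" '{
        for (i = 1; i < NF; i++)
            if ($i == "-s" && ($(i + 1) == ip || $(i + 1) == (ip "/32"))) next
        print
    }' "$1.bak" > "$1"
}

# Constructed sample whitelist; the two IPkall addresses come from the article.
sample_whitelist() {
    cat <<'EOF'
# Constructed sample whitelist
-A INPUT -s 66.54.140.46 -j ACCEPT
-A INPUT -s 66.54.140.47 -j ACCEPT
-A INPUT -s 166.54.140.46 -j ACCEPT
-A INPUT -s 192.0.2.10 -j ACCEPT
EOF
}

# Live use on Debian/Ubuntu/Raspbian, followed by iptables-restart:
#   would_delete /etc/iptables/rules.v4 '66.54.140.46'
#   remove_exact_source /etc/iptables/rules.v4 66.54.140.46
```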

We did identify a couple of access anomalies that kept the add-ip and add-fqdn utilities in /root from functioning properly. These glitches meant that a few administrators could not easily add remote IP addresses to their whitelists. Three fixes are recommended. First, be sure the utilities documented in the previous paragraph are installed on your server. Second, on CentOS/SL/RHEL platforms or servers installed using the Incredible PBX ISO, issue the following commands after logging into your server as root:

sed -i 's|/etc/iptables/rules.v4|/etc/sysconfig/iptables|' /root/add-ip
sed -i 's|/etc/iptables/rules.v4|/etc/sysconfig/iptables|' /root/add-fqdn

Third, for Incredible PBX deployments on the CentOS 7 platform, issue these commands while logged in as root:

chattr -i /root/add-ip
sed -i 's|iptables-persistent|iptables|' /root/add-ip
chattr +i /root/add-ip

Be safe!

Originally published: Tuesday, August 9, 2016





Taking a Fresh Look at the Asterisk, FreePBX, and Incredible PBX Security Models

About once a year, we try to shine the spotlight on Asterisk® security in hopes of saving lots of organizations and individuals a little bit (or a lot) of money. In light of last week’s major security lapse in the Asterisk® dialplan of those using FreePBX® since the Asterisk@Home days, now seemed like a good time for a review. As we’ve noted before, the problem with open source phone systems is they’re open source phone systems. So the bad guys can figure out how they work just like the good guys. Unfortunately, some of the bad guys are paying particular attention to Asterisk and FreePBX so it behooves all of us to remain vigilant and patch vulnerabilities quickly. The FreePBX Devs have done an admirable job in responding quickly to this issue.

Last week’s vulnerability involves the call transfer methodology that has been incorporated into FreePBX-based Asterisk servers for at least a decade. In a nutshell, it allows an internal or outside caller or called party to transfer a call using touchtones instead of a dedicated transfer button or hook flash. ## performs a blind transfer while *2 sets up an attended transfer where the person transferring the call can actually talk to the transfer recipient before executing the call transfer. Some of our foreign friends used this *2 methodology to initiate calls to Asterisk servers and then to transfer those calls to expensive destinations while the other party to the call listened to music on hold. Worse yet, it could be performed within an answering IVR on some servers so the administrator never knew the call transfer took place other than reviewing the call detail records. As with some previous vulnerabilities, this one had lain dormant since the inception of call transfer technology in Asterisk. The default settings in FreePBX permitted outside calling or called parties to initiate transfers using these feature codes. We’re reminded of a similar vulnerability that used to exist in many Asterisk voicemail systems that allowed callers to dialout to another number from within the voicemail system.

We hope to persuade you today that allowing transfer of calls using touch tones is a very bad idea to begin with. Even when you don’t get a surprise phone bill, it often results in unanticipated consequences such as depicted in this video shared on DSL Reports:


https://youtu.be/bnMVebywX6Y

Here’s how you can protect any server that uses all or some of the FreePBX GUI. First, be aware that the FreePBX developers are working on a rewrite of the Core component in versions 13 and 12. The fix would limit use of this technology to those on the internal side of a PBX. In other words, remote callers would be blocked from calling into an Asterisk server and transferring themselves to a phone on a cruise ship sailing in the Indian Ocean. In the meantime, issuing the following commands will patch things up:

mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = 'tr' where keyword = 'DIAL_OPTIONS' limit 1"
mysql -uroot -ppassw0rd asterisk -e "update freepbx_settings set value = '' where keyword = 'TRUNK_OPTIONS' limit 1"
amportal a r

For those using Incredible PBX™, the Automatic Update Utility will patch your server the next time you log in as root.

Olle Johansson has been one of the primary shakers and movers when it comes to educating folks on Asterisk security and inspiring developers to do a better job designing these systems. If you didn’t attend AstriCon 2013 and haven’t watched the Security Master Class, put these videos on your Bucket List. They’re all free and well worth your time.

When we began building out Incredible PBX on other platforms several years ago, we decided it was an opportune time to revisit our Asterisk security model and make it as bullet-proof as possible given the number of people now deploying Asterisk servers in the cloud. As a practical matter, there are no hardware-based firewalls to protect you with many of the cloud-based systems. So you literally live or die based upon the strength of your own software-based security model.

As in the past, security is all about layers of protection. A bundle of sticks is harder to break than a single stick. There now are Incredible PBX builds for CentOS, Scientific Linux, Ubuntu 14, and the latest Raspbian 8 for the Raspberry Pi 2 and 3. All of these releases include the new Incredible PBX security model. Here’s how it works…

The 7 Security Layers include the following, and we will go into the details below:

  1. Preconfigured IPtables Linux Firewall
  2. Preconfigured Travelin’ Man 3 WhiteLists
  3. Randomized Port Knocker for Remote Access
  4. TM4 WhiteListing by Telephone (optional)
  5. Fail2Ban
  6. Randomized Ultra-Secure Passwords
  7. Automatic Security Updates & Bug Fixes

1. IPtables Linux Firewall. Yes, we’ve had IPtables in place with PBX in a Flash for many years. And, yes, it was partially locked down in previous Incredible PBX releases if you chose to deploy Travelin’ Man 3. Now it’s automatically installed AND locked down, period. As installed, the new Incredible PBX limits login access to your server to those on your private LAN (if any) and anyone logging in from the server’s public or private IP address and the public IP address of the desktop machine used to install the Incredible PBX software. If you or your users need access from other computers or phones, those addresses can be added quickly using either the Travelin’ Man 3 tools (add-ip and add-fqdn) or using the Port Knocker application running on your desktop or smartphone. All you need is your randomized 3 codes for the knock. You can also enable a remote IP address by telephone. Keep reading!


2. Travelin’ Man 3 WhiteLists. As in the past, many of the major SIP providers have been whitelisted in the default setup so that you can quickly add new service without worrying about firewall access. These are providers that we’ve used over the years. The preconfigured providers include Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. You are, of course, free to add other providers or users using the whitelist tools being provided. add-ip lets you add an IP address to your whitelist. add-fqdn lets you add a fully-qualified domain name to your whitelist. del-acct lets you remove an entry from your whitelist. Because FQDNs cause problems with IPtables if the FQDN happens to be invalid or non-functional, we’ve provided a customized iptables-restart tool which will filter out bad FQDNs and start up IPtables without the problematic entries.

Be advised that whitelist entries created with PortKnocker are stored in RAM, not in your IPtables file. These RAM entries will get blown out of the water whenever your system is restarted OR if IPtables is restarted. Stated another way, PortKnocker should be used as a stopgap tool to get new IP addresses qualified quickly. If these addresses need access for more than a few hours, then the Travelin’ Man 3 tools should be used to add them to your IPtables whitelist. If your whitelist setup includes dynamic IP addresses, be aware that using ipchecker in a cron job to test for changing dynamic IP addresses will remove PortKnocker whitelist RAM entries whenever an IP address change triggers an iptables-restart.

For more detail on Travelin’ Man 3, review our original tutorial.


3. PortKnocker WhiteListing. We’ve previously written about PortKnocker so we won’t repeat the article here. Simply stated, it lets you knock on three ports on a host machine in the proper order to gain access. If you get the timing and sequence right, the IP address from which you knocked gets whitelisted for access to the server… with appropriate admin or root passwords, of course. The knocking can be accomplished with either a command line tool or an iOS or Android app using your smartphone or tablet. As noted above, it’s a terrific stopgap tool to let you or your users gain quick access to your server. For the reasons we’ve documented, don’t forget that it’s a stopgap tool. Don’t use it as a replacement for Travelin’ Man 3 whitelists unless you don’t plan to deploy dynamic IP address automatic updating. Just to repeat, PortKnocker whitelists get destroyed whenever IPtables is restarted or your server is rebooted. You’ve been warned.

4. TM4 WhiteListing by Telephone. Newer releases of Incredible PBX are preconfigured with ODBC support for telephony applications. One worth mentioning is our new Travelin’ Man 4 utility which lets a remote user dial into a dedicated DID and register an IP address to be whitelisted on the server. Within a couple minutes, the user will be sent an email confirming that the IP address has been whitelisted and remote access is now enabled. For phone systems and administrators supporting hundreds of remote users, this new feature will be a welcome addition. It can be configured in a couple minutes by following the Installation instructions in the Travelin’ Man 4 tutorial. Unlike PortKnocker, whitelisted IP addresses added with TM4 are permanent until modified by the remote user or deleted by the administrator.


5. Fail2Ban. We’ve never been a big fan of Fail2Ban which scans your logs and blacklists IP addresses after several failed attempts to log in or register with SSH or Apache or Asterisk. The reason is because of documented cases where attacks from powerful servers (think: Amazon) completely overpower a machine and delay execution of Fail2Ban log scanning until tens of thousands of registration attempts have been launched. The FreePBX folks are working on a methodology to move failed login attempts to a separate (smaller) log which would go a long way toward eliminating the log scanning bottleneck. In the meantime, Fail2Ban is included, and it works when it works. But don’t count on it as your only security layer.


6. Randomized Passwords. With the new security model described above, we’ve dispensed with Apache security to protect FreePBX® access. These new Incredible PBX releases rely upon the FreePBX security model which uses encrypted passwords stored in MySQL or MariaDB. As part of the installation process, Incredible PBX randomizes ALL FreePBX passwords including those for the default 701 extension as well as the admin password. When your new Incredible PBX install completes, the most important things to remember are your (randomized) FreePBX admin password AND the (randomized) 3 ports required for Port Knocker access. Put them in a safe place. Sooner or later, you’ll need them. You can review your PortKnocker settings in /root/knock.FAQ. We’ve also included admin-pw-change in the /root folder for those that are too lazy to heed our advice. With the new security model, there is no way to look up your admin password. All you can do is change it… assuming you haven’t also forgotten your root password. 😉

7. Automatic Update Service. All new Incredible PBX builds include an automatic update service to provide security patches and bug fixes whenever you log into your server as root. It saved you just last week! If you don’t want the updates for some reason, you can delete the /root/update* file from your server. If the cost of maintaining this service becomes prohibitive, we may implement a pay-for-service fee, but it presently is supported by voluntary contributions from our users. It has worked extremely well and provided a vehicle for pushing out updates that affect the reliability and security of your server.

A Word About IPv6. Sooner or later Internet Protocol version 6 will be upon us because of the exhaustion of IPv4 IP addresses. Incredible PBX is IPv6-aware and IPtables has been configured to support it as well. As deployed, outbound IPv6 is not restricted. Inbound access is limited to localhost. You, of course, are free to modify it in any way desired. Be advised that disabling IPv6 localhost inbound access will block access to the FreePBX GUI. Don’t ask us how we know. 🙂

Originally published: Monday, April 18, 2016





It’s Back: $10.50 Buys an Incredible PBX in the Cloud For Life… If You Hurry

In January, we began our new series on Cloud Computing by documenting how to build an awesome LAMP server in the Cloud using Linux. Today we’re again going to show you how to use the same Cloud platform and take advantage of the $10.50 coupon code TAKE70 to build an Incredible PBX in the Cloud FOR LIFE. When you’re finished, you’ll have a state-of-the-art Incredible PBX 13 server with hundreds of PBX features including free calling to the U.S. and Canada using any (free) Google Voice account. Keep in mind this isn’t $10.50 a month for your cloud server. It’s $10.50, period! The whole project takes less than an hour. Before we begin, let’s revisit our cautionary note for those that missed it in the previous article. It’s important.

There’s lots to hate at Cloud At Cost, a Canadian provider that offers virtual machines in the cloud for a one-time fee with no recurring charges. For $10.50 (marked down from $35), you get a virtual machine with 512MB of RAM, 10GB of storage, and a gigabit Internet connection FOR LIFE. We haven’t seen a week go by when Cloud at Cost didn’t offer some sort of discount. Today it’s 70% which brings the total cost down to $10.50. That’s less than a burger at Five Guys. That’s the good news. But, if security, 99.999% reliability, performance, and excellent customer support are your must-haves, then look elsewhere. So why would anyone in their right mind sign up for a cloud solution that didn’t offer those four things? Did we mention it’s $10.50 for a lifetime cloud server?

If you take our recommendation and plunk down your $10.50, you’ll need to go into this with the right attitude. It’s not going to be flawless perfection computing. It’s a sandbox on which to experiment with [VoIP] and Cloud Computing. Will your virtual machine disintegrate at some juncture? Probably. Our experience is that the first couple days are critical. If you start seeing sluggish performance which degenerates to zero, don’t waste your time. Take good notes as you go along, delete the virtual machine, and rebuild a new one. It won’t cost you a dime, and it’ll save you hours of frustration. We suspect that bad folks get onto some of the servers and delight in bringing the machines to their knees. So the quicker you cut your losses, the better off you will be. Is CloudAtCost a good solution for production use? Probably not, so don’t try to fit a square peg in the round hole. It’s not gonna work, and you WILL be disappointed.

Today’s experiment will give you a platform on which to learn before you decide upon a more permanent deployment solution. And it will give you a terrific home for a backup server once you do move to a long-term solution so your $10.50 won’t be wasted.


The objective today is to show you how to build a rock-solid, secure VoIP server in the Cloud with all the bells and whistles you’d typically find on a PBX costing tens of thousands of dollars. Incredible PBX is pure GPL, open source code with one major difference. It’s FREE! And it’s supported by thousands of users on the PIAF Forum that started just like you.

Some of you are probably wondering why you would want a PBX at all. Hearing is believing as they say. Spend a couple minutes and call our CloudAtCost demo server. We preconfigured it using everything provided in today’s tutorial. It’ll let you play with some of the features that a PBX offers such as voice dialing from a directory, news and weather forecasts, and much more. And, in case you’re wondering, it’s been running 24/7 for two full months without a single hiccup. To try it for yourself, just dial:

Nerd Vittles Demo IVR Options
1 – Call by Name (say “Delta Airlines” or “American Airlines” to try it out)
2 – MeetMe Conference (password is 1234)
3 – Wolfram Alpha (say “What planes are flying overhead now?”)
4 – Lenny (The Telemarketer’s Worst Nightmare)
5 – Today’s News Headlines
6 – Weather Forecast (Just enter your ZIP Code!)
7 – Today in History
8 – Speak to a Real Person (or maybe just voicemail if we’re out)

For long time readers of Nerd Vittles, you already know that the component we continually stress is security. Without that, the rest really doesn’t matter. You’ll be building a platform for someone else to hijack and use for nefarious purposes. When we’re finished today, you’ll have a cloud-based VoIP server that is totally invisible to the rest of the world except a short list of VoIP providers that have been thoroughly vetted by Nerd Vittles staff. You can whitelist additional locations and phones to meet your individual needs without worrying about your server being compromised.

Creating Your Virtual Machine Platform in the Cloud

To get started, you’ve got to cough up your $10.50 at Cloud at Cost using coupon code TAKE70. Once you’ve signed up, CloudAtCost will send you credentials to log into the Cloud at Cost Management Portal. Change your portal password IMMEDIATELY after logging in. Just go to SETTINGS and follow your nose. HINT: DC2 is the preferred data center!


To create your virtual machine, click on the CLOUDPRO button and click Add New Server. If you’ve only purchased the $10.50 CloudPRO 1 platform, then you’ll need all of the available resources shown in the pick list. Leave CentOS 6.7 64bit selected as the OS Type and click Complete. Depending upon the type of special pricing that Cloud at Cost is offering when you sign up, the time to build your virtual machine can take anywhere from a minute to the better part of a day. Things have settled down since the 90% off week so new servers typically are ready in a few minutes. However, we’ve learned to build new virtual machines at night where possible. Then they’re usually available for use by the next morning. Luckily, this slow performance does not impact existing virtual machines that already are running in the CloudAtCost hosting facilities.

Initial Configuration of Your CentOS 6.7 Virtual Machine


With a little luck, your virtual machine soon will appear in your Cloud at Cost Management Portal and look something like what’s shown above. The red arrow points to the i button you’ll need to click to decipher the password for your new virtual machine. You’ll need both your IP address and the password for the new virtual machine in order to log into the server which is now up and running with a barebones CentOS 6.7 operating system. Note the yellow caution flag. That’s telling you that Cloud at Cost will automatically shut down your server in a week to save (them) computing resources. You can change the setting to keep your server running 24/7. Click Modify, Change Run Mode, and select Normal – Leave Powered On. Click Continue and OK to save your new settings.


Finally, you’ll want to change the Host Name for your server to something more descriptive than c7…cloudpro.92… Click the Modify button again and click Rename Server to change it. IncrediblePBX13 has a nice ring to it, but to each his own.

Logging into Your New CentOS 6.7 Virtual Machine

In order to configure and manage your new CentOS 6.7 virtual machine, you’ll need to log into the new server using either SSH or, for Windows users, Putty. After installing Putty, run it and log in to the IP address of your VM with username root and the password you deciphered above. On a Mac, open a Terminal session and issue a command like this using the actual IP address of your new virtual machine:

ssh root@12.34.56.78

Before you do anything else, reset your Virtual Machine’s root password to something very secure: passwd

Next, let’s address a couple of CloudAtCost quirks that may cause problems down the road. CloudAtCost has a nasty habit of not cleaning up after itself with fresh installs. The net result is your root password may get reset every time you reboot even though you changed it.

sed -i '/exit 0/d' /etc/rc.local
killall plymouthd
echo killall plymouthd >> /etc/rc.local
rm -f /etc/rc3.d/S97*
echo "exit 0" >> /etc/rc.local

Installing Incredible PBX 13 with CentOS 6.7

Now we’re ready to build your VoIP server platform. There aren’t many steps so just cut-and-paste the code into your SSH or Putty session and review the results to make sure nothing comes unglued. If something does, the beauty of virtual machines is you can delete them instantly within your management portal and just start over whenever you like. So here we go…

We’ll begin by permanently turning off SELINUX which causes more problems than it solves. The first command turns it off instantly. The second line assures that it’ll stay off whenever you reboot your virtual machine.

setenforce 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

Now let’s bring CentOS 6.7 up to current specs and add a few important applications:

yum -y update
yum -y install net-tools nano wget tar
reboot

Once your server reboots, we’re ready to kick off the Incredible PBX 13 install:

cd /root
wget http://incrediblepbx.com/incrediblepbx13-12.2-centos.tar.gz
tar zxvf incrediblepbx*
./IncrediblePBX*

When the install begins, read the license agreement and press ENTER to agree to the terms and get things rolling. Now would be a great time to go have breakfast or lunch. Come back in about an hour and your server should be ready to go.

Implementing Dynamic DNS Service on Your Client Machines

Unlike some other PBX offerings that leave your server exposed to the Internet, Incredible PBX is different. Unless the IP address from which you are accessing the server has been whitelisted, nobody on the Internet can see your server. The only exception is the preferred providers list and those on the same local area network (which is nobody in the case of CloudAtCost). As part of the Incredible PBX install, the IP address of the computer you used to perform the install was whitelisted automatically. But there may be other computers from which you wish to allow access to the PBX in order to deploy telephones at remote sites. Some of these sites may have dynamic IP addresses that change from time to time. Or you may have traveling salesmen who land in a new hotel almost every night with a new IP address. Fortunately, there are a number of free and paid Dynamic DNS providers. For sites with dynamic IP addresses, simply choose a fully-qualified domain name (FQDN) to identify each location where you need computer access or need to deploy a phone. Then run a dynamic DNS update utility periodically from a computer or router at that site. It reports back the current public IP address of the site, and your DNS provider updates the IP address assigned to that FQDN whenever there are changes.

DNS update clients are available for Windows, Mac OS X, and many residential routers. They’re also available for Android devices. Then it’s just a matter of plugging in the remote users’ FQDNs so Incredible PBX knows to give them server access via the whitelist. You implement this in seconds using the add-ip and add-fqdn utilities in the /root directory.

There are other ways to gain access as well using the PortKnocker utility or Travelin’ Man 4 from a telephone. Both of these are covered in the Incredible PBX 13 tutorial so we won’t repeat it here.
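
To make the whitelist idea concrete, here is an added example (not the add-ip or add-fqdn scripts shipped with Incredible PBX) that turns static IPs and dynamic DNS names into ACCEPT rules while refusing any DNS answer that is not a single IPv4 address. The chain name WHITELIST, the list format, and the host names and addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build an iptables-restore fragment for a whitelist chain.
# Assumptions: chain name WHITELIST, IPv4 only, "target label" input lines.

# Succeed only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Live resolver: prints one IPv4 address per line for a host name.
resolve_fqdn() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Read "target label" lines on stdin and print the rule fragment.
# $1 names the resolver function (default: resolve_fqdn). A name that does
# not resolve, or resolves to anything other than a plain IPv4 address, is
# skipped with a note on stderr, so a bad DNS answer never widens access.
build_whitelist() {
    resolver=${1:-resolve_fqdn}
    echo '*filter'
    echo ':WHITELIST - [0:0]'
    while read -r target label; do
        case $target in ''|'#'*) continue ;; esac
        # The label is copied into a rule, so keep only harmless characters.
        label=$(printf '%s' "$label" | tr -cd 'A-Za-z0-9._-')
        [ -n "$label" ] || label=unnamed
        if is_ipv4 "$target"; then
            addrs=$target
        else
            addrs=$("$resolver" "$target" </dev/null) || addrs=
        fi
        if [ -z "$addrs" ]; then
            echo "skip $target: no address" >&2
            continue
        fi
        printf '%s\n' "$addrs" | while read -r addr; do
            if is_ipv4 "$addr"; then
                echo "-A WHITELIST -s $addr/32 -m comment --comment \"$label\" -j ACCEPT"
            else
                echo "skip $target: rejected answer '$addr'" >&2
            fi
        done
    done
    echo 'COMMIT'
}

# Constructed resolver so the example runs offline (documentation addresses).
resolve_constructed() {
    case $1 in
        home.example.net) echo 203.0.113.25 ;;
        bad.example.net)  echo 0.0.0.0/0 ;;   # broken or hostile answer
        *) return 1 ;;                        # name does not resolve
    esac
}

# Constructed whitelist: one static IP, one good name, two that must be skipped.
demo_rules() {
    build_whitelist resolve_constructed <<'EOF'
# target            label
198.51.100.7        office
home.example.net    home-phone
bad.example.net     poisoned
gone.example.net    hotel
EOF
}

demo_rules
```

Because dynamic addresses change, a generator like this only helps if it is rerun on a schedule; review the fragment before loading it with iptables-restore --noflush.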

Incredible PBX Preliminary Setup Steps

First, let’s check things out and make sure everything is working as it should. With your favorite web browser, visit the IP address of your new server. You should see the default Incredible PBX page, the Kennonsoft Menu. It’s divided into two parts, a Users tab (shown below) and an Admin tab with additional options that we’ll cover shortly.


Now we need to jump back to SSH or Putty and log back into your server as root. You’ll note that the Incredible PBX Automatic Update Utility is run each time you log in. This is how important security updates are pushed to your server so do it regularly. And, no, you don’t need to contribute to our open source projects unless you want to. You’ll still get the updates as they are released.

After the Automatic Update Utility runs, the login script will execute status which tells you everything you need to know about the health of your server. After the initial install, it will look something like this with your server’s IP address obviously. We’ll cover the RED items down the road a bit.


For now, we need to complete a few preliminary setup steps for Incredible PBX to make sure you can log into the various components which have been installed on your computer. There are several different credentials you will need. Most of these are configured using scripts in the /root folder of your server. First, you need your root password for the server itself, and you should have already set that up with a very secure password using passwd. These same credentials are used to login to WebMin.

Next you’ll need an admin password for the Incredible PBX GUI. This is the management utility and Asterisk® code generator which consists of FreePBX® GPL modules that are open source and free to use. The admin password is set by running admin-pw-change in the /root directory.

There are also a number of web-based applications such as Telephone Reminders, AsteriDex, phpMyAdmin, and VoiceMail & Recordings (User Control Panel). You obviously don’t want everyone with a telephone using all of these applications so they are protected using a couple different Apache web server credentials. First, you set up an admin password for the administrator-level applications using the htpasswd utility. Then you set up an end-user account and password for access to AsteriDex, Reminders, and the User Control Panel. With the User Control Panel, end users also will need a username and password for their particular phone extension and this is configured with the Incredible PBX GUI using Admin -> User Management -> Add New User. If this sounds convoluted, it’s really not. Apache credentials can be entered once in an administrator’s or end user’s browser and they’re stored permanently.

Here is a checklist of the preliminary steps to complete before using your server:

Make your root password very secure: passwd
Create admin password for Incredible PBX GUI access: /root/admin-pw-change
Create admin password for web apps: htpasswd /etc/pbx/wwwpasswd admin
Create joeuser password for web apps: htpasswd /etc/pbx/wwwpasswd joeuser
Set up UCP accounts for Voicemail & Recordings access using Incredible PBX GUI
Make a copy of your Knock codes: cat /root/knock.FAQ
Decipher IP address and other info about your server: status
Set your correct time zone: /root/timezone-setup
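
Once the htpasswd steps in the checklist are done, the resulting file can be checked. The following is an added example, not part of Incredible PBX: it reads a password file in the htpasswd format, confirms the expected accounts exist, and flags entries stored in the legacy crypt() or {SHA} formats, which some htpasswd versions produce by default or on request. The hash strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit an Apache password file such as /etc/pbx/wwwpasswd.
# The hash values in the demo are constructed placeholders, not credentials.

# Name the storage scheme of one htpasswd hash field from its format.
hash_scheme() {
    case $1 in
        '')                       echo empty ;;
        '$2y$'*|'$2a$'*|'$2b$'*)  echo bcrypt ;;
        '$apr1$'*)                echo apr1-md5 ;;
        '{SHA}'*)                 echo sha1-unsalted ;;
        *) if [ ${#1} -eq 13 ]; then echo des-crypt; else echo unknown; fi ;;
    esac
}

# Usage: audit_wwwpasswd FILE [required-user ...]
# Prints "user scheme verdict" for every entry, then reports any required
# account that is absent. Returns 1 if anything is WEAK or MISSING.
audit_wwwpasswd() {
    file=$1; shift
    problems=0
    while IFS=: read -r user hash rest; do
        case $user in ''|'#'*) continue ;; esac
        scheme=$(hash_scheme "$hash")
        case $scheme in
            bcrypt|apr1-md5) verdict=ok ;;
            # des-crypt only uses the first 8 characters of the password;
            # {SHA} is a single unsalted SHA-1; empty/unknown need a look.
            *) verdict=WEAK; problems=1 ;;
        esac
        echo "$user $scheme $verdict"
    done < "$file"
    for required in "$@"; do
        if ! grep -q "^$required:" "$file"; then
            echo "$required - MISSING"
            problems=1
        fi
    done
    return $problems
}

# Constructed sample: admin stored as apr1-md5, joeuser as 13-character crypt().
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
admin:$apr1$Zx3kQ9ab$0123456789abcdefghijkl
joeuser:pXl0y6Gq2.7nE
EOF
    audit_wwwpasswd "$tmp" admin joeuser && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}

demo_audit || echo "audit reported problems"
```

On a real server the call would be audit_wwwpasswd /etc/pbx/wwwpasswd admin joeuser; a WEAK entry is fixed by setting that password again with a stronger htpasswd scheme.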

Activating Incredible Fax on Your Server

Incredible PBX also includes an optional (and free) faxing component that lets you send and receive faxes that are delivered to your email address. To activate Incredible Fax, run the following script and plug in your email address for delivery of incoming faxes: /root/incrediblefax11.sh. After entering your email address, you’ll be prompted for all sorts of additional information. Unless you have unusual requirements, pressing the ENTER key at every prompt is the appropriate response. You’ll need to reboot your server again when the fax installation is complete. Once you log back into your server as root, the bottom line of the status display should now be green UP entries.

Managing Your Server with the Incredible PBX GUI

About 99% of your time managing your server will be spent in the Incredible PBX GUI. To access it, fire up your browser and point to the IP address of your server. At the Kennonsoft menu, click on the Users tab which will change to Admin and bring up the Admin menu shown here:


From the Administrator menu in the Kennonsoft GUI, click on Incredible PBX Administration. This will bring up the following menu:


Click on the first icon to access the Incredible PBX GUI. You’ll be prompted for your credentials. For the username, enter admin. For the password, enter the password you set up using admin-pw-change above. You should then be greeted by the main status display in the Incredible GUI:


If you’re new to Asterisk and FreePBX, here’s the one paragraph primer on what needs to happen before you can make free calls with Google Voice. You’ll obviously need a free Google Voice account. This gets you a phone number for people to call you and a vehicle to place calls to plain old telephones throughout the U.S. and Canada at no cost. You’ll also need a softphone or SIP phone (NOT a regular POTS telephone) to actually place and receive calls. YATE makes a free softphone for PCs, Macs, and Linux machines so download your favorite and install it on your desktop. Phones connect to extensions to work with Incredible PBX. Extensions talk to trunks (like Google Voice) to make and receive calls. We use outbound routes to direct outgoing calls from extensions to trunks, and we use inbound routes to route incoming calls from trunks to extensions to make your phones ring. In a nutshell, that’s how a PBX works. There are lots of bells and whistles that you can explore down the road.

As configured after installation, you have everything you’ll need except a Google Voice trunk, and we’ll cover that next. Then we’ll add a softphone with your extension 701 credentials, and you’ll be ready to make and receive calls. Before we move on, let’s decipher your extension 701 password so that you’ll have it for later. Choose Applications -> Extensions -> 701 and scroll down the screen to the Secret field and write down your password. You can also change it if you like and click Submit and then the Red button to update your settings. While you’re here, write down your extension 701 Voicemail Password.

Deploying Google Voice on Your Server

That leaves one RED entry on your status display, GV OAUTH. Whether to use plain text passwords or OAUTH 2 credentials with Google Voice accounts presently is a matter of choice although Google regularly threatens to discontinue access to Google Voice without OAUTH authentication. We suggest you play with Google Voice using plain text passwords just to get your feet wet because OAUTH implementation gets complicated. When you get ready to deploy a permanent Incredible PBX server, that would be the appropriate time to switch to OAUTH. This tutorial (beginning at step 1b) will guide you through the process.

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using the GUI. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX. It’s free at least through 2013. Google Voice no longer is by invitation only so, if you’re in the U.S. or have a friend that is, head over to the Google Voice site and register.

You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work… in either direction. Google used to permit outbound Gtalk calls using a fake CallerID, but that obviously led to abuse so it’s over! You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don’t skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you’d like in Settings, Voice Setting, Phones. But…

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF
  • Call Options (Enable Recording): OFF
  • Global Spam Filtering: ON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Once you have your Google Voice account properly configured with Google, here is the proper sequence to get a Google Voice account working with Incredible PBX. First, using a browser, login to your Google Voice account. Second, make sure that Google Chat is activated in your Phone -> Settings. Third, in a separate browser tab, enable Less Secure Apps for your Google account. Fourth, in another separate browser tab, activate the Google Voice reset procedure. Fifth, in the Incredible PBX GUI, choose Connectivity -> Google Voice (Motif) and enter your Google Voice credentials:


Sixth, save your settings by clicking Submit and the Red Button to reload the GUI. Finally, using SSH or Putty, log into your server as root and restart Asterisk: amportal restart.

Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and your extension 701 password. Click OK.


Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:


DEMO - Allison's IVR Demo
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

Now you’re ready to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use the free Google Voice account we set up above. Unlike traditional telephone service where you were 100% dependent upon MaBell, there is no such limitation with VoIP. The smarter long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started. Here are a few of our favorites:


Originally published: Friday, January 29, 2016   Republished: Monday, March 14, 2016




Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.


The Ultimate Linux Sandbox in the Cloud for Less Than a $35 Raspberry Pi 2



Every few years we like to drop back and take a fresh look at the best way to get started with Linux. For those coming from the Windows World, it can be a painful process. Learning with a Cloud-based server can be especially dangerous because of the security risks. And then there’s the cost factor. Not everyone has several hundred dollars to buy hardware and, frankly, learning about Linux on a $35 Raspberry Pi can drive most newbies to drink. So today we’ll show you another way. It’s not necessarily a better way. But it’s different, and it’s loads of fun for not much money. Today’s project only takes 30 minutes.

There’s lots to hate at Cloud At Cost, a Canadian provider that offers virtual machines in the cloud for a one-time fee with no recurring charges. For $35 or less, you get a virtual machine with 512MB of RAM, 10GB of storage, and a gigabit Internet connection FOR LIFE. We haven’t seen a week go by when Cloud at Cost didn’t offer some sort of discount. Today it’s 70% off with coupon code TAKE70 which brings the total cost down to $10.50. That’s less than a burger at Five Guys. That’s the good news. But, if security, 99.999% reliability, performance, and excellent customer support are your must-haves, then look elsewhere. So why would anyone in their right mind sign up for a cloud solution that didn’t offer those four things? Did we mention it’s $10.50 for a lifetime cloud server?

If you take our recommendation and plunk down your Alexander Hamilton, you’ll need to go into this with the right attitude. It’s not going to be flawless perfection computing. It’s a sandbox on which to experiment with Linux and Cloud Computing. Will your virtual machine disintegrate at some juncture? Probably. Our experience is that the first couple days are critical. If you start seeing sluggish performance which degenerates to zero, don’t waste your time. Take good notes as you go along, delete the virtual machine, and rebuild a new one. It won’t cost you a dime, and it’ll save you hours of frustration. We suspect that bad folks get onto some of the servers and delight in bringing the machines to their knees. So the quicker you cut your losses, the better off you will be. Is CloudAtCost a good solution for production use? Absolutely not so don’t try to fit a square peg in the round hole. It’s not gonna work, and you WILL be disappointed. You’ve been warned. Let’s get started. ENJOY THE RIDE!

Our objective today is to show you how to build a rock-solid, secure Linux server in the Cloud with all the bells and whistles that make Linux the server platform of choice for almost every organization in the world. We’ll finish up by showing you how to embellish the platform with WordPress to do something that’s special for you whether it’s your own blog like Nerd Vittles, or a school newspaper, or an on-line shopping site to sell comic books. The basic foundation for most Linux platforms is called a LAMP server which stands for Linux, Apache, MySQL, and PHP. Linux is an open source operating system that includes contributions from thousands of developers around the world. Apache is the web server platform on which most commercial businesses stake their reputation. MySQL is the open source database management system now owned by Oracle. If it’s good enough for Facebook, it’s good enough for you. And PHP is THE web-based programming language that will let you build almost any application using Linux, Apache, and MySQL.

So what’s the big deal? There are thousands of online tutorials that will show you how to build a LAMP server. For long time readers of Nerd Vittles, you already know that the component we continually stress is security. Without that, the rest really doesn’t matter. You’ll be building a platform for someone else to hijack and use for nefarious purposes. When we’re finished today, you’ll have a cloud-based server that is totally invisible to the rest of the world with the exception of its web interface. And we’ll show you a simple way to reduce the exposure of your web interface to some of its most likely attackers. Will it be 100% secure? Nope. If you have a web server on the public Internet, it’s never going to be 100% secure because there’s always the chance of a software bug that nobody has yet discovered and corrected. THAT’S WHAT BACKUPS ARE FOR!

Creating Your Virtual Machine Platform in the Cloud

To get started, you’ve got to plunk down your $10.50 at Cloud at Cost using coupon code TAKE70. Once you’ve paid the piper, they will send you credentials to log into the Cloud at Cost Management Portal. Change your password IMMEDIATELY after logging in. Just go to SETTINGS and follow your nose.


To create your virtual machine, click on the CLOUDPRO button and click Add New Server. If you’ve only purchased the $10.50 CloudPRO 1 platform, then you’ll need all of the available resources shown in the pick list. Leave CentOS 6.7 64bit selected as the OS Type and click Complete. Depending upon the type of special pricing that Cloud at Cost is offering when you sign up, the time to build your virtual machine can take anywhere from a minute to the better part of a day. We’ve learned to build new virtual machines at night, and they’re usually available for use by the next morning. Luckily, this slow performance does not impact existing virtual machines that already are running in their hosting facility.

Initial Configuration of Your CentOS 6.7 Virtual Machine


With a little luck, your virtual machine soon will appear in your Cloud at Cost Management Portal and look something like what’s shown above. The red arrow points to the i button you’ll need to click to decipher the password for your new virtual machine. You’ll need both the IP address and the password for your new virtual machine in order to log into the server which is now up and running with a barebones CentOS 6.7 operating system. Note the yellow caution flag. That’s telling you that Cloud at Cost will automatically shut down your server in a week to save (them) computing resources. You can change the setting to keep your server running 24/7. Click Modify, Change Run Mode, and select Normal – Leave Powered On. Click Continue and OK to save your new settings.


Finally, you’ll want to change the Host Name for your server to something more descriptive than c7…cloudpro.92… Click the Modify button again and click Rename Server to make the change. Your management portal then will show the new server name as shown above.

Logging into Your CentOS 6.7 Virtual Machine

In order to configure and manage your new CentOS 6.7 virtual machine, you’ll need to log into the new server using either SSH or, for Windows users, Putty. After installing Putty, run it and log in to the IP address of your VM with username root and the password you deciphered above. On a Mac, open a Terminal session and issue a command like this using the actual IP address of your new virtual machine:

ssh root@12.34.56.78

Before you do anything else, reset your root password to something very secure: passwd

Installing the LAMP Server Basics with CentOS 6.7

Now we’re ready to build your LAMP server platform. We’ve chopped this up into lots of little steps so we can explain what’s happening as we go along. There’s nothing hard about this, but we want to document the process so you can repeat it at any time. As we go along, just cut-and-paste each clump of code into your SSH or Putty session and review the results to make sure nothing comes unglued. If something does, the beauty of virtual machines is you can delete them instantly within your management portal and just start over whenever you like. So here we go…

We’ll begin by permanently turning off SELINUX which causes more problems than it solves. The first command turns it off instantly. The second line assures that it’ll stay off whenever you reboot your virtual machine.

setenforce 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

Now let’s bring CentOS 6.7 up to current specs and add a few important applications:

yum -y update
yum -y install nano wget expect net-tools dialog git xz
yum -y install kernel-headers
yum -y install kernel-devel
reboot

After reboot, log back in as root. Now we’ll set up your Apache web server and configure it to start whenever you reboot your server:

yum -y install httpd
service httpd start
chkconfig httpd on

Now let’s set up your MySQL server, bring it on line, and make sure it restarts after server reboots. Unless you plan to add Asterisk® and FreePBX® to your server down the road, you’ll want to uncomment the two commands that begin with # by removing the # symbol and replacing new-password with a very secure password for your root user account in MySQL. Be sure to run the last command to secure your server. After logging in, the correct answers are n,Y,Y,Y,Y.

yum -y install mysql mysql-server
service mysqld start
chkconfig mysqld on
#/usr/bin/mysqladmin -u root password 'new-password'
#/usr/bin/mysqladmin -u root -p -h localhost.localdomain password 'new-password'
mysql_secure_installation

Next, we’ll set up PHP and configure it to work with MySQL:

yum -y install php
yum -y install php-mysql
service httpd restart

Finally let’s get SendMail installed and configured. Insert your actual email address in the last line and send yourself a test message to be sure it’s working. Be sure to check your spam folder since the message will show a sender address of localhost which many email systems including Gmail automatically identify as spam.

yum -y install sendmail
rpm -e postfix
service sendmail restart
yum -y install mailx
echo "test" | mail -s testmessage youracctname@yourmailserver.com

Installing Supplemental Repositories for CentOS 6.7

One of the beauties of Linux is not being totally dependent upon CentOS for all of your packaged applications. Let’s add a few other repositories that can be used when you need to add a special package that is not in the CentOS repository. Let’s start with EPEL. We’ll disable it by default and only use it when we need it.

yum -y install http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sed -i 's|enabled=1|enabled=0|' /etc/yum.repos.d/epel.repo

We actually need the EPEL repo to install Fail2Ban for monitoring of attacks on certain Linux services such as SSH:

yum --enablerepo=epel install fail2ban -y
cd /etc
wget http://incrediblepbx.com/fail2ban-lamp.tar.gz
tar zxvf fail2ban-lamp.tar.gz


We also need the EPEL repo to install ipset, a terrific addition to the IPtables Linux firewall that lets you quickly block entire countries from accessing your server:

yum --enablerepo=epel install ipset -y

Next, we’ll add a sample script that documents how the country blocking mechanism works with ipset.[1] For a complete list of countries that can be blocked, go here. If you need a decoder badge to match abbreviations against country names, you’ll find it here. To add other countries, simply edit the shell script and clone lines 4-7 using the names of the countries and country zone files that you wish to add. Be sure to insert the new lines before the commands to restart iptables and fail2ban. This script will need to be run each time your server reboots and before IPtables is brought on line. We’ll handle that a little later.

# Single quotes keep $(...) and $i literal, so they are expanded when the script runs, not when it is written
echo '#!/bin/bash' > /etc/block-china.sh
echo " " >> /etc/block-china.sh
echo "cd /etc" >> /etc/block-china.sh
echo "ipset -N china hash:net" >> /etc/block-china.sh
echo "rm cn.zone" >> /etc/block-china.sh
echo "wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone" >> /etc/block-china.sh
echo 'for i in $(cat /etc/cn.zone ); do ipset -A china $i; done' >> /etc/block-china.sh
echo "service iptables restart" >> /etc/block-china.sh
echo "service fail2ban restart" >> /etc/block-china.sh
chmod +x /etc/block-china.sh
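
A hardened variant of the loading step in the script above, as an added example that is not the article's own script: it validates each line of the zone file, loads the networks into a scratch set and swaps that set into place, so a failed or garbage download never replaces a populated set with an empty one. The function names and the china_new scratch set are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the article's /etc/block-china.sh.
# Builds `ipset restore` input from a country zone file and swaps the new
# set in atomically, so a bad download cannot empty the live set.

# Print only well-formed IPv4 CIDR lines (a.b.c.d/len) from zone file $1.
valid_cidrs() {
    awk '
    {
        sub(/\r$/, "")                          # tolerate CRLF downloads
        if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) next
        split($0, p, "/"); split(p[1], o, "[.]")
        if (p[2] + 0 > 32) next                 # prefix length out of range
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
        print
    }' "$1"
}

# Emit an `ipset restore` script for set $1 from zone file $2.
# Returns 1 and prints nothing when the file holds no valid network.
build_restore() {
    set_name=$1
    zone=$2
    nets=$(valid_cidrs "$zone") || return 1
    [ -n "$nets" ] || return 1
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s_new hash:net\n' "$set_name"
    printf 'flush %s_new\n' "$set_name"
    printf '%s\n' "$nets" | sort -u | sed "s|^|add ${set_name}_new |"
    printf 'swap %s_new %s\n' "$set_name" "$set_name"
    printf 'destroy %s_new\n' "$set_name"
}

# Constructed sample: two networks, one duplicate, three lines to reject.
sample_zone() {
    printf '%s\n' 1.0.1.0/24 1.0.2.0/23 1.0.1.0/24 \
        300.1.1.0/24 10.0.0.0/40 '<html>404</html>'
}

# With "<set> <zonefile>" arguments, print the restore script for that file.
# On the server it would be applied with:
#   build_restore china /etc/cn.zone | ipset -exist restore
# With no arguments, run on the constructed sample.
if [ $# -ge 2 ]; then
    build_restore "$1" "$2"
else
    demo=$(mktemp) && sample_zone > "$demo" && build_restore china "$demo"
    rm -f "$demo"
fi
```

The -exist option makes ipset ignore the error from creating a set that is already there, which is what lets the same script run at boot and on later refreshes.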

Another important repository is REMI. It is especially helpful if you decide to upgrade PHP from the default version 5.3 to one of the newer releases: 5.5 or 5.6. In this case, you’ll want to activate the specific repository to support the release you choose in /etc/yum.repos.d/remi-safe.repo.

yum -y install http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
sed -i 's|enabled=1|enabled=0|' /etc/yum.repos.d/remi-safe.repo

One final repository to have on hand is RPMForge, now renamed RepoForge. We’ll use it in a bit to install a dynamic DNS update utility which you actually won’t need at CloudAtCost since your server is assigned a static IP address. But it’s handy to have in the event you wish to assign a free FQDN to your server anyway.

yum -y install http://incrediblepbx.com/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
sed -i 's|enabled = 1|enabled = 0|' /etc/yum.repos.d/rpmforge.repo

Adding a Few Utilities to Round Out Your LAMP Server Deployment

If you’re like us, you’ll want to test the speed of your Internet connection from time to time. Let’s install a free script that you can run at any time by logging into your server as root and issuing the command: /root/speedtest.py

cd /root
wget https://raw.githubusercontent.com/sivel/speedtest-cli/master/speedtest.py
chmod +x speedtest.py

Next, let’s put in place a simple status display which will quickly tell you what’s running and what’s not. We’ve borrowed some GPL code from Incredible PBX to help you out. Run status-lamp at any time for a snapshot of your server.

cd /usr/local/sbin
wget http://incrediblepbx.com/status-lamp.tar.gz
tar zxvf status-lamp.tar.gz
rm -f status-lamp.tar.gz
sed -i 's|myip.pbxinaflash.com|myip.incrediblepbx.com|' /usr/local/sbin/status-lamp

Now we’ll put the Linux Swiss Army Knife in place. It’s called WebMin, and it provides a GUI to configure almost everything in Linux. Pick up a good WebMin book from your public library to get started. Once installed, you access WebMin from your browser at the IP address of your server on the default port of 10000: https://serverIPaddress:10000. It’s probably a good idea to change this port number and the commented out line shows how to do it with the new port being 9001 in the example. The way in which we typically configure the Linux firewall will block all access to WebMin except from an IP address which you have whitelisted, e.g. your home computer’s public IP address.

cd /root
yum -y install perl perl-Net-SSLeay openssl perl-IO-Tty
yum -y install http://prdownloads.sourceforge.net/webadmin/webmin-1.780-1.noarch.rpm
#sed -i 's|10000|9001|g' /etc/webmin/miniserv.conf
service webmin restart
chkconfig webmin on

Tweaking Your CloudAtCost Setup Improves Performance and Improves Security

Finally, let’s address a couple of CloudAtCost quirks that may cause problems down the road. CloudAtCost has a nasty habit of not cleaning up after itself with fresh installs. The net result is your root password gets reset every time you reboot.

killall plymouthd
echo killall plymouthd >> /etc/rc.local
rm -f /etc/rc3.d/S97*

With the exception of firewall configuration, which is so important that we’re covering it separately below, you now have completed the LAMP server installation. After completing the firewall steps in the next section, simply reboot your server and you’re ready to go.

The Most Important Step: Configuring the Linux IPtables Firewall

RULE #1: DON’T BUILD SERVERS EXPOSED TO THE INTERNET WITHOUT ROCK-SOLID SECURITY!

As installed by CloudAtCost, your server provides ping and SSH access from a remote computer and nothing else. The good news: it’s pretty safe. The bad news: it can’t do anything useful for anybody because all web access to the server is blocked. We want to fix that, tighten up SSH access to restrict it to your IP address, and deploy country blocking to show you how.

As we implement the firewall changes, you need to be extremely careful in your typing so that you don’t accidentally lock yourself out of your own server. A typo in an IP address is all it takes. The good news is that, if you do lock yourself out, you still can gain access via the CloudAtCost Management Portal by clicking the Console button of your virtual machine. Because the console is on the physical machine and the lo interface is whitelisted, you can log in and disable the firewall temporarily: service iptables stop. Then fix the typo and restart the firewall: service iptables start.

First, let’s download the new IPtables config file into your root folder and take a look at it.

cd /root
wget http://incrediblepbx.com/iptables-lamp.tar.gz
tar zxvf iptables-lamp.tar.gz

Now edit the /root/iptables-lamp file by issuing the command: nano -w /root/iptables-lamp

You can scroll up and down through the file with Ctl-V and Ctl-Y. Cursor keys work as well. Once you make changes, save your work: Ctl-X, Y, ENTER. You’re now an expert with the nano text editor, an absolutely essential Linux tool.

Here’s what that file actually looks like:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST              -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,FIN FIN                  -j DROP
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG                  -j DROP
-A INPUT -p tcp -m set --match-set china src                    -j DROP
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -s 12.34.56.78 -j ACCEPT
#-A INPUT -s yourFQDN.dyndns.org -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Reminder: If you add another country to your block-china script, don’t forget to add a corresponding new country entry to your iptables file. See line 17 above that includes the word "china" for the syntax. There’s nothing much else to tweak except the two commented out (brown) lines that begin with #. First, remove the # symbol by moving the cursor to the right of the first one and hitting the backspace/delete key on your keyboard. Replace 12.34.56.78 with the public IP address of the computer from which you will be accessing your virtual machine. If you need multiple entries for multiple computers at different addresses, clone the line by pressing Ctrl-K and then Ctrl-U twice. Yes, we know. Some folks’ IP addresses change from time to time. In the next section, we’ll show you how to set up a Dynamic DNS entry with a utility that will keep track of your current IP address. In this case, uncomment the second commented line and replace yourFQDN.dyndns.org with your dynamic DNS address. Be very careful to assure that your FQDN is always on line. If the firewall cannot resolve your DNS entry when it starts, the IPtables firewall will not start, which means your server will be left unprotected. HINT: IP addresses are much safer because they never have to be resolved.

Once you have your addresses configured, save the file: Ctl-X, Y, ENTER. Then issue the following commands to copy everything into place and restart the firewall.

mv /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
cp -p /root/iptables-lamp /etc/sysconfig/iptables
echo "/etc/block-china.sh" >> /etc/rc.local
/etc/block-china.sh

Always, always, always check to be sure your firewall is functioning: iptables -nL. If you don’t see your desktop computer’s public IP address near the end of the listing, then the firewall is dead. status-lamp should also show IPtables down. Check for an error message which will tell you the problematic line so you can correct it.
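
One way to catch the two start-up failures described above before restarting the firewall, as an added example that is not part of the article's download: it lists every ipset a rules file references with --match-set and every source entry that is a hostname, then checks that each set exists and each name resolves. The function names are assumptions; the live checks rely on ipset list and getent hosts.

```shell
#!/bin/sh
# Added example, not part of the article's download.
# Pre-flight check for an iptables rules file before restarting the firewall.

# ipset names referenced by active (uncommented) rules via --match-set.
rule_sets() {
    awk '/^[ \t]*-A / {
        for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1)
    }' "$1" | sort -u
}

# -s/--source values of active rules that are hostnames rather than
# IPv4 addresses, CIDR blocks or comma-separated lists of them.
rule_fqdns() {
    awk '/^[ \t]*-A / {
        for (i = 1; i < NF; i++)
            if (($i == "-s" || $i == "--source") && $(i + 1) !~ "^[0-9./,]+$")
                print $(i + 1)
    }' "$1" | sort -u
}

# The two live checks are small functions so they can be swapped out.
set_exists()   { ipset list "$1" > /dev/null 2>&1; }
resolve_host() { getent hosts "$1" > /dev/null 2>&1; }

# Report every missing set and unresolvable source; return 1 if any was found.
preflight() {
    rules=$1
    bad=0
    for s in $(rule_sets "$rules"); do
        set_exists "$s" || { echo "missing ipset: $s"; bad=1; }
    done
    for h in $(rule_fqdns "$rules"); do
        resolve_host "$h" || { echo "unresolvable source: $h"; bad=1; }
    done
    return $bad
}

# Constructed sample: lines from the article's file with the FQDN entry
# uncommented and the IP entry left commented out.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m set --match-set china src                    -j DROP
#-A INPUT -s 12.34.56.78 -j ACCEPT
-A INPUT -s yourFQDN.dyndns.org -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# With a rules file argument, run the live checks against it, e.g.
#   preflight /etc/sysconfig/iptables && service iptables restart
# With no argument, show what is extracted from the constructed sample.
if [ $# -gt 0 ]; then
    preflight "$1"
else
    demo=$(mktemp) && sample_rules > "$demo"
    rule_sets "$demo"
    rule_fqdns "$demo"
    rm -f "$demo"
fi
```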

Implementing Dynamic DNS Service on Your Virtual Machine

There are a number of free and paid Dynamic DNS providers. The way this works is you choose a fully-qualified domain name (FQDN) to identify your computer. Then you run a dynamic DNS update utility periodically from that computer. It reports back the current public IP address of your computer and your provider updates the IP address assigned to your FQDN if it has changed. In addition to supporting sites with ever changing IP addresses, it also allows you to permanently assign an FQDN to your computer or server so that it can be accessed without using a cryptic IP address.

If that computer happens to be an Incredible PBX server or a LAMP server that you’ve set up using this tutorial, then the following will get the DNS client update utility loaded using the RPM Forge repository that we previously installed:

yum --enablerepo=rpmforge install ddclient -y

Similar DNS update clients are available for Windows, Mac OS X, and many residential routers. Then it’s just a matter of plugging in the credentials for your dynamic DNS provider and your FQDN. In the case of the CentOS client, the config file is /etc/ddclient/ddclient.conf. Now reboot your server and pick up a good book on Linux to begin your adventure.

Now For Some Fun…

First, let’s check things out and make sure everything is working as it should. With your favorite web browser, visit the IP address of your new server. You should see the default Apache page:

Next, let’s be sure that PHP is working as it should. While still logged into your server as root using SSH or Putty, issue the following commands and make up some file name to replace test4567 in both lines. Be sure to keep the .php file name extension. Note to gurus: Yes, we know the second line below is unnecessary if you remove the space after the less than symbol in the first line. Unfortunately, WordPress forces the space into the display which left us no alternative.

echo "< ?php phpinfo(); ?>" > /var/www/html/test4567.php
sed -i 's|< |<|' /var/www/html/test4567.php

Now jump back to your web browser and access the new page you just created using the IP address of your server and the file name you made up: http://12.34.56.78/test4567.php

The PHPinfo listing will tell you everything you ever wanted to know about your web server setup including all of the PHP functions that have been enabled. That's why you want an obscure file name for the page. You obviously don't want to share that information with every bad guy on the planet. Remember. This is a public-facing web site that anyone on the Internet can access if they know or guess your IP address.

When you're ready to set up your own web site, just name it index.php and store the file in the /var/www/html directory of your server. In the meantime, issuing the following command will assure that anyone accessing your site gets a blank page until you're ready to begin your adventure:

echo " " > /var/www/html/index.php

Ready to learn PHP programming? There's no shortage of books to get you started.

Adding WordPress to Your LAMP Server

Where to begin with WordPress? What used to be a simple platform for bloggers has morphed into an all-purpose tool that makes building virtually any type of web site child's play. If you want to see what's possible, take a look at the templates and sample sites shown on WPZOOM. Unless you're an art major and savvy web designer, this will be the best $70 you ever spent. One of these templates will have your site up and running in minutes once we put the WordPress pieces in place. For the big spenders, $149 will give you access to over 50 gorgeous templates which you can download and use to your heart's content on multiple sites. And, no, your sites don't blow up after a year. You just can't download any additional templates or updates unless you renew your subscription. The other alternative is choose from thousands of templates that are provided across the Internet as well as in the WordPress application itself.

WordPress templates run the gamut from blogs to newsletters to photographer sites to e-commerce to business portfolios to video to travel to magazines to newspapers to education to food to recipes to restaurants and more. Whew! There literally is nothing you can't put together in minutes using a WordPress template. But, before you can begin, we need to get WordPress installed on your server. This is optional, of course. And, if you follow along and add WordPress, we've set it up in such a way that WordPress becomes the primary application for your site. Stated differently, when people use a browser to access your site, your WordPress template will immediately display. When we finish the basic WordPress setup and once you upload an image or two, you'll have a site that looks something like this:

Before you begin, we strongly recommend that you acquire a domain for your site if you plan to use it for anything but experimentation. The reason is that it can be complicated to migrate a WordPress site from one location to another.[2] Once you've acquired your domain, point the domain to the IP address of your new server. With a dirt cheap registrar such as Omnis.com, it's easy:

Now let's get started. To begin, we need to load the WordPress application onto your server:

cd /root
mkdir wordpress
cd wordpress
wget http://wordpress.org/latest.tar.gz
tar -xvzf latest.tar.gz -C /var/www/html

Next, we'll configure MySQL to support WordPress. We're assuming that you have NOT already created root passwords for MySQL. If you have, you'll need to add -pYourPassword to the various commands below immediately after root. There is no space between -p and your root password. Also edit the first line and make up a new password (replacing XYZ below) for the wordpress user account that will manage WordPress on your server before you cut and paste the code:

mysql -u root -e 'CREATE USER wordpress@localhost IDENTIFIED BY "XYZ";'
mysql -u root -e 'CREATE DATABASE wordpress;'
mysql -u root -e 'GRANT ALL ON wordpress.* TO wordpress@localhost;'
mysql -u root -e 'FLUSH PRIVILEGES;'

Next, we need to configure WordPress with your new MySQL credentials. Before you cut and paste, replace XYZ in the fourth line with the password you assigned in the preceding MySQL step:

cp /var/www/html/wordpress/wp-config-sample.php /var/www/html/wordpress/wp-config.php
sed -i 's|database_name_here|wordpress|' /var/www/html/wordpress/wp-config.php
sed -i 's|username_here|wordpress|' /var/www/html/wordpress/wp-config.php
sed -i 's|password_here|XYZ|' /var/www/html/wordpress/wp-config.php
chown -R apache:apache /var/www/html/wordpress

Before you forget, take a moment and create a very secure password for your MySQL root user accounts. Here are the commands. Just replace new-password with your new password before you cut and paste. Note that you also will be prompted for this password when you execute the second command because you will now have a root user password in place from executing the first command.

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -p -h localhost.localdomain password 'new-password'

Finally, we need to modify your Apache web server to support WordPress as the primary application. Be sure to enter your actual email address in the third line before you cut and paste the code below:

echo " " >> /etc/httpd/conf/httpd.conf
echo "" >> /etc/httpd/conf/httpd.conf
echo 'ServerAdmin somebody@somedomain.com' >> /etc/httpd/conf/httpd.conf
echo "DocumentRoot /var/www/html/wordpress" >> /etc/httpd/conf/httpd.conf
echo "ServerName wordpress" >> /etc/httpd/conf/httpd.conf
echo "ErrorLog /var/log/httpd/wordpress-error-log" >> /etc/httpd/conf/httpd.conf
echo "CustomLog /var/log/httpd/wordpress-acces-log common" >> /etc/httpd/conf/httpd.conf
echo "" >> /etc/httpd/conf/httpd.conf
echo " " >> /etc/httpd/conf/httpd.conf
service httpd restart

That should do it. Open a browser and navigate to the IP address of your server. You should be greeted with the following form. Fill in the blanks as desired. The account you're setting up will be the credentials you use to add and modify content on your WordPress site when you click Log In (as shown above). Make the username obscure and the password even more so. Remember, it's a public web site accessible worldwide! When you click Install WordPress, you'll be off to the races.

After your server whirs away for a minute or two, you will be greeted with the WordPress login prompt. With the username and password you entered above, you'll be ready to start configuring your WordPress site.

Once you're logged in, navigate to Appearance -> Themes and click Add New Theme. There you will find literally hundreds of free WordPress templates that can be installed in a matter of seconds if WPZOOM is too rich for your blood. For a terrific all-purpose (free) theme, try Atahualpa. We'll leave our actual demo site running for a bit in case you want to explore and check out its performance. Installing and configuring the new theme took less than a minute:

A Final Word to the Wise. WordPress is relatively secure but new vulnerabilities are discovered regularly. Keep your templates, plug-ins, AND the WordPress application up to date at all times! The WordFence plug-in is a must-have. And we strongly recommend adding the following lines to your WordPress config file which then will let WordPress update everything automatically. Microsoft has given automatic updates a bad name, but in the case of WordPress, they work well.

echo "define('WP_AUTO_UPDATE_CORE', true);" >> /var/www/html/wordpress/wp-config.php
echo "add_filter( 'auto_update_plugin', '__return_true' );" >> /var/www/html/wordpress/wp-config.php
echo "add_filter( 'auto_update_theme', '__return_true' );" >> /var/www/html/wordpress/wp-config.php

Special Thanks: Our special tip of the hat goes to a few web sites that we found helpful in putting this article together especially Unixmen and Matt Wilcox & friends and Programming-Review.


Originally published: Monday, January 25, 2016




  1. It doesn't take long for the probing to begin. So watch your logs, look up the IP addresses to identify the countries, and block them unless you happen to be expecting visitors from that part of the world:
    [Sun Jan 24 00:36:12 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/w00tw00t.at.blackhats.romanian.anti-sec:)
    [Sun Jan 24 00:36:12 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/phpMyAdmin
    [Sun Jan 24 00:36:13 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/phpmyadmin
    [Sun Jan 24 00:36:13 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/pma
    [Sun Jan 24 00:36:13 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/myadmin
    [Sun Jan 24 00:36:14 2016] [error] [client 40.114.202.60] File does not exist: /var/www/html/wordpress/MyAdmin
    [Mon Jan 25 00:29:29 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/w00tw00t.at.blackhats.romanian.anti-sec:)
    [Mon Jan 25 00:29:29 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/phpMyAdmin
    [Mon Jan 25 00:29:29 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/phpmyadmin
    [Mon Jan 25 00:29:30 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/pma
    [Mon Jan 25 00:29:30 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/myadmin
    [Mon Jan 25 00:29:30 2016] [error] [client 137.116.220.182] File does not exist: /var/www/html/wordpress/MyAdmin
  2. Should you ever have to migrate your WordPress site from one domain to another, here are two helpful tools to consider: the Automatic Domain Name Changer Plugin and the one we use, WordPress-Domain-Changer.
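
The log watching suggested in footnote 1, as an added example that is not from the article: it counts admin-panel and scanner probes per client in an Apache 2.2 error log of the format shown there. The function name, the probe-name list (taken from the paths in the footnote) and the threshold are assumptions, and the sample lines are constructed with documentation-range addresses.

```shell
#!/bin/sh
# Added example, not from the article.
# Summarise admin-panel and scanner probes per client from an Apache 2.2
# error log in the format shown in footnote 1.

# Print "<count> <client-ip>" for every client with at least $2 (default 3)
# "File does not exist" errors whose last path component is a known probe name.
probe_clients() {
    awk -v min="${2:-3}" '
    /\[error\] \[client / && /File does not exist: / {
        ip = $0;   sub(/^.*\[client /, "", ip); sub(/\].*$/, "", ip)
        name = $0; sub(/^.*File does not exist: /, "", name)
        sub(/\/+$/, "", name)                   # ignore trailing slashes
        sub(/^.*\//, "", name); name = tolower(name)
        if (name ~ /^(w00tw00t|phpmyadmin|pma|myadmin)/) hits[ip]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample in the footnote format: one scanner sweep and one
# visitor with a single stray request.
sample_log() {
    cat <<'EOF'
[Sun Jan 24 00:36:12 2016] [error] [client 203.0.113.10] File does not exist: /var/www/html/wordpress/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sun Jan 24 00:36:12 2016] [error] [client 203.0.113.10] File does not exist: /var/www/html/wordpress/phpMyAdmin
[Sun Jan 24 00:36:13 2016] [error] [client 203.0.113.10] File does not exist: /var/www/html/wordpress/pma
[Sun Jan 24 00:36:14 2016] [error] [client 203.0.113.10] File does not exist: /var/www/html/wordpress/MyAdmin
[Sun Jan 24 09:02:41 2016] [error] [client 198.51.100.7] File does not exist: /var/www/html/wordpress/favicon.ico
[Sun Jan 24 09:05:03 2016] [error] [client 198.51.100.7] File does not exist: /var/www/html/wordpress/phpmyadmin
EOF
}

# With a log file argument (and optional threshold), report on that file, e.g.
#   probe_clients /var/log/httpd/wordpress-error-log
# With no argument, run on the constructed sample.
if [ $# -gt 0 ]; then
    probe_clients "$@"
else
    demo=$(mktemp) && sample_log > "$demo"
    probe_clients "$demo"
    rm -f "$demo"
fi
```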

Introducing the FUD-Free Firewall for FreePBX Distro and AsteriskNOW

After frequent complaints from our FreePBX® users, we introduced a firewall application for the PBX in a Flash™ and Incredible PBX™ platforms that protected FreePBX resources. That was over 5 years ago. The product became Travelin’ Man™ 3, an IPtables-based WhiteList that totally eliminated access to your Asterisk® server unless a WhiteList entry had been authorized by the administrator. The application was further embellished over the years to facilitate access by remote users. First, we introduced PortKnocker™ for Asterisk® and later we introduced Travelin’ Man 4 to let users call in with a passcode to authorize server access. For the past several years, a preconfigured firewall has been an integral component in what has become the 7-Layer Security Model included in all Incredible PBX builds. TIP: Security is not a new idea for us.

During this evolution, the FreePBX developers introduced their own distribution, the FreePBX Distro™. Conspicuously absent was a functioning firewall. We believed that the shortcoming would be remedied quickly. Hasn’t happened! In the meantime, a number of serious security vulnerabilities arose in the FreePBX product that compromised numerous servers running their distribution because of the absence of a functioning firewall. Digium® recently reintroduced AsteriskNOW™ as a clone of the FreePBX Distro. But still no firewall.

About a month ago, we decided to close the loophole for everyone’s security and develop a firewall for the only FreePBX-based distributions without a firewall, the FreePBX Distro and AsteriskNOW. Last week we began the rollout with a Nerd Vittles article explaining why this was essential, as if an explanation were necessary. Today, you get the GPL code.

Suffice it to say, our article was not well received. The usual Sangoma® players went into Damage Control Mode with what has become a predictable scenario whenever security issues are raised concerning the FreePBX design or vulnerabilities.

Meet The Sangoma 7.

  • The Good Cop: If only you’d purchase Genuine Sangoma Hardware, all of your security problems would disappear
  • The Bad Cop: Enjoy this nice Cup of FUD about your own distro which proves we’re all just alike
  • The Techie Cop: We thought of developing an open source firewall just the other day, and now you’re complaining
  • The Rest of "The Team": Let the Astroturfing Begin… Retweet, favorite, and cheer for the brilliance of My 3 Cops

The Good Cop offered to solve all your security woes if you’d just buy (some more Sangoma) hardware.

The Bad Cop suggested that, with "cookie cutter security, you might as well hand out your password." Just in case you have any doubts about whose approach has stood the test of time, let’s Google the FreePBX Security Vulnerability Track Record.

The Techie Cop claimed we had stolen his 2-day old idea to create an Open Source Firewall. Really?
Earth to Techie Cop: Where have you been for the past five years??

Funny stuff… if it weren’t so damaging to the Asterisk community and those trying to decide whether to put their faith in open source communications software.

Firewall Basics.

We’ve written dozens of articles on Asterisk security and firewall approaches so we won’t repeat all of the information. Here’s what you need to know. Software-based firewalls on Linux servers need to be integrated into the Linux kernel to be secure. IPtables is kernel-based and extremely reliable. Blacklist-based firewall designs, i.e. those that seek to identify the IP addresses of every bad guy on the planet, don’t work very well. Bad guys aren’t stupid. They can do their damage by commandeering a little old lady’s Windows machine so you’re never going to collect all of the necessary "bad" IP addresses. They’re also smart enough to poison the blacklists with Internet resources you need such as DNS servers. So don’t waste your time with blacklists. WhiteLists work very well. You identify the IP addresses and FQDNs of all the Internet sites you need to support and all the SIP providers you wish to use. Nobody else even sees your server on the Internet. If the bad guys can’t see your server, they can’t attack it. Simple as that.

Travelin’ Man 3 WhiteList Tutorial.

Here are the fundamentals of the Travelin’ Man 3 design. We allow access from anybody and everybody on your private LAN. They still need a password to access FreePBX or to gain root access, but they can "see" your server. Private LAN addresses are non-routable over the Internet, which means the bad guys can’t access your 192.168.0.4 IP address if you’re sitting behind a NAT-based hardware firewall. All of your internal phones will work with no firewall modifications. You may need to adjust these settings if you’re using a Cloud resource such as Amazon. Cloud providers actually route these otherwise non-routable IP addresses, which would leave your server vulnerable unless you remove these entries (especially the 172 subnet for Amazon):

#-A INPUT -s 10.0.0.0/8 -j ACCEPT
#-A INPUT -s 172.16.0.0/12 -j ACCEPT
#-A INPUT -s 192.168.0.0/16 -j ACCEPT

Travelin’ Man 3 also authorizes access for certain mandatory services that are needed to keep your server operating properly. In addition, during installation, Travelin’ Man 3 whitelists localhost and the public and private IP addresses of your server as well as your PC or workstation. You obviously don’t want to lock yourself out of your own server.

As of today, Travelin’ Man 3 is primarily an IPv4 whitelist toolkit. IPv6 addresses are only supported to allow localhost access to your server. Any other IPv6 addresses must be added manually in /etc/sysconfig/ip6tables. We recommend not using FQDNs with IPv6 for the time being. And always restart IP6tables after adding new entries: service ip6tables restart.

You have the option of enabling the Incredible PBX collection of IP addresses used by many of the leading SIP providers around the world. Just run the enable-trusted-providers script in /root. The list of included providers is available here. You also have the option of adding (whitelisting) or deleting users’ and providers’ IP addresses and FQDNs yourself. Use the included scripts in the /root folder: add-ip, add-fqdn, and del-acct. For each account you set up, you get to define which access permission or combination of permissions will be available:

0 – ALL Services
1 – SIP (UDP)
2 – SIP (TCP)
3 – IAX
4 – Web
5 – WebMin
6 – FTP
7 – TFTP
8 – SSH
9 – FOP

Once you have made your selection, a user account will be created in /root with the name of the account and an extension of .iptables. Do NOT delete these files. They keep track of current IP addresses and accounts authorized for server access.

If you have remote users on the Internet, e.g. traveling salespeople, you can individually authorize access for them using a dynamic FQDN (add-fqdn) coupled with a dynamic DNS server that keeps IP addresses current as folks move around. Just load a dynamic DNS updater on their smartphone. Then plug the user entries into the included ipchecker script and execute a cron job on your server every few minutes to keep the FQDN entries refreshed. Simple.

echo "*/10 * * * * root /root/ipchecker > /dev/null 2>&1" >> /etc/crontab

IPtables does not directly support FQDN rules through the kernel. However, IPtables lets you configure your firewall rules using FQDNs, which get translated into IP addresses whenever IPtables is restarted. The gotcha here is that, if an FQDN is not resolvable, IPtables fails to load, and you’re left with a vulnerable server. Travelin’ Man 3 takes care of this by employing a special restart script that temporarily disables entries whose FQDNs cannot be resolved.

The moral of the story:

ALWAYS USE iptables-restart TO RELOAD IPTABLES OR YOUR SERVER MAY END UP WITH NO FIREWALL!
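
The failure mode described above can be caught before a reload. This added example is not the Travelin’ Man 3 iptables-restart script (the page does not show it): it reads a rules file in iptables-restore format and writes a copy in which every rule that names an unresolvable host is commented out. The function names, the #UNRESOLVED marker and the sample hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for hostnames in an iptables rules file.
# NOT the Travelin' Man 3 iptables-restart script. Function names, the
# #UNRESOLVED marker and the sample hostnames are assumptions.

# resolve_host NAME: succeeds if NAME currently resolves to an address.
resolve_host() {
    getent hosts "$1" >/dev/null 2>&1
}

# is_literal ADDR: succeeds if ADDR holds only digits, dots and a slash,
# i.e. an IPv4 address or CIDR block rather than a hostname.
is_literal() {
    case "$1" in
        *[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# first_unresolved RULE: prints the first -s/-d hostname in RULE that does
# not resolve; prints nothing if every address is usable. The body runs in
# a subshell so "set -f" and the loop variables stay local.
first_unresolved() (
    set -f                                  # no globbing while word-splitting
    prev=""
    for word in $1; do
        case "$prev" in
            -s|--source|--src|-d|--destination|--dst)
                # iptables accepts comma-separated address lists
                for host in $(printf '%s' "$word" | tr ',' ' '); do
                    if ! is_literal "$host" && ! resolve_host "$host"; then
                        printf '%s\n' "$host"
                        exit 0
                    fi
                done ;;
        esac
        prev="$word"
    done
)

# sanitize_rules IN OUT: copies IN to OUT with every rule that names an
# unresolvable host commented out. Prints the disabled hostnames, one per
# line, and returns 1 if any rule was disabled (0 otherwise).
sanitize_rules() {
    in_file="$1"; out_file="$2"; disabled=0
    : > "$out_file"
    while IFS= read -r line || [ -n "$line" ]; do
        bad=""
        case "$line" in
            -A*|-I*) bad=$(first_unresolved "$line") ;;
        esac
        if [ -n "$bad" ]; then
            printf '#UNRESOLVED(%s)# %s\n' "$bad" "$line" >> "$out_file"
            printf '%s\n' "$bad"
            disabled=1
        else
            printf '%s\n' "$line" >> "$out_file"
        fi
    done < "$in_file"
    return "$disabled"
}

# Constructed sample in iptables-restore format; the hostnames are made up.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s sip.provider.example -p udp --dport 5060 -j ACCEPT
-A INPUT -s roadwarrior.dyn.example,10.1.2.3 -p udp --dport 5060 -j ACCEPT
COMMIT
EOF
}

# Usage: sh preflight.sh RULES_IN RULES_OUT
if [ "$#" -eq 2 ]; then
    sanitize_rules "$1" "$2" || echo "rules disabled; review $2 before loading" >&2
fi
```

The checked copy keeps the same line count as the input, so a disabled rule can be restored by removing its marker once the name resolves again.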

We’ve also included support for a neat little trick that lets you whitelist remote SIP access to your server using a special FQDN. No further firewall adjustments are necessary. This is supported on most platforms except OpenVZ containers. The way this works is you first assign an obscure FQDN to your server’s IP address. It needs to be obscure because anyone with the FQDN gains SIP access to your server. But chances are pretty good that the bad guys will have a hard time figuring out that xq356jq.dyndns.org points to your server. You then can embed this FQDN in the SIP phone credentials for all of your remote users. The final step is to uncomment the last few lines in /etc/sysconfig/iptables after plugging in your obscure FQDN. Then restart IPtables: iptables-restart.

-A INPUT -p udp --dport 5060:5061 -m string --string "REGISTER sip:xq356jq.dyndns.org" --algo bm -j ACCEPT
-A INPUT -p udp --dport 5060:5061 -m string --string "REGISTER sip:" --algo bm -j DROP
-A INPUT -p udp --dport 5060:5061 -m string --string "OPTIONS sip:" --algo bm -j DROP

Finally, a word of caution about deploying Travelin’ Man 3 on the FreePBX Distro and AsteriskNOW platforms. We currently don’t have a vehicle in place to push security updates out to you as we do with Incredible PBX. This means you will have to remain vigilant to what’s happening in the telecommunications world and load updates yourself. You can stay current in a number of ways. We will post updates to this article in comments below so you can simply check back here periodically. An easier way to keep up with the latest security alerts and updates is to subscribe to the PBX in a Flash RSS Feed. This can be added to the FreePBX Status page by editing RSS Feeds in Settings -> Advanced Settings and adding:

http://pbxinaflash.com/rssfeed.xml

As you can see, there’s nothing "cookie cutter" about Travelin’ Man 3. It’s totally customizable to meet your own unique requirements. All we have done is tame IPtables and eliminate much of its complexity so that you can get a functional firewall up and running quickly. Now it’s deployment time!

Installing Travelin’ Man 3 for the FreePBX Distro & AsteriskNOW.

Log into your server as root from a desktop PC using SSH or Putty. This assures that you will have access from a device other than the console when you are finished. Then issue the following commands:

cd /root
wget http://incrediblepbx.com/tm3-firewall.tar.gz
tar zxvf tm3-firewall.tar.gz
./enable-iptables-whitelist

If you wish to enable the Incredible PBX trusted providers whitelist, issue the following command:

./enable-trusted-providers

ALWAYS use the following command to start or restart IPtables:

iptables-restart

NEVER use the following syntax with Travelin’ Man 3:

service iptables...

CHECK the status of your server at any time:

/root/status


The GPL Is NOT Dead: Coming Soon to FreePBX Distro and AsteriskNOW…

Stay tuned for Incredible PBX GUI, all of the GPL modules you know and love with NO NAGWARE and NO GOTCHAS. This also will assist users that got duped by the Sangoma offer to convert PBX in a Flash into a proprietary FreePBX Distro. After reading the Sangoma disclaimer about the script being donated by an anonymous user, ask yourself this question. When was the last time Sangoma republished code that they did not own or create themselves? Try NEVER.


Originally published: Monday, August 10, 2015


Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




Firewalls 101: Why Every Asterisk Server Should Have a Functioning Firewall


Part of our fundamental disagreement with the FreePBX® design can be summed up in one word: FIREWALL, or the lack of a functioning firewall in the FreePBX Distro and in the functionally identical Digium product, AsteriskNOW®.[1] Most of the other design choices, including the controversial, non-GPL compliant Module Signature Checking mechanism, are touted as failsafe ways to detect altered systems even though FreePBX MySQL tables and Asterisk config files can be modified easily without triggering alerts. In short, the Band-Aid® approach to module tampering does nothing to address the fundamental problem: prevention of unauthorized intrusions in the first place.

Some would contend that the included Fail2Ban product is specifically designed to prevent unauthorized intrusions by locking out the bad guys after a certain number of failed login attempts. Assuming Fail2Ban were functioning properly, which does not appear to be the case, putting all your eggs in the Fail2Ban basket also ignores several critical shortcomings in Fail2Ban. First, it has been documented that powerful servers such as Amazon EC2 and Twitter botnets give hackers almost unlimited intrusion attempts before Fail2Ban ever gets a time slice sufficient to scan logs for intrusion attempts. Second, Fail2Ban provides no protection against stealthy distributed bruteforcing activity. For example, if a botnet with 770,000 PCs attacked your server and each PC executed only two login attempts, Fail2Ban never gets triggered even assuming your server could handle the load and Fail2Ban got sufficient server resources to actually scan your logs. Finally, Fail2Ban provides no protection against Zero Day vulnerabilities where an intruder basically walks right into your server because of an unidentified vulnerability lurking in the existing code. Unfortunately, these are not hypothetical situations but regular occurrences over the past 10 years of Asterisk and FreePBX development. In a nutshell, that’s why you need a real firewall. It completely blocks all access to your server by unauthorized users all of the time.
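
The distributed case is easy to see in the logs once failures are counted across sources rather than per source. This added example (not part of Fail2Ban or the original article) buckets failed SIP registrations by hour and source, then reports the sources that stay under a per-source limit. The log lines are constructed in the chan_sip "Registration from ... failed for" style, and the function names and thresholds are assumptions.

```shell
#!/bin/sh
# Added example: count failed SIP registrations per source and per hour to
# expose low-and-slow distributed guessing that a per-source limit misses.
# Function names, thresholds and the sample log are assumptions.

# failures_by_source LOG: prints "HOUR SOURCE_IP COUNT", one line per bucket.
failures_by_source() {
    awk -F"'" '
        /Registration from/ && / failed for / {
            hour = substr($1, 2, 10) "T" substr($1, 13, 2)   # 2015-08-03T10
            split($4, hostport, ":")                         # IP:port -> IP
            count[hour " " hostport[1]]++
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# summarize LOG MAXRETRY: one line per hour giving the sources that reached
# MAXRETRY (a per-source ban would catch them) and those that stayed under it.
summarize() {
    failures_by_source "$1" | awk -v max="$2" '
        {
            seen[$1] = 1
            if ($3 >= max) banned[$1]++; else { quiet[$1]++; quiet_fail[$1] += $3 }
        }
        END {
            for (h in seen) printf "%s banned=%d quiet_sources=%d quiet_failures=%d\n", h, banned[h], quiet[h], quiet_fail[h]
        }
    ' | sort
}

# distributed_alert LOG MAXRETRY MIN_SOURCES: prints each hour in which at
# least MIN_SOURCES distinct sources failed while staying under MAXRETRY.
# Returns 0 if any such hour exists, 1 otherwise.
distributed_alert() {
    hits=$(summarize "$1" "$2" | awk -v min="$3" '
        { split($3, kv, "="); if (kv[2] + 0 >= min + 0) print $1 }')
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# fail_line HH:MM:SS SOURCE_IP: one constructed failed-registration line.
fail_line() {
    printf "[2015-08-03 %s] NOTICE[2345] chan_sip.c: Registration from '\"701\" <sip:701@198.51.100.10>' failed for '%s:5060' - Wrong password\n" "$1" "$2"
}

# Constructed sample: 40 sources with 2 failures each, one noisy source
# with 6 failures, and one unrelated line that must be ignored.
sample_log() {
    i=1
    while [ "$i" -le 40 ]; do
        fail_line "$(printf '10:%02d:01' "$i")" "203.0.113.$i"
        fail_line "$(printf '10:%02d:31' "$i")" "203.0.113.$i"
        i=$((i + 1))
    done
    for s in 1 2 3 4 5 6; do
        fail_line "10:45:0$s" "192.0.2.50"
    done
    printf '%s\n' "[2015-08-03 10:50:00] VERBOSE[2345] chan_sip.c: Registered SIP '701' at 192.168.0.20:5060"
}

# Usage: sh sipfail.sh LOGFILE [MAXRETRY]
if [ "$#" -ge 1 ]; then
    summarize "$1" "${2:-5}"
fi
```

With a per-source limit of 5, the sample yields one bannable source and 80 failures from 40 sources that never reach the limit.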

Numerous companies have intentionally exposed Asterisk® servers to the public Internet in a continuing effort to identify problems before they affect "real servers." We know of no similar efforts with a platform that includes FreePBX as an integral component of the server. Why? Because the potential for Zero Day Vulnerabilities in a platform of modular design is enormous. One vulnerable component in FreePBX and the entire house of cards collapses because of the blank check server access that a compromised FreePBX asterisk user account gives to an intruder. It’s the fundamental reason that services such as Apache were engineered to run with different user credentials than a root user in the real world. In essence, the current FreePBX design with Asterisk has elevated asterisk user credentials to allow root-like access to almost every server file and function with the exception of SSH access. And SSH access becomes all but unnecessary given the scope of the GUI functionality provided within FreePBX and the escalated privileges it enjoys.

On FreePBX-based Asterisk servers, the absence of any user account separation means Asterisk, Apache, and FreePBX services all operate under the single asterisk user account. If any piece collapses due to a vulnerability, the intruder gets the keys to the castle including read/write access to Asterisk and FreePBX manager credentials and config files as well as broad MySQL access. This, in turn, exposes your VoIP account credentials in addition to facilitating SQL injection into any and all FreePBX database tables. Because FreePBX "hides" numerous settings in over a hundred MySQL tables, the Asterisk DB, and dozens of Asterisk config files, once the asterisk user account access is compromised, many of the major components on your server could be cleverly reconfigured without leaving much of a hint that your server had been compromised. In fact, VoIP account credentials could be extracted and used elsewhere with no traceable footprint back to your server. For all you would know, your provider compromised your credentials rather than the other way around. Just another reminder that keeping a credit card on file for automatic replenishment with VoIP providers is a very bad idea!

Providing the asterisk user with these broad permissions was a (poor) design choice. Why was it done? To make it easy for the developers to alter virtually everything on your Asterisk server using FreePBX’s integrated Module Admin component. Root user permissions are never required to do much of anything other than server platform upgrades once the FreePBX Distro or AsteriskNOW product is installed. That’s exactly the design one would expect to find in a commercial, closed source software platform. But it’s unusual in the open source community to put it charitably. We trust we’ve made the case why a rock-solid firewall with any product that uses FreePBX modules is absolutely essential. FreePBX is a wonderful GUI, but use of the platform without a properly configured, fully functional firewall could be financially catastrophic not to mention the serious damage it could cause to others including the good reputation of Asterisk in the Internet community.


Our objective next week will be to help you implement a functioning Linux-based software firewall on the FreePBX Distro and AsteriskNOW platforms. It’s FREE! Not only will this improve the security of your server, but it will deny the bad guys a platform from which to launch mischievous acts against the rest of us. Unless you’re running Asterisk on a Cloud-based platform, do all of us a favor NOW! Run, don’t walk, to your nearest electronics store (including WalMart and BestBuy) and purchase one of the dozens of inexpensive NAT-based routers. Install it between the Internet and your server TODAY! This is the one we use, but there are plenty from which to choose including our refurbished one.[2]


NEWS FLASH:
Download the new FUD-Free Firewall for FreePBX Distro and AsteriskNOW.

Originally published: Monday, August 3, 2015



  1. Technically, IPtables is running on the FreePBX Distro and AsteriskNOW platforms; however, its sole function is to act as the shutdown mechanism for Fail2Ban-detected breaches. It does not independently examine packets. There is no functioning iptables config file. From our vantage point, serving as the Fail2Ban traffic cop doesn’t qualify as a functioning firewall since it lacks any of the traditional IPtables rules that manage PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING of packets.
  2. Where prices are competitive or availability is a factor, we often recommend Amazon because Amazon provides financial support to Nerd Vittles through our referral links. We encourage everyone to shop independently and purchase products from suppliers that best meet your own requirements.

Introducing Incredible PBX 13-12 with Incredible GUI for the Ubuntu 14 Platform


Two months ago we turned the page on Asterisk® GUIs by introducing a new GUI that hopefully provides the best of both worlds. It preserves the GPL components of the FreePBX® product that many of us have nurtured for almost a decade while removing the commercial pieces that have introduced some friction into the equation for users and companies that simply wished to deploy or redistribute a graphical user interface for Asterisk in accordance with the free GPL licenses under which the product and its components were licensed. We followed up by opening up the cloud component which serves as the lynchpin for GPL module administration within the GUI itself. We remain hopeful that these two tweaks will encourage Sangoma, the new owner of the FreePBX project, to do the right thing and get the non-commercial pieces of the project back on the right track moving forward. As we’ve stressed all along, we do not want to tarnish the incredibly hard work that dozens of developers in the open source community have poured into both of these projects over the past decade. We continue to be amazed at what they’ve been able to achieve, and we salute their accomplishments. The Asterisk 12 and 13 revolution never would have happened without the contributions of the FreePBX development team. We think the new Incredible PBX GUI stands as a testament to what can be accomplished while preserving the true spirit of open source development and the terms of the GPL licenses under which this product and its numerous modules are licensed.

Today we take the next step in the journey with release of a production-ready version of Asterisk 13 LTS for the Ubuntu 14 platform. It has all the bells and whistles to which you have become accustomed including Incredible Fax featuring HylaFax and AvantFax. It also includes literally dozens of turnkey applications that show off the very best features of Asterisk. In addition to Incredible PBX, you also gain unfettered access to our new GPL repository to maintain release 12 of the GUI. No strings, no gotchas, and no murky licenses. Pure GPL in Plain View!

Why Not Use FreePBX 13? Glad you asked. Despite the freepbx.org facelift[1] and the eternal message that "The ‘Free’ Stands for Freedom," it turns out the business practices haven’t changed much since the Sangoma takeover. If your idea of "freedom" is a closed source VoIP platform with no way to emulate the repository used to manage and upgrade the "GPL" components in FreePBX 13 and no way to install the FreePBX 13 GUI or its "GPL" components other than switching to the proprietary FreePBX Distro, then FreePBX 13 may be just the ticket. If you’d prefer a RealGPL platform that lets you choose which components you’d like on your server, then keep reading. And drop the Sangoma and Digium honchos a note and let them know how you feel about FREEDOM.

William J. Wignall, President and CEO
Sangoma Technologies
100 Renfrew Drive, Suite 100
Markham ON L3R 9R6 CANADA

Danny Windham, CEO
Digium, Inc.
445 Jan Davis Drive Northwest
Huntsville, AL 35806 USA

Mark Spencer, Founder and CTO
Digium, Inc.
445 Jan Davis Drive Northwest
Huntsville, AL 35806 USA

Update: A GPL release of FreePBX 13 beta miraculously appeared shortly after publication of this article. Still no GPL repository is available that is compatible with the integrated Admin Module component of the product.

Building an Ubuntu 14.04 Platform for Incredible PBX

As a result of the trademark and copyright morass, we’ve steered away from the bundled operating system in favor of a methodology that relies upon you to put in place the operating system platform on which to run PBX in a Flash or Incredible PBX. The good news is it’s easy! With many cloud-based providers[2], you can simply click a button to choose your favorite OS flavor and within minutes, you’re ready to go. With many virtual machine platforms such as VirtualBox, it’s equally simple to find a pre-built Ubuntu 14.04 image or roll your own.

If you’re new to VoIP or to Nerd Vittles, here’s our best piece of advice. Don’t take our word for anything! Try it for yourself in the Cloud! You can build an Ubuntu 14.04 image on Digital Ocean in under one minute and install today’s Incredible PBX for Ubuntu 14.04 in about 15 minutes. Then try it out for two full months. It won’t cost you a dime. Use our referral link to sign up for an account. Enter a valid credit card to verify you’re who you say you are. Create an Ubuntu 14.04 (not 14.10!) 512MB droplet of the cheapest flavor ($5/mo.). Go to the Billing section of the site, and enter the following promo code: UBUNTUDROPLET. That’s all there is to it. A $10 credit will be added to your account, and you can play to your heart’s content. Delete droplets, add droplets, and enjoy the free ride!

For today, we’ll walk you through building your own stand-alone server using the Ubuntu 14.04 mini.iso. If you’re using Digital Ocean in the Cloud, skip down to Installing Incredible PBX 13-12 (HINT: 13 tells you the Asterisk release and 12 tells you the GUI release). If you’re using your own hardware, to get started, download the 64-bit Ubuntu 14.04 "Trusty Tahr" Minimal ISO from here. Yes, the 32-bit platform is also supported. Now burn the ISO to a CD/DVD or thumb drive and boot your dedicated server from the image. Remember, you’ll be reformatting the drive in your server so pick a machine you don’t need for other purposes.

For those that would prefer to build your Ubuntu 14.04 Wonder Machine using VirtualBox on any Windows, Mac, or existing Linux Desktop, here are the simple steps. Create a new virtual machine specifying the 64-bit version of Ubuntu. Allocate 1024MB of RAM (512MB also works fine with a swap file) and at least 20GB of disk space using the default hard drive setup in all three steps. In Settings, click System and check Enable I/O APIC and uncheck Hardware Clock in UTC Time. Click Audio and Specify then Enable your sound card. Click Network and Enable Network Adapter for Adapter 1 and choose Bridged Adapter. Finally, in Storage, add the Ubuntu 14.04 mini.iso to your VirtualBox Storage Tree as shown below. Then click OK and start up your new virtual machine. Simple!


Here are the steps to get Ubuntu 14.04 humming on your new server or virtual machine once you’ve booted up. If you can bake cookies from a recipe, you can do this:

UBUNTU mini.iso install:
Choose language
Choose timezone
Detect keyboard
Hostname: incrediblepbx < continue >
Choose mirror for downloads
Confirm archive mirror
Leave proxy blank unless you need it
< continue >
** couple minutes of whirring as initial components are loaded **
New user name: incredible
< continue >
Account username: incredible
< continue >
Account password: makeitsecure
< continue >
Encrypt home directory < no >
Confirm time zone < yes >
Partition disks: Guided - use entire disk and set up LVM
Confirm disk to partition
Write changes to disks and configure LVM
Whole volume? < continue >
Write changes to disks < yes > <-- last chance to preserve your disk drive!
** about 15 minutes of whirring during base system install ** < no touchy anything >
** another 5 minutes of whirring during base software install ** < no touchy anything >
Upgrades? Install security updates automatically
** another 5 minutes of whirring during more software installs ** < no touchy anything >
Software selection: *Basic Ubuntu server (only!)
** another couple minutes of whirring during software installs ** < no touchy anything >
Grub boot loader: < yes >
UTC for system clock: < no >
Installation complete: < continue > after removing installation media
** on VirtualBox, PowerOff after reboot and remove [-] mini.iso from Storage Tree & restart VM
login as user: incredible
** enter user incredible's password **
sudo passwd
** enter incredible password again and then create secure root user password **
su root
** enter root password **
apt-get update
apt-get install ssh -y
sed -i 's|without-password|yes|' /etc/ssh/sshd_config
sed -i 's|yes"|without-password"|' /etc/ssh/sshd_config
sed -i 's|"quiet"|"quiet text"|' /etc/default/grub
update-grub
ifconfig
** write down the IP address of your server from ifconfig results
reboot
** login via SSH to continue **

Installing Incredible PBX 13-12 on Your Ubuntu 14.04 Server

Adding Incredible PBX 13-12 to a running Ubuntu 14.04 server is a walk in the park. To restate the obvious, your server needs a reliable Internet connection to proceed. Using SSH (or Putty on a Windows machine), log into your new server as root at the IP address you deciphered in the ifconfig step at the end of the Ubuntu install procedure above. First, make sure to run the update step for Ubuntu below before you begin the install. This is especially important if you’re using a cloud-based Ubuntu 14 server.

ALERT: Ubuntu has introduced a new MySQL bug in their June, 2016 upgrade. Do NOT run apt-get upgrade, or Incredible PBX installation will fail.

apt-get update && touch /root/COPYING

WARNING: If you’re using a 512MB droplet at Digital Ocean, be advised that the DO Ubuntu setup does NOT include a swap file. This may cause serious problems when you run out of RAM. Uncomment ./create-swapfile-DO line below to create a 1GB swap file which will be activated whenever you exceed 90% RAM usage on Digital Ocean.

Now let’s begin the Incredible PBX 13-12 install. Log back in as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/incrediblepbx13-12.2-ubuntu14.tar.gz
tar zxvf incrediblepbx*
apt-get install dialog
#./create-swapfile-DO
./Incredible*

Once you have agreed to the license agreement and terms of use, press Enter and go have a 30-minute cup of coffee. The Incredible PBX installer runs unattended so find something to do for a bit unless you just like watching code compile. When you see "Have a nice day", your installation is complete. Hit the Enter key to reboot the server unless you need to add additional entries to your firewall whitelist.

Once the server restarts, log back in as root and you should be greeted with a status display that looks something like this after the Automatic Update Utility runs:


Assuming you’ve already created a very secure root password (update it by running passwd), perform the following 5 Steps to get everything locked down:

  1. Create an admin password for GUI access: /root/admin-pw-change
  2. Create an admin password for Apache web access: htpasswd /etc/pbx/wwwpasswd admin
  3. Configure the correct timezone for your server: /root/timezone-setup
  4. Retrieve your PortKnocker setup like this: cat /root/knock.FAQ
  5. Add IPtables WhiteList entries for remote access: /root/add-ip or /root/add-fqdn

Incredible PBX includes an automatic update utility which downloads important updates whenever you log into your server as root. We recommend you log in once a week to keep your server current. Now would be a good time to log out and back into your server at the Linux command line to bring your server up to current specs.

You can access the Incredible PBX GUI using your favorite web browser to configure your server. Just enter the IP address shown in the status display.


When the Kennonsoft menu (shown above) appears, click on the User tab to open the Admin menu. Then click on Incredible GUI Administration to access the Incredible PBX GUI. The default username is admin with the password you created above. Now edit extension 701 so you can figure out (or change) the randomized passwords that were set up for default 701 extension and voicemail: Applications -> Extensions -> 701.


Setting Up a Soft Phone to Use with Incredible PBX

Now you’re ready to set up a telephone so that you can play with Incredible PBX. We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You’ll need the IP address of your server plus your extension 701 password. Choose Settings -> Accounts and click the New button. Fill in the blanks using the IP address of your server, 701 for your account name, and whatever password you created for the extension. Click OK.


Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. You can dial a few of these to get started or, better yet, take Allison’s Incredible PBX IVR for a spin by dialing D-E-M-O (3366). NOTE: The Voice Recognition options will not work until you first enter your credentials (covered below).

123 - Reminders
222 - ODBC Demo (use acct: 12345)
947 - Weather by ZIP Code
951 - Yahoo News
*61 - Time of Day
*68 - Wakeup Call
TODAY - Today in History

The next step is establishing an interface on your PBX to connect to the telephones in the rest of the world. If you live in the U.S., the easiest way (at least for now) is to use an existing (free) Google Voice account. Google has threatened to shut this down but as this is written, it still works with previously set up Google Voice accounts. The more desirable long-term solution is to choose several SIP providers and set up redundant trunks for your incoming and outbound calls. The PIAF Forum includes dozens of recommendations to get you started.


Incredible PBX Wholesale Providers Access

Nerd Vittles has negotiated a special offer that gives you instant access to 300+ wholesale carriers around the globe. In lieu of paying the $650 annual fee for the service, a 13% wholesale surcharge is assessed to cover operational costs of TelecomsXchange. In addition, TelecomsXchange has generously offered to contribute a portion of the surcharge to support the Incredible PBX open source project. See this Nerd Vittles tutorial for installation instructions and signup details.

Configuring Google Voice

If you want to use Google Voice, you’ll need a dedicated Google Voice account to support Incredible PBX. If you want to use the inbound fax capabilities of Incredible Fax 11, then you’ll need an additional Google Voice line that can be routed to the FAX custom destination using the GUI. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now. So keep this account a secret!

We’ve tested this extensively using an existing Google Voice account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Use a previously configured and dedicated Gmail and Google Voice account, and use it exclusively with Incredible PBX 11.

IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for The Incredible PBX to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you’re probably out of luck. Google has disabled the option in newly created accounts as well as some old ones that had Google Chat disabled. Now go back to the Google Voice Settings.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF
  • Call Options (Enable Recording): OFF
  • Global Spam Filtering: ON

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

UPDATE: Google has improved things… again. You may not see the options documented above at all. Instead, you may be presented with the new Google Voice interface which does not include the Google Chat option. But fear not. At least for now there’s still a way to get there. After you have set up your new phone number, click on (1) Settings -> Phone Numbers and then click (2) Transfer (as shown below). That brings back the old UI. Make sure the Google Chat option is selected and disable forwarding calls to the default phone number.



One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work!

Now you’re ready to set up your Google Voice trunk in the GUI. After logging in with your browser, click the Connectivity tab and choose Google Voice/Motif. To Add a new Google Voice account, just fill out the form. Do NOT check the third box or incoming calls will never ring!


IMPORTANT LAST STEP: Google Voice will not work unless you restart Asterisk from the Linux command line at this juncture. Using SSH, log into your server as root and issue the following command: amportal restart.

If you have trouble getting Google Voice to work (especially if you have previously used your Google Voice account from a different IP address), try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

And here’s another way to access Google Voice securely using an inexpensive commercial SIP gateway:

Troubleshooting Audio and DTMF Problems

You can avoid one-way audio on calls and touchtones that don’t work by entering these simple settings in the GUI: Settings -> Asterisk SIP Settings. Just plug in your public IP address and your private IP subnet. Then set ULAW as the only Audio Codec.


Adding Voice Recognition to Incredible PBX

To support many of our applications, Incredible PBX has included Google’s speech recognition service for years. These applications include Weather Reports by City (949), AsteriDex Voice Dialing by Name (411), and Wolfram Alpha for Asterisk (4747), all of which use Lefteris Zafiris’ terrific speech-recog AGI script. Unfortunately (for some), Google now has tightened up the terms of use for their free speech recognition service. Now you can only use it for "personal and development use." If you meet those criteria, keep reading. Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

Now you’re ready to try out the speech recognition apps. Dial 949 and say the name of a city and state/province/country to get a current weather forecast from Yahoo. Dial 411 and say "American Airlines" to be connected to American.

To use Wolfram Alpha by phone, you first must install it. Obtain your free Wolfram Alpha APP-ID here. Then run the one-click installer: /root/wolfram/wolframalpha-oneclick.sh. Insert your APP-ID when prompted. Now dial 4747 to access Wolfram Alpha by phone and enter your query, e.g. "What planes are overhead." Read the Nerd Vittles tutorial for additional examples and tips.

A Few Words about the Incredible PBX Security Model for Ubuntu

Incredible PBX for Ubuntu 14 is a very secure, turnkey PBX implementation. As configured, your server is protected by both Fail2Ban and a hardened configuration of the IPtables Linux firewall. Nobody can access your PBX without your credentials AND an IP address that is either on your private network or that matches the IP address of your server or the PC from which you installed Incredible PBX. Incredible PBX is preconfigured to let you connect to many of the leading SIP hosting providers without additional firewall tweaking.

You can whitelist additional IP addresses for remote access in several ways. First, you can use the command-line utilities: /root/add-ip and /root/add-fqdn. You can also remove whitelisted IP addresses by running /root/del-acct. Second, you can dial into extension 864 (or use a DID pointed to extension 864 aka TM4) and enter an IP address to whitelist. Before Travelin’ Man 4 will work, you’ll need to add credentials for each caller using the tools in /root/tm4. You must add at least one account before dial-in whitelisting will be enabled. Third, you can temporarily whitelist an IP address by successfully executing the PortKnocker 3-knock code established for your server. You’ll find the details and the codes in /root/knock.FAQ. Be advised that IP addresses whitelisted with PortKnocker (only!) go away whenever your server is rebooted or the IPtables firewall is restarted. For further information on the PortKnocker technology and available clients for iOS and Android devices, review the Nerd Vittles tutorial.

HINT: Storing your PortKnocker codes in a safe place is essential because they may be your only available way to gain access to your server if your IP address changes. You obviously can’t use the command-line tools to whitelist a new IP address if you cannot gain access to your server at the new IP address.

We always recommend you also add an extra layer of protection by running your server behind a hardware-based firewall with no Internet port exposure, but that’s your call. If you use a hardware-based firewall, be sure to map the three PortKnocker ports to the internal IP address of your server!
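Because PortKnocker whitelist entries live only in the running firewall, it helps to see which addresses currently have access but are not in the permanent rule set. The script below is an added example, not part of Incredible PBX: it compares an iptables-save dump of the running rules with a saved rule set and lists the sources that exist only in memory. The function names, the sample rules and the assumption that whitelist entries are plain "-s address -j ACCEPT" rules on the INPUT chain are illustrative.

```shell
#!/bin/sh
# Added example: list sources the running firewall ACCEPTs but the saved rules lack.

# Read an iptables-save dump on stdin; print each source that INPUT ACCEPTs.
accept_sources() {
    awk '$1 == "-A" && $2 == "INPUT" {
        src = ""; accept = 0
        for (i = 3; i < NF; i++) {
            # "! -s addr" is a negated match, not a whitelist entry: skip it.
            if ($i == "-s" && $(i - 1) != "!") src = $(i + 1)
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
        }
        if (src != "" && accept) { sub(/\/32$/, "", src); print src }
    }' | LC_ALL=C sort -u
}

# usage: temporary_whitelist RUNNING_DUMP SAVED_DUMP
temporary_whitelist() {
    run_tmp=$(mktemp) || return 1
    save_tmp=$(mktemp) || return 1
    accept_sources < "$1" > "$run_tmp"
    accept_sources < "$2" > "$save_tmp"
    LC_ALL=C comm -23 "$run_tmp" "$save_tmp"   # lines only in the running set
    rm -f "$run_tmp" "$save_tmp"
}

# Constructed sample dumps (documentation addresses) so the demo runs offline.
demo() {
    saved=$(mktemp) || return 1
    running=$(mktemp) || return 1
    cat > "$saved" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s 198.51.100.10/32 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
EOF
    # Running set = saved set + one knock-added ACCEPT + one DROP rule.
    { sed '$d' "$saved"
      echo '-A INPUT -s 192.0.2.77/32 -j ACCEPT'
      echo '-A INPUT -s 192.0.2.99/32 -j DROP'
      echo 'COMMIT'; } > "$running"
    temporary_whitelist "$running" "$saved"
    rm -f "$saved" "$running"
}

demo
```

On a live server, pass a file containing iptables-save output as the first argument and your saved rules file as the second; where the saved rules file lives depends on the install and is not stated here.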

The NeoRouter VPN client also is included for rock-solid, secure connectivity for remote users. Read our previous tutorial for setup instructions.

As one would expect, the IPtables firewall is a complex piece of software. If you need assistance configuring it, visit the PIAF Forum for some friendly assistance.

Adding Incredible Fax 11 to Your Server

Once you’ve completed the Incredible PBX install, log out and log back in to load the latest automatic updates. Then reboot. Now you’re ready to continue your adventure by installing Incredible Fax 11 for Ubuntu. Special thanks to Josh North for all his hard work on this! The latest download includes the Incredible Fax 11 installer, but it needs updating. Follow this tutorial to load the appropriate update onto your server. Then just run the script:

cd /root
./incrediblefax11_ubuntu14.sh

Accept all of the defaults during the installation process. IMPORTANT: Once you complete the install, reboot your server. After rebooting, log into the GUI and choose Module Admin and enable the AvantFax module. When you log out of the GUI, there now will be an option for AvantFax on the GUI’s main login screen. Choose it and enter admin:password to login and change your default password. You also can set your AvantFax admin password by logging into the Linux CLI and… /root/avantfax-pw-change.

Incredible Backup and Restore

We’re pleased to introduce our latest backup and restore utilities for Incredible PBX. Running /root/incrediblebackup will create a backup image of your server in /tmp. This backup image then can be copied to any other medium desired for storage. To restore it to another Incredible PBX server, simply copy the image to a server running Asterisk 13 and the Incredible PBX 13-12 GUI. Then run /root/incrediblerestore. Doesn’t get much simpler than that.

Incredible PBX Automatic Update Utility

Every time you log into your server as root, Incredible PBX will ping the IncrediblePBX.com web site to determine whether one or more updates are available to bring your server up to current specs. We recommend you log in at least once a week just in case some new security vulnerability should come along. Also be sure to check the PBX in a Flash RSS Feed inside the GUI for the latest security alerts.

Mastering the Incredible PBX Applications

Your next stop should be a quick read of the Application User’s Guide for Incredible PBX. Even though the target audience was Raspberry Pi users, the feature set is identical, and this guide will tell you everything you need to know about the dozens of applications for Asterisk that have been installed on your new server.

We also want to encourage you to sign up for an account on the PIAF Forum and join the discussion. In addition to providing first-class, free support, we think you’ll enjoy the camaraderie. Come join us!

Originally published: Wednesday, July 8, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.


Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

 




  1. Ironically, the word "GPL" only appears once on the FreePBX web site, and that’s to remind you that Sangoma’s commercial "modules are not Open Source GPL and are only designed to work with CentOS or RHEL systems."
  2. With some providers including ones linked in this article, Nerd Vittles receives referral fees which assist in keeping the Nerd Vittles lights burning brightly.