
Tag Archives: piaf


Where to Begin: A Comparison of Open Source Features in Asterisk Aggregations


We receive frequent inquiries requesting that we document the feature set in the open source Asterisk® distributions that Nerd Vittles writes about each week. So today we’re pleased to provide a Feature Matrix that we will attempt to keep current as we move forward. Just bookmark this page, and you can check back periodically to get a quick thumbnail sketch of what each of these distributions currently supports.[1] A chart, of course, doesn’t tell the whole story. But it’s a good starting point.

Not covered this week are the Asterisk aggregations that are either non-GPL code or are produced by organizations whose primary focus is the sale of commercial hardware and/or software. But don’t despair. Nerd Vittles is weeks away from announcing a commercial solution with some surprises that may encourage non-hobbyists to reevaluate their options and to take a fresh look at commercial alternatives, some of which may soon be free. So… hold on to your checkbook a bit longer!

All of the Asterisk aggregations we’re covering today have several things in common. First, all of the products rely upon industry-standard operating system platforms including CentOS, Scientific Linux, Ubuntu, and Raspbian. Each has an enormous user base and technical support team to assure that your operating system remains stable, secure, and non-proprietary for the life of your PBX. All of today’s products also support open source, non-proprietary, and free fax solutions with installers customized to the various platforms. Unlike other alternatives, all of these aggregations compile Asterisk and the graphical user interface used to manage your PBX as part of the install process. That means your compiled code is tailored to your particular hardware, and the source code is always installed on your server to simplify the task of making changes or enhancements to the default install without spending hours scouring the Internet to track down dependencies and missing source components. Try finding 3-year-old source code of some of the other distributions (as the GPL requires), and you’ll appreciate our SourceForge repository which goes back almost 5 years. Last but not least, all of these aggregations support Google Voice directly with free calling and free faxing throughout the U.S. and Canada in just minutes.

Once you’ve identified the feature set that best meets your needs, the next step is finding a tutorial to get you started. Look no further than Nerd Vittles for step-by-step instructions tailored to your specific platform whether it’s dedicated hardware, a virtual machine, or a Cloud-based platform. You won’t find an equivalent resource anywhere else. And, of course, the most user-friendly forum on the planet stands ready to help should you ever hit a snag.

Originally published: Tuesday, February 17, 2015


Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




  1. Our special thanks to Captain Anonymous for the terrific code that made an HTML layout of this feature comparison chart possible.
  2. RentPBX is a Platinum Sponsor of the PBX in a Flash project. Install PIAF in the Cloud for $15/mo. with Coupon Code: PIAF2015

We Have a Dream, Too: The Return of (Gotcha-free) Open Source GPL Software


History repeats itself. That’s the timeless old saying, and we have a theory about that. The reason history repeats itself is because most folks never spent much time studying history so they didn’t learn from the mistakes and greed of those that preceded them. Here’s our brief history lesson on technology and what we’ve learned about choosing a pumpkin.

With a Single Pumpkin Provider, Expect to Take Home a Crappy Pumpkin!

Let’s turn back the clock 30 years, shall we? It was 1985. IBM had just introduced the PC/AT. Hewlett Packard was on the verge of releasing the LaserJet printer. The typical office had a dedicated word processing machine from one of a handful of very rich companies. The PC software world had their new Big Three: dBASE III, WordPerfect, and Lotus 1-2-3. Life was good! Copy-protection was still a sparkle in the eye of many software companies, and shrink-wrap licensing agreements were just beginning to keep law firms busy. You may recall that IBM introduced the IBM PC just four years earlier, and DOS 1.0 was released for $30 with the source code for the operating system in the loose leaf notebook. How quickly things would change. The cassette player adapter was no longer viewed as the storage device of choice. Meet the 20MB hard drive!

It didn’t take long for most of these companies to forget what made them household names. With the notable exception of IBM and WordPerfect, it was all about copy protection, a concept that made it almost impossible for major companies and the government to deploy PCs. There was no Internet or Intranet, and there were no networks or email, just dial-up bulletin board systems using state-of-the-art 1200 baud Hayes modems. If you wanted to deploy software at multiple sites, you mailed floppy disks and crossed your fingers. Meet Sneakernet!

At the time, I was building a new PC-based case management system in Atlanta for the 95 bankruptcy courts that were scattered across hundreds of cities in the United States. These courts were literally buried in paperwork from lawyers. It was not uncommon to wait years before your case was scheduled for a hearing. The Administrative Office of U.S. Courts in Washington was deploying mainframe-based bankruptcy software to a handful of courts each year. Thanks to the IBM PC/AT and HP LaserJet printer, we revolutionized case processing in the bankruptcy courts in less than a year. Backlogs quickly disappeared as the bankruptcy courts spit out more paper than even the lawyers could handle.

The major wrinkle in rolling out a PC-based solution wasn’t the lack of hardware and tools. It was copy-protection. Luckily, there was The Lone Victor, a college-dropout whiz kid that worked for one of the big banks headquartered in Atlanta. Because his bank was a beta site for all of the major PC software, he typically cracked the copyright protection schemes and published the fixes on the local BBS the same day the software was released to the public. This meant DBMS software could be purchased and distributed by mail without having to visit hundreds of sites to manually install the basic software components needed to run application software. The courts were not yet following the business playbook so shrink-wrap licensing agreements were non-existent. The theory that violating a license agreement meant you were violating a copyright had not yet been concocted. And the Bigwigs in California were dumbfounded that their costly, (failsafe) copy protection schemes were cracked on Day 1 of each new software release. The identity of The Lone Victor was never exposed… until now. Just kidding!

It was also the beginning of the shareware era. People were tired of paying exorbitant prices for buggy, copy-protected PC software that was rushed to market to cash in on the PC Gold Rush. We were fortunate enough to be amongst several dozen developers that participated in the Association of Shareware Professionals and set some standards for this revolutionary new industry. Our dBASE III clone, WAMPUM, became an overnight hit thanks to an article in the 800-page tabloid of the time, Computer Shopper. I still remember driving home from a weekend trip to find our mailbox literally spilling over into the street with checks from people that had just discovered the magic of shareware. WAMPUM is still available by the way and runs swimmingly on VirtualBox.

The history lesson here could not be more clear. All of these commercial companies and banks viewed themselves as invulnerable because every one of them dominated a particular niche in the marketplace. Could life possibly get any better? Of course, you know the rest of the story. Not a single one remains in the PC business today. All the Big Banks of the 80’s and all the dedicated word processors and their larger-than-life corporate sponsors are pretty much gone as well.

If you have a teenage son or daughter, take a look at what they use today for messaging and communications. That’s a pretty big hint about the chances that today’s VoIP solutions will still be around even 10 years from now. It’s History 101.

As Grandma used to say, "Never get too big for your britches." When you start resting on your laurels and believing you’re too big to fail, along comes another whiz kid to build a better mousetrap. Yes, we have a dream, too.

With a Single Pumpkin Provider, Expect to Take Home a Crappy Pumpkin!

Pardon our repetition! So what does all of this have to do with Asterisk® and 2015? Well, take another look at last week’s article. Asterisk has a strong open source competitor in FreeSwitch. Without FreeSwitch, we doubt you ever would have seen a product as ambitious as Asterisk 12. The competition has been healthy for both companies AND for those of us that actually use the software. But, in the GUI department, we’re back to the era in which a single product dominates this essential market category. Their way or the highway is the comment we hear over and over from frustrated users. We ended up in this predicament because Digium folded the tent on Asterisk-GUI because of the purchase of a (better) commercial GUI, Switchvox. It actually makes money for the company. Did it mean Asterisk-GUI was flawed? Not at all. In fact, our experimentation suggests quite the opposite. Asterisk-GUI is a better mousetrap in many ways, but development wasn’t generating revenue and was costing Digium manpower money that could be put to better use with a financial return on investment. In case you haven’t noticed, all of the major open source VoIP companies now have commercial VoIP hardware and software offerings. Invariably, open source offerings morph into loss leaders or marketing tools to channel customers to commercial products. That’s what most for-profit companies have had to do to stay afloat. But there’s a right way and a wrong way to go about it, and that’s what last week’s article was all about.

The simple solution to fix market dominance is CHOICES. When you put all your eggs in one basket, we all know what happens. And it has. We’re working very hard to bring more choices and some new players and alternatives to the Asterisk community. We hope you’ll be reading about more of them here… soon. What would happen if there were an open source offering of a Switchvox-like product? What would happen if there were an open source offering of a drag-and-drop GUI for a realtime version of Asterisk? Do we have a crystal ball? Not at all. Do we like to dream of the possibilities and what they would mean to the future of Asterisk and the VoIP community? Absolutely.

In the meantime, do your part. Try out some alternatives. We’re doing our part by bringing them to you with Incredible PBX. It provides a compelling feature set of add-on applications and development tools for Asterisk including text-to-speech, voice recognition, Google Voice free calling and SMS messaging, free fax support, and simplified tools for configuration of Asterisk trunks, extensions, and dialplan code. Initially, the focus of Incredible PBX and PBX in a Flash was broadening the operating system platforms on which Asterisk could be run. In addition to CentOS, we released versions for Fedora, Scientific Linux, Ubuntu, and Debian. Next came virtual machine editions for the Cloud and even for Windows and Macs. Then we tackled tiny hardware platforms to make Asterisk more accessible to a much broader range of users. This included the Raspberry Pi, BeagleBone Black, CuBox-i, and even the PogoPlug. When you can run Asterisk reliably on a $15 to $50 piece of hardware, it’s a big deal.


And that brings us to 2015. Our focus this year is providing a CHOICE of options for actual configuration of Asterisk. We also want to broaden the base from English to support for other languages and countries. Not everyone in the world has a 10-digit phone number. And not everyone needs a product as complex as FreePBX® to set up a VoIP server for their home or business. If all you need is a secure VoIP phone system with SIP phones to make economical phone calls with a high-tech feature set of IVRs, auto-attendants, voicemail, email, SMS messaging, faxes, and smartphone integration, then there are numerous alternatives without the overhead of maintaining and managing a complex database management system, a mail server, a web server, a firewall, and literally hundreds of other Linux applications that many probably never knew were running on their server in the first place.

Does it mean we’re dropping support for FreePBX? Not at all. There’s still hope with new ownership. Does it mean you’re nuts to only consider an Asterisk-based server that includes FreePBX? Absolutely. So what’s out there?? Starting next week, we’ll begin introducing new versions of Incredible PBX for the Asterisk-GUI, for Elastix 3.0 Multi-Tenant, for Gemeinschaft, and…

The best is yet to come. Stay tuned!

Originally published: Monday, January 19, 2015



An Open Letter to Sangoma: Here’s to a New Beginning in 2015

2015 is starting off with lots of surprises for the VoIP community so let’s get right to it. Sangoma Technologies has purchased Schmooze Com with all its assets including FreePBX® on January 1. You can read all about it here and here. Please do. The bottom line is the ownership of FreePBX has changed, but the development staff and presumably the future direction of the project have not. As usual, there is more than a little bad mouthing of Fonality for the direction it took the trixbox project while promising to be "different" with this acquisition. We hope so. Keep reading for the rest of the story…

We’ve known the original developers of FreePBX since the Asterisk Management Portal days. And the same goes for the Asterisk@Home and trixbox project team as well as the current FreePBX development team. When we began the PBX in a Flash project, the very first financial backer of our project was Sangoma, and their support of the open source community has been unwavering. What follows is a wakeup call that all is not well in the FreePBX community, and now Sangoma is in a position to fix it. We hope they will… and soon!

When Schmooze Com decided to discontinue its commercial PBX offering and roll it into commercial modules for FreePBX, we were one of the early testers and supporters of those modules and the new approach. We also had an ongoing discussion with Tony Lewis regarding patents, copyrights, commingling of commercial modules with open source code, and numerous other topics. The objective for us and for Tony was to develop a long-term strategy for Schmooze Com that would assure commercial viability while protecting the open source character of FreePBX. In exchange for including commercial module support in the PBX in a Flash offerings, Schmooze Com agreed to build a web site that could detect the platform of the user so that a portion of the proceeds of the commercial purchases could be returned to our project to fund our development efforts. We never saw a dime!

During this same period, we also were seeking a commercial VoIP provider to provide commercial-quality technical support for PBX in a Flash users whenever the need arose. Schmooze Com seemed like a natural fit given our joint development efforts. In May of 2012, we entered into a partnership arrangement with Schmooze Com, a copy of which is reproduced below:

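[Image: partnership agreement (Memorandum of Understanding) between Schmooze Com and the PBX in a Flash project]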

Support and commercial module development continued uneventfully through the end of 2012 with checks to the PBX in a Flash project tallying up to less than $1,000. That just meant our users didn’t have many problems, or so we thought. On January 10, 2013, we received the following email from Tony… but no check:

We have been tracking down some weird issues with a few modules in PBXiaF and have it tracked down that your sysadmin RPM is really old.

Because that RPM is always changing we have created a new REPO that only contains the 3 needed RPMS for commercial module support.

Can you include this repo in your upgrade scripts and next build instead of relying on updating your repos when we change the RPMS

We will always keep this repo updated with the RPMS needed for commercial modules

A week later, we received a follow up email… but no check:

We now have our Portal setup to track Commercial Modules on a per system type basis so we can start paying you a commission on PBXiaF systems.

We seem to keep having issues with PBXiaF users not having updated RPMs such as sysadmin.

We have setup a repo that we would like you to include that way they are pulling the needed RPMs from our repo. Its [sic] the same repo we are now using in FreePBX and Asterisk Now is now also using.

We made the necessary changes to PBX in a Flash and incorporated the Schmooze commercial repo based upon the assurance that it would only "contain the 3 needed RPMS for commercial module support." This is critically important from a security standpoint since any repo activated on a Linux server basically gets a blank check with root privileges to modify virtually anything on that server. Keep reading! It gets worse.

In February, 2013, Schmooze Com acquired FreePBX from Bandwidth.com. Perhaps not coincidentally, that also marked the end of the money trail from Schmooze Com to the PBX in a Flash project. Shortly thereafter, we began receiving reports from various PIAF users that their (paid) call for commercial technical support was more of a sales pitch urging them to switch to the FreePBX Distro for "better support." Compare that advice to Section 5 of the Memorandum of Understanding we have reproduced above.

In 2014, our relationship with Schmooze Com went from bad to worse as the company began squeezing other contributors to the PBX in a Flash project for money. One provider of SIP services developed an add-on open source module which end-users could download and install into FreePBX to facilitate configuration of their SIP credentials. This provider, who also happened to be a competitor of Schmooze Com’s SipStation, received a threatening email in March of 2014 which included the following:

We also see you have a FreePBX module that is used to manage and configure your trunks which violates our Copyright Policy on using the FreePBX Framework and module system. As stated on our trademark page.

"FreePBX provides a module system to allow plugging in 3rd party modules into your FreePBX system. Any module that uses the FreePBX Module, Framework or GUI system must be released as GPL and use of the module must be for controlling or managing other GPL or open source software. Schmooze Com, Inc as the copyright holder does reserve the right to release modules that are not GPL and under a different license under a dual license model."

Since you [sic] modules sole purpose is to configure and manage your trunking service this would be in violation of FreePBX usage policy.

Imagine the reaction from Sangoma if Digium had ever announced that Asterisk modules to support analog cards from suppliers other than Digium could not be used with Asterisk because it would violate Digium’s "Copyright Policy on using the [Asterisk] Framework and module system."

Shortly thereafter, a number of cloud service providers contacted us indicating that Schmooze Com was demanding royalties for use of the open source FreePBX product in cloud offerings of the open source PBX in a Flash product line. Never mind that Schmooze Com uses hundreds of open source products commercially including Asterisk, Apache, PHP, and MySQL without payment of any license fees.

Get the picture? Now mere use of the open source FreePBX product in a commercial offering was prohibited without payment of a Schmooze Com "trademark and copyright fee." Now tell me again that yarn about Fonality being a lousy steward of the trixbox project. They never pulled a stunt like this! And then, of course, there’s the plain language of the FreePBX GPL license:

1. You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

The final straw (as if we needed one) was the recent declaration that FreePBX commercial modules "are not Open Source GPL and are only designed to work with the FreePBX Distro." This, of course, is long after many PBX in a Flash users had purchased commercial modules on the frequent recommendation of Schmooze Com employee postings on the PIAF Forum.


And to start the new year off with a bang, Schmooze Com quietly added additional (non-commercial) components to their commercial repository which immediately broke the Fail2Ban security module used by PBX in a Flash. Through the commercial module repo, we now have a backdoor security issue because Schmooze Com is no longer honoring their agreement to restrict the Schmooze Com commercial repo to "the 3 needed RPMS for commercial module support."

We will fix it shortly… and permanently.
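The two repo passages above (a third-party repo accepted on the promise of "the 3 needed RPMS", and the same repo later carrying more) describe a condition that can be checked on a yum-based server. The following is an added example, not Nerd Vittles' or Schmooze Com's code and not the fix the article promises. It assumes yum's `includepkgs` repo option and the three-column layout of `yum list installed`; the repo ids, URLs, versions and every package name other than `sysadmin` are placeholders, and all sample data is constructed.

```python
import configparser

# Constructed sample standing in for the files under /etc/yum.repos.d/.
# Repo ids and URLs are placeholders. "sysadmin" is the one RPM the article
# names; the other package names are placeholders for the agreed set.
SAMPLE_REPOS = """\
[base]
name=Distribution packages
baseurl=https://mirror.example.invalid/os/
gpgcheck=1

[vendor-open]
name=Vendor repo, unrestricted
baseurl=https://repo.example.invalid/commercial/
enabled=1
gpgcheck=0

[vendor-pinned]
name=Vendor repo, limited to the agreed RPMs
baseurl=https://repo.example.invalid/commercial/
enabled=1
gpgcheck=1
includepkgs=sysadmin placeholder-rpm-2 placeholder-rpm-3

[vendor-drifted]
name=Vendor repo, allowlist widened later
baseurl=https://repo.example.invalid/commercial/
enabled=1
gpgcheck=1
includepkgs=sysadmin, placeholder-rpm-2, placeholder-rpm-3, placeholder-extra*
"""

# Constructed lines in the three-column layout of `yum list installed`.
SAMPLE_INSTALLED = """\
sysadmin.noarch               1.0-1      @vendor-open
placeholder-rpm-2.noarch      2.0-1      @vendor-open
placeholder-extra-rpm.noarch  0.1-1      @vendor-open
httpd.x86_64                  2.2.15-39  @base
"""

# Policy: for each third-party repo, the package names it was agreed to carry.
# Repos without an entry (the distribution's own) are not audited here.
AGREED = ("sysadmin", "placeholder-rpm-2", "placeholder-rpm-3")
POLICY = {"vendor-open": AGREED, "vendor-pinned": AGREED, "vendor-drifted": AGREED}


def _on(value):
    return value.strip().lower() in ("1", "true", "yes")


def audit_repo_config(text, policy):
    """Return (repo_id, finding) pairs for enabled repos that have a policy."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    findings = []
    for repo_id, allowed in policy.items():
        if not parser.has_section(repo_id):
            continue
        repo = parser[repo_id]
        # A repo section without an "enabled" key is treated as enabled.
        if not _on(repo.get("enabled", fallback="1")):
            continue
        # A missing gpgcheck key inherits [main] in yum.conf, which this
        # example does not read, so it is reported rather than assumed safe.
        if not _on(repo.get("gpgcheck", fallback="0")):
            findings.append((repo_id, "gpgcheck not enabled in repo section"))
        pkgs = repo.get("includepkgs", fallback="").replace(",", " ").split()
        if not pkgs:
            findings.append((repo_id, "no includepkgs: repo may supply any package"))
            continue
        # Patterns are compared literally, so a glob counts as outside the
        # agreement even if it would also match an agreed name.
        extra = sorted(set(pkgs) - set(allowed))
        if extra:
            findings.append((repo_id, "includepkgs beyond agreement: " + " ".join(extra)))
    return findings


def installed_outside_agreement(listing, policy):
    """Return (repo_id, package) pairs installed from a policy repo but not agreed."""
    hits = []
    for line in listing.splitlines():
        cols = line.split()
        if len(cols) != 3 or not cols[2].startswith("@"):
            continue  # header line or a wrapped entry
        repo_id = cols[2][1:]
        name = cols[0].rsplit(".", 1)[0]  # drop the ".arch" suffix
        if repo_id in policy and name not in policy[repo_id]:
            hits.append((repo_id, name))
    return sorted(hits)


if __name__ == "__main__":
    for repo_id, finding in audit_repo_config(SAMPLE_REPOS, POLICY):
        print(f"{repo_id}: {finding}")
    for repo_id, name in installed_outside_agreement(SAMPLE_INSTALLED, POLICY):
        print(f"{repo_id}: installed package outside agreement: {name}")
```

An `includepkgs` allowlist limits which package names the repo can supply; the install scripts inside the allowed packages still run as root, so the repo operator remains trusted for those packages.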

Ultimately you, our readers, get to judge whether Schmooze Com’s stewardship of the FreePBX project has been a model for the open source community. From our vantage point, it has been anything but that. Sangoma has enormous good will in the open source community. We trust they will take the necessary steps to correct these abuses for the benefit of the open source FreePBX project and those who continue to develop and use it.


Originally published: Monday, January 12, 2015



Lessons Learned: Getting Started in the Billion Dollar VoIP Business

So you’ve built a few VoIP PBXs for your neighbors and your friends’ small businesses. And now you want to make a living doing it full time. After all, it wasn’t that hard to get started since all of the VoIP software was practically free, and the hardware investment was only a few hundred bucks. But now your friends need a way to make reliable phone calls every day, and they want someone to call when the phones don’t work. Welcome to the VoIP Business! Our objective today is to paint you a picture of what actually lies ahead in the Asterisk® and FreePBX® business so that you don’t get blindsided.

Lesson #1. Asterisk is a business run by Digium to make money for the corporation. FreePBX is a business run by Schmooze Com to make money for the corporation. Both companies do this in several ways. They sell hardware. They sell commercial software. They sell hosted phone service. They sell phone trunks to make and receive phone calls. And they sell support. The lifeblood of these companies is paying customers, lots of them. There’s nothing necessarily sinister about any of this. It’s the way all corporations work.

Lesson #2. You can’t do it all. You may be a super salesman, a talented programmer, or a great customer service guy. But you’re probably not all three. And, if you have a family, the rest of them probably don’t want the phones ringing off the hook starting at dinner time until 2 a.m. every morning. There’s a reason corporations charge a pretty penny for support. Somebody has to be there during dinner time and at 2 a.m. to answer the phone calls and solve the problems.

Lesson #3. Your friends are ~~cheap~~ frugal. They’d prefer to pay nothing for their phone system, and they’d prefer to pay nothing when they need to call you to fix it. You’re a nice guy so you don’t want to leave your friends in the lurch when you decide to take that Christmas ski trip. What to do? Hire an outside company to provide your support. Heh! Keep reading.

Lesson #4. The stark reality at the corporate end of the VoIP business is RECURRING REVENUE. They can’t stay afloat just selling hardware and software. Once folks have bought it, the company either needs new paying customers or a way to keep existing customers paying to keep the lights on. There are three options: hosted phone service, phone trunks, and support.

If you’ve done your homework, you know that you can buy incoming phone lines for your PBXs at a monthly cost of a few bucks. Or you can stick with Ma Bell for incoming trunks and up the monthly cost by a factor of ten in exchange for reliability and support. Outgoing phone calls can be made for a penny or two a minute to all but the most exotic and remote areas of the world. Or you can use trunks provided by Ma Bell or Comcast or Time Warner for ten times the monthly cost. Then there are the so-called unlimited trunks from companies such as Digium and Schmooze Com. For $20+ to $25+ per month, you get the ability to make or receive several thousand minutes of calls each month so long as the calls arrive one at a time. If you want to make or receive multiple calls simultaneously, multiply the cost for each simultaneous call by twenty to twenty-five bucks depending upon your provider choice. All of a sudden, Ma Bell isn’t looking that expensive, is she?

Lesson #5. When you’ve grown your user base to the point that you don’t want to lose your customers, be careful in choosing a company to provide your support. If they happen to be in the same business as you (and they probably are), ask yourself this question. Would you send your girlfriend alone on a two-week cruise with any of your male buddies? Didn’t think so. Reread Lesson #1.

To be continued… Happy New Year!!

Originally published: Monday, December 29, 2014


Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

The Definitive VoIP Quick Start Guide: Introducing PBX in a Flash 3

It’s been an interesting year with RedHat’s acquisition of CentOS™. But the dust is slowly settling, and we’ve developed a new installation methodology for PBX in a Flash™ which we believe provides everyone with the best of all worlds. Like it or not, Red Hat® is in the driver’s seat now with CentOS, and Scientific Linux™ already has announced that they plan to fold into CentOS with the 7.0 release. That left the rest of us with two choices: fork CentOS and roll your own operating system or comply with the RedHat requirement to initially build a system with their ISO and then embellish it. The PBX in a Flash aggregation is just that. It’s always been built on a superset of the base CentOS operating system. That’s why we found the RedHat fanboy diatribes particularly offensive. PBX in a Flash has never provided a diluted or otherwise marginalized version of CentOS. If you don’t believe it, compare the list of RPMs on today’s build with the list on prior releases. They’re virtually identical even though (as you will see) the installation methodology is different. The bottom line is we don’t want to be in the operating system business, and the recent nightmare with OpenSSL should tell you why. Red Hat has a staff of hundreds to maintain RedHat and now CentOS. So why reinvent the wheel? When you peel away the marketing guys and the lawyers and the fan boys, that’s what open source has always been about. RedHat does what it does best, and we do the same. It never has meant you were getting a product that wasn’t genuine. You were getting a product that was embellished and enhanced to perform a specific task, telephony! By sticking with CentOS 6.5, we’ll all have a supported operating system on which to build telephony applications until the end of November, 2020. We can’t do better than that.

If you’re new to the VoIP community, we recommend you begin by watching this video. Before you begin the PBX in a Flash install procedure, you need to do three things first: pick your hardware platform, think about what types of phones you plan to use, and choose at least a couple of service providers to interconnect your PBX with the rest of the telephones in the world.


Making a Hardware Selection

We’re going to assume that you need a VoIP telephony solution that will support an office of up to several dozen employees and that you have an Internet connection that will support whatever your simultaneous call volume happens to be. This is above and beyond your normal Internet traffic. To keep it simple, you need 100Kbps of bandwidth in both directions for each call.1 And you need a router/firewall that can prioritize VoIP traffic so that all your employees playing Angry Birds won’t cause degradation in VoIP call quality. Almost any good home router can now provide this functionality. Remember to disable ALG on your router, and it’s smooth sailing.

For computer hardware, you’ll need a dedicated machine. There are many good choices. Unless you have a burning desire to preserve your ties with Ma Bell, we recommend limiting your Ma Bell lines to your main number. Most phone companies can provide a service called multi-channel forwarding that lets multiple inbound calls to your main number be routed to one or more VoIP DIDs much like companies do with 800-number calls.

If you’re building a system for home or SOHO use, you probably don’t need PBX in a Flash. If you want the same functionality for under $50 then go with a BeagleBone Black and add RasPBX and Incredible PBX. Our tutorial will show you how to do it. For the business model we’ve described above, any good dual-core Atom computer will suffice. You’ll find lots of suggestions in this thread. And the prices generally are in the $200-$400 range. For larger companies and to increase Asterisk’s capacity with beefier hardware, see these stress test results.

If your requirements involve retention of dozens of Ma Bell lines and complex routing of calls to multiple offices, then we would strongly recommend you spend a couple thousand dollars with a consultant. Some of the best in the business frequent the PBX in a Flash Forum, and they do this for a living. They can easily save you the cost of their services by guiding you through the hardware selection process. For business or for home, another alternative is available if you don’t want to babysit your own hardware. That’s a cloud-based solution such as RentPBX. For $15 a month, you don’t have to worry about electricity and a reliable Internet connection ever.

Choosing the Right Phones

If there is one thing that will kill any new VoIP deployment, it’s choosing the wrong phones. If you value your career, you’ll let that be an organization-driven decision after carefully reviewing at least 6-12 phones that won’t cause you daily heartburn. You and your budget team can figure out the price points that work in your organization keeping in mind that not everyone needs the same type of telephone. Depending upon your staffing, the issue becomes how many different phone sets are you and your colleagues capable of supporting and maintaining on a long term basis.

Schmooze Com has released their commercial End Point Manager (EPM) at a price point of $99 per server. They’ve been using the application internally to support their commercial customers for two years. If you’re doing a major installation, it’s the best money you will ever spend. Just sign up for an account with Schmooze to purchase the software. You can review the Admin User Guide here. The beauty of this software is it gives you the flexibility to support literally hundreds of different VoIP phones and devices almost effortlessly. Using a browser, you can configure and reconfigure almost any VoIP phone or device on the market in a matter of minutes. So the question becomes which phones should you show your business associates. That again should be a decision by you and your management and budget teams, but collect some information from end-users first. Choose a half dozen representative users in your company and get each of them to fill out a questionnaire documenting their 10 most frequent daily phone calls and listing each step of how they process those calls. That will give you a good idea about types and variety of phones you need to consider for different groups of users. Cheaper rarely is better. Keep in mind that phones can last a very long time, even lousy ones. So choose carefully.

The phone brands that we would seriously consider include Yealink, Digium, Snom, Aastra, Mitel, Polycom, Cisco, and Grandstream. Do you need BLF, call parking or multiple line buttons, a hold button, conferencing, speakerphone, HD voice, power over Ethernet support, distinctive ringtones for internal and various types of external calls, Bluetooth, WiFi, web, SMS, or email access, an extra network port for a computer, headset support, customizable buttons (how many?), quick dial keys, custom software, XML provisioning, VPN support? How easy is it to transfer a call? Do you need to mimic key telephones? Also consider color screens, touch screens, busy lamp indicators, extension modules (what capacity?). What do we personally use: Yealink’s T46G is our favorite, and we also have several Digium phones of various types, a couple of Aastra phones, a Grandstream GXP2200, a collection of Panasonic cordless DECT phones, a Samsung Galaxy S4 and Moto X connected through an OBi202 with an OBiBT Bluetooth Adapter, and a Samsung Galaxy S3 extension interconnected with Vitelity’s vMobile service to provide transparent connectivity on both WiFi and cellular networks. You can read all about vMobile here. It is the future of VoIP telephony.

Choosing VoIP Service Providers

One of the design differences between VoIP and the Ma Bell network that we’re all familiar with is that you no longer have to put all your eggs in one basket. The company or companies that you use to make outbound calls need not be the same as the ones you use to handle incoming calls. For home use, VoIP providers typically offer two types of plans: all-you-can-eat (which isn’t really) and pay-by-the-minute (which, in most cases, is priced by the fraction of the minute that you actually use the service). For business use, you have a choice of pay-by-the-trunk (each simultaneous call uses a trunk) and pay-by-the-minute (where you don’t have to manage your simultaneous calls). There was a third option over the past 5 years, and that was Google Voice which was free. But, good things don’t last forever, and Google is in the process of shutting down that service except for those that like making calls with a web browser. Hello, Ring.to.

For businesses, we strongly recommend that you stick with Ma Bell for your main business number only. That gets you listed in the phone book and provides 99.999% reliability for access to your business. Most phone companies can provide a service called multi-channel forwarding that lets multiple inbound calls to your main number be routed to one or more VoIP DIDs much like companies do with 800-number calls. For other business lines as well as home and SOHO setups, ditch Ma Bell as quick as you can. You’ll save boatloads of money. Give some thought to how much non-cellphone usage actually occurs in your situation. In many cases, you will find that pay-by-the-minute service for outbound calls is much less expensive than all-you-can-eat plans. Remember, there are no long term contracts on pay-by-the-minute services so try it and see what your usage habits actually are if you’re unsure. Keep in mind that acquiring inbound trunks for DIDs or phone numbers is almost always all-you-can-eat service ranging in price from $2-$8 a month. The PBX in a Flash Forum is chock full of recommendations. Just remember that, in doing your calculations, separate out the time spent on incoming calls from the time spent placing outbound calls. Also keep in mind that redundancy is a luxury you never had in the Ma Bell days. Take advantage of it and sign up with multiple pay-by-the-minute providers for outbound (termination) service. You only pay for what you actually use. For inbound trunks, many providers offer failover service to different numbers if the primary connection dies. Even if the failover is to your cellphone, it beats missing the call. If international calling is a frequent part of your business or lifestyle, then spend some time exploring the options that are available. There are numerous all-you-can-eat solutions at incredibly affordable rates if you do your homework. Now let’s get started…

Installing CentOS 6.5

The new installation methodology for PBX in a Flash™ works like this. First, you’ll download the CentOS 6.5 server ISO for what is known as a minimal install. You still have your choice of 32-bit (339.7 MB) or 64-bit (417.3 MB) flavors. Burn the ISO to a USB Thumb Drive or a CD/DVD using a Mac or Windows machine.

If you’re building a system in the cloud or in a hosted environment, the base CentOS install usually has been done for you so you can skip this step.

If you’re using a dedicated PC or virtual machine with no operating system, boot from the CentOS 6.5 CD/DVD or ISO and go through the standard CentOS install procedure. Here are the CentOS 6.5 setup steps and entries that we recommend [in brackets] which will assure that your new server has wired network connectivity through DHCP and a non-LVM partition configuration which is easier to back up and restore. Don’t be intimidated by the list. The entire CentOS setup process only takes a minute or two.

1. Install or upgrade existing system
2. Test media [skip]
3. Begin setup [Next]
4. Choose language [English]
5. Keyboard [U.S. English]
6. Type Devices [Basic Storage Devices]
7. Discard Existing Data [yes]
8. Hostname [localhost.localdomain] ** BEFORE YOU CLICK NEXT, DO STEP 8a. **
  8a. Configure Network [Click eth0 & Edit. Check:Connect Automatically then Apply & Close]
9. Time Zone [New York] ** Uncheck: System Clock Uses UTC **
10. Root Password [** make it very secure **]
11. Type Installation: Create Custom Layout with Primary Partition checked for 11a and 11c
  11a. Create -> Standard Partition -> Mount Point: /boot Type: ext4 Size:200  Fixed
  11b. Create -> Standard Partition -> Mount Point: blank Type: swap Size:2048 Fixed
  11c. Create -> Standard Partition -> Mount Point: /     Type: ext4 Size:Fill to Max Size
12. NEXT
13. FORMAT
14. WRITE CHANGES
15. Checked: Install boot loader on /dev/sda  Boot loader CentOS List: /dev/sda3
16. Reboot when finished

Next, log in to your new server with your root credentials. First, check your disk partitioning to make sure everything looks okay: fdisk -l. Here’s what the partitioning looks like with a 20GB drive. For larger drives, your sda3 partition will obviously be larger.

Device    Boot Start   End  Blocks  ID System
--------- ---- ----- ----- -------- -- ----------
/dev/sda1   *      1    26   204800 83 Linux
/dev/sda2         26   287  2097152 82 Linux swap
/dev/sda3        287  2650 18979840 83 Linux

Installing PBX in a Flash

Now let us welcome you to the World of PBX in a Flash™. This is our best release ever whether you’re a total newbie or an experienced Asterisk developer. You can’t really appreciate what goes into an open source product like PBX in a Flash until you try doing it yourself. If you want to actually learn about Asterisk from the ground up using pure source code to customize your VoIP deployment, PBX in a Flash has no competition because your only other option is to roll your own starting with a Linux DVD. So our extra special kudos go to Tom King, who once again has produced a real masterpiece in that it is very simple for a first-time user to deploy and, at the same time, incredibly flexible for the most experienced Asterisk developer. The new PIAF3™ release not only provides a choice of Asterisk and FreePBX versions to get you started. But now you can build and deploy standalone servers for SugarCRM™, NeoRouter™ VPN, YATE™, FreeSwitch™, and OpenFire™ XMPP using the standard PIAF3 installer. So let’s get started.

First, let’s prepare your server for installation of PBX in a Flash 3. None of these commands will do any damage if your server happens to already be configured properly.

The recommended platform is CentOS or Scientific Linux. Start here:

# Enable eth0 at boot, then bring it up now
sed -i 's|no|yes|' /etc/sysconfig/network-scripts/ifcfg-eth0
ifup eth0
# Put SELinux in permissive mode until the next reboot
setenforce 0
yum -y upgrade
yum -y install net-tools nano wget
ifconfig # to figure out your server IP address here
# On releases that boot with GRUB 2, keep the classic eth0-style interface names
sed -i 's|quiet|quiet net.ifnames=0 biosdevname=0|' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# for CentOS/Scientific Linux 6.5/6.6 only, perform these additional steps:
wget http://pbxinaflash.com/update-kernel-devel
chmod +x update-kernel-devel
./update-kernel-devel
reboot

Now we’re ready to begin the PIAF3 install. Issue the following commands to get started:

cd /root
wget http://pbxinaflash.com/piaf3-install.tar.gz
tar zxvf piaf3-install.tar.gz
./piaf3-install
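The install commands above fetch a tarball over plain HTTP and run its contents as root. As an added example (not part of the PIAF installer), the functions below check a download against a SHA-256 digest and screen the archive listing before unpacking it into a review directory; the function names are hypothetical, and the digest is an assumption you must supply from a copy you already trust, since this page publishes none.

```shell
#!/bin/sh
# Added example: verify and inspect a downloaded installer tarball before
# anything from it is executed as root. Nothing here runs the installer.

# Print the SHA-256 hex digest of file $1 (sha256sum, or shasum as fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d' ' -f1
}

# Return 0 only if file $1 exists and its digest equals the expected hex $2.
verify_sha256() {
    [ -f "$1" ] || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$expected" ]
}

# Read a `tar -tf` listing on stdin and print every member that would be
# written outside the extraction directory (absolute path or ".." component).
unsafe_tar_members() {
    while IFS= read -r member; do
        case $member in
            /*|..|../*|*/..|*/../*) printf '%s\n' "$member" ;;
        esac
    done
}

# Verify tarball $1 against digest $2, screen its listing, then unpack it
# into directory $3 for review. Fails closed: on any problem nothing is
# extracted and the destination is not created.
safe_unpack() {
    tarball=$1
    dest=$3
    if ! verify_sha256 "$tarball" "$2"; then
        echo "checksum mismatch or missing file: $tarball" >&2
        return 1
    fi
    bad=$(tar -tzf "$tarball" | unsafe_tar_members)
    if [ -n "$bad" ]; then
        echo "refusing to unpack, unsafe members: $bad" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# Usage (the digest is a placeholder for a value you obtained out-of-band):
#   safe_unpack piaf3-install.tar.gz <sha256-you-trust> ./piaf3-review
```

Read the unpacked script in the review directory before running it from /root.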

When the install begins, there’s a 5-10 minute process to reconfigure CentOS by adding over 500 applications to the base install. Be patient. When it completes, your server will reboot, and you’re ready to begin the PBX in a Flash installation process. Choose option A to continue with the installation. While PBX in a Flash supports a number of versions of Asterisk and FreePBX, we believe the combination of Asterisk 11 and FreePBX 2.11 is so compelling in terms of functionality, stability, and security that the other options are no longer worth considering. We wholeheartedly recommend choosing PIAF-Green with FreePBX 2.11 as your platform.

For today, we’re installing PBX in a Flash. So leave it highlighted, tab to OK, and press Enter.

Now pick your PIAF flavor, tab to OK, and press Enter. HINT: Green is the fourth option. 🙂

The PIAF Configuration Wizard will load. Press Enter to begin.

Unlike any other aggregation, PIAF gives you the opportunity to fully configure Asterisk using make menuconfig if you know what you’re doing. For everyone else, type N and then confirm your choice. For the time being, type Y. When the menuconfig menu displays during the install, type X to save your settings and exit. No changes are required.

Next, you’ll need to choose your Time Zone again for PHP and FreePBX. Don’t worry if yours is missing. A new timezone-setup utility is also available to reconfigure this to any worldwide time zone once the install has completed.

Next, choose your version of FreePBX to install. As we said, we recommend FreePBX 2.11. Note that Incredible PBX 11 requires PIAF-Green and FreePBX 2.11.

Finally, you need to choose a very secure maint password for access to FreePBX using a browser. You can pick your own, or the installer will generate one for you. Don’t forget it.

The installer will give you one last chance to make changes. If everything looks correct, press the Enter key and go have lunch. Be sure you have a working Internet connection to your server before you leave. 😉

In about 30-60 minutes, your server will reboot. You should be able to log in as root again using your root password.

Because of a version update to PEAR that is not supported by FreePBX, you’ll need to issue the following commands to clean things up: [NOTE: This has been resolved in latest PIAF3 releases.]

chattr -i /usr/bin/pear
chmod +x /usr/bin/pear
amportal restart
status

We also strongly recommend that you immediately upgrade your version of Asterisk to the current release. If you’re using PIAF-Green with Asterisk 11, we have a script that will do the heavy lifting for you: [NOTE: This already has been addressed in latest PIAF3 release.]

cd /root
wget http://pbxinaflash.com/upgrade-asterisk11-piaf.tar.gz
tar zxvf upgrade-asterisk11-piaf.tar.gz
rm upgrade-asterisk11-piaf.tar.gz
./upgrade-asterisk-piaf

Write down the IP address of your server from the status display (above) and verify that everything installed properly. Note that Samba is disabled by default. If you want to use your server with Windows Networking, run configure-samba once your server is up and running and you’ve logged in.

If you’re familiar with Asterisk and FreePBX, then you can take it from here. You now have a fully functioning platform on which to create your latest VoIP masterpiece. If you’re new to all of this, keep reading…

Configuring PBX in a Flash

Most PIAF Configuration is accomplished using the FreePBX Web GUI. Point your browser to the IP address shown in the status display above to display your PIAF Home Page. Click on the Users tab. Click FreePBX Administration. When prompted for your username and password, the username is maint. The password will be the FreePBX master password you chose in the Config Module phase of the PBX in a Flash installation procedure above.

Here’s a quick overview of what needs to happen before you can start making and receiving calls. You’ll need an account with at least one phone number for people to call you (known as a DID), and you’ll need an account to place outbound calls to plain old telephones throughout the world. Our Vitelity DID deal at the bottom of this article is a terrific service, and Vitelity also provides tremendous financial support to both the Nerd Vittles and PBX in a Flash projects. For outbound calling, you also can use Vitelity or choose from the provider recommendations on the PIAF Forum.

You’ll also need a softphone or SIP phone to actually place and receive calls. YATE makes a free softphone for PCs, Macs, and Linux machines so download your favorite and install it on your desktop. Phones connect to extensions in FreePBX to work with PBX in a Flash. Extensions talk to trunks to make and receive calls. FreePBX uses outbound routes to direct outgoing calls from extensions to trunks, and FreePBX uses inbound routes to route incoming calls from trunks to extensions to make the phones actually ring. In a nutshell, that’s how a PBX works. There are lots of bells and whistles that you can explore down the road. FreePBX now has some of the best documentation in the business. Start here.

To get a minimal system functioning to make and receive calls, here’s the 2-minute drill. Create at least one extension with voicemail. Next, configure a trunk to handle your outside calls. Then set up inbound and outbound routes to manage incoming and outgoing calls. Finally, add a telephone or softphone with your extension credentials.

If this sounds like Greek to you, then install Incredible PBX 11. It’s a 5-minute task. Incredible PBX does all the heavy lifting for you by configuring an extension, building dozens of trunks for the major SIP providers, and creating default routes to manage your calls. You also get a terrific collection of utility programs for Asterisk that handle everything from telephone reminders and wakeup calls to weather and news reports. To get started, log into your server as root and issue the following commands. Then jump to the Incredible PBX 11 tutorial and continue your journey there.

cd /root
wget http://incrediblepbx.com/incrediblepbx11.gz
gunzip incrediblepbx11.gz
chmod +x incrediblepbx11
./incrediblepbx11

A Few Words About Security. PBX in a Flash has been engineered to run on a server sitting safely behind a hardware-based firewall with NO port exposure from the Internet. Leave it that way! It’s your wallet and phone bill that are at stake. If you’re running PBX in a Flash in a hosted environment with no hardware-based firewall, then immediately read and heed our setup instructions for Securing Your VoIP in the Cloud Server. DO NOT RUN PBX IN A FLASH IN THE CLOUD WITHOUT INSTALLING AND ACTIVATING THE IPTABLES FIREWALL. HINT: TRAVELIN’ MAN 3 WILL DO THE HEAVY LIFTING FOR YOU. We would encourage you to visit your PIAF Home Page regularly. It’s our primary way of alerting you to security issues which arise. You’ll see them posted (with links) in the RSS Feed shown above. If you prefer, you can subscribe to the PIAF RSS Feed or follow us on Twitter. For late-breaking enhancements, regularly visit the Bug Reporting & Fixes Topic on the PIAF Forum. Enjoy!

Originally published: Wednesday, May 28, 2014 Updated: Wednesday, December 3, 2014


Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.





 

 




Some Recent Nerd Vittles Articles of Interest…

A Firsthand Look at Disaster Recovery: Tethering and IAX with Asterisk

One of the exciting challenges of building a swimming pool is knowing that it’s just a matter of time until your Internet connection dies. As you might imagine, swimming pools are major construction and involve a lot of digging. And digging usually means some oops moments when cables get cut. In our case, we had watched the folks digging the trenches for all of the pool plumbing to be sure they didn’t accidentally whack one of three coax cables coming into our house. And, when it came time to cover up the trenches, we pointed out the orange cables to the Bobcat driver knowing we were finally home free. Not so fast! Two minutes later, Mario had driven the Bobcat right over the primary Internet cable leaving the shredded remains sticking up through the dirt. Oops. Sorry. Shit happens!

Looking on the positive side, we chuckled, "What a perfect opportunity to test our backup Asterisk® system!" Our backup system is pretty clever if we do say so. It relies upon a Verizon WiFi HotSpot running on our Galaxy smartphone and a duplicate of our Asterisk-based PBX in a Flash™ server running as a virtual machine under VirtualBox on an iMac desktop. The entire setup takes less than a minute to activate. Well, that was the plan anyway.

It turns out that Verizon does SIP a little differently with a SIP ALG in the path so Asterisk could register with only one of our dozen SIP providers. Congratulations, CallCentric! The workaround is to enable STUN. That is now possible with Asterisk 11. Short of that, you’re left with CallCentric. Unfortunately for us, we don’t do much SIP trunking with CallCentric, and none of our primary DIDs are connected through them. The other option is to add port=5080 to your trunk setup with any SIP trunks you register with VoIP.ms using a username and password. Our attention span was too short to tackle STUN in the middle of this crisis. But there’s good news. Verizon doesn’t mess with IAX network traffic at all. Since a couple of our primary DIDs are registered with VoIP.ms using IAX trunks, restoring these IAX trunks to full functionality took less than a minute. That is step one of a three-step process. You need inbound trunks, phones, and outbound trunks to get your redundant VoIP server back in business.

Getting phones to function on what is now a purely WiFi network (through the Verizon HotSpot) can be problematic unless you’ve done your homework and sprinkled a few WiFi-capable SIP phones around your home or office. In our case, we still have Grandstream’s GXP2200 Android phones scattered everywhere so it was just a matter of plugging in the WiFi adapters and rebooting. The newer GXV3240 would work just as well.1

All that remained was enabling several trunks for outbound calls. Since VoIP.ms IAX trunks support both incoming and outgoing calls, we were home free. And, with Google Voice trunks, it was simply a matter of jumping through Google’s security hoops to reenable the connections on a new IP address.

Lessons Learned. Here’s a quick checklist for those of you that think about disaster recovery for your home or for clients and businesses. Nothing beats some advance planning. If money is no object, then WiFi tethering from a smartphone with one of the major providers whose service works well in your home or office environment is the way to go. 4G is a must!

In our case, money was an object so we had the foresight to acquire a Verizon SIM card from eBay that included an unlimited data plan. With this setup, it costs only $1 a day extra to add WiFi tethering, and you can turn it off and on as often as you like without any additional fees or surcharges. There also are no additional charges for using boatloads of data! We’re actually writing this column with a tethered connection from a hotel in Washington (results above). To give you some idea of why an unlimited data plan is important, our home operation burned through 4 gigs of data in less than 24 hours once we activated WiFi tethering. Of course, there were people doing things other than making phone calls, but tethering enables 5 connections to function just about like the cable modem service you originally had in place. So expect the data usage to be substantial. Everybody likes 24/7 Internet service.

Loss of phone calls through a PBX is more of an annoyance than a crisis these days because almost everyone also has a smartphone. Even so, the SIP gotcha with Verizon Wireless was a surprise because we hadn’t really tested our super-duper emergency system in advance. That wasn’t too smart obviously. The old adage applies. Do as we say, not as we do. Unplug your cable modem or DSL connection and actually test your backup system before D-Day arrives.


On the VoIP provider end, now is the time to set up an account with a provider that offers both SIP and IAX connectivity. Step 2 is to actually configure an IAX trunk (as a subaccount to use VoIP.ms parlance) and test it. IAX trunks actually have fewer headaches with NAT, but there are only a handful of providers that still provide the service. Find one now and make certain that your primary DIDs will roll over to the IAX trunk in case of an outage. I’m always reminded that we have Mark Spencer to thank for IAX. It was his brainchild. Thank you, Mark! With VoIP.ms, you also can spoof your CallerID so that calls will still appear to originate from your primary Asterisk PBX.

Keep in mind that a VirtualBox-based Asterisk virtual machine and a Desktop computer both need an IP address and will have to be started on WLAN0 rather than ETH0. Remember, your wired connection is now dead.

You’re also going to want to acquire at least a couple of WiFi-capable SIP phones that can be connected with your Asterisk server using your WiFi HotSpot. Also make certain that you have a preconfigured IPtables firewall on your backup system. Remember, your hardware-based firewall connected to your cable modem won’t provide any protection once you switch to HotSpot operation. Lucky for you, Incredible PBX™ servers come preconfigured with a locked-down IPtables firewall and a WhiteList. Just add the new IP addresses of your server and phones, and you’re secure on the public Internet.

Finally, let’s do the HotSpot connection math. You’ll need an IP address for your desktop computer running VirtualBox. You’ll need a second IP address for the Asterisk virtual machine. Then you’ll need an IP address for every WiFi-enabled SIP phone. If the maximum number of connections is five on your HotSpot, that means you’ve got the necessary capacity for at most 3 WiFi SIP phones assuming you don’t enable a WiFi printer and if nobody else wants to use a computer during the outage. The other option is to add an inexpensive travel router with bridge mode to your mix of 5 devices. We always keep one handy for extended trips. A properly configured travel router provides an additional WiFi network with some extra WiFi connections. Good luck!


Security Alerts. Serious SSL and FreePBX security vulnerabilities have been discovered AND patched during the past week. If you have not patched your server and Asterisk, FreePBX, Apache, and/or WebMin are exposed to the public Internet, you have a serious problem on your hands. See this thread for details on the FreePBX vulnerability. And see this thread for the steps necessary to patch SSL in Asterisk, Apache, and Webmin. While Incredible PBX servers were automatically patched for the FreePBX vulnerability, the SSL issues require manual patching and an Asterisk upgrade. A script for upgrading Asterisk 11 servers is included in the message thread linked above. ALWAYS run your VoIP server behind a firewall with no Internet port exposure to Asterisk, FreePBX, SSH, or the Apache and Webmin web servers! And, if you think all of this security stuff is just a silly waste of your time, then read about the latest lucky recipient of a $166,000 phone bill.

Originally published: Monday, October 20, 2014


Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




  1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us.

Zero Day Vulnerability Protection and More: Introducing Cover Your Asterisk

It’s been a difficult couple of weeks for the Linux® and Asterisk® communities with the back-to-back disclosures of the BASH Shellshock bug and then the FreePBX® Asterisk Recording Interface (ARI) bug a few days later. Both of these vulnerabilities have been circulating in the wild for years. We won’t repeat Wikipedia’s Zero Day Attack analysis other than to note that what makes these particular bugs so scary is not only the fact that both went undetected and unpatched for years but also that the attack vectors for both bugs were so simple. Anyone with a web server exposed to the Internet that was running any flavor of Linux or any Asterisk server with the FreePBX GUI was fair game for a seriously compromised server.

For those with shared servers in a hosted environment running under cPanel, your web platform typically runs with the equivalent of root privileges which means that any web intrusion inherits the same server privileges that you as the administrator had. This is similar to the way FreePBX runs with Asterisk. The same user account used for web access controls all of the Asterisk assets on your server. While it’s convenient, it’s also dangerous whenever there’s a web vulnerability because the entire Asterisk platform has exposure.

We always chuckle when one of the anonymous forum trolls launches a tirade claiming that these alerts are nothing more than Monday morning quarterbacking disguised as Chicken Little. What’s more amazing is that anyone would take the comments of an anonymous poster seriously especially on a matter involving server security. It’s one thing to label folks as alarmists for suggesting that the sky is falling when it isn’t. It’s quite another to launch these anonymous personal attacks even when there is documented evidence that the Internet sky was indeed caving in. Kinda reminds us of the global warming naysayers when the polar ice caps are melting beneath their feet.

According to the naysayers, we’re all doomed when it comes to cyberterrorism so why fight it. Here’s why. While reacting to security vulnerabilities has always been a defensive game of cat and mouse, that doesn’t mean you shouldn’t proactively do what you can to patch serious security holes in your servers. The alternative is to give cybercriminals a blank check to launch bots from your server that generate spam or participate in large-scale zombie attacks on our most trusted resources whether they’re DNS root servers, utility infrastructure and our electric grid, banking assets, and even national security resources. So let’s circle back and address what you can do to assure that you’re part of the solution rather than part of the problem.

The Way It Is: Do I Need a Public Web Server with Asterisk?

For purposes of this discussion, our focus today is Asterisk server security. And the number one thing you can do to insulate your server from these vulnerabilities is to make certain that your web server is not exposed to Internet access by the general public. Neither Asterisk nor FreePBX requires public web server access to manage your server. In fact, neither Asterisk nor FreePBX requires any public access to your server to properly perform all required telecommunications functions. And the second paragraph above explains why this is especially dangerous with servers running both Asterisk and FreePBX.

So why do people still publicly expose their web servers and UDP ports 5060 and 10000-20000 to the Internet? As much as we hate to say it, it’s because it’s always been done that way. It’s also because there are a handful of SIP providers that still require UDP 5060 access to make and receive calls. Most do not! And even for those that do require UDP 5060 access, their requirements can be satisfied with a properly configured firewall that supports whitelisting of "safe" IP addresses for limited access. Incredible PBX comes preconfigured with a locked down WhiteList. The same can be added to PBX in a Flash by installing Travelin’ Man 3. We hope the other aggregations will follow suit. It’s long overdue.

Public web server access often is because there are more than a few (lazy) VoIP providers that install systems in a way that makes it easy for them to manage remote sites. Of course, a VPN would provide secure access to the same resources but that’s a little more work on the deployment end. With NeoRouter VPN, it’s a 5-minute job!

There also are companies with remote users or traveling salesmen that claim their servers must be open to the Internet to keep the company running. First, it’s hard to imagine a company whose salespeople don’t have cellphones that require no link to home base. Second, there are numerous solutions for safe connectivity with a home office: VPNs, FQDNs with dynamic DNS support, Port Knocker, and Travelin’ Man 4 to name just a few of the ones we previously have recommended. With the exception of the lazy VoIP installer, you will note that none of the above scenarios ever require web access to a VoIP server. So the rationale for public exposure of an Asterisk web server is all but non-existent.

The bottom line is that, if your server is not and has never been accessible from the Internet by typing its IP address into a public web browser and assuming your root password has not been compromised, then the BASH and ARI vulnerabilities are purely an academic discussion from your vantage point. Should you apply the patches anyway? Absolutely. Will your server be compromised if you don’t? Probably not… at least not from these two vulnerabilities.

Life Is Good: Why Do I Need ‘Cover Your Asterisk’

That brings us to our topic for today. Having said all of the above, how do you really know if your server has been compromised by some zero day attack vector that none of us yet know about? After all, there are tens of thousands of applications installed on a typical Linux server. And a zero day vulnerability could be hiding almost anywhere.

First, a few words about what Cover Your Asterisk is not. This application won’t detect previously compromised servers! Wearing a condom the day after your wild night on the town isn’t all that helpful. If your server has been running as a public web server for the last 5 years, then our best advice is to start with a fresh install to a new, secured server. Then manually copy the settings (not the files!) from your old server to the new platform. Now you’re ready to protect your server.

Second, more than a few words about the VoIP environment in which we find ourselves. If you’re running any of the so-called Asterisk aggregations including PBX in a Flash, Incredible PBX, AsteriskNOW, FreePBX Distro, or Elastix, then your server includes some flavor of the FreePBX GUI, a web-based application to manage and configure Asterisk. As part of the FreePBX GUI setup, you give FreePBX 2.11 and beyond an expansive set of privileges on your server. These include read, write, and delete access to all of your web assets, all of your VoIP-related MySQL database assets, and all of your Asterisk assets. You also grant FreePBX rights to inventory and monitor critical pieces of information about your server so that you can be informed about pertinent FreePBX updates. We don’t see this as a bad thing. But, even with the incredibly talented FreePBX development team, this application design can be dangerous for a number of reasons not the least of which is the events of the past week. Consider for a moment a scenario in which a disgruntled employee or a web vulnerability allows somebody to modify a critical Asterisk configuration file such as manager.conf which controls access to the Asterisk Manager Interface, or to adjust MySQL’s admin.ampusers table which controls web access to the FreePBX GUI, or even to insert a malicious module into FreePBX which "looks and feels" like part of FreePBX. When you don’t know what you’re looking for, detecting subtle changes can be extremely difficult even for the most talented people in the business. For everyone else, it’s next to impossible. This is especially true when the changes aren’t noticeable in the standard day-to-day operation of your server. That was what led us to conclude that an additional detection mechanism was essential to highlight hidden changes made to any of the critical components that make up the Asterisk platform. Thus was born Cover Your Asterisk.

The Elastix folks apparently weren’t comfortable with this arrangement and forked FreePBX years ago and moved to a self-managed environment. The drawback has been their pace of releasing updates and patches, and that apparently applies to the unaddressed ARI bug as well.

The remaining aggregations all function as we’ve described. Before we delve into Cover Your Asterisk, here’s a little known tip. On the output side, FreePBX is basically a code-generator for Asterisk. Once you’ve configured your server using the FreePBX GUI, there is no Asterisk-FreePBX linkage of which we’re aware that requires your web server to remain operational. That turns out to be a good thing. What this means is you can shut down Apache and still have a fully functional Asterisk server with all of the functionality of your FreePBX-designed configuration. Given the times in which we live, that may not be such a bad idea.

An Overview of Cover Your Asterisk

So what does Cover Your Asterisk do? What we’ve sought to do with this GPL2 application is to take a snapshot of your most valuable Asterisk and FreePBX assets and then create checksums of all the individual components. This includes the /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directories as well as the Asterisk DB and MySQL’s asterisk database. Periodically, you then run another script which compares your current setup to the previous snapshot and identifies the changes for further examination. Once you are satisfied that any reported changes are legitimate, you then take a new snapshot of your server and periodically check it to make certain no unexpected modifications have crept into your system. A duplicate of these production assets is always maintained in a separate directory structure (/etc/asterisk.snapshot) accessible only by root. It can easily be converted into a gzipped tarball: tar -cvzf cya.tar.gz /etc/asterisk.snapshot. Then simply store the tarball off site for a rainy day emergency… when the sky falls once again.

Because this application was designed for production servers, its testing and scope have been limited to the Asterisk 11 and FreePBX 2.11 platform. For our installed base, that translates into PIAF-Green with FreePBX 2.11 and all flavors of Incredible PBX 11 running atop CentOS, Scientific Linux, Ubuntu 14, Debian, and Raspbian platforms on both Intel and ARM hardware including the Raspberry Pi, BeagleBone Black, CuBox, and PogoPlug.
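The snapshot-and-compare cycle described above, reduced to files only, as an added example that is not the Cover Your Asterisk code: take_snapshot writes a SHA-256 manifest for a directory tree and check_snapshot reports files added, changed or removed since. The function names and the throwaway tree built by demo are constructed for illustration; the Asterisk DB and MySQL contents the real tool also covers are out of scope here.

```shell
#!/bin/sh
# Added example: checksum-manifest snapshot and comparison for a directory tree.
# Function names and paths are hypothetical; this is not Cover Your Asterisk code.

# Print the SHA-256 of one file, using whichever tool this host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# take_snapshot DIR MANIFEST
# Writes "<sha256>  <relative path>" for every regular file under DIR, sorted
# by path. Keep MANIFEST outside DIR. File names containing newlines are not
# supported.
take_snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done ) > "$2"
    chmod 600 "$2"    # manifest readable and writable by its owner only
}

# check_snapshot DIR MANIFEST
# Prints one ADDED / CHANGED / REMOVED line per difference.
# Returns 0 when the tree matches the manifest, 1 when it does not.
check_snapshot() {
    cur=$(mktemp) || return 2
    take_snapshot "$1" "$cur"
    diffs=$(awk '
        # First file: the stored manifest. The path starts at column 67
        # (64 hex digits plus two spaces), so spaces in paths are preserved.
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67)
            if (!(path in old))       print "ADDED   " path
            else if (old[path] != $1) print "CHANGED " path
            seen[path] = 1
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Constructed demonstration on a throwaway tree; no real server path is touched.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/etc/asterisk" "$root/agi-bin"
    printf '[general]\nenabled = yes\n' > "$root/etc/asterisk/manager.conf"
    printf '#!/bin/sh\necho old\n' > "$root/agi-bin/old.agi"
    take_snapshot "$root" "$root.manifest"

    # Changes made after the snapshot: one edit, one new file, one deletion.
    printf '[newuser]\nsecret = constructed\n' >> "$root/etc/asterisk/manager.conf"
    printf '#!/bin/sh\necho new\n' > "$root/agi-bin/new.agi"
    rm -f "$root/agi-bin/old.agi"

    check_snapshot "$root" "$root.manifest"
    rc=$?
    rm -rf "$root" "$root.manifest"
    return $rc
}

# Command-line use: snapshot DIR MANIFEST | check DIR MANIFEST | demo
case "${1:-}" in
    snapshot) take_snapshot "$2" "$3" ;;
    check)    check_snapshot "$2" "$3" ;;
    demo)     demo ;;
esac
```

A manifest stored on the same server can be rewritten by whoever altered the files, which is why the off-site copy mentioned above matters.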

Installation and Operation of Cover Your Asterisk

Log into your Asterisk 11 server as root and issue the following commands to install the Cover Your Asterisk software:

cd /root
wget http://incrediblepbx.com/cover-your-Asterisk.tar.gz
tar zxvf cover-your-Asterisk.tar.gz
rm -f cover-your-Asterisk.tar.gz

To take the original snapshot of your server, run: /root/protect-your-ASSets.sh

To check your current setup against the snapshot, run: /root/check-your-ASSets.sh

To compare a file with its snapshot, run: diff /dirpath/filename /etc/asterisk.snapshot/dirpath/filename

To restore a snapshot file to your current Asterisk configuration, run these commands:

cp -p /etc/asterisk.snapshot/etc/asterisk/filename /etc/asterisk/filename
amportal restart

For Raspberry Pi and BeagleBone Black users, change the MySQL root password in both scripts:

sed -i 's|passw0rd|raspberry|' /root/protect-your-ASSets.sh
sed -i 's|passw0rd|raspberry|' /root/check-your-ASSets.sh

Finally, let us close with several recommendations. First, before making changes to your server with FreePBX, always run check-your-ASSets.sh, correct any detected problems, and then run protect-your-ASSets.sh to create a new snapshot of your server. After making any changes with the FreePBX GUI, run check-your-ASSets.sh again to verify that the changes you sought to make were, in fact, the changes that actually were made to your server. Then finish up by taking a new snapshot. These scripts take less than 30 seconds to run on a typical server so this is not a cumbersome process.

Before you restore any snapshot file or if you are puzzled by any changes you see listed after running check-your-ASSets.sh, we strongly recommend that you first seek advice from the gurus on the PIAF Forum. They can help you identify the severity of the problem, if any, and recommend an appropriate course of action for correction of the problem.

Finally, a cautionary note. Cover Your Asterisk is still a project in development. This means there will be changes/improvements as the coming weeks go by. One wrinkle with updates is your previous snapshots will have to be checked before you update. And then the newest protect-your-ASSets.sh script will need to be run following the update. To keep track of future releases and what’s included, visit this development thread on the PIAF Forum. Enjoy!

Originally published: Monday, October 6, 2014



Hold On to Your Wallet: Another Huge VoIP Phone Bill May Be Lurking


We interrupt our regularly scheduled content to bring you an urgent security alert. A couple days ago, a FreePBX® user reported unusual call activity. He traced the calls to a System Admin Dashboard module that was linked back to an IP address in the Netherlands. When the problem was reported, the FreePBX Community Manager quite accurately noted that it wasn’t FreePBX code. When a second user reported the exact same exploit, alarm bells apparently went off.

Further digging by the FreePBX Dev Team found that the legacy ARI module (once again) had been compromised, this time with a Remote Code Execution and Privilege Escalation exploit. Previous security vulnerabilities in this module led the PBX in a Flash developers many years ago to abandon the FreePBX security model in favor of Apache security so that we could totally block ARI access unless the user had administrator privileges. We want to stress that this wasn’t the fault of any of the current FreePBX developers. Instead, our move to Apache security was based upon our realization that this old legacy code was difficult to maintain because none of the original developers were still around. To their credit, the FreePBX developers have introduced a new User Control Panel with the strongest recommendation that the older ARI module be abandoned. Unfortunately, it still exists on all but the very latest FreePBX 12 systems including FreePBX 12 systems which were upgraded from a previous release. In addition, FreePBX 12 now provides checksum protection for all registered modules which will go a long way toward eliminating attacks such as this. So what can you do to protect your servers and your wallet today? For openers, upgrade your FreePBX fw_ari module NOW and clean the malicious module off your server:

rm -rf AMPWEBROOT/admin/modules/admindashboard
amportal a ma upgrade fw_ari

If you encounter an error that FreePBX cannot connect to the Asterisk Manager, do the following from the Linux CLI:

sed -i 's|localhost|127.0.0.1|' /etc/freepbx.conf
amportal restart
amportal a r

Protecting Your Server from Remote VoIP Attacks

Let’s approach the long-term solution on several levels starting with vulnerability exposure. If you can access TCP ports 22 (SSH) and 80 (HTTP) and TCP/UDP port 5060 (SIP) of any of your Asterisk® and FreePBX-based servers anonymously from the Internet, you’re either nuts or rich.

We’ve cautioned against this for nearly a decade and yet even some developers still configure Asterisk and FreePBX-based servers with port 80 Internet exposure. Why? We can only assume it’s because it makes their job of accessing and maintaining these systems easy. Don’t do it! There still are numerous ways to gain access to the FreePBX GUI on any server. Here’s our short list…

Safest. Put your server behind a hardware-based firewall with no Internet port exposure. Then use a VPN to access the FreePBX GUI. In a perfect world, you can run a VPN on all of your VoIP phones so that you have end-to-end protection for your server and all of your users.

Safer. If a hardware-based firewall isn’t possible, use the Linux IPtables firewall and lock down all the ports on your server, especially TCP ports 22 and 80 and TCP/UDP port 5060. Then create a WhiteList of IP addresses that need access privileges. It’s worth stressing that Fail2Ban is completely worthless when it comes to security vulnerabilities such as the ARI RCE flaw because the bad guys walk right in without even being challenged for a password.

Safe. If you need remote access from various remote locations and these sites have dynamic IP addresses, then deploy the Port Knocker technology in addition to locking down your server with the IPtables firewall. This lets you gain temporary access to your server without providing a blank check (literally) to everybody on the Internet. There’s a reason it’s called the World Wide Web and not the Good Guys Web!

Worse. Exposing TCP port 5060 and UDP port 5060 to public Internet access is dangerous. Some providers unfortunately still require direct access to 5060 to make VoIP calls with SIP. TIP: Switch to a provider that allows SIP registrations so that you don’t have to expose port 5060 directly to the Internet EVER!

Worser. Pardon our grammar, but exposing TCP port 22 to public Internet access is a bad idea. At the very least, change the SSH port so that typical port scanners don’t discover your open SSH port. SSH has been compromised in the past. It probably will happen again, or it may have already happened and we just don’t (yet) know about it. Fail2Ban helps with SSH attacks, but it’s not infallible particularly when high performance servers are used in the attacks. Fail2Ban has to scan your logs and, before it can do that, it has to have a sufficient time slice to accomplish the scan, something that may never happen with an attack launched from a platform such as Amazon EC2.

Worst. Never expose TCP port 80 to public Internet access. If you do, then you obviously haven’t had the pleasure of trying to maintain a public web server. TIP: Unless you are a web expert or sleep with one, don’t do it EVER! Earlier this week BASH provided a revolving door to your Internet assets using simple web requests. Earlier this year, OpenSSL was compromised. There will be another vulnerability because it’s the easiest attack target. So it’s just a matter of time until your server is compromised unless you deploy an effective firewall that blocks public access to port 80.
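An added check, not part of the original post or of Incredible PBX: it reads iptables-save output and reports any INPUT rule that accepts port 22, 80 or 5060 without a source restriction, the condition a locked-down firewall with a WhiteList is meant to rule out. The function names and the sample ruleset (documentation-range addresses) are constructed; only the INPUT chain's default policy and rules with an explicit --dport or --dports are examined, and jumps to user-defined chains are not followed.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for unrestricted access to the
# ports this article warns about. Names and sample data are hypothetical.

# Constructed sample in iptables-save format. Two rules are whitelisted to a
# single source address; two accept traffic from anywhere.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp -m udp --dport 5000:5100 -j ACCEPT
COMMIT
EOF
}

# audit_ruleset [FILE]
# Reads iptables-save output from FILE (or stdin) and prints one line per
# finding. Returns 0 when nothing is found, 1 otherwise.
audit_ruleset() {
    awk -v ports="22 80 5060" '
        BEGIN { n = split(ports, want, " ") }

        # Chain policy line, for example ":INPUT DROP [0:0]".
        $1 == ":INPUT" && $2 == "ACCEPT" {
            print "POLICY INPUT default is ACCEPT"; bad = 1
        }

        $1 == "-A" && $2 == "INPUT" {
            src = ""; dports = ""; target = ""; proto = "any"
            for (i = 3; i <= NF; i++) {
                if ($i == "-s" || $i == "--source")
                    # A negated source ("! -s x") does not restrict access.
                    src = ($(i-1) == "!") ? "" : $(i+1)
                else if ($i == "-p")     proto  = $(i+1)
                else if ($i == "--dport" || $i == "--dports") dports = $(i+1)
                else if ($i == "-j")     target = $(i+1)
            }
            if (target != "ACCEPT" || dports == "") next
            if (src != "" && src != "0.0.0.0/0") next    # whitelisted source

            # dports is a comma list of single ports or lo:hi ranges.
            m = split(dports, item, ",")
            for (k = 1; k <= n; k++)
                for (j = 1; j <= m; j++) {
                    c  = split(item[j], r, ":")
                    lo = r[1] + 0
                    hi = (c < 2) ? lo : (r[2] == "" ? 65535 : r[2] + 0)
                    if (want[k] + 0 >= lo && want[k] + 0 <= hi) {
                        print "OPEN " proto "/" want[k] ": " $0
                        bad = 1
                        break
                    }
                }
        }
        END { exit (bad ? 1 : 0) }
    ' "${1:--}"
}

# Command-line use: "demo" audits the constructed sample; "audit FILE" audits
# a saved dump. On a live server the input would come from iptables-save.
case "${1:-}" in
    demo)  sample_ruleset | audit_ruleset ;;
    audit) audit_ruleset "$2" ;;
esac
```

On the sample, the two whitelisted rules pass while the multiport rule and the 5000:5100 range are reported, the latter because the range contains 5060.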

Server Design Still Matters

For our own PBX in a Flash and Incredible PBX users, you can sleep well tonight. Today’s vulnerability is mostly academic for you. PBX in a Flash blocks all access to ARI without the maint password. Incredible PBX blocks all access to ARI through its IPtables WhiteList. It’s still a good idea to apply the FreePBX update just to be double-safe. And Incredible PBX users will have the patch applied the next time they log into their server as root. For everyone else using FreePBX, keep reading.

With our Incredible PBX open source project, we provide state-of-the-art security methodology. While it is not infallible, all of the code is freely available for any and all VoIP developers to review, improve, and deploy. We would encourage our fellow VoIP developers to do so. There were reasons in the past for not deploying Apache security. After all, it lacks the flexibility of the FreePBX security model, and Apache also can be compromised. But we can’t think of any reason today for not deploying a hardened, preconfigured IPtables firewall AND a functional WhiteList as an integral component in every VoIP server install. This is especially important for any product deployed with the FreePBX GUI. Our Travelin’ Man 3 WhiteList implementation has been available for more than 2½ years! While there are downsides to any sort of push technology, we also believe the Incredible PBX (opt-in) update service is worth a careful look. It has been a godsend for us. With every new login, the server checks for important updates and processes them unless the administrator chooses not to use the service.

Keep in mind that FreePBX masquerading as the asterisk user has complete read/write privileges to virtually every Asterisk and web asset on your server. Any compromise is extremely dangerous because the asterisk user on these platforms has such expansive privileges. We recently encountered a trojan authorization lurking inside the permissions list of Asterisk’s manager.conf table. The matter is still under investigation so we can’t reveal much more other than to note that the entry was harmless on the few affected Incredible PBX servers because of the hardened IPtables WhiteList which is a key component of every Incredible PBX server. Had this happened on a server with no firewall protection, the intruder would have had complete access to the Asterisk AMI which pretty much gives the intruder a blank check to Asterisk… using your checkbook. The silver lining was the Incredible PBX update utility which provided a quick way to remove the vulnerability.

The FreePBX Dev Team’s efforts to design and deploy a checksum-based system for FreePBX 12 modules is certainly a step in the right direction. We think more safeguards are warranted. We already are exploring new ways to provide alerts when critical Asterisk or FreePBX resources are modified on PBX in a Flash and Incredible PBX servers. Something akin to the Mac’s admin authorization requirement before critical Asterisk or FreePBX changes are made would be ideal, but we have some other ideas as well. Stay tuned!

Originally published: Wednesday, October 1, 2014

