
The Next Plateau: VoIP Communications with Asterisk in Amazon’s EC2 Cloud


We’ve spent considerable effort exploring and enhancing the VoIP cloud offerings for our followers, and today we’re delighted to introduce another terrific service: Amazon’s Elastic Compute Cloud (EC2). This is one of several Amazon Web Service (AWS) offerings that provides resizable compute capacity in the cloud and is designed to make web-scale computing easier for developers. That’s the Amazon pitch for their service. Ours is a bit different. For anyone with mission-critical operations or that has ever given a moment’s thought to business continuity planning (THINK: hurricanes, tornadoes, earthquakes, blizzards, fires, floods, bombs), you need an EC2 backup plan for VoIP communications. It really doesn’t matter whether your organization uses a proprietary phone system, or Asterisk®, or good ol’ black telephones, the point is simply this. When your lights go out and you still need a communications system for your employees and your customers, what’s your plan? Staying home in bed isn’t a choice for most folks. So our focus is not to persuade anybody to move their primary communications platform to Amazon EC2 although it’s certainly worth considering. For today, let’s tackle emergency planning and Disaster Recovery 101 for that dreadful day when you really don’t have a choice. And D-Day is a really bad day to start thinking about communications alternatives. You’ll have plenty of other things to do.

We’re going to make this fun today and provide all the tools you’ll need to set up shop in Amazon’s EC2 Cloud. The good news is that EC2 is almost free for your first year so getting started isn’t going to be a financial burden. Once you have everything built, you can turn it off and hope you never have to use it. On the other hand, it’s dirt cheap for an entire year so enjoy yourself and learn why VoIP communications can revolutionize your business at a fraction of the cost of a proprietary communications system. For our Asterisk aficionados that have already discovered the beauty of free VoIP communications, we’ve got some additional goodies today, Incredible Backup and Incredible Restore, that will let you quickly move your communications platform back and forth between EC2 and a local server or virtual machine effortlessly.

For those just getting started, the real beauty of VoIP communications is that, once your server platform is operational, you can bring up communications services for your employees without any hardware investment. A notebook computer and a free SIP softphone will let you make and receive calls through your EC2 communications system. By adding trunks from Google Voice or any SIP service provider, you complete the communications circle to connect to any phone in the world. We do this for a living so, if your business needs some hand-holding to get started, drop us a note. We like to travel.

The Choice is Yours: PIAF-Purple with Asterisk 1.8 or PIAF-Green with Asterisk 11

Getting Started. For your communications platform, we’ve built two new versions of PBX in a Flash™ for Amazon EC2: PIAF-Purple and PIAF-Green. You can’t beat the price. Both are free! These two builds are based upon the two long-term support (LTS) releases of Asterisk: 1.8 and 11. In our testing, both are rock solid and production-ready. If tried and true is your cup of tea, then PIAF-Purple with Asterisk 1.8 and FreePBX 2.10 is your baby. If you want to get a jump on the future, then PIAF-Green with Asterisk 11 and FreePBX 2.11 is worth a careful look. But, to use either one, you first need to get set up with an Amazon EC2 account. So head over to Amazon and click on Sign Up Now. A word to the wise here. You don’t want the bad guys breaking into your account unless you have an unlimited budget. There are lots of non-free Amazon EC2 services that could max out your credit card quickly. So, in addition to signing up for your Amazon account, also activate Multi-Factor Authentication. It’s your bank account!

Once your account is activated, sign in to the Amazon Management Console. After entering both your passwords, the AWS Management Console will appear. Click on EC2 to bring up the EC2 Dashboard (shown above). This is home base in EC2. The Launch Instance button is used to start a new virtual machine. We’ll walk you through that process in a minute. In the left margin are the functions you’ll be using most often. Instances displays your existing virtual machines, both running and stopped. Volumes are the virtual hard disks associated with your virtual machines or instances in Amazon-speak. A volume gets created as part of the VM launching process. When you delete instances, it’s important to also delete the associated volume, or you get billed for it separately. Elastic IPs lets you assign an IP address to an Instance using Amazon’s DHCP servers. You access your virtual machines using SSH and, without an IP address, you can’t gain access. For SSH security, EC2 uses Key Pairs. As part of launching a new virtual machine, we’ll walk you through creating one. Amazon EC2 also has its own firewalls called Security Groups. Basically, all services are blocked until you open them up. We’ll also walk you through that process as well. Once you’ve created your Key Pair and Security Group, you can use them with multiple instances. Now you’re an expert so let’s Launch a New Instance.

Creating a New Virtual Machine. Click on the blue Launch Instance button in the EC2 Dashboard to begin. Choose Classic Wizard. You build a new instance by starting with one that someone else has already built. Be careful here. There are literally thousands to choose from and, unless you know the creator, use Name Brand, trusted instances only. Anybody can hide anything in an instance that they’ve made publicly available. Think of your worst Trojan Horse horror story, and there’s probably a public Amazon instance to match it. For our purposes, the magic number you need to know is 399149154715. That’s our Amazon EC2 account number, and it means any instances prefixed with that number or our mugshot were created by us. So click on the Cloud Market and search for PIAF. In about a minute, both PIAF2 AMIs will appear. Pick your favorite but be sure the file name displays our smiling face. Then click Select.

For the Instance Type, make sure T1 Micro is chosen. That’s the only free option during your first year. Leave the Availability Zone at No Preference and Number of Instances set to 1. Click Continue. In Advanced Instance Options, accept all of the defaults and click Continue. For Storage Device Configuration, accept the defaults by clicking Continue. Next, you’ll be prompted to add Tags to your Instance. This is a short-hand description to help you distinguish one instance from another. For the Name Value, enter something like PIAF-Purple-64 or PIAF-Green-64 and click Continue. Next, you’ll be prompted to create a Key Pair to use with the instance. If you don’t already have one, click Create New Key Pair and Continue. Once the key pair is created, the .pem file will be downloaded to your desktop computer. Change the permissions on the .pem file to what SSH requires: chmod 700 mykey.pem. You’ll need this key file to log into your instance with SSH so move it to a safe place.

Next, you’ll create or use an existing Security Group. This sets up the firewall rules to use with your instance. For PBX in a Flash, you’ll need at least the following Inbound Rules in your Security Group: TCP 22 (SSH), TCP 80 (Web), TCP 1723 (for PPTP VPN only), and TCP 9001 (for WebMin access). For VoIP services, you’ll need UDP 5060 (SIP), UDP 10000-20000 (RTP), UDP 4569 (IAX), and UDP 69 (TFTP, if desired). EC2 lets you lock down Security Group entries to individual IP addresses. We strongly recommend this for SSH, Web, SIP, IAX, and TFTP services. If you need access from multiple IP addresses, just add additional Security Group rules for each address and service. Finally, you’ll be shown a summary of all your selections. If everything looks OK, click Launch to start the instance. While it’s starting up, click Elastic IPs from the left column of the EC2 Dashboard. Choose Allocate New Address and then Associate Address to connect it with the instance that just launched. Write down the IP address. You’ll need it for SSH access. Finally, click Instances and wait for your virtual machine to come on line with a green check mark.
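The rule set above, and the lock-down advice that goes with it, as an added example that is not part of the original article: a small Python helper that emits the aws CLI commands for the PIAF inbound rules and audits an existing Security Group (in the JSON shape returned by aws ec2 describe-security-groups) for SSH, Web, SIP, IAX or TFTP rules left open to the whole Internet. The group id, source addresses and the sample group record are constructed placeholders.

```python
"""Build the PBX in a Flash inbound rule set and audit a Security Group.

Added example, not code from the article.  The group id and CIDRs below are
constructed placeholders; the sample record mimics the IpPermissions layout
of ``aws ec2 describe-security-groups`` output.
"""
import json

# (protocol, from_port, to_port, purpose) exactly as listed in the article.
PIAF_RULES = [
    ("tcp", 22, 22, "SSH"),
    ("tcp", 80, 80, "Web"),
    ("tcp", 1723, 1723, "PPTP VPN"),
    ("tcp", 9001, 9001, "WebMin"),
    ("udp", 5060, 5060, "SIP"),
    ("udp", 10000, 20000, "RTP"),
    ("udp", 4569, 4569, "IAX"),
    ("udp", 69, 69, "TFTP"),
]

# Services the article says to restrict to individual source addresses.
LOCK_DOWN = {"SSH", "Web", "SIP", "IAX", "TFTP"}
ANYWHERE = ("0.0.0.0/0", "::/0")


def authorize_commands(group_id, sources):
    """Return the aws CLI commands that create the PIAF rule set.

    ``sources`` maps a purpose to the list of CIDRs allowed to reach it.
    A LOCK_DOWN service that would be opened to the whole Internet raises
    instead of silently producing a wide-open rule.
    """
    cmds = []
    for proto, lo, hi, purpose in PIAF_RULES:
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        cidrs = sources.get(purpose, ["0.0.0.0/0"])
        if purpose in LOCK_DOWN and any(c in ANYWHERE for c in cidrs):
            raise ValueError(f"{purpose} must be limited to specific addresses")
        for cidr in cidrs:  # one rule per address, as the article suggests
            cmds.append(
                f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                f"--protocol {proto} --port {port} --cidr {cidr}"
            )
    return cmds


def audit_security_group(sg):
    """Return (purpose, cidr, port_range) for every LOCK_DOWN service that an
    existing permission exposes to 0.0.0.0/0 or ::/0.  A permission covering a
    wider port range (or protocol -1, all traffic) counts as exposing it too."""
    findings = []
    for proto, lo, hi, purpose in PIAF_RULES:
        if purpose not in LOCK_DOWN:
            continue
        for perm in sg.get("IpPermissions", []):
            p = perm.get("IpProtocol")
            if p not in (proto, "-1"):
                continue
            f = 0 if p == "-1" else perm.get("FromPort", 0)
            t = 65535 if p == "-1" else perm.get("ToPort", 65535)
            if f > lo or t < hi:  # permission does not cover this service's ports
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for c in cidrs:
                if c in ANYWHERE:
                    findings.append((purpose, c, f"{f}-{t}"))
    return findings


# Constructed sample: SSH open to the world, SIP correctly pinned to one
# address, RTP open (not in LOCK_DOWN), plus a catch-all TCP rule.
SAMPLE_SG = json.loads("""
{"GroupId": "sg-PLACEHOLDER", "GroupName": "piaf-example",
 "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "udp", "FromPort": 5060, "ToPort": 5060,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
  {"IpProtocol": "udp", "FromPort": 10000, "ToPort": 20000,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
 ]}
""")

if __name__ == "__main__":
    admin = ["203.0.113.10/32"]  # constructed office address
    for line in authorize_commands("sg-PLACEHOLDER", {
            "SSH": admin, "Web": admin, "WebMin": admin, "IAX": admin,
            "TFTP": admin, "SIP": admin + ["198.51.100.7/32"]}):
        print(line)
    for finding in audit_security_group(SAMPLE_SG):
        print("OPEN TO INTERNET:", finding)
```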

Your First Login. Now you can log into your EC2 instance via SSH using your key file and the IP address associated with the instance: ssh -i mykey.pem -v ec2-user@54.235.12.34. If you’re using a Windows machine with PuTTY, use PuTTYgen.exe to convert your .pem key into something PuTTY can understand before attempting to log in. Once you’re logged in, you need to immediately change all the default passwords:

  • sudo passwd (to change your ec2-user password)
  • sudo passwd root (to change your root password)
  • su root (to switch to the root account with your new password)
  • passwd-master (to change your FreePBX and web passwords)
  • cd /root (to switch to the /root directory)

Keep in mind that PBX in a Flash is a little different than a standard Linux install. It has been designed for use as the root user only. So, whenever you log into a PIAF instance in EC2, always execute su root and then, inside the root shell, cd /root. Most Linux and PBX in a Flash utilities will not work properly if you attempt to execute them as the ec2-user! For web access and management of your server, point your browser to the IP address of your EC2 instance. If you’re new to PBX in a Flash, stop here and read the PBX in a Flash 2.0.6.3 Quick Start Guide. It’ll tell you everything you need to know to get started with PBX in a Flash.

Installing Incredible PBX. We’ve got a few more surprises for you today. First, there are new, GPL2-licensed releases of Incredible PBX: version 10 for FreePBX 2.10 and version 11 for FreePBX 2.11. If you’re new to all of this, Incredible PBX provides some additional layers of security for your server while also giving you dozens of turnkey Asterisk applications including text-to-speech, speech-to-text, SMS messaging, news, weather, stocks, and tide reports, and much more. You can read the Incredible PBX tutorial here. To install Incredible PBX while logged into your EC2 instance as root, issue the following commands and plug in your passwd-master password when prompted. If you’re using the PIAF-Green AMI, replace incrediblepbx10 with incrediblepbx11 below.

cd /root
wget http://incrediblepbx.com/incrediblepbx10.gz
gunzip incrediblepbx10.gz
chmod +x incrediblepbx10
./incrediblepbx10

Installing Incredible Fax. Yes, there’s more. Incredible Fax also works just fine on the EC2 platform. If you want the added convenience of having your Incredible PBX double as a free fax machine, run install-incredfax2 after the Incredible PBX 10 install completes. For Incredible PBX 11, run /root/incrediblefax11.sh. Plug in your email address for delivery of incoming faxes and enter your home area code when prompted. For every other prompt, just press the Enter key. If you’d like to also add the optional OCR utility, just choose it when prompted. For complete documentation, see this Nerd Vittles article. Don’t forget that a REBOOT OF YOUR SERVER is required when the install is finished, or faxing won’t work! Then log in to AvantFax through the PBX in a Flash GUI using maint:password. Be sure to change your password!

Also be sure to set up a second, dedicated Google Voice number if you want support for inbound faxing. Once the Google Voice credentials are configured in FreePBX for the additional Google Voice line, simply add an Inbound Route for this DID to point to the fax destination. Just plug in your 10-digit Google Voice number and other entries shown in the form below. Save your setup and reload FreePBX. Done!

Introducing Incredible Backup and Restore. Last, but not least, we have new GPL2-licensed backup and restore utilities to simplify the task of moving PBX in a Flash setups between Amazon EC2 and other standalone or virtual machine platforms. To complement these new utilities, we’ve also released a new 64-bit PIAF-Purple Virtual Machine image for VirtualBox. PIAF-Purple-64.ova is a free download from SourceForge and will run under VirtualBox on any Windows, Mac, Linux, or Solaris desktop computer. Our VirtualBox tutorial is available here. You also have the option of downloading the current 64-bit PIAF-20631 ISO from SourceForge and building your own server or virtual machine. All three platforms (Amazon EC2 AMI, VirtualBox OVA, or PIAF 64-bit ISO) are 100% compatible with Incredible PBX, Incredible Fax, and the new Incredible Backup. Once you have matching platforms, you can backup your PIAF or Incredible PBX setup on one platform and then restore it to a different platform by simply copying the backup image to the new platform and running Incredible Restore. The entire procedure takes only a couple of minutes.

To install the backup and restore utilities on either of the platforms, simply issue the following commands:

cd /usr/local/sbin
wget http://incrediblepbx.com/incrediblebackup10.tar.gz
tar zxvf incrediblebackup10.tar.gz
rm incrediblebackup10.tar.gz

Because Incredible Backup shuts down Asterisk, MySQL, and Apache, do NOT run this when folks are using your PBX! To make a backup, log into your server as root and type: incrediblebackup.

The restore procedure essentially erases ALL of your existing FreePBX, Asterisk, TFTP, and web data. To restore a backup, copy the backup file to be restored to /tmp on the new server. Make sure the new server has Asterisk, FreePBX, and Incredible PBX versions that match what’s shown in the backup filename. There is NO error checking presently. To restore, log into your server as root, write down the filename of the backup file, and type: incrediblerestore /tmp/filename.tar.gz. If this is a new server and you’re still using your old one as well, then remove the DUNDI secret and secretexpiry entries from the Asterisk DB and restart Asterisk once the restore is completed:

asterisk -rx "database del dundi secret"
asterisk -rx "database del dundi secretexpiry"
amportal restart

For additional usage instructions and tips, see this thread on the PIAF Forum. Enjoy!

Originally published: Monday, February 11, 2013  Updated: Thursday, February 14, 2013


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forum. It’s the best Asterisk tech support site in the business, and it’s all free! Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you.



Sleep Like a Baby: 20 Failsafe Tips to Enhance Asterisk PBX Security

We often tell the tale of the early Asterisk@Home days when almost every server was configured with no firewall, unlimited web access, and a 201 extension with a password of either 201 or 1234. What could possibly go wrong? Remember this Monday morning newspaper headline? "Small business gets $120,000 phone bill after hackers attack VoIP phone." News.com.au ran this story back in 2009: "Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours… 115,000 international mobile calls were made… over a six month period."

Much has changed over the past ten years in Asterisk® Land. And, to get everyone in the football mood, today we want to do a little sofa quarterbacking and take a fresh look at security applying some 20-20 hindsight to everything we’ve all learned over the years. Whether you’re running PBX in a Flash or Incredible PBX in your basement or on a virtual machine in the cloud somewhere, security matters and the checklist that follows hopefully will assist everyone in tightening up your systems so that you or your company aren’t the next headline waiting to happen.

PBX in a Flash Security Alert: Run upgrade-programs then upgrade-fixes to secure your server today!

1. Review PIAF Security Alerts Daily. We devote a lot of time to making sure PBX in a Flash and Incredible PBX are secure. But stuff happens! For privacy and security reasons, we don’t push fixes to your server. You have to go get them. If you never see the alerts, our attention to security is for naught. Here are 3 Easy Ways to Keep Informed:

  1. Subscribe to the PBX in a Flash RSS Security Feed
  2. Follow @NerdUno on Twitter
  3. Review the RSS Feed in the PIAF Dashboard with a browser

Every security alert has a link to a solution. Finally, visit the PIAF Forums and click on the What’s New link. It only takes a minute to scan the list for security issues.

2. Hardware-Based Firewall Protection. Unless your PBX is operating on a shared server in the cloud, always run it on a private LAN behind a hardware-based firewall with no Internet port exposure. The one exception would be for those with remote telephone extensions, and we’ll get to that in a minute. The cheapest consumer grade router/firewall provides more security for your server than all of the other security mechanisms combined. Use it!

3. The Linux iptables Firewall. All PBX in a Flash and Incredible PBX servers have the iptables firewall in place. With PBX in a Flash, you have to configure it yourself unless you deploy Travelin’ Man 3. With Incredible PBX, iptables is preconfigured if you opt to install Travelin’ Man 3 as part of the installation process. It doesn’t do much good to have iptables if it’s not functioning. So check it regularly and especially after rebooting your server. On CentOS-based systems, issue the command: iptables -nL. On the Raspberry Pi, type: iptables-save. You should see a list with a lot of permitted IP addresses for preferred providers. If not, restart iptables and then check it again. To restart iptables on CentOS: service iptables restart. On the Raspberry Pi, issue the command: iptables-restore /etc/network/iptables. If you discover that your iptables firewall was not functioning and you’re running PBX in a Flash or Travelin’ Man 3, a security alert has been issued to address the problem. You can get the security fix here.

4. IP Address Filtering. Even with remote phones and dynamic IP addresses, it often is relatively easy to narrow down the range of permissible IP addresses that should have access to your server. With the Linux iptables firewall, you can implement dynamic DNS FQDNs for your remote users. With many hardware-based firewalls, you can’t. But often you can limit remote access to a range of IP addresses. A little protection is still better than none. With a hardware-based firewall, these IP address ranges usually can be changed via web access to your firewall. The minute it takes to make necessary changes is well worth the effort. Just make sure your hardware-based firewall has a long password with upper and lower case letters as well as numbers and non-alphanumeric characters if your firewall supports them.

5. Fail2Ban Access Monitoring. On PBX in a Flash and CentOS-based Incredible PBX servers, fail2ban is activated to limit access attempts to protected resources such as SIP extensions, SSH, and Apache. It is not infallible particularly in this age of megaservers such as Amazon’s S3 service. Because fail2ban reads your logs looking for failed login attempts, it can be defeated with powerful servers attempting thousands of access attempts simultaneously because fail2ban never gets sufficient Linux resources to read logs and block access. It’s better than nothing, but not by much.

6. Deploy WhiteLists for Remote Access. If your server is in the Cloud (meaning it is directly exposed to the Internet) or if you have remote extensions directly connected to your server, your primary line of defense against the bad guys is your iptables firewall. We’ve tried many designs with the objective of letting the good guys in while keeping the bad guys out. The one failsafe solution is IP address WhiteLists. What this means is, if an IP address is listed as safe in iptables, then connections to certain resources from that IP address are permitted. Otherwise, your server remains invisible to the outside world. We have a couple of tools to assist you in setting this up. Travelin’ Man 2 lets authorized users manage their remote IP addresses themselves through a simple browser interface to your server. Travelin’ Man 3 lets a system administrator manage remote IP addresses using both permitted IP addresses and fully-qualified domain names. In the case of remote users with dynamic IP addresses, DynDNS management tools can be deployed on Macs, Windows machines, and Android devices to automatically update FQDNs used in conjunction with Travelin’ Man 3. As noted previously, a security alert has been issued with Travelin’ Man 3. You can get the security fix here.

7. Remote Access with User Agent Knocking. A new approach to remote user access uses a derivative of the original Sunshine Networks port knock utility. With jeffmac’s new design, you define a customized "User Agent" string on your remote phones and then define iptables rules that permit access from SIP devices that attempt server connections using one of these obscure user agent strings. Here’s how to deploy it. To use this approach you’ll need remote phones that permit customization of the user agent string or that have sufficiently obscure, predefined user agent strings that wouldn’t lend themselves to dictionary-style, brute force hacking attempts by the bad guys.

8. Implement VPNs for PBX Systems. There are install scripts for PBX in a Flash to deploy a NeoRouter VPN or a PPTP VPN. Either or both of them can be installed and configured in minutes! VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. Encourage remote users to deploy softphones on their Windows and Mac machines, and use secure, VPN access to connect to your server using these softphones.

9. Don’t Use ‘Normal Ports’ for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you’ve done. Read that last sentence again. It’s important! With a hardware-based firewall, this is easy. D-Link routers call them Virtual Servers. Other routers have similar functionality. Here is a typical entry:

HTTP 192.168.0.150 TCP 22/2319 Allow All Always

This entry redirects a specified port to a different port for Internet access. Don’t do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. WE STRONGLY DISCOURAGE EVER OPENING HTTP ACCESS TO YOUR SERVER FROM THE INTERNET. But you may need SSH access from remote locations. For example, port 22 typically is the default SSH port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) SSH access, simply remap TCP port 22 to some obscure port and change it periodically. For example, you might redirect TCP port 22 to port 2319. Once the setting is saved, you access SSH like this from the Internet: ssh -p 2319 root@pbx.mydomain.com. Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don’t use these numbers obviously! Make up your own.

The key here is that 2 minutes work every month will keep SSH access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 22 every night while you’re sleeping. As previously mentioned, most of these routers also will let you block access to certain ports during certain hours of the day. If you’re sleeping, there’s really not much need to provide SSH access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world’s best crackers reside in countries where daytime happens to be nighttime in the U.S.

10. Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our guess is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn’t Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. It may seem obvious but really secure passwords really do matter. And it’s more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, multiply this advice by 10. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). Remember, it’s your phone bill.

11. Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn’t begin to describe some of what lies under the FreePBX covers. While the FreePBX Dev Team is vigorously rewriting much of this old code, some of it still lingers. Our recommendation is to make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.

Our rule of thumb on Internet web accessibility to any Asterisk PBX goes like this. Don’t! And for FreePBX web access from the Internet? Never! If the bad guys ever get into FreePBX, the security of your PBX has been compromised… permanently! This means you need to start over with all-new passwords and install a fresh system. You can’t fix every possible hole that has been opened on a FreePBX-compromised system!

12. Choosing VoIP Providers. So long as you use reputable VoIP providers that support registration of your SIP and IAX accounts, NO INTERNET PORT EXPOSURE TO YOUR SERVER IS EVER REQUIRED! If a VoIP provider doesn’t support SIP/IAX account registration, don’t use them! Add your public and private IP addresses in FreePBX’s Asterisk SIP Settings module to eliminate one-way audio issues.

13. Never Activate Auto-Replenishment. If you’re using VoIP providers that you pay by the minute, do your wallet a favor. Never, ever activate auto-replenishment on your accounts. By manually controlling the money flow to your accounts, you automatically insulate yourself from a huge phone bill. If something does come unglued, your financial exposure is limited to the preauthorized amount in each of your VoIP provider accounts.

14. Tighten Up International Calling. Almost every VoIP provider gives you the option of restricting international calls. If you don’t make international calls, use it! If you do make international calls, implement Outbound Routes in your FreePBX® dial plan with designated country codes. If you never call Africa, China, or cruise ships in international waters, make sure your dialplan doesn’t allow these calls.

15. Time of Day Calling Restrictions. Whether your server is for business or home use, time of day restrictions can save you a bundle. If remote telephone extensions are a must have for your server, chances are that those extensions don’t place calls in the middle of the night. Almost every hardware-based router/firewall allows creation of time of day rules for access. Implement these restrictions to minimize exposure to those that are hacking while you’re sleeping.

16. Minimize Simultaneous Calls. Especially with pay-as-you-go VoIP providers, often there is no limit to the number of simultaneous calls that can be placed from a trunk on your server. If someone manages to gain access to your accounts or your server, that can be really bad news. Some providers offer tools to restrict the number of simultaneous calls that can be placed. Take advantage of it to limit your financial exposure. Similarly, FreePBX includes a Maximum Channels option when you configure a Trunk. Don’t leave it blank. Set it to what you need to meet your needs.

17. Outbound Route Passwords. For outbound routes to international numbers and 900 numbers, always take advantage of the FreePBX Outbound Route option to prompt for a password. Just enter a numeric Route Password when you configure these outbound routes, and FreePBX will handle the rest.

18. IP Address Filtering with Asterisk Extensions. With the number of Asterisk SIP vulnerabilities reported over the years, suffice it to say IP address filtering at the Asterisk extension level is not something you should rely upon exclusively to protect your server. But it’s better than nothing. And, when used in conjunction with the other security mechanisms we’ve outlined, it provides another layer of security for your server. The extension setup in FreePBX includes the permit field which can be used to limit connections to a particular extension based upon an IP address or range of IP addresses. In addition, Travelin’ Man 2 deploys additional permit tables using an include list in sip_custom_post.conf in conjunction with include files for specified extensions, e.g. 701.inc, to define additional authorized IP addresses.

To restrict an extension to your private LAN, enter a FreePBX extension permit value like this: 192.168.0.0/255.255.255.0. You can then broaden this restricted access to specific WhiteList addresses with an include file in /etc/asterisk that looks like this:

[701](+)
permit=150.155.90.143/255.255.255.255

You, of course, would also have to authorize the specified IP address in your iptables configuration as well. That’s essentially how Travelin’ Man 2 works.

19. Check Your Logs Every Day. We’re still dumbfounded by the following quote from the article we cited above: "115,000 international mobile calls were made using the small business’s VoIP system over a six month period." Six months and they never checked their call logs? FreePBX provides an incredibly simple way to review your call logs. Click the CDR Reports link and look at your call log showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day!
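If you'd rather do the same daily review from the command line (or from a cron job that mails you the result), here's an added example that is not code from this article or from the FreePBX project. It summarizes Asterisk's cdr-csv log per day: number of calls, total billed seconds, and how many calls went to international-looking destinations, so a burst like the one quoted above stands out. The log path /var/log/asterisk/cdr-csv/Master.csv is the Asterisk default and the international-prefix test assumes U.S.-style dialing; both are assumptions, and the sample records are constructed.

```shell
#!/bin/bash
# cdr-summary: added example, not part of the article. POSIX-sh compatible.
# Usage: ./cdr-summary /var/log/asterisk/cdr-csv/Master.csv [MAX_INTL_PER_DAY]

# Constructed sample records in Asterisk's Master.csv layout (16 quoted fields):
# accountcode,src,dst,dcontext,clid,channel,dstchannel,lastapp,lastdata,
# start,answer,end,duration,billsec,disposition,amaflags
sample_cdr() {
cat <<'EOF'
"","7045551212","18005551212","from-internal","""Larry"" <7045551212>","SIP/701-00000001","SIP/vitel-outbound-00000002","Dial","SIP/vitel-outbound/18005551212,300,T","2012-03-28 09:12:01","2012-03-28 09:12:08","2012-03-28 09:15:08","187","180","ANSWERED","DOCUMENTATION"
"","7045551213","8435551000","from-internal","""Curly"" <7045551213>","SIP/702-00000003","SIP/vitel-outbound-00000004","Dial","SIP/vitel-outbound/8435551000,300,T","2012-03-28 14:40:10","2012-03-28 14:40:15","2012-03-28 14:41:15","65","60","ANSWERED","DOCUMENTATION"
"","7045551212","011441632960123","from-internal","""Larry"" <7045551212>","SIP/701-00000005","SIP/vitel-outbound-00000006","Dial","SIP/vitel-outbound/011441632960123,300,T","2012-03-29 03:01:02","2012-03-29 03:01:09","2012-03-29 03:11:09","607","600","ANSWERED","DOCUMENTATION"
"","7045551212","011441632960124","from-internal","""Larry"" <7045551212>","SIP/701-00000007","SIP/vitel-outbound-00000008","Dial","SIP/vitel-outbound/011441632960124,300,T","2012-03-29 03:12:30","2012-03-29 03:12:35","2012-03-29 03:22:45","615","610","ANSWERED","DOCUMENTATION"
"","7045551212","+441632960125","from-internal","""Larry"" <7045551212>","SIP/701-00000009","SIP/vitel-outbound-00000010","Dial","SIP/vitel-outbound/+441632960125,300,T","2012-03-29 03:25:00","2012-03-29 03:25:08","2012-03-29 03:34:58","598","590","ANSWERED","DOCUMENTATION"
"","7045551213","8435551000","from-internal","""Curly"" <7045551213>","SIP/702-00000011","SIP/vitel-outbound-00000012","Dial","SIP/vitel-outbound/8435551000,300,T","2012-03-29 10:05:00","2012-03-29 10:05:04","2012-03-29 10:05:34","34","30","ANSWERED","DOCUMENTATION"
EOF
}

# cdr_daily_summary FILE -> one line per day: "YYYY-MM-DD calls billsec_total intl_calls"
# Fields are split on the quote-comma-quote boundary, so the clid field (which
# carries doubled quotes) still lands in its own column.
cdr_daily_summary() {
  awk -F'","' '
    NF >= 14 {
      day = substr($10, 1, 10)                  # start timestamp -> calendar day
      calls[day]++
      secs[day] += $14                          # billsec
      if ($3 ~ /^(011|00|[+])/) intl[day]++    # international prefix (assumes US-style dialing)
    }
    END { for (d in calls) printf "%s %d %d %d\n", d, calls[d], secs[d], intl[d] + 0 }
  ' "$1" | sort
}

# flag_days FILE MAX_INTL -> days with more international calls than MAX_INTL
flag_days() {
  cdr_daily_summary "$1" | awk -v max="$2" '$4 > max { print $1 }'
}

# Entry point when a log file is given on the command line (threshold defaults to 10).
if [ $# -ge 1 ]; then
  cdr_daily_summary "$1"
  flag_days "$1" "${2:-10}" | sed 's/^/REVIEW: international calls over threshold on /'
fi
```

Run it against the real log once a day from cron and you get the same two numbers the CDR Reports page shows, plus a flag line whenever a single day's international calling exceeds the limit you chose.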

20. Do Some Reading… Regularly. No security implementation is complete without a little regular effort on your part: reading. If you’re going to manage your own network or PBX, then you need to keep abreast of what’s happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the FreePBX Forum, and Asterisk News. Aside from reviewing your call logs, it’s the best 15 minutes you could spend to safeguard your system.

Originally published: Monday, October 1, 2012


Astricon 2012. Astricon 2012 will be in Atlanta at the Sheraton beginning October 23 through October 25. We hope to see many of you there. We called Atlanta home for over 25 years so we’d love to show you around. Be sure to tug on my sleeve and mention you’d like a free PIAF Thumb Drive. We’ll have a bunch of them to pass out to our loyal supporters. Nerd Vittles readers also can save 20% on your registration by using coupon code: AC12VIT.



Need help with Asterisk? Visit the PBX in a Flash Forum.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

Travelin’ Man 3: Securing a PBX in a Flash or VoIP in the Cloud Server

UPDATE: Be sure to read about the latest enhancement to Travelin' Man 3 here.

We're big fans of playing with our own VoIP hardware. It has the advantage of allowing the installation of everything behind a secure, hardware-based firewall thereby eliminating almost all of the security issues associated with VoIP telephony. With PBX in a Flash™ and its Zero Internet Footprint™, you can run a secure VoIP server in your home or office with no port exposure to the Internet. This setup, of course, assumes that you have the necessary bandwidth to support Internet telephony and that you possess the necessary skill set to maintain your own Linux® server running Asterisk®, FreePBX®, Apache®, SendMail®, PHP®, and on and on. Not everyone does. And, of course, there are thousands of organizations in which employees and their phones are not colocated with the home office VoIP communications server. And, believe it or not, there are folks that run their VoIP server on the public Internet without any firewall protection. For all of you, today's your lucky day.

Lest you think that we've bitten off more than we can chew, we want to acknowledge the dozens of thought-provoking comments on the PIAF Forums that ultimately led to today's new release. That is the hidden beauty of open source development. So, thank you dad311, atsak, tbrummell, Hyksos, markieb, Ramblin, darmock, lowno, blanchae, bmore, vcallaway, jroper, mag, briankelly63, mbellot, phonebuff, The Deacon, Astrosmurfer, frontline, ou812, LostTrunk, lgaetz, kh40s, rossiv, and all of our other gurus that make the PIAF Forums a great place to learn something new every day.

Thanks to our good friends at RentPBX, who provide terrific technical and financial support to both Nerd Vittles and the PBX in a Flash project, you don't have to roll your own. And your phones can be anywhere because your communications server sits on the public Internet. If cost is a factor or for those outside the United States that need a U.S. presence to take advantage of services such as Google Voice, the $15 a month price point using the PIAF2012 coupon code makes RentPBX more than competitive with what it would cost you in electricity, Internet bandwidth, and hardware resources to do it yourself... minus the headaches. You get a stable PBX in a Flash or Incredible PBX platform from the get-go. In addition, issues of jitter and latency all but disappear from the VoIP equation because you can choose the site of your hosted PBX from a worldwide list of Internet POPs including five regions in the U.S. as well as Canada and Europe. Many sit within a few milliseconds of the Internet backbone.

What you don't have with a hosted PBX solution is a hardware-based firewall sitting between your server and the Big, Bad Internet. With PBX in a Flash, the risk is lessened because the IPtables Linux Firewall is baked into the fabric of PBX in a Flash. For a comprehensive overview of how IPtables works, read this article. It explains IPtables better than any book you could buy.

Today we're pleased to introduce Travelin' Man 3™, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that's lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce. We'll quickly cover the mechanics of this new IPtables methodology that allows you to secure your hosted PBX without compromising flexibility. The nitty gritty details of IPtables and firewalls we'll leave for you to explore at your leisure.

And, speaking of leisure, we always get the question: "Have you tested it?" For frequent readers of Nerd Vittles, you already know the answer. We eat our own dog food! In the case of Travelin' Man 3, we gave it a healthy workout just last week from the deck of the Carnival Fantasy as we passed by Cape Canaveral and in Key West with 4G service, and finally in several ports with WiFi access in the Bahamas. The beauty of the new design is you'll know instantly if it's not working because you'll never get your VoIP SIP phone to connect back to your VoIP server. We had zero problems using nothing more than an Android phone for both DynDNS updates and Bria SIP phone service. Being a pioneer isn't always easy, but... Somebody's gotta do it™. 😉

Unlike previous iterations of Travelin' Man, version 3 lets you configure remote phone access from the server and keep one or hundreds of phones in sync even with changing IP addresses using dynamic DNS update software at the sites of the remote phones. Whether the site is a remote office or a floating hotel room, any PC or Mac whether it's a desktop or netbook can automatically manage the dynamic DNS updates while keeping all of the local phones securely connected to the VoIP Cloud. And any jail-broken iPhone can manage the updates as well. With Android phones, it's even better. You have your pick of several great apps: DynDNS Client, Dynamic DNS Client, or Dynamic DNS Updater. We've found the DynDNS Client to be nearly perfect. As we'll explain in a minute, this version of Travelin' Man is not compatible with prior versions so you'll need to choose either the manual methodology of previous iterations or version 3 which does it automagically.

A New Approach to WhiteLists. Our new approach to IPtables is to lock down your server using a WhiteList of safe IP addresses and fully-qualified domain names (FQDNs) that should be given access to your hosted VoIP server. Then we'll periodically check to see if the IP addresses associated with the FQDNs have changed and make the necessary adjustments automatically. If any intruder attempts to access any port on your PBX, their packets are simply discarded by IPtables so the bad guys never know your server exists.

We've experimented with BlackLists for VoIP security, and the bottom line is they just don't work because of inherent problems with reliability and completeness. You spend your entire day updating lists of the bad guys only to discover that they've morphed to thousands of new IP addresses. Think Whack-A-Mole. IP addresses can easily be changed, and zombies have made attacks from third-party PCs a daily occurrence. Earlier this month, Nerd Vittles was hit with a denial of service attack from 30,000+ zombie PCs. This was in spite of the fact that we already block well over 100,000 IP addresses with the world's finest blacklists. Now it's 130,000. 🙄 Of course, none of the owners of these PCs had any idea how their computers were being used. I'm reminded of a famous judge's secretary who received a knock at her door one Sunday morning from the FBI. They informed her that she was using her computer to host porno movie downloads. I won't offend your tender sensibilities by repeating what she actually told those "young men."

There's also the problem of dynamic IP addresses which means an address that was used by a bad guy yesterday may be handed out by the same ISP to your grandma tomorrow. And it didn't take the bad guys long to poison blacklists with IP addresses that you actually need for services such as DNS or network time services. If you've ever had an IP address that ended up on one of the major blacklists, you know what a hassle it is to get your IP address unBlacklisted. The Soup Nazi has nothing on these folks.

Bottom Line: Public web sites are pretty much forced to use BlackLists because they want their sites to be generally accessible. With a VoIP server, we have the luxury of choice, and WhiteLists are much more effective for server security.

Overview. Our recommended design works like this. Block everything. Then permit packets from known hosts and non-routable IP addresses only, and limit known hosts to only the services they actually need. For example, a VoIP provider such as Vitelity that is providing a DID for your inbound calls doesn't need web access to your server. They need SIP and RTP access. Nothing more. The same goes for a remote user: SIP and RTP access so their SIP phone works. Nothing more. You, as Administrator, need complete access to the server but only from a specific, defined IP address. We, of course, don't want IPtables to have to inspect and filter every single packet flowing into and out of your server because that would bog things down. And we don't want users on your private LAN and remote users with dynamic IP addresses to have to wrestle with updating their phones just to stay connected. So, we've opened up all non-routable IP addresses and, once we've verified that a remote site is authorized access, then subsequent packets flowing into and out of the server for that IP address will be passed along without additional packet inspection. And once we set up the FQDN for a remote user, local dynamic DNS update clients can be used to automate the process of keeping IP addresses current. Then, every few minutes, we'll let your server check whether there's been a change in any users' dynamic IP addresses. If so, we'll simply refresh the IP addresses of all FQDNs using an IPtables restart to bring the phones back to life. To end users, The Phones Just Work™.

Finally, a word about security for VoIP in the Cloud servers. If you run a virtual machine from any hosting provider with wide open access to SIP, IAX, and web services, it's just a matter of time before your server is going to be compromised, period! If you foolishly use credit card auto-replenishment for one or more of your hosting providers then you might as well mail a blank check to the bad guys and wait for them to cash it. Today's tools will take you less than a minute to permanently lock down your server. So... JUST DO IT™.

To give you some idea of how far the Android platform has come, here are a couple screenshots of our Samsung 4G Skyrocket smartphone running three simultaneous VoIP apps all day, every day: Bria SIP extension to our PIAF2 server in Charleston, CSipSimple extension to our RentPBX VM in California, and GrooveIP session with Google Voice. Try that on your 3G iPhone 4S. 😉

We're officially releasing this for RentPBX users running PBX in a Flash or Incredible PBX 3™. These folks have been our pioneers for a very long time, and we like to take care of them first. Properly installed, Travelin' Man 3 should work fine on any PIAF™ or Incredible PBX system. We'll make a backup of /etc/sysconfig/iptables before replacing your IPtables setup with the PIAF default setup. It assumes ALL of your traffic is flowing on eth0. If that's not the case, don't use it without major modifications! We would hasten to add that Travelin' Man 3 is licensed as GPL2 open source software. So it's available NOW to everyone to use or to embellish as they see fit. We hope every provider of VoIP services offering virtual machines in the cloud as well as those without a hardware-based firewall to protect your Asterisk server will take advantage of the opportunity to customize and deploy this code for their particular IPtables environment. To paraphrase Bill Clinton: "It's your phone bill, stupid!"

Deploying Travelin' Man 3. Here's how to deploy Travelin' Man 3 on your server. In Step #1, we run secure-iptables. This locks down virtually all IP ports and services in the original IPtables configuration for PBX in a Flash to either the IP address or the FQDN of the administrator. Be advised that this setup uses the default ports for all PIAF services, e.g. SSH, WebMin, HTTP, etc. If you use custom ports, you'll need to modify the script accordingly. If the administrator is on the move or has a dynamic IP address on his or her desktop or notebook PC/Mac that will be used to administer the cloud server, then use an FQDN, not a static IP address, when you run secure-iptables.

Step #2 is automatic and is part of secure-iptables. It opens SIP and IAX port access for "trusted providers" such as Google, Vitelity, etc. This is covered in detail below. We also open accessibility from non-routable IP addresses. You obviously can close or limit private LAN access, if desired. We included it for the benefit of those running and administering PBX in a Flash on private LANs where internal security is not a concern.

In Step #3, we'll let you set up additional access for other providers, users, and phones. You get your choice of up to 9 separate services in addition to the whole enchilada, and each account gets a name and a file to keep track of the latest IP address entry: somename.iptables. These are stored in /root. Don't delete them! New accounts can be added using either a static IP address (add-ip) or an FQDN (add-fqdn). These accounts also can be deleted whenever necessary (del-acct). You can rerun secure-iptables whenever you like, but it automatically deletes all custom user accounts. Here's the list of services from which to choose. Mix and match as desired to meet your own requirements.

0 - All Services
1 - SIP (UDP)
2 - SIP (TCP)
3 - IAX
4 - Web
5 - WebMin
6 - FTP
7 - TFTP
8 - SSH
9 - FOP
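To make the design in the Overview concrete, here is an added example (not the Travelin' Man 3 scripts themselves) that renders that policy as an iptables-restore rule set: default DROP, loopback and already-established flows accepted first so they skip per-host inspection, the RFC 1918 private ranges opened wholesale, the administrator given everything from one address or FQDN, and each additional account limited to the numbered services above. The port assignments (SIP 5060, IAX 4569, WebMin 10000, FOP 4445, RTP 10000-20000 UDP) are the usual PIAF and Asterisk defaults and are an assumption here; check them against your own install before loading anything.

```shell
#!/bin/bash
# build-rules: added example, not part of the article. POSIX-sh compatible.
# Usage: ./build-rules ADMIN_HOST [HOST:SERVICES ...]
#   e.g. ./build-rules admin.dyndns.org outbound1.vitelity.net:1,3 smith.dyndns.org:1
# Hostnames are resolved by iptables when the rules are loaded, which is exactly
# why a dead FQDN makes the whole load fail (see the caution above).

# service_rule NUMBER SOURCE -> rule line(s) for one service from the menu above.
# Ports are assumed defaults for this example.
service_rule() {
  case "$1" in
    0) echo "-A INPUT -s $2 -j ACCEPT" ;;
    1) echo "-A INPUT -s $2 -p udp --dport 5060 -j ACCEPT"
       echo "-A INPUT -s $2 -p udp --dport 10000:20000 -j ACCEPT" ;;   # RTP range (Asterisk default)
    2) echo "-A INPUT -s $2 -p tcp --dport 5060 -j ACCEPT" ;;
    3) echo "-A INPUT -s $2 -p udp --dport 4569 -j ACCEPT" ;;
    4) echo "-A INPUT -s $2 -p tcp --dport 80 -j ACCEPT" ;;
    5) echo "-A INPUT -s $2 -p tcp --dport 10000 -j ACCEPT" ;;
    6) echo "-A INPUT -s $2 -p tcp --dport 21 -j ACCEPT" ;;
    7) echo "-A INPUT -s $2 -p udp --dport 69 -j ACCEPT" ;;
    8) echo "-A INPUT -s $2 -p tcp --dport 22 -j ACCEPT" ;;
    9) echo "-A INPUT -s $2 -p tcp --dport 4445 -j ACCEPT" ;;
    *) echo "unknown service number: $1" >&2; return 1 ;;
  esac
}

# build_ruleset ADMIN_HOST [HOST:SERVICES ...] -> complete iptables-restore input
build_ruleset() {
  local admin="$1" acct src svcs s net
  shift
  echo "*filter"
  echo ":INPUT DROP [0:0]"           # block everything not explicitly permitted
  echo ":FORWARD DROP [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  echo "-A INPUT -i lo -j ACCEPT"
  # Vetted flows are passed without further per-packet inspection.
  echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Non-routable ranges are opened, as the page's design does for private LANs.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    echo "-A INPUT -s $net -j ACCEPT"
  done
  # Administrator: full access from one address or FQDN only.
  echo "-A INPUT -s $admin -j ACCEPT"
  # Everyone else: only the services they actually need.
  for acct in "$@"; do
    src=${acct%%:*}
    svcs=${acct#*:}
    for s in $(printf '%s' "$svcs" | tr ',' ' '); do
      service_rule "$s" "$src" || return 1
    done
  done
  echo "COMMIT"
}

if [ $# -ge 1 ]; then
  build_ruleset "$@"
fi
```

Review the output before you use it (it deliberately contains nothing for your own cloud IP address or for outbound traffic beyond the ACCEPT policy), then feed it to iptables-restore or diff it against /etc/sysconfig/iptables to see what the secure-iptables script has already done for you.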

Just a word of caution. IPtables stores its setup in /etc/sysconfig/iptables, but it actually runs from an image in memory on your Linux server. As part of the load process, IPtables converts all FQDNs stored on disk to static IP addresses. This speeds up firewall processing enormously. While it's possible to add IPtables rules in memory without writing them to disk (as in the original Travelin' Man design), don't do it with Travelin' Man 3! You will lose these settings whenever IPtables is restarted by running any of the above scripts or whenever a refresh of FQDN IP addresses becomes necessary. Whatever you do, never ever run the command: service iptables save. This command is used to write the IPtables entries in memory to disk. In doing so it writes only static IP addresses to disk. This will erase (a.k.a. ruin) your Travelin' Man 3 FQDN setup and force you to start over with Step #1, because none of your FQDNs would ever get refreshed again: they've all disappeared and become static IP addresses.

IPtables also has a major shortcoming IMHO. We support FQDNs in IPtables to make it more flexible. However, a failed FQDN during an IPtables restart will cause IPtables not to load at all. We have worked around this by adding our own restart command which you should always use: iptables-restart. You've been warned.

Locking Down Your Server. While there's still time, let's spend a minute and lock down your server to the public IP address of the PC that you use to administer the system. If you don't know the public IP address of the desktop machine you use to manage your server, then click on this link using a browser on that machine, and our web site will tell you the IP address.

Now log into your virtual machine as root using SSH and issue the following commands:

cd /root
wget http://incrediblepbx.com/travelinman3.tar.gz
tar zxvf travelinman3.tar.gz
yum -y install bind-utils
./secure-iptables

When prompted for the FQDN or IP address of your Administrator PC, use the FQDN if you have one. Otherwise, type in the IP address and press the Enter key. Agree to the terms of service and license agreement by pressing Enter. When the IPtables file displays, verify that you have typed your FQDN or IP address correctly, or you will lock yourself out of your own server. Press Ctrl-X to exit the editor, and then press Enter to update IPtables and save your new configuration.

NOTE: If you are running PBX in a Flash in a cloud environment, be sure to add an entry to Travelin' Man 3 with the IP address of your cloud server. ifconfig will tell you what the IP address is. To add the entry, issue the command: /root/add-ip cloud 12.34.56.78 using your actual cloud IP address.

WARNING: If you use an FQDN for your Administrator PC and it points to a dynamic IP address, be sure to also add this same FQDN using add-fqdn. Otherwise, IP address changes will not be detected, and you may lock yourself out of your own server.

Nobody can access your server except someone seated at your PC or on your private LAN with your login credentials. You can repeat this process as often as you like because each time the script is run, it automatically restores your original IPtables configuration. Now let's grant access to your SIP providers and those using remote SIP or IAX phones.

Using DynDNS to Manage FQDNs. The key ingredient with Travelin' Man 3 is automatic management of dynamic IP addresses. When a user or even the administrator moves to a different location or IP address, we don't want to have to manually adjust anything. So what you'll first need is a DynDNS account. For $20 a year, you can set up 30 FQDNs and keep the IP addresses for these hostnames current 24-7. For $30 a year, you can manage 75 hostnames using your own domain and execute up to 600,000 queries a month. That's more than ample for almost any small business but, if you need more horsepower, DynDNS.com can handle it. What we recommend is setting up a separate FQDN for each phone on your system that uses a dynamic IP address. This can include the administrator account if desired because it works in exactly the same way. When the administrator extension drops off the radar, a refresh of IPtables will bring all FQDNs back to life including the administrator's account. Sounds simple? It is.

Preparation. Before we make further modifications to IPtables in Step #3, let's make a list of all the folks that will need access to your VoIP Server in the Cloud. For each entry, write down the name of the person, server, or phone as well as the type of entity which needs server access. Then provide either the static IP address or FQDN for each entry. If one or more of your IP addresses are dynamic (meaning the ISP changes them from time to time), we'll cover managing dynamic IP addresses in a minute. For now, just make up a fully-qualified domain name (FQDN) for each dynamic IP address using one of the available DynDNS domains. For static IP addresses, use the FQDN or the IP address. HINT: FQDNs make it easy to remember which entry goes with which provider.

Make a list of your providers NOT in this list: Vitelity (outbound1.vitelity.net and inbound1.vitelity.net), Google Voice (talk.google.com), VoIP.ms (city.voip.ms), DIDforsale (209.216.2.211), CallCentric (callcentric.com), and also VoIPStreet.com (chi-out.voipstreet.com plus chi-in.voipstreet.com), Les.net (did.voip.les.net), Future-Nine, AxVoice (magnum.axvoice.com), SIP2SIP (proxy.sipthor.net), VoIPMyWay (sip.voipwelcome.com), Obivoice/Vestalink (sms.intelafone.com), Teliax, and IPkall. The providers listed above are already enabled in the secure-iptables setup script. We call them Trusted Providers only because we trust them and have personally used all of them. We consider them reliable folks with whom to do business. It doesn't mean others aren't. It simply means these are ones we have tested with good results over the years. The only providers you'll need to add are ones we haven't provided. Also be sure to check whether the FQDNs of the providers above cover the server for your account. If not, you'll need to manually add those FQDNs as well. Keep in mind that trusted providers will have full SIP and IAX access to your server so stick with tried-and-true providers for your own safety. The PBX in a Flash Forum and DSL Reports are good sources of information on The Good, The Bad, and The Ugly.

Finally, list with a name each phone that will be connected to an extension on your server. If you have 10 traveling salesmen, then you might want to name them all by last name and also provide FQDNs with their last names, e.g. smith.dyndns.org and jones.dyndns.org. No spaces or punctuation in names or FQDNs! We strongly recommend using FQDNs wherever you can because it means zero work for you when a provider changes an IP address. Here's the table we use:

Name
Type: Person, Provider, Server, Phone
IP Address Type: Static or Dynamic
FQDN or IP Address
Services Desired: SIP, IAX, Web, FTP, SSH, etc.

Step #3: Adding Authorized Users. Now take your list and add each account to your server while logged in as root and positioned in the /root directory. For static IP addresses, use add-ip. For dynamic IP addresses and FQDNs, run add-fqdn and plug in the FQDN for each account. When one of your accounts needs to be removed, just run del-acct from the /root folder on your server and plug in the name of the account to delete. If a user changes from a static IP address to a dynamic IP address or vice versa, just delete the user and then add them again with the new IP address or FQDN. All of the accounts are stored in /root and have names like this: name.iptables.

Step #4: Setting Up DynDNS Client Updates. There are actually two pieces in the Dynamic DNS update puzzle. At the end-user side, you need to deploy a DynDNS update client on the same subnet as the phone of your user. See the links above to download the update software you prefer. In the case of cellphones with SIP phone capability, this could be as simple as installing the DynDNS update client directly on the phone itself. Plug in your DynDNS credentials as well as the FQDN associated with the particular phone, and the rest is automatic.

Step #5: Setting Up IPtables Auto-Refresh. Finally, we need a way for your server to discover when a refresh of FQDNs becomes necessary because someone's IP address has changed. The simplest way to do this is to automatically run a simple script (ipchecker) that polls the DNS authoritative server to determine whether the dynamic IP address associated with an FQDN has changed. If so, we'll update the account.iptables file to reflect the new IP address and then restart IPtables. This will refresh all IP addresses associated with FQDNs. If all or most of your users spend time sleeping each day, you may wish to run the script only during certain (waking) hours of the day so your server has less of a load. The other consideration is how often to check. The guideline here is how long can any user live without their SIP phone being connected to your server. 10 minutes may be reasonable for some. 60 minutes may suffice for others. For us, it's 3 minutes. It's your choice. The way Travelin' Man 3 works is, whenever at least one account has an IP address change, it will trigger a restart of IPtables to do an IP address refresh for all of the FQDNs.

The top of the ipchecker script in /root looks like this:

#!/bin/bash

# Insert the account filenames to be checked below
# Remember to increment the account[#] for new entries

account[0]=larry.iptables
account[1]=curly.iptables
account[2]=moe.iptables

# ipchecker (c) Copyright 2012, Ward Mundy & Associates LLC.

You'll need to edit the script (nano -w /root/ipchecker) and modify the account[#] section shown above to reflect the actual FQDN account names you've created on your server that are associated with dynamic IP addresses only. You don't want to monitor accounts with static IP addresses or FQDNs that never get updated. When those extensions are off-line, it's not because their IP address changed, and restarting IPtables won't really help to improve the situation. Be sure to increment the account[n] array for each new account that you want to monitor and use the exact format shown in the example above. Before you enter an account in the script, display the contents of the file using cat /root/accountname.iptables. Make certain that the file includes BOTH an FQDN, then a space, and then an IP address. If not, delete the account (del-acct) and add it again using add-fqdn.

Once you've entered all of your accounts with dynamic IP addresses, save the script: Ctrl-X, Y, then Enter. Run the script manually now to be sure it works as you intended: /root/ipchecker. Be advised that typos that list accounts that don't exist will cause problems. Error checking consumes processing cycles by requiring additional queries so we've left it out. That means it's solely up to you to check your account names for accuracy. And, remember, only include accounts that have dynamic IP addresses with FQDNs.
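For readers who want to see the poll-compare-refresh loop of Step #5 spelled out, here is an added example that is not the ipchecker script shipped with Travelin' Man 3. It reads account files in the same "FQDN IP" layout, looks up each FQDN, rewrites the file when the address has moved, and only calls the page's iptables-restart wrapper when at least one account changed. Unlike the original, it skips malformed files and failed lookups instead of clobbering them, so a DNS hiccup can't wipe a stored address. The TM_FAKE_DNS lookup table is a constructed stand-in for DNS so the example runs offline; with it unset the lookup uses dig from bind-utils, which the install steps above already pull in.

```shell
#!/bin/bash
# ipcheck-example: added example, not the Travelin' Man 3 ipchecker. POSIX-sh compatible.
# Usage: ./ipcheck-example /root/larry.iptables /root/curly.iptables ...

# resolve_fqdn FQDN -> prints one IPv4 address, or nothing if the lookup fails.
# TM_FAKE_DNS ("host addr" per line) is a constructed offline table for testing.
resolve_fqdn() {
  if [ -n "${TM_FAKE_DNS:-}" ]; then
    printf '%s\n' "$TM_FAKE_DNS" | awk -v h="$1" '$1 == h { print $2; exit }'
  else
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n1
  fi
}

# check_account FILE -> 0 unchanged, 1 file updated with a new address,
#                       2 skipped (unreadable, malformed, or unresolvable)
check_account() {
  local file="$1" fqdn old new
  [ -r "$file" ] || return 2
  set -- $(head -n1 "$file")          # word-split "FQDN IP" on purpose
  fqdn=$1
  old=$2
  [ -n "$fqdn" ] && [ -n "$old" ] || return 2
  new=$(resolve_fqdn "$fqdn")
  [ -n "$new" ] || return 2           # never overwrite a good address with nothing
  [ "$new" = "$old" ] && return 0
  printf '%s %s\n' "$fqdn" "$new" > "$file"
  return 1
}

# refresh_accounts FILE... -> prints how many account files were updated
refresh_accounts() {
  local changed=0 f rc
  for f in "$@"; do
    check_account "$f" && rc=0 || rc=$?
    case $rc in
      1) changed=$((changed + 1)) ;;
      2) echo "skipping $f: malformed, unreadable, or lookup failed" >&2 ;;
    esac
  done
  echo "$changed"
}

if [ $# -ge 1 ]; then
  changed=$(refresh_accounts "$@")
  if [ "$changed" -gt 0 ]; then
    echo "$changed account(s) changed; reloading IPtables"
    /root/iptables-restart            # the page's wrapper, never 'service iptables save'
  fi
fi
```

Drop it into cron the same way Step #6 describes, passing only the dynamic-address account files as arguments.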

Step #6: Automating FQDN Refreshes with Cron. Finally, you'll need to add an entry to the bottom of /etc/crontab using nano. If you wanted the script to run 24 hours a day at 10 minute intervals, here's the command:

*/10 * * * * root /root/ipchecker > /dev/null

If you wanted the script to only run between the hours of 8 a.m. and 9 p.m. (server time zone) at 10 minute intervals, then you'd use something like this:

*/10 8-21 * * * root /root/ipchecker > /dev/null

On our RentPBX complimentary account which we use while traveling, we actually set the interval to 3 minutes. Since the DNS lookups use dig, changes on Android phones using the DynDNS client are almost instantaneous even with automatic switching between WiFi and cellular service. Finally, be sure to type date on your server and verify which time zone your cloud server thinks it's in! Adjust the times in /etc/crontab accordingly.

Be sure to check back here periodically for updates and follow the latest happenings about Travelin' Man 3 in this thread on the PIAF Forums. Enjoy!

Originally published: Thursday, March 29, 2012   Updated: April 19, 2014

UNLESS YOU DISCONTINUE USING FQDN'S WITH IPTABLES, IT IS ABSOLUTELY ESSENTIAL THAT YOU MONITOR YOUR SERVER DAILY IF YOU ARE RELYING EXCLUSIVELY UPON IPTABLES AS YOUR FIREWALL PROTECTION MECHANISM AND YOU ARE USING FQDN'S AS PART OF YOUR CENTOS SECURITY METHODOLOGY!


FreePBX Backdoor Passwords Pose Asterisk Security Threat

Whether it’s forgetting to change a default password or not removing an additional password that you didn’t even know existed, some new revelations this week about FreePBX security are worth a minute of your time. There’s more disappointing news. The bad guys are getting smarter and much more dangerous.
 

If you’re new to Asterisk®, FreePBX® is the terrific, web-based graphical user interface that turns Asterisk into a user-friendly PBX that even mere mortals can use. It is bundled as part of every Asterisk aggregation including PBX in a Flash, trixbox, Elastix, and Asterisk Now. With the exception of PBX in a Flash, you may not know it’s there, but it is.

Years ago when FreePBX was in its infancy, the developers set up a way that administrators could still get into their system even if they forgot their administrator password. Typing admin:admin as the username:password combination basically gave you the keys to the castle in the default FreePBX install. That worked great in the days before folks exposed their systems to direct Internet web access which is a really BAD IDEA by the way.

Some of the aggregations shipped with a default username and password combination of maint and password. And for visually-impaired users, an automatic installer was crafted which set a default password of passworm. While users were encouraged to change these default passwords, many unfortunately didn’t heed the advice. According to one unnamed provider that recently saw a spike in illegal calling activity, his attempt to log in to some of his customers’ systems using password as the administrator password yielded a list of 50 vulnerable systems in under an hour!

And then there was this week’s Elastix revelation that the developers had embedded an additional backdoor password in their distribution that very few knew about… except the bad guys unfortunately. According to Xorcom:

It recently came to our attention that it is possible to log in to the Elastix server unembedded FreePBX Web interface (http://address/admin) with user name ‘asteriskuser’ and password ‘eLaStIx.asteriskuser.2oo7’. The user name and password are the same user name and password used by FreePBX to access the ‘asterisk’ MySQL database. They are defined in the parameters AMPDBUSER and AMPDBPASS in the /etc/amportal.conf file.

What could possibly go wrong? Well, everything! Over the past few years, what typically happened with these vulnerable systems was that the bad guys obtained an extension password and began making free calls on your nickel until you checked your FreePBX call log or received your phone bill. That was then.

Here’s the latest bad guy scenario. The intruder logs into your FreePBX GUI using the default administrator password using a very sophisticated script which extracts all of your extension numbers, all of your trunk credentials, and, of course, all of your passwords. The script then hides a BOT on your server that "phones home" whenever any change is made in your account names or passwords. Finally, rather than using your server to make calls, the bad guys now use their own servers with your provider credentials to make free calls. So the first notice you receive of the intrusion is when your credit card is maxed out because you stupidly chose credit card auto-replenishment when you set up your VoIP account with your favorite provider.

SO… how do you fix it? Well, first you need to check whether your system is vulnerable. Using a browser, attempt to log into FreePBX at http://yourIPaddress/admin and use the following username:password combinations:

admin:admin
admin:password
admin:passworm
maint:admin
maint:maint
maint:password
maint:passworm
wwwadmin:password
wwwadmin:wwwadmin
wwwadmin:admin
asteriskuser:eLaStIx.asteriskuser.2oo7

Be aware that on some systems using Fail2Ban such as PBX in a Flash, three consecutive failed logins may lock you out of your system for a lengthy period of time. On these systems, we recommend you first stop Fail2Ban: service fail2ban stop. Don’t forget to restart it after your testing: service fail2ban start.

If you gain access to your system using any of the above credentials and the web interface of your server is exposed to the Internet, then you’ve got a problem. Do NOT just change your password thinking all is well. As mentioned, your new credentials are likely being transmitted to the bad guys before you can say "I’m S-C-R-E-W-E-D." Instead, you should reformat your drive, contact all of your trunk providers and change your credentials. Then reinstall a NEW system using your new credentials AND new extension passwords. DON’T FORGET TO CHANGE YOUR DEFAULT PASSWORD! On PBX in a Flash and Incredible PBX systems, it’s easy. Just log into your server as root, enter the command passwd-master, and answer the prompts. Think up a very secure password… as if your bank account depended on it. It does! Finally, read our Primer on Asterisk Security. Be safe!
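A complementary local check, added here as an example and not part of the original article: the Xorcom note above says the Elastix backdoor credentials are simply the FreePBX database credentials from /etc/amportal.conf, so a script can read AMPDBUSER and AMPDBPASS from that file and flag the default pair or any password from the list above. The file path is a parameter, the sample file is constructed, and nothing on the server is changed.

```shell
#!/bin/bash
# Added example, not from the Nerd Vittles article: read the database
# credentials FreePBX keeps in an amportal.conf-style file (AMPDBUSER and
# AMPDBPASS) and report whether they are the Elastix default pair quoted in
# the article or one of the weak passwords from the article's checklist.
# Report only; the file is never modified.

set -eu

# Values named in the article; extend the list with anything else you
# consider weak. Words are separated by spaces, so none may contain one.
KNOWN_WEAK_PASSWORDS="admin password passworm maint wwwadmin eLaStIx.asteriskuser.2oo7"
ELASTIX_DEFAULT_USER="asteriskuser"

# Print the value of KEY from FILE (KEY=value lines; '#' comment lines and
# blank lines ignored; whitespace around key and value trimmed; the last
# definition wins). Prints an empty line when the key is absent.
conf_get() {
    local file="$1" key="$2" line value="" k v
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        k="${line%%=*}"
        v="${line#*=}"
        if [ "$k" = "$line" ]; then continue; fi          # no '=' on this line
        k="$(printf '%s' "$k" | tr -d '[:space:]')"
        if [ "$k" = "$key" ]; then
            value="$(printf '%s' "$v" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        fi
    done < "$file"
    printf '%s\n' "$value"
}

# Return 0 (and print each reason) when FILE holds known default or weak
# database credentials; return 1 when nothing on the list matched.
audit_amportal() {
    local file="$1" user pass w found=1
    user="$(conf_get "$file" AMPDBUSER)"
    pass="$(conf_get "$file" AMPDBPASS)"
    if [ "$user" = "$ELASTIX_DEFAULT_USER" ]; then
        echo "AMPDBUSER is the Elastix default account '$ELASTIX_DEFAULT_USER'"
        found=0
    fi
    if [ -z "$pass" ]; then
        echo "AMPDBPASS is empty or missing"
        found=0
    fi
    for w in $KNOWN_WEAK_PASSWORDS; do
        if [ "$pass" = "$w" ]; then
            echo "AMPDBPASS is the known default/weak value '$w'"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample file (not copied from any real server) to show the output.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/amportal.conf" <<'EOF'
# constructed sample amportal.conf
AMPDBUSER=asteriskuser
AMPDBPASS = eLaStIx.asteriskuser.2oo7
EOF
if audit_amportal "$demo_dir/amportal.conf"; then
    echo "result: default credentials present; rebuild and re-credential as the article describes"
else
    echo "result: no known default credentials found"
fi
rm -rf "$demo_dir"
```

Run it against /etc/amportal.conf on the server (or a copy of it) to check the database credentials; a clean result here does not replace the GUI login test above, since the FreePBX administrator accounts are stored separately.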

Originally published: Friday, April 15, 2011


Changes in PBX in a Flash Distribution. In light of the events outlined in our recent Nerd Vittles article and the issues with Asterisk 1.8.4, the PIAF Dev Team has made some changes in our distribution methodology. As many of you know, PBX in a Flash is the only distribution that compiles Asterisk from source code during the install. This has provided us enormous flexibility to distribute new releases with the latest Asterisk code. Unfortunately, Asterisk 1.8 is still a work in progress to put it charitably. We also feel some responsibility to insulate our users from show-stopping Asterisk releases. Going forward, the plan is to reserve the PIAF-Purple default install for the most stable version of Asterisk 1.8. Currently, we think that dubious title belongs to Asterisk 1.8.3.3 even though it has its own share of surprises. Other versions of Asterisk 1.8 (newer and older) will be available through a new configuration utility which now is incorporated into the PIAF 1.7.5.6.2 ISO.

Here’s how it works. Begin the install of a new PIAF system in the usual way by booting from the CD and pressing Enter to load the most current version of CentOS 5.6. When the CentOS install finishes, your system will reboot. Remove the CD, accept the license agreement, and choose the PIAF-Purple option to load the default version of Asterisk 1.8. Or exit to the Linux CLI if you want a different version. Log into CentOS as root with your root password. Then issue a command like this: piafdl -p 184 (loads Asterisk 1.8.4), piafdl -p 1833 (loads Asterisk 1.8.3.3), or piafdl -p 1832 (loads Asterisk 1.8.3.2). If there should ever be an outage on one of the PBX in a Flash mirrors, you can optionally choose a different mirror for the payload download by adding piafdl -c for the .com site, piafdl -d for the .org site, or piafdl -e for the .net site. Then add the payload switch of your choice, e.g. piafdl -c -p 184.

Bottom Line: If you use the piafdl utility to choose a particular version of Asterisk 1.8, you are making a conscious decision to accept the consequences of your particular choice. We would have preferred implementation of a testing methodology at Digium® before distribution of new Asterisk releases; however, that doesn’t appear to be in the cards. So, as new Asterisk 1.8 releases hit the street, they will be made available through the piafdl utility until such time as our PIAF Pioneers independently establish their reliability.



Avoiding a $100,000 Phone Bill: VoIP WhiteList for IPtables

It’s been almost a year since we last wrestled with VoIP security for Asterisk®. With Christmas just around the corner, it seemed like a fitting time for a report card. Suffice it to say, the bad guys have not stood still. Attacks have become much more frequent and more sophisticated as VoIP systems have proliferated. A year ago we saw brute force attacks with thousands of password attempts on VoIP servers. These attacks could easily be detected by Fail2Ban. What we are seeing today are one and two hit drive-bys that usually are initiated from Windows zombies or hosted accounts established with stolen credit cards. These VoIP attacks fly under the radar unless you review your logs every day. Have the creeps gotten more patient? No, just smarter. They now understand the VoIP security model that has been deployed on systems like PBX in a Flash, and they simply work around it. Two hits per server, and they’re off to the next IP address only to return in a few hours to try two more. Are these attempts successful? Well, here’s the latest recipient of a $100,000 phone bill so the answer would appear to be affirmative.

We continue to wrestle with new security approaches to better protect Asterisk VoIP systems, and we’ve stumbled upon another golden arrow for your security quiver. Our Incredible PBX platform continues to offer the very best security solution because it is designed to sit safely behind a hardware-based firewall with virtually no exposure to the Internet. But such deployments assume that both your server and your phones are all safely ensconced behind a hardware-based firewall. If it turns out that you want to deploy a SIP phone for use by grandma or you’ve decided you’d like to try hosted PBX service from a provider such as rentpbx.com,1 then there either need to be holes opened in the firewall or there is no hardware firewall protection in the case of hosted service.

Over the past few weeks, we’ve explored a number of new security approaches to better protect your Asterisk server. These include The SunshineNetworks Knock as well as VoIP Black Lists and VoIP White Lists. If you’re technically savvy, you’ll want to carefully consider "The Knock" for all of your SIP phones exposed to the Internet.

We spent a good bit of time considering various VoIP BlackList solutions. As the name implies, a list of the bad guys’ IP addresses is fed into IPtables which then blocks access to your server from these addresses. Sounds good, right? One approach with a BlackList is to block all IP addresses from "problem countries." The methodology to implement this solution can be found in this thread on the PIAF Forums. The problem, of course, is identifying the "problem countries." Another option was to implement an IPtables Blacklist based upon the work of the VoIP Blacklist Project. Perhaps ironically, the VoIP Blacklist Project actually blocks the IP addresses of both Nerd Vittles and PBX in a Flash, and emails requesting removal of our IP address were ignored. To save time, the VoIP Blacklist Project employs CIDR Masks which can blacklist hundreds of thousands of IP addresses in one fell swoop. Problem is that a lot of innocent people get caught in the net, and there’s no easy way out without maintaining the blacklist yourself. The final dagger in the black list approach is zombies. Insecure Windows machines have been compromised by the droves worldwide and particularly in the United States. So identifying all of these now-malicious systems is not unlike playing Whack-a-Mole. When you block one of them, six more pop up. So, after giving it the good old college try, our view of VoIP Blacklists should be obvious. No, thanks. There are very real risks that the bad guys can and have poisoned existing blacklists with safe IP addresses, and the number of Windows zombies grows geometrically making it all but impossible to have or maintain a blacklist that affords any real protection.

These results with black lists led us to the conclusion that the only real security mechanism that could protect many VoIP servers today was a VoIP WhiteList for IPtables. As the name implies, we want to identify the IP addresses of every SIP and IAX trunk and extension on your server and then feed those addresses into IPtables so that the only access to VoIP resources on your server is from these addresses. Today’s VoIP WhiteList for IPtables consists of two bash scripts: one queries the MySQL database in which FreePBX stores all of the trunk and extension information for your server and the other populates IPtables with the results of the queries. We would hasten to add that a similar white list is equally important for SSH access to your server although we think it is better to implement an SSH WhiteList on your hardware-based firewall. In this way, you can adjust the SSH white list via web browser while traveling without locking yourself out of your Asterisk server.

Prerequisites. To use today’s VoIP WhiteList for IPtables, you’ll need either a current version of PBX in a Flash or Incredible PBX. Other aggregations will also work provided your system is FreePBX-based (version 2.6 or later), has IPtables already installed and functioning properly, and has an /etc/sysconfig/iptables configuration file that closely matches the stock PBX in a Flash design. We’ll leave it to you to make that call after reviewing the scripts.

VoIP WhiteList Design. We’ve designed the VoIP WhiteList for IPtables to be modular. There’s a firewall-whitelist-gen.sh script which extracts from MySQL the list of IP addresses used by your trunks and extensions. This text-based list is stored in /etc/firewall.whitelist. You can manually add and delete entries from the list once it is populated. You also can rerun the script at any time to generate a fresh catalog of WhiteList IP addresses based upon your current trunk and extension settings. This script also enables access to your server from the public IP address of your server as well as all non-routable IP addresses. Finally, it modifies /etc/sudoers slightly so that Travelin’ Man can be used to add dynamic IP addresses on the fly. We’ll cover that below.

The second script is firewall-whitelist.sh, and it is used to actually implement your new VoIP WhiteList in IPtables. The changes take effect immediately. It also can be run again to update these entries if you manually add or delete IP addresses in /etc/firewall.whitelist. This script always creates a backup copy of your previous /etc/sysconfig/iptables file and names it iptables.timestamp where the timestamp is the date and time of your last update, e.g. iptables.12012010-083841 was created on Dec. 1, 2010 at 08:38:41. If you should ever shoot yourself in the foot, simply copy one of the iptables backup files to /etc/sysconfig/iptables and then restart IPtables: service iptables restart.

WARNINGS: In order to implement the WhiteList, the script removes the existing IPtables entries which permit SIP and IAX access from anywhere using UDP ports 4569 and 5000 to 5082. If you have edited these entries in any way, you’ll need to remove them and restart IPtables before running firewall-whitelist.sh. Otherwise, your more general firewall entries will leave your system vulnerable to access from IP addresses not in your VoIP WhiteList.

If your system is running on a hosted server, you’ll need to make a couple of additions to /etc/sysconfig/iptables and restart IPtables (service iptables restart) before running firewall-whitelist.sh, or you may lock yourself out of your own server. Be sure to add the public IP address of your server, and also add the IP address from which you are making changes to your server. Each entry should look like the following example using your actual IP addresses. And the entries should be added above the COMMIT line in the same section of the iptables file as the existing UDP 10000:20000 ACCEPT entry:

-A INPUT -s 222.222.222.222 -j ACCEPT
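The rule-generating half of what firewall-whitelist.sh does, written here as an added example rather than the article's own script: it reads a /etc/firewall.whitelist-style file, validates each entry, prints the ACCEPT rules for UDP 4569 and 5000:5082, and makes a timestamped backup of a rules file in the iptables.MMDDYYYY-HHMMSS form described above. The addresses and file names are constructed, and the rules are printed rather than loaded so you can review them before placing them above the COMMIT line.

```shell
#!/bin/bash
# Added example, not the firewall-whitelist.sh script from the article: turn a
# /etc/firewall.whitelist-style file (one IPv4 address or CIDR per line,
# '#' comments allowed) into iptables ACCEPT rules for the VoIP ports the
# article names (UDP 4569 for IAX2, UDP 5000:5082 for SIP), and make the same
# kind of timestamped backup of a rules file. Rules are printed, not applied,
# so this runs safely anywhere; every address below is a constructed sample.

set -eu

IAX_PORT=4569
SIP_PORTS=5000:5082

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# hostname or a typo in the whitelist never turns into a malformed rule.
valid_ipv4() {
    case "$1" in
        *[!0-9./]*) return 1 ;;
    esac
    local addr="${1%%/*}" prefix="${1#*/}"
    if [ "$prefix" = "$1" ]; then prefix=32; fi          # no /prefix given
    if ! { [ "$prefix" -ge 0 ] && [ "$prefix" -le 32 ]; } 2>/dev/null; then
        return 1
    fi
    case "$addr" in .*|*.|*..*) return 1 ;; esac        # empty octet somewhere
    local IFS=. n=0 octet
    for octet in $addr; do
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then return 1; fi
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# Print one ACCEPT rule per VoIP port for every valid whitelist entry.
# Blank lines and comments are skipped; rejected entries are reported on stderr.
gen_whitelist_rules() {
    local file="$1" line ip
    while IFS= read -r line || [ -n "$line" ]; do
        ip="${line%%#*}"                                  # drop trailing comment
        ip="$(printf '%s' "$ip" | tr -d '[:space:]')"
        if [ -z "$ip" ]; then continue; fi
        if ! valid_ipv4 "$ip"; then
            printf 'skipping invalid whitelist entry: %s\n' "$line" >&2
            continue
        fi
        printf '%s -s %s -p udp --dport %s -j ACCEPT\n' '-A INPUT' "$ip" "$IAX_PORT"
        printf '%s -s %s -p udp --dport %s -j ACCEPT\n' '-A INPUT' "$ip" "$SIP_PORTS"
    done < "$file"
}

# Copy a rules file to NAME.MMDDYYYY-HHMMSS beside it, the naming the article
# shows (iptables.12012010-083841), and print the backup path.
backup_rules_file() {
    local src="$1" dest
    dest="$src.$(date +%m%d%Y-%H%M%S)"
    cp -p "$src" "$dest"
    printf '%s\n' "$dest"
}

# Constructed demonstration input; not taken from any real server.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/firewall.whitelist" <<'EOF'
# trunk provider
203.0.113.10
# remote SIP phone on a fixed address
198.51.100.7
192.168.1.0/24        # office LAN (non-routable range)
sip.example.invalid   # hostnames are rejected; the whitelist holds IP addresses only
EOF
gen_whitelist_rules "$demo_dir/firewall.whitelist"
rm -rf "$demo_dir"
```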

Installing the VoIP WhiteList for IPtables. Installation is easy. Just log into your server as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/firewall-whitelist.tar.gz
tar zxvf firewall-whitelist.tar.gz
./firewall-whitelist-gen.sh
./firewall-whitelist.sh

If you installed one of the beta versions of the VoIP WhiteList from the PIAF Forums, then you’ll need to do a little housecleaning before actually running either of the scripts. Just edit /etc/sysconfig/iptables and clean out all of the entries that contain 5000:5082 as well as any entries nearby that include the non-routable IP addresses, e.g. 192.168.0.0. Finally, if there are entries beginning with -A WHITELIST, delete those as well. Then restart IPtables: service iptables restart. Thank you for your testing and feedback!

Deploying Remote SIP Phones. What remains is some method for connecting remote SIP phones with dynamic IP addresses. Our Travelin’ Man application was specifically designed to provide this support although the initial version only opened the necessary IP address for Asterisk access. The latest release also provides the necessary IPtables support. You have two options: either remove the old version and supporting directories under /var/www/travelman or edit the index.php file in each subdirectory you’ve created and make the change shown in this post on the PIAF Forums. Enjoy!




  1. We gratefully acknowledge the contributions of rentpbx.com to the PBX in a Flash Development Team. In addition to hosted accounts to test PBX in a Flash in the hosted environment, rentpbx.com also has contributed technical assistance particularly as it relates to our Google Voice-Asterisk integration efforts.

The Incredible PBX: Meet the New Kid on the Block

As much as we loved the moniker, the Orgasmatron build was in desperate need of a name change to more accurately describe its true heritage. We didn't look too far for just the right name. Meet The Incredible PBX!

Thanks to the Zero Internet Footprint™ design, it's the most secure Asterisk®-based PBX around. What this means is Incredible PBX™ has been engineered to sit safely behind a NAT-based, hardware firewall with no port exposure to your actual server.1 And you won't find a more full-featured Personal Branch Exchange™.

NEWS FLASH: Incredible PBX is now available for Asterisk 1.8! Go here.

Coming January 19: Incredible PBX 11 & Incredible Fax for Asterisk 11 and FreePBX 2.11

The Incredible PBX is much more than just a name change. In addition to all of the Orgasmatron magic including free calling in the U.S. and Canada courtesy of Google Voice, you now get some terrific new features tailored to meet the needs of the individual: randomly generated passwords for all of your extensions, free Skype support and a new backup module both of which we'll introduce over the next few weeks. And CallerID Superfecta now is preconfigured to work out of the box with support from dozens of providers worldwide.

The Incredible PBX Inventory. For those wondering what's included with The Incredible PBX, here's a feature list of components you get in addition to the base install of PBX in a Flash with CentOS 5.4, Asterisk 1.4, FreePBX 2.6, and Apache, SendMail, MySQL, PHP, phpMyAdmin, IPtables Linux firewall, Fail2Ban, and WebMin. Please note that A2Billing, Cepstral TTS, Hamachi VPN, and Mondo Backups are optional and may be installed using provided scripts.

Prerequisites. Here's what you'll need to get started:

  • Broadband Internet connection
  • $200 PC3 on which to run The Incredible PBX or a Proxmox VM
  • dLink Router/Firewall. Low Cost: $35 WBR-2310. Best: DGL-4500
  • Free Google Voice account (Available in U.S. without an invite at this link)
  • Free SIPgateOne residential account (U.S. cell to get SMS invite) OR
  • Free IPkall IAX account (recommended for international users)

Installing The Incredible PBX. The installation process is simple and straight-forward. Just don't skip any steps. Here are the 5 Steps to Free Calling, and The Incredible PBX will be ready to receive and make free U.S./Canada calls:

1. Install the latest version of PBX in a Flash
2. Download & run The Incredible PBX installer
3. Set up your two provider accounts
4. Configure a softphone or SIP telephone
5. Run the configure-gv credentials installer

Installing PBX in a Flash. Here's a quick tutorial to get PBX in a Flash installed. We recommend you install the latest 32-bit version of PBX in a Flash. This new build works much better with newer hardware including Atom-based computers and newer network cards. Unlike other Asterisk aggregations, PBX in a Flash utilizes a two-step install process. The ISO only installs the CentOS 5.5 operating system. Once installed, the server reboots and downloads a payload file that includes Asterisk, FreePBX, and many other VoIP and Linux utilities. We use virtually identical payloads for all versions of PBX in a Flash.

Download the 32-bit, PIAF 1.6 version from Google, SourceForge, Vitelity, Cybernetic Networks, or AdHoc Electronics. The MD5 checksum for the file is e8a3fc96702d8aa9ecbd2a8afb934d36. Or, if you are feeling really adventurous or if you have new, bleeding edge hardware, try our new 32-bit, PIAF 1.7 build which features CentOS 5.5. This new release is available from SourceForge or Google Docs. The MD5 checksum for the PIAF 1.7 build is 184cdb00142ccdd814b11de23fb00082.

Download the brand-new 32-bit PIAF 1.7.5.5 from SourceForge or one of our download mirrors. Burn the ISO to a CD. Then boot from the installation CD, type ksalt, and press the Enter key to begin.

WARNING: This install will completely erase, repartition, and reformat EVERY DISK (including USB flash drives) connected to your system so disable any disk you wish to preserve! Press Ctrl-C to cancel the install.

On some systems you may get a notice that CentOS can't find the kickstart file. Just tab to OK and press Enter. Don't change the name or location of the kickstart file! This will get you going. Think of it as a CentOS 'feature'. 🙂

At the keyboard prompt, tab to OK and press Enter. At the time zone prompt, tab once, highlight your time zone, tab to OK and press Enter. At the password prompt, make up a VERY secure root password. Type it twice. Tab to OK, press Enter. Get a cup of coffee. Come back in about 5 minutes. When the system has installed CentOS, it will reboot. Remove the CD promptly. After the reboot, choose the PIAF-Silver option. Have a 10-minute cup of coffee. After installation is complete, the machine will reboot a second time. Log in as root with your new password and execute the following commands:

update-scripts
update-fixes
status

When prompted, change the ARI password to something really obscure. You're never going to use it! You now have a PBX in a Flash base install. On a stand-alone machine, it takes about 30 minutes. On a virtual machine, it takes about half that time. Write down the dynamic IP address assigned to your server after running the status command. You'll need it shortly.

NOTE: So long as your system is safely sitting behind a hardware-based firewall, we do NOT recommend running update-source with The Incredible PBX. The version of Asterisk installed from our payload file is very stable.

Running The Incredible PBX Installer. Log into your server as root and issue the following commands to download and run The Incredible PBX installer:

cd /root
wget http://incrediblepbx.com/incrediblepbx.x
chmod +x incrediblepbx.x
./incrediblepbx.x

Have another 15-minute cup of coffee. It's a great time to consider a modest donation to the Nerd Vittles project. You'll find a link at the top of the page. When the installer finishes, READ THE SCREEN!

Here's a short video demonstration of the Incredible PBX installer process:

Either a free SIPgate One residential phone number or an IPkall number is a key component in today’s project. If you are eligible, we strongly recommend a SIPgate One residential account for The Incredible PBX. However, you may elect to use an IPkall account as an alternative. Both are free; however, you cannot register The Incredible PBX to IPkall's servers so you'll need to punch a hole in your firewall to receive incoming calls from Google Voice and IPkall. This step is not necessary with SIPgate accounts since there is a permanent registered connection between The Incredible PBX and SIPgate's servers!

One final word of caution is in order regardless of your choice of providers: Do NOT use special characters in any provider passwords, or nothing will work! Continue reading whichever section below applies to you.

Configuring SIPgate. If you live in the U.S. and have a cellphone, we'd recommend the SIPgate option since no adjustment of your hardware-based firewall is required. Otherwise, skip to the IPkall setup below. Step #1 is to request a SIPgate invite at this link. You'll need to enter your U.S. cellphone number to receive the SMS message with your invitation code. Don't worry. You can erase your cellphone number from your account once it is set up and working properly. Once you receive the invite code, enter it and choose the option to set up a residential account. Next, choose a phone number and write it down. The area code really doesn't matter because Google Voice is the only one that will be calling this number after we get things set up. For now, leave your cellphone number in place so that you can receive your confirmation call from Google Voice in the next step. After that, you'll want to revisit SIPgate and remove all parallel calling numbers. Finally, click on the Settings link and write down your SIP ID and SIP Password. You'll need these in a few minutes to complete the configuration of The Incredible PBX. Now place a call to your new SIPgate number and make certain that your cellphone rings before proceeding.

Configuring IPkall. If you're using IPkall as your intermediate provider, first log in to your hardware-based firewall/router and map UDP port 45694 to the private IP address that you just wrote down. This tells your firewall to pass all IAX2 traffic from the Internet directly to your new server. Don't worry. We have severely restricted which IP addresses can actually send IAX data through the PBX in a Flash IPtables firewall which is an integral part of this build. And, remember, no hardware firewall adjustments are necessary if you're using SIPgate instead of IPkall.

After your firewall is properly configured, you'll need to register for a free IPkall number. This is actually a two-step process. Set it up as a SIP connection when you first register. Then we'll change it to IAX once your new phone number is provided. So your initial IPkall request should look like this:

We recommend area code 425 for your requested number because IPkall appears to have lots of them. If they don't have an available number, your request apparently goes in the bit bucket. You'll know because IPkall typically turns these requests around in a few minutes. Don't worry about the mothership entry. We'll change it shortly. The other issue here is your public IP address. If you have a dedicated IP address, no worries. Just plug in the IP address for SIP Proxy. If it's dynamic, then you'll need to set up a fully-qualified domain name (FQDN) with a provider such as dyndns.com. Once you've got it set up, enter your credentials in the Dynamic DNS tab of your hardware-based firewall to assure that your dynamic IP address is always synchronized with your FQDN. Then enter the FQDN for your SIP Proxy address in the IPkall form. Be sure to make up a VERY secure password. Now send it off and wait for the return email with your new phone number.

When you receive your new phone number, you'll need to revisit the IPkall site and log in with your phone number and the password you chose above. Make the changes shown below using your actual IPkall phone number instead of 4259876543:

It's worth stressing that these settings are extremely important so check your work carefully. Be sure the IAX option is selected. Be sure there are no typos in your two phone number entries. And be sure your FQDN or public IP address is correct. Then save your new settings.

TIP: Be aware that IPkall cancels an assigned phone number after 30 consecutive days of inactivity. If you will be using your number infrequently, it's a good idea to schedule a Weekly Reminder to call the number with a prerecorded message. This will assure that your number stays functional.

Configuring Google Voice. Google Voice is no longer invitation-only so, if you're in the U.S. or have a friend that is, head over to the Google Voice site and register. After you've chosen a telephone number, plug in your new SIPgate or IPkall number as the destination for your Google Voice calls and choose Office as the Phone Type.

Google places a test call to your number so you'll have to delay it a bit for IPkall. If you're using SIPgate, go ahead and tell Google to place the test call which will be forwarded to your cellphone. Enter the two-digit code that's displayed when you're prompted to do so. With IPkall, wait until we finish running the credentials configurator below.

While you're still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening - OFF
  • Call Presentation - OFF
  • Caller ID (In) - Display Caller's Number
  • Caller ID (Out) - Don't Change Anything
  • Do Not Disturb - OFF

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

If you're using SIPgate and you've confirmed your number, revisit SIPgate and remove all parallel calling numbers including your cell number.

Adding Your Credentials to The Incredible PBX. We're ready to insert your credentials and SIPgate/IPkall information into The Incredible PBX. You'll need several pieces of information: your 10-digit Google Voice phone number, your Google Voice account name (which is the email address you used to set up your GV account), your GV password (no spaces!), and your 10-digit SIPgate or IPkall RingBack DID. You'll also need to reenter your passwd-master password which is used to configure CallerID Superfecta. Finally, you'll need to tell the configurator whether you're using a SIPgate or IPkall account. In the case of SIPgate, you'll also be prompted to enter your SIP ID and SIP password. These are NOT the same as your account credentials!!

Log back into your server as root and issue the following command to kick off the configurator: ./configure-gv.x. Check your entries carefully. If you make a typo in entering any of your data, press Ctrl-C to cancel the script and then run it again!! Once you've checked and double-checked your entries, press Enter and The Incredible PBX setup will be completed. You'll need to press Enter again when the script finishes to reboot your PBX. After the reboot, your system will have randomly-generated passwords for every extension and voicemail box that is preconfigured on your system. The DISA password also has been changed. We generate five-digit passwords. Those are adequate only while the PBX sits behind your hardware-based firewall with no SIP ports forwarded to it; if you ever open SIP access to the Internet, replace them with long alphanumeric passwords first (see the Baker's Dozen SIP Security Checklist in the Adding Remotes article below). If you will sleep better with longer passwords now, be our guest. They are easily reset using the FreePBX web interface described elsewhere in this article.

Finally, log back into your server as root and issue the following command to obtain the password for extension 701 which we'll need to configure your softphone in the next step. The command supplies the MySQL root password for this build on the command line; keep in mind that a password typed that way is recorded in your shell history and is visible in the process list while the command runs, so treat it like any other credential on the box:

mysql -uroot -ppassw0rd -e"select id,data from asterisk.sip where id='701' and keyword='secret'"

The result will look something like the following where 701 is the extension and 18016 is the randomly-generated extension password exclusively for your Incredible PBX:

+-----+-------+
| id  | data  |
+-----+-------+
| 701 | 18016 |
+-----+-------+
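Because these secrets are generated for a PBX that sits behind a firewall, it is worth having a way to check them before you ever expose SIP. The POSIX shell snippet below is an added example and is not part of The Incredible PBX: weak_secrets reads id<TAB>secret lines, such as the batch output of the same query (mysql -N -B -uroot -p -e "select id,data from asterisk.sip where keyword='secret'"), and reports every extension whose secret is all digits, shorter than MIN_LEN characters, contains its own extension number, or lacks a mix of upper-case, lower-case and digits. The extensions in sample_secrets are constructed, and MIN_LEN is an assumed threshold, not a value the article sets.

```shell
#!/bin/sh
# Added example, not an Incredible PBX script: audit SIP extension secrets.
# Input: "id<TAB>secret" lines, e.g. from
#   mysql -N -B -uroot -p -e "select id,data from asterisk.sip where keyword='secret'"
# (-N drops the column header, -B prints tab-separated rows.)
# Sample extensions below are constructed; MIN_LEN is an assumed policy value.

MIN_LEN=12   # minimum secret length accepted for an extension that may face the Internet

# weak_secrets < id-tab-secret lines
# Prints "id<TAB>reason" for every weak secret; exit status 1 if any were found.
weak_secrets() {
  awk -v min="$MIN_LEN" '
    BEGIN { FS = "\t"; OFS = "\t" }
    NF < 2 { next }                                   # not an id/secret row
    {
      id = $1; s = $2; reason = ""
      if (s ~ /^[0-9]+$/)       reason = "digits only"
      else if (length(s) < min) reason = "shorter than " min " characters"
      else if (index(s, id))    reason = "contains the extension number"
      else if (s !~ /[A-Z]/ || s !~ /[a-z]/ || s !~ /[0-9]/) reason = "no upper/lower/digit mix"
      if (reason != "") { print id, reason; weak = 1 }
    }
    END { if (weak) exit 1 }
  '
}

# Constructed sample: the generated 5-digit secret from the article plus
# a few hand-made ones of varying quality.
sample_secrets() {
  printf '%s\t%s\n' \
    701 18016 \
    702 a7Kx92QmL4pTz3 \
    703 Ext703Secret9Qw \
    704 correcthorsebattery \
    705 'Vq8!pZ2nRt4wLm7c'
}

# Usage: list the weak ones; the exit status makes this usable from cron.
sample_secrets | weak_secrets || echo "weak secrets found; reset them in FreePBX"
```

Extensions 701 (digits only), 703 (contains its own number) and 704 (no character mix) are reported; 702 and 705 pass. Pipe the real query output into weak_secrets and reset anything it lists through the FreePBX extension page.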

Configuring a SIP Phone. There are hundreds of terrific SIP telephones and softphones for Asterisk-based systems. Once you get things humming along, you'll want a real SIP telephone, and you'll find lots of recommendations on Nerd Vittles. For today, let's download a terrific (free) softphone to get you started. We recommend X-Lite because there are versions for Windows, Mac, and Linux. So download your favorite from this link. Install and run X-Lite on your Desktop. At the top of the phone, click on the Down Arrow and choose SIP Account Settings, Add. Enter the following information using your actual password for extension 701 and the actual IP address of your Incredible PBX server instead of 192.168.0.251. Click OK when finished. Your softphone should now show: Available.

If you're using SIPgate as your provider with Google Voice, you're ready to place a test call. If you're using IPkall, we still need to verify your IPkall number with Google Voice. Return to Google Voice and tell it to place the test call to your IPkall number which you've already entered as your destination number. Your softphone will ring momentarily. Enter the two-digit code provided by Google Voice, and you're all set.

Incredible PBX Test Flight. The proof is in the pudding as they say. So let's try two simple tests. First, from another phone, call your Google Voice number. Your softphone should begin ringing shortly. Answer the call and make sure you can send and receive voice on both phones. Hang up. Now let's place an outbound call. Using the softphone, dial your cellphone number. Google Voice should transparently connect you. Answer the call and make sure you can send and receive voice on both phones. If everything is working, congratulations!

Here's a brief video demonstration showing how to set up a softphone to use with your Incredible PBX, and it also walks you through several of the dozens of Asterisk applications included in your system.

Solving One-Way Audio Problems. If you experience one-way audio on some of your phone calls, you may need to adjust the settings in /etc/asterisk/sip_custom.conf. Just uncomment the first two lines by removing the semicolons. Then replace 173.15.238.123 with your public IP address, and replace 192.168.0.0 with the subnet address of your private network. Save the file and restart Asterisk with the command: amportal restart.

Learn First. Explore Second. Even though the installation process has been completed, we strongly recommend you do some reading before you begin your VoIP adventure. VoIP PBX systems have become a favorite target of the hackers and crackers around the world and, unless you have an unlimited bank account, you need to take some time learning where the minefields are in today's VoIP world. Start by reading our Primer on Asterisk Security. We've secured all of your passwords except your root password and your passwd-master password, and we're assuming you've put very secure passwords on those accounts as if your phone bill depended upon it. It does! Also read our PBX in a Flash and VPN in a Flash knols. If you're still not asleep, there's loads of additional documentation on the PBX in a Flash documentation web site.

Choosing a VoIP Provider. For this week, we'll point you to some things to play with on your new server. Then, in the subsequent articles below, we'll cover in detail how to customize every application that's been loaded. Nothing beats free when it comes to long distance calls. But nothing lasts forever. So we'd recommend you set up another account with Vitelity using our special link below. This gives your PBX a secondary way to communicate with every telephone in the world, and it also gets you a second real phone number for your new system... so that people can call you. Here's how it works. You pay Vitelity a deposit for phone service. They then will bill you $3.99 a month for your new phone number. This $3.99 also covers the cost of unlimited inbound calls (two at a time) delivered to your PBX for the month. For outbound calls, you pay by the minute and the cost is determined by where you're calling. If you're in the U.S., outbound calls to anywhere in the U.S. are a little over a penny a minute. If you change your mind about Vitelity and want a refund of the balance in your account, all you have to do is ask.

The VoIP world is new territory for some of you. Unlike the Ma Bell days, there's really no reason not to have multiple VoIP providers especially for outbound calls. Depending upon where you are calling, calls may be cheaper using different providers for calls to different locations. So we recommend having at least two providers. Visit the PBX in a Flash Forum to get some ideas on choosing alternative providers.

A Word About Security. Security matters to us, and it should matter to you. Not only is the safety of your system at stake but also your wallet and the safety of other folks' systems. Our only means of contacting you with security updates is through the RSS Feed that we maintain for the PBX in a Flash project. This feed is prominently displayed in the web GUI which you can access with any browser pointed to the IP address of your server. Check It Daily! Or add our RSS Feed to your favorite RSS Reader. Be safe!

Kicking the Tires. OK. That's enough tutorial for today. Let's play. Using your new softphone, begin your adventure by dialing these extensions:

  • D-E-M-O - Incredible PBX Demo (running on your PBX)
  • 1234*1061 - Nerd Vittles Demo via ISN FreeNum connection to NV
  • 17476009082*1089 - Nerd Vittles Demo via ISN to Google/Gizmo5
  • Z-I-P - Enter a five digit zip code for any U.S. weather report
  • 6-1-1 - Enter a 3-character airport code for any U.S. weather report
  • 5-1-1 - Get the latest news and sports headlines from Yahoo News
  • T-I-D-E - Get today's tides and lunar schedule for any U.S. port
  • F-A-X - Send a fax to an email address of your choice
  • 4-1-2 - 3-character phonebook lookup/dialer with AsteriDex
  • M-A-I-L - Record a message and deliver it to any email address
  • C-O-N-F - Set up a MeetMe Conference on the fly
  • 1-2-3 - Schedule regular/recurring reminder (PW: 12345678)
  • 2-2-2 - ODBC/Timeclock Lookup Demo (Empl No: 12345)
  • 2-2-3 - ODBC/AsteriDex Lookup Demo (Code: AME)
  • Dial *68 - Schedule a hotel-style wakeup call from any extension
  • 1061*1061 - PBX in a Flash Support Conference Bridge
  • 882*1061 - VoIP Users Conference every Friday at Noon (EST)





Homework. Your homework for this week is to do some exploring. FreePBX is a treasure trove of functionality, and The Incredible PBX adds a bunch of additional options. See if you can find all of them. Also check out Tweet2Dial which uses Twitter to make Google Voice calls, send free SMS messages, and manage your Incredible PBX.

Be sure to log into your server as root and look through the scripts added in the /root/nv folder. You'll find all sorts of goodies to keep you busy. s3cmd.faq tells you how to quickly activate the Amazon S3 Cloud Computing service. And, if you've heeded our advice and purchased a PogoPlug, you can link to your home-grown cloud as well. Just add your credentials to /root/pogo-start.sh. Then run the script to enable the PogoPlug Cloud on your server. All of your cloud resources are instantly accessible in /mnt/pogoplug. It's perfect for off-site backups which we'll cover in a few weeks.

Don't forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number. Finally, try out the included Stealth AutoAttendant by dialing your own number and pressing 0 while the greeting is played. This will reroute your call to the demo applications option in the IVR.

Originally published: Monday, April 19, 2010

VoIP Virtualization with Incredible PBX: OpenVZ and Cloud Solutions

Adding Skype to The Incredible PBX

Adding Incredible Backup... and Restore to The Incredible PBX

Adding Multiple Google Voice Trunks to The Incredible PBX

Adding Remotes, Preserving Security with The Incredible PBX

Remote Phone Meets Travelin' Man with The Incredible PBX

Continue reading Part II.

Continue reading Part III.

Continue reading Part IV.

Support Issues. With any application as sophisticated as this one, you're bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It's the best Asterisk tech support site in the business, and it's all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won't have to wait long for an answer to your questions.

Coming Soon. We haven't forgotten. We'll cover setting up multiple Google Voice accounts for simultaneous calling on multiple channels very soon. And the new (free) Skype Gateway to Asterisk for The Incredible PBX is now available. The FreePBX components already are in place to support inbound and outbound calling via Skype. You can even try a test call to our Aspire One Revo today by dialing nerdvittles from your favorite Skype client. Beginning today, this article will be available on http://IncrediblePBX.com. Then Nerd Vittles will return to our (almost) weekly schedule of new articles. Enjoy!



Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


whos.amung.us If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what's happening. It's a terrific resource both for us and for you.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 


Some Recent Nerd Vittles Articles of Interest...

  1. Requires a SIPgate One account. []
  2. For Asterisk 1.6 or for 64-bit systems with Asterisk 1.4 or 1.6, use the Cepstral install procedures outlined in this Nerd Vittles article. []
  3. If you use the recommended Acer Aspire Revo, be advised that it does NOT include a CD/DVD drive. You will need an external USB drive to load the software. Some of these work with CentOS, and some don't. Most HP and Sony drives work; however, we strongly recommend you purchase an external DVD drive from a merchant that will accept returns, e.g. Best Buy, WalMart, Office Depot, Office Max, Staples. []
  4. Mapping a port on your firewall to a private IP address unblocks certain Internet packets and allows them to pass through your firewall directly to an IP device "inside" your firewall for further processing. []

The Incredible PBX: Adding Remotes, Preserving Security

Unlike most Asterisk®-based PBXs which are insecure as installed and leave it to you to implement sufficient safeguards to preserve the integrity of your system, the Incredible PBX is delivered with rock-solid, air-tight security already in place. Because it is designed to operate behind a hardware-based firewall, what you'll be doing when you want to add functionality with the Incredible PBX is loosening security rather than tightening it. The trick, of course, is to do it in a way that doesn't compromise the overall integrity of your system. As delivered, the Incredible PBX relies upon four layers of network security: a hardware-based firewall of your choice1, a preconfigured IPtables software-based Linux firewall, preconfigured Fail2Ban to monitor your logs for suspicious activity and to block specific IP addresses when abuse is detected, and random passwords for all extensions and DISA connections.

If you installed the Incredible PBX using SIPgate as the intermediate provider with Google Voice, then your hardware-based firewall should have no ports opened and forwarded to your server. If you used IPkall, then only UDP 4569 has been opened and forwarded to your server. And the Incredible PBX IPtables setup for IAX restricts access to just a few IP addresses to support IPkall.

There are obviously situations in which you will want or need additional connectivity. The most likely one involves activation of SIP telephones at remote locations, such as a branch office, or Grandma's house or a relative in college. The other obvious use is with cellphones and PDAs that support SIP clients such as Android phones, iPhones, and iPads.2

What we'd recommend you not do is open the SIP floodgate to your PBX by providing unrestricted inbound SIP access, but we'll show you how if you really want or need this functionality. As desirable as this can be, it is accompanied by an array of security issues that really are not worth the risks unless you know what you're doing and you're willing to stay on top of security updates and keep your system patched.

Let's first tackle how to provide limited inbound SIP functionality without selling the farm. If the remote site has a fixed IP address, the procedure to allow remote access to your server is fairly straight-forward: just map the SIP ports on the hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000) and then restrict SIP access using IPtables to the remote IP address as well as the subnet of your private LAN. You can decipher your private subnet by running status. If your server's IP address is 192.168.0.123, then your private subnet would be 192.168.0.0. The IPtables firewall settings are stored in /etc/sysconfig/iptables. Edit that file and find the line that looks like this:

-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT

Delete or comment out this entry with a leading # and insert new entries that look like the following using the public IP address(es) you wish to add plus the private subnet:

-A INPUT -p udp -m udp -s 141.146.20.10 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 141.146.20.11 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT


After making the changes, save the file (in nano: Ctrl-X, Y, then Enter). Then restart IPtables: service iptables restart.
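To make the restriction above repeatable and to confirm that no unrestricted SIP rule is left behind, here is a small POSIX shell helper. It is an added example, not one of the PBX in a Flash scripts: gen_sip_rules prints one ACCEPT line per allowed source in the same format as /etc/sysconfig/iptables, refusing anything that is not an IPv4 address or CIDR block, and audit_open_sip reads an iptables rules file and reports any active SIP ACCEPT rule that has no -s source restriction (commented-out lines are ignored). The 5000:5082 range is the one mapped above; the addresses in the usage lines are made up, and 192.168.0.0/24 is used rather than the /16 in the entry above because a mask of 255.255.0.0 admits every 192.168.x.x host, which is wider than a single /24 LAN needs.

```shell
#!/bin/sh
# Added example (not an Incredible PBX / PBX in a Flash script).
# Builds source-restricted SIP ACCEPT rules and audits an iptables rules
# file for an unrestricted one. Sample addresses below are made up.

SIP_PORTS="5000:5082"   # UDP range the article maps on the hardware firewall

# gen_sip_rules SRC...  -> one "-A INPUT ... -s SRC ... -j ACCEPT" line per SRC.
# SRC must be an IPv4 address or CIDR block (digits, dots, slash); anything
# else is refused so a stray character cannot become part of a firewall rule.
gen_sip_rules() {
  for src in "$@"; do
    case "$src" in
      ""|*[!0-9./]*) echo "gen_sip_rules: rejected source '$src'" >&2; return 1 ;;
    esac
    printf '%s\n' "-A INPUT -p udp -m udp -s $src --dport $SIP_PORTS -j ACCEPT"
  done
}

# audit_open_sip < RULES_FILE
# Prints every active INPUT ACCEPT rule for the SIP port range that has no
# "-s" source match, i.e. one that accepts SIP from the whole Internet.
# Exit status: 0 when none found, 1 when at least one is found.
audit_open_sip() {
  awk -v ports="$SIP_PORTS" '
    /^[ \t]*#/ { next }                      # commented-out rule, ignore
    index($0, "-A INPUT") && index($0, "--dport " ports) && index($0, "-j ACCEPT") && !index($0, " -s ") { print; found = 1 }
    END { if (found) exit 1 }
  '
}

# Usage (constructed addresses): rules for one remote office and the LAN,
# then an audit of the stock rule from the article, which should be reported.
gen_sip_rules 141.146.20.10 192.168.0.0/24
printf '%s\n' '-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT' | audit_open_sip \
  || echo "unrestricted SIP rule found (expected for this sample)"
```

After editing the real file, run audit_open_sip < /etc/sysconfig/iptables; a non-zero exit with the offending line printed means the floodgate is still open. Only then restart IPtables as described above.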

Unfortunately, in many situations, the remote phone or cellphone uses an Internet connection with a dynamic IP address. So we don't know the actual IP address that will be assigned. There are a number of solutions to this problem, and we'll rank them in our order of preference. First, spend the $200 and install another Incredible PBX at the remote site. Then the two servers can be linked with IAX connections between the servers making connectivity between the systems totally transparent. Second, install VPN routers at both sites and use a private IP address to establish connectivity with the host system. In this situation, you will have the equivalent of a fixed IP address for the remote device which makes it the equivalent of the fixed IP address solution above. Third, install OpenVPN on your host system and purchase a SIP phone or cellphone that supports VPN connectivity. Most of the high-end SNOM SIP phones have this functionality as do Android phones, iPhones, and iPads. With this setup you also have the equivalent of a fixed IP address, even though it's on a virtual private network. Fourth, talk to the Internet service provider at your remote site and obtain the range of IP addresses that DHCP hands out to those using their services... or just make an educated guess.3

BEFORE Activating Full SIP Connectivity. OK. We hear you. You travel for a living, and the IP address of your cellphone changes hourly, all day, every day of the year. Then, yes, you are a candidate for a full-fledged Asterisk server with unlimited SIP access. Before covering how, let's review what responsibilities go with running such a server. Bear in mind that one compromised SIP password or otherwise vulnerable application on your server (including Asterisk, FreePBX, SSH, and hundreds of others), and you may very well be the proud owner of a whopping phone bill. And we're not talking hundreds of dollars. It could very well be tens of thousands of dollars. And it doesn't take weeks or months. It could be a few hours.

Baker's Dozen SIP Security Checklist

1. Keep Asterisk Current & Patched
2. Keep FreePBX Current & Patched
3. Make Frequent Backups
4. Visit PBX in a Flash Forums Regularly
5. Subscribe to PBX in a Flash RSS Feed
6. Secure Alphanumeric Extension Passwords
7. Secure DISA, VMail, Root, FreePBX Passwords
8. Lock Down Extensions with Deny/Permit
9. Turn Off Recurring Payments with Providers
10. Restrict Trunks to 1-2 Simultaneous Calls
11. Tighten Dialplan by Removing Wildcards
12. Eliminate Intl & Toll Calls With Providers
13. Check FreePBX Call Logs Daily for Abuse

Baker's Dozen SIP Security Checklist. Before opening the floodgates, let's review what you need to do. First, you'll need to run the very latest version of Asterisk... all the time. This means you need to monitor asterisk.org, and keep your system up to date by running update-scripts, update-source, and update-fixes regularly. The default version of Asterisk on current PBX in a Flash and Incredible PBX builds is extremely reliable, but it contains SIP and IAX vulnerabilities which should not be exposed directly to the Internet! Second, you need to run the latest version of FreePBX and apply all patches as they are released. Third, you need to make frequent backups appreciating that sometimes the Asterisk and FreePBX developers get things horribly wrong, and stuff that used to work no longer does. Believe it or not, they're human! Fourth, you need to visit the PBX in a Flash Forums daily and keep abreast of security alerts and bug reports on CentOS, Asterisk, and FreePBX. Fifth, you need to subscribe to the PBX in a Flash RSS Feed which provides regular security alerts when there are reported problems.

Sixth, you need to really secure your extension passwords with very long, complex alphanumeric passwords. Ditto for your root and FreePBX passwords! Seventh, for DISA and voicemail, these passwords need to be numeric, complex, and extra long. Eighth, you need to lock down as many of your extensions as possible with deny/permit settings to restrict the IP addresses of those extensions. If you only have one or two remote SIP extensions with dynamic IP addresses, then all of the rest should have deny/permit entries!

Ninth, turn off recurring payments with all of your telephony providers and keep minimal funds available in all of your accounts. This means you'll have to monitor these accounts to make sure they are not deactivated for lack of funds. Tenth, restrict all of your trunks to one or at most two simultaneous calls to reduce your call exposure in the event someone breaks into your system. Eleventh, tighten up your Trunk Dial Rules and eliminate any entries that would permit calls to anywhere in the world! If you don't regularly make international calls, there's absolutely no reason to have such entries in your dialplan. If you still have Ma Bell PSTN lines, this is even more important. In fact, consider eliminating long distance access to all of these trunks. Twelfth, where possible, configure your provider accounts to eliminate international and toll calls of all varieties. Finally, check your FreePBX call log every day to make certain no one is making calls on your nickel.
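The thirteenth item, a daily look at the call log, is the one most people skip because it is tedious by hand. The script below is an added example and not part of the Incredible PBX; it automates the check against Asterisk's flat-file CDR. It assumes the default Master.csv column order (accountcode, src, dst, dcontext, clid, channel, dstchannel, lastapp, lastdata, start, answer, end, duration, billsec, disposition, amaflags, uniqueid) with every field double-quoted as Asterisk writes it, and flags the three patterns a break-in usually shows: international destinations (011 prefix, for a U.S. dialplan), calls placed in the small hours, and one extension placing far more calls than normal. The records in sample_cdr are constructed test data, and the default limit of 20 calls per source per day is an assumed threshold you should tune to your own traffic.

```shell
#!/bin/sh
# Added example (not an Incredible PBX script): a daily abuse check over an
# Asterisk CDR file. Assumes the default Master.csv column order
# (accountcode,src,dst,dcontext,clid,channel,dstchannel,lastapp,lastdata,
# start,answer,end,duration,billsec,disposition,amaflags,uniqueid) with every
# field double-quoted. The records in sample_cdr are constructed test data.

# flag_abuse [MAX_PER_DAY] < Master.csv
# Prints "reason<TAB>src<TAB>detail" for each suspicious record:
#   intl         dialed number starts with 011 (international from the U.S.)
#   after-hours  call started between 00:00 and 05:59 server time
#   volume       one source placed more than MAX_PER_DAY calls (default 20, assumed)
# Exit status 1 if anything was flagged, else 0.
flag_abuse() {
  awk -v max="${1:-20}" '
    BEGIN { FS = "\",\""; OFS = "\t" }      # split on the quote-comma-quote between fields
    NF < 17 { next }                         # not a complete CDR record
    {
      src = $2; dst = $3; start = $10
      hour = substr(start, 12, 2) + 0        # "YYYY-MM-DD HH:MM:SS" -> HH
      if (dst ~ /^011[0-9]+$/) { print "intl", src, dst; hit = 1 }
      if (hour < 6)            { print "after-hours", src, dst " at " start; hit = 1 }
      calls[src]++
    }
    END {
      for (s in calls) if (calls[s] > max) { print "volume", s, calls[s] " calls"; hit = 1 }
      if (hit) exit 1
    }
  '
}

# Constructed sample: three daytime domestic calls from 701, one overnight
# international call from 702, one unanswered daytime call from 703.
sample_cdr() {
cat <<'EOF'
"","701","18005551212","from-internal","""701"" <701>","SIP/701-00000010","SIP/vitel-outbound-00000011","Dial","SIP/vitel-outbound/18005551212,300,","2010-04-19 14:02:11","2010-04-19 14:02:20","2010-04-19 14:05:31","200","191","ANSWERED","3","1271685731.16"
"","701","12125550123","from-internal","""701"" <701>","SIP/701-00000012","SIP/vitel-outbound-00000013","Dial","SIP/vitel-outbound/12125550123,300,","2010-04-19 15:10:05","2010-04-19 15:10:12","2010-04-19 15:12:40","155","148","ANSWERED","3","1271689960.18"
"","702","01144207946000","from-internal","""702"" <702>","SIP/702-00000014","SIP/vitel-outbound-00000015","Dial","SIP/vitel-outbound/01144207946000,300,","2010-04-19 03:12:44","2010-04-19 03:12:50","2010-04-19 03:40:02","1638","1632","ANSWERED","3","1271646002.20"
"","703","18435551234","from-internal","""703"" <703>","SIP/703-00000016","SIP/vitel-outbound-00000017","Dial","SIP/vitel-outbound/18435551234,300,","2010-04-19 09:30:00","","2010-04-19 09:30:25","25","0","NO ANSWER","3","1271683825.22"
"","701","18005551212","from-internal","""701"" <701>","SIP/701-00000018","SIP/vitel-outbound-00000019","Dial","SIP/vitel-outbound/18005551212,300,","2010-04-19 16:45:30","2010-04-19 16:45:36","2010-04-19 16:47:01","91","85","ANSWERED","3","1271695621.24"
EOF
}

# Usage: default limit flags only the overnight international call from 702;
# a limit of 2 also flags 701 for volume.
sample_cdr | flag_abuse    || echo "review the calls above"
sample_cdr | flag_abuse 2  || echo "review the calls above (limit 2)"
```

On a live system point it at the real file, for example flag_abuse < /var/log/asterisk/cdr-csv/Master.csv from a nightly cron job that mails you the output; a non-zero exit is your cue to look at the FreePBX call log before the provider's bill does it for you.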

If you are unwilling or unable to perform these Baker's Dozen steps while continuing to monitor the sites provided and recheck your setup regularly (at least every week), don't activate unrestricted SIP access to your server.

Other Options. Consider using an intermediate provider such as voip.ms to provide SIP URI access to your server. Keep in mind that having a registered connection between your server and a VoIP provider alleviates the need to punch a hole in your firewall. So the idea here is to sign up for an inexpensive voip.ms account and set up the trunk connection with your server as either an IAX or SIP account with an always-on connection. Then voip.ms gives you the option of activating a SIP URI as part of a subaccount setup. Just create an internal extension on their server, and this will generate a SIP URI, e.g. 123456666@sip.us4.voip.ms where 12345 is your voip.ms account number and 6666 is the internal extension you created. This lets you connect directly with your server through the SIP URI from anywhere once you map this subaccount to an extension or IVR on your server. The charge for SIP URI calls is only $.001 per minute. The last step is to use this SIP URI in your remote SIP phone to connect back to your server. You can take advantage of the full range of Asterisk functions once these calls reach your server including IVRs and DISA. The approach is not only simple to implement, but it's also safe and economical.

There are some other alternatives as well. Use something like Google Voice or Ooma to redirect calls to your cellphone when you're traveling. Or buy an Ooma for Grandma or a MagicJack for Joe College. These options also are safe, secure, and quite inexpensive.

Just Released: Remote Phone Meets Travelin' Man

Activating Inbound SIP on Your Server. If you still are hell-bent on opening SIP access to your server, the Incredible PBX already is preconfigured to support it. Just map the SIP ports on your hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000). Once activated, anyone can reach you through the following SIP URI using the actual public IP address of your server: mothership@12.34.56.78. You also can adjust the e164 trunk in FreePBX to route inbound calls to any destination desired. Then register your phone number on e164.org and others can call you at no cost using your traditional phone number. Enjoy!


The Incredible PBX: Basic Installation Guide

Adding Skype to The Incredible PBX

Adding Incredible Backup... and Restore to The Incredible PBX

Adding Multiple Google Voice Trunks to The Incredible PBX

Remote Phone Meets Travelin' Man with The Incredible PBX

Continue reading Basic Installation Guide, Part II.

Continue reading Basic Installation Guide, Part III.

Continue reading Basic Installation Guide, Part IV.

Support Issues. With any application as sophisticated as this one, you're bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It's the best Asterisk tech support site in the business, and it's all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won't have to wait long for an answer to your questions.



Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


whos.amung.us If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what's happening. It's a terrific resource both for us and for you.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. We, of course, continue to recommend a dLink Router/Firewall. Low Cost: $35 WBR-2310. Better: DIR-825. Best: DGL-4500.
  2. We recommend the free SipAgent client for Android devices and the commercial Acrobits Softphone for iPods and iPads.
  3. Adding an entry like the following would dramatically reduce the likelihood of a SIP attack: -A INPUT -p udp -m udp -s 141.146.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT

Orgasmatron 5.2: The Secure Swiss Army Knife for Asterisk

It’s been an exciting couple of weeks watching the overwhelmingly positive response to our release of Orgasmatron 5.1. With this version, we introduced a new Asterisk® security model that took into account the ever-increasing security risks posed by exposing web and telephony servers to direct Internet access. The bottom line is this. If your telecom requirements still can be accomplished by placing a server securely behind a $35 hardware-based Internet firewall with no Internet exposure, then it makes absolutely no sense to dangle such a tempting target in front of the world’s most nefarious creeps.

News Flash: Incredible PBX 4.0 is now available with FreePBX 2.10 support!

Coming January 19: Incredible PBX 11 & Incredible Fax for Asterisk 11 and FreePBX 2.11

Our experience suggests that the only trade-off with this new approach is the inability to receive anonymous SIP calls… a small price to pay considering the potential financial and computer risks involved. You still can place outbound VoIP calls as well as placing and receiving calls using any of the phone numbers registered on your new PBX in a Flash server. And, thanks to Google Voice, SIPgate, and IPkall, all inbound calls are free, and all outbound calls to numbers in the U.S. and Canada are free as well.

If a SIP URI and your own Freenum/ISN number are simply features you can’t live without, sign up for a voip.ms IAX account, and you’ll get a SIP URI for free. Inbound SIP URI and Freenum/ISN calls will set you back $1 for every 1,000 minutes billed in 6 second increments.

Or you can sign up for a free IP Freedom CallCentric account and configure a new SIP trunk in FreePBX by following these directions. Once configured, your new server SIP URI will be 1777xxxxxxx@in.callcentric.com where xxxxxxx is your assigned 7-digit CallCentric number.

Keep in mind that a new security vulnerability has been found with either Asterisk or FreePBX almost monthly. The chart below tells you why. With virtually limitless attack surfaces because of the number of interrelated components in CentOS, Asterisk, and FreePBX comes enormous and recurring potential for remote compromise of these systems. Rather than play this cat-and-mouse security game with the underworld, the Orgasmatron design changes the paradigm. It lets you use any (secure or insecure) version of Asterisk and FreePBX without worrying about any outside attacks. Do passwords on your new server matter? Not really… unless there is someone inside your firewall that you don’t trust. 🙄 Are we going to secure them anyway? Absolutely. But instead of the constant worry over new security vulnerabilities, Orgasmatron 5.2 lets you enjoy exploring the world of Asterisk and VoIP telephony with an incredibly rich feature set that you won’t find anywhere else, period! We’ll resist making any other device analogies, but the idea here is to protect the good guy (you!) while keeping the bad guys out. No penetration. No worries. Simple as that.

In our former life working for a living, we actually procured and managed multimillion dollar PBXs as part of our "other duties as assigned." Without qualification, we can tell you that the feature set that Orgasmatron 5.2 brings to the table for free runs circles around anything you could buy (then or now) in the commercial marketplace. And, at one time or another, we purchased every Nortel feature good money could buy. There’s one other difference. Orgasmatron 5.2 runs swimmingly on a $200 Atom-based PC that you can purchase at any Best Buy as well as hundreds of other stores including Amazon, NewEgg, and Buy.com. We paid more than $200 to provision an additional extension on our Nortel switch! You, of course, can add as many extensions as you like. De nada.

So, why a new version of Orgasmatron in only a few weeks? Well, it’s not security-related. In fact, there is nothing wrong with continuing on with Orgasmatron 5.1. Unfortunately, it relied exclusively upon SIPgate to make free Google Voice calls in the U.S. and Canada. And SIPgate required an invite using an SMS message from a U.S.-based cellphone. That pretty well knocked out all of our friends living outside the United States. Today’s version fixes that by letting anyone sign up for a free IPkall phone number in Washington state. All you need is a valid email address. The setup process is a bit more complex because IPkall doesn’t support registered connections to their servers. But we’ll walk you through the additional steps and, once completed, your server will be just as secure as the SIPgate approach we set up with Orgasmatron 5.1. And few, if any, Linux skills are required to set up or manage Orgasmatron 5.2. As we’ve noted previously, if you can handle slice and bake cookies, you’ve got the necessary skillset! Be aware this is about a one-hour project, and you need to track through the article carefully, or the entire house of cards comes down.

New Asterisk Security Model. Orgasmatron 5.2 maintains our design goal of running an absolutely secure Asterisk PBX from behind a hardware-based firewall with either NO INBOUND PORTS exposed to the Internet with SIPgate or an IP-address-restricted IAX port for IPkall. Don’t defeat this security mechanism by exposing additional ports on your PBX in a Flash server to Internet access. And choose your NAT-based firewall/router carefully. All of these devices are not created equally. Not only do some perform better than others, but certain models are notoriously bad at handling NAT-based routing tasks, a critical requirement in the Asterisk VoIP environment. In almost every case of problems with one-way audio, the real culprit can be traced back to a crappy router. For $35, you really can’t go wrong with the dLink WBR-2310. If you want traffic shaping functionality as well, take a look at dLink’s Gaming Router, our personal favorite.

As long as your router, Google Voice, SIPgate, and IPkall passwords are secure, you can sleep like a baby. We use an intermediate SIP provider for Google Voice to set up free outbound Google Voice calls in the U.S. and Canada because Google Voice actually places two calls to connect you to your destination. First, you get a call back. And then the party you’re calling is connected. The SIPgate or IPkall trunk is used by Google Voice to call you back so the inbound call is always free. We handle the interconnection magic with Asterisk transparently so your calls appear to be processed as if you were using a standard telephone to dial out. Just refrain from using extension 75 in Asterisk for personal conferencing!

The choice is yours. You can use SIPgate with no incoming ports exposed to your server from the Internet. Or you can use IPkall and map UDP port 4569 (IAX2) on your hardware-based firewall to the internal IP address of your new PBX in a Flash server. Even with the IPkall setup, we’ve locked down IPtables (our Linux firewall) to restrict IAX access to several specific IP addresses so your server remains absolutely secure. We’ve also included support for FonicaTec’s IAX offering for those that want a backup IAX provider. We’ll have much more to say about IPtables in coming weeks.
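To make the IPtables lockdown described above concrete, here is an added example (not the Orgasmatron build's own firewall rules) that emits ACCEPT rules for UDP 4569 limited to a provider's published addresses followed by a catch-all DROP, and a small audit that scans an iptables -S style dump and flags any UDP ACCEPT reaching a given port without a -s restriction. The provider addresses are placeholders; the same generator also produces the SIP port-range rule from the footnotes.

```shell
#!/bin/sh
# Added example, not part of the Orgasmatron 5.2 build: restrict a VoIP port
# to a provider's addresses at the Linux firewall and audit a rule dump.

# Placeholder sources; substitute the address ranges your IAX provider publishes.
IAX2_SOURCES="203.0.113.10 198.51.100.0/24"

# gen_voip_rules PORTSPEC "SRC SRC ..." : print one ACCEPT rule per source,
# then a catch-all DROP for that port. PORTSPEC may be a single port (4569)
# or a range in iptables syntax (5000:5082).
gen_voip_rules() {
    port=$1
    for src in $2; do
        printf '%s\n' "-A INPUT -p udp -m udp -s $src --dport $port -j ACCEPT"
    done
    # Whatever the router forwards, nothing else reaches this port.
    printf '%s\n' "-A INPUT -p udp -m udp --dport $port -j DROP"
}

# audit_udp_port PORT FILE : return 0 when every UDP ACCEPT in FILE
# (iptables -S / iptables-save format) that reaches PORT carries a -s
# restriction; print the offending rules and return 1 otherwise.
# Single ports, a:b ranges, and rules with no --dport at all are handled.
audit_udp_port() {
    awk -v want="$1" '
        /-p udp/ && /-j ACCEPT/ {
            src = ""; lo = -1; hi = -1
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--dport") {
                    split($(i + 1), r, ":")
                    lo = r[1] + 0
                    hi = (2 in r) ? r[2] + 0 : lo
                }
            }
            if (lo < 0) { lo = 0; hi = 65535 }   # no --dport: rule covers every port
            if (want >= lo && want <= hi && src == "") {
                print "open to any source: " $0
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$2"
}

# Usage: gen_voip_rules 4569 "$IAX2_SOURCES" > iax2.rules
#        iptables -S > current.rules && audit_udp_port 4569 current.rules
```

Run the audit against the live rule set after any change to /etc/sysconfig/iptables so a forwarded port never ends up accepting IAX2 from the whole Internet.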

If you’ve already installed Orgasmatron 5.1 and it’s working for you, do you need to upgrade? NO. With the exception of the new IAX support for IPkall, the code in Orgasmatron 5.2 is identical.

We, of course, continue to recommend that you sign up with Vitelity so you have an alternate communications vehicle in the event of a problem with your free service. Vitelity also can provide 911 emergency service for your home or home office. You can save a little money while supporting the PBX in a Flash project by using the links at the end of this article.

Swiss Army Knife Inventory. There’s no need for a Swiss Army Knife if you don’t know what all the blades are for. So, for those that are wondering what’s included in the Orgasmatron 5.2 build, here’s a feature list of the components you get in addition to the base PBX in a Flash build with CentOS 5.4, Asterisk 1.4, FreePBX 2.6, and Apache, SendMail, MySQL, PHP, phpMyAdmin, IPtables Linux firewall, Fail2Ban, and WebMin. Please note that A2Billing, Cepstral TTS, Hamachi VPN, and Mondo Backups are optional and may be installed using the scripts that are provided.

Prerequisites. Here’s what you’ll need to get started:

  • Broadband Internet connection
  • Rock-solid NAT router/firewall. Recommend: $35 dLink WBR-2310
  • $200 PC on which to run PBX in a Flash or a Proxmox Virtual Machine
  • Free Google Voice account (HINT: Under $2 on eBay)
  • Free SIPgateOne residential account (Use cell to get SMS invite) OR
  • Free IPkall IAX account

Learn First. Install Second. Even though the installation process is now a No-Brainer, you are well-advised to do some reading before you begin. VoIP PBX systems have become a favorite target of the hackers and crackers around the world and, unless you have an unlimited bank account, you need to take some time learning where the minefields are in today’s VoIP world. Start by reading our Primer on Asterisk Security. Then read our PBX in a Flash and VPN in a Flash knols. If you’re still not asleep, there’s loads of additional documentation on the PBX in a Flash documentation web site.

Today’s Drill. The installation process is straightforward, but a little different than the Orgasmo 5.1 scenario because of the need to accommodate IPkall. Just don’t skip any steps. In a nutshell, here are the 6 Steps to Free Calling and an incredibly versatile, preconfigured Asterisk PBX:

1. Install the latest version of PBX in a Flash
2. Run the Orgasmatron 5.2 Installer
3. Configure a softphone or SIP telephone
4. Configure Providers for Orgasmatron 5.2
5. Enter your Google Voice and SIPgate/IPkall credentials
6. Change existing passwords to secure your system

Installing PBX in a Flash. Here’s a quick tutorial to get PBX in a Flash installed. We recommend you install the latest PIAF 1.6 beta on a new Atom-based PC. This beta is virtually identical to version 1.4 except it uses CentOS 5.4 instead of CentOS 5.2. This means it works better with newer hardware including Atom-based computers and newer network cards. Unlike other Asterisk aggregations, PBX in a Flash utilizes a two-step install process. The ISO only installs the CentOS operating system. Once installed, the server reboots and downloads a payload file that includes Asterisk, FreePBX, and many other VoIP and Linux utilities. We use the identical payload for versions 1.3, 1.4, 1.5, and 1.6 of PBX in a Flash. The beta label simply means we haven’t had time to sufficiently test CentOS. But this is not a Microsoft-style beta so fear not!

Download the 32-bit, PIAF 1.6 version from SourceForge, Vitelity, Cybernetic Networks, or AdHoc Electronics. The MD5 checksum for the file is e8a3fc96702d8aa9ecbd2a8afb934d36. Burn the ISO to a CD. Then boot from the installation CD and type ksalt to begin.

WARNING: This install will completely erase, repartition, and reformat ALL disks on your system! Press Ctrl-C to cancel the install.

On some systems you may get a notice that CentOS can’t find the kickstart file. Just tab to OK and press Enter. Don’t change the name or location of the kickstart file! This will get you going. Think of it as a CentOS ‘feature’. 🙂

At the keyboard prompt, tab to OK and press Enter. At the time zone prompt, tab once, highlight your time zone, tab to OK and press Enter. At the password prompt, make up a VERY secure root password. Type it twice. Tab to OK, press Enter. Get a cup of coffee. Come back in about 5 minutes. When the system has installed CentOS, it will reboot. Remove the CD promptly. After the reboot, choose option A. Have a 10-minute cup of coffee. After installation is complete, the machine will reboot a second time. Log in as root with your new password and execute the following commands:

update-scripts
update-fixes

When prompted, change the ARI password to something really obscure. You’re never going to use it! You now have a PBX in a Flash base install. On a stand-alone machine, it takes about 30 minutes. On a virtual machine, it takes about half that time.

NOTE: So long as your system is safely sitting behind a hardware-based firewall, we do NOT recommend running update-source on the Orgasmatron builds because of parking lot issues in the latest releases of Asterisk.

Running the Orgasmatron 5.2 Installer. Log into your server as root and issue the following commands to run the Orgasmatron 5.2 installer:

cd /root
wget http://pbxinaflash.net/orgasmo52.x
chmod +x orgasmo52.x
./orgasmo52.x

Have another 15-minute cup of coffee. It’s a great time to consider a modest donation to the Nerd Vittles project. You’ll find a link at the top of the page. When the installer finishes, READ THE SCREEN!

Now run passwd-master. Set your FreePBX passwords to something very secure but different from your Linux root password.

Next, type status and press Enter. Write down the IP address of your new server.

If you’re using IPkall, now’s the time to log in to your hardware-based firewall/router and map UDP port 4569 to the private IP address that you just wrote down. This tells your firewall to pass all IAX2 traffic from the Internet directly to your new server. Don’t worry. We have severely restricted which IP addresses can actually send IAX data through the PBX in a Flash IPtables firewall which is an integral part of this build. And, remember, no hardware firewall adjustments are necessary if you’re using SIPgate instead of IPkall.

For good measure, we recommend you reboot your server at this point. The command to type is simple: reboot

Configuring a SIP Phone. There are hundreds of terrific SIP telephones and softphones for Asterisk-based systems. Once you get things humming along, you’ll want a real SIP telephone, and you’ll find lots of recommendations on Nerd Vittles. For today, let’s download a terrific (free) softphone to get you started. We recommend X-Lite because there are versions for Windows, Mac, and Linux. So download your favorite from this link. Install and run X-Lite on your Desktop. At the top of the phone, click on the Down Arrow and choose SIP Account Settings, Add. Enter the following information using 82812661 as the password for extension 701 and the actual IP address of your PBX in a Flash server instead of 192.168.0.251. Click OK when finished. Your softphone should now show: Available.

Don’t Forget! After you change your extension passwords later in this tutorial, you will need to update the password entry in X-Lite, or you will no longer be able to place calls! In fact, you will get locked out of your server for 90 minutes after three failed password attempts. So put this on a sticky note so you don’t forget, or you’ll regret it in about 15 minutes.

Either a free SIPgate One residential phone number or an IPkall number is a key component in today’s project. And there’s really no reason you can’t use both if they’re available in your location. Do NOT use special characters in your provider passwords, or nothing will work! Continue reading whichever section below applies to you.

Configuring SIPgate. If you live in the U.S. and have a cellphone, we’d recommend the SIPgate option since no adjustment of your hardware-based firewall is required. Otherwise, skip to the IPkall setup below. Step #1 is to request a SIPgate invite at this link. You’ll need to enter your U.S. cellphone number to receive the SMS message with your invitation code. Don’t worry. You can erase your cellphone number from your account once it is set up. Once you receive the invite code, enter it and choose the option to set up a residential account. Next, choose a phone number and write it down. The area code really doesn’t matter because Google Voice is the only one that will be calling this number after we get things set up. For now, leave your cellphone number in place so that you can receive your confirmation call from Google Voice in the next step. After that, you’ll want to revisit SIPgate and remove all parallel calling numbers. Finally, click on the Settings link and write down your SIP ID and SIP Password. You’ll need these in a few minutes to configure PBX in a Flash. Now place a call to your new SIPgate number and make certain that your cellphone rings before proceeding.

Configuring IPkall. If you’ve opted to use IPkall, here’s the drill. First, you’ll need to register for a free IPkall number. This is actually a two-step process. Set it up as a SIP connection when you first register. Then we’ll change it to IAX once your new phone number is provided. So your initial IPkall request should look like this:

We recommend area code 425 for your requested number because IPkall appears to have lots of them. If they don’t have an available number, your request apparently goes in the bit bucket. You’ll know because IPkall typically turns these requests around in a few minutes. Don’t worry about the mothership entry. We’ll change it shortly. The other issue here is your public IP address. If you have a dedicated IP address, no worries. Just plug in the IP address for SIP Proxy. If it’s dynamic, then you’ll need to set up a fully-qualified domain name (FQDN) with a provider such as dyndns.com. Once you’ve got it set up, enter your credentials in the Dynamic DNS tab of your hardware-based firewall to assure that your dynamic IP address is always synchronized with your FQDN. Then enter the FQDN for your SIP Proxy address in the IPkall form. Be sure to make up a VERY secure password. Now send it off and wait for the return email with your new phone number.

When you receive your new phone number, you’ll need to revisit the IPkall site and log in with your phone number and the password you chose above. Make the changes shown below using your actual IPkall phone number instead of 4259876543:

It’s worth stressing that these settings are extremely important so check your work carefully. Be sure the IAX option is selected. Be sure there are no typos in your two phone number entries. And be sure your FQDN or public IP address is correct. Then save your new settings.

We’re going to be making some entries in FreePBX which is the web-GUI that manages PBX in a Flash. For now, we simply need to enter your new IPkall phone number so that incoming calls to your IPkall number will actually ring on your softphone. Later, we’ll make some further adjustments once we get Google Voice humming along.

Using a web browser from your desktop, log in to FreePBX 2.6 at the following link substituting your server’s private IP address for ipaddress: http://ipaddress/admin. You’ll be prompted for a user name (maint) and password (the one you just created with passwd-master).

When FreePBX loads, choose Setup, Trunks, ipkall (iax). In the USER Context field, enter your 10-digit IPkall phone number. Click Submit Changes, Apply Configuration Changes, Continue with Reload to save your settings.

TIP: Be aware that IPkall cancels an assigned phone number after 30 consecutive days of inactivity. If you will be using your number infrequently, it’s a good idea to schedule a Weekly Reminder to call the number with a prerecorded message. This will assure that your number stays functional.

Now let’s test your new phone number. Call your IPkall number from a cellphone or some other phone. Your softphone should ring. Answer the call, and be sure you have voice in both directions! Do not proceed without success here, or the rest of the adventure is a waste of your time.

Configuring Google Voice. Google Voice still is by invitation only so the first thing you’ll need is an invite. If you’re in a hurry, then stroll over to eBay where you’ll find lots of them for under $2. Once you have your invite in hand, click on the email link to set up your account. After you’ve chosen a telephone number, plug in your new SIPgate or IPkall number as the destination for your Google Voice calls and choose Office as the Phone Type. Trust us.

Google then will place a call to your number and ask you to enter a confirmation code that’s been provided. When your cellphone (SIPgate) or softphone (IPkall) rings, answer it and punch in the number. Wait for confirmation. Then hang up.

As we mentioned earlier, there’s no reason you can’t set up both SIPgate and IPkall forwarding numbers in Google Voice. Just repeat the drill with the other provider’s number if you wish to activate both numbers for use with Google Voice. They’re not both going to ring simultaneously as you will see in a minute.

While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:

  • Call Screening: OFF
  • Call Presentation: OFF
  • Caller ID (In): Display Caller’s Number
  • Caller ID (Out): Don’t Change Anything
  • Do Not Disturb: OFF

Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued on your PBX.

Finally, place a test call to your new Google Voice number and be sure your cellphone or softphone rings. Don’t move forward until you’ve been able to successfully place a call to your phone by dialing your Google Voice number. Once this is working, revisit SIPgate and remove all parallel calling numbers including your cell number.

Adding Your Credentials to PBX in a Flash. We’re ready to insert your Google Voice credentials and SIPgate/IPkall number into PBX in a Flash. You’ll need four pieces of information: your 10-digit Google Voice phone number, your Google Voice account name (which is the email address you used to set up your GV account), your GV password (no spaces!), and your 11-digit SIPgate or IPkall RingBack DID (beginning with a 1). Don’t get the 10-digit GV number mixed up with the 11-digit SIPgate/IPkall RingBack DID, or nothing will work. 🙂

Log back into your server as root and issue the following command: ./configure-gv. Check your entries carefully. If you make a typo in entering any of your data, press Ctrl-C to cancel the script and then run it again!!

Configuring FreePBX. Now shift back to your Desktop and, using a web browser, log in to FreePBX 2.6 at the following link substituting your actual IP address for ipaddress: http://ipaddress/admin. You’ll be prompted for a user name (maint) and password (the one you just created with passwd-master). Depending upon which intermediate provider you’re using, do the following:

SIPgate Setup. When FreePBX loads, choose Setup, Trunks, sipgate. In Peer Details, replace both instances of sipID with your actual SipGate SIP ID. In Peer Details, replace sipPassword with your actual SipGate SIP Password. In Register String, replace sipID with your SipGate SIP ID, replace sipPassword with your SipGate SIP Password, and replace 3333333333 with your 10-digit SipGate Phone Number. When finished, the Register String should look something like the following:

7004484f0:B8TTW3@sipgate.com/4155201234

Click Submit, Apply Configuration Changes, Continue with Reload to save your changes.

SIPgate and IPkall Setup. While still in FreePBX with your browser, click Setup, Inbound Routes, gv-ringback. In DID Number, replace 3333333333 with your 10-digit SIPgate or IPkall Phone Number. In CallerID Number, replace 7777777777 with your 10-digit Google Voice Number.

Click Submit, Apply Configuration Changes, Continue with Reload to save your changes.

Securing FreePBX. You’re almost done. While still in FreePBX, choose each of the 16 preconfigured extensions on your new server and change the extension AND voicemail passwords. Here’s the drill: Setup, Extensions, 501, Submit. After changing secret and Voicemail Password, repeat with the next extension number instead of 501. Then Apply Config Changes, Continue when you’ve finished with all of them.

Now change the default DISA password: Setup, DISA, DISAmain, PIN, Submit Changes, Apply Config Changes, Continue.

Don’t forget to adjust your X-Lite password to match the password entry you made for extension 701!

Orgasmatron Test Flight. The proof is in the pudding as they say. So let’s try two simple tests. First, from another phone, call your Google Voice number. Your softphone should begin ringing shortly. Answer the call and make sure you can send and receive voice on both phones. Hang up. Now let’s place an outbound call. Using the softphone, dial your cellphone number. Google Voice should transparently connect you. Answer the call and make sure you can send and receive voice on both phones. If everything is working, congratulations!

Solving One-Way Audio Problems. If you experience one-way audio on some of your phone calls, you may need to adjust the settings in /etc/asterisk/sip_custom.conf. Just uncomment the first two lines by removing the semicolons. Then replace 173.15.238.123 with your public IP address, and replace 192.168.0.0 with the subnet address of your private network. Save the file and restart Asterisk with the command: amportal restart.

Choosing a VoIP Provider. For this week, we’ll point you to some things to play with on your new server. Then, in the subsequent articles below, we’ll cover in detail how to customize every application that’s been loaded. Nothing beats free when it comes to long distance calls. But nothing lasts forever. So we’d recommend you set up another account with Vitelity using our special link below. This gives your PBX a secondary way to communicate with every telephone in the world, and it also gets you a second real phone number for your new system… so that people can call you. Here’s how it works. You pay Vitelity a deposit for phone service. They then will bill you $3.99 a month for your new phone number. This $3.99 also covers the cost of unlimited inbound calls (two at a time) delivered to your PBX for the month. For outbound calls, you pay by the minute and the cost is determined by where you’re calling. If you’re in the U.S., outbound calls to anywhere in the U.S. are a little over a penny a minute. If you change your mind about Vitelity and want a refund of the balance in your account, all you have to do is ask.

The VoIP world is new territory for some of you. Unlike the Ma Bell days, there’s really no reason not to have multiple VoIP providers especially for outbound calls. Depending upon where you are calling, calls may be cheaper using different providers for calls to different locations. So we recommend having at least two providers. Visit the PBX in a Flash Forum to get some ideas on choosing alternative providers.

Kicking the Tires. OK. That’s enough tutorial for today. Let’s play. Using your new softphone, begin your adventure by dialing these extensions:

  • D-E-M-O – Nerd Vittles Orgasmatron Demo (running on your PBX)
  • 1234*1061 – Nerd Vittles Demo via ISN FreeNum connection to NV
  • 17476009082*1089 – Nerd Vittles Demo via ISN to Google/Gizmo5
  • Z-I-P – Enter a five digit zip code for any U.S. weather report
  • 6-1-1 – Enter a 3-character airport code for any U.S. weather report
  • 5-1-1 – Get the latest news and sports headlines from Yahoo News
  • T-I-D-E – Get today’s tides and lunar schedule for any U.S. port
  • F-A-X – Send a fax to an email address of your choice
  • 4-1-2 – 3-character phonebook lookup/dialer with AsteriDex
  • M-A-I-L – Record a message and deliver it to any email address
  • C-O-N-F – Set up a MeetMe Conference on the fly
  • 1-2-3 – Schedule regular/recurring reminder (PW: 12345678)
  • 2-2-2 – ODBC/Timeclock Lookup Demo (Empl No: 12345)
  • 2-2-3 – ODBC/AsteriDex Lookup Demo (Code: AME)
  • Dial *68 – Schedule a hotel-style wakeup call from any extension
  • 1061*1061 – PBX in a Flash Support Conference Bridge
  • 882*1061 – VoIP Users Conference every Friday at Noon (EST)




Homework. Your homework for this week is to do some exploring. FreePBX is a treasure trove of functionality, and the Orgasmatron build adds a bunch of additional options. See if you can find all of them. For starters, you’ll want to activate CallerID Lookups in FreePBX. Choose Setup, CID Superfecta, Default and enter the maint password you created with passwd-master. Then choose Tools, Module Administration, CallerID Lookup, Enable, Process and Save the Settings. Then edit each of the Inbound Routes and choose CallerID Superfecta as the CID Lookup Source. Save your changes. Finally, choose Setup, CallerID Lookup Sources, CallerID Superfecta and be sure your maint password created with passwd-master is correct here, too. If not, update it. For additional tips, visit the forums.

Be sure to log into your server as root and look through the scripts added in the /root/nv folder. You’ll find all sorts of goodies to keep you busy. s3cmd.faq tells you how to quickly activate the Amazon S3 Cloud Computing service. And, if you’ve heeded our advice and purchased a PogoPlug, you can link to your home-grown cloud. Just add your credentials to /root/pogo-start.sh. Then run the script to enable the PogoPlug Cloud on your server. All of your cloud resources are instantly accessible in /mnt/pogoplug. It’s also perfect for off-site backups!

Also check out Tweet2Dial which lets you use Twitter to make Google Voice calls, send free SMS messages, and manage your new Asterisk server. Don’t forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number. Finally, try out the included Stealth AutoAttendant by dialing your own number and pressing 0 while the greeting is played. This will reroute your call to the demo applications option in the IVR.

Continue reading Part II.

Continue reading Part III.

Continue reading Part IV.

Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! We maintain a thread with the latest Patches for Orgasmatron 5.1 and 5.2. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won’t have to wait long for an answer to your questions.

Coming Attractions. In our next episode, we’ll walk you through the process of adding a second, third, fourth, and fifth Google Voice line to your server so that you’ll never run out of free calling on your server. Enjoy!




  1. passwd-master is the PIAF utility for setting a master password for FreePBX access with the maint user account.
  2. status is the PIAF utility program that displays the current status of most major applications running on your server.
  3. Mapping a port on your firewall to a private IP address unblocks certain Internet packets and allows them to pass through your firewall directly to an IP device "inside" your firewall for further processing.
  4. reboot is the Linux command for restarting your server. It’s functionally equivalent to shutdown -r now.