Comments on: The Incredible PBX: Adding Remotes, Preserving Security

By: Joe McGuirl

Joe McGuirl — Tue, 15 Mar 2011 21:00:36 +0000

Ward, I think I am missing something here... TravelingMan does work as advertised except for one thing. It does not seem to remove the previous IP associated with the extension from the white list. And before anyone else says it, I know it does change the IP in the associated .inc file. [WM: See this thread on the PIAF Forum for more information.]

By: ward

ward — Tue, 18 Jan 2011 22:05:35 +0000

A major SIP security vulnerability was discovered in all versions of Asterisk today. You can read all about it here.

We have developed a script for Asterisk 1.8.x which will quickly patch your system and eliminate the problem. Log into your server as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/sipfix
chmod +x sipfix
./sipfix

Please apply this patch immediately to protect your server!

By: Jeff

Jeff — Mon, 27 Dec 2010 21:26:07 +0000

I have spent the better part of a day trying to get external clients to be able to log into my SIP server (yes, I fully understand the risks). The whole reason I am using PIAF is to have a server for my SIP clients on my phones and tablet, connected from anywhere and everywhere. This became eminently more useful with the addition of the direct connection to Google Voice now available in PIAF. The above instructions over-simplify what is actually required to enable full network access. In addition to allowing your hardware firewall, you need to edit the IPtables firewall (I edited the WHITELIST rule, effectively whitelisting the internet for testing purposes) and ensure that the extension you are attempting to use isn't limited to only the local network. After all of that, I was able to get full access to PIAF across the internet. Hope that helps someone else out who is having similar problems. [WM: Our Travelin' Man app makes the necessary modifications to both Asterisk and IPtables if you are using the current version.]

By: Joel

Joel — Wed, 16 Jun 2010 05:32:29 +0000

Long story short, I also had to go to Tools > System Administration > Asterisk SIP Settings and enter my dyndns info to get audio to work.
Hope this helps anyone with audio problems.

By: Joel

Joel — Tue, 15 Jun 2010 03:12:43 +0000

I believe everywhere you typed -dport you really should type --dport (with two hyphens) correct? WM: Yes. It's a formatting bug in WordPress. We fixed it in the article, but there's no fix in comments. Sorry.

By: Joel

Joel — Mon, 14 Jun 2010 15:38:53 +0000

I believe the address block for t-mobile is located here:

https://developer.t-mobile.com/loadKbaseEntry.do?solutionId=1154

By: Lee

Lee — Mon, 14 Jun 2010 06:27:02 +0000

Since I use a Nokia N95, I followed through on the article’s recommendation to find a VPN client for this phone. Nokia offers a sort of red herring for my purposes, called "Nokia Mobile VPN Client" which a requires an IPsec router (like a Ci$co) or either OpenSwan or FreeSwan doing the job on a linux box. I use DD-WRT for my routing purposes, which only offers OpenVPN/PPTP VPN service easily. SO, in order to connect Symbian devices to something like a DD-WRT box, it is possible to use a $30 client called SymVPN from http://www.telexy.com.

FWIW, the VPN version of DD-WRT also offers a Milkfish SIP firewall-thingy. In real-life, this Milkfish sorted out my SIP NAT voice issues having a DD-WRT in a subnet behind another DD-WRT, (which might be common in a well-networked multi-tenet building sharing a common internet connection.)

By: Scott

Scott — Fri, 11 Jun 2010 19:28:46 +0000

Ward,

Are there any problems with using Apple’s Extreme N Router? I haven’t seen any comments for or against. TIA

By: ward

ward — Thu, 10 Jun 2010 14:37:28 +0000

Another example of why opening SIP access to your server is a bad idea… from a user in Atlanta:

> FYI —
> Had ‘209.76.47.13’ attempt to access a box this afternoon..
> [Jun 9 15:03:10] NOTICE[3216] chan_sip.c: Registration from
> ‘"1831848281″‘ failed for ‘209.76.47.13’
> – No matching peer found
> [Jun 9 15:24:47] NOTICE[3216] chan_sip.c: Registration from
> ‘"487739648″ ‘ failed for ‘209.76.47.13’ –
> No matching peer found
> In 21 Mins had 77,464 attempts.
> JMS…

By: Paul

Paul — Thu, 10 Jun 2010 14:05:00 +0000

Hi Ward--Why was my question/post removed? [WM: It wasn't. But we don't stay up all night moderating comments. :roll: Details here.]

By: Naser

Naser — Thu, 10 Jun 2010 09:27:44 +0000

what about IAX client ? As you know the IAX is NAT friendly more than SIP. can the next article be about connecting IAX client ?

By: Michael

Michael — Thu, 10 Jun 2010 06:36:59 +0000

"Then register your phone number on e164.org and others can call you at no cost using your traditional phone number" - Well that's certainly not how enum works. Obviously these "others" would need to be calling through an enum trunk. [WM: The context was that others would also be using an Incredible PBX. And it would work as advertised.]

By: daj

daj — Thu, 10 Jun 2010 03:53:56 +0000

I’ll second Trousle’s request

By: Paul

Paul — Thu, 10 Jun 2010 02:07:57 +0000

HI Ward--great article. I have a hardware firewall and have port 5060 open. Your article implies that it's possible to leave this closed and still receive phone calls (perhaps I'm reading it wrong). As a test I disabled 5060 and dialed my home number from my cell: busy signal. How is it possible to receive calls with 5060 closed? [WM: Use the recommended firewalls, and there won't be a problem. Details here.]

By: Curious

Curious — Mon, 07 Jun 2010 22:48:49 +0000

The risk of bulk international calling obviously exists, but in Google Voice’s case, doesn’t Google Voice not connect an international call unless there is a sufficient balance in the account?

Also, assume my SIP provider allows me to turn off international calling, would that also protect me?

I’m an absolute newbie in the field and I’m not entirely sure where to begin my googling.

By: Trousle

Trousle — Mon, 07 Jun 2010 15:22:35 +0000

Since this article is about remote clients, can the next article (or one in the next couple of weeks) be about adding remote servers or connecting servers using SIP or IAX?