R.I.P. Wable: Fun While It Lasted

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
We fully expect to add wable-repo to the Incredible PBX GUI repository shortly. Works like a champ. For now, it's our "second aquarium" to test whether new module updates break anything (which they do, by the way). Shocker! :frown2:

Have already deployed several Incredible PBX builds which have terrific performance thus far.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
More good news on wable. Now you can create snapshots (for a nickel) that get stored on two remote servers. Storage cost adds another nickel each month for wable-repo. Or you can delete the snapshots on the last day of the month and pay no storage fees. Just pay another nickel on the first of the next month to create a new snapshot.

You can use these snapshots to create additional servers at the same or any other location in a couple of minutes. Very nice to manage expansion while also providing backups. Also would be perfect for a PBX on which you stake your business!

 

Dave Gray

Guru
Joined
May 22, 2013
Messages
150
Reaction score
60
Make damn sure you choose a strong root password. In the 30 minutes between setting up my server and installing my PBX (which, of course, added the firewall settings) there were almost 500 SSH authentication failures from a single IP address in China. They're brute forcing the passwords...
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
Which PBX? I think the new Incredible build uses whitelist to not even give them the opportunity.
 

Dave Gray

Guru
Joined
May 22, 2013
Messages
150
Reaction score
60
IncrediblePBX. The point is, there is a period of time (about 1/2 hour in my instance) between spinning up the box, and actually having a working firewall. 500 hits in that 30 minutes.

I wonder if they're blanketing the address space, or if I was unlucky and got someone's old IP address.
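
To put a number on bursts like the one described above, failed sshd password attempts can be tallied per source address. This is an added example, not part of the original posts; the log lines are constructed in the CentOS /var/log/secure format and use documentation addresses.

```shell
#!/bin/sh
# ssh_fail_counts LOGFILE [MIN]
# Print "count ip" for every source with at least MIN failed sshd password
# attempts (default 1), busiest source first.
ssh_fail_counts() {
    awk -v min="${2:-1}" '
        /sshd\[[0-9]+\]: Failed password for / && $NF == "ssh2" {
            # The line ends "... from <ip> port <n> ssh2". Counting fields
            # from the end keeps a user name such as "from" from shifting
            # the address into the wrong column.
            n[$(NF-3)]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample input: three failures from one address, one from
# another, plus a successful login and a disconnect that must not count.
sample_log() {
cat <<'EOF'
May 30 10:01:02 pbx sshd[2101]: Failed password for root from 203.0.113.45 port 51122 ssh2
May 30 10:01:05 pbx sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51140 ssh2
May 30 10:01:09 pbx sshd[2105]: Failed password for invalid user from from 203.0.113.45 port 51163 ssh2
May 30 10:01:10 pbx sshd[2105]: Received disconnect from 203.0.113.45: 11: Bye Bye
May 30 10:02:30 pbx sshd[2110]: Failed password for root from 198.51.100.20 port 40022 ssh2
May 30 10:05:00 pbx sshd[2120]: Accepted password for root from 192.0.2.10 port 50500 ssh2
EOF
}
```

On a live box, `ssh_fail_counts /var/log/secure 20` lists only the sources with 20 or more failures.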
 

Trimline2

Guru
Joined
May 23, 2013
Messages
524
Reaction score
96
Dave - I had the same issue using ipsystemsltd - by the time I had done an OS refresh, there were 100's of attempts. It's a good thing the system is fast.. about 20 mins for a full install, but I believe there are bots running 7/24 trying to crack these boxes.

After the install, I run these two scripts from the root directory. I only startit when I need access to the GUI. CHMOD these to 775 and you are good to go.

stopit
Code:
#!/bin/bash
# Stop Apache (the web GUI) and Webmin so neither is listening while unused
service httpd stop
/etc/webmin/stop
echo "Stopped httpd & Webmin"

startit
Code:
#!/bin/bash
# Start Apache (the web GUI) and Webmin only while GUI access is needed
service httpd start
/etc/webmin/start
echo "Started httpd & Webmin - Please remember to run stopit when you are done."
 

lrosenman

Guru
Joined
Oct 17, 2014
Messages
221
Reaction score
30
On ANY IP block you will see thousands of ssh/etc attacks ALL DAY LONG from CN and other places. I'm truly amazed at what my FW blocks EVERY DAY on the /24 I have.
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
819
Reaction score
218
I understand the attack before everything is installed. I have some questions about the security in incredible PBX...

1> Whatever happened to the code where you could lock out by country? Was that found to be flawed? It seemed to work very well for me..
2> I've had an older, production PIAF at RentPBX since they started the business. I have a lot of users, all over the country. I use VERY strong passwords. Yeah, I get a lot of SSH attempts. I run the web server on an odd port. Since I've started, I had one security breach -- not on the PBX -- on a forgotten temp subaccount on voip.ms. Luckily, their alarms caught it within a few minutes, and I got rid of the account. You have to be extremely diligent with passwords! Anyway, my point being is I have no port knocker or extremely locked down PBX and it's been great.
3> So, is there a way to set up Incredible PBX so it is not so locked down? I'm not a firewall expert, but I'm sure I can edit the rules.
What I'd like is: no anonymous access, if still available, the geo-based IP locking.

The purpose being: I want to send an IP phone or ATA to a customer/family/friend and not have to know what IP they will be accessing from. Sometimes the client is mobile/laptop around the world (except China) and I'd still like to provide that access.
 

Trimline2

Guru
Joined
May 23, 2013
Messages
524
Reaction score
96

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Problem is the new implementation won't work on OpenVZ platforms such as wable because of the shared kernel architecture.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
Why would it care about the kernel architecture? Doesn't it just say ban IPs that meet this criteria?
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
819
Reaction score
218
So, Ward, back to my original thought... I want to use IncrediblePBX on wable. I want to be able to send folks ip phones and plug-n-play.
What, if any, is the solution?
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
677
Reaction score
137
run OpenVPN on the server
use Yealink or another phone that has a built in OpenVPN Client
configure it, mail it, done
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
w1ve said:
So, Ward, back to my original thought... I want to use IncrediblePBX on wable. I want to be able to send folks ip phones and plug-n-play.
What, if any, is the solution?

I think it's all built around the IPtables. If you like your IPtables setup better than the standard setup that Ward's got on IncrediblePBX, just replace it with yours (make a copy of it first though, just in case). I have a need to try this out as well, but haven't had time yet.
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
819
Reaction score
218
IslandTech -- love the Yealink phones but prefer choice. I guess I'll have to start mucking with IPTables more.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
To have a secure platform with IPtables, you either have to use Dynamic DNS updating on the client side or use a VPN on the client devices. PortKnocker will work, but it means there's an extra step before the phones will work, and then they only work until the IP address changes.
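
One way to pair a whitelist with Dynamic DNS, shown as an added example that is not part of the original post and not Incredible PBX's own script: a function, run periodically, that swaps a single iptables ACCEPT rule when the address behind a DDNS name changes. The hostname phone.example.net and the state-file path are placeholders.

```shell
#!/bin/sh
# Assumptions: STATE is a hypothetical path; rules go straight into INPUT.
STATE="${STATE:-/var/run/ddns-allow.state}"
IPT="${IPT:-iptables}"     # set IPT=echo for a dry run that only prints the rules

# Resolve a name to its first IPv4 address using the system resolver.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Accept only a plain dotted quad, so a bad or hostile DNS answer can never
# put anything else on the iptables command line.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# refresh_allow HOSTNAME
# Replace the ACCEPT rule when the address behind HOSTNAME has changed.
refresh_allow() {
    new=$(resolve_ipv4 "$1")
    if ! is_ipv4 "$new"; then
        # Failed lookup: keep the rule already in place rather than lock
        # the client out or whitelist garbage.
        echo "resolve failed for $1; existing rule left in place" >&2
        return 1
    fi
    old=$(cat "$STATE" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 0                                 # unchanged, nothing to do
    fi
    if is_ipv4 "$old"; then
        $IPT -D INPUT -s "$old" -j ACCEPT        # remove the stale address
    fi
    $IPT -I INPUT -s "$new" -j ACCEPT            # admit the current one
    printf '%s\n' "$new" > "$STATE"
}
```

Between runs the client is locked out whenever its address has changed, so the interval trades convenience against how long a released address stays whitelisted.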
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
wardmundy said:
To have a secure platform with IPtables, you either have to use Dynamic DNS updating on the client side or use a VPN on the client devices. PortKnocker will work, but it means there's an extra step before the phones will work, and then they only work until the IP address changes.

You know .... there might be another method, only talking philosophically, as I've never tried it. Most phones (and ATAs) have an auto-provisioning tab. I think you could have this set up to do essentially a port knock to open the hole to properly register.
 
