PIONEERS Living the Ubuntu Dream

dogma1

Guru
Joined
Jun 24, 2014
Messages
22
Reaction score
3
What I am saying is that after the command line comes up on the machine it takes that long before I am able to login to SSH or the web interface. This is because of Ubuntu 14.04, not Asterisk, as I have had the same problem on my router, which is an Ubuntu 14.04 machine.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,229
Yeah, Ubuntu does seem to do some background whirring for a bit. Not that noticeable on a VM or in the Cloud. Starting to remind me of Windoze. :oops:
 

tycho

Guru (not...)
Joined
Aug 9, 2011
Messages
652
Reaction score
272
Shutdown issues are typically due to bad sequence.

*** Worse case the server opens up a portal to haties and everyone gets sucked in.

Made me chuckle. "Haties" s/b "Hades," but I think I like "Haties" better in context.
:)
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
Just sit back and cash those royalty cheques.


To quote the famous Jayne Cobb "...
Ten percent of nothing is—let me do the math here. Nothing into nothin'. Carry the nothin'... "
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
Ok so decided to do a new install today and keep getting this error every time.

root@UbuntuPIAF:~# ./incredible*
-bash: ./incredible-installer.sh: /usr/bin/expect: bad interpreter: No such file or directory
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
root@UbuntuPIAF:~# cd /root
root@UbuntuPIAF:~# wget http://incrediblepbx.com/incrediblepbx11.4.ubuntu14
--2014-06-30 12:55:22-- http://incrediblepbx.com/incrediblepbx11.4.ubuntu14
Resolving incrediblepbx.com (incrediblepbx.com)... 74.86.213.25
Connecting to incrediblepbx.com (incrediblepbx.com)|74.86.213.25|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3846 (3.8K) [text/plain]
Saving to: ‘incrediblepbx11.4.ubuntu14.1’

100%[===================================================================================>] 3,846 --.-K/s in 0s

2014-06-30 12:55:22 (247 MB/s) - ‘incrediblepbx11.4.ubuntu14.1’ saved [3846/3846]

root@UbuntuPIAF:~# chmod +x incredible*
root@UbuntuPIAF:~# ./incredible*
-bash: ./incredible-installer.sh: /usr/bin/expect: bad interpreter: No such file or directory
root@UbuntuPIAF:~#
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,229
Looks like the Ubuntu repo may have been down. That first script (incrediblepbx11.4.ubuntu14.1) attempts to install expect and then pulls down the other tarball with the incredible-installer.sh script. It looks like the following command must have failed in the first script. After that, it gets ugly. :001 9898:


Code:
apt-get install expect -y
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
Is ext 701 required for Incredible or is it just an example extension?
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
Just a pre-baked sample. You can change it as you wish. I've never once used that extension in any of my dozens of PIAF/IncrediblePBX incarnations...
Ok thanks. That's what I thought, I've been using regular PIAF without Incredible for a few years now. This is my first serious install with Incredible. I assume that is the same with the Lenny extension, 53669?
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
Ok so I have been playing around with the halt/reboot issue and have found something that works 100% of the time.

Log in as root or su then nano /etc/default/grub file to reflect the following:

GRUB_CMDLINE_LINUX_DEFAULT=""
Change to
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi=force"

Then do sudo update-grub and reboot. It took the command the first time immediately after and I thought it was a done deal... not so fast.

After the reboot and logging back in I noticed that it looked like it was still hanging after getting the shutdown message. I hit enter again, it took me back to the CLI prompt and I typed reboot again and this time it worked.

So in short after the above mod to grub if you type in reboot or halt you will get a message that the system is going down like normal, but it still doesn't

Hit enter again and you will now be back at the CLI prompt, type in halt or reboot again and this time it will work.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,229
Installer has been updated. Thanks, jeff.h. For existing systems, these commands will do the heavy lifting for you:
Code:
sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=""|GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi=force"|' /etc/default/grub
update-grub
reboot
 

markieb

Active Member
Joined
Feb 19, 2009
Messages
165
Reaction score
51
Seriously Dudes!
I feel positively stupid next to geniuses like you! :p
When I grow up I wanna be clever just like you guys lol
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,229
Port Knocker for Ubuntu

UPDATE: Nerd Vittles tutorial now available here.

This is an add-on to let you open one or more server ports on the fly for remote access using your smartphone, tablet, or computer to send 3 knocks to random ports. If the "knocks" are sent to the proper ports in the correct order, this triggers Port Knocker to modify IPtables for your IP address, and you gain access to the ports specified for a certain period of time or until a series of knocks closes the port(s).

Begin your adventure by reading this post. The original post was for RedHat/CentOS so the Ubuntu install is a little different. Nerd Vittles tutorial coming shortly.

NOTE: This is already set up in the latest Incredible PBX for Ubuntu builds. Just write down your secret port knocking sequence when the install is finished. Your knock credentials also are saved in /root/knock.FAQ. As configured, successful knocks get you an hour of access to all ports on your server from your current IP address. You can send the codes in several ways. From a remote location, if your cellphone is on WiFi and shares the same public IP address as one or more computers on the same WiFi network, then use the smartphone app for iOS or Android to send the "knocks" to your server. For iPhones (PortKnock is $0.99) and for Android devices (PortKnocker is free).

You could also send the knocks with the nmap utility from any computer with nmap. The sequence you would send looks like this using the 3 ports provided (8683, 6304, 7371 in example) AND your server's (public) IP address (123.4.5.67 in example). These were provided when your install completed. Also saved in /root/knock.FAQ.
Code:
nmap -p 8683 123.4.5.67 && nmap -p 6304 123.4.5.67 && nmap -p 7371 123.4.5.67
Once the door is opened, you can log in from any computer with the same public IP address. You could also make SIP calls, etc. The door stays open for ONE HOUR as configured! Use /root/add-ip to create a more permanent IPtables rule. Or modify the time limit (cmd_timeout) as outlined below.

IMPORTANT: If your server is sitting behind a hardware-based firewall, you must map the 3 TCP ports from your hardware firewall to the private IP address of your server!

WARNING: Be very careful with your Port Knocker credentials. Anybody that obtains the sequence basically gets access to attack your server just as if they were sitting at a login prompt for your server. They still need your passwords, but it's one step closer to a compromised server. So treat the port sequence just like a password. It is!

To manually install on previous installations...

First, you'll need to know whether you're running 32-bit or 64-bit OS. Then, log in as root and...

Code:
cd /root
apt-get install libpcap* -y
# for 32-bit, enable the next line by removing #
# wget http://ftp.us.debian.org/debian/pool/main/k/knockd/knockd_0.5-3_i386.deb
# for 64-bit, enable the next line by removing #
# wget http://ftp.us.debian.org/debian/pool/main/k/knockd/knockd_0.5-3_amd64.deb
 
dpkg -i knockd*
 
nano -w /etc/knockd.conf
# Make your config look like what's shown in the knockd.conf example below
# But make up 3 magic numbers of your choice and choose tcp, udp as desired
# Save the file after making your changes: Ctrl-X, Y, then Enter
 
nano -w /etc/default/knockd
# change START_KNOCKD=0 to START_KNOCKD=1 and save file
# above file is /etc/sysconfig/knockd on RedHat/CentOS systems
# if using wlan0 wireless interface instead of eth0, add: KNOCKD_OPTS="-i wlan0"
 
/etc/init.d/knockd start

knockd.conf should look like the following example. Be sure to substitute your 3 magic numbers for 2, 4, and 6!! You can mix and match tcp and udp as desired. The setup below keeps SSH port 22 open for 1 hour (3600 seconds) on the IP address of any successful knock (15-second timeout on the sequence) using one of the knock clients from the dev web site.

Remember to map the three ports to your server from your firewall if it's behind a hardware-based firewall. Otherwise, you do NOT have to open any ports in IPtables for this to work.
Code:
[options]
        logfile = /var/log/knockd.log
 
[opencloseSSH]
        sequence      = 2:udp,4:tcp,6:udp
        seq_timeout  = 15
        tcpflags      = syn,ack
        start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
        cmd_timeout  = 3600
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT

You can review your successes and failures and automatic port closings in /var/log/knockd.log.

NOTE: Always turn off knockd before making changes in your configuration. Then start it again.
Code:
/etc/init.d/knockd stop
nano -w /etc/knockd.conf
/etc/init.d/knockd start

Once you get the hang of it, there are lots of magic tricks you can perform with the start_command and stop_command. For example, if you wanted to open up full access to your server for a specific IP address after a successful knock, substitute the following in /etc/knockd.conf:
Code:
[opencloseSSH]
        sequence      = 2:udp,4:tcp,6:udp
        seq_timeout  = 15
        tcpflags      = syn,ack
        start_command = /sbin/iptables -A INPUT -s %IP% -j ACCEPT
        cmd_timeout  = 3600
        stop_command  = /sbin/iptables -D INPUT -s %IP% -j ACCEPT

Or you could just open up SIP access (e.g. for remote users) by changing:
Code:
/sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
to:
Code:
/sbin/iptables -A INPUT -s %IP% -p udp --dport 5060:5069 -j ACCEPT
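
An added example, not part of the original post or of Incredible PBX: a small Python audit of a knockd.conf in the format shown above. It flags doors that reuse the knock sequences printed in this thread, open every port, or never close; the function names, the 3600-second `max_open` limit and the `sipDoor` section are assumptions made for illustration.

```python
import re

# Knock sequences printed in this thread; treat them as already known.
PUBLISHED = [[2, 4, 6], [8683, 6304, 7371]]

def parse_knockd(text):
    # Return {section: {key: value}} for knockd.conf-style text.
    doors, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = doors.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return doors

def audit(text, max_open=3600):
    # Return sorted (section, finding) pairs; max_open is an assumed limit.
    findings = []
    for name, door in parse_knockd(text).items():
        if "sequence" not in door:  # e.g. [options]
            continue
        ports = [int(p.split(":")[0]) for p in door["sequence"].split(",")]
        if ports in PUBLISHED:
            findings.append((name, "sequence is a published example"))
        start = door.get("start_command", "")
        if "-j ACCEPT" in start and "--dport" not in start:
            findings.append((name, "start_command opens every port to %IP%"))
        if start and "stop_command" not in door:
            findings.append((name, "no stop_command, rule is never removed"))
        if int(door.get("cmd_timeout", 0)) > max_open:
            findings.append((name, "cmd_timeout above %d seconds" % max_open))
    return sorted(findings)

# Constructed sample: the thread's full-access door plus a made-up SIP door.
SAMPLE = """
[opencloseSSH]
        sequence      = 2:udp,4:tcp,6:udp
        start_command = /sbin/iptables -A INPUT -s %IP% -j ACCEPT
        cmd_timeout   = 3600
        stop_command  = /sbin/iptables -D INPUT -s %IP% -j ACCEPT
[sipDoor]
        sequence      = 7001:tcp,8002:udp,9003:tcp
        start_command = /sbin/iptables -A INPUT -s %IP% -p udp --dport 5060:5069 -j ACCEPT
"""
```

Call `audit(open("/etc/knockd.conf").read())` as root on the server; an empty list means none of these four conditions were found.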
 

james

Guru
Joined
Oct 18, 2007
Messages
374
Reaction score
38
It should go without saying, but very little does these days... Set your own ports. Don't use the ones in the PUBLIC example.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,229
Latest release has Port Knocker included with randomized ports for the knock. Let us know if it smokes. :sifone:
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
Haven't messed with port knocker, but I have had this running on a Foxconn box for a few days now and it's been fine. No call issues and the web interface is noticeably faster.
 
