
PIAF-OpenVZ with CentOS 5.7

Discussion in 'Add-On Install Instructions' started by wardmundy, Sep 15, 2011.

  1. wardmundy Nerd Uno

    We've completed work on a new OpenVZ template (871.20 MB) for PIAF-Purple with CentOS 5.7, Asterisk 1.8.6.0, and the latest modules for FreePBX 2.8 including tm1000's Google Voice GUI update from this past week. You can build virtual machines in under 2 minutes flat. And they boot up in about 1 minute. We've also installed Tom King's latest Apache, PHP, PHPMyAdmin modules on top of CentOS 5.7. This should address all known exploits... for today. The template also includes EndPoint Manager, CallerID Superfecta, AsteriDex, Telephone Reminders, and Hotel WakeUp Call FreePBX modules. We need a few testers for this latest upgrade to CentOS 5.7 and would welcome your suggestions/additions/deletions.

    If you're using this with Proxmox, be sure to run your Proxmox server behind a secure hardware-based firewall with no Internet port exposure. Reportedly, any current version of Proxmox with OpenVZ is extremely vulnerable to a root exploit because of the kernel being used. Once an attacker takes over your Proxmox server, ALL of your virtual machines are 100% vulnerable! If you need Internet access to a Proxmox server, do it only with a WhiteList of safe IP addresses or a VPN. For details on the web vulnerability, read this thread and this one.

    Because of Tom's Apache and PHP patches, we think the actual OpenVZ virtual machines created with this new template are safer for Internet exposure individually; however, we ALWAYS recommend not exposing any virtual machine to wholesale Internet access. It is NOT necessary to make or receive phone calls! If you do need Internet access for admin or a remote phone, use IPtables on the virtual machine to create a WhiteList!!!


    PROXMOX INSTALL INSTRUCTIONS:

    To load the new PIAF-OpenVZ template with CentOS 5.7 on your Proxmox server, log into the server as root and issue these commands:



    To load the new PIAF-OpenVZ template with CentOS 5.5 on your Proxmox server, log into the server as root and issue these commands:



    UPDATE: Both the CentOS 5.5 and 5.7 templates now are also available from SourceForge.


    To create a new OpenVZ virtual machine using the new template, use the Proxmox browser interface: Virtual Machine, Create:



    Here's a sample of what the Create VM form should look like:

    [IMG]


    SECURING IPTABLES FIREWALL:

    As mentioned, we recommend running all of your virtual machines behind a secure, hardware-based firewall with NO Internet exposure. If your virtual machine is actually running on a hosted server on the Internet, this may not be possible. You still can make your virtual machine rock-solid secure with the included IPtables firewall. Here's how.

    Log into your server as root. Edit /etc/sysconfig/iptables:

    1. Remove existing access to the dangerous ports

    2. Add WhiteList IP addresses for the locations where you need access for admin or remote phone access


    To remove access to dangerous ports, change:



    to this:



    To add WhiteList IP addresses for sites from which you need access to the server for admin or phones, find the section of the file that looks like this:



    Add entries just below the existing series that look like this using your actual IP addresses:



    FINAL IMPORTANT STEPS:

    1. Be sure you have added a WhiteList entry for the IP address you're using to access your server, or you will lock yourself out!

    2. Then, restart your firewall to load the new settings: service iptables restart

    3. Verify that your new settings are working and are what you expected to see: iptables -nL

    4. Attempt to access your virtual machine's web interface using the browser on your cellphone (assuming it is not in your WhiteList). This will validate that the firewall is working properly by denying you access.

    KNOWN QUIRKS:

    The status display isn't quite right. This is what displays on a Proxmox VM with IPtables up and running. The third step above will verify it for you:

    [IMG]
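
The WhiteList procedure in the first post, as an added example that is not part of the original post or the PIAF template: a pre-restart check of a rules file that confirms your own address is whitelisted and lists any ACCEPT rules still open to every source. The ports (22, 80), the address 203.0.113.10, the sample rules and all function names are assumptions for illustration; only single-port `--dport` rules are examined.

```sh
# Added example: audit an iptables rules file before "service iptables restart".

# Print ACCEPT rules on the given ports that have no source restriction.
open_rules() (
    file=$1; shift
    for port in "$@"; do
        grep -E -- '^-A .* -j ACCEPT' "$file" |
            grep -E -- "--dport ${port}( |\$)" |
            grep -Ev -- '(^| )(-s|--source) ' || true
    done
)

# Succeed only if an ACCEPT rule names exactly this source address.
whitelisted() (
    re=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots must match literally
    grep -Eq -- "^-A .* (-s|--source) ${re}(/32)? .*-j ACCEPT" "$1"
)

# preflight FILE ADMIN_IP PORT...  ->  0 safe, 1 lockout risk, 2 ports open
preflight() {
    pf_file=$1; pf_ip=$2; shift 2
    if ! whitelisted "$pf_file" "$pf_ip"; then
        echo "STOP: no WhiteList entry for $pf_ip; a restart would lock you out"
        return 1
    fi
    pf_open=$(open_rules "$pf_file" "$@")
    if [ -n "$pf_open" ]; then
        printf 'Still reachable from any address:\n%s\n' "$pf_open"
        return 2
    fi
    echo "OK: $pf_ip is whitelisted; ports $* accept no unrestricted traffic"
}

# Constructed sample rules; 203.0.113.10 is a documentation address (assumed admin IP).
make_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 203.0.113.10 -j ACCEPT
COMMIT
EOF
}

demo=$(mktemp); make_sample "$demo"
preflight "$demo" 203.0.113.10 22 80 || echo "preflight returned $?"
rm -f "$demo"
```

Run it against a copy of /etc/sysconfig/iptables with your own address and port list before restarting the firewall; a non-zero return means the file still needs editing.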
  2. wardmundy Nerd Uno

    New template now includes CentOS 5.7. :smile5:
  3. mainenotarynet Not really a Guru - Just a long time user

    Mr Ward, I thought we've had an OpenVZ template for Purple for a while (64-bit only I think) as it is how I run mine on my VPS through my hosting company -- they got the template for me.

    Is this a new one for 32-bit maybe? And do you have any plans for Red yet?

    I would love to use your new one but still can't figure out the backup module so I don't have to recreate the wheel -- extensions-easy DIDs-easy but Queues, ring groups, conferences -- not so easy as they don't have the modules for the export of the data.

    The system backup may but I can't figure that out to save my life.
  4. wardmundy Nerd Uno

    This one is still 64-bit. Much newer CentOS. Much more secure. Much newer Asterisk 1.8 which is more reliable particularly with Google Voice.

    No plans for Asterisk 10 at the moment. Wouldn't be hard to do it yourself. Just follow along in one of the EXPERIMENTAL threads for details.
  5. wardmundy Nerd Uno

  6. wardmundy Nerd Uno

    Newly updated OpenVZ template is now available. See above.
  7. darmock PIAF Developer

    Actually status has been fixed for the new template. Has not been pushed out to everyone else yet as it is a work in progress. Once complete it will be available by the usual update-programs. Please be patient.

    Also for the moment the N/A * means not available running under Proxmox.

    Tom


    [IMG]
  8. robfantini New Member

    I had to do this after the wget:

    mv nFhdxG centos-5.7-purple1.8.6-piaf_1.7.5.5.5-2_amd64.tar.gz
