TIPS why my pbxinaflash server cannot be pinged

Discussion in 'Help' started by gzpxyj, Nov 3, 2009.

  1. gzpxyj Member

    My pbxinaflash server phone works. But I could not ping my server from the lan. What is the reason for that? I just built the pbxinaflash server using the google voice version. Any idea?
  2. madberry New Member

    Is there any other server or router or switch or maybe hardware firewall on the network that might be preventing you from pinging?

    Remember to forward the sip ports to your PiaF box.
  3. jroper Guru

    IPTables prevents pings on Piaf, as the type of server can be identified by the ping reply, and hence the potential hacker knows which toolbox to reach for.

    If you type service iptables stop, then you will be able to ping, and service iptables start will start them up again, and they will come back up on reboot.

    Joe
  4. madberry New Member

    That makes sense.
  5. gzpxyj Member

    That is OK. But my ftp connection gets no route to host. Is that associated with IPTables too? I am unable to use ftp to store my mondo backup on another server. It complains of no route to host. I believe it is due to my pbxinaflash server iptables issue. I have been looking for a solution for days and could not figure it out. Can you share with me your solution for how I can get the mondo backup saved to another server?
  6. wardmundy Nerd Uno

    Follow jroper's advice above and temporarily turn off IPtables. Then try your FTP request. That will tell you whether it's an IPtables problem... It isn't, by the way.
  7. gzpxyj Member

    So you know what is the problem, right? Any idea how to solve it?
    I did the test and the ftp still shows no route to host. So it is not the iptables issue. Have no idea where to look for now.
  8. jroper Guru

    ftp still shows no route to host......

    Almost certainly a network configuration or a DNS issue; normal rules apply to debugging that one.

    Joe
  9. gzpxyj Member

    Just to let you know that I have two servers on the same lan. The pbx server is 192.168.1.150 while another linux server is 192.168.1.2. I really do not understand why, on the same lan, my pbx server is not able to use ftp to put a file on my other server. The reason for the no route to host, I guess, is with the pbx server, not the other server. First, if I use sftp instead of ftp, it works both ways. But if I use ftp, I can log in from the pbx to the other server with ftp, but cannot upload the file because there is no data connection, showing no route to host. If I ftp from the other server to my pbx server, it gets refused. So I could not start ftp at all.
    Is it possible for mondo backup to use sftp instead of ftp? Where is the command specified? I looked at the configuration file for the weekly backup, and there is no way for me to specify the ftp command.
    Also, under the same lan, I have not specified any domain name to associate with an IP address. So DNS name translation should not be an issue. And I only use the IP address for ftp.
    Greatly appreciate your help.
  10. wardmundy Nerd Uno

    Put your backups in a safe place... off site! If you want to use FTP, you'll have to set the server up yourself and add the necessary exception to the firewalls.
  11. gzpxyj Member

    I know that. At least I have to get something working before I put those to somewhere else. My office lan and home lan are bridged through vpn in two routers so if I can get this working, I can put the pbx backup at home within the same lan. But I need to understand why my pbxinaflash server was refusing to connect with other server through ftp.
  12. wardmundy Nerd Uno

    No FTP server running = No FTP
  13. gzpxyj Member

    I don't know what you mean. Are you suggesting I give up setting up the ftp server for the mondo backup?
  14. darmock PIAF Developer

    The clue is " My office lan and home lan are bridged through vpn in two routers" so the next logical question is are you trying to access a ftp server across your vpn routers?

    From piaf - cli type

    ping ipaddress of ftp server
    ^^^^^^^^^^^^^^
    {replace with proper ip address of server}

    What happens

    if it asks for a username you can connect to the ftp server. If you get no route to host try

    tracert ipaddress of ftp server

    This should show you if you can even get to the ip address of the ftp server


    If you can't get to it I bet it stops at the vpn-routers. If it does get thru to the ftp server and no login then there is something wrong with your ftp server.


    Enjoy

    tom
  15. gzpxyj Member

    No, my pbx server and ftp server are all located in my office. I bridged office and home lan together with WRT54GL routers with DD-WRT installed so I can work at home and at office without any issue. So my IP phones at home and office are all on the same local lan- 192.168.1.x and are all working fine.
    As I said, there is no issue pinging my ftp server. The tracert is working without problem too for my ftp server.
    The problem is my pbx server. I cannot ping it from my ftp server or from any PC on the net. I can use sftp to access both ftp server and pbx server without issue. Transfer files are OK with sftp. I can initiate ftp login from my pbx server to my ftp server successfully but cannot establish the data connection and showed no route to host. But from my ftp server, I cannot even establish connection from my ftp server to my pbx server - connection refused. So my suspicion is the problem of my pbx server, not my ftp server.
  16. darmock PIAF Developer

    So have you done the following in order?

    1. ran update-scripts
    2. ran update-fixes
    3. ran disable-fail2ban
    4. ran disable-iptables

    This should enable ping responses from PIAF to whatever you are using to ping it. A quick check in the development lab confirmed that this works on both 1.4 and 1.6 asterisk based versions of PIAF V1.2 to 1.5B (Yes I tested them all that is why the PIAF dev team has a lab)

    Also, do you have webmin installed on your PIAF box? If so, go into System-Bootup and Shutdown, scroll down, find vsftpd and ensure that it is running. If not, start it up, then try to log into your piaf box from another system via standard ftp and see what happens.

    welcome to linux

    Tom
  17. jmullinix Guru

    As I understand it, Mondo creates a disk image, which is probably a very large file. You are going to have trouble transferring this over a WAN connection due to the file size.

    I would contend that you would want to look at Rsync to accomplish this. Rsync only moves the changed portions of a file and not the whole thing. I proved this to some folks at Fonality one day. I downloaded their current version of green to my web server. I renamed my local copy of an older version to the current version's name. I then ran rsync to update my local file to the new version. Instead of downloading a 650 meg ISO, I only moved about 195 meg of data.

    It will take some work, but I think you would be happier moving your mondo backup file using rsync.
  18. All I need is an ip address and I can tell you an amazing amount about your system without access to ping.
    http://www.nessus.org/nessus/

    Only reason to prevent pings nowadays is to reduce ping traffic IMHO which is probably reason enough for VoIP.
  19. jroper Guru

    Hi

    I would agree with you to a degree.

    I believe that the main threat is from script kiddies, and people wanting to set up Spam servers. I imagine that the way that potential targets are located is by pinging one IP address after another.

    The idea of stopping pings is so that hopefully the attacker passes quickly over our servers, not realising there is one there, and moves on to the next one.

    But ... once having found your server, then tools such as the one you link to then become useful, and then Fail2Ban, (or OSSEC) IPTables, passwords, and the robustness of the underlying OS then come into play.

    However, it would be interesting to see how effective this is by putting up two servers, one which can be pinged, and one which cannot be, and see which one gets the more attacks.

    If the results are broadly similar then my supposition is incorrect, and we can debate whether to allow Pings.

    Joe
  20. Giovanni New Member

    Sorry to bump an old thread but thought I may help. If all you want is to allow your INTERNAL network to be able to ping your ipbx box (not from the outside), you can use my example below and add it to your /etc/sysconfig/iptables file

    Code:
    iptables -A INPUT -p icmp --icmp-type 8 -s 192.168.64.0/18 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type 0 -d 192.168.64.0/18 -m state --state ESTABLISHED,RELATED -j ACCEPT
    Basically anything in the 192.168.64.0/18 block will allow RECEIVING and RESPONDING to icmp/ping requests. Hope it helps :)
    wardmundy likes this.
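
An added example, not part of any post in this thread: a Python check of which source addresses the echo-request rule posted above would match. It reads only the `-A`, `-p`, `--icmp-type`, `-s` and `-j` options of that one rule and does not model the rest of the firewall chain; the function names are hypothetical, and the test addresses are the two LAN hosts mentioned in the thread plus constructed ones. The posted prefix 192.168.64.0/18 spans 192.168.64.0 to 192.168.127.255, so a 192.168.1.x LAN needs its own prefix substituted.

```python
import ipaddress
import shlex

# Rule text as posted in the thread (ICMP type 8 is echo-request).
POSTED_RULE = ("iptables -A INPUT -p icmp --icmp-type 8 -s 192.168.64.0/18 "
               "-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT")

# Options this example understands, mapped to field names.
FLAGS = {"-A": "chain", "-p": "proto", "--icmp-type": "icmp_type",
         "-s": "source", "-j": "target"}

def parse_rule(rule):
    """Extract chain, protocol, ICMP type, source network and target."""
    tokens = shlex.split(rule)
    opts = {}
    for i, tok in enumerate(tokens[:-1]):
        if tok in FLAGS:
            opts[FLAGS[tok]] = tokens[i + 1]
    # A rule without -s matches any source address.
    opts["source"] = ipaddress.ip_network(opts.get("source", "0.0.0.0/0"),
                                          strict=True)
    return opts

def echo_request_accepted(rule, src_ip):
    """True if an ICMP echo request from src_ip matches this ACCEPT rule."""
    r = parse_rule(rule)
    return (r.get("chain") == "INPUT" and r.get("proto") == "icmp"
            and r.get("icmp_type") in ("8", "echo-request")
            and r.get("target") == "ACCEPT"
            and ipaddress.ip_address(src_ip) in r["source"])

def lan_rule(cidr):
    """Posted rule with the source prefix swapped for another LAN prefix.

    strict=True raises ValueError for a prefix with host bits set,
    such as 192.168.1.150/24, instead of silently widening it.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return POSTED_RULE.replace("192.168.64.0/18", str(net))

if __name__ == "__main__":
    net = parse_rule(POSTED_RULE)["source"]
    print("posted prefix covers", net[0], "to", net[-1])
    for src in ("192.168.64.10", "192.168.1.2", "203.0.113.7"):
        print(src, "accepted:", echo_request_accepted(POSTED_RULE, src))
    print(lan_rule("192.168.1.0/24"))
```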
