NEW Incredible 16-15.2 for CentOS 7

Joined
Oct 26, 2013
Messages
69
Reaction score
23
Just a heads up that, if you use OVZ7 at anyNode, you'll need to open a ticket to get IPtables functioning properly. This is apparently an issue with the SolusVM Control Panel using OVZ7 VPSs.

To add to this list, OpenVPN is unable to create the tun interface, and I have a ticket open and believe that Matthew is working to fix. However, he did get my iptables stuff working, except the GeoIP stuff. So commands such as "iptables -m geoip" will fail.

On a positive note, it appears that ipset is working, so I can use the bad guy blacklist. I would also suspect that NeoRouter might have an issue if it has to create a virtual interface device.
 

dallas

Active Member
Joined
Oct 21, 2007
Messages
844
Reaction score
247
I've downloaded the latest IncrediblePBX16-15.1.tar.gz and the code below is in IncrediblePBX16-15.sh. Is it correct? (/usr//sbin/iptables)

Code:
echo "[options]" > /etc/knockd.conf
echo "       logfile = /var/log/knockd.log" >> /etc/knockd.conf
echo "" >> /etc/knockd.conf
echo "[opencloseALL]" >> /etc/knockd.conf
echo "        sequence      = 7:udp,8:udp,9:udp" >> /etc/knockd.conf
echo "        seq_timeout   = 15" >> /etc/knockd.conf
echo "        tcpflags      = syn" >> /etc/knockd.conf
echo "        start_command = /usr//sbin/iptables -I INPUT -s %IP% -j ACCEPT" >> /etc/knockd.conf
echo "        cmd_timeout   = 3600" >> /etc/knockd.conf
echo "        stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -j ACCEPT" >> /etc/knockd.conf
chmod 640 /etc/knockd.conf
 
Joined
Jul 6, 2013
Messages
82
Reaction score
28
This is interesting. Speech-to-Text that actually works locally without having to send audio out to Google for processing. Would love to see this in action on Incredible 16-15.

 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
This is interesting. Speech-to-Text that actually works locally without having to send audio out to Google for processing. Would love to see this in action on Incredible 16-15.


Great idea... once we get the training wheels off. :)
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
I just followed the tutorial from the nerdvittles. MariaDB setup instructions are missing, the missing part was the default password for the MariaDB.
 

kenn10

Well-Known Member
Joined
Dec 16, 2007
Messages
3,764
Reaction score
2,173
I just followed the tutorial from the nerdvittles. MariaDB setup instructions are missing, the missing part was the default password for the MariaDB.

@Eliad If you would read through this thread, I discussed this issue in the second post of the thread and Ward replied. It's 'passw0rd' with a zero instead of the letter 'o'.
 

Eliad

Active Member
Joined
Aug 13, 2017
Messages
619
Reaction score
127
@Eliad If you would read through this thread, I discussed this issue in the second post of the thread and Ward replied. It's 'passw0rd' with a zero instead of the letter 'o'.
Yes, I recalled I saw this in this thread and used it. It would have been nice to be included in the install instructions.
Now I run into another issue. I can not log into the FreePBX web interface. Does not accept my password. I also tried to fix it by running admin-pw-change first, no luck then, apache-pw-change, still no luck.
This is a local VM install not a cloud provider.
 

kenn10

Well-Known Member
Joined
Dec 16, 2007
Messages
3,764
Reaction score
2,173
Yes, I recalled I saw this in this thread and used it. It would have been nice to be included in the install instructions.
Now I run into another issue. I can not log into the FreePBX web interface. Does not accept my password. I also tried to fix it by running admin-pw-change first, no luck then, apache-pw-change, still no luck.
This is a local VM install not a cloud provider.
I had to drop the VM and reinstall, making a point to use the correct password on the next MariaDB installation process.
 
Joined
Jul 6, 2013
Messages
82
Reaction score
28
Hey. The missing password is not really missing. If you read the text up above where it prompts you then you'll see that it tells you "passw0rd".
By the way, I've got this running on an Atom Z8350 with CentOS 7. Only two watts of power consumption, verified, measured! For example:
If you use the above you may want to reduce swapfile thrashing of the EMMC disk drive:

cat /proc/sys/vm/swappiness
echo vm.swappiness=10 >> /etc/sysctl.conf
# do the above only ONCE on the system!
sysctl vm.swappiness=10
 
Joined
Jul 6, 2013
Messages
82
Reaction score
28
BUG Report, sort of: My PC's clock battery died and this caused the motherboard to revert to 2014 after a reboot, which trashed my database!

Suggesting therefore that the installer include the following command for CentOS 7 installations:

systemctl enable chronyd

This will ensure that the clock will never revert to a time prior to the timestamp on the drift-file, and if networking is available then it will set true time via NTP. If fake NTP servers are entered then it will simply protect you via the drift-file and won't otherwise mess with your clock. See the -s option for further details.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Just a heads up that the bad guys have managed to get the IP address of incrediblepbx.com on one of the blacklists we block so... you'll need to add a whitelist 0 entry on PUBLIC servers or pbxstatus will hang:
Code:
/root/add-fqdn incrediblepbx incrediblepbx.com
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
For those testing the 16-15-PUBLIC implementation, I hate to say it, but... start over. This morning's release tightens up the firewall design and should make the deployment much more secure.

Under the new design, with the exception of your secret SSH port, nobody can access your server without either knowing one of your server's FQDNs or being whitelisted in iptables-custom (providers + your add-ip and add-fqdn entries).

Give me one hour a couple hours to run a final test before you begin.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Still not quite right with the firewall. Stay tuned.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Testing new firewall. Will update on status in a couple hours.

Just want to put in a good word for CrownCloud, one of our low-cost providers with KVM and a snapshot for $25/year. The snapshots have been a godsend in working out the kinks in this.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Finally. Incredible PBX 16-15.1-PUBLIC awaits.



Start with Incredible PBX 16-15.1 install. Be sure to log out of any registered extensions on your existing 16-15.1 server before proceeding. Also make sure to change the registration domain of ALL extensions to point to the FQDN of the server, NOT its IP address. Otherwise, those extensions will get banned by Fail2Ban either during or after the PUBLIC install below. See previous tutorial for details. Bugs in FAX implementation. Don't do it yet.


Code:
cd /root
wget http://incrediblepbx.com/go-public-16-15.tar.gz
tar zxvf go-public-16-15.tar.gz
rm -f go-public-16-15.tar.gz
./GO-PUBLIC-16-15
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
The Way This Works

With the exception of whitelisted IP addresses in /usr/local/sbin/iptables-custom including whitelisted SIP providers and your add-ip and add-fqdn entries, ALL incoming SIP traffic to the IP address of your server gets blocked. You cannot register a SIP phone to the IP address of your PBX! SIP traffic and registrations to the FQDN(s) of your server are allowed. You can have one FQDN for SIP registrations and a second one for SIP invites/calls, if desired. SSH connections are hidden behind a port number of your choice. We recommend disabling all SSH ports after you have carefully tested and deployed SSH Public Key Authentication. Web access is only available to whitelisted IP addresses just like TM3 deployments. Use admin-pw-change and apache-pw-change to set the admin passwords for web access.
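
A sketch of the policy described in the post above, as an added example that is not part of the thread and not the GO-PUBLIC-16-15 script's own rules: default-drop input, one SSH port, whitelisted source IPs, and SIP admitted only when the packet names the server's FQDN. It assumes SIP on UDP 5060 and uses the iptables string match as one way to express "FQDN only"; the function names, hostname, port and addresses are constructed samples.

```shell
#!/bin/sh
# Added illustration, not the GO-PUBLIC-16-15 rules. Assumptions: SIP on UDP 5060,
# the xt_string match is available, and all names/addresses below are constructed.

is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_public_rules FQDN SSH_PORT [WHITELISTED_IP...]
# Prints an iptables-restore ruleset; returns 1 on input that would weaken it.
gen_public_rules() {
    [ $# -ge 2 ] || { echo "usage: gen_public_rules FQDN SSH_PORT [IP...]" >&2; return 1; }
    fqdn=$1; ssh_port=$2; shift 2
    # An IP literal here would re-admit the scanners that dial bare IP addresses.
    if is_ipv4 "$fqdn"; then echo "error: '$fqdn' is an IP, not an FQDN" >&2; return 1; fi
    # Restrict to hostname characters so the value cannot break out of the quoted rule.
    case "$fqdn" in
        ''|*[!A-Za-z0-9.-]*) echo "error: invalid FQDN" >&2; return 1 ;;
    esac
    case "$ssh_port" in
        ''|*[!0-9]*) echo "error: SSH port must be numeric" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "error: SSH port out of range" >&2; return 1
    fi

    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"      # the one open port: SSH
    for ip in "$@"; do
        echo "-A INPUT -s $ip -j ACCEPT"                    # providers, add-ip entries
    done
    # SIP is admitted only when the packet payload names the server's FQDN.
    echo "-A INPUT -p udp --dport 5060 -m string --string \"$fqdn\" --algo bm -j ACCEPT"
    echo "COMMIT"
}

# Sample run with constructed values; validate with: ... | iptables-restore --test
gen_public_rules pbx.example.com 2222 198.51.100.7 198.51.100.8
```

The string match only filters out traffic addressed to the bare IP; any client that learns the hostname passes this rule, so Fail2Ban remains the control for repeated failed registrations.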
 

kyle95wm

Phone Genius Owner
Joined
Apr 16, 2016
Messages
520
Reaction score
90
Just a heads up that the bad guys have managed to get the IP address of incrediblepbx.com on one of the blacklists we block so... you'll need to add a whitelist 0 entry on PUBLIC servers or pbxstatus will hang:
Code:
/root/add-fqdn incrediblepbx incrediblepbx.com
Might wanna put this in the installer for all current and future versions of IPBX
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Already have but it only affects PUBLIC servers. Others don’t use blacklists.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Further tightening of the IPtables firewall this morning with a few more (fairly major) changes to block more types of attacks. Special thanks to last night's hackers for pointing us in the right direction. :shuriken:
 
