TIPS Incredible PBX for VitalPBX

piaftnt

Member
Joined
Jul 16, 2010
Messages
50
Reaction score
3
@piaftnt: Try mimicking the PJSIP setup for Skyetel. In the Advanced tab, you may need to add the following. Try one at a time until all is working:
Code:
NAT  Force,Comedia  Enabled
ice_support  yes  Enabled
Hi Ward,
Thanks for the suggestion.
I tried to set up a pjsip trunk as suggested but I am unsure of a couple of things.
1. Am I correct that the match line is supposed to be a list of ip addresses for callcentric hosts? If I put a comma separated list of ip addresses for callcentric in the match box the list gets truncated. Apparently there is some unspecified limit on how long that line can be. If I put too many entries in the match line I get a list of ip addresses in pjsip__50-1-trunks.conf that ends with the following
Code:
match=204.11.192.163
match=204.11.19
Shortening the list kind of fixes the problem.
2. In the advanced tab for the pjsip trunk there are no NAT settings.
I have Force,Comedia set in the network setup as suggested in your article. Is that what you are referring to?

I have never set up pjsip trunks before so I am unsure exactly how to do it.
Is there an equivalent pjsip command to sip show peers? I have not been able to find it if there is.

Regards,

Tom
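
A check for the truncation described in the post above, as an added example that is not part of the original thread: it scans a generated PJSIP trunk file for `match=` values that look numeric but are not a complete IPv4 address or CIDR. The section and endpoint names in the sample are constructed; the two `match=` lines are the ones quoted in the post.

```shell
#!/usr/bin/env bash
# Added example: find match= values that were cut off when the config was generated.
# Usage: check_match_lines FILE -> prints "LINE: text" per suspect line, returns 1 if any.
check_match_lines() {
  awk '
    # Returns 1 unless v is a complete dotted-quad IPv4 address, optionally with /0-32.
    function bad_ipv4(v,   o, i, hasp, addr, pfx) {
      hasp = index(v, "/")
      addr = hasp ? substr(v, 1, hasp - 1) : v
      pfx  = hasp ? substr(v, hasp + 1) : "32"
      if (split(addr, o, ".") != 4) return 1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 1
      return (pfx !~ /^[0-9]+$/ || pfx + 0 > 32)
    }
    /^[ \t]*match[ \t]*=/ {
      val = $0
      sub(/^[^=]*=/, "", val)      # drop the key
      sub(/;.*/, "", val)          # drop an inline ; comment
      gsub(/[ \t\r]/, "", val)
      n = split(val, item, ",")
      if (n == 0) { print NR ": " $0; bad = 1; next }
      for (k = 1; k <= n; k++)
        # Hostnames are legal in match=, so only judge values made of digits, dots and "/".
        if (item[k] ~ "^[0-9./]*$" && bad_ipv4(item[k])) { print NR ": " $0; bad = 1; break }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample; section and endpoint names are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[trunk-identify]
type=identify
endpoint=trunk
match=204.11.192.163
match=204.11.19
EOF
check_match_lines "$sample" || echo "fix the truncated entries before reloading PJSIP"
```

Run it against the generated trunk file after each save in the GUI; a non-zero exit status means at least one entry needs to be re-entered or the list shortened.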
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,431
Reaction score
2,737
In the Advanced tab, you have to manually add the entries as shown in my comment above.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,431
Reaction score
2,737
For me I only use the 3 below, but very importantly it's for outgoing calls as well as incoming, and most importantly needs to reflect on outgoing lookup in the CID reports.
Not asking for much I know........ ;)

1) Asterisk Phonebook
2) Superfecta Cache
3) UKPhoneInfo UK
OK. The trick to getting CNAM working with Outbound Calls is you have to find a "hook" on which to hang the CNAM dialplan code. I've found one, but it can only be 2 lines long. That means we could do something like posting the AstDB entry in ACCOUNTCODE field and the OpenCNAM result in CUSTOMER_CODE, but there aren't sufficient lines in the dialplan to insert all the logic to determine which to use and whether to skip OpenCNAM lookup because of an existing entry in AstDB. I've written the developers, and we'll see what they say. But this would give you something at least for the short term.

We'll write all of this up for Nerd Vittles next week.
 
Reactions: markieb

kenn10

A lesser geek
Joined
Dec 16, 2007
Messages
1,045
Reaction score
225
OK. The trick to getting CNAM working with Outbound Calls is you have to find a "hook" on which to hang the CNAM dialplan code. I've found one, but it can only be 2 lines long. That means we could do something like posting the AstDB entry in ACCOUNTCODE field and the OpenCNAM result in CUSTOMER_CODE, but there aren't sufficient lines in the dialplan to insert all the logic to determine which to use and whether to skip OpenCNAM lookup because of an existing entry in AstDB. I've written the developers, and we'll see what they say. But this would give you something at least for the short term.

We'll write all of this up for Nerd Vittles next week.
While you're tinkering with the code, see if there is a hook so we can get the destination caller-id to show up in our displays on outbound calls. :sorcerer:
 
Reactions: markieb

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,431
Reaction score
2,737
Uploading an ISO for Use in the Cloud (Vultr and CrownCloud)

Vultr appears to have tightened up the requirements for uploading your own ISO such as the new Incredible PBX for VitalPBX ISO.

Complete Vultr documentation is here.

We had a number of failed attempts trying to upload the VitalPBX ISO from various sources. What finally worked was creating another Vultr instance with a web server, downloading the ISO to /var/www/html on that server using wget and then uploading the ISO to your Vultr account using a web link to that server. You then can use the ISO to create as many VMs as desired, and you can remove the VM used for the upload.

The beauty of Vultr is the ability to spin up 1GB RAM VMs in minutes and pay less than a penny a minute or run them permanently from there for $5/month. And an extra $1/month buys you automatic backups. Performance is amazing.

Using our Vultr signup link helps support the Incredible PBX projects.

Another viable option that we use is CrownCloud at $25/year. They will mount an ISO for you to install and also provide a free snapshot with their 1GB KVM VPS.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,431
Reaction score
2,737
Starting to put together a Cheat Sheet of Rules for a Public-Facing VitalPBX Server.

Current plan is to leave modified SIP ports and SSH port exposed. Feel free to add any that I've missed and I'll keep a running list here.

1. Modify SSH port
2. Modify SIP ports
3. Specify Domain in SIP Settings to block registration attempts by server IP address; set Allow External Domains and AutoDomain = No
4. Add VoIP Blacklist nightly using IPset with Firewalld
5. Whitelist friendly IP addresses in firewall and Fail2Ban
6. Disable HTTP and HTTPS port entries in firewall list
 
Reactions: kenn10
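
Items 4 and 5 of the cheat sheet touch the same addresses, so it is worth making sure no blacklist entry covers an address you whitelist. The filter below is an added example, not the script attached later in this thread: it drops malformed entries and any entry that overlaps loopback, RFC 1918 space or a whitelist file before the list is loaded into an ipset. The file names and sample addresses are constructed.

```shell
#!/usr/bin/env bash
# Added example, not the attached script. Usage: filter_blacklist BLACKLIST WHITELIST
# Prints only the blacklist entries that are safe to load into an ipset.
filter_blacklist() {
  awk -v wl="$2" '
    function ip2int(a,   o, i) {
      if (split(a, o, ".") != 4) return -1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Parse "a.b.c.d" or "a.b.c.d/n" into globals NET (first address) and SIZE.
    function parse(s,   p, n, bits) {
      n = split(s, p, "/")
      if (n < 1 || n > 2) return 0
      bits = (n == 2) ? p[2] : "32"
      if (bits !~ /^[0-9]+$/ || bits + 0 > 32) return 0
      NET = ip2int(p[1]); if (NET < 0) return 0
      SIZE = 2 ^ (32 - bits); NET -= NET % SIZE
      return 1
    }
    function protect(s) { if (parse(s)) { pn[++np] = NET; ps[np] = SIZE } }
    function clean(s) { sub(/#.*/, "", s); gsub(/[ \t\r]/, "", s); return s }
    BEGIN {
      # Loopback and RFC 1918 ranges never belong in a public blacklist.
      protect("127.0.0.0/8"); protect("10.0.0.0/8")
      protect("172.16.0.0/12"); protect("192.168.0.0/16")
      while ((getline line < wl) > 0) protect(clean(line))
    }
    { e = clean($0) }
    e == "" { next }
    !parse(e) { print "skip (malformed): " e > "/dev/stderr"; next }
    {
      for (k = 1; k <= np; k++)
        if (NET < pn[k] + ps[k] && pn[k] < NET + SIZE) {
          print "skip (covers protected address): " e > "/dev/stderr"; next
        }
      print e
    }
  ' "$1"
}

# Constructed sample data (documentation address ranges), then a dry run.
demo=$(mktemp -d)
printf '%s\n' '198.51.100.7   # our own public IP' > "$demo/wl"
printf '%s\n' '203.0.113.45' '198.51.100.0/24' '192.168.1.0/24' \
  '204.11.19' '0.0.0.0/0' '192.0.2.0/25' > "$demo/bl"
filter_blacklist "$demo/bl" "$demo/wl" > "$demo/safe"   # keeps 2 of 6 entries
```

Load the filtered file into the ipset instead of the raw download, and keep the whitelist file in step with the addresses whitelisted in the firewall and Fail2Ban.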

kenn10

A lesser geek
Joined
Dec 16, 2007
Messages
1,045
Reaction score
225
Starting to put together a Cheat Sheet of Rules for a Public-Facing VitalPBX Server.

Current plan is to leave modified SIP ports and SSH port exposed. Feel free to add any that I've missed and I'll keep a running list here.

1. Modify SSH port
2. Modify SIP ports
3. Specify Domain in SIP Settings to block registration attempts by server IP address; set Allow External Domains and AutoDomain = No
4. Add VoIP Blacklist nightly using IPset with Firewalld
5. Whitelist friendly IP addresses in firewall and Fail2Ban
6. Disable HTTP and HTTPS port entries in firewall list
Sounds amazing. I currently have IncrediblePBX 2.3.8-1 on a local server behind a router with standard ports forwarded but it is being attacked from all angles for sip registration and attempted http access. I look forward to the whitelists on the basic install as well!
 

piaftnt

Member
Joined
Jul 16, 2010
Messages
50
Reaction score
3
Starting to put together a Cheat Sheet of Rules for a Public-Facing VitalPBX Server.

Current plan is to leave modified SIP ports and SSH port exposed. Feel free to add any that I've missed and I'll keep a running list here.

1. Modify SSH port
2. Modify SIP ports
3. Specify Domain in SIP Settings to block registration attempts by server IP address; set Allow External Domains and AutoDomain = No
4. Add VoIP Blacklist nightly using IPset with Firewalld
5. Whitelist friendly IP addresses in firewall and Fail2Ban
6. Disable HTTP and HTTPS port entries in firewall list
How about setting up ssh keys and disabling passwords on root logins.
Accessing root accounts over the internet with passwords is just plain insecure.
I agree that moving the ssh port off of port 22 is a good idea but I can also tell you from experience the bad guys will eventually find your alternate port. I have had ssh on alternate ports for the last 20 years or so but in the last 2 or 3 years the bad guys are finding the alternate ssh ports much more frequently.

Regards,
Tom
 
Reactions: wardmundy

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,431
Reaction score
2,737
Sounds amazing. I currently have IncrediblePBX 2.3.8-1 on a local server behind a router with standard ports forwarded but it is being attacked from all angles for sip registration and attempted http access. I look forward to the whitelists on the basic install as well!
Drop this script in /etc and run it every night. It should solve most of the attack issues.
 

Attachments

kenn10

A lesser geek
Joined
Dec 16, 2007
Messages
1,045
Reaction score
225
Drop this script in /etc and run it every night. It should solve most of the attack issues.
@wardmundy I get a 403 Forbidden message when I try to download it with a wget command.

I dropped it on my desktop and then copied it to the PBX and untarred it there and it worked.
 

kenn10

A lesser geek
Joined
Dec 16, 2007
Messages
1,045
Reaction score
225
I think you have to download it to your desktop and then copy over to the PBX. Sorry. I haven't put it on incrediblepbx.com yet.
That's what I did. When I ran it, it locked out everything except the console. I can't ssh in from the local network.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,431
Reaction score
2,737
@kenn10: Not sure the lockout is related. Nothing in the VoIP Blacklist would block private LAN addresses. Does iptables -nL show your address blacklisted?? To be safe, I'd whitelist your private LAN and public IP address in both the firewall and Fail2Ban: Admin.Security.Firewall.WhiteList and Admin.Security.Fail2Ban.WhiteList
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,431
Reaction score
2,737
@kenn10: Just retested on a fresh VMware ESXi build and didn't get locked out so it appears something else came unglued.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,431
Reaction score
2,737
We now have an install script that can be used on CentOS 7 minimal platforms without having to resort to the ISO. You can download it here.

A word of warning. Be sure to select CentOS 7 platform on your VPS. Some, including Vultr, now support CentOS 8 which won't work. And don't run yum update either.

Code:
cd /root
yum -y install net-tools wget nano tar
wget http://incrediblepbx.com/incrediblepbx.sh
chmod +x incrediblepbx.sh
./incrediblepbx.sh
 
Reactions: markieb

kenn10

A lesser geek
Joined
Dec 16, 2007
Messages
1,045
Reaction score
225
@kenn10: Just retested on a fresh VMware ESXi build and didn't get locked out so it appears something else came unglued.
I wiped the vm and reinstalled. Before running the new update-voipbl.sh, I added the local net and ip of my external address to VitalPBX as you advised. Then I ran the script and all seems well now.
 
Reactions: wardmundy
