TIPS Incredible for VitalPBX

piaftnt (Member)
@piaftnt: Try mimicking the PJSIP setup for Skyetel. In the Advanced tab, you may need to add the following. Try one at a time until all is working:
Code:
NAT  Force,Comedia  Enabled
ice_support  yes  Enabled

Hi Ward,
Thanks for the suggestion.
I tried to set up a PJSIP trunk as suggested but I am unsure of a couple of things.
1. Am I correct that the match line is supposed to be a list of IP addresses for Callcentric hosts? If I put a comma-separated list of IP addresses for Callcentric in the match box, the list gets truncated. Apparently there is some unspecified limit on how long that line can be. If I put too many entries in the match line I get a list of IP addresses in pjsip__50-1-trunks.conf that ends with the following:
Code:
match=204.11.192.163
match=204.11.19
Shortening the list kind of fixes the problem.
2. In the Advanced tab for the PJSIP trunk there are no NAT settings.
I have Force,Comedia set in the network setup as suggested in your article. Is that what you are referring to?

I have never set up PJSIP trunks before so I am unsure exactly how to do it.
Is there an equivalent PJSIP command to "sip show peers"? I have not been able to find it if there is.

Regards,

Tom
 

wardmundy (Nerd Uno)
In the Advanced tab, you have to manually add the entries as shown in my comment above.
 

wardmundy (Nerd Uno)
For me I only use the 3 below, but very importantly it's for outgoing calls as well as incoming, and most importantly needs to reflect on outgoing lookup in the CID reports.
Not asking for much I know........ ;)

1) Asterisk Phonebook
2) Superfecta Cache
3) UKPhoneInfo UK

OK. The trick to getting CNAM working with Outbound Calls is you have to find a "hook" on which to hang the CNAM dialplan code. I've found one, but it can only be 2 lines long. That means we could do something like posting the AstDB entry in ACCOUNTCODE field and the OpenCNAM result in CUSTOMER_CODE, but there aren't sufficient lines in the dialplan to insert all the logic to determine which to use and whether to skip OpenCNAM lookup because of an existing entry in AstDB. I've written the developers, and we'll see what they say. But this would give you something at least for the short term.

We'll write all of this up for Nerd Vittles next week.
 

kenn10 (Well-Known Member)
OK. The trick to getting CNAM working with Outbound Calls is you have to find a "hook" on which to hang the CNAM dialplan code. I've found one, but it can only be 2 lines long. That means we could do something like posting the AstDB entry in ACCOUNTCODE field and the OpenCNAM result in CUSTOMER_CODE, but there aren't sufficient lines in the dialplan to insert all the logic to determine which to use and whether to skip OpenCNAM lookup because of an existing entry in AstDB. I've written the developers, and we'll see what they say. But this would give you something at least for the short term.

We'll write all of this up for Nerd Vittles next week.
While you're tinkering with the code, see if there is a hook so we can get the destination caller-id to show up in our displays on outbound calls. :sorcerer:
 

wardmundy (Nerd Uno)
Uploading an ISO for Use in the Cloud (Vultr and CrownCloud)

Vultr appears to have tightened up the requirements for uploading your own ISO such as the new Incredible PBX for VitalPBX ISO.

Complete Vultr documentation is here.

We had a number of failed attempts trying to upload the VitalPBX ISO from various sources. What finally worked was creating another Vultr instance with a web server, downloading the ISO to /var/www/html on that server using wget and then uploading the ISO to your Vultr account using a web link to that server. You then can use the ISO to create as many VMs as desired, and you can remove the VM used for the upload.

The beauty of Vultr is the ability to spin up 1GB RAM VMs in minutes and pay less than a penny a minute or run them permanently from there for $5/month. And an extra $1/month buys you automatic backups. Performance is amazing.

Using our Vultr signup link helps support the Incredible PBX projects.

Another viable option that we use is CrownCloud at $25/year. They will mount an ISO for you to install and also provide a free snapshot with their 1GB KVM VPS.
 

wardmundy (Nerd Uno)
Starting to put together a Cheat Sheet of Rules for a Public-Facing VitalPBX Server.

Current plan is to leave modified SIP ports and SSH port exposed. Feel free to add any that I've missed and I'll keep a running list here.

1. Modify SSH port
2. Modify SIP ports
3. Specify Domain in SIP Settings to block registration attempts by server IP address; set Allow External Domains and AutoDomain = No
4. Add VoIP Blacklist nightly using IPset with Firewalld
5. Whitelist friendly IP addresses in firewall and Fail2Ban
6. Disable HTTP and HTTPS port entries in firewall list
 

kenn10 (Well-Known Member)
Starting to put together a Cheat Sheet of Rules for a Public-Facing VitalPBX Server.

Current plan is to leave modified SIP ports and SSH port exposed. Feel free to add any that I've missed and I'll keep a running list here.

1. Modify SSH port
2. Modify SIP ports
3. Specify Domain in SIP Settings to block registration attempts by server IP address; set Allow External Domains and AutoDomain = No
4. Add VoIP Blacklist nightly using IPset with Firewalld
5. Whitelist friendly IP addresses in firewall and Fail2Ban
6. Disable HTTP and HTTPS port entries in firewall list

Sounds amazing. I currently have IncrediblePBX 2.3.8-1 on a local server behind a router with standard ports forwarded but it is being attacked from all angles for sip registration and attempted http access. I look forward to the whitelists on the basic install as well!
 

piaftnt (Member)
Starting to put together a Cheat Sheet of Rules for a Public-Facing VitalPBX Server.

Current plan is to leave modified SIP ports and SSH port exposed. Feel free to add any that I've missed and I'll keep a running list here.

1. Modify SSH port
2. Modify SIP ports
3. Specify Domain in SIP Settings to block registration attempts by server IP address; set Allow External Domains and AutoDomain = No
4. Add VoIP Blacklist nightly using IPset with Firewalld
5. Whitelist friendly IP addresses in firewall and Fail2Ban
6. Disable HTTP and HTTPS port entries in firewall list
How about setting up SSH keys and disabling passwords on root logins?
Accessing root accounts over the internet with passwords is just plain insecure.
I agree that moving the SSH port off of port 22 is a good idea, but I can also tell you from experience the bad guys will eventually find your alternate port. I have had SSH on alternate ports for the last 20 years or so, but in the last 2 or 3 years the bad guys are finding the alternate SSH ports much more frequently.

Regards,
Tom
 

wardmundy (Nerd Uno)
Sounds amazing. I currently have IncrediblePBX 2.3.8-1 on a local server behind a router with standard ports forwarded but it is being attacked from all angles for sip registration and attempted http access. I look forward to the whitelists on the basic install as well!

Drop this script in /etc and run it every night. It should solve most of the attack issues.
 

Attachment: voipbl-firewalld.tar.gz

kenn10 (Well-Known Member)
Drop this script in /etc and run it every night. It should solve most of the attack issues.
@wardmundy I get a 403 Forbidden message when I try to download it with a wget command.

I dropped it on my desktop and then copied it to the PBX and untarred it there and it worked.
 

kenn10 (Well-Known Member)
I think you have to download it to your desktop and then copy over to the PBX. Sorry. I haven't put it on incrediblepbx.com yet.
That's what I did. When I ran it, it locked out everything except the console. I can't ssh in from the local network.
 

wardmundy (Nerd Uno)
@kenn10: Not sure the lockout is related. Nothing in the VoIP Blacklist would block private LAN addresses. Does iptables -nL show your address blacklisted? To be safe, I'd whitelist your private LAN and public IP address in both the firewall and Fail2Ban: Admin.Security.Firewall.WhiteList and Admin.Security.Fail2Ban.WhiteList
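The nightly VoIP blacklist job from items 4 and 5 of the cheat sheet, combined with the whitelist-first advice in the post above, as an added example script (not the update-voipbl.sh attached in this thread): it discards any blacklist entry that overlaps a whitelisted LAN or public address before loading the remainder into a firewalld ipset, so the job cannot lock the administrator out. The one-entry-per-line file formats, the ipset name voipbl and the use of firewalld's drop zone are assumptions.

```shell
# Added example, not the thread's update-voipbl.sh. Assumes one IPv4 host or
# CIDR per line ('#' comments allowed); set name and drop zone are choices.
valid_cidr() {  # well-formed IPv4 host or CIDR only (no leading zeros, /0-/32)
  local o='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]?|0)'
  printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o(/([0-9]|[12][0-9]|3[0-2]))?$"
}
ip_to_int() {   # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
overlaps() {    # A B: true if the ranges share an address (bare host = /32)
  local a_len=${1#*/} b_len=${2#*/} len mask
  [ "$a_len" = "$1" ] && a_len=32
  [ "$b_len" = "$2" ] && b_len=32
  len=$(( a_len < b_len ? a_len : b_len ))   # compare on the shorter prefix
  mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "${1%/*}") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}
# filter_blacklist BLACKLIST WHITELIST: print valid blacklist entries overlapping no whitelist entry
filter_blacklist() {
  local entry w keep
  while read -r entry; do
    entry=$(printf '%s' "${entry%%#*}" | tr -d '[:space:]')   # strip comment
    valid_cidr "$entry" || continue                            # drop junk
    keep=1
    while read -r w; do
      w=$(printf '%s' "${w%%#*}" | tr -d '[:space:]')
      valid_cidr "$w" || continue
      if overlaps "$entry" "$w"; then keep=0; break; fi
    done < "$2"
    if [ "$keep" = 1 ]; then printf '%s\n' "$entry"; fi
  done < "$1"
}
# apply_to_firewalld SET FILE: create SET if missing, load FILE, bind to drop zone
apply_to_firewalld() {
  command -v firewall-cmd >/dev/null 2>&1 || return 0   # dry run without firewalld
  firewall-cmd --permanent --get-ipsets | grep -qw "$1" ||
    firewall-cmd --permanent --new-ipset="$1" --type=hash:net --option=maxelem=200000
  firewall-cmd --permanent --ipset="$1" --add-entries-from-file="$2"
  firewall-cmd --permanent --zone=drop --add-source="ipset:$1"
  firewall-cmd --reload
}
# Constructed sample: LAN and admin public IP sit in both lists and must stay out
BL=$(mktemp); WL=$(mktemp); OUT=$(mktemp)
printf '%s\n' '# sample' '198.51.100.0/24' '192.168.1.0/24' '203.0.113.7' 'bogus' > "$BL"
printf '%s\n' '192.168.1.0/24  # LAN' '203.0.113.0/28  # admin' > "$WL"
filter_blacklist "$BL" "$WL" > "$OUT"   # leaves only 198.51.100.0/24
apply_to_firewalld voipbl "$OUT"
```

Run it from cron after the whitelist file has been populated; on a host without firewall-cmd the script only produces the filtered list.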
 

wardmundy (Nerd Uno)
@kenn10: Just retested on a fresh VMware ESXi build and didn't get locked out so it appears something else came unglued.
 

wardmundy (Nerd Uno)
We now have an install script that can be used on CentOS 7 minimal platforms without having to resort to the ISO. You can download it here.

A word of warning. Be sure to select CentOS 7 platform on your VPS. Some, including Vultr, now support CentOS 8 which won't work. And don't run yum update either.

Code:
cd /root
yum -y install net-tools wget nano tar
wget http://incrediblepbx.com/incrediblepbx.sh
chmod +x incrediblepbx.sh
./incrediblepbx.sh
 

kenn10 (Well-Known Member)
@kenn10: Just retested on a fresh VMware ESXi build and didn't get locked out so it appears something else came unglued.
I wiped the vm and reinstalled. Before running the new update-voipbl.sh, I added the local net and ip of my external address to VitalPBX as you advised. Then I ran the script and all seems well now.
 
