PIONEERS Living the Ubuntu Dream

[dogma1]

Ward:
I don't mean to be argumentative, but in step 2 Ubuntu disables root so that hackers have one less thing to attack. What you should do if you want root privileges is when you login use the command sudo su it will ask for your password then you have root privileges with out making root.

Step 3: apt-get -y update && apt-get install ssh -y && apt-get -y dist-upgrade then edit /etc/ssh/sshd_config

I use dist-upgrade so that the new kernel is not left behind. Hope this helps

 

[dogma1]

After fix works grate!!!

I installed FOP2 and found that FOP2 Manager as issues. Working with them let know what I find out.

Here is a script that can install FOP2:

#!/bin/bash
CHIP=`uname -p`
echo "-----> Install FOP2 & Manager"
if [ "$CHIP" = "x86_64" ]
then
echo "----> This is a 64 bit system"
wget -q -t 3 --output-document=fop2.tgz http://www.fop2.com/file.php?file=23
wget -t 3 --output-document=fop2man.tgz http://www.fop2.com/file.php?file=29
wait
 
else
echo "----> This is a 32 bit system"
wget -t 3 -q --output-document=fop2.tgz http://www.fop2.com/file.php?file=22
wget -t 3 -q --output-document=fop2man.tgz http://www.fop2.com/file.php?file=29
wait
fi
 
tar -zxvf fop2.tgz > tar.log
tar -zxvf fop2man.tgz >> tar.log
cd fop2
make install
wait
cp -r fop2manager /var/www/html/fop2/
echo "ecallevents=yes" >> /etc/asterisk/sip_general_custom.conf
echo "[testqueue]" >> /etc/asterisk/queues.conf
echo "eventwhencalled=yes" >> /etc/asterisk/queues.conf
service asterisk restart > /home/asterisk
wait
cd ..
rm -fr fop2
rm -fr admin
rm README
service fop2 start
wait

This is designed so that you do not have to figure out what chip 32 bit or 64.

 

[Bob Helbush]

Sorry about that. Another "improvement" bites us in the butt. Try again. Should be fine now, but please start anew.

Working with Google Voice and Yate. I'll test some tomorrow. Thanks!

 

[jeff.h]

Woohoo!!!! It's working for me too! I followed your instructions just as I did earlier, but this time it works! I'll mess around with adding trunks and extensions tomorrow.

 

[wardmundy]

Thanks, dogma1. For those that don't know, let me introduce Eric Teeter, who was kind enough to send me an Ubuntu install script for Asterisk and FreePBX that got the ball rolling. We opted to go for compiled code rather than Eric's build with Ubuntu's flavor of RPMs because of the added flexibility... plus it got us the very latest versions of Asterisk. But we are most appreciative for Eric's terrific work and hope you'll join us in welcoming him to the forum. We also want to thank Billy Chia from Digium for his pioneering work and numerous Ubuntu tips as well. Finally, NONE of the Incredible PBX apps would have worked if not for the tireless efforts of Lefteris Zafiris (again), who single-handedly solved the bug that kept TTS from working at all on the Ubuntu platform. Latest installation tutorial available here.

 

[wardmundy]

Ward:
I don't mean to be argumentative, but in step 2 Ubuntu disables root so that hackers have one less thing to attack. What you should do if you want root privileges is when you login use the command sudo su it will ask for your password then you have root privileges with out making root.

Step 3: apt-get -y update && apt-get install ssh -y && apt-get -y dist-upgrade then edit /etc/ssh/sshd_config

I use dist-upgrade so that the new kernel is not left behind. Hope this helps

All of the Asterisk-based aggregations have traditionally used root logins rather than what you are accustomed to. We deal with crackers in various ways including locking down iptables so that they can't even see your server.

 

[wardmundy]

Just a few words on where we stand...

While you were sleeping, there was a major cleanup of the IPtables setup. The firewall now is pretty much locked down to your server's IP address as well as your public IP address where you installed everything and, of course, the 192.168 and 10.0 (non-routable) private subnets. SIP has been restricted to the Incredible PBX Trusted Providers List. IPv6 is locked down to localhost access only! If you attempt to connect to a provider and get nowhere, chances are they're not in "The List." Let me know and we'll add them. You can edit /etc/iptables/rules.v4 and add them yourself as necessary until we get Travelin' Man 3 reworked. Also be sure to add other safe IP addresses if you move around and need access from different IP addresses. You don't want to get locked out of your own server. And don't forget to restart IPtables to load your updates. The magic command:

/etc/init.d/iptables-persistent restart

If you add new rules, run the restart command above, and get a fail instead of OK, then you can debug the problem with the following commands for v4 and v6 rules:

iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6

If you need to verify whether IPtables is the culprit in blocking something you need, you can momentarily turn off IPtables with the following command. Don't forget to restart it!

/etc/init.d/iptables-persistent flush

Here's a quick summary of how the Incredible PBX installation pieces all fit together. The incrediblepbx11.4.ubuntu14 script kicks off the installation. It loads the expect app which watches for keystrokes and then performs some task (such as pressing the Enter key). The script then downloads the incrediblepbx11-ubuntu.tar.gz tarball which includes IncrediblePBX11.sh and the expect script, incredible-installer.sh. It then runs the expect script which kicks off the IncrediblePBX11.sh script which houses the entire build system for Incredible PBX. If you make changes in the build system, you need to be careful to add your stuff at the end and just before Have a nice day! The install dies as soon as the expect script sees "Have a nice day!" If there are prompts for your added pieces, then these need to be added to the expect script as well (just above the Have a nice day! entry). In other words, it gets complicated. This is what bit us in the butt yesterday when we added the mailutils app in the wrong place. Ubuntu was smart enough to figure out that there was no mail server in place so it went about installing postfix even though we didn't want it. That threw up a bunch of unexpected (by me) prompts. By adding it after sendmail is up and running, all of these prompts go away. That's now been fixed. All we wanted was the Plain Old mail app to read internal mail on the server. And now it's there by typing: mail.

Later this morning we'll be adding AsteriDex, and then we'll turn our attention to getting the automatic update utility in place so that, when you log in as root, it brings your server current. I was reluctant to implement this until we got to a fairly stable build so that there's not a constant upgrade bombardment of your server. Once we turn this on, it pretty much freezes the install components because we have to have a known system in order to keep the updates straight.

For those that want Speech Recognition and voice dialing and Wolfram Alpha and Weather forecasts by saying the name of a city, you'll need to jump through the (already documented) Google Speech Recognition hoops to get it working. The wolfram installer is in the /root directory once you have your Wolfram credentials. Wolfram Alpha obviously won't work until you have speech recognition working on your server.

If you're new to all of this, you can review what's in place within FreePBX by choosing Applications -> Misc Destinations. That will tell you what number to dial to trigger the various apps. More to come!

Next, we need to tackle Travelin' Man 3 and 4 to get WhiteLists implemented so that it's simple to add new addresses. It's worth noting that this really is the first product we've released that comes locked down out of the box whether you like it or not. Given the security issues on the Internet, I really think that's the way to go, but I'm all ears if there is a different point of view.

Stay tuned and thanks to our pioneers!!!

 

[jroper]

Hi

Step #6: This initial alpha build uses FreePBX authentication rather than Apache.

What has generally been done for Apache authentication is to simply protect the whole /var/www/html/admin directory with a .htaccess file and then the PBX Admin module is rendered inoperative, as the mode is set as AUTHTYPE = none, so you cannot have ACL.

What can be done is to enable mod_auth_mysql in apache, which is laid over the PBX security, this is called "Webserver Mode", but you can leave the "AUTHTYPE" as database (although strictly speaking, it's suggested you use AUTHTYPE=webserver), but rather than Apache taking the username and password from a flat file, you can take it from the PBX database which is set via the PBX interface.

apt-get install libapache2-mod-auth-mysql

#Enable Mod_Auth_MySQL
ln -s /etc/apache2/mods-available/auth_mysql.load /etc/apache2/mods-enabled/auth_mysql.load

Then adjust the apache config to something like this in /etc/apache/sites-enabled (note this is for an earlier version of Apache than that supplied with ubuntu 14.04, so it may take some adjustment):

DocumentRoot /var/www/html/admin/
    <directory /var/www/html/admin/>
        AllowOverride all
        Options Indexes FollowSymLinks
        order allow,deny
        allow from all
        AuthName \"PBX Access\"
        AuthType Basic
        AuthUserFile /dev/null
        AuthBasicAuthoritative off
        Auth_MySQL on
        Auth_MySQL_Authoritative on
        Auth_MySQL_Username asteriskuser
        Auth_MySQL_Password <<your mysql password for asteriskuser>>
        Auth_MySQL_DB asterisk
        Auth_MySQL_Password_Table ampusers
        Auth_MySQL_Username_Field username
        Auth_MySQL_Password_Field password_sha1
        Auth_MySQL_Empty_Passwords off
        Auth_MySQL_Encryption_Types SHA1Sum
        Require valid-user
    </directory>
 
    <IfModule mod_php5.c>
        php_flag magic_quotes_gpc Off
        php_flag track_vars On
        php_flag register_globals Off
    </IfModule>
 
    <IfModule mod_auth_mysql.c>

This has the following advantages:

1. You are using Apache security which is far more tested than FreePBX security by itself.
2. As you are using Apache security, it produces logs that Fail2Ban can monitor, and block wrong usernames / passwords.
3. You can have a unified login for all the extra areas, e.g. phpmyadmin and so on, to change the password, you simply it in the PBX admin module.
4. You can optionally create ACL access, so that some users can have more access than others, e.g. allow managers to look at CDR, but not at the config.
If you need more information, let me know.

Joe

 

[wardmundy]

FYI: Webmin is available on the standard HTTPS port for PIAF builds: https://serverIP:9001

 

[dogma1]

Smart move not to have the standard!!

 

[dogma1]

I am glad to see the response, after I gave Mr. Mundy my script to kick this off!

I would like to know if any one would be interested in installing SugarCM Community Edition as an option after the phone system is setup?

I have been using it and the trouble I have installing is is getting the permissions correct as the instructions don't always have the correct settings and script makes it so that I do not have to remember.

 

[jroper]

Hi

I would like to know if any one would be interested in installing SugarCM Community Edition as an option after the phone system is setup?

Vtiger 6 is worth a look now, and the installation is a breeze.

Joe

 

[jeff.h]

I was messing around in webmin and noticed that it doesnt like iptables. Wasn't going to mention it, but since you brought it up

 

[dogma1]

No reason that it could be an option like SugarCM. I always like a choice. Don't you?

 

[wardmundy]

Wolfram Alpha (4747) and Voice Dialing (411) and Voice-Activated Weather Forecasts by City (949) can be activated as follows:

INSTALLATION

1. Follow the Speech Recognition Tutorial to activate it on your server
2. Sign up for a free Wolfram Alpha account here and click on Get An App ID
3. Log into your server as root and...

sed -i '/wget http:\/\/nerd.bz\/A7umMK/a mv A7umMK 4747.tgz' /root/wolfram/wolframalpha-oneclick.sh
cd /root/wolfram
./wolframalpha-oneclick.sh

TUTORIALS

1. Complete Wolfram Alpha tutorial available here. Dial 4747 to try it. Do NOT follow the CentOS installation instructions!
2. For Voice Dialing, dial 411 and say the name of someone in your AsteriDex database to place the call. For openers, try: American Airlines.
3. For Weather Forecasts by City, dial 949 and say the name of a city and state/province/country for the desired weather report.

 

[wardmundy]

I was messing around in webmin and noticed that it doesnt like iptables. Wasn't going to mention it, but since you brought it up

Yeah. I would stay far, far away from Webmin for iptables management. We'll have simple scripts to add and remove IP addresses shortly. Our scripts will comply with the existing Ubuntu paradigm for IPtables and also test for valid entries to assure that iptables never fails.

 

[wardmundy]

ATTN Pioneers: If you liked Round 1, you'll love Round 2!

The second Baker's Dozen apps for Asterisk are up and running with Ubuntu 14!

Speech-to-Text Voice Recognition from Google

Voice Activated Weather Reports by City

Voice Activated Wolfram Alpha

Voice Dialing with AsteriDex

Hotel-Style Wakeup Calls

Webmin

AsteriDex Phonebook & Web Dialer

MeetMe Conferencing

Dictation System

Speed Dialing with AsteriDex DialCodes

CallerID Superfecta

phpMyAdmin

Sys Info

 

[Bob Helbush]

ATTN Pioneers: If you liked Round 1, you'll love Round 2!

Clean start for Round 1 people?

 

[wardmundy]

Good idea! The Life of the Pioneer is never easy.

 

[dogma1]

Wolfram Alpha (4747) and Voice Dialing (411) and Voice-Activated Weather Forecasts by City (949) can be activated as follows:

INSTALLATION

1. Follow the Speech Recognition Tutorial to activate it on your server
2. Sign up for a free Wolfram Alpha account here and click on Get An App ID
3. Log into your server as root and...

sed -i '/wget http:\/\/nerd.bz\/A7umMK/a mv A7umMK 4747.tgz' /root/wolfram/wolframalpha-oneclick.sh
cd /root/wolfram
./wolframalpha-oneclick.sh

TUTORIALS

1. Complete Wolfram Alpha tutorial available here. Dial 4747 to try it. Do NOT follow the CentOS installation instructions!
2. For Voice Dialing, dial 411 and say the name of someone in your AsteriDex database to place the call. For openers, try: American Airlines.
3. For Weather Forecasts by City, dial 949 and say the name of a city and state/province/country for the desired weather report.

Are you going to add this to the install script ?