PIONEERS Ready: Incredible PBX 13-13 LEAN

Discussion in 'Today's Tech News & Events' started by wardmundy, Oct 16, 2017.

  1. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    PIONEERS: I think we're ready for a few brave souls. What you get: Asterisk 13.17.2 with the latest open source FreePBX 13 GPL modules. No commercial modules.

    DISCLAIMERS:

    1. This should be considered ALPHA code and should not be used in production environments. DO NOT RUN WITHOUT THE PRECONFIGURED TRAVELIN' MAN 3 FIREWALL WHICH IS INSTALLED AND CONFIGURED BY DEFAULT.

    2. This has only been tested with a minimal install of 64-bit CentOS 6.9 and 7. 32-bit is not yet supported. CentOS 7 installs currently fail. Incredible Fax, reportedly broken, is now fixed.

    3. SIP ports have changed. Chan_SIP is now default at UDP 5060. PJsip is UDP 5061.

    4. This is the LEAN version of Incredible PBX to get the kinks ironed out. No Incredible PBX apps or preconfigured extensions, trunks, routes are provided.

    5. There probably will NOT be an upgrade path from previous releases of Incredible PBX, and you will not be able to use your settings in this version to move to the full Incredible PBX implementation of Incredible PBX 13-13 at a later date.

    6. Google Voice plain text and OAuth 2 passwords are supported. OAuth2 has been tested and works fine. Same code as in previous Incredible 13-12 releases so plain text should also work with the usual caveats covered in the NV tutorials.

    7. A module repository is not yet in place for updates or adding new modules using Module Admin. If you delete a module, it's gone permanently in this build.

    8. If you need a particular module that is not included, let us know and we'll add it in next build. GPL modules can also be added from GitHub. Tutorial here. NOTE: Be sure to modify script to access FreePBX 13 GPL modules instead of FreePBX 12!!!

    9. FreePBX module signature checking has been turned off, and error messages will not display on the Dashboard, i.e. no critical issues will ever be found whether they exist or not. Hence the reason you need your firewall to protect your server.

    10. Feedback encouraged. Just post a note in this thread.

    INSTALLATION:

    1. Begin by installing 64-bit CentOS 6.9 minimal.

    2. Login as root and download and untar the Incredible PBX installer.
    Code:
    cd /root
    yum -y install net-tools nano wget tar
    wget http://incrediblepbx.com/incrediblepbx-13-13-LEAN.tar.gz
    tar zxvf incrediblepbx-13-13-LEAN.tar.gz
    rm -f incrediblepbx-13-13-LEAN.tar.gz
    
    3. If you're on a low-memory (under 1GB) platform, run the script to create a swapfile:
    Code:
    ./create-swapfile-DO
    4. Kick off the install:
    Code:
    ./IncrediblePBX-13-13.sh
    5. After CentOS is brought up to specs for Incredible PBX, your server will reboot.

    6. Log back into your server as root, and run the installer a second time. Be sure your SSH/PuTTY window is at least 85 x 25, or the Asterisk compile may fail!!!
    Code:
    ./IncrediblePBX-13-13.sh
    7. Reboot.

    8. Set your admin password for web GUI access:
    Code:
    /root/admin-pw-change
    9. Use a browser to login to the GUI as admin at your server's IP address and begin your adventure.

     
    #21 wardmundy, Oct 18, 2017
    Last edited: Oct 29, 2017
  2. wa4zlw

    wa4zlw Member

    Joined:
    Feb 14, 2008
    Messages:
    840
    Likes Received:
    22
    hey ward -- are you including the freepbx responsive firewall?
     
  3. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    Did you read Disclaimer #1? Why would we want to do that? You could add it from GitHub at your own risk, of course.
     
  4. krzykat

    krzykat Guru

    Joined:
    Aug 2, 2008
    Messages:
    1,294
    Likes Received:
    309
    I'll install on Vultr tomorrow. Why not have PJsip on 5160 and SIP on 5060? I assume most people still use SIP as their stable sip?
     
    wardmundy likes this.
  5. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    I agree. I've switched things back to what we're used to: ChanSIP=5060, PJsip=5061. That leaves the existing firewall setup as it's always been.
     
    #25 wardmundy, Oct 19, 2017
    Last edited: Oct 19, 2017
    jerrm likes this.
  6. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    More changes just released. Trying to get CentOS 7 working now, but it's still a work in progress.
     
  7. wa4zlw

    wa4zlw Member

    Joined:
    Feb 14, 2008
    Messages:
    840
    Likes Received:
    22
    Yes, it's not a commercial module and this would be a test PBX. I really need a seamless way for soft phones to communicate on wifi or cellular without a VPN and without knowing what their source IP is. That firewall plus the 3CX firewall handles it. Unfortunately 3CX smartphone clients don't work with IPv6 on T-Mobile and they were not interested in fixing it.
     
  8. krzykat

    krzykat Guru

    Joined:
    Aug 2, 2008
    Messages:
    1,294
    Likes Received:
    309
    I've got that working with Ward's IPtables.

    Code:
    # Generated by iptables-save v1.4.7 on Fri Dec 25 22:54:33 2015
    *mangle
    :PREROUTING ACCEPT [1275:156963]
    :INPUT ACCEPT [1275:156963]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1204:242951]
    :POSTROUTING ACCEPT [1204:242951]
    COMMIT
    # Completed on Fri Dec 25 22:54:33 2015
    # Generated by iptables-save v1.4.7 on Fri Dec 25 22:54:33 2015
    *raw
    :PREROUTING ACCEPT [1275:156963]
    :OUTPUT ACCEPT [1204:242951]
    COMMIT
    # Completed on Fri Dec 25 22:54:33 2015
    # Generated by iptables-save v1.4.7 on Fri Dec 25 22:54:33 2015
    *nat
    :PREROUTING ACCEPT [5:371]
    :POSTROUTING ACCEPT [23:1384]
    :OUTPUT ACCEPT [23:1384]
    COMMIT
    # Completed on Fri Dec 25 22:54:33 2015
    # Generated by iptables-save v1.4.7 on Fri Dec 25 22:54:33 2015
    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [0:0]
    :UAGENT - [0:0]
    :OUTPUT ACCEPT [0:0]
    :PROVISION - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    -A INPUT -m state --state RELATED -j ACCEPT
    -A INPUT -p udp -m udp --dport 9999:65535 --sport 53 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
    -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
    -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
    -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    -A INPUT -p udp -m udp --dport 69 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT
    -A INPUT -p udp -m udp --dport 5353 -j ACCEPT
    # Carriers
    # Alcazar Networks
    -A INPUT -p udp -m udp -s 162.212.218.11/32 --dport 5060:5069 -j ACCEPT
    # Anveo Direct
    -A INPUT -p udp -m udp -s 50.22.101.14/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 67.212.84.21/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 50.22.102.242/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 72.9.149.25/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s sbc.anveo.com --dport 5060:5069 -j ACCEPT
    # CallWithUs
    -A INPUT -p udp -m udp -s sip.callwithus.com --dport 5060:5069 -j ACCEPT
    # V1-VoIP
    -A INPUT -p udp -m udp -s 207.239.159.171/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 207.239.151.40/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 173.246.36.196/32 --dport 5060:5069 -j ACCEPT
    # Endstream
    -A INPUT -p udp -m udp -s 208.85.248.43/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 208.85.248.103/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 208.85.248.41/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 208.85.248.101/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 208.85.248.40/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 208.85.248.100/32 --dport 5060:5069 -j ACCEPT
    # 3C UKDDI
    -A INPUT -p udp -m udp -s 87.117.74.1/32 --dport 5060:5069 -j ACCEPT
    # FutureNine
    -A INPUT -p udp -m udp -s sip.future-nine.com --dport 5060:5069 -j ACCEPT
    # T-38Fax
    -A INPUT -p udp -m udp -s sip.t38fax.com --dport 5060:5069 -j ACCEPT
    # VoIP Innovations - Inbound Origination
    -A INPUT -p udp -m udp -s 64.136.173.31/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 64.136.174.30/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 64.136.174.20/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 209.166.154.70/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.240.151.100/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 64.136.173.65/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 64.136.174.65/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 64.136.174.21/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 209.166.154.71/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.240.151.101/32 --dport 5060:5069 -j ACCEPT
    # VoIP Innovations - Outbound Termination
    -A INPUT -p udp -m udp -s 64.136.174.30/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 64.136.173.22/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 209.166.128.200/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.240.151.100/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 64.136.174.65/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 64.136.173.23/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 209.166.128.201/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 192.240.151.101/32 --dport 5060:5069 -j ACCEPT
    # Vitelity - I think they own the whole C class, so we're letting them in
    -A INPUT -p udp -m udp -s 64.2.142.1/24 --dport 5060:5069 -j ACCEPT
    # VoiceTrading
    -A INPUT -p udp -m udp -s sip.voicetrading.com --dport 5060:5069 -j ACCEPT
    # V1 VoIP
    -A INPUT -p udp -m udp -s 207.239.159.171/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 173.246.36.196/32 --dport 5060:5069 -j ACCEPT
    -A INPUT -p udp -m udp -s 207.239.151.40/32 --dport 5060:5069 -j ACCEPT
    # Provisioning Private IP's allowed - not applicable to our cloud servers
    -A INPUT -p tcp -m tcp --dport 12255 -j ACCEPT
    -A INPUT -s 10.0.0.0/8 -j ACCEPT
    -A INPUT -s 127.0.0.0/8 -j ACCEPT
    -A INPUT -s 192.168.0.0/16 -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -j ACCEPT
    # PROVISION[START]
    -A INPUT -j PROVISION
    -A PROVISION -p udp --dport 5060 -m string --string "REGISTER sip.myfqdn-name.com" --algo bm -j UAGENT
    # PROV:BRIA
    # UAGENT[START]
    -A PROVISION -p udp --dport 5060 -m string --string "User-Agent: Bria" --algo bm -j ACCEPT
    # PROVISION[END]
    COMMIT
    
    
     
    wardmundy likes this.
  9. tbrummell

    tbrummell Guru

    Joined:
    Jan 8, 2011
    Messages:
    499
    Likes Received:
    30
    Ditto! But slightly different...
    Code:
    -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
    -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
    -I INPUT -j DROP -p udp --dport 5060 -m string --string "sundayddr" --algo bm
    -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipsak" --algo bm
    -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipvicious" --algo bm
    -I INPUT -j DROP -p udp --dport 5060 -m string --string "iWar" --algo bm
    -I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
    -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
    -I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set
    -I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 -j DROP
    -I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 -j DROP
    -I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 -j DROP
    -I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 -j DROP
    -I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 -j DROP
    
    And of course I opened 5060UDP.

    I tried, at one time, dropping the register if the string did not contain my FQDN but couldn't make that work. The above rules work for me and logs/F2B have been quiet ever since.
     
    wardmundy likes this.
  10. krzykat

    krzykat Guru

    Joined:
    Aug 2, 2008
    Messages:
    1,294
    Likes Received:
    309
    New server successfully installed on Vultr - CentOS 6.9 Minimal + above instruction set. That was a 1 Gig RAM version. I can try later this evening on 512Mb.
     
    wardmundy likes this.
  11. krzykat

    krzykat Guru

    Joined:
    Aug 2, 2008
    Messages:
    1,294
    Likes Received:
    309
    512 fired up OK as well, although getting CentOS to configure eth0 with no GUI (512Mb) meant using vi, which I had forgotten the commands for, so it took me a few minutes.
     
  12. krzykat

    krzykat Guru

    Joined:
    Aug 2, 2008
    Messages:
    1,294
    Likes Received:
    309
    Could I recommend a facelift to IPtables to include dropping the known attacker clients such as sipsak, sipvicious, etc.? Also, I think breaking up the carriers with their names on them, as I showed earlier, makes managing the table easier and adding or removing carriers as the user sees fit.
     
    wardmundy likes this.
  13. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    Once we get these new releases out the door, I'm going to work on IPtables setup. We've already done considerable work on it for Wazo and Issabel. One important change is to separate out the FQDNs in the whitelist from the initial install. The reason is that a single FQDN resolve failure will kill IPtables. By separating the FQDNs into individual startup commands, this is avoided. If one fails to resolve, that rule just doesn't get loaded.

    Also, I like the idea of whitelisting the FQDN of the server with algo so that all incoming SIP traffic to that FQDN avoids blocking. This string matching requires netfilter in the kernel which rules out most of the OpenVZ platforms except the very latest which most providers haven't implemented. This also probably needs to be optional, but it certainly works and is pretty safe especially if the FQDN of the server isn't obvious, e.g. xyz5843.yourdomain.com. For SIP traffic, it probably makes sense for organizations to create an obfuscated subdomain and then whitelist that subdomain rather than yourdomain.com.
     
    #33 wardmundy, Oct 20, 2017
    Last edited: Oct 20, 2017
    krzykat likes this.
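    The per-FQDN loading Ward describes above, as an added example that is not the Incredible PBX firewall script: iptables-restore applies its input as one transaction, so a single hostname that fails to resolve rejects the entire ruleset, whereas issuing each FQDN as its own iptables command only loses that one rule. The carrier hostnames and the 5060:5069 port range are assumed placeholders.

    ```shell
    #!/bin/sh
    # Added example, not part of the Incredible PBX installer: admit SIP from
    # each carrier FQDN with its own iptables command so that one failed DNS
    # lookup skips that rule instead of aborting the whole firewall load.
    # Assumes getent and iptables are available; hostnames below are placeholders.

    # Resolve a hostname to its IPv4 addresses (one per line). Prints nothing
    # and returns non-zero when the lookup fails, so callers can test it.
    resolve_fqdn() {
        getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u | grep .
    }

    # Emit the iptables command(s) that whitelist SIP from one FQDN. Returns 1
    # and emits nothing when the name does not resolve.
    rules_for_fqdn() {
        ips=$(resolve_fqdn "$1") || return 1
        for ip in $ips; do
            printf 'iptables -A INPUT -p udp -m udp -s %s/32 --dport 5060:5069 -j ACCEPT\n' "$ip"
        done
    }

    # Load every FQDN independently. With DRY_RUN=1 the commands are printed
    # instead of executed. The final line "loaded=N skipped=M" reports the result.
    load_whitelist() {
        loaded=0
        skipped=0
        for fqdn in "$@"; do
            if cmds=$(rules_for_fqdn "$fqdn"); then
                if [ "${DRY_RUN:-0}" = 1 ]; then
                    printf '%s\n' "$cmds"
                else
                    printf '%s\n' "$cmds" | sh -e
                fi
                loaded=$((loaded + 1))
            else
                # Skip rather than abort: inside a single iptables-restore file
                # this one failure would have rejected every rule.
                echo "warning: $fqdn did not resolve; rule skipped" >&2
                skipped=$((skipped + 1))
            fi
        done
        echo "loaded=$loaded skipped=$skipped"
    }

    # Usage (placeholder hostnames; drop DRY_RUN=1 to apply the rules):
    #   DRY_RUN=1 load_whitelist sip.carrier-one.example sbc.carrier-two.example
    ```
    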
  14. jeff.h

    jeff.h Guru

    Joined:
    Dec 1, 2010
    Messages:
    465
    Likes Received:
    67
    Ok sorry, I am late, been crazy busy, will spin one up on DO today.
     
  15. wa4zlw

    wa4zlw Member

    Joined:
    Feb 14, 2008
    Messages:
    840
    Likes Received:
    22
    Right, I did too but that means I have to dig around and get IP addresses for various networks. We also have endpoints out on various FiOS and dynamic ISP connections. And I really don't want to run a VPN. The phones (old Grandstreams) don't have them and I can't ask the users to run a VPN on the soft phone. It needs to be seamless.

    Leon
     
  16. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    OK. I think we've got the kinks out of the CentOS 7 install this morning. New installer has been uploaded for the pioneers.

     
  17. krzykat

    krzykat Guru

    Joined:
    Aug 2, 2008
    Messages:
    1,294
    Likes Received:
    309
    OK - it'll have to be later this afternoon / evening. I'll hit up Vultr 512 and 1024 with Centos 7/64
     
    wardmundy likes this.
  18. jeff.h

    jeff.h Guru

    Joined:
    Dec 1, 2010
    Messages:
    465
    Likes Received:
    67
    LOL ok well I can confirm that if you use the built in module to back up the settings from an Incredible 12.0.70 PBX and restore them to this build it will break all kinds of stuff :D
     
    wardmundy likes this.
  19. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,012
    Likes Received:
    2,344
    See Disclaimer #5. :death:
     
  20. jeff.h

    jeff.h Guru

    Joined:
    Dec 1, 2010
    Messages:
    465
    Likes Received:
    67
    Oh I know... just confirming:biggrinjester:
     
    wardmundy likes this.