PIONEERS Ready: Incredible PBX 13-13 LEAN

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
15,234
Reaction score
2,667
PIONEERS: I think we're ready for a few brave souls. What you get: Asterisk 13.17.2 with the latest open source FreePBX 13 GPL modules. No commercial modules.

DISCLAIMERS:

1. This should be considered ALPHA code and should not be used in production environments. DO NOT RUN WITHOUT THE PRECONFIGURED TRAVELIN' MAN 3 FIREWALL WHICH IS INSTALLED AND CONFIGURED BY DEFAULT.

2. This has only been tested with a minimal install of 64-bit CentOS 6.9 and 7. 32-bit is not yet supported. CentOS 7 installs currently fail. Incredible Fax, reportedly broken, is now fixed.

3. SIP ports have changed. Chan_SIP is now default at UDP 5060. PJsip is UDP 5061.

4. This is the LEAN version of Incredible PBX to get the kinks ironed out. No Incredible PBX apps or preconfigured extensions, trunks, routes are provided.

5. There probably will NOT be an upgrade path from previous releases of Incredible PBX, and you will not be able to use your settings in this version to move to the full Incredible PBX implementation of Incredible PBX 13-13 at a later date.

6. Google Voice plain text and OAuth 2 passwords are supported. OAuth2 has been tested and works fine. Same code as in previous Incredible 13-12 releases so plain text should also work with the usual caveats covered in the NV tutorials.

7. A module repository is not yet in place for updates or for adding new modules using Module Admin. If you delete a module, it's gone permanently in this build.

8. If you need a particular module that is not included, let us know and we'll add it in next build. GPL modules can also be added from GitHub. Tutorial here. NOTE: Be sure to modify script to access FreePBX 13 GPL modules instead of FreePBX 12!!!

9. FreePBX module signature checking has been turned off, and error messages will not display on the Dashboard, i.e. no critical issues will ever be found whether they exist or not. Hence the reason you need your firewall to protect your server.

10. Feedback encouraged. Just post a note in this thread.

INSTALLATION:

1. Begin by installing 64-bit, CentOS 6.9 minimal.

2. Login as root and download and untar the Incredible PBX installer.
Code:
cd /root
yum -y install net-tools nano wget tar
wget http://incrediblepbx.com/incrediblepbx-13-13-LEAN.tar.gz
tar zxvf incrediblepbx-13-13-LEAN.tar.gz
rm -f incrediblepbx-13-13-LEAN.tar.gz
3. If you're on a low-memory (under 1GB) platform, run the script to create a swapfile:
Code:
./create-swapfile-DO
4. Kick off the install:
Code:
./IncrediblePBX-13-13.sh
5. After CentOS is brought up to specs for Incredible PBX, your server will reboot.

6. Log back into your server as root, and run the installer a second time. Be sure SSH/Putty window is at least 85 x 25, or Asterisk compile may fail!!!
Code:
./IncrediblePBX-13-13.sh
7. Reboot.

8. Set your admin password for web GUI access:
Code:
/root/admin-pw-change
9. Use a browser to login to the GUI as admin at your server's IP address and begin your adventure.

 

wardmundy

Nerd Uno
hey ward -- are you including the freepbx responsive firewall?
Did you read Disclaimer #1? Why would we want to do that? You could add it from GitHub at your own risk, of course.
 

krzykat

Guru
Joined
Aug 2, 2008
Messages
1,579
Reaction score
427
Location
South Florida
I'll install on Vultr tomorrow. Why not have PJsip on 5160 and SIP on 5060? I assume most people still use SIP as their stable sip?
 

wardmundy

Nerd Uno
I'll install on Vultr tomorrow. Why not have PJsip on 5160 and SIP on 5060? I assume most people still use SIP as their stable sip?
I agree. I've switched things back to what we're used to: ChanSIP=5060, PJsip=5061. That leaves the existing firewall setup as it's always been.
 

wardmundy

Nerd Uno
More changes just released. Trying to get CentOS 7 working now, but it's still a work in progress.
 

wa4zlw

Member
Joined
Feb 14, 2008
Messages
845
Reaction score
22
Location
Blandon, PA
Did you read Disclaimer #1? Why would we want to do that? You could add it from GitHub at your own risk, of course.
Yes, it's not a commercial module and this would be a test PBX. I really need a seamless way for soft phones to communicate on wifi or cellular without a VPN and without knowing what their source IP is. That firewall plus the 3CX firewall handles it. Unfortunately, 3CX smartphone clients don't work with IPv6 on T-Mobile and they were not interested in fixing it.
 

krzykat

Guru
Yes, it's not a commercial module and this would be a test PBX. I really need a seamless way for soft phones to communicate on wifi or cellular without a VPN and without knowing what their source IP is. That firewall plus the 3CX firewall handles it. Unfortunately, 3CX smartphone clients don't work with IPv6 on T-Mobile and they were not interested in fixing it.
I've got that working with Ward's IPtables.

Code:
# Generated by iptables-save v1.4.7 on Fri Dec 25 22:54:33 2015
*mangle
:PREROUTING ACCEPT [1275:156963]
:INPUT ACCEPT [1275:156963]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1204:242951]
:POSTROUTING ACCEPT [1204:242951]
COMMIT
# Completed on Fri Dec 25 22:54:33 2015
# Generated by iptables-save v1.4.7 on Fri Dec 25 22:54:33 2015
*raw
:PREROUTING ACCEPT [1275:156963]
:OUTPUT ACCEPT [1204:242951]
COMMIT
# Completed on Fri Dec 25 22:54:33 2015
# Generated by iptables-save v1.4.7 on Fri Dec 25 22:54:33 2015
*nat
:PREROUTING ACCEPT [5:371]
:POSTROUTING ACCEPT [23:1384]
:OUTPUT ACCEPT [23:1384]
COMMIT
# Completed on Fri Dec 25 22:54:33 2015
# Generated by iptables-save v1.4.7 on Fri Dec 25 22:54:33 2015
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:UAGENT - [0:0]
:OUTPUT ACCEPT [0:0]
:PROVISION - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --dport 9999:65535 --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
# Carriers
# Alcazar Networks
-A INPUT -p udp -m udp -s 162.212.218.11/32 --dport 5060:5069 -j ACCEPT
# Anveo Direct
-A INPUT -p udp -m udp -s 50.22.101.14/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 67.212.84.21/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 50.22.102.242/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 72.9.149.25/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s sbc.anveo.com --dport 5060:5069 -j ACCEPT
# CallWithUs
-A INPUT -p udp -m udp -s sip.callwithus.com --dport 5060:5069 -j ACCEPT
# V1-VoIP
-A INPUT -p udp -m udp -s 207.239.159.171/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 207.239.151.40/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 173.246.36.196/32 --dport 5060:5069 -j ACCEPT
# Endstream
-A INPUT -p udp -m udp -s 208.85.248.43/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 208.85.248.103/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 208.85.248.41/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 208.85.248.101/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 208.85.248.40/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 208.85.248.100/32 --dport 5060:5069 -j ACCEPT
# 3C UKDDI
-A INPUT -p udp -m udp -s 87.117.74.1/32 --dport 5060:5069 -j ACCEPT
# FutureNine
-A INPUT -p udp -m udp -s sip.future-nine.com --dport 5060:5069 -j ACCEPT
# T-38Fax
-A INPUT -p udp -m udp -s sip.t38fax.com --dport 5060:5069 -j ACCEPT
# VoIP Innovations - Inbound Origination
-A INPUT -p udp -m udp -s 64.136.173.31/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 64.136.174.30/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 64.136.174.20/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 209.166.154.70/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 192.240.151.100/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 64.136.173.65/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 64.136.174.65/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 64.136.174.21/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 209.166.154.71/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 192.240.151.101/32 --dport 5060:5069 -j ACCEPT
# VoIP Innovations - Outbound Termination
-A INPUT -p udp -m udp -s 64.136.174.30/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 64.136.173.22/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 209.166.128.200/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 192.240.151.100/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 64.136.174.65/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 64.136.173.23/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 209.166.128.201/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 192.240.151.101/32 --dport 5060:5069 -j ACCEPT
# Vitelity - I think they own the whole C class, so we're letting them in
-A INPUT -p udp -m udp -s 64.2.142.1/24 --dport 5060:5069 -j ACCEPT
# VoiceTrading
-A INPUT -p udp -m udp -s sip.voicetrading.com --dport 5060:5069 -j ACCEPT
# V1 VoIP
-A INPUT -p udp -m udp -s 207.239.159.171/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 173.246.36.196/32 --dport 5060:5069 -j ACCEPT
-A INPUT -p udp -m udp -s 207.239.151.40/32 --dport 5060:5069 -j ACCEPT
# Provisioning Private IP's allowed - not applicable to our cloud servers
-A INPUT -p tcp -m tcp --dport 12255 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
# PROVISION[START]
-A INPUT -j PROVISION
-A PROVISION -p udp --dport 5060 -m string --string "REGISTER sip.myfqdn-name.com" --algo bm -j UAGENT
# PROV:BRIA
# UAGENT[START]
-A PROVISION -p udp --dport 5060 -m string --string "User-Agent: Bria" --algo bm -j ACCEPT
# PROVISION[END]
COMMIT
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
643
Reaction score
72
I've got that working with Ward's IPtables.
Ditto! But slightly different...
Code:
-I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sundayddr" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipsak" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipvicious" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "iWar" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
-I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm
-I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --set
-I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 3600 --hitcount 100 -j DROP
-I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 600 --hitcount 20 -j DROP
-I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 300 --hitcount 10 -j DROP
-I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 180 --hitcount 5 -j DROP
-I INPUT -p udp --dport 5060 -i eth0 -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 3 -j DROP
And of course I opened 5060/UDP.

I tried, at one time, dropping the register if the string did not contain my FQDN but couldn't make that work. The above rules work for me and logs/F2B have been quiet ever since.
 

krzykat

Guru
New server successfully installed on Vultr - CentOS 6.9 Minimal + above instruction set. That was a 1 GB RAM version. I can try later this evening on 512 MB.
 

krzykat

Guru
New server successfully installed on Vultr - CentOS 6.9 Minimal + above instruction set. That was a 1 GB RAM version. I can try later this evening on 512 MB.
512 MB fired up OK as well, although getting CentOS to configure eth0 with no GUI (512 MB) meant using vi, which I had forgotten the commands for, so it took me a few minutes.
 

krzykat

Guru
Could I recommend a facelift to IPtables to include dropping the known attacker clients such as sipsak, sipvicious, etc.? Also, I think breaking up the carriers with their names on them, as I showed earlier, is great for managing the table more easily and adding or removing carriers as the user sees fit.
 

wardmundy

Nerd Uno
Could I recommend a facelift to IPtables to include dropping the known attacker clients such as sipsak, sipvicious, etc.? Also, I think breaking up the carriers with their names on them, as I showed earlier, is great for managing the table more easily and adding or removing carriers as the user sees fit.
Once we get these new releases out the door, I'm going to work on IPtables setup. We've already done considerable work on it for Wazo and Issabel. One important change is to separate out the FQDNs in the whitelist from the initial install. The reason is that a single FQDN resolve failure will kill IPtables. By separating the FQDNs into individual startup commands, this is avoided. If one fails to resolve, that rule just doesn't get loaded.

Also, I like the idea of whitelisting the FQDN of the server with algo so that all incoming SIP traffic to that FQDN avoids blocking. This string matching requires netfilter in the kernel which rules out most of the OpenVZ platforms except the very latest which most providers haven't implemented. This also probably needs to be optional, but it certainly works and is pretty safe especially if the FQDN of the server isn't obvious, e.g. xyz5843.yourdomain.com. For SIP traffic, it probably makes sense for organizations to create an obfuscated subdomain and then whitelist that subdomain rather than yourdomain.com.
 
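One way to do the per-FQDN loading Ward describes above, as an added example that is not Incredible PBX's own code: every carrier hostname is resolved separately and gets its own iptables command, so a name that fails to resolve loses only its rule instead of aborting the whole iptables load. The carrier hostnames, the DRY_RUN switch and the function names are assumptions for illustration; the port range and rule shape follow the whitelist rules posted earlier in the thread.

```shell
#!/bin/sh
# Added example, not Incredible PBX's own script: whitelist carrier FQDNs one rule at a time.
# Hostnames straight inside an iptables-restore file mean one DNS failure aborts the whole
# load; here each name is resolved on its own and a failure only skips that carrier.
# DRY_RUN=1 (the default, an assumed switch) prints the rules instead of applying them.

# Print the IPv4 addresses a name resolves to, one per line (empty output on failure).
resolve_host() {
    getent ahostsv4 "$1" 2>/dev/null | awk '$2 == "STREAM" { print $1 }' | sort -u
}

# Emit (or apply) one ACCEPT rule for a single address on the SIP port range used in the thread.
add_sip_rule() {
    rule="-A INPUT -p udp -m udp -s $1/32 --dport 5060:5069 -j ACCEPT"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $rule"
    else
        iptables $rule   # word-splitting of $rule into separate arguments is intended
    fi
}

# Whitelist every address of one FQDN; return 1 (with a note on stderr) when it does not resolve.
whitelist_fqdn() {
    addrs=$(resolve_host "$1")
    if [ -z "$addrs" ]; then
        echo "skip: $1 did not resolve; its rule was not loaded" >&2
        return 1
    fi
    for ip in $addrs; do
        add_sip_rule "$ip"
    done
}

# Process every carrier name given as an argument; the return value is how many were skipped.
whitelist_all() {
    skipped=0
    for fqdn in "$@"; do
        whitelist_fqdn "$fqdn" || skipped=$((skipped + 1))
    done
    return $skipped
}

# Usage: DRY_RUN=1 ./sip-whitelist.sh sip.carrier-a.example sbc.carrier-b.example
if [ $# -gt 0 ]; then
    whitelist_all "$@"
fi
```

Because the skip count is the exit status, a cron job or startup script can log which carriers were missing without leaving the INPUT chain in its default DROP state for everyone.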

jeff.h

Guru
OK, sorry, I am late, been crazy busy; will spin one up on DO today.
 

wa4zlw

Member
Right, I did too, but that means I have to dig around and get IP addresses for various networks. We also have endpoints out on various FiOS and dynamic ISP connections. And I really don't want to run a VPN. The phones (old Grandstreams) don't have them, and I can't ask the users to run a VPN on the soft phone. It needs to be seamless.

Leon
 

wardmundy

Nerd Uno
OK. I think we've got the kinks out of the CentOS 7 install this morning. New installer has been uploaded for the pioneers.

 

jeff.h

Guru
LOL, ok, well I can confirm that if you use the built-in module to back up the settings from an Incredible 12.0.70 PBX and restore them to this build, it will break all kinds of stuff :D
 

wardmundy

Nerd Uno
LOL, ok, well I can confirm that if you use the built-in module to back up the settings from an Incredible 12.0.70 PBX and restore them to this build, it will break all kinds of stuff :D
See Disclaimer #5. :death:
 
