PIONEERS Ready: Incredible PBX 13-13 LEAN

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,928
Reaction score
2,573
Here is the fix to permanently turn off Module Signature Checking (also included in latest install):
Code:
sed -i 's|"SIGNATURECHECK", true|"SIGNATURECHECK", false|' /var/www/html/admin/libraries/modulefunctions.class.php
I think we are finally nearing the finish line. Let us know if new surprises pop up.
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
497
Reaction score
73
yes asterisk:asterisk 0664
[admin2]
secret = xxxxxxxxxxxxx
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
writetimeout = 5000
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
497
Reaction score
73
Well, my system is broke after using Module Admin.
Selected config edit from module admin.
Downloaded and installed, clicked return after the installation and this is the result.
[Attachment: Screen Shot 2017-10-24 at 9.00.01 PM.png]
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
497
Reaction score
73
reread this thread and ran
Code:
cd /
wget http://incrediblepbx.com/13-13-patch1.tar.gz
tar zxvf 13-13-patch1.tar.gz
rm 13-13-patch1.tar.gz
which fixed the gui

then noticed the tampered files warning
ran
Code:
sed -i 's|"SIGNATURECHECK", true|"SIGNATURECHECK", false|' /var/www/html/admin/libraries/modulefunctions.class.php
which did not correct the warning.
I might have to reinstall due to running module admin before applying the patch
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,928
Reaction score
2,573
@islandtech: I think you'd be better served by loading a fresh install. We just tested a fresh build and loaded configedit without issue. So... somewhere along the pioneering road, it appears your system got hosed. We've learned the hard way to experiment with new builds using VirtualBox or Vultr, and then move on from there once things settle down. We've got less than 25 cents invested in dozens of builds at Vultr, and it has reduced the stress level by roughly 99%.
 
  • Like
Reactions: jeff.h

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,928
Reaction score
2,573
Noticed today that, on bootup, Asterisk is running as root user instead of asterisk user. This is addressed in today's release of the installer. To fix previous installs, add the following line in /etc/rc.local just above the exit 0 line and then reboot:
Code:
fwconsole restart
You can test whether it worked with this command which will show safe_asterisk running as root and asterisk running as the asterisk user:
Code:
ps aux | grep asterisk
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,928
Reaction score
2,573
Here is the new Package Download Script to retrieve packages from the FreePBX GitHub repository that are suitable for install with Module Admin:
Code:
wget http://incrediblepbx.com/gpldownload13.tar.gz
tar zxvf gpldownload13.tar.gz --directory /var/www/html
rm -f gpldownload13.tar.gz
To use the script, always change to the /var/www/html directory first. You can read the brief instructions here:
Code:
cd /var/www/html
./gpldownload
Code:
# Visit the FreePBX GPL repo on GitHub and find name of package: https://github.com/FreePBX
# Download the desired package: cd /var/www/html && ./gpldownload packagename
# This creates a tarball in /var/www/html, e.g. packagename.tar.gz
# Open the Incredible PBX GUI with your browser and then Admin:Module Admin
# Click Upload Modules button
# Fill in the web address for your new package => http://server-IP-address/packagename.tar.gz
# Click Download (From Web) button
# Once downloaded, you will be redirected to Module Admin where you can upgrade or install the new package

### WARNING: Do NOT update core, framework, dashboard, or firewall packages or you may destroy your server. ###
WE STRONGLY RECOMMEND TESTING NEW PACKAGES AND UPDATES ON A SEPARATE, NON-PRODUCTION SERVER BEFORE INSTALLING THEM ON A PBX UPON WHICH YOU ACTUALLY DEPEND!
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,928
Reaction score
2,573
Travelin' Man 3, release 2 for Incredible PBX 13-13 with CentOS 6 or 7

We've got the second release of Travelin' Man 3 reworked for Incredible PBX 13-13 now. This brings the firewall in line with the Issabel and Wazo builds. The main advantage is that it separates out FQDNs when IPtables is loaded. If you didn't know, if you get an unresolvable FQDN when IPtables starts or restarts with the original release, IPtables crashes and burns leaving you with no firewall protection. Unfortunately, this was/is a design flaw in IPtables. Our workaround is to load a basic whitelist of IP addresses first which gets IPtables running. Then we individually load each additional whitelist rule. Those that fail will still fail, but they won't bring down the whole house of cards. If a site is down, there's no need to have it in your whitelist anyway since it is not operational. Basic rules are in /etc/sysconfig/iptables. Most rules now are in /usr/local/sbin/iptables-custom.



Here's how to update your existing Incredible PBX 13-13 server. Run the install from a desktop machine that you regularly use to manage your PBX. This gets its IP addresses whitelisted.

Step #1: From the desktop PC, start by removing any custom whitelist entries you've previously added using add-ip or add-fqdn. You can do this with the /root/del-acct script.

Step #2: Then install the new release with the commands below.

Step #3: Then reload your custom whitelist entries with add-ip or add-fqdn.

We will incorporate the new TM3 firewall into the Incredible PBX 13-13 installer on or after 5:15 pm EDT today.
Code:
cd /tmp
mkdir tm3
cd tm3
wget http://incrediblepbx.com/TM3-13-13.tar.gz
tar zxvf TM3-13-13.tar.gz
rm TM3-13-13.tar.gz
./install*
UPDATED 11/5/2017 to add (optional) create-fail2ban-whitelist script in /root. When run, it will add all of the non-routable IP addresses and your server's and PC's private and public IP addresses to the default fail2ban whitelist: /etc/fail2ban/jail.conf.
 
Last edited:
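The staged loading described in the post above, as an added example that is not part of the thread or of Travelin' Man 3: each whitelist rule is applied on its own, so one unresolvable FQDN costs only that rule. The function names, the `IPT` variable and the one-rule-per-line file format are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Travelin' Man 3 code. load_rules, apply_rule, IPT and
# the one-rule-per-line file format are assumptions made for illustration.
#
# Constructed sample rules file:
#   -A INPUT -s 192.0.2.10 -j ACCEPT
#   -A INPUT -s sip.example.invalid -j ACCEPT

IPT="${IPT:-iptables}"   # command that applies one rule; point at a stub to dry-run
FAILED_COUNT=0           # number of rules skipped by the last load_rules call
FAILED_RULES=""          # the skipped rules, each followed by ";"

# apply_rule "ARGS": run $IPT with ARGS split into words. Globbing is turned
# off so a stray "*" in the file is never expanded against the filesystem.
apply_rule() {
    set -f
    $IPT $1 </dev/null 2>/dev/null
    _status=$?
    set +f
    return "$_status"
}

# load_rules FILE: apply every non-blank, non-comment line of FILE as its own
# rule. A rule that fails (for example, an FQDN that does not resolve) is
# recorded and skipped; the rules before and after it still load.
# Returns 0 when every rule loaded, 1 when at least one was skipped.
load_rules() {
    FAILED_COUNT=0
    FAILED_RULES=""
    while IFS= read -r rule || [ -n "$rule" ]; do
        case "$rule" in ''|'#'*) continue ;; esac
        if ! apply_rule "$rule"; then
            FAILED_COUNT=$((FAILED_COUNT + 1))
            FAILED_RULES="${FAILED_RULES}${rule};"
            echo "skipped: $rule" >&2
        fi
    done < "$1"
    [ "$FAILED_COUNT" -eq 0 ]
}
```

Checking `FAILED_COUNT` after each load shows which whitelist entries are currently not in force, rather than finding out when a remote site cannot register.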
Joined
Oct 26, 2013
Messages
50
Reaction score
18
In applying the SRTP patch to enable AES-256 and AES-GCM one of the hunks fails. Specifically the one that attempts to patch main/sdp_srtp.c.

It fails because the line it is looking for in sdp_srtp.c is slightly different. The version of Asterisk is 13.17.2 and it is line 263 that looks like this:

if (sscanf(tag, "%30d", &crypto->tag) != 1 || crypto->tag < 0 || crypto->tag > 999999999) {

The patch is actually looking for:
if (sscanf(tag, "%30d", &crypto->tag) != 1 || crypto->tag <= 0 || crypto->tag > 999999999) {

So the compare operation with the variable crypto->tag is less than 0 in the actual Asterisk source, but the patch is looking for less than or equal to 0.

Not really sure how much difference this makes as this is for Secure RTP, which I don't know how many people actually use.

The question: do we edit the patch file to look for the correct compare operation?

Ultimately the patch replaces that line with:
if (sscanf(tag, "%30d", &tag_from_sdp) != 1 || tag_from_sdp <= 0 || tag_from_sdp > 999999999) {

I see in newer versions of Asterisk, that code is actually moved to res_srtp.c.

Thanks
 
  • Like
Reactions: wardmundy
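A pre-flight check for the hunk failure described in the post above, as an added example that is not part of the thread or the installer: it lists every line a patch expects to remove that is not present verbatim in the target file. `missing_context` and `make_sample` are hypothetical helper names, and the sample file and one-hunk patch are constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread or the Incredible PBX installer.
# missing_context and make_sample are hypothetical helper names.

# missing_context PATCHFILE TARGET
# Prints each line the patch wants to remove ("-" lines; the "--- a/file"
# header is skipped) that does not appear verbatim in TARGET.
# Returns 0 when every removed line is present, non-zero otherwise.
missing_context() {
    sed -n -e '/^--- /d' -e 's/^-//p' "$1" | {
        missing=0
        while IFS= read -r want; do
            [ -n "$want" ] || continue      # a blank removal proves nothing
            if ! grep -qxF -e "$want" "$2"; then
                printf 'not in %s: %s\n' "$2" "$want"
                missing=$((missing + 1))
            fi
        done
        [ "$missing" -eq 0 ]
    }
}

# Constructed sample in directory $1: the sdp_srtp.c line as quoted in the
# post (indentation omitted), and a one-hunk patch expecting the "<= 0" form.
make_sample() {
    dir="$1"
    printf '%s\n' \
        'if (sscanf(tag, "%30d", &crypto->tag) != 1 || crypto->tag < 0 || crypto->tag > 999999999) {' \
        > "$dir/sdp_srtp.c"
    printf '%s\n' \
        '--- a/main/sdp_srtp.c' \
        '+++ b/main/sdp_srtp.c' \
        '@@ -263,1 +263,1 @@' \
        '-if (sscanf(tag, "%30d", &crypto->tag) != 1 || crypto->tag <= 0 || crypto->tag > 999999999) {' \
        '+if (sscanf(tag, "%30d", &tag_from_sdp) != 1 || tag_from_sdp <= 0 || tag_from_sdp > 999999999) {' \
        > "$dir/srtp.patch"
}

# Usage: d=$(mktemp -d); make_sample "$d"
#        missing_context "$d/srtp.patch" "$d/sdp_srtp.c" || echo "hunk will fail"
```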

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,928
Reaction score
2,573
Thanks for the fix, @David Foxworth. I just patched the patch using your fix for the time being which makes things work. I've updated the installer and tested it out. Seems to compile in fine now... until the next "improvement."
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,928
Reaction score
2,573
Incredible Fax 13 Addition



New installs now include incrediblefax13.sh script to install and configure HylaFax/Avantfax.

After the reboot, be sure to set your Avantfax password with /root/avantfax-pw-setup.

In the GUI, be sure to add a new Custom Destination. This becomes the extension to use for incoming faxes.

Code:
target   -> custom-fax-iaxmodem,s,1
descrip  -> Fax (Hylafax)
return   -> no
For existing systems, the incrediblefax11.sh script doesn't work. Don't try it. Instead:
Code:
cd /root
rm -f incrediblefax11.sh
wget http://incrediblepbx.com/incrediblefax13.tar.gz
tar zxvf incrediblefax13.tar.gz
rm -f incrediblefax13.tar.gz
./incrediblefax13.sh
If you'd prefer to patch the existing installer, here's the fix for incrediblefax11.sh:
Code:
sed -i 's|joshnorth|wardmundy|' /root/incrediblefax11.sh
Never run the fax installer more than once!
 
Last edited:

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,928
Reaction score
2,573
@wardmundy when you patch these bugs, are they also pushed down to existing servers?
Not currently. The SRTP bug in particular would require a complete rebuild of Asterisk. You can download the current installer and search it for srtp to find the necessary patch if you want to DIY... but I'd start over if you really need SRTP support.
 
Last edited:

jeff.h

Guru
Joined
Dec 1, 2010
Messages
482
Reaction score
70
Got some more time to play with this today. Are we still following the install instructions for the lean version in post #21 of this thread?
 
