PIONEERS Ready: Incredible PBX 13-13 LEAN

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Here is the fix to permanently turn off Module Signature Checking (also included in latest install):
Code:
sed -i 's|"SIGNATURECHECK", true|"SIGNATURECHECK", false|' /var/www/html/admin/libraries/modulefunctions.class.php

I think we are finally nearing the finish line. Let us know if new surprises pop up.
 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
Now that you have CentOS 7 working, will that be the recommended OS?
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
677
Reaction score
137
yes asterisk:asterisk 0664
[admin2]
secret = xxxxxxxxxxxxx
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
write = system,call,log,verbose,command,agent,user,config,command,dtmf,reporting,cdr,dialplan,originate,message
writetimeout = 5000
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
677
Reaction score
137
Well, my system is broke after using Module Admin.
Selected config edit from module admin.
Downloaded and installed, clicked return after the installation and this is the result.
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
677
Reaction score
137
reread this thread and ran
Code:
cd /
wget http://incrediblepbx.com/13-13-patch1.tar.gz
tar zxvf 13-13-patch1.tar.gz
rm 13-13-patch1.tar.gz

which fixed the gui

then noticed the tampered files warning
ran
Code:
sed -i 's|"SIGNATURECHECK", true|"SIGNATURECHECK", false|' /var/www/html/admin/libraries/modulefunctions.class.php
which did not correct the warning.
I might have to reinstall due to running module admin before applying the patch
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
@islandtech: I think you'd be better served by loading a fresh install. We just tested a fresh build and loaded configedit without issue. So... somewhere along the pioneering road, it appears your system got hosed. We've learned the hard way to experiment with new builds using VirtualBox or Vultr, and then move on from there once things settle down. We've got less than 25 cents invested in dozens of builds at Vultr, and it has reduced the stress level by roughly 99%.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Noticed today that, on bootup, Asterisk is running as root user instead of asterisk user. This is addressed in today's release of the installer. To fix previous installs, add the following line in /etc/rc.local just above the exit 0 line and then reboot:
Code:
fwconsole restart

You can test whether it worked with this command which will show safe_asterisk running as root and asterisk running as the asterisk user:
Code:
ps aux | grep asterisk
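
The check described in the post above, as an added example that is not part of the original post: it reads `user command` pairs and flags an `asterisk` process owned by root, while treating `safe_asterisk` as root as expected. The function name and exit codes are assumptions made for this sketch.

```shell
#!/bin/bash
# Added example (not from the thread). check_asterisk_user is a hypothetical name.
# Reads "user command" pairs on stdin, one process per line.
# Exit status: 0 = asterisk runs unprivileged, 1 = an asterisk process is owned
# by root, 2 = no asterisk process found at all.
check_asterisk_user() {
    awk '
        # safe_asterisk running as root is expected, so only the daemon is checked
        $2 == "asterisk" && $1 == "root" { bad++; print "asterisk running as root" > "/dev/stderr" }
        $2 == "asterisk" && $1 != "root" { ok++ }
        END {
            if (bad) exit 1
            if (!ok) exit 2
            exit 0
        }
    '
}

# Live use on the PBX (left commented so the file can be sourced safely):
#   ps -eo user=,comm= | check_asterisk_user && echo "asterisk is not root"
```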
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Here is the new Package Download Script to retrieve packages from the FreePBX GitHub repository that are suitable for install with Module Admin:
Code:
wget http://incrediblepbx.com/gpldownload13.tar.gz
tar zxvf gpldownload13.tar.gz --directory /var/www/html
rm -f gpldownload13.tar.gz

To use the script, always change to the /var/www/html directory first. You can read the brief instructions here:
Code:
cd /var/www/html
./gpldownload

Code:
# Visit the FreePBX GPL repo on GitHub and find name of package: https://github.com/FreePBX
# Download the desired package: cd /var/www/html && ./gpldownload packagename
# This creates a tarball in /var/www/html, e.g. packagename.tar.gz
# Open the Incredible PBX GUI with your browser and then Admin:Module Admin
# Click Upload Modules button
# Fill in the web address for your new package => http://server-IP-address/packagename.tar.gz
# Click Download (From Web) button
# Once downloaded, you will be redirected to Module Admin where you can upgrade or install the new package

### WARNING: Do NOT update core, framework, dashboard, or firewall packages or you may destroy your server. ###

WE STRONGLY RECOMMEND TESTING NEW PACKAGES AND UPDATES ON A SEPARATE, NON-PRODUCTION SERVER BEFORE INSTALLING THEM ON A PBX UPON WHICH YOU ACTUALLY DEPEND!
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Travelin' Man 3, release 2 for Incredible PBX 13-13 with CentOS 6 or 7

We've got the second release of Travelin' Man 3 reworked for Incredible PBX 13-13 now. This brings the firewall in line with the Issabel and Wazo builds. The main advantage is that it separates out FQDNs when IPtables is loaded. If you didn't know, if you get an unresolvable FQDN when IPtables starts or restarts with the original release, IPtables crashes and burns leaving you with no firewall protection. Unfortunately, this was/is a design flaw in IPtables. Our workaround is to load a basic whitelist of IP addresses first which gets IPtables running. Then we individually load each additional whitelist rule. Those that fail will still fail, but they won't bring down the whole house of cards. If a site is down, there's no need to have it in your whitelist anyway since it is not operational. Basic rules are in /etc/sysconfig/iptables. Most rules now are in /usr/local/sbin/iptables-custom.



Here's how to update your existing Incredible PBX 13-13 server. Run the install from a desktop machine that you regularly use to manage your PBX. This gets its IP addresses whitelisted.

Step #1: From the desktop PC, start by removing any custom whitelist entries you've previously added using add-ip or add-fqdn. You can do this with the /root/del-acct script.

Step #2: Then install the new release with the commands below.

Step #3: Then reload your custom whitelist entries with add-ip or add-fqdn.

We will incorporate the new TM3 firewall into the Incredible PBX 13-13 installer on or after 5:15 pm EDT today.
Code:
cd /tmp
mkdir tm3
cd tm3
wget http://incrediblepbx.com/TM3-13-13.tar.gz
tar zxvf TM3-13-13.tar.gz
rm TM3-13-13.tar.gz
./install*

UPDATED 11/5/2017 to add (optional) create-fail2ban-whitelist script in /root. When run, it will add all of the non-routable IP addresses and your server's and PC's private and public IP addresses to the default fail2ban whitelist: /etc/fail2ban/jail.conf.
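
The per-entry loading idea described in the post above, as an added example that is not part of the original post and is not the TM3 `iptables-custom` script: each whitelist entry is resolved and applied on its own, so an unresolvable FQDN is skipped instead of aborting the whole ruleset. The function names, the `RESOLVE`/`APPLY` hooks and the `INPUT ... ACCEPT` rule are assumptions for illustration.

```shell
#!/bin/bash
# Added example (not from the thread). All names below are hypothetical.
# RESOLVE and APPLY are hooks so the logic can be exercised without root.

resolve_host() { getent ahostsv4 "$1" | awk 'NR==1 {print $1}'; }
apply_rule()   { iptables -A INPUT -s "$1" -j ACCEPT; }   # assumed rule shape

RESOLVE=${RESOLVE:-resolve_host}
APPLY=${APPLY:-apply_rule}

# load_whitelist ENTRY...  (each entry is an IP, a CIDR block or an FQDN)
# Prints "<n> loaded, <m> skipped"; a failing entry never stops the loop.
load_whitelist() {
    loaded=0
    skipped=0
    for entry in "$@"; do
        case "$entry" in
            *[!0-9./]*)                          # has non-IP characters: an FQDN
                ip=$($RESOLVE "$entry") || ip="" ;;
            *)
                ip=$entry ;;
        esac
        if [ -n "$ip" ] && $APPLY "$ip"; then
            loaded=$((loaded + 1))
        else
            skipped=$((skipped + 1))
            echo "skipped: $entry" >&2           # record it, keep the firewall up
        fi
    done
    echo "$loaded loaded, $skipped skipped"
}

# Live use, after the basic rules in /etc/sysconfig/iptables are already active:
#   load_whitelist 198.51.100.7 pbx.example.test
```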
 
Joined
Oct 26, 2013
Messages
69
Reaction score
23
In applying the SRTP patch to enable AES-256 and AES-GCM one of the hunks fails. Specifically the one that attempts to patch main/sdp_srtp.c.

It fails because the line it is looking for in sdp_srtp.c is slightly different. The version of Asterisk is 13.17.2 and it is line 263 that looks like this:

if (sscanf(tag, "%30d", &crypto->tag) != 1 || crypto->tag < 0 || crypto->tag > 999999999) {

The patch is actually looking for:
if (sscanf(tag, "%30d", &crypto->tag) != 1 || crypto->tag <= 0 || crypto->tag > 999999999) {

So the compare operation with the variable crypto->tag is less than 0 in the actual Asterisk source, but the patch is looking for less than or equal to 0.

Not really sure how much difference this makes as this is for Secure RTP, which I don't know how many people actually use.

The question, do we edit the patch file to look for the correct compare operation?

Ultimately the patch replaces that line with:
if (sscanf(tag, "%30d", &tag_from_sdp) != 1 || tag_from_sdp <= 0 || tag_from_sdp > 999999999) {

I see in newer versions of Asterisk, that code is actually moved to res_srtp.c.

Thanks
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Thanks for the fix, @David Foxworth. I just patched the patch using your fix for the time being which makes things work. I've updated the installer and tested it out. Seems to compile in fine now... until the next "improvement."
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Incredible Fax 13 Addition



New installs now include incrediblefax13.sh script to install and configure HylaFax/Avantfax.

After the reboot, be sure to set your Avantfax password with /root/avantfax-pw-setup.

In the GUI, be sure to add a new Custom Destination. This becomes the extension to use for incoming faxes.

Code:
target   -> custom-fax-iaxmodem,s,1
descrip  -> Fax (Hylafax)
return   -> no

For existing systems, the incrediblefax11.sh script doesn't work. Don't try it. Instead:
Code:
cd /root
rm -f incrediblefax11.sh
wget http://incrediblepbx.com/incrediblefax13.tar.gz
tar zxvf incrediblefax13.tar.gz
rm -f incrediblefax13.tar.gz
./incrediblefax13.sh

If you'd prefer to patch the existing installer, here's the fix for incrediblefax11.sh:
Code:
sed -i 's|joshnorth|wardmundy|' /root/incrediblefax11.sh

Never run the fax installer more than once!
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
@wardmundy when you patch these bugs, are they also pushed down to existing servers?

Not currently. The SRTP bug in particular would require a complete rebuild of Asterisk. You can download the current installer and search it for srtp to find the necessary patch if you want to DIY... but I'd start over if you really need SRTP support.
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
Got some more time to play with this today. Are we still following the install instructions for the lean version in post #21 of this thread?
 
