ALERT Wazo on WootHosting VPS

peterbata

Member
Joined
Jan 23, 2012
Messages
64
Reaction score
3
Hello all. I have followed the Nerd Vittles tutorial on installing Wazo at WootHosting. After installing it approx a week ago I was able to access / configure Wazo via a hostname, Putty SSH, and the Woot provided IP address. A day or two later my server was totally inaccessible. I contacted support and was asked to re-install, which I did successfully a few days ago. I accessed my server last night and frankly all I did was to add an extension or two. A few minutes ago I thought that I would log into the server but once again it is not accessible. I cannot ping my IP address either. The request times out. I have logged into my control panel and the server status reads "online". I was wondering if anyone else has been having the same issue(s). It seems ridiculous to have to re-install Wazo every other day. It is not mission critical for the time being so I am not going to panic. However, it is worrisome. Thank you
 

smarks

Guru
Joined
Jan 7, 2015
Messages
116
Reaction score
26
If you cannot even ping the IP that sounds more like OS or firewall to me. I would try disabling the firewall/fail2ban for troubleshooting. Also make sure selinux is disabled.
 

DavidBer

Member
Joined
Apr 14, 2009
Messages
76
Reaction score
7
This is a VERY IMPORTANT concept to understand about PBX In a Flash.

Ward and company take security very f____ing seriously. I mean VERY F_____ing seriously. That is the 2nd item on their mission.

Because of that, everything in the world to be 'tight' is done.

When you install PIAF it installs/configures three things:

iptables
fail2ban
PortKnocker


Iptables is a firewall that runs on the server. It is set to NOT allow ANY TRAFFIC on ANY PORT except from a few known SIP providers and the machine's IP address that you installed from. Read that sentence a few times. If you are on an ISP that changes your IP address that you installed from, you cannot get back on your machine.

fail2ban reads attempts to log in from locations you are not allowed to log in from and BANS that IP from logging in for a period of time. IT READS the values in IPTABLES and updates IPTABLES to BAN your bad IP.

Portknocker - this is YOUR LIFELINE. It is YOUR BACKDOOR into YOUR system. What portknocker does is if YOU send traffic to a series of ports, it will then update iptables with that machine's IP address and let you in.

Now let's put this in practice.

You have an ISP at your house that changes your IPs a lot. You host at woot and you have assigned the IP to pbx.mypbx.com

Day 1 - your ip is 123.123.123.123 - you install and configure.
Day 2 - your ISP changed your IP to 123.231.231.231 - you try and log in. Nope, iptables doesn't know that IP address. You can't get in. Now you use nmap and the string that was in your /root/portknocker.faq - Your IP is now added to iptables and you can log in.

Now how do you solve this long term? There are a few ways.

One way is to add a block of IPs to iptables. Most ISPs stay within a block. Generally a /16 would work, so you could do: /root/add-ip MyIsp 123.123.123.0/16 - then hit enter, then hit enter again, then choose option 0 for all traffic.

Another way is to spend the money for a dedicated ip.


------------

Yes, I find this security VERY annoying. However, I truly understand it. If I had a call center with 500 phones and was spending thousands a month at a sip provider, this is the ONLY way I would run the system.
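
As an added example (not part of the post above and not PIAF's own tooling), this POSIX shell check shows what an allowlist block such as `123.123.123.0/16` actually matches, how many source addresses it admits, and whether a given client address falls inside it. The function names are assumptions made for the example; the addresses are the ones used in the post.

```sh
#!/bin/sh
# Added example: inspect an IPv4 allowlist block before giving it to a firewall helper.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as an integer.
prefix_mask() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }

# Network that ADDR/BITS really denotes once the host bits are cleared.
cidr_network() {
    bits=${1#*/}
    echo "$(int_to_ip $(( $(ip_to_int "${1%/*}") & $(prefix_mask "$bits") )))/$bits"
}

# Number of source addresses the block lets through.
cidr_size() { echo $(( 1 << (32 - ${1#*/}) )); }

# Succeeds when address $2 falls inside block $1.
cidr_contains() {
    mask=$(prefix_mask "${1#*/}")
    [ $(( $(ip_to_int "${1%/*}") & $mask )) -eq $(( $(ip_to_int "$2") & $mask )) ]
}

# The block and the two client addresses used in the post.
block=123.123.123.0/16
echo "$block matches $(cidr_network "$block"), $(cidr_size "$block") addresses"
for ip in 123.123.123.123 123.231.231.231; do
    if cidr_contains "$block" "$ip"; then echo "$ip: covered"; else echo "$ip: not covered"; fi
done
```

The size figure is the trade-off to weigh: every address in the block, not only yours, passes the firewall and is then held back only by fail2ban and the service's own authentication.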
 

peterbata

Member
Joined
Jan 23, 2012
Messages
64
Reaction score
3
If you cannot even ping the IP that sounds more like OS or firewall to me. I would try disabling the firewall/fail2ban for troubleshooting. Also make sure selinux is disabled.
First off, thank you for chiming in. I appreciate it. Would that include logging into my server via Putty SSH as well?
 

peterbata

Member
Joined
Jan 23, 2012
Messages
64
Reaction score
3
Update. Woot moved me over to the New York facility a few minutes ago. Also provided me with a new IP address. Will attempt the Wazo install again. Also have my stopwatch going. Last install took approx 12 hours to complete.
 

peterbata

Member
Joined
Jan 23, 2012
Messages
64
Reaction score
3
Thanks so much for that very informative response DavidBer. Much appreciated. Definitely a keeper. In MY particular case, my IP remains the same until I either experience a power outage or a modem reset is necessary. Have a great weekend. Peter

 

krzykat

Telecom Strategist
Joined
Aug 2, 2008
Messages
3,145
Reaction score
1,235
One thing I have done is created a domain name for the remote site: remote.myco.com - Then a machine on remote.myco.com checks its IP address every so often and if it finds its public IP address has changed, it changes the IP address so that remote.myco.com always points to the right place. Then in the iptables, we whitelist remote.myco.com - and we check via a cron job and reload the IPtables every x amount of time so that your server always knows the IP address of the remote extensions.
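
The cron step described above, as an added example that is not krzykat's script: iptables resolves a hostname only when a rule is inserted, so the job re-resolves the name, validates the answer, and swaps a single allow rule instead of reloading the whole ruleset. `ALLOW_HOST`, `CHAIN`, `STATE_FILE`, `DRY_RUN` and the function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example: keep one iptables allow rule in step with a dynamic-DNS name.
# ALLOW_HOST, CHAIN and STATE_FILE are assumed names, not taken from the thread.
ALLOW_HOST=${ALLOW_HOST:-remote.myco.com}
CHAIN=${CHAIN:-DDNS_ALLOW}   # dedicated chain, created once and jumped to from INPUT
STATE_FILE=${STATE_FILE:-/var/run/ddns_allow.ip}

# First IPv4 address the system resolver returns for a name.
resolve_ipv4() { getent ahostsv4 "$1" | awk 'NR==1 {print $1}'; }

# Accept only a dotted quad with octets 0-255; a DNS answer is untrusted input.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the iptables commands that move the allow rule from address $1 to $2.
plan_update() {
    if [ "$1" = "$2" ]; then return 0; fi
    echo "iptables -I $CHAIN 1 -s $2/32 -j ACCEPT"   # add first, so access never lapses
    if [ -n "$1" ]; then echo "iptables -D $CHAIN -s $1/32 -j ACCEPT"; fi
}

# One cron run: resolve, validate, then print (DRY_RUN=1, default) or apply the change.
refresh() {
    new=$(resolve_ipv4 "$ALLOW_HOST")
    if ! is_ipv4 "$new"; then
        echo "no valid address for $ALLOW_HOST; rules left unchanged" >&2
        return 1
    fi
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    is_ipv4 "$old" || old=""
    plan=$(plan_update "$old" "$new")
    if [ -z "$plan" ]; then return 0; fi
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$plan"; return 0; fi
    echo "$plan" | while read -r cmd; do $cmd || exit 1; done || return 1
    echo "$new" > "$STATE_FILE"
}

# Run only when asked, e.g. from root's crontab with DRY_RUN=0 and the argument "run".
case "${1:-}" in run) refresh ;; esac
```

A failed or malformed lookup leaves the existing rule in place, so a DNS outage cannot lock the remote site out or open the chain to an unintended source.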
 

peterbata

Member
Joined
Jan 23, 2012
Messages
64
Reaction score
3
One thing I have done is created a domain name for the remote site: remote.myco.com - Then a machine on remote.myco.com checks its IP address every so often and if it finds its public IP address has changed, it changes the IP address so that remote.myco.com always points to the right place. Then in the iptables, we whitelist remote.myco.com - and we check via a cron job and reload the IPtables every x amount of time so that your server always knows the IP address of the remote extensions.
Interesting. Thank you for that info.
 

peterbata

Member
Joined
Jan 23, 2012
Messages
64
Reaction score
3
Well, there is only one way to put this: Woothosting Sucks. I have had nothing but problems since signing up for their crappy service. Up for a day, down for a day. On September 23, 2016 they switched me back to their New York node (so they say). I saw an increased improvement in the installation and overall performance of Wazo. And then it was right back to normal. Today, September 26, 2017 I began seeing the Page cannot display browser message. Basically, I had just about had it so I asked for a full refund. A whopping 18.00 USD. This is the response that I received a few minutes ago.

Unfortunately, we cannot issue a refund on your current Plan as you have exceeded our 3 day money back period.
I can however issue a $17 prorated refund to your account credit - is that OK?

How convenient. Had me going like a roadrunner for three days and then it was back to the Pony express. Buyer beware. I fail to believe that I am the only one having these difficulties.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Not as bad as CloudAtCost, but WootHosting is turning out not to be an ideal platform for Wazo, to put it charitably. They are definitely oversubscribed for an app like Wazo. Wazo requires a lot of horsepower and is better suited for some of the other providers such as Vultr and OVH. They actually disabled one of our Wazo servers saying it was using too many resources. Didn't see that in the fine print. Issabel and Incredible PBX 13 servers seem to be doing just fine. As the old saying goes, "you get what you pay for." :death:
 

peterbata

Member
Joined
Jan 23, 2012
Messages
64
Reaction score
3
Good morning Ward and thank you for the prompt reply. Actually, I would go as far as saying that Woot is not suitable for any platform. Even before I installed Wazo I was having trouble SSH'ing into my Debian 8 minimal instance. I have contacted PayPal and hope that I can recoup my 18.00 USD. It's not a boat load of money, but it is MY money. Have a wonderful day! Peter
 

phonebuff

Guru
Joined
Feb 7, 2008
Messages
1,117
Reaction score
129
As the old saying goes, "you get what you pay for." :death:

Okay, I have to ask. Why is this hobby / industry becoming, like so many other things in our world today, a race to the bottom?

As Uncle Ward said, cheap is not the best answer. My RentPBX, about $15/Month, is very reliable and I have no issues three years later.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
Part of this depends upon the actual purpose of your PBX. We mostly explore, build, and test stuff. So breakage isn't that important. We usually break more things than the provider. :cowboy:

If, on the other hand, you use your PBX to run your business or to accept million dollar job offers, this would not be the place to cut corners. As @phonebuff said, RentPBX is not only a sponsor of ours but also a premium provider that still manages to undercut most of the competition by up to 50%.
 

AndyInNYC

Active Member
Joined
May 23, 2013
Messages
772
Reaction score
124
I'm running a fully loaded mail server on woothosting - anti-virus, spam assassin, etc. on woothosting's $18/year server. It ain't the fastest (even though they claim 4 CPU), but so far (fingers crossed) it's working great.

I have another instance in another location set up as a minecraft server for my son and his friends. He says the speed is 'good enough'.

Sorry you had difficulties, but I'm happy that Ward & Co. suggested the service.

Andrew
 

Hometech

Active Member
Joined
Mar 9, 2008
Messages
242
Reaction score
29
I too have had some strange issues. Had a tough time installing it and had to start over 5 or more times to get it installed. That was more my fault, not understanding the instructions fully, and Woothosting having two interfaces to manage the instance. I was only aware of one when I started and could not find how to start over and reinstall the OS. But soon was given access to that by Woothosting.

I have Wazo 17.13 and notice at different times of the day if I try to bring up the web interface or ssh for WAZO it takes forever... it does come up but it takes so long it makes you think it's going to fail. Other times it pops up quickly. It makes me think something is going to sleep or resources are not available to process requests quickly... what do I know, just what I see. Luckily I am just testing it. I only have GV account set up for now. But with the performance I am seeing I can't see me using this for production. I am not sure if it's Woothosting slowing it down or this is normal for WAZO software. I will need to test on local computer hardware to verify.

my 2 cents
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
It's time slicing with overcommitted server resources.
 

peterbata

Member
Joined
Jan 23, 2012
Messages
64
Reaction score
3
If their service was so great, why would they be contacting me with this information? And it wouldn't have been the first time either. I just told them to stop bothering me. I received this communique yesterday:

Dear Peter,

I spoke with our Support team about this issue.
They told me that the file system on your server has completely crashed.
And there is no way to recover the data.
I'm sorry about that.
Shall we rebuild the server for you?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,220
The price you pay for cheap is the same recommendation we made with CloudAtCost. If your installed server is not stable, blow it away and do it again. We actually have very stable servers running at WootHosting with Wazo, Issabel, and Incredible PBX 13. Only one of them had to be rebuilt. But, yes, it can be a royal pain. And with platforms like Vultr, OVH, and Digital Ocean, you don't have to endure the pain... but it costs more.
 

hawk#1

Well-Known Member
Joined
Nov 3, 2015
Messages
716
Reaction score
309
@Hometech,

I have run and am currently running Wazo on a local machine, using Ward's guides without any performance issues. I am in the process of setting up Wazo on OVH. I'm confident in stating that the issues you mentioned are caused by woot hosting. I was having performance issues on the systems I ran at woot hosting.

PS
Another possibility is that they recently oversold servers that they did not have the resources for in the New York site and had to have my servers moved to either Miami or LA.
 
