Speed Improvements, Security Fixes, Fax

Check the downloads page for the latest RasPBX image dated Jan 19th. It is upgraded with kernel and firmware version 3.6.11+, which gave us a considerable speed improvement compared to the previous image, even without overclocking! Very convenient, especially when working with the FreePBX GUI.

This image also features the latest Asterisk 11.1.2, fixing a DoS vulnerability that was present in all Asterisk versions. Read here for details. If you are already running Asterisk 11, you can upgrade to 11.1.2 by calling

raspbx-upgrade

or alternatively also with apt-get dist-upgrade. Asterisk 11.1.2 has been added to the RasPBX repository on January 10th. To see the version running on your RPi call

asterisk -r

Finally RasPBX has recently added fax capabilities with HylaFAX. An easy-to-use configuration script provides you with fax to email. Print to fax is available with any compatible HylaFAX client. See the documentation page for details.

P.S.: The image from Jan 16th has been replaced with an updated version due to a bug in the CDR reports. If you downloaded it, read instructions for fixing the bug here.

28 thoughts on “Speed Improvements, Security Fixes, Fax

  1. Hi Guys,

    I am in a sort of problem. My carrier requires me to forward ports 5060 and the RTP ports in order to make and receive calls (as I am not registering with the provider). I have done this and setup fail2ban. For security I forwarded 5060 only for my carriers IP (Using Filter in my modem). But I just received my second email as follows:

    “Hi, The IP X has just been banned by Fail2Ban after 3 attempts against Asterisk.”

    I don’t allow SIP Guests and don’t allow anonymous sip calls either. I checked port 5060 on my IP using http://www.yougetsignal.com/tools/open-ports/ and 5060 is closed.

    I have used deny/allow fields for extensions so they can’t register with my pbx unless they are inside the network, and each extension is setup with long secure passwords.

    Is there a security/hacking risk? (I trust my provider, so other then them). I tried to register using my external IP and Fail2ban blocked me, but obviously that may be due to deny/allow ips not changed, just confused?

    • It looks to me port 5060 is in fact open to all IPs, and not only open to your provider’s IP as you have configured your router. Especially if the IPs in the Fail2Ban messages are public ones and not known to you.
      Fail2Ban is active before Asterisk, you will still get blocked IP messages despite having the deny/allow fields configured. This is normal.
      I suggest you open port 5060 on your router for all IPs (no additional filtering here). Then have Fail2Ban monitor the breakin attempts (some 50-100 Fail2Ban messages per day are normal). Then further lock down access with deny/allow rules in Asterisk to your private network IPs as well as the IPs of your providers. I think this is pretty secure and you are quite safe with your setup.

      • In advanced sip settings, I’ve changed the useragent and realem to something random so at least I can make things abit confusing for a intruder :)

        I’ve set alwaysauthreject=yes also. In extensions put allow/deny there, is there anything else I can do to make it more secure.

        The system only has internal extensions, so is it possible to lock it all down to internal specified extensions using iptables?

        At the moment I’m not getting flooded with emails, only one attempt today and one yesterday, but I just want to make it as hard as possible for them to hack into it.

        Any other ideas to lock it down?

        Thanks

        • Please have a look at Razvan’s tutorial here, he wrote some good tips at the bottom of his article.

  2. Hi,
    I installed the latest image and in FreePBX UI Settings menu the General Setting sub-menu is missing. What should I do to put it back. Thank you.

  3. So I copied the settings from the old conf to the new and all my phones suddenly sprang to life :) HA! he thinks. He’s beaten it.
    Alas, go into the GUI and there are no extensions listed event though the phones can call each other….
    Ah well, off to do a bulk load :)

    • Exactly. FreePBX keeps all settings in it’s Mysql database, and when clicking the red Apply Config button, the config files in /etc/asterisk are generated new and overwritten. Asterisk takes it’s config from there.

  4. Alas, that did not seem to fix it. I again ran out of space and traced it down to /tmp/ being full of core.raspbx.[timestamp] files. It’s creating 1000s of them. I delete them all and every few seconds there is a new one. Each are about 6MB so does not take long…

    • Oops! There is something completely wrong on your RPi. This looks like coredumps of some process.
      I would not continue working with this setup anymore, better reinstall it. If you still can login to FreePBX you could try to make a backup with the Backup and Restore module. In any case, have a look at the file /etc/asterisk/sip_additional.conf, it contains all settings of your extensions (including passwords in plain text) as well as your trunks. If you are not using IAX or someting else this should be all you need to re-create your setup.
      You should also consider trying a different SD card, because it looks to me this could have been a card failure problem. Check the official supported cards list here: http://elinux.org/RPi_SD_cards

      • Thanks. I’ve already copied all the conf files off. Glad to know it _might_ be as easy as copying it back.

        The card worked fine up until I broke it so will take another chance on it with a re-install. If it barfs again then I’ll get another card.

        Onwards and upwards 😉

        Thanks for the help!

        • You cannot just copy back the files from /etc/asterisk, they are generated by FreePBX. But you can take the contents as reference and create the setup again in FreePBX.

          • Ah, noted, thanks. Less than ideal but at least I have it all in front of me :)

  5. Hi,

    I upgraded last night to the newest version and it’s not gone well :(
    During the upgrade my disk ran out of space. I cleaned up the logs and using gparted, I expanded the rootfs partition to be 6GB instead of the default. I continued the upgrade and it seemed to work ok.

    Now, logginf on to the GUI I get a message:The module was unable to connect to the Asterisk manager.
    Make sure Asterisk is running and your manager.conf settings are proper.

    If I run asterisk -r via ssh it connects but then a few seconds later I get kicked out. I assume it is crashing because the pid keeps changing as well.

    I’ve checked the manager.conf file and the settings look ok. Not that many options in there and the ones that are there look fine to me. Not conclusive though. (*nix semi-noob)

    Having a look for the log files in /var/logs/asterisk only shows the pbx logs, there is no “full” file.

    All the phones are reporting no-service as well.

    Any tips on what might be happening or how I can find out what is wrong?

    Thanks
    Crispin
    p.s.
    This is a home installation used to keep a geographically dispersed family in touch – The world will not end if I have to reinstall. (albeit plan B)

    • First of all: Did you eventually install a new config file /etc/apache2/envvars during the upgrade? Read here for more details.
      If the disk became full during the upgrade it is possible that one or more packages are now broken. It seems something is wrong with Asterisk itself. It is possible one of the Asterisk modules is broken, and when Asterisk starts and trys to load this module it crashes.
      I assume you are running Asterisk11? Try to uninstall Asterisk first:

      apt-get remove asterisk11

      Now have a look at the directory /usr/lib/asterisk/modules. If there are still files in this directory delete them. Then reinstall Asterisk:

      apt-get install asterisk11

      If you are forced to do a complete reinstall in the end, have a look at the directory
      /var/spool/asterisk/backup/Default_backup/
      of your current installation. The Backup and Restore module is installed by default on the images, and makes a backup every month here. Copy this file to your new installation and you will be able to get all FreePBX settings again using Restore from the Backup and Restore module.

      • Thanks for the reply.

        I did answer no to all those questions (3 IIRC?) except the mysql one where I said yes without thinking (Do’h)

        I’ll uninstall now and try your suggestions.
        As for the backup, there is no such directory on my card. I do have a backup (need to find it though) from some time ago but was thinking, all I _really_ care about are the extensions. if I copy extensions.conf (or whatever the correct name is) will that not be ok?

        Will try the un-install and reinstall now.

        Cheers,
        Crispin

  6. Hi. I got this working well but the only thing is Music on Hold. I uploaded it through the MOH in freepbx but (while it uploads fine) it doesn’t actually play if I deleted the other moh files through the gui. If I delete all the moh files through ftp, it plays nothing.

    I also tried creating a MOH category and uploaded it there. Yet the other default music plays.

    Any ideas?

    • You are right, this seems to be a bug. I could make this work by removing all old moh files from the command line:

      cd /var/lib/asterisk/moh
      rm *.alaw *.g729 *.gsm *.ulaw *.wav

      Uploaded wav files need to be in the right format, otherwise they do not play. You can upload any wav file and then convert it manually:

      apt-get install sox
      cd /var/lib/asterisk/moh
      sox input.wav -c 1 -b 16 -r 8000 -t wav output.wav
      rm input.wav

      This worked for me, uploaded moh was then playing properly.

      If you also want to upload mp3 files, install mpg123:

      apt-get install mpg123

      This enables automatic conversion of mp3 files to wav on upload.

      • Hi Gornot, I uploaded it as a mp3 file and it did the trick. You need to have MP3 to WAV enabled and mpg123 installed before it will work. I never managed to get the MOH Volume adjustment working in WAV or MP3 so I suggest you use Auducity to change the volume.

        Thanks for your help :)

  7. 1
    If one’s Pi is trapped behind a less than stellar NAT (not cisco, not juniper) what remediation other than being in front of NAT or NAT upgrade do you suggest?

    2
    is there a bundled feature to tunnel all magic via some VPN flavor? as is/proposed in PIAF?

    2b
    this would address razvan’s “My 3G provider does not allow SIP though his data network” also. Especially since not all providers (none of mine) provide SIP TLS option. Clients of raspbx can easily SIP TLS, but raspbx to VSP may not.

    • 1) It is definitely NOT a good idea to give your RPi a public IP and leave it exposed to the internet. You do not need expensive router hardware, most commonly used routers do completely fine. Concerning operation behind a NAT, please follow the First steps after installation guide, chapter 5: Asterisk SIP settings.

      2) VPN is not directly bundled with RasPBX, as in most setups where VPN is needed it is already handled by the router. The router is usually the better place to provide VPN services. But you can install services such as OpenVPN on the RPi. OpenVPN is available with apt-get.

      2b) In the meantime, Razvan has successfully managed to run SRTP, check the forum. If your SIP providers do not support TLS, you need to check if they support any VPN technology if you want to use this instead as a workaround. But most probably don’t.

  8. Hi,

    I have installed the latest version of raspbx (with asterisk 11.2.1) and it works great. I have a a problem: My 3G provider does not allow SIP though his data network, so as a workaroud this problem I used TLS as transport and SRTP on my old Asterisk (1.8.xxx that came with the defaul raspian.) I have compiled the “res_srtp.so” module myself on the raspbx but Asterisk fails to load it because: ” Module ‘res_srtp.so’ was not compiled with the same compile-time options as this version of Asterisk.” so:
    1. what shoud I do to meed the compile-time options of the original Astersik that comes with raspbx?
    2. are you planning to include SRTP support in the near future?

    Thanks

  9. SupayOSHI,

    This has been answered to you over 5 times in the IRC channel and by Gernot at least two times. The answer is no

  10. Installed it, works great! JUst want to load the Zend Guard Loader

    Hi im trying to install System Admin and Web Callback, however when I try to install System Admin i get the following errors:

    Errors with selection:

    System Admin cannot be installed:
    PHP Component Zend Guard Loader is required but missing from you PHP installation.
    File /usr/sbin/incrond must exist.
    Please try again after the dependencies have been installed.
    No actions to perform

    Please select at least one action to perform by clicking on the module, and selecting an action on the “Action” tab.

    Could you please tell me how to load the ZendGuardLoader, I tried it by downloading it, including the path in php.ini etc. /etc/php5/apache2/php.ini but nothing wants to work. Please help 😉

    Also the second error, I dont’t have a clue yet? Please help :) THnx