FreePBX / PBX in a Flash
From VoIP.ms Wiki
FreePBX is a web-based open source GUI (graphical user interface) that controls and manages Asterisk (PBX), an open source communication server. FreePBX is licensed under the GNU General Public License (GPL), an open source license. FreePBX can be installed manually or as part of the pre-configured FreePBX Distro that includes the system OS, Asterisk, FreePBX GUI and assorted dependencies.
Important Security Information
A critical vulnerability has been discovered that can affect FreePBX versions between 13.0.12 and 13.0.26. An unauthenticated remote attacker can run shell commands as the Asterisk user of any FreePBX machine with ‘Recordings’. This has been fixed in Recordings 13.0.27.
You can read more about this vulnerability, including how to fix it, here: http://wiki.freepbx.org/display/FOP/2016-08-09+CVE+Remote+Command+Execution+with+Privileged+Escalation
We are also aware of a critical exploit affecting all FreePBX versions prior to 12. This zero-day remote code execution and privilege escalation exploit allows users to bypass authentication and gain ‘Full Administrator’ access to the FreePBX server when the ‘FreePBX ARI Framework module/Asterisk Recording Interface (ARI)’ is present on the system. The vulnerability may give any unauthorized user full remote code execution access as the user running the Apache process. Users who updated to version 12 from a prior version and did not remove the legacy FreePBX ARI Framework module can also be exposed.
The freepbx.org website has recommendations for protecting against this issue: http://www.freepbx.org/critical-freepbx-rce-vulnerability-all-versions/
Creating a Trunk
To connect your FreePBX server with ours, you need to create a trunk. Once you are in your FreePBX GUI, follow this path: Connectivity >> Trunks >> Add SIP (chan_sip) Trunk.
Once you are there, you will see a list of options. Create a SIP or IAX trunk, depending on your needs.
SIP Trunk
From here, use the following example to configure your SIP trunk:
General Settings
- Trunk name: Set your trunk name; a recommended one is voipms. Remember that you can manage more than 1 DID number with the same trunk (using your inbound routes).
- Outbound CallerID: The 10 digit valid caller ID number that you will pass with this trunk for Outbound calls. This can be overridden from your extension's settings.
Dialed number Manipulation Rules
You can set your outbound rules here. These rules can manipulate the dialed number before sending it out this trunk. If no rule applies, the number is not changed. (Optional)
Outgoing Settings
This section is very important. Below you'll find a sample; please replace the dummy information with yours and delete the comments. The information after the semicolon (;) is considered a comment and must be deleted for the trunk to work properly on some PBX versions.
canreinvite=nonat
nat=yes
context=from-trunk
host=atlanta.voip.ms ; (one of our multiple servers, you can choose the one closer to your location)
username=100000 ; (Replace with your 6 digit Main SIP Account User ID or Sub Account username, i.e. 123456 or 123456_sub)
fromuser=100000 ; (Replace with your 6 digit Main SIP Account User ID or Sub Account username, i.e. 123456 or 123456_sub)
secret=***** ; (password associated with the Main or Sub-account. Please avoid using the '#' character in the password as it will cause authentication issues)
type=peer
disallow=all
allow=ulaw
; allow=g729 ; uncomment if you purchased g.729 from Digium
trustrpid=yes
sendrpid=yes
insecure=invite
qualify=yes
Incoming Settings
Please delete the default settings you'll find here; this section must be blank.
IMPORTANT
On your VoIP.ms portal, go to Main Menu, Account Settings, Inbound Settings tab, make sure to select SIP (or IAX) and change 'Inbound Settings' to 'IP PBX Server, Asterisk or Softswitch'.
Registration
In this section you'll set your register string. It is needed when you use "registration" as the authentication method (if you use IP Authentication, leave this blank).
It is formed with your SIP username, password, server and registration port as below:
YourAccountNumber:[email protected]:5060, for example:
100000:[email protected]:5060
Finally, click on Submit changes. After that you'll see a red "Apply config" button at the top; do not forget to click it to apply the changes.
TLS
In order to use TLS along with FreePBX please follow these steps:
1. Make sure your Main account or sub-account has "Encrypted SIP Traffic" enabled. Bear in mind that if this setting is enabled and you use UDP/TCP, you will be rejected with error code 488. Enable this for the Main Account at Main Menu >> Account settings >> Advanced tab, and for a sub-account at Sub accounts >> Manage sub-accounts by clicking on the orange icon with a pen and then on "Advanced Options Click here to display".
2. Now that your account/sub-account has this setting enabled, your device only needs to send TLS and SRTP.
In FreePBX, make sure your peer details are:
host=atlanta1.voip.ms
username=your account/sub account
fromuser=your account/sub account
secret=your password
transport=tls
encryption=yes
qualify=yes
qualifyfreq=50
nat=yes
type=peer
directmedia=no
context=from-trunk
insecure=invite
sendrpid=yes
trustrpid=yes
disallow=all
allow=g729&ulaw&gsm
Register String
tls://Username:[email protected]:5061~300
Note: When using TLS, it is very important to specify the number of the server. If the server name you have chosen doesn't include the number 1, you need to add it, at least when using TLS.
Finally, in FreePBX go to Settings >> Asterisk SIP settings >> Chan SIP settings and, under "TLS/SSL/SRTP Settings", set:
- Enable TLS: Yes
- Don't verify server: Yes (with this setting Asterisk does not validate the server's certificate)
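The constraints this page states for the SIP peer details (no leftover `;` comments, no `#` in the password, TLS together with SRTP and a numbered server name, error 488 when "Encrypted SIP Traffic" is on without TLS) can be checked before clicking Apply Config. The script below is an added example, not VoIP.ms or FreePBX code; the function names, finding codes and sample input are constructed for illustration.

```python
import re

def parse_peer_details(text):
    """Return (settings dict, lines that still carry a ';' comment)."""
    settings, commented = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        body, has_comment, _ = line.partition(";")
        if has_comment:
            commented.append(line)
        key, eq, value = body.partition("=")
        if eq and key.strip():
            settings[key.strip().lower()] = value.strip()
    return settings, commented

def lint_trunk(text, encrypted_sip_enabled):
    """Return sorted finding codes for the constraints stated on this page."""
    s, commented = parse_peer_details(text)
    found = set()
    if commented:  # comments must be deleted on some PBX versions
        found.add("inline-comment")
    secret = s.get("secret", "")
    if "#" in secret:  # '#' causes authentication issues
        found.add("hash-in-secret")
    if s.get("username") == "100000" or (secret and set(secret) == {"*"}):
        found.add("placeholder-credentials")  # dummy sample values left in
    uses_tls = s.get("transport", "udp").lower() == "tls"
    if encrypted_sip_enabled and not uses_tls:  # rejected with error 488
        found.add("no-tls-488")
    if uses_tls:
        if s.get("encryption", "no").lower() != "yes":  # TLS and SRTP together
            found.add("tls-without-srtp")
        if not re.search(r"\d$", s.get("host", "").split(".")[0]):
            found.add("tls-host-unnumbered")  # e.g. atlanta1, not atlanta
    return sorted(found)

# Constructed sample: TLS peer details with four mistakes left in.
SAMPLE = """host=atlanta.voip.ms ; closest server
username=123456_sub
secret=pa#ss
transport=tls
type=peer"""

if __name__ == "__main__":
    for code in lint_trunk(SAMPLE, encrypted_sip_enabled=True):
        print(code)
```

Pass `encrypted_sip_enabled=True` when the account or sub-account has "Encrypted SIP Traffic" switched on in the VoIP.ms portal.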
IAX2 Trunk
From here, use the following example to configure your IAX2 trunk:
General Settings
- Trunk name: Set your trunk name. Unlike SIP trunks, it must be voipms; otherwise you could experience issues with your registration and calls.
- Outbound CallerID: The 10 digit valid caller ID number that you will pass with this trunk for Outbound calls. This can be overridden from your extension's settings.
Dialed number Manipulation Rules
You can set your outbound rules here. These rules can manipulate the dialed number before sending it out this trunk. If no rule applies, the number is not changed. (Optional)
Outgoing Settings
This section is very important. Below you'll find a sample; please replace the dummy information with yours and delete the comments. The information after the semicolon (;) is considered a comment and must be deleted for the trunk to work properly on some PBX versions.
type=friend
username=100000 ; (Replace with your 6 digit Main SIP Account User ID or Sub Account username, i.e. 123456 or 123456_sub)
secret=***** ; (password associated with the Main or Sub-account. Please avoid using the '#' character in the password as it will cause authentication issues)
context=from-trunk
host=atlanta.voip.ms ; (one of our multiple servers, you can choose the one closer to your location)
disallow=all
allow=ulaw
insecure=port,invite
requirecalltoken=no
qualify=yes
Incoming Settings
Please delete the default settings you'll find here; this section must be blank.
Registration
In this section you'll set your register string. It is needed when you use "registration" as the authentication method (if you use IP Authentication, leave this blank).
It is formed with your SIP username, password, server and registration port as below:
YourAccountNumber:[email protected]:4569, for this example:
100000:[email protected]:4569
Finally, click on Submit changes. After that you'll see a red "Apply config" button at the top; do not forget to click it to apply the changes.
Outbound routes
Once you have your trunk configured, you will need an outbound route to make calls.
To create an outbound route, go to the "Connectivity" menu and then select "Outbound routes".
Route Settings
- Route Name: Name of this route. Should be used to describe what type of calls this route matches (for example, 'local' or 'longdistance').
- Route CID: If set, this will override all CIDs specified except:
- Extension/device EMERGENCY CIDs if this route is checked as an EMERGENCY Route
- Trunk CID if trunk is set to force its CID
- Forwarded call CIDs (CF, Follow Me, Ring Groups, etc)
- Extension/User CIDs if checked
Dial Patterns
A Dial Pattern is a unique set of digits that will select this route and send the call to the designated trunks. If a dialed pattern matches this route, no subsequent routes will be tried. If Time Groups are enabled, subsequent routes will be checked for matches outside of the designated time(s).
Rules:
- X: matches any digit from 0-9
- Z: matches any digit from 2-9
- [1237-9]: matches any digit in the brackets (example: 1,2,3,7,8,9)
- . : wildcard, matches one or more dialed digits
- Prepend: Digits to prepend to a successful match. If the dialed number matches the patterns specified by the subsequent columns, then this will be prepended before sending to the trunks.
- Prefix: Prefix to remove on a successful match. The dialed number is compared to this and the subsequent columns for a match. Upon a match, this prefix is removed from the dialed number before sending it to the trunks.
- Match patterns: The dialed number will be compared against the prefix + this match pattern. Upon a match, the match pattern portion of the dialed number will be sent to the trunks.
- Caller ID: If CallerID is supplied, the dialed number will only match the prefix + match pattern if the CallerID being transmitted matches this. When extensions make outbound calls, the CallerID will be their extension number and NOT their Outbound CID. The above special matching sequences can be used for CallerID matching similar to other number matches.
Recommended Dial patterns are:
- 1NXXNXXXXXX
- NXXNXXXXXX
- 4XXX (This one to be able to test our echo test and DTMF test)
Trunk Sequence for Matched routes
The Trunk Sequence controls the order of trunks that will be used when the above Dial Patterns are matched.
Select your VoIP.ms trunk there.
Inbound routes
If you have DID numbers with us and route calls to your trunks, you need inbound routes to manage them. To create an inbound route, go to the "Connectivity" menu, option "Inbound routes".
Add Incoming Route
- Description: Provide a meaningful description of what this incoming route is.
- DID number: Define the expected DID Number if your trunk passes DID on incoming calls. Set your voip.ms DID number with only 10 digits (Without dots, commas, spaces or the 1 in front of the number).
Set Destination
Set here the destination for your incoming calls received at the DID you configured as DID number (an extension, IVR, recording, voice mail, etc).
Once you have finished the basic configuration of your PBX server, do not forget to click on the red "Apply Config" button.
Configuration Using a PJSIP Trunk
Please see our wiki article for the configuration here.
Whitelisting VoIP.ms IPs in FreePBX
With FreePBX, it is quite easy. In FreePBX, go to System Admin, then Intrusion protection, and then Whitelist. From there, you can whitelist the VoIP.ms points of presence IPs.
For more information on the IPs related to our servers, click here
For more information on the FreePBX setting, click here