
Thirdlane PBX and PBX MTE CentOS 5.5 based ISOs with Asterisk 1.6.2.11 and Asterisk 1.4.35 are available

Posted by thirdlane on Wed, 08/25/2010

This was in the works for quite some time; finally it is out. Thanks to Andrey, Erik and everyone who contributed!

Since this is a new release that has not yet been tested on a wide variety of hardware, we really appreciate your feedback.

2010-08-24 PBX Manager GUI updated to 6.1.1.5
2010-08-21 Custom config rpms thirdlane-ast1X-pbxm-conf-sX have been removed to avoid conflicts with the Asterisk and PBX Manager configs packaged with the Webmin module
2010-08-12 The fail2ban security daemon is installed by default. It watches the ssh and asterisk logs and, when somebody tries to guess a password, blocks that IP with iptables. You can disable this feature with 'service fail2ban stop' and 'chkconfig fail2ban off'
2010-08-11 All Thirdlane http addons were moved to /var/www/html/maint for security reasons. Access to those addons from PBX Manager goes through a built-in http proxy and doesn't require authorization. The http service is now blocked on eth0 from the outside world by the iptables firewall. Please take into account that the DocumentRoot of apache is /tftpboot, so the best way to add your web app is to use a separate config file in /etc/httpd/conf.d - look at maint.conf as a sample.
2010-08-11 Asterisk is updated to Asterisk 1.4.35 and Asterisk 1.6.2.11
2010-08-10 CentOS is updated to the latest state - kernel is 2.6.18-194.11.1
2010-08-09 All development rpms required to rebuild asterisk from source in the same environment as on the development server are now installed by default. To recompile asterisk you should 'yum install asterisk1x-source' or download the source files from http://www.asterisk.org/downloads. If you try to build a different version, first remove all current asterisk modules with 'rm -rf /usr/lib/asterisk/modules/*'
2010-05-18 OS updated to CentOS 5.5
2010-04-26 Version 2.0 RC1 released.
2010-04-26 Thirdlane repo is now mirrored for redundancy.
2010-04-26 Thirdlane distro is now DRBD/Heartbeat cluster aware.
2010-04-18 Sounds and moh are removed from the asterisk1x rpms and are installed from separate rpms. Sounds encoded in ulaw/alaw can be installed by yum.
2010-04-18 Openfire and vtiger CRM are now removed from the ISO to keep the ISO size down. You can install them later with 'yum install openfire' and 'yum install vtigercrm-ast-en'
2010-04-17 OS updated to CentOS 5.4
2010-04-17 http://xxx.xxx.xxx.xxx/ now points to /tftpboot so tftp and http provisioning is seamless. /munin and /maint are defined as virtual dirs and protected by the maint/thirdlane password, which can be changed with the passwd-maint shell script
2010-04-17 iax2.conf - calltokenoptional=0.0.0.0/0.0.0.0 to allow iax registration without requirecalltoken=no
2010-04-17 All devel RPMs used while building the asterisk and dahdi rpms are installed from the ISO - now you can rebuild from sources in an identical environment
2010-04-17 tos and cos values are set in sip.conf and iax.conf
2010-04-17 Default codecs: ulaw, gsm - without alaw
2010-04-17 allowguest=no in sip.conf to block anonymous access and mistakes due to wrong sip peer configuration
2010-04-17 Asterisk 1.6 updated to 1.6.0.26
2010-04-17 Asterisk 1.4 updated to 1.4.30
2010-04-17 Webmin port has been changed to the standard 10000; SSL and SSL redirect are enabled by default - perl-Net-SSLeay is installed.


Submitted by mattdarnell on Thu, 08/26/2010

The ISO is looking better & better! Looking forward to the new manuals.

If space is an issue, I wouldn't hesitate to move from a CD-R to a DVD-R image.

Roll your own is very nice, but to have a single install that people can standardize on, that is done right, is a powerful tool - with disaster recovery and new system roll outs.

-Matt

Submitted by mattdarnell on Tue, 08/31/2010

We have used the ISO for a short while and here are some observations:
1. fail2ban jail time for an IP phone is 3 days; 60 minutes would be appropriate
2. Having pureftp on the ISO would be great; I can provide install instructions if needed. It can be a pain the first time you compile from source and look for a startup script

-Matt

Submitted by faktortel on Tue, 08/31/2010

How do we upgrade to the latest version of the PBX manager if we have an older version installed?

Does it require a new install? We currently have customers running on it at this time.

Chris.

Submitted by eeman on Wed, 09/01/2010

faktortel - ISOs are for new installations, not for upgrade paths on existing hardware.

mattdarnell -

The missing ftp server has been resolved and will find its way into the next release candidate. We went with the VSFTP application as it's part of the RHEL testing and design structure, relatively simple to install, and supports a chroot jailed environment.

Also the fail2ban times have been changed to 5 min based on my feedback on general public use. While I typically set longer ban times, I pointed out that several customers that have asked me to install fail2ban were not able to connect the dots between a customer not being able to connect when attempting to set up his own phone/device and the email notice that fail2ban had recently banned an IP address. I guess they assumed that fail2ban would somehow know that user A, who misconfigures an ATA with the wrong password and creates a dozen log entries of failed login attempts, should not be banned like user B, who runs a script trying to brute force his way into an account and creates a dozen log entries of failed login attempts. Now the ban times are light enough to allow for it to be on by default without a wake of complaints. For those that study up, extending those ban times is fairly simple and can be adjusted based on individual companies' support policies (for us we would never make a customer wait 60 min, so setting it to 3 days or 60 min makes no difference for support; we have to go in and lift the ban as soon as they call in).
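The changelog entry above (fail2ban watching the asterisk log) and Erik's user A versus user B point, shown as an added example that is not part of the ISO or of fail2ban itself: a small log filter that does what the asterisk jail does, counting failed SIP registrations per source and reporting every source at or above maxretry. The function names and the log lines are constructed; the lines follow the Asterisk 1.4/1.6 chan_sip format.

```shell
# Constructed sample of an Asterisk full log: 192.168.1.126 is the
# misconfigured ATA (3 wrong passwords), 10.0.0.9 is a scanner (6 tries).
sample_log() {
cat <<'EOF'
[2010-09-13 16:26:24] NOTICE[18138] chan_sip.c: Registration from '"100" <sip:100@192.168.1.114>' failed for '192.168.1.126' - Wrong password
[2010-09-13 16:26:25] NOTICE[18138] chan_sip.c: Registration from '"100" <sip:100@192.168.1.114>' failed for '192.168.1.126' - Wrong password
[2010-09-13 16:26:26] NOTICE[18138] chan_sip.c: Registration from '"100" <sip:100@192.168.1.114>' failed for '192.168.1.126' - Wrong password
[2010-09-13 16:30:01] NOTICE[18138] chan_sip.c: Registration from '"1001" <sip:1001@192.168.1.114>' failed for '10.0.0.9' - No matching peer found
[2010-09-13 16:30:01] NOTICE[18138] chan_sip.c: Registration from '"1002" <sip:1002@192.168.1.114>' failed for '10.0.0.9' - No matching peer found
[2010-09-13 16:30:02] NOTICE[18138] chan_sip.c: Registration from '"1003" <sip:1003@192.168.1.114>' failed for '10.0.0.9' - No matching peer found
[2010-09-13 16:30:02] NOTICE[18138] chan_sip.c: Registration from '"1004" <sip:1004@192.168.1.114>' failed for '10.0.0.9' - No matching peer found
[2010-09-13 16:30:03] NOTICE[18138] chan_sip.c: Registration from '"1005" <sip:1005@192.168.1.114>' failed for '10.0.0.9' - Wrong password
[2010-09-13 16:30:03] NOTICE[18138] chan_sip.c: Registration from '"1006" <sip:1006@192.168.1.114>' failed for '10.0.0.9' - Wrong password
[2010-09-13 16:31:00] VERBOSE[18138] logger.c:     -- Registered SIP '100' at 192.168.1.126 port 5060
EOF
}

# failed_by_ip <maxretry>: reads an Asterisk full log on stdin and prints
# "count ip" for every source with at least <maxretry> failed registrations,
# worst offender first. Like fail2ban, it cannot tell the ATA from the
# scanner by count alone, which is why a short bantime (jail.conf:
# bantime = 300, maxretry = 5) is the safer default.
failed_by_ip() {
    grep 'chan_sip.c: Registration from ' \
      | sed -n "s/.*failed for '\([0-9.]*\)'.*/\1/p" \
      | sort | uniq -c \
      | awk -v m="$1" '$1 >= m { print $1, $2 }' \
      | sort -rn
}

# ban_list <maxretry>: just the addresses, one per line, in the form the
# jail hands to its iptables action.
ban_list() { failed_by_ip "$1" | awk '{ print $2 }'; }

# stand-alone demo: with maxretry 5 only the scanner is listed,
# with maxretry 3 the ATA is banned as well
sample_log | failed_by_ip 5
sample_log | ban_list 3
```

On the box itself the bans are the fail2ban-<jail> chains shown by `iptables -L -n`, and `fail2ban-client status <jail>` lists the currently banned addresses.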

Submitted by mattdarnell on Wed, 09/01/2010

Erik,

With our pureftp setup we have to create a Linux user and set the shell to /sbin/nologin. With the VSFTP setup can you authenticate to something similar to .htaccess?

We also had to add an exception for ftp in iptables; we just cloned the ssh rule and changed 'ssh' to 'ftp'.

I looked for a few minutes and could not find where the jailed IPs are stored. I thought it would update the iptables but I didn't see them in the webmin module. I wanted to clear one. Where are they kept?

-M

Submitted by faktortel on Wed, 09/01/2010

So is there an upgrade path for an existing server?

Or is it: format, install new ISO?

Or is there a method of backup users / settings, format, install ISO, restore users into the new version?

Chris.

Submitted by thirdlane on Wed, 09/01/2010

Chris,

There are two options:

1) Backup your existing system (make sure that backup is complete and works - do a restore to a temporary box - compare). Install new ISO. Restore from your backup.

2) Simply upgrade the PBX Manager Webmin module to the latest version. This won't give you everything that is on the new ISO (improved HTTP/FTP/TFTP provisioning, fail2ban, improved rpm based management, more recent versions of Asterisk, etc).

Submitted by diffen on Tue, 09/07/2010

Hello

Do you guys recommend using this ISO in a production environment, or should I install asterisk 1.6, then webmin, and at last thirdlane?

Submitted by mattdarnell on Tue, 09/07/2010

We are not using it in production but have found it to be very stable. I wonder when the next version of the ISO will be released.

We are interested to see how the FTP provisioning is handled.

-Matt

Submitted by eeman on Tue, 09/07/2010

ipfreely: the next version will have a combined directory for TFTP, FTP, HTTP, HTTPS to use for provisioning. Fail2ban will watch the vsftpd logs, and fail2ban's ban time will start at 5 min so that inexperienced users don't have to worry about banned customers who misconfigure their devices. Advanced users can just up the ban times.

Submitted by mattdarnell on Wed, 09/08/2010

ipfreely - Right now we install pureftp on our boxes; it will save a step not having to compile from source. I don't think the functionality will be any different. The one thing on my list to do is secure provisioning with the Polycom phones.

diffen - right now we roll our own install and it is working very well for us. In the future I think our installs will be via the ISO. We might convert our MTE to the ISO in the future.

-Matt

Submitted by mattdarnell on Sun, 09/12/2010

Loaded up the STE image and noticed it has VSFTP.

Is the preferred method to use the PlcmSpIp user? I am not able to log in to the ftp server; I even tried to manually set the password to PlcmSpIp.


T 192.168.1.114:21 -> 192.168.1.126:64277 [AP]
220 (vsFTPd 2.0.5)..
#
T 192.168.1.126:64277 -> 192.168.1.114:21 [A]
......
#
T 192.168.1.126:64277 -> 192.168.1.114:21 [AP]
USER PlcmSplp..
##
T 192.168.1.114:21 -> 192.168.1.126:64277 [AP]
331 Please specify the password...
#
T 192.168.1.126:64277 -> 192.168.1.114:21 [A]
......
#
T 192.168.1.126:64277 -> 192.168.1.114:21 [AP]
PASS PlcmSpIp..
##
T 192.168.1.114:21 -> 192.168.1.126:64277 [AP]
530 Login incorrect...

Submitted by mattdarnell on Mon, 09/13/2010

It is in /etc/passwd. I changed the shell trying to fix the issue.

PlcmSpIp:x:500:500::/home/PlcmSpIp:/bin/sh

This is from /etc/vsftpd/vsftpd.conf

# Uncomment this to allow local users to log in.
local_enable=YES

It looks like someone changed the default vsftpd config.

Submitted by mattdarnell on Mon, 09/13/2010

The issue was with the user name I was logging in with.

I will use lower case to show the issue; the correct spelling of the user name is
plcmspip

In my browser, a lower case L and a capital I look the same.

It should be:
P - Upper
L - Lower
C - Lower
M - Lower
S - Upper
P - Lower
I - Upper
P - Lower

-Matt

****Update
Just reloaded the ISO and can confirm that FTP works as I mentioned above with no modifications.

Submitted by eeman on Mon, 09/13/2010

Good, I was going to recommend keeping the shell as /sbin/nologin so that they can't use that user to try and SSH into your machine.

Submitted by mattdarnell on Tue, 09/14/2010

Ran into an issue with trying to run Queuemetrics with the install from the ISO.

When you install from the ISO Asterisk is not run as root, but as the user 'asterisk' - a very good thing.

The issue is that Queuemetrics produces call files for Asterisk to process for certain functions. Because Asterisk is not run as root, it cannot read the files.


[2010-09-13 16:26:24] WARNING[18138]: pbx_spool.c:437 scan_service: Unable to open /var/spool/asterisk/outgoing/QM-8555314148.call: Permission denied, deleting
[2010-09-13 16:26:24] WARNING[18138]: pbx_spool.c:486 scan_thread: Failed to scan service '/var/spool/asterisk/outgoing/QM-8555314148.call

I have a ticket with QM support but I don't think they will be able to do anything about it.

I see in the pbxportal that it starts safe_asterisk with the argument to run as the asterisk user; can you just delete that? pbxportal is in a few places on the disk.

Submitted by eeman on Tue, 09/14/2010

Run asterisk as root, you're going to be a lot better off. The ass-hats that talk about security are idiots.. you have a 600lb gorilla in the room in the form of the plain-text AMI interface, in which you could steal hundreds of thousands of $$ in free calls, but someone is worried that someone MIGHT elevate privileges to possibly run SPAM off your box??? That's the cauldron calling the kettle black. The only proven case had to be executed at the keyboard of an attached console terminal (which asterisk doesn't run with an attached console by default anyway). Use a good iptables implementation, restrict SSH to only places you trust, and make use of fail2ban and you won't have any exploit issues.

Non-root users cannot access all the resources root can, including open files and sockets. Given the massive headache that non-root causes everywhere else, the trade-off just doesn't seem worth it. I've been running and compiling asterisk as root on hundreds of boxes since 2005, long before thirdlane and trixbox were even a wet dream. I've not had a single one get hacked as a result of running asterisk as root. The AMI is the biggest security hole there is. It's huge.

Delete that pbxportal too.. I made that recommendation about 100 times.. it's a copied trixbox script. When asterisk crashes it doesn't restart. When you use the SystemV script that gets installed from 'make config' from source code, it is run in a manner that creates a core file and then immediately respawns. A crash is bad, but sometimes it happens (like the fax module one that is in the process of getting fixed). A crash followed by 100 cell phone calls about the box being down for 5 min is worse. Most people think a respawn was just a dropped call; they hit redial and go on about their business.

Submitted by mattdarnell on Wed, 09/15/2010

To make Asterisk run as root, comment out the two lines in asterisk.conf. It took a while to get to that simple solution.

Does Thirdlane use pbxportal when it issues a restart?

If I kill -9 'asterisk pid' safe_asterisk spawns a new process in about 5 seconds. It appears that the init scripts created with 'make config' start safe_asterisk the same way that pbxportal does.

-Matt
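The call-file permission problem from the pbx_spool warning above, with the fix that keeps Asterisk running as the 'asterisk' user; this is an added example, not anything shipped on the ISO or in QueueMetrics. It assumes the writer process and the asterisk user share a group (the asterisk group on the ISO), and the function names are made up here. pbx_spool opens call files read-write, so a file another user dropped with the default umask is unreadable for it even though the directory is fine; a setgid spool directory plus a group-friendly umask on the writer fixes that.

```shell
# prepare_spool <dir> <group>: spool directory owned by <group>, setgid so
# new files inherit the group, no world access.
# On the ISO: prepare_spool /var/spool/asterisk/outgoing asterisk
# (and add the QueueMetrics user to the asterisk group).
prepare_spool() {
    mkdir -p "$1"
    chgrp "$2" "$1"
    chmod 2770 "$1"
}

# drop_call_file <dir> <name>: the writer side. A umask of 007 yields
# rw-rw----, and the setgid bit on <dir> makes the group 'asterisk', so
# pbx_spool can open the file with "r+" and later delete or move it.
drop_call_file() {
    ( umask 007
      printf 'Channel: SIP/100\nContext: default\nExtension: s\n' > "$1/$2" )
}

# mode_of <path> / group_of <path>: octal mode and numeric gid (GNU stat).
mode_of()  { stat -c '%a' "$1"; }
group_of() { stat -c '%g' "$1"; }

# Stand-alone demo in a scratch directory, using the caller's own primary
# group as the stand-in for 'asterisk' so it runs without root.
demo_spool() {
    d=$(mktemp -d)
    prepare_spool "$d/outgoing" "$(id -g)"
    drop_call_file "$d/outgoing" QM-demo.call
    echo "dir mode $(mode_of "$d/outgoing"), call file mode $(mode_of "$d/outgoing/QM-demo.call")"
    rm -rf "$d"
}

demo_spool
```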

Submitted by gregshap on Sun, 09/19/2010

Whenever I try to edit a user extension, I get the following error upon saving:

Error saving user : Failed to open /opt/isymphony/server/config/extensions.xml for writing : Bad file descriptor

I am not using Isymphony, so I do not see why it would have a problem.

MTE - new

Submitted by ipfreely on Sun, 09/19/2010

Under Tenant Management > Create Operator Panel Configuration it should be set to none. Not sure what PBX Default is.

Thanks,
Chris A

Submitted by gregshap on Sun, 09/19/2010

Thanks Chris,

It was set to "Use PBX Default". I am not sure what that has to do with the Isymphony setting, but it fixed the issue.

Greg

Submitted by rfrantik on Thu, 12/23/2010

Matt -

I noticed someplace in this thread you were looking for the MySQL root password... Did anyone ever send it to you?

I've got an app I'm trying to install and I need access to mysql... I'd prefer not to crack or reset the password...

If you could send it my way I'd appreciate it... rfrantik at rfcinc dot com

Thanks.

Submitted by rfrantik on Fri, 12/24/2010

If you have a procedure that works, that sounds like a good place to start. Please post or email me... rfrantik at rfcinc dot com.

We built from ISO, do you know if anything already in the system uses that password?

Submitted by mattdarnell on Sat, 12/25/2010

Here is our procedure:

Reset root MySQL password:
• Stop mysqld and restart it with the --skip-grant-tables option.
• This enables anyone to connect without a password and with all privileges.
• Connect to the mysqld server with this command:
    shell> mysql
• Issue the following statements in the mysql client. Replace the password with the password that you want to use.
    mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
    mysql> FLUSH PRIVILEGES;
• You should now be able to connect to the MySQL server as root using the new password. Stop the server and restart it normally (without the --skip-grant-tables option).

edit the /etc/init.d/mysqld file