FreePBX
FreePBX is an open source browser-based graphical front-end to an Asterisk telephony system.
When you install the FreePBX on your machine, you get a working Asterisk system, plus the web front end, ready to use.
It seems to take a surprisingly long time to perform the installation (compared to my experience of installing Debian etc on the same machines), but wait long enough and it'll get there.
However, there are a few oddities about it once it's installed, not least of which is:
- The very first screen after the first reboot may well reject your email address
Once you've got past that one, there's the question of:
- Some of the menu arrangements are weird (or at least non-intuitive) too
- How do I turn off faxing?
- Rather confusing configuration examples
- Don't assume that URLs in the configuration files are up to date, even for a new installation
- Mail Queue: "NNN messages are queued on this machine, and have not been delivered"
Security
- Almost as soon as you've installed Asterisk on any machine accessible on a public IP address, you'll get people trying to register to accounts on the machine, and place calls through it without registering. Aside from any potential fraud risk, this sort of thing clutters up your Asterisk logs with stuff that's nothing to do with what it's supposed to be doing.
- Disable anonymous (and guest) SIP access
- These are designed to allow remote users to dial in to accounts hosted on your server (eg: by following SIP: URLs), but if you don't have any of these, just disallow the facility by default:
- System - Asterisk SIP Settings - General SIP Settings - "Allow Anonymous Inbound SIP Calls" = No and "Allow SIP Guests" = No
- You'll still get stuff like
NOTICE[1826]: chan_sip.c:28633 handle_request_register: Registration from '"12"<sip:12@your.IP.addr.ess>' failed for '89.163.146.226:5040' - Wrong password
but you just have to live with that unless you disable SIP entirely (which probably doesn't make much sense on a FreePBX server).
- Do install fail2ban and tell it to block people who keep doing this sort of thing.
- MySQL (or probably MariaDB, but that's not important right now) is installed with passwordless access for the root user
- Make sure you're sitting down for this bit - Sangoma's Andrew Nagy, Director of Software Engineering, says (22nd February 2013) "Changing the mysql password isn’t recommended and it won’t do anything to help with security"
- He claims that "The default mysql server setup in the FreePBX distro is bound to localhost. No outsiders can login to it.", which is clearly complete bollocks, as shown from this fresh (February 2018) install of FreePBX 14:
# netstat -lptn | grep 3306 tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 729/mysqld
Yeah, right, "bound to localhost" only…
- Oh, wait, maybe he really means that the FreePBX firewall rules prevent outside access?
- No:
# iptables -L -nvx | grep 3306 #
- No:
$ mysql -h 203.0.113.42 ERROR 1045 (28000): Access denied for user 'antony'@'cable-24-100-51-198.myprovider.tld' (using password: NO)
(I couldn't log in, but not because MySQL wasn't listening to external connections, as claimed.)
- The only thing that prevents external access to your FreePBX MySQL/MariaDB instance is the MySQL/MariaDB user security itself:
MariaDB [mysql]> select host,user,password from user; +-----------+-------------+-------------------------------------------+ | host | user | password | +-----------+-------------+-------------------------------------------+ | localhost | root | | | 127.0.0.1 | root | | | ::1 | root | | | localhost | | | | localhost | freepbxuser | *800039504732B1D51CAEA6D8E5B529F7F32E3DD0 | +-----------+-------------+-------------------------------------------+ 5 rows in set (0.00 sec)
You can see there that the only host entries are 'localhost' or the IP equivalent.
So much for "security in depth".
Differences from a standard Asterisk system
Obviously, anyone creating an Asterisk-based PBX system is going to have their own ideas about how to do things, and sometimes these will be different from the normal way in which Asterisk does those things out-of-the-box.
So, here are a few of the things you might unexpectedly run up against if you start treating FreePBX just like a normal Asterisk installation.
- Call Detail Records are no longer in the 'cdr' table under the 'asterisk' database
- FreePBX maintains the 'asterisk' database name (unlike some other Asterisk-based PBXs I've come across), but it moves the 'cdr' table to a completely new database called 'asteriskcdrdb', so if you need to inspect or manipulate it, that's where you'll find it.
Module updater gets stuck and offers no assistance
I had a FreePBX system which was running Asterisk 11.25.3 and I wanted to update the entire system to the current FreePBX version.
No matter whether I used the web GUI or the command-line updater, the system simply told me "Your Asterisk version of 11.25.3 is NOT supported. You must have a version higher than or equal to 13", and offered no way to upgrade it to a point where I could make any progress.
The module manager (which you use to upgrade the various parts of the system) does not even list Asterisk, so there's certainly no way to upgrade it there.
This is very bad user experience, Sangoma.
Solution: SSH to the machine and run the command asterisk-version-switch (thanks for the documentation, Sangoma; I found this by doing a Google search for any other poor souls who found themselves stuck in this situation).
Tip: when presented with the menu, asking you to enter the number of the version you want, read it very carefully - it says "Press 1 for Asterisk 13", and it literally does just mean "press 1". Don't be tempted to press return afterwards, as you would expect with any normal command, because that will simply accept the default "no" option to the "confirm" question, and you're back where you started.
Very bad user experience, Sangoma.
Once you've done that, you can return to the GUI module manager and get the error message "Warning: Cannot connect to online repository(s) (http://mirror1.freepbx.org,http://mirror2.freepbx.org). Online modules are not available."
I've not worked out what to do about that yet.
If you go back to the command line and try fwconsole versionupgrade --upgrade, the system spends ages doing a file system check and then tells you "The system is unable to connect to either of the remote mirror servers to upgrade. Reason: cURL error 28: Operation timed out after 30001 milliseconds with 0 out of -1 bytes received".
Thanks, Sangoma.
Addendum: it appears that Sangoma's online mirror servers are simply shit. Try the same command again (GUI or CLI) a few minutes later, and it may well work.
https://status.sangoma.com/ doesn't give any clues as to whether Sangoma knows that the mirrors are shit - there isn't any obvious status check for them.
CLI updater simply can't cope
If you get fed up with the GUI updater telling it can't connect to any mirrors, you might try the CLI updater instead. Beware:
# fwconsole versionupgrade --upgrade
Running checks (checking filesystem, this might take awhile)...Passed
Stage 1
Bumping FreePBX to version 15...Done
Turning off MODULEADMINWGET...Done
Checking online servers...Done
Download and Install Framework
Updating tables admin, ampusers, cronmanager, featurecodes, freepbx_log, freepbx_settings,
globals, module_xml, modules, notifications, cron_jobs...
Done
No directory /var/www/html/admin/modules/framework/amp_conf/htdocs, install script not needed
Framework Detected, Setting FreePBX Version to 14.0.13.40
Generating CSS...
Done
In Versionupgrade.class.php line 324:
Division by zero
versionupgrade [--upgrade] [--check]
[root@FreePBX yum.repos.d]#
(The "Division by zero" message is highlighted in a bright red box.)
I suspect at this point there is no option to upgrade, and you have to do a fresh install of the latest system instead.
Go up
Return to main index.