Tag: freepbx

  • Do not run Asterisk as the root user

    The Asterisk bundled with my FreePBX was installed a long time ago, and I never paid attention to whether it was running as root, until I was attacked recently.

    The symptom of the attack was a large volume of traffic, accompanied by 1-2 GB junk files being generated non-stop in the /tmp directory; the rate at which files were produced seemed to track the volume of traffic.

    I do not understand how this attack worked, but I discovered that Asterisk had been running as root all along, which I knew was inappropriate. I also found that the system already had an asterisk user and an asterisk group, and that the programs, configuration files and directories were already owned by asterisk:asterisk. Perhaps the attacker escalated privileges through Asterisk.

    Regardless, the first thing I had to do was make Asterisk run as a non-root user. Since my Asterisk is started as a service, I added two lines to /etc/init.d/asterisk:

    AST_USER="asterisk"
    AST_GROUP="asterisk"

    After a restart it was fine. Traffic returned to normal and /tmp stopped filling up with junk files, but I do not know whether the attack has gone away; at least the hole is plugged.

    There was a side story while plugging the hole: at the start, not yet knowing whether this was an operating-system-level vulnerability, I went straight for a

    yum update -y

    After rebooting I found the system paralysed: I could not even get in over ssh and had to log in on the console, where I found that trying to start any service with service produced an error message like the following.

    Error getting authority: Error initializing authority: Could not connect: Connection refused (g-io-error-quark, 44)

    Reportedly this is a quirk peculiar to CentOS upgrades at a certain stage. Running the following commands fixed it:

    # move the stale socket aside (the backup name is arbitrary), then point the old path at the live socket
    mv /var/run/dbus/system_bus_socket /var/run/dbus/system_bus_socket.bak
    ln -s /run/dbus/system_bus_socket /var/run/dbus/system_bus_socket

  • Call to undefined function music_list()

    Today I tried to edit an extension in FreePBX; clicking Edit produced an error: Call to undefined function music_list().

    How did such an error appear out of nowhere? It turned out to be because the Music On Hold module was not installed; after installing and enabling that module the error disappeared.

    But I do not need the Music On Hold module. I remember that earlier I also installed the Call Recording module, which I do not need, just to get rid of an error. At this rate more and more modules get installed, until one day FreePBX collapses...

  • FreePBX 13 does not work on php 7.0.1

    A few days ago I installed Magento 2, which to my surprise demanded php 5.5 or later. I am not one to chase the newest versions, but since I would be using the remi repo anyway, I installed the latest php 7.0.1. Magento 2 did run, but the FreePBX 13 web UI stopped coming up and showed a blank page. My guess is that the php syntax FreePBX uses is not strict enough; a quick look did not reveal where the problem was at all. I suspect that, as far as php 7.0.1 is concerned, FreePBX is riddled with problems. Asterisk was still running normally at this point, but I could not leave the web UI crippled for long, so I quickly found time to remove php 7.0.1 and replace it with php 5.6. That is currently the version with the best compatibility: both FreePBX and Magento 2 run on it, which shows that one must not be too eager for the newest php environment.

  • Install FreePBX 13 on CentOS 7

    The FreePBX Wiki has a detailed guide on how to install FreePBX 13 on CentOS 7. I do not want to repeat the individual steps; I only want to talk about how I resolved the problems that appeared after the installation.

    I ran the commands from the FreePBX 13 installation guide one after another in a CentOS 7.0 minimal environment on an OpenVZ VPS. No problems appeared along the way; downloading and compiling went smoothly. After the installation finished, I found that although I could reach the FreePBX web UI, the very first test of FreePBX, adding an extension, got stuck: it would not register. The VPS had not been rebooted at this point, and although the guide does not ask for a reboot, I thought I would reboot and see. After the reboot things were worse: first I found the FreePBX web UI unreachable, then that ssh login failed, and finally that it did not even answer ping. I had to log in over the serial console to investigate, and found that the network service had not started and that restarting it by hand also failed.

    I had to break the installation down step by step. First I narrowed it down to the yum groupinstall core group causing the network service to fail to start, then narrowed it further and found that the problem lay with two packages in it: selinux* and NetworkManager. Pinpointing these two packages took me a long time, which I will not go into here. Fortunately neither package is needed by FreePBX, so after uninstalling them the network service started normally. The FreePBX installation guide says SELinux needs to be disabled, and SELinux was indeed disabled, yet once installed by the core group it still interfered with network, so uninstalling it is of course the best option. NetworkManager conflicts with network; it seems I ran into that long ago as well, only this time NetworkManager did not come to mind straight away, and I found it during the carpet-bombing search.

    Once the network was working I could reach the FreePBX web UI, but the dashboard reported that it could not connect to the asterisk service. I went back to the installation commands, one of which is chkconfig asterisk off. I really did not understand why asterisk is deliberately kept from starting at boot; at the time I assumed it was switched off temporarily during the installation and that a later script would configure asterisk to start automatically. In fact asterisk did not start automatically, so I believe chkconfig asterisk off is a slip of the original author's pen and should be chkconfig asterisk on.

    In addition, the installation deliberately runs

    firewall-cmd --zone=public --add-port=80/tcp --permanent
    firewall-cmd --reload

    This opens port 80. It puzzled me: for a VoIP server, what use is opening only port 80?! I later found that port 5060 was open as well, so SIP extension registration was not a problem. I did not see any instruction that opens it; I guess it is in some script. But there are plenty of other ports, for example the default RTP ports 10000-20000, and without opening those there is no sound in the handset. I tried it and there was indeed no sound. The FreePBX installation guide says nothing more about firewall settings; these have to be set up by yourself after the installation is complete.
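
As an added example (not from the original post or the FreePBX wiki guide), the following script opens the SIP and RTP ports firewalld is missing after the guide's port-80 step, taking the RTP range from /etc/asterisk/rtp.conf rather than assuming the 10000-20000 default. The rtp.conf path, the public zone, 5060/udp as the SIP port (the port the post found already open; change it to the bind port shown under SIP Settings if yours differs) and the constructed sample config are assumptions. It prints the firewall-cmd commands with --show and only runs them with --apply.

```shell
#!/bin/sh
# Added example: open SIP and the RTP range Asterisk is actually
# configured with. Assumptions: rtp.conf lives at /etc/asterisk/rtp.conf,
# firewalld with zone "public", chan_sip bound to 5060/udp.

# Read rtp.conf on stdin and print "rtpstart-rtpend", falling back to
# Asterisk's defaults when a key is missing. Commented-out keys (lines
# starting with ";") are ignored; trailing ";" comments are stripped.
rtp_range() {
    awk -F= '
        /^[[:space:]]*rtpstart[[:space:]]*=/ { sub(/[;#].*/, "", $2); gsub(/[[:space:]]/, "", $2); s = $2 }
        /^[[:space:]]*rtpend[[:space:]]*=/   { sub(/[;#].*/, "", $2); gsub(/[[:space:]]/, "", $2); e = $2 }
        END { if (s == "") s = 10000; if (e == "") e = 20000; printf "%s-%s\n", s, e }'
}

# $1: port range "start-end". Print the firewall-cmd commands for SIP
# signalling and the RTP media range, so they can be reviewed first.
firewall_cmds() {
    printf '%s\n' \
        "firewall-cmd --zone=public --add-port=5060/udp --permanent" \
        "firewall-cmd --zone=public --add-port=$1/udp --permanent" \
        "firewall-cmd --reload"
}

case "${1:-}" in
    --show)  firewall_cmds "$(rtp_range < /etc/asterisk/rtp.conf)" ;;
    --apply) firewall_cmds "$(rtp_range < /etc/asterisk/rtp.conf)" | sh -e ;;   # needs root
esac
```

Run it as `sh open-voip-ports.sh --show` first; the range it prints should match the rtpstart/rtpend you see in rtp.conf, and the SIP port should match what Asterisk is bound to (`netstat -lnup | grep asterisk` on CentOS 7), otherwise registrations will still work over 5060 while audio is blocked exactly as the post describes.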

    Having got this far, everything seemed fine: I added extensions, registered them and they could call each other. But after running for about half an hour, when I added another extension and clicked Apply Config, the following error appeared:

    Reload failed because retrieve_conf encountered an error: 1

    exit: 1
    Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
    Exception: Unable to connect to Asterisk through the CLI in file /var/lib/asterisk/bin/retrieve_conf on line 24
    Stack trace:
    1. Exception->() /var/lib/asterisk/bin/retrieve_conf:24
    1 error(s) occurred, you should view the notification log on the dashboard or main screen to check for more details.

    This is because after asterisk restarts, the owner and group of /var/run/asterisk/asterisk.ctl are changed to root:root, whereas they should normally be asterisk:asterisk. Why could I Apply Config at first, with the problem only appearing after a while? That mechanism I could not figure out.

    Updated 20/12/2015: my guess at the mechanism is that asterisk has a watchdog process that restarts asterisk when something goes wrong; the user normally does not notice that asterisk has restarted, but at that point Apply Config is refused. The fix is to add the following to /etc/asterisk/asterisk.conf, which keeps the owner and group of /var/run/asterisk/asterisk.ctl as asterisk.

    [files]
    astctlpermissions = 0660
    astctlowner = asterisk
    astctlgroup = asterisk
    astctl = asterisk.ctl
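
The two fixes above (running Asterisk as the asterisk account, and keeping asterisk.ctl owned asterisk:asterisk) are easy to get wrong silently, so here is an added check script, not from the original posts, that verifies both. The checks take their input as a string so they can be run against captured output; --live feeds them the real system. The paths, the account name asterisk, the 0660 mode and the ps/stat invocations are assumptions about a typical CentOS install.

```shell
#!/bin/sh
# Added example: confirm Asterisk is not running as root and that its
# control socket has the ownership and mode set in asterisk.conf [files].

# $1: the user column for every Asterisk process, one per line, as printed
#     by `ps -o user= -C asterisk`.  $2 (optional): the expected account.
# Succeeds only if there is at least one process and all run as that account.
asterisk_users_ok() {
    want=${2:-asterisk}
    [ -n "$1" ] || return 1        # no process at all is a failure too
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != want { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# $1: "owner:group mode" as printed by `stat -c '%U:%G %a' <socket>`.
# Succeeds for asterisk:asterisk with an "other" digit of 0 (e.g. 660),
# i.e. nobody outside the asterisk account/group can reach the CLI socket.
ctl_ownership_ok() {
    owner=${1%% *}
    mode=${1##* }
    [ "$owner" = "asterisk:asterisk" ] || return 1
    case $mode in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    CTL=/var/run/asterisk/asterisk.ctl
    if asterisk_users_ok "$(ps -o user= -C asterisk)"; then
        echo "asterisk processes: OK"
    else
        echo "asterisk processes: not running, or not all running as asterisk"
    fi
    if ctl_ownership_ok "$(stat -c '%U:%G %a' "$CTL")"; then
        echo "$CTL: OK"
    else
        echo "$CTL: wrong owner/group or mode (expected asterisk:asterisk 660)"
    fi
fi
```

Run `sh check-asterisk.sh --live` after a restart, and again after Apply Config has been exercised for a while: the post's symptom was that the socket looked right at first and only flipped to root:root after an unnoticed restart, which is exactly the state the second check catches.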

  • Change FreePBX default MySQL connection

    Perhaps I am nitpicking: I feel that changing the default MySQL connection location in FreePBX is very cumbersome.

    I switched to connecting to MySQL over a socket and also changed the location of the socket file, after which quite a few FreePBX files had to be changed to get FreePBX talking to MySQL. Most of them are FreePBX configuration files, which is easy enough, just fill them in like a form. But /var/www/html/admin/modules/userman/DB_Helper.class.php does not cater for MySQL socket connections at all: its DSN only supports host connections, so line 262 (taking FreePBX 2.11.0.39 as the example) has to be substantially rewritten.

    It has to become several lines:

    // Written as "unix(/path/to/mysql.sock)", AMPDBHOST selects a socket DSN;
    // any other value is still treated as a host name, as before.
    if (preg_match('/^unix\((.+)\)$/', $amp_conf['AMPDBHOST'], $matches) === 1) {
    	$ampdbsocket = $matches[1];
    	$dsn = "mysql:unix_socket=".$ampdbsocket.";dbname=".$amp_conf['AMPDBNAME'];
    }
    else {
    	$dsn = "mysql:host=".$amp_conf['AMPDBHOST'].";dbname=".$amp_conf['AMPDBNAME'];
    }

    Modifying the program directly is the last thing I want to do. FreePBX does not seem to offer a safe way to upgrade either, so as soon as the User Management module is upgraded the change above is lost and the FreePBX web portal errors out.

  • Allow specific “anonymous” inbound SIP calls

    All my SIP providers so far supplied a SIP account and password for registration. Recently I came across a new SIP provider: I bought a phone number from them, and they only let me set Forward to SIP Server or Forward to SIP URI (forwarding to an ordinary phone number is possible too, but that costs extra and is not something I would consider).

    So I faced a new problem: I had to enable both Allow SIP Guests and Allow Anonymous Inbound SIP Calls in FreePBX's SIP Settings to receive the forwarded SIP calls. These are two settings I was unwilling to enable, because of the risk of being spammed by SIP hackers. Although enabling Allow SIP Guests alone is said not to carry much risk, it still did not let the calls through: the caller got FreePBX's voice prompt, "The number you have dialed is not in service. Please check the number and dial again."

    How could I let the anonymous calls from the SIP provider through while keeping all the others out? I even considered enabling Allow SIP Guests and Allow Anonymous Inbound SIP Calls and then using firewall rules to allow traffic only from specific hosts / IPs. I rate that approach as very dirty; I want a FreePBX problem solved inside FreePBX.

    With little hope, I tried an experiment and created a SIP trunk. Its only difference from my earlier registering SIP trunks was that username, password and the Register String were left out of the PEER Details. Then, with both Allow SIP Guests and Allow Anonymous Inbound SIP Calls disabled, Forward to SIP URI already worked; after adding an Inbound Route, Forward to SIP Server worked too.

    This fact overturned my previous understanding of a trunk as merely a path in or out. Now I know a trunk can also "name" "anonymous" inbound calls that meet particular conditions, and so act as a filter.
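
As an added illustration (not the original post's configuration, and not text generated by FreePBX), the trunk described above corresponds to a chan_sip peer like the one below; the FreePBX PEER Details box is essentially this section without its header. The section name forwarding-provider and the address 203.0.113.10 (a documentation-range placeholder) are assumptions; everything else is what makes the peer match unauthenticated INVITEs from exactly one host.

```ini
; Added example: an inbound-only trunk peer with no username, secret or
; register string. "forwarding-provider" and 203.0.113.10 are placeholders.
[forwarding-provider]
type=peer
host=203.0.113.10        ; only INVITEs from this address match this peer
insecure=invite          ; accept its INVITEs without SIP authentication
context=from-trunk       ; hand the calls to FreePBX inbound routes
disallow=all
allow=ulaw
allow=alaw
```

With Allow SIP Guests switched off, FreePBX writes allowguest=no into the general section, so an INVITE from any other address is rejected instead of landing in the guest context; that is the filtering effect the post observed. Two practical caveats: if the provider's INVITEs come from a source port other than 5060, use insecure=port,invite, and if host= is a DNS name that resolves to several addresses, one peer per address is needed, since chan_sip matches on a single resolved IP. Because this trusts the source address alone, point the inbound route for the trunk only at your own extensions, ring groups or IVR, never at anything that can dial out.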

    Beyond that, I suspect a forwarding SIP service is more reliable than a registering one, because a forwarding service only sends packets to my FreePBX when there is an incoming call, whereas a registering service has to re-register from time to time to keep the connection alive; sometimes the connection has already dropped without FreePBX knowing, and it waits until the next cycle to re-register, so incoming calls are missed. I do not know whether my guess is right, and would welcome the opinion of any passing VOIP expert.

  • Cure fail2ban on FreePBX

    At some point the fail2ban on my FreePBX stopped starting. During amportal restart every other item is a green OK, and the last item, fail2ban, shows two lines:

    Stopping fail2ban [Failed]
    Starting fail2ban [Failed]

    Two red Faileds, alarming to the eye.

    I looked at /var/log/fail2ban.log and was none the wiser. Besides, it had not been updated for a long time; presumably nothing was written after it stopped starting. Whether studying its last few lines would have helped solve the problem I do not know; in short, I lacked the patience for a close look. Ask Google! Someone said that

    yum remove fail2ban
    yum install fail2ban

    would get it working again, as simple as that. I tried it, and indeed it did!

    The problem was solved, but my impression of FreePBX's software quality dropped a notch. "Unexplained problem, fixed by reinstalling" seems to be a Windows trait; how did FreePBX on CentOS catch it too?!

  • Newbie’s experience in setting up an IPPBX

    I classify myself as a newbie, as I have been diving into Asterisk / FreePBX for only 3 months. I am not familiar with 95% of the parameters of my IPPBX, and I try to avoid touching those parameters. However, I can proudly say I have gained enough experience in setting up an IPPBX for a commercial environment, and I want to share it with you.

    Before I start, I have to make clear what my goals are, so you know whether my experience suits you.

    Firstly, I do not have a massive number of users, say fewer than 100. We did not use any PBX before, but once we launch the IPPBX, it must work very stably.

    Secondly, users should be able to pick up calls in the office, at home or on the move. I am a typical user, who answers 1/3 of calls in the office, 1/3 at home and 1/3 on the move.

    Thirdly, I want to save every penny possible on this first IPPBX. There are many IPPBXs on the market with Asterisk preinstalled and probably optimised, whose prices start from £150. However, I think that at £150 it is an entry-level product geared for a SOHO environment. If I hunt for a proper commercial Asterisk IPPBX, I should look for something above £300. I am a fanatical DIYer and I believe business can take advantage of open source. Free open source allows business to do the same things other highly priced products do, and sometimes does better. Of course, the price of open source is the learning time. I spent £100 on the hardware (bought directly from China; I value it at £190 for similar hardware on the UK market) and 3 months on learning. A commercial Asterisk IPPBX with equivalent capacity should be priced at £500 or so.

    My 3 months' learning only saved £400, which is a loss. Nevertheless, back to the topic: the experience I gained in setting up an IPPBX.

    I do not need to connect the IPPBX to a physical analogue (POTS) or digital (ISDN) telephone line. If you do, the more lines you have to connect, the more worthwhile it is to buy a commercial IPPBX with FXO or BRI ports built in. None of the analogue/digital cards, ATAs or ISDN gateways are cheap.

    At the time of choosing a DIY IPPBX rather than a commercial IPPBX, I was quite worried about stability. Now I can say that software stability can be achieved by a newbie like me. But to make the whole system work reliably, I had to buy decent hardware to run it on and, most importantly, have a reliable network. My current ISP is horrible and is due to be switched away from next month. It wasted a lot of my time debugging, barking up the wrong tree. I would not say "horrible" if I were only using their network to browse the Internet. It looks like it cannot cope with VOIP traffic when it comes to hosting an IPPBX.

    I set up port forwarding on the NAT router where the IPPBX is. I forwarded the SIP bind port and the RTP ports. I did not do anything on the client-side router: the SIP client should be able to traverse a router not in my control.

    I set NAT in Settings >> Asterisk SIP Settings to "route", which instantly solved a lot of audio silence between various devices, i.e. a high-end SIP phone, an entry-level SIP phone and several soft SIP phones installed on several Android-based mobiles. I still cannot understand the exact logical behaviour of "yes", "no", "never" and "route" for the NAT choice, but to me, "route" is the best choice.

    I totally understand why many people say SIP behind NAT is a nightmare. My IPPBX is behind a NAT router in the office, and when I am at home, my extension is behind another NAT router. This is the worst scenario. With FreePBX Distro and the above simple configuration, but without the help of any third-party modules, proxies, STUN servers or SER, the most difficult problem I encountered was one-way audio on some devices / soft phones. It is always the caller who cannot hear the callee, while the callee can hear the caller.

    Then I found that enabling a STUN server on the SIP client does nothing good. Actually, I found that enabling Rport for signalling and media helps eliminate the one-way audio symptom if this option is available. If your device does not have such an option but you have two devices at hand, you can dial out using one of them and transfer the call to the other one. This method makes both ends callees. So tricky. Do we really have to do that? No. I have a better way later on.

    Missing codecs may cause audio silence, but that has nothing to do with one-way audio. If a required codec is missing, both ends will be silent. I have a weird SIP trunk provider supplying 2 lines. Both lines have an external number (connecting to the PSTN) and an internal number (an extension number on his SIP server). It turned out he enables different codecs for these 2 lines. And even on the same line, he enables different codecs for the external number and the internal number. It took me a long time before I realised it was a codec problem.

    Although Android mobiles are widely available, it is worth buying SIP phones for the office and home. SIP phones stay online much more stably than any soft SIP phone on an Android mobile. It may not be the fault of the soft phones; they are restricted by Android power management. The advantage of Android devices is that you can choose which SIP apps to install. To get the best of both worlds, the best buy is a SIP desktop phone running Android.

    Among SIP apps, I recommend, in this order, Zoiper (most stable, and supports IAX2), CSipSimple (supports video calls with the CSipSimple video plugin) and the Samsung Galaxy built-in SIP client (possibly the best choice for power saving).

    It is time to summarise how to tackle one-way audio. I mentioned IAX2. Yes, for soft phones, use it as the first choice over SIP. (Sadly, as hardware, VOIP phones with the IAX protocol are not widely available.) I am using Zoiper on the move. In the office, as everything is in the same subnet, SIP traversal is not a problem, so any SIP phone will do the job. At home, use a SIP phone that can enable Rport, or use Zoiper.

    I tried to achieve a stable IPPBX without having to reboot it periodically, but I could not. The IPPBX runs into a hanging state every few days; for example, all trunks / extensions are disconnected. Even "amportal restart" cannot solve the problem. A daily reboot is a must. Just choose the quietest time and use crontab to reboot. My IPPBX reboots in 34 seconds, which means the uptime is 99.96%. Normally the IPPBX will not hang within a day, but I set up a monitoring script anyway that checks whether all trunks / extensions have lost connection and, if so, reboots the IPPBX immediately. It has never happened so far.

    I also find that daily rebooting of IPPBXs is a usual practice. I have observed that two of my SIP trunk providers reboot their servers daily. I am going to test it on a third one. Besides, I will be very glad to see a future version of FreePBX that can run without rebooting for years, like Nginx and others.

  • SIP requires a very reliable network

    My SIP server, FreePBX, is for now still sitting in a very unreliable network environment, as mentioned in the earlier post "FreePBX working with an unstable router", and at the slightest sign of SIP trouble I jump like a startled bird.

    This morning at home I found the SIP extensions showing one-way audio again; I tested many times, and nine calls out of ten had one-way audio, mostly the caller being unable to hear the other side. I looked all over the server and could not find the cause, so without further thought I rebooted once more, which still did not fix it.

    One-way audio is a very common SIP problem; when I first started with FreePBX I spent a great deal of effort on it and found a set of methods that work. How come the old problem was back today? My head ached.

    My home broadband router really is not very good, but at first I did not realise it was the cause, because web browsing was fine, and besides, SIP could register and calls could connect. I troubleshot for a long time, and by chance turned off the phone's Wi-Fi and connected over 3G: the phone's SIP client immediately had two-way audio and everything was normal. Only then did it occur to me that the broadband router was the cause; I rebooted it and SIP calls were back to normal.

    It appears SIP is very demanding of the network, and demanding on both the server side and the client side.

  • FreePBX auto reboot

    FreePBX has been in production for nearly a month, and I have observed several occasions on which all peers (trunks and extensions alike) lost connection while the FreePBX web interface still showed asterisk as a healthy green.

    For now I cannot tell whether this is a hardware problem with the FreePBX box, a software problem in FreePBX, or incorrect parameters. Nor have I found any ready-made command that tells whether asterisk is working properly.

    I really envy those who say their FreePBX runs stably for years without a reboot. I do not want to reboot my FreePBX often either, but I have to face the realities of a commercial environment.

    The reality is that we do not work 24 hours a day and the phones do not ring around the clock, but during working hours we cannot tolerate FreePBX stopping responding for no reason. So I made two adjustments:

    1. FreePBX reboots the OS once a day at 6AM London time, so that it is fresh for most people's working hours.
    2. I also wrote a small program that checks once a minute. If it detects that all peers have lost connection, it reboots the OS. If the reboot does not solve the problem, it does not reboot again, so as not to fall into a reboot loop for reasons outside FreePBX itself (network problems, for example); and of course, if the reboot did solve the problem, no further reboot is needed.
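
The watchdog described in item 2 above, and in the "Newbie's experience" post earlier on this page, is reconstructed here as an added example; it is not the author's own script. It counts peers whose status is OK in `asterisk -rx "sip show peers"`, reboots once when that count reaches zero, and refuses to reboot again until at least one peer has come back, so a dead network cannot put the box into a reboot loop. The decision logic is separated from the commands that touch the system so it can be exercised on a constructed sample. The state-file path, the logger tag and the cron lines in the note below are assumptions.

```shell
#!/bin/sh
# Added example: reboot-once watchdog for "all SIP peers offline".
# Assumption: the state file must survive a reboot, so it is not under /run.
STATE=/var/lib/pbxwatch/rebooted

# Constructed sample of `sip show peers` output, used by --dry-run.
sample_peers() {
    cat <<'EOF'
Name/username   Host             Dyn Forcerport Comedia ACL Port  Status
101/101         192.168.1.50      D  Yes        Yes         5060  OK (23 ms)
102/102         (Unspecified)     D  Yes        Yes         0     UNKNOWN
provider/user   203.0.113.10         No         No          5060  OK (45 ms)
3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0 offline]
EOF
}

# Count peers reported as "OK (<n> ms)" on stdin. LAGGED, UNREACHABLE and
# UNKNOWN peers are not counted, matching "all peers lost connection".
count_online_peers() {
    awk '/ OK \([0-9]+ ms\)/ { n++ } END { print n + 0 }'
}

# $1: number of online peers; $2: 1 if a reboot was already tried during
# the current outage. Prints the action to take: ok, reboot or hold.
decide() {
    if [ "$1" -gt 0 ]; then
        echo ok          # peers are back: forget any earlier reboot
    elif [ "$2" = 1 ]; then
        echo hold        # rebooting did not help, so do not loop
    else
        echo reboot
    fi
}

case "${1:-}" in
    --dry-run)
        online=$(sample_peers | count_online_peers)
        echo "online peers: $online, action: $(decide "$online" 0)" ;;
    --run)   # intended to be called by cron once a minute
        online=$(asterisk -rx 'sip show peers' | count_online_peers)
        if [ -e "$STATE" ]; then tried=1; else tried=0; fi
        case $(decide "$online" "$tried") in
            ok)     rm -f "$STATE" ;;
            hold)   logger -t pbxwatch "all SIP peers still offline after a reboot; not rebooting again" ;;
            reboot) mkdir -p "$(dirname "$STATE")" && : > "$STATE"
                    logger -t pbxwatch "all SIP peers offline; rebooting"
                    /sbin/shutdown -r now ;;
        esac ;;
esac
```

Two root crontab lines (assumed paths) cover both adjustments: `* * * * * /usr/local/sbin/pbxwatch.sh --run` for the watchdog and `0 6 * * * /sbin/shutdown -r now` for the daily reboot. Cron uses the system time zone, so "6AM London time" holds only if the box is set to Europe/London. Checking peers rather than the asterisk process is deliberate: the post notes the dashboard still showed asterisk green while every peer was gone.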