Hello! I'm thinking of "defecting" here from FreePBX land


thetanningman

Hi folks,
Sorry if this is a long first post, I hope it elicits some deep conversation though on how this project is run versus others (and hopefully does not lead to flame wars) and helps with advice on how to move forward.

I'm investigating switching to PBX In a Flash, Elastix, FreeSWITCH, 2600hz's stuff or something else. I have a lot of questions!

First, some background. I am a long-time FreePBX user that switched to their distro but I think it was a mistake and I think I've finally reached the end of my rope. For a brief back-story I was recently burned by a security bug that I found out was actually known about by the FreePBX team but they were hush-hush about it while I was busy being defrauded. I first read about this post on the FreePBX forums, but then I found that the post had been removed! I assume this was so they could fix it, but even so, I really wished I had a heads up. Specifically, the 2.9 release (and maybe others) on the FreePBX Distro apparently allowed access to my admin root password by very simply browsing to admin/modules/framework/bin/gen_amp_conf.php . Boom, no password required. After browsing my Apache logs I found that, sure enough, someone kept logging in after I'd change my password and simply grabbed the new one.

This has led me to a review of the FreePBX picture in general (prompted mostly by my very angry boss). I started thinking back to when I first installed FreePBX a couple years ago. It has served me well and was such a steal - I only paid for support a handful of times through donations and the new formal method and otherwise have had few problems. That said, I remember it having a vibrant community and feeling like it was really cutting edge. Now when I look at it, I feel like I'm running a rusty old car. To do a reality check of where things are at and to make sure I'm not crazy, I started digging into the Trac commit log and there really are only two people left who seem to commit to the project - Philippe and Moshe Brevda. While I appreciate that, I think they are both Schmooze or bandwidth.com employees which means that this isn't really a community-driven project anymore, especially with banner ads from bandwidth.com for Phonebooth now littering the FreePBX.org site. Even long-time contributor Mikael Carlsson seems to have quietly disappeared.

All this said, I have actually always come here (or stumbled here from Google) for general support requests and troubleshooting, and that got me thinking, it seems like PBX In a Flash has the most vibrant and sincere community around this stuff. But it also seems like FreeSWITCH has the faster pace at this point, too, for development of new features and stability. The Google Voice integration is particularly appealing as it seems stable in FreeSWITCH and is anything but in Asterisk. Although our business probably can't use that as a trunk replacement, it's a neat idea.

So, I am at a cross-roads. Here come the questions!

1) Based on past experience, is there a formal security policy in place for PBX In a Flash when a security bug is noticed?

2) Is there any formal testing for security? If not, would it be possible to contribute time to creating some? How is PBX In a Flash different than other distros for security, if at all?

3) Is there any likelihood we will see adoption of FreeSWITCH by the PBX In a Flash community? Does it make sense? Or is Asterisk 10 the answer to a more stable PBX? We still have regular problems with Asterisk though a cronjob to restart Asterisk weekly has fixed most issues but seems like a lame solution.

4) Elastix is another project I've been looking at, it seems like they are adding a ton of features into the system that aren't just PBX-centric. Are there plans in PBX In a Flash world for such features? Do they make sense / does anyone really want/use them?

5) If you were in my shoes, what would you do? I literally have a CFO who's reasonably irritated with me and blaming me for the security breach, and a CEO who's claiming "this wouldn't have happened on Cisco". I've convinced them that it could have happened on any switch, but they're insisting I change to something new, and for reasons other than security (all listed above) I am thinking that is actually a good idea. But I'm not sure where to go next.

6) Should I just move to a hosted solution? Those seem to be the hot ticket at this point. I have always felt like they are a fad and a bad idea, but I don't know - they don't seem to be going away.

Any honest help would be appreciated. I realize this is the PBX In a Flash forum so the responses may be biased! But that's OK. It's easy to read through that most of the time.

Thanks all in the meantime. I do appreciate your efforts and openness.
 

Welcome! I will do my best to try and answer your questions.

1. What do you mean by "formal"? There is an RSS feed on the main interface for PIAF before you get to FreePBX, etc. that is updated with any security concerns. It would also be posted here in the forums as an announcement that would appear at the top of every page, IIRC. Is that what you mean?

2. While I have never personally used the FreePBX distro, I know a few that have and I have since converted them to PIAF. I don't think the FreePBX distro has Fail2Ban or as advanced an IPTables firewall configuration as PIAF does. PIAF also has a whitelist method that can be implemented that can work hand-in-hand with the TravelinMan remote access add-on. (For more info about those, see NerdVittles.) As for formal testing, Ward and Tom do that to a degree. I don't know 100% what they do, but they are certainly making sure that PIAF is VERY secure. As I mentioned above, between IPTables, Fail2Ban, a *RELIABLE HARDWARE FIREWALL*, decent length secrets (20 or more for extensions, 30 for trunks if you have a choice), and strong web interface passwords, PIAF seems to me to be the leader in security for Asterisk distros. Again, just my opinion. Not trying to offend anyone from other distros.

3. It has come up before, and in my perspective I don't see it in the near future. Ward and Tom may see otherwise. There hasn't been any formal mention to my knowledge. Asterisk 10 is certainly not at this point the "answer" to a more stable PBX. It is still considered by the PIAF team to be beta. The supported release by PIAF at the moment is 1.8, which is a balance of recency and stability. What kind of "regular problems" are you experiencing?

4. What kind of features is Elastix implementing? PIAF has scripts for provisioning phones, hotel PBX integration, wake up calls, appointment reminder system, and many many others in the Incredible PBX v2 (soon to be v3) package. See NerdVittles for more details on that.

5. If I were you, I would go back and look and see where the point of failure really was. Why did you have the PBX exposed to the internet in the first place? That is not a good idea for the reasons you have mentioned because once they get your password, your entire system (extensions, calls, trunks, everything) is in their hands. You said that you found out how they were getting in - why at that point didn't you immediately shut off web access? I'm not blaming you because I'm sure you were going crazy with the superiors going crazy, but keep that in mind. As for the "wouldn't happen on Cisco" point, while that may be true, look at the cost difference. Cisco == $$$$$. PIAF == $-$$. PIAF has VERY good security if you utilize all of the features to their fullest potential.

6. I personally am not too much of a fan of hosted solutions because to have access to administer them and to use them at all, they *must* be directly exposed to the internet at all times. If you don't have remote workers or any reason to access the box outside of the LAN, it should be *much* cheaper and easier to implement locally. Plus locally the security is SO much better *if you do it right*.

Hopefully I have answered your questions to your satisfaction. I did throw a couple questions in there for you, so if you wouldn't mind posting back and letting us know so that we can help you decide where to go next. :)

Again, Welcome!

Ross
 
Welcome! I will do my best to try and answer your questions.

Thanks! Can't believe you replied already with all this info. +1 for PIAF.

1. What do you mean by "formal"? There is an RSS feed on the main interface for PIAF before you get to FreePBX, etc. that is updated with any security concerns. It would also be posted here in the forums as an announcement that would appear at the top of every page, IIRC. Is that what you mean?
That will work. But I guess I'm thinking that a lot of big companies have formal Errata they issue even without spelling out the security bug itself so that people like me know the severity and have instant abilities to defend themselves. Had I known just how bad this bug was, I would have done what you advised - pulled the plug from Internet access to the GUI. I feel like hiding the problem until it's fixed and still not being forthright with the bug's severity until it's fixed is... well, I dunno, it feels dishonest.

2. While I have never personally used the FreePBX distro, I know a few that have and I have since converted them to PIAF. I don't think the FreePBX distro has Fail2Ban or as advanced an IPTables firewall configuration as PIAF does. PIAF also has a whitelist method that can be implemented that can work hand-in-hand with the TravelinMan remote access add-on. (For more info about those, see NerdVittles.) As for formal testing, Ward and Tom do that to a degree. I don't know 100% what they do, but they are certainly making sure that PIAF is VERY secure. As I mentioned above, between IPTables, Fail2Ban, a *RELIABLE HARDWARE FIREWALL*, decent length secrets (20 or more for extensions, 30 for trunks if you have a choice), and strong web interface passwords, PIAF seems to me to be the leader in security for Asterisk distros. Again, just my opinion. Not trying to offend anyone from other distros.

The IPTables and fail2ban pieces are pretty critical, I agree. So you have me there. I appreciate the details. What else is there in PIAF?

3. It has come up before, and in my perspective I don't see it in the near future. Ward and Tom may see otherwise. There hasn't been any formal mention to my knowledge. Asterisk 10 is certainly not at this point the "answer" to a more stable PBX. It is still considered by the PIAF team to be beta. The supported release by PIAF at the moment is 1.8, which is a balance of recency and stability. What kind of "regular problems" are you experiencing?

We get hung channels still or have audio quality problems. These have actually subsided in recent upgrades but we still do the reboots I guess because we're not sure what actually fixed the stability problems.

4. What kind of features is Elastix implementing? PIAF has scripts for provisioning phones, hotel PBX integration, wake up calls, appointment reminder system, and many many others in the Incredible PBX v2 (soon to be v3) package. See NerdVittles for more details on that.

Screen sharing, fax services, more of this "Unified Communications" stuff that seems to finally actually be becoming important. They have a revised operator panel coming, too, which is big for us.

5. If I were you, I would go back and look and see where the point of failure really was. Why did you have the PBX exposed to the internet in the first place? That is not a good idea for the reasons you have mentioned because once they get your password, your entire system (extensions, calls, trunks, everything) is in their hands. You said that you found out how they were getting in - why at that point didn't you immediately shut off web access? I'm not blaming you because I'm sure you were going crazy with the superiors going crazy, but keep that in mind. As for the "wouldn't happen on Cisco" point, while that may be true, look at the cost difference. Cisco == $$$$$. PIAF == $-$$. PIAF has VERY good security if you utilize all of the features to their fullest potential.

I know this is lame, and I agree with your point. We were using the Flash Operator Panel and we also had a few users who logged into the FreePBX panel remotely for vacation triggering and changing forwarding of our after-hours support line. But in hindsight, yes, this was stupid, although I'm still feeling like I can't turn it off completely because we still need those features. And frankly I don't feel like I should be scared to put such an old and theoretically hardened product on the internet. It's not *that* scary a place after basic precautions. I should have changed the port number. But I also feel the distro should have hardened much of this if it's to be "the new best thing."

6. I personally am not too much of a fan of hosted solutions because to have access to administer them and to use them at all, they *must* be directly exposed to the internet at all times. If you don't have remote workers or any reason to access the box outside of the LAN, it should be *much* cheaper and easier to implement locally. Plus locally the security is SO much better *if you do it right*.

I am more worried about bandwidth / call quality. Maybe some success or fail stories here would help, if anyone has them. Seems like letting someone else manage my phones is finally cheaper and more attractive, but I worry we'll degrade call quality, and I guess I'm a control freak and like that the box is under my control, including its data. We have sensitive voicemails, so that may be reason enough not to do this.


Hopefully I have answered your questions to your satisfaction. I did throw a couple questions in there for you, so if you wouldn't mind posting back and letting us know so that we can help you decide where to go next. :)

Again, Welcome!

Ross

You did, brilliantly! Thank you!


Is there a PIAF feature roadmap?
 
We get hung channels still or have audio quality problems. These have actually subsided in recent upgrades but we still do the reboots I guess because we're not sure what actually fixed the stability problems.

On analog business lines you get hung channels? Or on SIP? I've only ever once seen a hung SIP channel and it was a meetme conference.

I am more worried about bandwidth / call quality. Maybe some success or fail stories here would help, if anyone has them. Seems like letting someone else manage my phones is finally cheaper and more attractive, but I worry we'll degrade call quality, and I guess I'm a control freak and like that the box is under my control, including its data. We have sensitive voicemails, so that may be reason enough not to do this.

I like having logs I can look at. I also prefer to have many extensions behind NAT, not on the other side of it. Big headaches.

If you need to conserve bandwidth pay the license for some g729 codec channels. In my experience it is virtually imperceptible for audio quality and uses a lot less.

Also, for operator panel use FOP2. Very useful.

And for goodness sake don't open your firewall to the outside for a business system you have billable trunk lines on. Get VPN installed for your end users (Sonicwall and Juniper both have VERY simple SSL VPN's you can use if you don't want the hassle of configuring a PPTP or OpenVPN free one, and they're not all that expensive).
 
We were using the Flash Operator Panel and we also had a few users who logged into the FreePBX panel remotely for vacation triggering and changing forwarding of our after-hours support line. But in hindsight, yes, this was stupid, although I'm still feeling like I can't turn it off completely because we still need those features. And frankly I don't feel like I should be scared to put such an old and theoretically hardened product on the internet. It's not *that* scary a place after basic precautions. I should have changed the port number. But I also feel the distro should have hardened much of this if it's to be "the new best thing."

The approach to security I have taken is a variation on what Ward recommends. He would have you lock everything down tight as a drum and then require your users to use something like "Travelin' Man" when they want to get access from an outside location. If I had a different type of user that might be acceptable, but for reasons I won't go into here that would simply never fly on my system (please don't argue the point with me, it just won't).

But the idea of using iptables to lock down your system so that just anyone on the wide open Internet can't access it is a good one. The question, then, is how do you allow authorized users to access it (in effect making a hole in the firewall just for them) without requiring them to take any extra steps they would not normally need to take?

What I've found works best FOR ME is to get a DynDNS account for each user and have them use the update client that is built into their routers (most recent vintage routers have this capability) or run the software client if their router doesn't have the capability. I then use a Perl script that looks up their current IP address once every five minutes and if it has changed, it rewrites the rule in iptables that allows them access.

I'm not saying this is the best solution for everyone, but with your requirements (remote access for a few key people, some of whom may need to access the Web interface) it might work for you. If these were VoIP-only users (no web access required) then I might suggest a different approach, such as a knock-based approach. In some situations, Ward's "Travelin' Man" software is a perfectly fine solution; it might well be in yours. But the bottom line is that you have to have iptables working (and it's also a very good idea to have fail2ban running as well) so that as far as anyone randomly accessing your server's IP address knows, there's no web server there at all. Only people coming in from an "approved" IP address should even be able to see the login screen, or anything else on your system.

Having said that, I will also say that there has been talk about the possibility of a project based on FreeSWITCH. Other than those who may be actually working on it, I don't think anyone knows what the status actually is. But when I asked two or three months ago, the word was that it is still under development, though whatever may be actually happening is still pretty hush-hush as far as I know. I am also squarely in the camp of those who would like to see a project based on FreeSWITCH — I just think Asterisk has reached the end of its "shelf life", so to speak (and their inability or reluctance to fix the bugs in their Google Voice channel driver is certainly one factor in that, though not the only one. Yes, I know they probably have all kinds of excuses as to why they are not fixing it).

There are two projects similar to FreePBX but based on FreeSWITCH - FusionPBX and blue.box. I posted a few comments about blue.box here but can't really say how well it is working today. I don't know if the PBX in a Flash folks are planning on building a distro based on either of those, and even if they are working on it they probably don't want to commit to any particular date when it might be ready.

Anyway, please rest assured that you are not alone in feeling as you do. And that's all I'll say, because if I get to talking specifics I have a tendency to go into full rant mode, and at this point I just really don't want to do that.
 
"I have an image of Tom looking like a mad scientist, frantically toiling away night and day in his lair. More along the lines of a benevolent genius than evil genius."



I kind of like to follow the path of enlightened absolutism...


Tom

:alucardb:
 
Yes and I will name you the pundit to the royal court. :biggrinjester:


Tom
 
My experience in evaluating distributions is out of date, but here goes anyway: about 3 or 4 years ago, I evaluated all of the distributions of Asterisk and none were ready for my purpose (a post-secondary telecommunications program) except for PiaF. I needed something that a total noob to telephony and VoIP could quickly set up and get working, plus have the option of adding more capabilities. On the last part, I'm still learning something new every day about Asterisk and what it can do.

It had what I was looking for in a complete package. The PiaF team had already created the same roadmap for a VoIP distribution that I was looking for: ease of installation, complete package, supporting software like Webmin, security (firewall scripts, fail2ban), module administration, updates, areas of growth, etc..

A huge "selling" point is the friendly responsive forum where the developers and users have almost an urgency in responding to questions and finding solutions to problems. The other distribution's forums (excluding FreePBX) had a "holier than thou" attitude and would just point you to the manual. Abusive postings on this forum are strongly discouraged and in the past 3 years, there have been almost nil.

There is a strong sense of community here which provides excellent support. In addition, developers from Digium, FreePBX and FOP2 are members and frequently participate in this forum.
 
Just some comments from one of the developers of PBX in a Flash.

"1) Based on past experience, is there a formal security policy in place for PBX In a Flash when a security bug is noticed?"

We respond to every verifiable problem we can duplicate that poses a risk to our distro. Realize that all distros are a complex ecosystem that integrates hundreds of different software packages and makes them work together. If you upgrade a single program (aka pee in the pool) it can make the whole thing fail. That being said, we have had a number of "cry wolf" security incidents that could never be verified or duplicated, so we are somewhat cautious today about these reports. We have a number of mechanisms in place that allow us to rapidly push out fixes as needed (update-fixes). If the problem is in Asterisk we rarely patch it. Usually we recommend people upgrade the version of Asterisk.


"2) Is there any formal testing for security? If not, would it be possible to contribute time to creating some? How is PBX In a Flash different then other distros for security, if at all?"

We test it constantly. We always accept contributions. Some of our best dev team people submitted some additions and are now developing for us. As for how it is different... I am NOT a sales guy and we don't have any. To use an outdated term, "our record speaks for itself". Install a copy and get familiar.

"3) Is there any likelihood we will see adoption of FreeSWITCH by the PBX In a Flash community? Does it make sense? Or is Asterisk 10 the answer to a more stable PBX? We still have regular problems with Asterisk though a cronjob to restart Asterisk weekly has fixed most issues but seems like a lame solution."

It is odd that you have problems. On the commercial installs I help maintain (some with 1000+ extensions) I don't have to reset Asterisk ever, at least using our distro. Can't speak for the other guys.

Freeswitch --- RSN (http://catb.org/jargon/html/R/Real-Soon-Now.html point 2) We are in discussion with several developers.



"4) Elastix is another project I've been looking at, it seems like they are adding a ton of features into the system that aren't just PBX-centric. Are there plans in PBX In a Flash world for such features? Do they make sense / does anyone really want/use them?"

We generally add features that people actually want and that coincide with our developers' schedules. The real problem is that we are an unfunded project, unlike some of the other distros. This means that we add features as time permits. If you want something that we have ignored due to lack of time on our part, then a good way to try to get it is to start a bounty.

"5) If you were in my shoes, what would you do? "

I use our distro on any number of commercial sites with few problems. Most of our developer pool do the same. Not sure what your background is; however, if you are not a hard-core Linux techie type you may run into problems with any distro.

"6) Should I just move to a hosted solution? Those seem to be the hot ticket at this point. I have always felt like they are a fad and a bad idea, but I don't know - they don't seem to be going away."

I prefer rentpbx and they have been very good to our project. But local and remote PBXs each have their own problems and solutions.

"7) That will work. But I guess I'm thinking that a lot of big companies have formal Errata they issue even without spelling out the security bug itself so that people like me know the severity and have instant abilities to defend themselves. "

Generally between Ward and I we let the community know if there is a real and verifiable problem with our distro. Generally a solution is posted in the forums first. Then gets publicized on Nerd Vittles and then gets integrated into our distro. Generally 24 - 48 hours.

You want stuff beyond that? We are not funded or a big company. I wish we could all give up our day jobs and concentrate on PIAF. Anybody with some venture capital say 2-3 mil want to invest? :lol:


Tom
 
My own experience with PIAF and the community has been very pleasant.

The forums are always filled with great information.
There is no sense of "fear" for me to post a question because I know I always get good answers.

The no open ports from outside approach that PIAF implements is great as it pretty much secures the box from the get go, allowing me to only modify rules if I really need to give someone access from outside.

Ward and the rest of the PIAF team are great!

IncrediblePBX adds a lot of useful features to PIAF: compiled from source, choice of different Asterisk and FreePBX versions on install, security very high on the list of priorities, ease of installation and use, a very friendly forum and more.

These are just some reasons I chose PIAF over other distros or even rolling my own from scratch.

I've tried other distros and PIAF just made me feel right at home.

I never expose my boxes due to security concerns, but I tested your issue on a couple of my PIAF boxes, and they all asked for the maint username and password before it allowed me to view the config. So if you had PIAF, it might have saved you there.
 
To add to the discussion... I have never seen authoritarian attitudes from the mods/devs in this forum. They don't delete or shut down discussion over issues, even if things get heated (which is very rare - pun intended).

As far as security, with what you are looking to do, I would get some form of vpn setup. We use tomato (firmware) flashed routers that have Openvpn integrated which have worked flawlessly.

My current PBX uptime is over 12 weeks. I think it was rebooted back then for a backup. I use clonezilla to image the drive then put onto our backup box (for quick swap out if needed) as well as an off site copy.

-Greg
 
I wanted to chime in on the security issues since this has become a hot topic again today with yet another Asterisk system being compromised.

First, our security model differs from every other Asterisk distro. We strongly recommend that you not expose any ports on your PIAF server to the Internet. We also recommend that all PIAF servers be placed behind a secure, hardware-based firewall with no pass through ports. We also provided a software-based firewall (IPtables) as well as Fail2Ban which can catch some brute force attacks.

For outside access to your server, our only exceptions are either a VPN or a WhiteList which enables a specific port for access from a specific (safe!) IP address. Travelin' Man or the MichiganTelephone approach of checking a FQDN and updating IPtables programmatically can ease the pain. Here's a quick and dirty bash command to extract an IP address by pinging a fully-qualified domain name:

Code:
ping -c 1 pbxinaflash.com | head -1 | cut -f 2 -d "(" | cut -f 1 -d ")"


Second, when vulnerabilities are reported, we address them promptly (usually within a day or two). We also notify everyone on this forum and also via the RSS Feed which is integrated into the PIAF GUI of every PIAF server.

Over the past 3 years, I cannot recall a single vulnerability which would have compromised a PIAF server IF you heeded our security model as outlined above.
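The FQDN-based whitelist refresh described in this post and in MichiganTelephone's earlier reply (look up a user's DynDNS name every few minutes and rewrite the iptables rule only when the address has changed), as an added example that is not code from either post or from the PBX in a Flash project. It assumes a dedicated iptables chain named WHITELIST that INPUT jumps to, one cache file per user holding the last address seen, and a cron entry running the script as root every five minutes; the chain name, the cache path and the DynDNS hostname are assumptions. The ping-line extraction is the same cut pipeline as the one-liner above, applied to a line passed in so it can be tried on a constructed line; the live lookup uses getent instead.

```shell
#!/bin/sh
# Added example, not code from the post or from PBX in a Flash.
# Assumptions: a dedicated iptables chain named WHITELIST (hypothetical) that the
# INPUT chain jumps to, one cache file per user holding the last address seen,
# and cron running this as root every five minutes. Set DRY_RUN=1 to print the
# iptables commands instead of running them.

# Same extraction as the post's ping one-liner, applied to a line passed in,
# so it can be exercised on a constructed ping output line with no network.
extract_ip() {
    printf '%s\n' "$1" | cut -f 2 -d "(" | cut -f 1 -d ")"
}

# Resolve the FQDN to its first IPv4 address through the system resolver.
resolve_fqdn() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Accept only four dotted-decimal octets in 0-255; anything else (an empty
# resolver result, an error string) must never reach an iptables -s argument.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

run_iptables() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Refresh the ACCEPT rule for one user. Returns 0 when the rule is current
# (whether or not it had to change) and 1 when the name did not resolve to a
# usable address; in that case the old rule is left in place rather than
# removed, so a DNS hiccup does not lock the user out.
update_whitelist_rule() {
    fqdn=$1
    cache=$2
    new=$(resolve_fqdn "$fqdn" || true)
    if ! valid_ipv4 "$new"; then
        echo "$fqdn did not resolve to an IPv4 address; keeping existing rule" >&2
        return 1
    fi
    old=$(cat "$cache" 2>/dev/null || true)
    if [ "$old" = "$new" ]; then
        return 0
    fi
    if [ -n "$old" ]; then
        run_iptables -D WHITELIST -s "$old" -j ACCEPT
    fi
    run_iptables -I WHITELIST -s "$new" -j ACCEPT
    printf '%s\n' "$new" > "$cache"
}

# Usage from cron (names are examples):
#   whitelist-refresh.sh user1.dyndns.example /var/lib/whitelist/user1
if [ $# -eq 2 ]; then
    update_whitelist_rule "$1" "$2"
fi
```

Keeping the previous address in a cache file is what lets the script delete the exact rule it inserted earlier instead of flushing the chain; validating the resolved string before it reaches `-s` is the check that matters most, since an empty or garbage result would otherwise become a malformed or overly broad rule.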
 
To add to the discussion... I have never seen authoritarian attitudes from the mods/devs in this forum. They don't delete or shut down discussion over issues, even if things get heated (which is very rare - pun intended).

-Greg

Much as I hate to correct anybody ever......

There have been a number of times when we have closed a thread and it is even rarer that we have to ban someone. The exceptions have generally been fanboy muckrakers from elsewhere. Everyone is entitled to their opinion as long as it does not differ from mine.... whoops my benevolent despot personality speaking...

Really we try to balance things and only eject the noisome ones who really don't contribute constructively and only whine about "you need to do it this way cuz I said so". I can even deal with them if they can prove they are right! We try to subscribe to the programmer's paradigm

If - Then - Else

proven=false
if [ "$opinion" = true ]; then
    echo "Prove what you are saying is true"
    proven=true
else
    echo "Go Away until you can prove it"
    proven=false
fi

Of course this applies to topics like "Your distro is full of security holes" or "Using program XXX is better than YYY".

Also we ban anyone who spams and remove all their postings. I have seen some who "demand" that all posts NEVER be removed EVER (usually the spammers). But then again this is not a democracy; rather it is a place that operates under enlightened absolutism. Oddly enough it seems to work just fine with this philosophical model, although there are always ones who want to kill the king... long live the king... (isn't that a line out of DukeNukem?)


All of the moderators whine to each other on a private channel long before a consensus is reached about banning/deleting unless it is things like threats/porno/etc those just get deleted by whoever sees them first. Some get forwarded to the authorities :eek:


Tom
 
I don't post here often as I have no desire to instigate nor propagate flame wars however I felt compelled to comment.

I want to start with the point that the opinions expressed are my own and I am not speaking on behalf of the FreePBX team or the commercial sponsors.

I find the inflammatory negativity very demoralizing for the developers for all intents you are accusing them of "covering up" potential security issues. Philippe, Moshe and Bryan deeply care about the project and go far and beyond their obligations. Expressing gratitude is far more productive for the project than concocting conspiracy theories.

WRT the comment that Cisco Call Manager is immune from these issues is simply not correct. Cisco does not recommend nor will they support exposing the provisioning interface on the Public Internet. Call Manager natively does not support SIP NAT. In fact I can't think of any commercial IP PBX that supports Internet connections.

We are all part of the FreePBX community, let's try and be objective.
 
SkykingOH Long time no hear. Good to see you are lurking here. While the OP language is provocative how would you suggest we proceed?

He was asking specific questions about PIAF which after reviewing all the posts in this thread the questions were answered without maligning freepbx. Indeed PIAF and Schmooze/Freepbx have long cooperative history and indeed we work closer together now than in the past. I speak to Tony via phone or IM all the time......

I can't seem to find anyone who commented on the "problem" he raised with the freepbx distro. Nor did anyone see fit to bash the freepbx distro. Unless you are referring to some general comments that ALL distros have problems including PBX in a Flash, TB, Elastix, Freepbx, AsteriskNow.... This list is endless. Each one has its strengths and weaknesses.

So what would you have us do? Be responsible for everybody's thoughts and not allow differing opinions. Censor anyone who has a differing opinion? I kind of think prefacing a thread with "I have no desire to instigate nor propagate flame wars however..." is kind of questionable in itself. :biggrin5:

You are right in that (paraphrasing) "you catch more flies with honey instead of vinegar".


Tom
 
Hey Tom - The implication that someone was maliciously not disclosing the info was a bit unsettling.

As far as next steps.

1 - The security issue he mentioned is fixed.
2 - We need to continue to educate why exposing the management interface to the Internet is a bad idea.
3 - If users do decide to make the big leap and expose SIP we need to educate them so they are using the security tools included in the respective distros effectively. This would include better documenting the FreePBX sysadmin fail2ban tool.
4 - Educating on secure options for remote VPNs including:

- SSH Tunnels with Putty using a SOCKS proxy
- SSL VPNs
- Access lists
- Preshared certs

Have a great day!
 
Could not agree more.

One of the real problems is that users don't understand that if there is a problem in a common piece of software, irrespective of the distro, then it affects all distros. Bad security practices like opening port 80 to the outside world make ALL DISTROS LOOK BAD. It comes down to this: you can't be responsible for what users do and what they perceive. We love freepbx and the contributions that schmooze has made to all distros.

We would not be offering freepbx 2.8/2.9/2.10X if we did not think they were secure and outstanding products. In fact in our 2.0.6.X distro we install the freepbx/schmooze commercial support modules by default when you install freepbx 2.10. Beyond that this thread is moving away from the original question which was (paraphrasing) "why should i use the PIAF distro?"

So to sum it up

1. OP -- Bad person for opening port 80!

2. Blaming freepbx was wrong as someone exposed port 80. Freepbx/schmooze/piaf/tb/elastic/asterisk now has no control over what you do with your box.

3. Don't expose your box period.

4. I think we answered all the other questions regarding PBX in a Flash (which was the primary question)

5. Conspiracy theories need to be taken elsewhere. This is a TROLL FREE ZONE


Best regards to all


Tom
 
Wow!

I can not believe how many awesome replies there have been since I first posted this. Thanks everyone for posting your stance. I think I will be spinning up PIAF this afternoon to give it a whirl.

So, a few quick notes.

I truly want to make sure I'm very clear that I'm not attempting to slight the PROGRAMMERS for their hard work. What I'm upset about is two very simple points (and NOT a "conspiracy theory!"):

1. What I perceive as improper handling of a critical security flaw. This is more of a community management issue and less of a programmer issue.

2. My concern that the influence Schmooze and Bandwidth.com are having on the FreePBX community outweigh the value of the true community that used to exist around, and contribute to, the project.


"7) [...] I guess I'm thinking that a lot of big companies have formal Errata they issue even without spelling out the security bug itself so that people like me know the severity and have instant abilities to defend themselves. "

Generally between Ward and I we let the community know if there is a real and verifiable problem with our distro. Generally a solution is posted in the forums first. Then gets publicized on Nerd Vittles and then gets integrated into our distro. Generally 24 - 48 hours.
This is the real answer I think that gives me comfort. A real timeframe for how you address these sorts of incidents. That's precisely what I feel is lacking in the FreePBX core community - it seems to be that Schmooze/bandwidth.com know about these issues (I mean, someone deleted that post!) but then hide them until they have resolution. In this case several weeks elapsed between the time the post was made and the time a corrective patch was found. I find that completely unacceptable considering the bug was so large that it allowed access to the entire system - confidential voicemails, root access potentially, etc. So this is a big exploit!!!

I find the inflammatory negativity very demoralizing for the developers for all intents you are accusing them of "covering up" potential security issues. Philippe, Moshe and Bryan deeply care about the project and go far and beyond their obligations. Expressing gratitude is far more productive for the project than concocting conspiracy theories.
Well, I'm not sure my words were as strong as the way you are taking them. But, yes, I am upset that there was a known security exploit that was "covered up." If it wasn't covered up, then I guess I'd love an explanation on why a post alerting people to this problem was deleted from the forums and then nothing mentioned about the exploit for weeks. I'm all for giving the developers kudos (and paying for support and supporting the project) but when a mistake is made of this magnitude, no, I'm not going to put lipstick on a pig! Deleting the post was a bad decision and this flaw, which is a recent introduction it appears, resulted in fraud on my system.

I'm a pretty reasonable guy. I can understand that you don't want people to show how to actually execute the vulnerability, but to just hide its existence altogether? This just didn't sit right with me - it doesn't feel like "community", it feels like "corporate." And that's the real root of my concern - since FreePBX has been acquired by bandwidth.com and managed by Schmooze it seems we are on this downward spiral of less community and more control exerted by the few people who are contributing.

In retrospect, the post could have simply been modified to remove the instructions on how to perform the exploit while still acknowledging the exploit, alerting people about it and advising them to apply additional restrictions to their port 80 access. In addition, the fix took me about an hour to do manually once I knew about it, so honestly the level of technical aptitude required was not very high.

Instead of either of these actions being taken, the exploit was not acknowledged or corrected for WEEKS and the post was deleted. I am absolutely not OK with that course of action as the sole response to a major exploit which exposed my box (and my company network potentially) to fraud and hacking.

2. Blaming freepbx was wrong as someone exposed port 80. Freepbx/schmooze/piaf/tb/elastic/asterisk now has no control over what you do with your box.
That is the flipside of this coin and I agree with some of this falling on my shoulders. I do fault myself for not putting in stricter HTTP access rules myself, though, and validating this free software's security on my own. This was a junior, obvious flaw. I fault both myself AND the FreePBX team for not passing the "Security 101" test, here. This is really a very basic set of problems:
1) Plain text passwords (really? in 2012?)
2) Open .htaccess rules
3) "Runnable" config files (adding a php header to kill the script if run directly would have still prevented this)

I am going to try and patch these items myself actually. They are easy patches.

So, no, I'm not unappreciative of the work of the FreePBX team, and I'm aware that PBX In a Flash is dependent on it. That said, I think the community with PIAF has a greater belief in responding to the needs of the community, and this forum post basically proves it.

1. OP -- Bad person for opening port 80!
On a different note, I really don't agree with closing port 80. Or maybe I should move to port 443, but even so... While it's obviously effective to close the port, we live in the days of the "Cloud" which, as annoying a term as it is, leads to the expectation from my staff that anything plugged into the Internet should allow them to log in and check voicemails/etc. from anywhere. Is the core FreePBX software generally really this flawed in terms of security that the only solution is padlocks on the door? Most other software I run exists happily on port 80, port 25, port 443 without incident. Wordpress has had its issues but they've never impacted me and are rare. SugarCRM has been fine. I dunno, I just don't seem to have this issue with other software.


Well, I'm rambling... I really am very appreciative of the responses on this post and people's positivity around the PIAF project. From this forum post and my own hunting, I am going to place my bets on trusting the PBX In a Flash team going forward.

This is my opinion, but it seems this community is more responsive, more structured and more committed to ensuring my experience is a good one. There is no question in my mind that the fact that PBX In a Flash is NOT backed by corporate sponsors allows for greater, non-biased responsiveness and more open policies than what is happening elsewhere.

I'll let you guys know how my install goes! I'm very excited.
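The "Security 101" items above (a config helper that can be requested directly through Apache and prints credentials, a directory with no deny rule, secrets readable in plain text) map to a small set of defensive patterns. The following is an added example written for this thread, not code from FreePBX, Schmooze or PIAF; the file names, the sentinel constant name and the secrets path are hypothetical.

```php
<?php
// Added example (not FreePBX/PIAF code). File names, the sentinel constant
// and /etc/pbx/secrets.php are hypothetical. Shows two of the fixes the post
// lists: (1) a PHP guard that stops a helper script from running when it is
// requested directly, (2) secrets kept outside the web root with restrictive
// permissions and *returned*, never echoed, so nothing leaks if mis-served.
declare(strict_types=1);

// ---- conf/gen_conf.php : a helper that generates runtime config ----

// A trusted entry point defines PBX_ENTRY_POINT *before* including this file.
// A direct browser request for conf/gen_conf.php never does, so we stop here,
// before any secret is read, and answer with a bare 403.
function guard_direct_access(): void
{
    if (!defined('PBX_ENTRY_POINT')) {
        http_response_code(403);
        exit("Direct access denied\n");
    }
}

// Load secrets from a PHP file that lives outside DocumentRoot. It must
// `return [...]` (no echo), and must not be world-readable.
function load_secrets(string $path): array
{
    $mode = fileperms($path) & 0777;
    if ($mode & 0007) {
        throw new RuntimeException(
            sprintf('%s is world-accessible (mode %o); expected 0640 root:www-data', $path, $mode));
    }
    $secrets = require $path;            // e.g. return ['db_pass' => '...'];
    if (!is_array($secrets) || !isset($secrets['db_pass'])) {
        throw new RuntimeException("$path did not return the expected array");
    }
    return $secrets;
}

guard_direct_access();
$secrets = load_secrets('/etc/pbx/secrets.php');
// ... build the runtime configuration from $secrets; never print them.

// ---- admin/index.php : the only trusted entry point (separate file) ----
// define('PBX_ENTRY_POINT', true);
// require __DIR__ . '/../conf/gen_conf.php';

// ---- conf/.htaccess : belt and braces in Apache 2.4, independent of PHP ----
// Require all denied
```

With the guard in place a direct request for the helper gets a 403 and an empty body, and the `.htaccess` rule denies the directory even if a future helper forgets the guard.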
 
Aye Carummba!

1. I suspect that if it were not for schmooze/bandwidth freepbx would not be where it is today. Have you ever read any of the original code as compared to the schmooze stuff?

2. This is NOT the place to make egregious comments about freepbx/schmooze/bandwidth.com! If you have a problem with them you need to take it up with them. They are very responsive to questions and don't have the usual snippy attitudes found elsewhere.

3. If PIAF finds something internally we also don't tell everybody until we have the solution in hand and can publish this. I can't think of an instance where we deleted something in the public forums, however if it was serious enough I suspect we would do the same thing and then restore the post after we have published the solution.

4. What makes you think that freepbx is responsible for setting all the security parameters of your computer? I really don't think they failed security 101. They provided a product (for free) and it is up to you to ensure security is correct. Generally this is done by the distro as an integrated whole.

5. None of my commercial installs have port 80 enabled on outward-facing NICs except on virtual NICs that connect through a VPN. Thus you have limited your exposure somewhat. When the users are local their phones are on the local NIC subnet. The actual NIC that points out through the hardware firewall allows nothing except certain IP access and then never to port 80.

Beyond that I am going to close this thread as it seems to be counterproductive. When you get your new PIAF install up please start a new thread and let us know how it went.

regards

Tom

BTW if this makes you unhappy you can always PM me.
 