SOLVED Several issues with fresh install of IncrediblePBX 2020 on Centos 7

tine

Hi All,
I have a fairly fresh install of IncrediblePBX 2020 but am having several issues. The first is firewall issues. Pbxstatus shows that iptables is on, but "firewalld" status shows that it is not running. If I start "firewalld" then I am unable to access the server via the GUI. I can still SSH to the server. At one point I was receiving a complaint on a "symlink" something. Any ideas?
 
Did you run the Incredible PBX install through SSH? Or did you use the console? It must be done through an SSH connection to the server. Otherwise you will get firewall issues. An SSH connection assures the IP you install from is whitelisted.
 
Yes, I had run the install through an SSH connection. I should have mentioned that this problem probably started when I changed the location and different LAN IP. I used ./add-ip to whitelist my new IP subnet, so not sure why I'm still having firewall issues.
 
Follow the tutorial with "improvements." Firewalld should not be enabled or active.
 
Ok. I disabled Firewalld. That issue seems to be resolved.

Next problem is that the "Asterisk Logfiles" is not loading. When I click on that item, a screen comes up, but a swirling circle just comes on. It seems to be trying to load twice.
 
Check the log file settings in FreePBX. This has been discussed many times recently.
 
The CDR is also showing several lines of " congestion s [from-sip-external]" . How do I resolve this issue?
 
Just about to get back on this one. Would it be ok to allow only my local Network and the IP address of the SIP trunk provider I use through my IncrediblePBX2020 iptables?
 
Would it be ok to allow only my local Network and the IP address of the SIP trunk provider
Probably OK but you might finish up breaking something by going it 'on your own' and then have to fix it yourself; the fact is there is not any point to disabling the 'trusted list' of SIP providers as they all have (tongue in cheek) fairly secure systems to protect your, their and our $.

If the tables are standard you won't need to set them up again. iptables changes over time may need updates and depend on the specific platform; and you will probably want the update scripts to just work on your server.
 
This system is not connected through a real firewall. It sits behind a DD-WRT router, that is allowed to pass all traffic. Maybe I should tweak that router. The reason I had asked that last question is because before the "Asterisk Logfiles" stopped working, I was seeing several foreign attempts at connecting to the PBX. I believe that was also causing the "congestion" problem I was having. What's the better approach, adjust the router's firewall or both, router and PBX firewall?
 
This system is not connected through a real firewall. It sits behind a DD-WRT router, that is allowed to pass all traffic. Maybe I should tweak that router. The reason I had asked that last question is because before the "Asterisk Logfiles" stopped working, I was seeing several foreign attempts at connecting to the PBX. I believe that was also causing the "congestion" problem I was having. What's the better approach, adjust the router's firewall or both, router and PBX firewall?
A full install of IncrediblePBX2020 has its own firewall (iptables and fail2ban) which will allow connections only from registered IP and/or FQDN. For this reason you can install safely IncrediblePBX2020 in the cloud. IncrediblePBX is very secure out of the box. I guess you installed IncrediblePBX in a DMZ.
 
This was a full install of IncrediblePBX2020 on Centos 7. I just followed the instructions provided by the Nerdvittles site. The firewall is partially working because when I changed LAN address, I had to whitelist the new network. No DMZ involved.
 
This was a full install of IncrediblePBX2020 on Centos 7. I just followed the instructions provided by the Nerdvittles site. The firewall is partially working because when I changed LAN address, I had to whitelist the new network. No DMZ involved.
As far as I know a full install of IncrediblePBX2020 is secured; of course you will have attempts to break in from port scanners, but it is the job of the IncrediblePBX2020 design to block them. If you messed up with the firewall then you could have a problem. The only secure way to add an IP is to use ./add-ip, or for an FQDN to use ./add-fqdn. Ward specifically states not to modify iptables in any other ways.
If your DD-WRT allows all connections then it means you placed IncrediblePBX2020 in a DMZ.
 
I had used ./add-ip to whitelist the IP I wanted. I can check the DD-WRT firewall to verify, but actually I don't think it is allowing everything because I had to allow the port through to set up a VPN. In any case this PBX firewall doesn't seem to be fully functional and I guess I need to fix it.
 
I had used ./add-ip to whitelist the IP I wanted. I can check the DD-WRT firewall to verify, but actually I don't think it is allowing everything because I had to allow the port through to set up a VPN. In any case this PBX firewall doesn't seem to be fully functional and I guess I need to fix it.
If you do not have much already setup then just start over with a fresh install.
 
Tried to upgrade to Asterisk ver 17 using Ward's script and even that did not work. Everything remained the same after the upgrade attempt. At this point I had already done all my config. I will do a backup and attempt a fresh install since I'm having so many problems.
 
That is probably the best thing you can do at this point if it was working before you decided to change IP and whatever else you did. I have set up several systems on CentOS 7 and have also upgraded multiple systems to Asterisk 17 using Ward's script without any issues. I have even upgraded some systems to the Asterisk 18rc and have not had any issues. I also suggest you make another backup as soon as you have the basic system operational and before you start making any changes.
 
@tine: If you're seeing hack attempts in your log, please post sanitized snippets. Unless on the whitelist, nobody should be making it to your PBX. They can't even see it.
 
It sits behind a DD-WRT router, that is allowed to pass all traffic
DD-WRT is fine, but your traffic should generally be secured by default. You do not need to port forward any ports to your incrediblePBX_IP ports (unless you are accepting calls from dynamic IPs. perhaps from mobiles but that is not a good idea.).

Your trunks should be sending to register with your ITSPs which will keep open the SIP and/or PJSIP ports as necessary; and will open the return RTP ports as necessary. You do not need to forward these either.
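
An added example, not part of any post in this thread and not Incredible PBX's own code: a small audit of `iptables -S` output that lists rules accepting SIP from any source and answers whether a given address can reach a SIP port. The rulesets, addresses and function names are constructed for illustration; rule order and DROP/REJECT rules are not modelled.

```python
import ipaddress
import shlex

SIP_PORTS = {5060, 5061}
# Constructed `iptables -S` output, NOT the ruleset Incredible PBX ships.
# WEAK is the same ruleset plus one rule accepting SIP and RTP from any source.
STRICT = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A INPUT -s 203.0.113.25/32 -p udp -m udp --dport 5060 -j ACCEPT
"""
WEAK = STRICT + "-A INPUT -p udp -m multiport --dports 5060:5061,10000:20000 -j ACCEPT\n"

def parse(text):
    """Return INPUT-chain ACCEPT rules with their source network and port ranges."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        # Negated matches ("!"), rule order and jumps to other chains are ignored.
        if tok[:2] != ["-A", "INPUT"] or tok[-2:] != ["-j", "ACCEPT"] or "!" in tok:
            continue
        rule = {"raw": line, "src": None, "ports": []}
        for flag, val in zip(tok, tok[1:]):
            if flag == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif flag in ("--dport", "--dports"):
                for part in val.split(","):
                    lo, _, hi = part.partition(":")
                    rule["ports"].append((int(lo), int(hi or lo)))
        rules.append(rule)
    return rules

def covers_sip(rule):
    return any(lo <= p <= hi for lo, hi in rule["ports"] for p in SIP_PORTS)

def any_source(rule):
    return rule["src"] is None or rule["src"].prefixlen == 0

def open_sip_rules(rules):
    """Rules that accept SIP signalling without restricting the source address."""
    return [r["raw"] for r in rules if any_source(r) and covers_sip(r)]

def sip_reachable_from(ip, rules):
    """True if an ACCEPT rule lets this source address reach a SIP port."""
    addr = ipaddress.ip_address(ip)
    return any((any_source(r) and covers_sip(r)) or
               (not any_source(r) and addr in r["src"] and (covers_sip(r) or not r["ports"]))
               for r in rules)
```

On a live system the input would be the text printed by `iptables -S`; an empty result from `open_sip_rules` means no parsed rule admits SIP from unlisted sources.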
 
