TIPS Troubleshoot Incredible PBX200 Public

[tine]

I had set up an Incredible PBX2020 Public and configured two extension. The PBX is on a VPS, so everything is remote to the server. I have an inbound route that points to an extension, that shows up as being registered, but when I place a call to one of my trunks there is no sign the it even reached the extension. The trunk show up as being registered also.

Do I need to whitelist the external IP of my extensions an trunk provider?

 

[kenn10]

What does the CLI show when you are calling the number into the system? Is the call even getting into the PBX? Look at your logs for clues in /var/log/asterisk/full.

 

[Eliad]

I had set up an Incredible PBX2020 Public and configured two extension. The PBX is on a VPS, so everything is remote to the server. I have an inbound route that points to an extension, that shows up as being registered, but when I place a call to one of my trunks there is no sign the it even reached the extension. The trunk show up as being registered also.

Do I need to whitelist the external IP of my extensions an trunk provider?

If you see no activity it could be your firewall

 

[tine]

My woes have now been compounded. It seems that my ISP for my home recently changed the IP of my internet connection so I cant not get to the web interface of the PBX. I can SSH to the PBX but I can not "add-ip". When I CD to /root and run that command I get response: -bash: add-ip: command not found. I'm sure I am in the /root folder and a "ls" show the command in the folder.

 

[Eliad]

My woes have now been compounded. It seems that my ISP for my home recently changed the IP of my internet connection so I cant not get to the web interface of the PBX. I can SSH to the PBX but I can not "add-ip". When I CD to /root and run that command I get response: -bash: add-ip: command not found. I'm sure I am in the /root folder and a "ls" show the command in the folder.

you have to run it ./add-ip and make sure you are the root user
it is a bit odd you can access through the SSH but not the web interface. IncrediblePBX blocks both of them if the IP changes and the new IP is not registered in the IncrediblePBX firewall.
For dynamic IP addresses you will have to use a FQDN. To do that you have to use one of the services which can provide FQDN for dynamic IP. To make it work your local firewall needs to have a client to update the IP when is changed. Some of those services are DDNS, NOIP, it all depends on what your firewall can handle

 

[wardmundy]

If it is the PUBLIC version, you need to adjust the IP address associated with your FQDN since only FQDN access to your server is permitted except for SSH.

Let me add that you probably should NOT be running a PUBLIC version of Incredible PBX. Your comments above suggest this is a new experience for you, and you would be better served by the traditional installation of Incredible PBX which has a much more secure firewall.

 

[tine]

Ok my syntax was wrong. I had to add my new IP address to be able to access the web interface. After doing that my inbound route started to work also.

@wardmundy
I had been running the traditional version of IncrediblePBX for a couple years until recently when I decided to switch to the Public version after seeing several attempts and breaking in to my system. I followed the instructions on your Nervittles site to "go public". I have a domain Name that I created an "A record" linking my the IP address of of my VPS to a name on my domain. I am able to access the PBX by both IP address and by FQDN. This is the first time I'm whitelisting an IP address but was still able to access it from the IP i has used to install it before. So maybe the firewall is not 100% functional as @Eliad suggested.

 

[tine]

@wardmundy
I thought that the Public version is more secure. Maybe I misinterpreted what I read. Is there a way to revert without re-installing?

 

[Eliad]

Ok my syntax was wrong. I had to add my new IP address to be able to access the web interface. After doing that my inbound route started to work also.

@wardmundy
I had been running the traditional version of IncrediblePBX for a couple years until recently when I decided to switch to the Public version after seeing several attempts and breaking in to my system. I followed the instructions on your Nervittles site to "go public". I have a domain Name that I created an "A record" linking my the IP address of of my VPS to a name on my domain. I am able to access the PBX by both IP address and by FQDN. This is the first time I'm whitelisting an IP address but was still able to access it from the IP i has used to install it before. So maybe the firewall is not 100% functional as @Eliad suggested.

SSH will work when you access from the IP you used for the install, that IP is whitelisted during the install.
Is my understanding the regular IncrediblePBX is actually very secure as a standard install as long as there is no messing around with the IPTABLES.
Adding the PUBLIC, if you make a mistake it could potentially open security holes. As far as I understand a well configured PUBLIC install doesn't have any better security than a regular install.
@ward is the master on this

 

[tine]

That's the strange thing. Before I did the "add-ip" I was able to access the server from both of my locations via SSH. I am sure that those IPs were not in the firewall because I not not "messed with the Firewall". So it seems that it is wide open.

 

[Eliad]

That's the strange thing. Before I did the "add-ip" I was able to access the server from both of my locations via SSH. I am sure that those IPs were not in the firewall because I not not "messed with the Firewall". So it seems that it is wide open.

This SSH behavior makes me really nervous. If you could get access from an IP that is not whitelisted then potentially anybody can use brute force to get into your server using SSH. As far as I know SSH is one of the most scanned ports for vulnerability.

 

[tbrummell]

Check /var/log/secure for SSH attempts, then you'll know for sure. Fail2ban is probably banning the failures anyway. iptables -vnL will show you anybody who's been banned (at the bottom of the output).

 

[tine]

Iptables does not show any IP addresses being banned. I also did not see anything in /var/log/secure other than my IP address being allowed.

 

[wardmundy]

@tine: I'd strongly recommend you start over.

 

[tine]

Start over and do what? Install the regular IncrediblePBX 2020? I followed the tutorial, but something may have gone wrong during install?

 

[Eliad]

Start over and do what? Install the regular IncrediblePBX 2020? I followed the tutorial, but something may have gone wrong during install?

most likely the issues you have are related to adding PUBLIC to a regular IncrediblePBX install. The regular install is pretty much bullet proof unless you start messing with the IPTABLES. @wardmundy said it numerous times, don't touch the IPTABLES.
How did you determine your old regular IncrediblePBX install had a problem with breakin? What version was it?

 

[tine]

I guess you misunderstood me, or I did not explain well. This is a fresh install of Incredible PBX2020 Public.. On the old regular IncrediblePBX I saw in the log files several attempts at breaking in to the system to the point that i think someone had configured an extension on the system. I quickly got rid of that system. If I remember correctly it was Incredible PBX 13.

 

[Eliad]

I guess you misunderstood me, or I did not explain well. This is a fresh install of Incredible PBX2020 Public.. On the old regular IncrediblePBX I saw in the log files several attempts at breaking in to the system to the point that i think someone had configured an extension on the system. I quickly got rid of that system. If I remember correctly it was Incredible PBX 13.

Then you have to follow http://nerdvittles.com/?p=31290. This is a regular IncrediblePBX install without Public bells add on. This is the one you want, this one is very secure out of the box. If you decide to try again adding Public I recommend to do a snapshot of the regular install, this way you can easily reverse to it in case Public is giving you problems.
The above link is for Centos7. You might have noticed this forum is moving from Centos install to Debian due to changes in Centos. You might want to do a Debian install.