Archive for Security

Installing FusionPBX successfully — Part 2: Installing FusionPBX

Continued from Installing FusionPBX successfully — Part 1: Installing Debian Linux

I apologize that these are so hard to read unless you click on them, but I’ll try to put the pertinent points in text.

This is the login screen you get once the Debian installation is complete and the system reboots:

To get the FusionPBX install started, enter

sudo apt-get install subversion

Since this is the first time you are using sudo, you’ll be asked to enter your password:

When that operation finishes, enter

sudo svn checkout https://fusionpbx.googlecode.com/svn/trunk/scripts/install/ubuntu/ /usr/src/install_fusionpbx

sudo chmod 755 /usr/src/install_fusionpbx/install_fusionpbx.sh

sudo ln -s /usr/src/install_fusionpbx/install_fusionpbx.sh /usr/local/bin/

sudo /usr/local/bin/install_fusionpbx.sh install-both user |tee /tmp/install_fusion.log

IMPORTANT: Instead of that last line, if you want to have fewer pauses in the script than the number shown below, you might want to try this instead, but if you use this option, you need to manually change the variables in the script (use sudo nano /usr/local/bin/install_fusionpbx.sh and look at the top of the file; the variables to be edited are quite obvious.  For the database I strongly suggest that you select SQlite, which is the default, unless you want a botched installation — see my comments below).  You might also add more modules (if you need/want them) in the defines section. See the comment by soapee01 in the comments section:

sudo /usr/local/bin/install_fusionpbx.sh install-both auto |tee /tmp/install_fusion.log

I’m told that by using “auto” instead of “user“, the script will have fewer pauses where you are asked to press “ENTER”, but you do have to manually edit the script first. I didn’t know that at the time, so I went with the first option:

When you get to this point, you might question whether you are running the wrong script. You aren’t; there’s only one script for both Ubuntu and Debian, so answer y:

If you are doing a brand new install as we are doing here, then you just downloaded the latest install script, so answer y when asked if you want to continue. Otherwise the script will abort and you will just need to start over:

This is the first of several places where the script will stop and ask you to press ENTER. Presumably you won’t see most such screens if you run the script in auto mode:

This is the part that got me. “Press ENTER to continue (check for errors)” — you see this a lot, and honestly I probably wouldn’t know an error unless it printed blinking red text saying “THIS IS AN ERROR”.

“Press ENTER to continue (check for errors)” again…

And again…

And again…

And again…

And again…

And again, after some attempt to display something unreadable in large ASCII art…

And again…

And again (by about this point you start to wonder if it will ever end)…

And again…

And again (just shoot me now)…

FINALLY, an actual question, asking if you prefer Apache or Ngnix.  When I did this, I couldn’t care less, and Ngnix is the default, so I accepted that. But now I realize that this may have been the wrong choice, if only because you can’t use .htaccess files to secure Ngnix.  If I ever do this again, I’ll choose Apache:

Oh no, we are back to this again…

Aaaaaaarrrrrrrggggggghhhhhhh…….

Can I get a robot that will just press ENTER for me?

And finally another actual question, asking whether you want to use MySQL, PostgreSQL, or SQlite. Since SQlite is already installed and required, why would I want a second database? Well, I might if I were running a system with a higher number of users or phones (see soapee01′s comment in the comments section), or if I plan on adding any software that depends on MySQL.  The default is to use SQlite, so I accepted it, but there have been a couple of times when I wished I had chosen MySQL.  Then again, when I tried doing a reinstall and choosing MySQL, it turned into a disaster that basically meant I had wasted a couple hours of my life (see Oh, FusionPBX, how you vex me for the details, but I’ll warn you ahead of time that I was not in particularly good humor when I wrote that).  If you don’t need anything more than SQlite, pick that, but if you do need something more than SQlite then I would personally avoid FusionPBX until they can get their documentation and the instructions given in the install script to match reality, unless you don’t mind the frustration of doing the installation process multiple times until you get it right.

Finally you get to the point where you need to go to the web-based GUI and enter some information. It will display this message, and wait for you to use the browser to complete the installation:

When you get to this screen on your browser, the Username and Password are probably the only things you need to fill in (and maybe change the Database Type if you selected something other than SQlite). BE CAREFUL when you fill these in – if you make a typo and don’t notice it, you will not be able to access the GUI and will probably need to restart the installation from scratch! So take a careful look at what you have entered, and make use that you actually typed what you think you’ve typed before clicking on “Next”:

On this screen, you will most likely only want to click “Next”, which completes the installation:

The install is finished, and you are returned to a command prompt:

The browser will go to a login screen:

And that completes the FusionPBX installation. It’s not difficult, but there is sometimes a considerable amount of time between the prompts to press ENTER, so most people would tend to wander off and do something more interesting, only to come back later and find it sitting on the next prompt to press ENTER. In my opinion, the Wiki page containing the instructions should advise inexperienced users to run the script in auto mode rather than user mode. I was going to go in and add something to that effect, but something is broken in the registration process and I could not complete a registration for the Wiki. I’m told the Wiki was recently moved to a new server, and apparently the configuration got messed up a bit.

After completing the installation this way, FusionPBX actually seems to run without errors. Configuration via the web-based GUI doesn’t appear to be difficult, although there are a couple of “gotchas” if you are attempting to connect to an Asterisk server (it works, but the configuration involves a couple of non-obvious things that are probably just differences between FreeSWITCH and Asterisk). Since I am just getting started with this and only working on it in my spare time, I’ll try to cover those in my next article.

By the way, if you ever want to upgrade FusionPBX to the latest version and you have installed it essentially the same way I did, there are a couple ways to do it. Probably the easiest way is to go to the Linux command prompt and issue these commands:

cd /var/www/fusionpbx
sudo svn update

It should show you a list of added and updated files, followed by “Updated to revision nnnn.” (where nnnn is the revision number).

The other option is to run this command:

sudo /usr/local/bin/install_fusionpbx.sh upgrade-fusionpbx auto

If you ever want to upgrade FreeSWITCH, you can do this, BUT AT YOUR OWN RISK. I temporarily broke a working system doing this, so if you don’t have the skills to troubleshoot a broken installation then don’t do this, at least not without making a full system backup first. That said, if things don’t work immediately after the upgrade (or even after a system reboot, for that matter), don’t immediately panic – it seems that it may take a few minutes for everything to start working again.

sudo /usr/local/bin/install_fusionpbx.sh upgrade-freeswitch auto
sudo /usr/local/bin/install_fusionpbx.sh fix-permissions auto
sudo service freeswitch restart

Note that the use of “auto” at the end of the above lines will skip many of the pauses and prompts to press ENTER.  If you really want those, substitute “user” for “auto“.

A word about firewalls:

The Easy Install script did not appear to install a firewall, though in theory it probably should have. It does install Fail2Ban, but if there’s no firewall that doesn’t help much. To see if the firewall is running, enter

ufw status

from the Debian or Ubuntu Linux command prompt. If it shows you a list of firewall rules, then it is installed. But if you get a “command not found” message, then you will need to install it using:

apt-get install ufw

Then you need to add the firewall rules. Go to the Ubuntu Firewall page on the FusionPBX wiki and enter the lines in both text boxes, in the order shown, except for the last one (don’t enter the ufw delete 3 line).

If you know what you are doing you can modify those rules as necessary. In my experience, after making any changes to the firewall you may need to restart Fail2Ban (service restart fail2ban). I’m still not quite sure how all this works, since my experience with Linux firewalls is entirely with iptables on CentOS, and even then I generally use Webmin to do my firewall configuration. So, if you see any holes in this strategy, or anything else that needs to be done to tighten up the firewall or make Fail2Ban work as it should, please leave a comment in the comments section!

Configuring E-mail if you elected to install a mail server during Debian installation in part 1:

To configure e-mail if you elected to install a mail server when installing Debian, from a Linux command prompt run:

sudo dpkg-reconfigure exim4-config

How you answer the questions will depend on your installation, and what you want the mail server to do. If you only want to use it to send mail to the Internet (for example, voicemail notifications/recordings), AND your server is on a fixed IP address, you can probably select “internet site; mail is sent and received directly using SMTP” on the first screen, and pretty much accept the defaults from there (this may or may not work if you are on a dynamic IP address — some hosts will reject your mail in that situation). I don’t advise using your PBX server to also handle general e-mail traffic but I suppose that if you have low volumes of voice and mail traffic, you might get away with it.

Limiting access to Apache:

If you installed Apache as I suggested, perhaps you would not like the entire world to be able to get to the login screen of your PBX.  There is a way to limit access to certain IP address, but I will tell you right now that most of the methods you see on the web won’t work.  In particular, using a .htaccess file won’t work (there may be a way to make it work, but I have read those are rather insecure anyway) and in my experience, modifying httpd.conf (which has nothing in it to begin with) doesn’t work (you will either block everyone including yourself, or no one).  What DID work for me was adding lines similar to these to the top of /etc/apache2/apache2.conf (before the initial comments):

<Location />
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
   <— localhost address
Allow from 192.168.0.111   <— an individual IP address
Allow from 192.168.1.0/24   <— a range of IP addresses
</Location>

The above took me THREE hours to figure out, primarily because most of the pages obtained from Google gave other advice that did not work. And people wonder why I do not enjoy trying to figure out these puzzles. All you Linux people who would say that doing something like this “builds character” or “is a good learning experience” can go stick your heads in a bucket of shit and then go jump off a high cliff!

Comments (12)

If you are a Ubuntu user and you value your privacy or security AT ALL, go read this NOW!

This is a REALLY big deal for anyone that is the slightest bit protective of their privacy or security, or that doesn’t want to be a potential victim of identity theft.  Seriously, if you use Ubuntu version 12.10, don’t do another single thing on your system before you go read this.  And if you use an earlier version, do NOT upgrade to 12.10, at least not until this situation is rectified.  I’d say now is a very good time to check out other popular Linux distributions (feel free to leave suggestions in the comments).

Ubuntu has a bigger problem than its Amazon blunder (InfoWorld)

Comments (7)

Follow

Get every new post delivered to your Inbox.

Join 136 other followers

%d bloggers like this: