Help, I’ve been blocked from my PBX!

[HOW TO] Help, I’ve been blocked from my PBX!

Note: This post assumes you’re running FreePBX Distro 13 or higher

If your FreePBX instance has suddenly become unreachable, chances are you’ve been blocked by one of the included network security mechanisms in FreePBX. The good news is that it’s working! The bad news is now you have to somehow work out a way to get yourself unblocked, figure out how you got blocked, and stop it from happening again.

What Blocked Me?

Intrusion Detection (fail2ban)

If you’ve suddenly lost access to the server, this is the most likely culprit. Intrusion Detection scans log files and looks for failed login attempts and other types of unauthorized access, and then temporarily bans the IP of the “attacker”.

Virtualmin Server Configuration on Vultr VS

Initial Configuration

In your Vultr Control Panel, set up an Ubuntu or Debian Server instance and SSH into it. Then add a repository that will provide your server with multiple PHP versions and update. If you need to, you can change the hostname in /etc/hostname and the FQDN in /etc/hosts.

For CentOS Install
Change selinux to disabled in /etc/selinux/config and save and reboot.
# yum install centos-release-scl setroubleshoot-server bzip2 -y
# yum update -y
# yum install rh-php71 rh-php71-php-fpm rh-php71-php-cgi rh-php71-php-mysqlnd rh-php71-php-imap rh-php71-php-curl rh-php71-php-gd rh-php71-php-xmlrpc rh-php71-php-xsl rh-php71-php-mbstring rh-php71-php-zip rh-php71-php-cli rh-php71-php-dom rh-php71-php-pdo rh-php71-php-soap rh-php71-php-json rh-php71-php-xml rh-php71-php-pear rh-php71-php-bcmath rh-php71-php-pecl-apcu rh-php71-php-pecl-apcu-devel rh-php71-php-intl -y
# yum install rh-php72 rh-php72-php-fpm rh-php72-php-cgi rh-php72-php-mysqlnd rh-php72-php-imap rh-php72-php-curl rh-php72-php-gd rh-php72-php-xmlrpc rh-php72-php-xsl rh-php72-php-mbstring rh-php72-php-zip rh-php72-php-cli rh-php72-php-dom rh-php72-php-pdo rh-php72-php-soap rh-php72-php-json rh-php72-php-xml rh-php72-php-pear rh-php72-php-bcmath rh-php72-php-pecl-apcu rh-php72-php-pecl-apcu-devel rh-php72-php-intl -y
# yum install rh-php73 rh-php73-php-fpm rh-php73-php-cgi rh-php73-php-mysqlnd rh-php73-php-imap rh-php73-php-curl rh-php73-php-gd rh-php73-php-xmlrpc rh-php73-php-xsl rh-php73-php-mbstring rh-php73-php-zip rh-php73-php-cli rh-php73-php-dom rh-php73-php-pdo rh-php73-php-soap rh-php73-php-json rh-php73-php-xml rh-php73-php-pear rh-php73-php-bcmath rh-php73-php-pecl-apcu rh-php73-php-pecl-apcu-devel rh-php73-php-intl -y
# systemctl enable rh-php73-php-fpm
# systemctl start rh-php73-php-fpm
# systemctl enable nginx
# systemctl start nginx

For Ubuntu Install
# add-apt-repository ppa:ondrej/php
# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade
# apt install php5.6-cgi php5.6-mysql php5.6-curl php5.6-gd php5.6-imap php5.6-mcrypt php5.6-tidy php5.6-xmlrpc php5.6-xsl php5.6-mbstring php5.6-zip php5.6-cli
# apt install php7.1-cgi php7.1-mysql php7.1-curl php7.1-gd php7.1-imap php7.1-mcrypt php7.1-tidy php7.1-xmlrpc php7.1-xsl php7.1-mbstring php7.1-zip php7.1-cli
# apt install php7.2-cgi php7.2-mysql php7.2-curl php7.2-gd php7.2-imap php7.2-tidy php7.2-xmlrpc php7.2-xsl php7.2-mbstring php7.2-zip php7.2-cli

For Debian Install
# apt-get update
# apt-get -y install curl wget gnupg2 ca-certificates lsb-release apt-transport-https
# wget https://packages.sury.org/php/apt.gpg && apt-key add apt.gpg
# echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php7.list
# apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade
# apt-get -y install php7.1 php7.1-cgi php7.1-mysql php7.1-curl php7.1-gd php7.1-imap php7.1-mcrypt php7.1-tidy php7.1-xmlrpc php7.1-xsl php7.1-mbstring php7.1-zip php7.1-cli php7.1-common php7.2 php7.2-cgi php7.2-mysql php7.2-curl php7.2-gd php7.2-imap php7.2-tidy php7.2-xmlrpc php7.2-xsl php7.2-mbstring php7.2-zip php7.2-cli php7.2-common php7.3 php7.3-cgi php7.3-mysql php7.3-curl php7.3-gd php7.3-imap php7.3-tidy php7.3-xmlrpc php7.3-xsl php7.3-mbstring php7.3-zip php7.3-cli php7.3-common php7.4 php7.4-cgi php7.4-mysql php7.4-curl php7.4-gd php7.4-imap php7.4-tidy php7.4-xmlrpc php7.4-xsl php7.4-mbstring php7.4-zip php7.4-cli php7.4-common
# update-alternatives --set php /usr/bin/php7.3
# php -v

Now download the Virtualmin install script and run the install. The command shown below will install a minimal version of Virtualmin using the Nginx server instead of Apache which should consume less memory:

# wget https://software.virtualmin.com/gpl/scripts/install.sh
# sh install.sh -m -b LEMP

When you first log in to Virtualmin, it will run the Install Wizard. Make sure to use Vultr’s DNS servers when it asks for a primary and secondary DNS. Also, under System Settings > Virtualmin Configuration click on SSL Settings and choose yes for “Request Let’s Encrypt certificate at domain creation time?” and “Redirect HTTP to HTTPS by default?” and save the changes. Next, go to Webmin -> Others -> PHP Configuration and edit the default PHP configuration being used so that users can upload larger files. This can be done by increasing the Maximum file upload size and Maximum HTTP POST size. Now go to Webmin -> Hardware -> System Time and configure your timezone and synchronize with a time server (pool.ntp.org). Then go back to your Vultr Control Panel and click on “Server Details” for your Server instance. Then click on “Settings” and change the Reverse DNS to your server’s full host name (i.e. host.yourcompany.com).

Creating a Virtual Server

Within Virtualmin, click on “Create Virtual Server”. Enter the domain name and a user password and then click on “Enabled Features” and make sure that the box next to “Setup SSL website too?” is checked, then click on the “Create Server” button. Before the server will work, you need to add the domain to your DNS settings in your Vultr Control Panel. A sub-server can be created by clicking on “Create Virtual Server” and then selecting the sub-server button at the top of the page next to “New virtual server type”. Also, a redirect can be created by going to Server Configuration > Website Redirects and clicking on the “Add a new website redirect” button, then adding “/” for the source URL path and the redirect URL for the destination.

After creating a new virtual server for your primary domain, create a mail alias by creating a new virtual server and selecting ‘Alias’. Then go to Server Configuration > SSL Certificate and click the “Copy” buttons to copy it to all the services that it will be used for.

Now go to Virtualmin > Email Settings > DomainKeys Identified Mail. You probably won’t have a DKIM filter installed on your server. Virtualmin will give you an option to install it. Do it and then enable ‘Signing of outgoing mail’. Enter the current year for the selector and click on save. Add your primary domain with the “mail” prefix to the “additional domains to sign for” section (i.e. mail.yourcompany.com). Also, make sure that your domain name is listed in there (i.e. yourcompany.com). You will also need to make sure that both ‘Signing of outgoing mail enabled?’ and ‘Reject incoming email with invalid DKIM signature?’ are set to yes.

Next, go to Server Configuration > DNS Options under your domain name and make sure that the IP address isn’t repeated in ‘Allowed sender IPv4 addresses’. Change “Action for other senders” to “Discourage”, “DMARC record enabled?” to “Yes”, and “DMARC policy for emails that fail SPF or DKIM” to “Quarantine email”.

Last, go to Virtualmin > Email Settings > Mail Client Configuration and enable mail client autoconfiguration. You can set a default domain by logging into Virtualmin, choosing your desired domain from the drop-down on the left, then clicking Server Configuration -> Website Options, and setting “Default website for IP address” to “Yes”. You can also set the default PHP execution mode to FPM under System Settings -> Server Templates and selecting PHP Options from the drop-down list.
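
The SPF and DMARC choices above end up as TXT records in the domain’s DNS zone. The script below is an added example, not part of the original guide or of Virtualmin: it audits a pair of TXT values for what the guide asks for (no repeated ip4 sender, an “all” that is softfail or stricter, a DMARC policy of quarantine or stricter). The function names and the sample records (using the documentation address 203.0.113.10) are constructed, and it assumes Virtualmin publishes “Discourage” as ~all.

```shell
# Added example (constructed names and records): audit SPF/DMARC TXT values.

# Qualifier on the SPF "all" mechanism (+ ? ~ -), or "none" if it is absent.
spf_all_qualifier() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^[+?~-]?all$/) {
            q = $i; sub(/all$/, "", q)
            print (q == "" ? "+" : q); exit    # bare "all" means +all
        }
        print "none" }'
}

# Each ip4 sender that appears more than once in the SPF record.
spf_duplicate_ip4() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            t = $i; sub(/^\+/, "", t)
            if (t ~ /^ip4:/ && ++seen[t] == 2) print substr(t, 5)
        } }'
}

# Value of the DMARC p= tag (lower-cased), or "none" if the tag is missing.
dmarc_policy() {
    printf '%s\n' "$1" | awk -F';' '{
        for (i = 1; i <= NF; i++) {
            t = $i; gsub(/[ \t]/, "", t)
            if (t ~ /^p=/) { print tolower(substr(t, 3)); exit }
        }
        print "none" }'
}

# $1 = SPF TXT value, $2 = _dmarc TXT value. Returns 0 only if every check passes.
audit_mail_dns() {
    rc=0
    case "$(spf_all_qualifier "$1")" in
        "~"|"-") ;;
        *) echo "SPF: other senders are not discouraged (want ~all or -all)"; rc=1 ;;
    esac
    dup=$(spf_duplicate_ip4 "$1")
    [ -z "$dup" ] || { echo "SPF: repeated ip4 sender: $dup"; rc=1; }
    case "$(dmarc_policy "$2")" in
        quarantine|reject) ;;
        *) echo "DMARC: policy does not quarantine failing mail"; rc=1 ;;
    esac
    return $rc
}

# Constructed records: repeated sender IP, neutral "all", DMARC not enforcing.
audit_mail_dns 'v=spf1 a mx ip4:203.0.113.10 ip4:203.0.113.10 ?all' \
               'v=DMARC1; p=none' || echo "records do not match the guide"
```

To audit a live domain, pass the TXT values published for yourcompany.com and _dmarc.yourcompany.com, with the surrounding quotes removed.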

Configure Baikal CalDAV/CardDAV Server used for Calendar/Addressbook Syncing

In Virtualmin, create a new virtual server using the steps above which will be used to host the Baikal CalDAV/CardDAV server. Download the latest release here. Copy all of the files in the “html” folder of the zip file into the “public_html” folder of your virtual server. The rest of the files get copied into the parent folder. Make sure that the “Specific” folder is writable by your webserver process. Now you should be able to run the server installer by accessing this virtual server from a browser.

Configure Roundcube

In Virtualmin, click on “Install Scripts” and choose “Roundcube”. After it installs, add the CardDAV plugin manually by uncompressing it in the plugins folder and adding ‘carddav’ to the config.inc.php file. Until an official CalDAV Calendar plugin is developed, we will just have to go without a calendar for a while… Set up the CardDAV plugin by having it connect to your Baikal CardDAV server at https://dav.yourcompany.com/dav.php/addressbooks/username/addressbookname. Now you can test out your mail server configuration by going to mail-tester.com. If DKIM is failing, then try editing /etc/opendkim.conf and make sure that the line beginning with ‘Socket’ has ‘inet:8891@localhost’ after it.

Configure Scheduled Backups

In Virtualmin, click on “Scheduled Backups” and click on the “Add a New Backup Schedule” button. Select the virtual servers and features that you want to backup. Next select your destination server and path. You can use “%Y-%m-%d” in the path to show the date. Last, you will need to select when the backup will run and then click on the “Save Schedule” button.

Network Booting LibreElec to Raspberry Pi’s from a Synology NAS

Work Environment

NAS: Synology DS216+II with DSM 6.1.7-15284

Netgear WNDR3700v2 Router Running Gargoyle Firmware version 1.10.0 or DD-WRT v3.0-r40559 std (08/06/19)

Raspberry Pi’s

Before you begin

Enable SSH on the NAS.

If you have a battery backup unit then enable UPS.

Download LibreElec image files for all architectures of Raspberry Pi’s on the network (i.e. RPi1, RPI3)

If your router acts as the DHCP server in your network then it will need to support network booting (most do not) if you want to continue to use it as the DHCP server, otherwise you will need to disable DHCP on your router and setup a DHCP server on your NAS. An alternative is to install a Linux firmware to your router if it’s possible (i.e. OpenWRT, DD-WRT, etc.) which is the scenario used for this guide.

Building a TV Server on a Synology NAS (Updated)

Work Environment

NAS:  Synology DS216+II with DSM 6.1.7-15284

Before you begin:

Enable SSH.

If you have a battery backup unit then enable UPS.

You will need to donate $20 to http://mc2xml.awardspace.info to get a version of the software that will run on your Synology if it uses an ARM processor and won’t run the standard x86 version that you can download from the site. The DS216+II in this tutorial has an Intel x86 / x64 processor so the standard x86 version will work just fine.

You will also need a subscription to Schedules Direct.

Add SynoCommunity to your package sources. Install the latest version of Tvheadend. You might need to enable beta versions to get the latest version of the software.

Create a Windows Share folder on your Synology called “public” and make sure the “sc-media” user has read/write access to it.

Setting Up MythTV on an Odroid C2

passwd root
apt-get update
apt-get upgrade
apt-get dist-upgrade
apt autoremove
reboot
apt-get install nano mariadb-server apache2 open-iscsi
nano /etc/apt/sources.list.d/webmin.list

deb http://download.webmin.com/download/repository sarge contrib

wget http://www.webmin.com/jcameron-key.asc
apt-key add jcameron-key.asc
apt-get update
apt-get install webmin

Launchpad Configuration

  1. Import your PGP Keys
  2. Install dput, dh-make, devscripts, & config-package-dev packages.
  3. Open /etc/dput.cf file and change Launchpad section to:
    [testppa]
    fqdn            = ppa.launchpad.net
    method            = ftp
    incoming        = ~[LaunchpadID]/testppa/ubuntu
    login            = anonymous
    allow_unsigned_uploads  = 0
  4. The following are the commands used to build source and upload to Launchpad.
    cd test-x.x.x.x
    dh_make --single --native --copyright apache --email [LaunchpadEmail]
    rm debian/*.ex debian/*.EX
    debuild -S -k[LaunchpadEmail] --buildinfo-option="-O"
    dput testppa ../test_x.x.x.x_source.changes

Moving/Copying your PGP Keys

Once you’re using PGP, you may want to be able to sign email from more than one location, or you may switch computers. There are a few ways to accomplish this.

Copy All GnuPG Data

Your first choice is to copy all of your GnuPG data. This is a lot more data than just your key, but is still likely to be under 5MB. This method will copy all of your keys, everyone’s key you have, and your entire trust database. It’s ideal for backup, or for moving to a new computer. Simply copy all the contents of your GnuPG data directory, which would be as follows:

  • Windows: C:/Documents and Settings/username/application Data/GnuPG
  • Unix/Linux/Mac: ~/.gnupg

Where username is your Windows username. Just simply copy the entire contents of that directory from one machine to the other and you will be set. There are many ways to move this data, which I won’t cover. Some examples might be zipping the data up and copying it to a disk.

This will also work between different operating systems.

Configuring Syncthing in Windows, Linux, and on a Synology NAS

Syncthing is a useful open source tool to keep all of your files in sync over multiple computers. It works like Dropbox, but it’s a peer-to-peer system instead of having a central repository to host all of your files.

Windows Set Up

  1. Download the Windows client from the Syncthing website.
  2. Copy the EXE file to a folder on your Windows machine.
  3. Create a Batch file in the same folder with the following:
    • start "Syncthing" syncthing.exe -no-console -no-browser
  4. Create a shortcut to the batch file and copy it to the startup folder. The startup folder can be accessed by entering “shell:startup” in the run dialog box.
  5. Admin interface is located at http://127.0.0.1:8384.

Update: SyncTrayzor is a small stand-alone browser that automatically runs, restarts, updates etc. Syncthing for you.


Configuring Syncevolution to Sync via CalDAV/CardDAV

Open up a terminal window and enter the following, replacing {hosturl}, {emailaddress}, and {password} with your own credentials:

$ syncevolution --configure --template webdav syncURL=https://{hosturl}:2080/ username={emailaddress} password={password} target-config@webdav
$ syncevolution --print-databases syncURL=https://{hosturl}:2080/ username={emailaddress} password={password}

The above command will show you the database URLs. Since my addressbook wasn’t