FreePBX First Steps Part 2

FreePBX installation

Now that FreePBX Asterisk is installed, it’s time to take a few more steps. I will show you how to update the system and modules from the browser’s GUI, as well as using SSH. We will also check the network and SIP settings. Let’s get started.

Applying the Configuration

Important: After changing most FreePBX parameters, you will need to apply the configuration. Without this, the changes will not be saved. When a parameter change requires it, a red “Apply Config” button will appear in the top right corner. Only after clicking it will the changes take effect. If you need to make many changes at once, you do not have to click this button after every change. You can make all your setting changes first and then press the button once to apply them all together.

Updates

For our telephone exchange to work efficiently and be secure, we must not forget about system and module updates. We can perform updates from a web browser, the terminal, or SSH. FreePBX updates can be divided into two types:

  • Updating the Linux system on which FreePBX is installed. If you installed FreePBX from the ISO image from the official website, your exchange is based on the Sangoma Linux (SNG) operating system, which is based on CentOS and Red Hat.
  • Updating the FreePBX application and modules.

Updating from the Browser GUI

Before we start using our telephone exchange, it’s worth checking if the system and all our exchange’s modules are up to date. To update the modules, log in to your FreePBX in your browser, then click the “Admin” button at the top of the page, followed by “Updates” and “Module Updates”.

To start the update process, click “Upgrade all,” and then “Process.” A new window will appear with a list of modules requiring an update. To confirm, scroll down and click “Confirm.”

A pop-up window will appear with the progress status. It is important to wait patiently for the update to finish and not to refresh the window.

Note: The problem with updates via the browser GUI is that if dependencies between modules and applications are not met, some modules may not update on the first attempt. Therefore, repeat these steps until all modules and applications are updated.

Updating System Files

Updating system files is done similarly to updating modules, but system file updates require activation. If you haven’t done it yet, go to the “Admin” tab, “System Admin,” then click “Activate” and fill out the activation form. Activation is completely free.

After activation, go to the “System Updates” tab and click “Check online” and “Update system.”

Updating Modules and System from SSH

In my opinion, updating FreePBX from SSH is faster and more convenient, especially since after installing FreePBX Asterisk, SSH is already installed by default. If you are using macOS or Linux, simply launch the terminal and type:

ssh root@your_freepbx_ip_address

So, in my case:

ssh root@192.168.1.178

If you are logging in via SSH for the first time, you will be asked to approve the SSH key – just type “yes.”

If you are using Microsoft Windows to log in via SSH, you will need to download additional software, for example, PuTTY, SolarPutty, Xshell, or many others.

Updating the Linux System

After logging into FreePBX via SSH, just type the command yum upgrade and after refreshing the packages, confirm with the ‘y’ key.

This method of updating via SSH is much faster than updating through the browser GUI, as all modules and applications are updated simultaneously.

Updating FreePBX Application and Modules – fwconsole

fwconsole is an extremely useful application available from the FreePBX console or via SSH. It allows you to perform and restore backups, update modules, manage certificates, calendars, contacts, and much more. The available options for this application are numerous, but the most useful is moduleadmin, invoked by the command fwconsole ma, which has many available sub-options. For example, the command fwconsole ma upgradeall allows for a quick update of all modules. It is worth getting acquainted with the complete documentation of the fwconsole application on the manufacturer’s website.

Admin – Updates – Scheduler and Alerts

In the “Scheduler and Alerts” tab, you will find several useful settings. In the “Email Address” field, you can enter your email address to receive notifications about available updates. The other options are:

  • Automatic System Updates
  • Automatic Module Updates
  • Automatic Module Security Updates
  • Send Security Emails For Unsigned Modules
  • Check for Updates every – When to check for updates.

I suggest setting automatic updates only for critical security patches, and for other updates, set it to only send email notifications, as in the example below. Every update is an intervention in the Linux operating system and, like any software intervention, carries the risk of damaging the system or causing unforeseen application behaviour. Therefore, I allow automatic updates for critical security patches, but I prefer to install other updates manually after making a backup.

Admin – Updates – System Updates

In the “System Updates” tab, you can update your Linux operating system on which FreePBX is based. First, you should click “Check Online” so that FreePBX can refresh the information about available system updates.

Firewall

Securing your FreePBX system is extremely important. There are many people in the world who use scripts to scan unsecured SIP ports to gain access to telephony used in companies. The Firewall installed in FreePBX is a really effective tool for securing our system against unauthorised access, but it requires proper configuration.

Network Settings – Firewall

To begin, we will set up secure networks and IP addresses from which we will connect to our FreePBX. Go to “Connectivity,” then “Firewall” -> “Networks.” In this window, you can set the IP address of the computer, phones, and devices from which you will be connecting, or you can add your entire local network to the firewall exceptions at once.

Note: In the network settings, you have several options to choose from, including “Local” and “Trusted.” How do they differ?

  • Local: In this zone, only ports used by FreePBX are open. You can add your IP phones to this zone.
  • Trusted: Devices added to the “Trusted” zone completely bypass the firewall on any port. Only add truly trusted devices as “Trusted.” For example, your private computer from which you connect to FreePBX via SSH must be added to “Trusted” because the SSH port is not open in the “Local” zone.

Note: You must enter IP addresses in CIDR format. If you are not sure how to do this, familiarise yourself with the article on this topic on Wikipedia. In short, if you want to add a single IP address of a device to the zone (e.g., 192.168.1.21), add a slash and the number 32 at the end of the address. It will then be 192.168.1.21/32. If you want to add all 256 IP addresses of your local network, then after the network address (ending with the number 0), add a slash and the number 24. For example, you add all IP addresses from 192.168.1.0 to 192.168.1.255 by entering: 192.168.1.0/24.
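The zone and CIDR rules above can be checked before an entry is typed into the “Networks” tab. The following is an added example, not part of FreePBX or of the original article: the function name check_entry, the 256-address limit for the “Trusted” zone and the sample entries are assumptions made for illustration, and hostnames are not handled.

```python
import ipaddress

# Assumption (not a FreePBX rule): more than 256 addresses is "too broad" for Trusted.
MAX_TRUSTED_ADDRESSES = 256

def check_entry(entry, zone):
    """Return (normalised CIDR or None, warnings) for one Networks entry."""
    warnings = []
    try:
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        try:
            # strict=True rejects 192.168.1.21/24 because host bits are set.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return None, ["not an IP address or CIDR range"]
        warnings.append(f"host bits set, this covers all of {net}")
    if "/" not in entry:
        warnings.append(f"no prefix given, treated as single host {net}")
    if zone == "Trusted":
        # Trusted devices bypass the firewall on every port, so keep the range tight.
        if net.num_addresses > MAX_TRUSTED_ADDRESSES:
            warnings.append(f"{net.num_addresses} addresses would bypass the firewall")
        if not net.is_private:
            warnings.append("public address range in the Trusted zone")
    return str(net), warnings

if __name__ == "__main__":
    # Constructed sample entries, as they might be typed into the Networks tab.
    samples = [("192.168.1.21/32", "Trusted"), ("192.168.1.0/24", "Local"),
               ("192.168.1.21/24", "Local"), ("10.0.0.0/8", "Trusted"),
               ("8.8.8.8/32", "Trusted"), ("192.168.1.300/32", "Local")]
    for entry, zone in samples:
        print(entry, zone, check_entry(entry, zone))
```

The third sample shows the most common mistake: 192.168.1.21/24 does not mean one device, it means the whole 192.168.1.0/24 network.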

Network Settings and Dynamic IP Address – Firewall

If we manage and log in to our FreePBX exchange exclusively on the LAN, we can easily set up static IP addresses. But what if we log in to FreePBX over the Internet, and our provider assigns us dynamic (variable) IP addresses? Then we can use something called Dynamic DNS (DDNS). Dynamic DNS gives our changing IP address a constant hostname. There are many free DDNS providers, for example, Dynu. After registering, we will get a constant hostname for our computer, which we enter in the “Networks” tab instead of the IP address.

Dynamic IP Address – Responsive Firewall

If we have dynamic IP addresses, instead of DynamicDNS, we can use the Responsive Firewall. How does it work?

The Responsive Firewall allows devices from any IP address to send a small data packet to authorise the device – for example, sending a login and password, or a key. If authorisation fails within this short time because, for example, a person trying to break into our server does not enter the correct login and password, then that IP address is temporarily added to the blocked list. After some time, this IP address will be unblocked. If the attacker tries to break into our FreePBX exchange again, then this IP address will be blocked for a little longer, and if the attacks continue, even longer, and so on.

If you have dynamic IP addresses, enabling the Responsive Firewall is a very good idea because it handles Brute Force attacks really well. However, if you have static IP addresses, disabling the Responsive Firewall is even safer, as all untrusted IP addresses will be automatically blocked.

Interface Settings – Firewall

For all the settings in the “Networks” tab to make any sense, make sure that the interface (it will most likely be the eth0 interface for you, unless you are using a WiFi card) in the “Interfaces” tab is correctly set to the “Internet” zone. If you set your interface to the “Trusted” zone, for example, then all the rules saved in the “Networks” tab will be ignored because the “Interfaces” tab has priority over the “Networks” tab.

If you do not have a hardware firewall that would manage the opening and closing of your FreePBX ports, leave the interface in the “Internet” zone.

I’ve blocked my ports and can’t get into FreePBX!

Sometimes, through carelessness, you can block the IP of your own computer from which you connect to FreePBX. Then you will not be able to log into the administration panel of your telephone exchange. The FreePBX developers foresaw such a scenario and there is an easy way to fix it. All you have to do is restart the computer running FreePBX twice within five minutes, and the Firewall will be disabled for 5 minutes so you can unblock the IP addresses you need.

Firewall – Context Menu

While on the Firewall page, on the right side of the screen, we have access to a context menu. We will find a lot of useful information and settings there. For example:

  • Status – here we will see statistics of addresses blocked by the Responsive Firewall.
  • Services – here we can manage SSH, HTTP, HTTPS, Samba, FTP services and many others.
  • Advanced – here you will find information about the ports used by FreePBX, and an explanation of how the individual firewall zones work.

System Admin

By clicking on “Admin” and then “System Admin,” we will be taken to a window where we can manage the most important FreePBX settings. On the right side of the screen, a frame with individual system settings will appear. You can also purchase the System Admin Pro version, where you will have a few additional functions:

  • DDNS – built-in Dynamic DNS server.
  • Email setup – convenient management of the mail server from the browser.
  • Provisioning protocols – management of the FTP and TFTP server.
  • DHCP server – management of the DHCP server that assigns IP addresses on our network.
  • UPS server – you can enter the parameters of your UPS, if you have one, so that FreePBX can shut down correctly in the event of a power failure.
  • Support VPN – useful if you need IT support and want to provide them with a secure tunnel to your FreePBX so they can fix any faults.
  • VPN server – built-in Virtual Private Network server.

Activation – System Admin

If you have not yet activated your FreePBX, it is worth doing so. You can find more on this topic in the previous part of our guide: FreePBX installation of your own telephone exchange part 1.

DNS – System Admin

DNS converts human-friendly website addresses (for example, https://phonesrescue.co.uk) into IP addresses that computers understand: for example, the IP address of Cloudflare servers: 172.67.160.126.

There are many different DNS servers, for example:

  • 1.1.1.1 – Cloudflare
  • 1.1.1.2 – Cloudflare
  • 1.0.0.2 – Cloudflare with malware protection
  • 8.8.8.8 – Google
  • 8.8.4.4 – Google
  • 208.67.222.222 – OpenDNS
  • 9.9.9.9 – Quad9

Remember to add at least two different DNS servers. In the event of a failure of one of them, the other will take over the duties of converting www addresses to IP addresses. It is worth remembering that the choice of an inappropriate DNS can affect the speed and performance of our FreePBX. If we choose some exotic DNS server at the end of the world, it may slow down our exchange. If you are not very familiar with DNS servers and do not have any of your own trusted servers, choosing one of the DNS servers listed above is a good solution.

Intrusion Detection – System Admin

You also have access to Intrusion Detection from the Firewall level, as it works on a similar principle. It detects login attempts, for example, via SSH. But how does it work exactly? Look at the picture below. If you enter the wrong password 8 times (Max Retry) within 600 seconds (Find Time), you will be blocked for 1800 seconds (Ban Time). You can freely modify the individual parameters as needed. If you enter your address in the e-mail field, you will receive a notification after an IP address is blocked. In the Whitelist field, you can enter the IP addresses of your trusted private computers, then they will not be blocked regardless of how many times you enter the wrong password.

image 63
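The way Max Retry, Find Time, Ban Time and the Whitelist interact can be reproduced with a small simulation. This is an added example, not FreePBX code and not from the original article: the log format, the IP addresses and the function names are constructed, and it assumes the ban starts on the failure that reaches Max Retry.

```python
import re
from collections import defaultdict, deque

MAX_RETRY, FIND_TIME, BAN_TIME = 8, 600, 1800   # values quoted in the text above
# Constructed, simplified log format: "<seconds> sshd: Failed password for <user> from <ip>"
FAILED = re.compile(r"^(\d+) sshd: Failed password for \S+ from (\S+)")

def simulate(lines, whitelist=()):
    """Return a list of (ip, ban_start, ban_end) in the order the bans occur."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside Find Time
    banned_until = {}
    bans = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts, ip = int(m.group(1)), m.group(2)
        if ip in whitelist or ts < banned_until.get(ip, 0):
            continue              # whitelisted, or already blocked
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()      # failures older than Find Time no longer count
        if len(window) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            window.clear()
    return bans

def sample_log():
    """Constructed sample: three sources of failed SSH logins."""
    fast = [(t, "198.51.100.7") for t in range(0, 100, 10)]      # 10 failures in 90 s
    spaced = [(t, "192.168.1.30") for t in range(0, 1800, 200)]  # one failure per 200 s
    admin = [(t, "192.168.1.21") for t in range(5, 105, 10)]     # trusted admin PC
    events = sorted(fast + spaced + admin)
    return [f"{t} sshd: Failed password for root from {ip}" for t, ip in events]

if __name__ == "__main__":
    print(simulate(sample_log(), whitelist=("192.168.1.21",)))
```

With the whitelist in place only 198.51.100.7 is blocked, on its eighth failure at second 70, until second 1870. Without the whitelist the admin PC would be blocked as well.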

Network Settings – System Admin

In this window, you can set a static IP address for your FreePBX on the local network. Be sure to do this so that after a power failure at home or in the office, your FreePBX telephone exchange will still have the same IP address. However, when entering a static IP address, pay attention that it is outside the pool of addresses assigned by your router’s DHCP server. Otherwise, after a power failure, you may have IP address conflicts on your network. If you have changed the IP address and confirmed the changes by clicking “Save interface,” remember to enter the new IP address in the browser window.

Hostname – System Admin

The hostname is the name of your FreePBX server visible on the local network. The default name is freepbx.sangoma.local, but there is nothing to prevent you from changing it to your own name. Just remember not to have spaces in the name; it will be safest to use dots, for example, CreativeArt.FreePBX. After clicking “Update Hostname,” from now on, instead of the IP address on the local network, you can type CreativeArt.FreePBX.

PNP configuration – System Admin

PNP configuration is only useful if you use IP phones from Sangoma. This allows for the detection of these phones and their automatic configuration. If you do not have any Sangoma phones, you can safely disable this unnecessary option.

Time Zone – System Admin

Be sure to set the correct time zone. Imagine a situation where your company is open from 8:00 to 17:00 and during these hours FreePBX normally connects calls, and outside of working hours it informs callers that you are already closed and records calls on voicemail. What will happen if your company is in Poland, and in FreePBX you have the time zone set to Australia? Then FreePBX will redirect all incoming calls to voicemail during business hours, and at night the phones will ring. You probably wouldn’t want that, would you? That is why it is so important to set the correct time zone. Our company is located in Great Britain. If your company is located in Poland, set: Europe – Warsaw.

Note: If you have changed the time zone, simply confirming the changes with the “Submit” button is not enough; you must restart the FreePBX system for the changes to take effect. You can do this via “System Admin” – “Power Options” – “Reboot.”

Summary

In this part, we discussed the most important functions of FreePBX, activated the system, updated the system and modules, and also initially secured our system with a firewall. We will discuss the remaining functions in the next instalments.
