Building a more secure communications platform

Network security is expected to be an almost $200 billion industry by the year 2020. In a world where everything is connected, securing everything can be big business. There are thousands of security researchers working daily to find the next big exploit. We have seen some huge exploits in the last few years, such as “Heartbleed”, “Shellshock” and “Poodle”, that exploited code that had been around for years.

A blessing and sometimes a curse in open source software is that, no matter how vigilant you are, if you slip once, someone will find it. We’ve always taken security very seriously and have employed many approaches to ensuring FreePBX is secure.

FreePBX goes through continuous human and automated scanning looking for various attack vectors. From a human standpoint, we utilize internal developers who are passionate about security in both our software and the software they use. They do code reviews and code audits to ensure new code is up to par. We also work with independent security researchers who review our entire code base looking for things that may have been in the code for years.  We complement the human audits with automated tools including the RIPS scanner from ripstech.com.

RIPS, a static code analysis tool, does what would be impossible for a human to do. It looks at all 400,000+ lines of FreePBX code and runs automated checks for Cross-Site Scripting, Code Execution, Command Execution and many other exploitable vectors. From that, it generates a report detailing potential vulnerabilities that may lie in our codebase. That seems like quite a lot, but it is only the start: RIPS then details how to patch each vulnerability to minimize the risk moving forward. We bring this up because RIPS has found many code issues that we may not have found in a manual review of the FreePBX code base, and it has helped us strengthen the security of FreePBX.

With these approaches, we aim to make your PBX secure so it’s one less issue you have to worry about.

“If you’re the smartest one in the room, you’re in the wrong room.” – Richard Tirendi

It is ultimately a battle of knowledge, and someone out there is always smarter than you. This is why some vulnerabilities sit dormant for a decade (such as Heartbleed). It took that long for someone to come along and see the code in a different way. When they ultimately release the exploit, it often seems obvious.

We always welcome fresh eyes to review our code. Whether human or through machine automation we are happy to work with anyone who wants to make the world a more secure place.

Our policy on responsible reporting can be seen at http://wiki.freepbx.org/display/FOP/Security+Reporting and we appreciate all the security researchers that use their time to make the world more secure.

A special thanks to the https://www.ripstech.com team for analyzing our code and helping make FreePBX a more secure project.

FreePBX Distro 7 Beta Release

We are pleased to announce the beta release of the next FreePBX Distro. This is a huge leap forward in our distro releases. We would like to encourage early adopters to play with it and test it to ensure we have a solid platform to build FreePBX upon in the future. The new FreePBX distro is built on top of the Sangoma 7 distro, which is derived from CentOS 7.  

Some significant highlights of the new distro include:

  1. No more FreePBX Distro Updater scripts. It’s just ‘yum update’. Always. You can ‘yum downgrade’, too. (This, of course, doesn’t change FreePBX’s module versions, as usual. This is just Distro, and replaces the previous complexity of having to run multiple sequential upgrade scripts.) A forthcoming module will make this even simpler, removing the dependence on Sysadmin to do operating system upgrades.
  2. Complete UEFI support for installation and operation.
  3. Serial and USB installs are now much easier! In fact, it’s much faster to install from USB than from ISO! So much so that – depending on your feedback – installing from USB may become the recommended method of installation, with ISOs as the secondary installation method.
  4. A better development environment. If you want to develop FreePBX, you can just run ‘yum install freepbx-devel’ to prepare most of the development environment.
  5. Behind the scenes, all package updates are automated. This makes it a lot easier for us to rapidly and reliably push out fixes without needing to run multiple different steps to replicate to all the CDNs.
  6. PHP 5.6.24 and FreePBX 14

This is being shipped with FreePBX 14, as one of the features of 14 is complete support of modern PHP versions. FreePBX 14 is in early alpha. Several new features are unreleased and under development. At this stage in development, updates may come multiple times per day and things may break without notice. FreePBX 14 is not under the “Edge release system” during the alpha stage, so releases are not staggered. We welcome OS level bug reports, but FreePBX 14 issues should wait until FreePBX 14 reaches beta. (If you want to become involved in the FreePBX 14 development process, you are welcome to join us on IRC in the #freepbx-dev IRC channel!)

You can download the ISO directly from our mirrors, or via BitTorrent for fastest downloads using this magnet link or this torrent file.

If you find issues with the distro, you can report a bug at issues.freepbx.org. Select the “FreePBX Distro 7” project, or simply click on this link to go there directly.

Please note: We are tracking installations as part of this ISO. We are recording how long it took to install, the CPU type, speed, and the number of CPU cores, the amount of RAM, and the size of the disks. We are doing this so we know where to spend more effort in the development of FreePBX and the FreePBX Distro. These statistics are anonymized. No personally identifiable information is available. If you do not wish this data to be collected, please do not connect your machine to the internet while installing.

Please join us at FreePBX World and give us your feedback on both the distro and FreePBX face-to-face. Visit http://freepbxworld.com for more information and to register.

Sangoma’s Commitment to Open Source

In January of 2015, the FreePBX project became part of the Sangoma family. Being a commercial entity charged with maintaining an open source project can be a challenging endeavor at times. Furthermore, the fact that major open source projects are normally in the care of commercial organizations is usually not given much thought.

Before Sangoma, FreePBX was overseen by Schmooze Com Inc., before that Bandwidth and before that Coalescent Systems Inc. These companies have all done their parts to ensure the survival of the FreePBX project. Sangoma has been dedicated to the open source community, including FreePBX, for many years. In the last year, the FreePBX project has seen great strides, including the release of FreePBX 13 with accelerated development and bug fixes.

Sangoma has also empowered FreePBX with new open source features such as: synchronizing Active Directory with user manager, a complete rewrite of Sound Recordings, the overhaul of the FreePBX interface, playback of recordings in your browser, the addition of the firewall module, sound languages module and so much more.

More recently we’ve kicked off development on FreePBX 14, our next major release. One of the major new open sourced features we are bringing to the table is a calendaring system which will become a replacement for many of the scheduling components you use today, like Time Conditions. But we’ll be able to talk more about that in a few weeks.

FreePBX has historically been funded through professional training, professional support services, and commercial modules. These commercial modules tend to enhance the already provided open source functionality. These modules usually require special development or maintenance considerations, so they become paid modules. Over time, we constantly review our collection of commercial modules to see if any meet the requirements to become open sourced.

Thus, we have decided to release several of these commercial modules under the AGPLv3 as open sourced. Some of these modules have been unmaintained for a few years and will be put into the contributed repository to allow community members to build off of the code and revive or enhance the functions for the open source community.

We have also thrown in a few actively maintained modules such as XMPP, RESTapi and Text-To-Speech Engines that will allow broader use and community contributions. Moving forward these modules will still be maintained by Sangoma. In the coming months, we hope to have some great new features regarding RESTapi.

We hope the release of this code will inspire users to take FreePBX to the next level!

The code for these modules is now available at (or Github Respectively):

 

With these changes there is no longer a license requirement for XMPP, RestAPI or Text-To-Speech Engines; you can download these modules straight away in FreePBX 13 from Module Administration.

 

Github:

  • Core: https://github.com/freepbx
  • Contributed: https://github.com/FreePBX-ContributedModules

 

Thank you for being part of the FreePBX community!

Introducing the edge track

Starting with FreePBX Framework 13.0.96, we are improving our release process to make things more stable. Currently we update modules fairly regularly. It is our goal to get fixes to users as quickly and easily as possible. We are consistently closing out bugs as they are reported and closing out bugs from our backlog. Our full-time development team is always working to improve the user experience with FreePBX. These updates can be a blessing or a curse. While it is good to be such an active project, having daily updates on your PBX can be a hassle.

Starting with this release, modules will be released into an “edge” track. For those who want every update as it happens, you can enable the edge track and the modules will come in as they do now. This is a great idea for your test or development environments.

For production systems, updates will be on a scheduled release. With the exception of security releases, stable module releases will happen every Tuesday. Once a module meets the time and testing requirements to be released from edge status, it will be promoted as scheduled. This will give administrators a predictable and regular update process they may implement.

If you would like to set a server running FreePBX Framework 13.0.96 or newer to Edge mode, go to “Advanced settings” and set “Set Module Admin to Edge mode” to “Yes”.

Note: all users will benefit from this new process even without updating, as all FreePBX installs use the stable repository by default.

Currently Framework 13.0.96 is released under Beta in module admin. Switch framework to the Beta track to try out edge mode as modules become available.

 

If you find any bugs, please let us know at http://issues.freepbx.org

 

Thank you for using FreePBX!

Happy New Year, FreePBX 13 out of RC

2015 was a great year for FreePBX, with over 6,300 commits from 50 contributors. Through the contributions of the community and with the strong backing of Sangoma, FreePBX has made great strides toward being the best PBX platform and a great open source project.

 

We started working on FreePBX 13 over a year ago and have touched almost every aspect of the GUI. We have also made great strides in the internal plumbing. We have made FreePBX faster and more secure. Internally we have been “dogfooding” FreePBX 13, and from a development standpoint we have treated it as a release. We have watched the adoption of FreePBX 13 grow to over 11,000 installs and have caught and fixed many small edge-case bugs. We are happy to remove the RC badge and make FreePBX 13 officially stable. Users running FreePBX 13 don’t need to do anything. Users of FreePBX 12 can use the FreePBX Upgrade tool to update to FreePBX 13 automatically.

As adoption grows, there may be things we missed. If you find any issues, please open a bug at http://issues.freepbx.org.

Thank you for using FreePBX, and we look forward to what develops through 2016.