FreePBX 16 - Housekeeping and Security


(Lorne Gaetz) #1

We are pretty close now to releasing an early beta of the FreePBX 16 ISO. Two of the primary goals of this release have been to get to a supported version of PHP and an OS refresh; this is the housekeeping part of the release. The FreePBX Distro has always been derived from CentOS, and we had been working toward a CentOS 8 Distro OS when CentOS abruptly changed course for version 8. Luckily several projects appear to be working toward filling the void vacated by CentOS 8, but while we wait for that to happen, we are proceeding with a FreePBX 16 ISO based on SNG7 (CentOS 7). CentOS 7 still has several years of full support.

Here are the housekeeping highlights of what’s to come for the FreePBX 16 Distro ISO

  • PHP 7.4
  • Based on SNG7 (CentOS 7.8) with SNG8 OS to come later
  • Obfuscation engine for commercial modules changes from Zend to ionCube
  • chan_sip disabled by default (enabled in advanced settings)

Another primary goal was an emphasis on security improvements. Some of the security features planned for 16 are already done and have been backported to FreePBX 14/15, others are still in progress. Some of which are:

  • Major overhaul to the Firewall module and Intrusion detection (backported)
  • Allow admin to enable/disable insecure SSL protocols in System Admin https config (backported)
  • user password complexity validation for userman (in progress)
  • improvements to UCP login page (backported)
  • AMI default bind settings (in progress)

Another goal of FreePBX 16 is more integration flexibility, evidence of which has been revealed in recent forum and blog posts. The engineering team has been busily adding GraphQL API methods and documenting them on the API wiki page. We have also recently announced a beta integration with Zapier and have a few other integration projects in the pipeline but not ready to announce yet.

There are things I am undoubtedly forgetting, but all will be revealed in the formal announcements and blogs that will follow the 16 beta release.


#2

(reading between the lines, given zend -> Ioncube , pi users could maybe expect arm support and thus commercial modules sometime soon)


(Lorne Gaetz) #3

Official support is not a project goal at this point, but you’re correct that it’s no longer impossible.


(Simon Telephonics) #4

Great news.

I think the major benefit of having chan_sip disabled by default isn’t about retiring the deprecated chan_sip, it’s about not having two SIP drivers (and thus, two SIP listening ports) active at once, which seemed to be a trap for a number of admins.


(Lorne Gaetz) #5

Standardizing on a single driver (and thus single port) will reduce some confusion. But for every newb who breezes thru their first device registration, I fear there will be another user following a dated internet tutorial which describes how to set up a chan_sip trunk/ext. I’m confident the correct decision has been made here, but it will probably be a while before the chan_sip confusion is entirely behind us.


#6

And keep in mind all the VSP’s who currently categorically state that pjsip is “not supported” :wink:


#7

And thus presumably any restriction to SNGX.Y, (for me a good thing, as that surely will make your tent bigger and you would no longer need to build and maintain your own OS which must have been a resource hog :slight_smile: )


#8

They’re telling me it won’t work with pjsip …


(Lorne Gaetz) #9

I forgot to include a note about the recent API work already done and underway, and have updated post #1

Another goal of FreePBX 16 is more integration flexibility, evidence of which has been revealed in recent forum and blog posts. The engineering team has been busily adding GraphQL API methods and documenting them on the API wiki page. We have also recently announced a beta integration with Zapier and have a few other integration projects in the pipeline but not ready to announce yet.


#10

Please provide (and update) an installer tarball at the normal location (http://mirror.freepbx.org/modules/packages/freepbx/freepbx-16.0-latest.tgz) as has been the norm for past betas so those of us maintaining alternate distributions can get to work on necessary changes also.


(TheJames) #11

There is no magic to the tarball… note 16.0.10.6 was the latest tag on github

wget https://github.com/FreePBX/framework/archive/refs/tags/release/16.0.10.6.tar.gz
tar -xzvf 16.0.10.6.tar.gz
mv framework-release-16.0.10.6 freepbx
tar -czvf freepbx-16.0-latest.tgz freepbx

With those commands…
image tarfile :slight_smile:


#12

You’re still staying with CentOS? I had hoped the recent chaos with RHEL/CentOS would be the final nail in the coffin and the (overdue) switch to something predictable and reliable like Ubuntu LTS would finally be announced :frowning:

CentOS with its aging PHP components and constantly shifting release timeframes has been troublesome for the FreePBX distro multiple times if I recall correctly…


(TheJames) split this topic #13

8 posts were split to a new topic: Discussion: Open ports and asterisk


(TheJames) split this topic #16

A post was merged into an existing topic: Discussion: Open ports and asterisk


#21

Is there a way to remotely (from a script) determine what the latest release available is in?:

https://github.com/FreePBX/framework/archive/refs/tags/release/
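
One way to answer this from a script, as an added example that is not part of the original posts: list the repository's tags with `git ls-remote` and pick the highest `release/16.0.x.y` version. Only the repository URL and the `release/` tag prefix come from the thread; the function names, the four-part numeric tag format and the sample tag list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Repo URL and "release/" tag prefix
# are taken from the posts above; function names are hypothetical.
REPO_URL="https://github.com/FreePBX/framework"

# Read `git ls-remote --tags --refs` output on stdin and print the highest
# release/<series>.x.y version for the given "<major>.<minor>" series.
latest_release() {
    series="$1"
    # Keep only strictly numeric four-part tags, so a tag containing
    # unexpected characters never reaches a URL or filename built later.
    sed -n 's#^[0-9a-f]\{1,\}[[:space:]]\{1,\}refs/tags/release/\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\)$#\1#p' |
        awk -v s="$series." 'index($0, s) == 1' |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n |
        tail -n 1
}

# Query the live repository (needs git and network access).
fetch_latest_release() {
    git ls-remote --tags --refs "$REPO_URL" "refs/tags/release/$1.*" |
        latest_release "$1"
}

# Constructed sample of ls-remote output, to exercise the parser offline.
sample_tags() {
    printf '%s\trefs/tags/release/%s\n' \
        1111111111111111111111111111111111111111 16.0.10.6 \
        2222222222222222222222222222222222222222 16.0.9.12 \
        3333333333333333333333333333333333333333 16.0.2.1 \
        4444444444444444444444444444444444444444 15.0.17.30 \
        5555555555555555555555555555555555555555 '16.0.11.1;beta'
}
```

`fetch_latest_release 16.0` prints the version to substitute into the `wget` and `tar` commands from post #11; the numeric sort matters because a plain text sort would rank 16.0.9.12 above 16.0.10.6.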


(Matthew Fredrickson) #22

Hey,

Sorry I missed this question.

For now, we’re still sticking with CentOS 7.x as the release base for FreePBX. It was not without much thought and concern that that decision was made.

We originally wanted to target CentOS 8.x but the whole Streams thing messed around with that goal and so until one of the CentOS 8.x based forks gets a little more stable we’re going to stick with CentOS 7.x but add updated versions of PHP and other necessary packages for the PHP 7.x upgrade.

Matthew Fredrickson


#23

Are you also updating the mariadb version?

For us non-distro users, we have to dumb-down the db defaults of “modern” mariadb installs to match the distro’s MariaDB v5.5 default settings.


#24

Thx for this heads-up. Good to know.
We also wish there was better support for postgres, since that’s the standard database in our realm.


(Tom Ray) #25

How about some actual QA? I know there is supposed to be QA but too many simple things are being either ignored or not checked. From Advanced Recovery and the Warm Spare a few months back to now.

The Chan_SIP to Chan_PJSIP mass convertor has a pretty big bug. It is generating the outbound_proxy setting wrong. Per the Asterisk WIKI and the PJSIP configuration, the outbound proxy should be a FULL SIP URI with the ;lr tag at the end (\ is needed to escape ;); instead it is just the IP:port.

Things like this should not be something QA is missing, at all. It seems to happen way too much.
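
A check for the rule described in the post above, as an added example that is not part of the thread and is not FreePBX code: it scans pjsip-style config text and reports every `outbound_proxy` value that is not a `sip:`/`sips:` URI ending in an escaped `;lr`. The function names and the sample config (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not FreePBX code). Function names and
# the sample config are constructed; the rule checked is the one stated above.

# Read pjsip-style config on stdin; print "LINE:VALUE" for each outbound_proxy
# that is not a sip:/sips: URI ending in the escaped loose-routing tag "\;lr".
check_outbound_proxy() {
    awk '
        /^[ \t]*;/ { next }                       # whole-line comment
        /^[ \t]*outbound_proxy[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)           # drop "key ="
            sub(/[ \t]+$/, "", v)                 # trim trailing blanks
            if (v == "") next                     # unset: nothing to check
            n = length(v)
            body = substr(v, 1, n - 4)            # value without the suffix
            # An unescaped ";" starts a comment in Asterisk config files,
            # so the suffix must be the four characters backslash ; l r.
            ok = (substr(v, n - 3) == "\\;lr") && (body ~ /^sips?:[^ \t]+$/)
            if (!ok) print NR ":" v
        }
    '
}

# Constructed sample: one correct value, then the two failure modes.
sample_pjsip_conf() {
    cat <<'EOF'
[trunk-a]
type=endpoint
outbound_proxy=sip:192.0.2.10:5060\;lr
[trunk-b]
type=endpoint
outbound_proxy=192.0.2.10:5060
[trunk-c]
type=endpoint
outbound_proxy=sip:192.0.2.10:5060;lr
; outbound_proxy=ignored comment
EOF
}
```

Run over the sample, it flags line 6 (bare IP:port, the output the post describes) and line 9 (unescaped `;`).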


(Lorne Gaetz) #26

I don’t remember seeing this reported, what is the ticket number?