Just upgraded to 2.10 but backup/restore and sys admin will not upgrade

Hi Bryan,

I am running 32Bit.

It was originally installed from FreePBX Net Distro 1.89.210.57

Can you ensure you have zend_extension=/usr/lib/php/modules/ZendGuardLoader.so in /etc/php.d/zendguard.ini and /usr/lib/php/modules/ZendGuardLoader.so exists for me?

I do have the entry in /etc/php.d/zendguard.ini BUT with zend_extension=/usr/lib64/php/modules/ZendGuardLoader.so and I’m not running 64 bit.

I see the file for 64 bit is NOT installed, but the 32 Bit is
-rwxr-xr-x 1 root root 911404 Nov 22 2011 /usr/lib/php/modules/ZendGuardLoader.so

Should I change the ini file?

FYI I confirmed 32Bit install:
uname -m results in i686

I also tried pointing the /usr/lib64/php/modules/ZendGuardLoader.so to /usr/lib/php/modules/ZendGuardLoader.so, restarted the system, and the resulting attempt to install system admin gave me this message and basically didn’t work:
Please wait while module actions are performed
Successfully copied LoadLicenseIfExists.php.

In the end, that doesn’t work.

VoIPTek,
I’m not sure why the zendguard.ini is using lib64 on 32 bit, however I’m gonna try to load up a system and see if I can recreate it. However, after you changed it to point to the correct location, you stated that in the end it doesn’t work. In order for me to debug the issue further I need to know what exactly is showing after the install completes and you go to the System Admin Module. Also, have you checked your apache error log to see if it’s erroring out somewhere?

So I reinstalled Zend & PHP via RPMs with no luck.

In respect to the error log I find this entry when trying to install the module:
PHP Fatal error: Call to undefined function posix_getpwuid() in /var/www/html/admin/modules/sysadmin/functions.inc/vpn.php on line 0, referer: http://pbx.securitylamer.com:665/admin/config.php

Wow, how cool is that, you put the link to the system in an open post. Free Phone Calls!!!

Seriously, don’t do that. I edited your post for you.

Also, you changed the web server port, wonder if that has anything to do with it.

VoIPTek,
The error you posted means you are missing the php-process rpm. Run yum install php-process. The distro installs this, so this could have been removed when reinstalling Zend and PHP depending on how you did it.

Thanks SkyKingOH, missed that one!
I usually modify those… I noticed it when I was testing the updates Bryan recommended and saw that in the error log, when I went back to check what I posted I saw your post.

One other note, the port hasn’t caused an issue on any of the other boxes.
The port was a small step in securing against some of the “script kiddies”

So that fixed it? You know my opinion on opening up HTTP.

A question: how many users access the ARI and FreePBX from the Internet? Can you use ssh proxy or restrict access via iptables?

Yes, the bigger issue is when you are remote and need to access the system for the client. We usually remote to our office and from there into the clients, and through firewall rules restrict to only our office IPs. We add the port for those times where the client wants the outside access, to “try” to make it a little harder on the script scanners.

We restrict SSH via either client firewall or hosts.allow / hosts.deny rules and ACLs.

Do you have any suggestions on securing tftp? In some environments where the server is in the cloud I was thinking of using the hosts.allow concept, but hadn’t had a chance to test yet. Of course that also means the clients have a fixed IP within their remote locations.

Thanks for your help!

Thanks Bryan, that did the trick.
FYI the app was not installed as I scroll back through session history when I checked PHP files with rpm -qa | grep -i php and it wasn’t listed before either.

Very strange. That was an upgraded box and I did re-run the last 2 upgrade scripts to ensure everything was installed properly.

As far as securing remote clients. The Juniper firewalls we use allow building policies based on FQDN so we can say permit tcp 5060 from phone1.joeblow.com

We are running our own dynamic DNS so this is easy to keep up with.

As far as accessing for maintenance, you are working way too hard:

1 - Change the SSH port to something else
2 - Secure SSH to not allow root logins
3 - You now have a reasonably secure SSH running
4 - Use the PuTTY client, connect to SSH.
5 - Click on Change Settings/SSH/Tunnels in Putty
6 - Click dynamic radio button
7 - Put an odd port in the source port field (like 8122)
8 - Now go to network settings in your browser (Firefox lets you do this without affecting other browsers)
9 - Choose a SOCKS proxy for port 80
10 - For the proxy address enter ‘localhost’

You now have remote access to the box, fully encrypted via the SSH tunnel.

Thanks, that’s a good way to configure it. What about for the phones that are provisioning over the wire, in order to restrict who can “read” that info, since TFTP is insecure?

In some cases where the client server is in the cloud / rented we don’t have a firewall in front of the box, so we resort to settings like I mentioned or as you have suggested.

We typically use an RSA 2048 bit key and disable clear text login. Wherever possible we also use firewalls that use FQDN to limit access as much as possible.

I guess I would not run a PBX on a cloud rented box not designed for it.

Of course I am highly prejudiced, my company specifically offers hosted PBXs behind Juniper SSGs with peers to a half dozen IPs. I sell “you get what you pay for” all day long.
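Added example, not part of any post in this thread: a small check of an sshd_config for the SSH settings recommended above (steps 1 and 2 of the tunnel procedure, and key-only login with clear text login disabled). The function names `first_value` and `audit_sshd`, the port 8022 and both sample configs are constructed for illustration; only the global section of the file is read.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the three
# settings discussed in the thread. Function names and samples are constructed.

# first_value FILE KEYWORD -> first global value (sshd keeps the first it reads)
first_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }      # ignore conditional overrides
        $1 ~ /^#/ || NF < 2    { next }      # skip comments and bare keywords
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE -> space-separated findings, empty when all three pass
audit_sshd() {
    port=$(first_value "$1" Port)
    root=$(first_value "$1" PermitRootLogin)
    pass=$(first_value "$1" PasswordAuthentication)
    findings=""
    # Unset Port means 22; unset PasswordAuthentication means yes.
    if [ "${port:-22}" = "22" ]; then findings="$findings port-default"; fi
    # Only an explicit "no" counts: the compiled-in default varies by version.
    if [ "${root:-unset}" != "no" ]; then findings="$findings root-login"; fi
    if [ "${pass:-yes}" != "no" ]; then findings="$findings password-auth"; fi
    echo "${findings# }"
}

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Constructed sample: a stock-looking config before hardening.
cat > "$tmpdir/before" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample: the same file after applying the thread's advice.
cat > "$tmpdir/after" <<'EOF'
Port 8022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "before: $(audit_sshd "$tmpdir/before")"
echo "after:  $(audit_sshd "$tmpdir/after")"
```

On a real host, point `audit_sshd` at /etc/ssh/sshd_config; settings inside `Match` blocks are not evaluated by this check.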