I know this Distro is only a week old BUT what are the thoughts on Asterisk 1.8 and freepbx 2.9 as a production server.


From the reports I am seeing and all the support calls that come into FreePBX Paid Support it looks very solid. I would not worry about using the Distro in a production environment at all. It is built ontop of our solid PBXact platform so all should be good.

Thanks Tony for the reply,
I read in one of the posts that iptables is left empty. maybe I miss understand but does this leave the server somewhat unprotected. I honestly don,t completely now how to block what is needed in iptables but should this not have some kind of basic firewall settings from the start.


No most phone systems are behind a router. Forcing a IPtables to a user like you leaves it so you can even open ports or change things and gives a false sense of security since you are not sure what is being blocked and how to manage it.

There is only one distro that has firewall built in and the rest leave it wide open. We are one of the few that includes fail2ban and the only one that lets you manage fail2ban from a GUI.

Hey Tony will work on it for you, should have something within a fortnight.

We would need a good 50 GB and 512 Ram

Do you need???

No we would need a VM Instance of just centos so we can setup all of the tools for YUM repos, kickstarts and everything else.

The web or SSH is a different script than the SIP and IAX trunk.

BTW SkykingPH who has been helping you here is one of our BW sponsors in the US. He graciously gave us 10MB of data in Cleveland, OH.

What type of server do you need?? Just FTP? I have a Synology NAS (that is FTP capible) that I can give you some capacity on. It has a fiber commented 100Mb internet feed (10Mb international - 100Mb National if that will help???

Nope not at this time. If someone wants to donate a VPS and some bandwidth in AU I would be happy to add the server to our list of clusters.

Yes seems very odd, I do know from my own experience - if I try to login more than 3 or 4 times via SSH or the web portal with the incorrect details it defiantly locks me out.

On a side note, is it going to be possible to download the complete ISO for the FreePBX distro rather than the ISO that downloads as from NZ that takes a considerable amount of time :frowning:

I am not sure about the “spoof IP” comment. You can’t spoof a source IP to my knowledge. The host still has not know how to get back to who they are talking to. You can spoof at the application layer not at the transport layer that iptables looks at.

You need to look at all the specs of APF, it’s a firewall, Brute Force Detection and Fail 2 Ban (they both do the same thing) look for failed registrations and ban the IP by adding the offenders IP address to the “drop” action list in iptables.

Does this make sense?

Yep it makes sense, but what I can tell you is that at the moment we are using BFD and APF. We have sites continually getting attacked and the the IP address are NOT being added.

I have tested my install (as installed as per Engineer Tim’s docs and have found that it will add my IP address and stop me connecting, but somehow the attackers seem to be able to get around it…

Any ideas??

I would have to pore into the logs and find out.

What you need to do is make sure that you have both of the updated policy scripts and the tweaks to Asterisk log.

Watch the Asterisk log when one of the hackers registration fails. Then check the corresponding BFD log and against the logic in the rule.

If you get more than three hits from one IP it should add it to the deny list.

But the travel from New Zealand makes it a little expensive, any training planned for Australia?

Not at this time but if we can get 15-20 people interested in one I would love to come for a week and put one on.

Yes I guess that is a bit of a issue, the FOP2 thing is a good idea, is there going to be a way to replace FOP2 with the distributed FOP1. (Especially from the front menu)

I use APF on all our installs but have noticed it has become limited use of late as hackers seem to be able to spoof IP addresses very easily. What is the difference (from a functionality perspective between AFP and Fail2Ban)?

Also once again (being dumb) I herd mention of being able to simply install commercial options? Is this correct of have I got this wrong? Where is this done from??

Thanks Again

Guys to use FOP2 simply do this

yum install fop2*

It will replace fop with fop2 and install the fop2 freepbx configuration modules to manage fop2 inside freepbx.

The link on the main landing page for FOP will automatically direct your to fop2.