Categories
Asterisk Support Blog Elastix Support Knowledge Base Security

Shellshocked by Bash !

Well any one in IT and many people who never have anything todo with dirty working of *nix operating systems including Apples OSX cant have missed the news about the latest venerability. This is hot on the heels of teh OpenSSl one and the NTP one before that.

All these have different levels of risk, The NTP one was just a pain easily fixed and could cause little damage, The Openssl one was more of a risk as it allowed hackers to read the memory of systems using certain versions of OpenSSL nicknamed Heartbleed. Now the Bash one is fairly simple to exploit and has been now seen in the wild which in the case of Heartbleed it wasn’t really exploited in the wild.

So how do you test. simple , just type

env x='() { :;}; echo vulnerable’ bash -c “test”

and if it comes back saying Vulnerable update bash.

Great easy you say, well it was spent half a day checking 40 odd servers and updating bash. But then the update they rolled out want enough so today went back round updating again.

It has to be noted that some repositories were running slow and in teh case of one (SCHMOOZE) they hadn’t got the latest patch live by mid day.

It was pleasing how most suppliers were open and concise on what to check and how to fix. I was rather disappointed with  another Asterisk Based PBX distro who instead of publishing how to check and what to do, told users to download a script and run that, I don’t think its a good idea to hide security measures, If people deploy systems they need to know how to secure them.

I wonder whats next? , After spending 2 days on this now looking at setting up a Puppet server, This has cost me a day of my time and i’m meant to be installing a queuemetrics call center for a customer…

Categories
Asterisk Support Elastix Support FreePBX Knowledge Base

Using Gmail to send Voicemail emails

We have seen more and more ISPs blocking Port 25.  This means that sending emails natively from FreePBX or any Asterisk based IPBX for things such as voicemail notification can time out or be rejected.

To get round this you can send your email notifications via Gmail.

Firstly you need a Gmail account, once you have this jot down the user and password, you will need this later.

You now need to connect to your server via ssh as you have a couple of files to edit.

Firstly you need to enter the account details in sasl_passwd

vi /etc/postfix/sasl_passwd

and add

smtp.gmail.com:587 yourmailaddress@gmail.com:password

Save it, then edit main.cf

vi  /etc/postfix/main.cf

Then add at the end:

masquerade_domains = yourdomain.com
# The servers hostname below
myhostname = Asterisk.yourdomain.com
mydomain = Asterisk.yourdomain.com
# The email account its being sent from below
myorigin = voicemail@yourdomain.com

relayhost = smtp.gmail.com:587
mynetworks = 127.0.0.0/8
inet_interfaces = loopback-only
smtp_use_tls = yes
smtp_always_send_ehlo = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_generic_maps = hash:/etc/postfix/generic 
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Then enter the following commands at teh command line

postmap hash:/etc/postfix/sasl_passwd
/etc/init.d/postfix restart

Finally you need to make a change to your gmail account to “Allow users to manage their access to less secure apps” which is in the security section of the Gmail ‘Domain’ account setting if its a GSuite account then make sure “Less secure app access” is set to yes in the accounts ‘security section’ if you don’t do this you will see:

535-5.7.8 Username and Password not 
accepted. Learn more at?535 5.7.8 https://support.google.com/mail/?p=BadCredentials  

or 

530-5.7.0 Authentication Required. Learn more at 530 5.7.0 h
ttps://support.google.com/mail/?p=WantAuthError

Most likely the 535 error if ‘Less secure app access’ is not enabled.

You should now be able to send email via the gmail account.

It’s worth making a couple of changes to the gmail account, firstly set and out of office sayings it’s only a sending mailbox and another to delete messages in the inbox.

Categories
Asterisk Support Elastix Support Knowledge Base Security

Keeping the Bots at bay out and allowing your friends in

Recently we have seen an upsurge in Bots attacking Asterisk servers, Interestingly its not good old sipvicious anymore but a Windows program called sipcli and originating mainly from the US and Germany.

Normally our iptables firewalls are updated but for some reason these keep getting through, So we have now based rules on the User-Agent in iptables as well

Here are a few examples to get rid of many of the favourites

-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: friendly-scanner" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipcli" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: VaxSIPUserAgent" --algo bm --to 65535 -j DROP

Also its worth adding these ranges as little good will ever come from them

# Ponytelecom ranges
-A INPUT -s 62.210.0.0/16 -j DROP
-A INPUT -s 195.154.0.0/16 -j DROP
-A INPUT -s 212.129.0.0/18 -j DROP
-A INPUT -s 62.4.0.0/19 -j DROP
-A INPUT -s 212.83.128.0/19 -j DROP
-A INPUT -s 212.83.160.0/19 -j DROP
-A INPUT -s 212.47.224.0/19 -j DROP
-A INPUT -s 163.172.0.0/16 -j DROP
-A INPUT -s 51.15.0.0/16 -j DROP
-A INPUT -s 151.115.0.0/16 -j DROP

# VITOX TELECOM
-A INPUT -s 77.247.109.0/255.255.255.0 -p udp -j DROP 
-A INPUT -s 185.53.88.0/24 -p udp -j DROP 
-A INPUT -s 185.53.89.0/24 -p udp -j DROP 
-A INPUT -s 37.49.224.0/24 -p udp -j DROP 
-A INPUT -s 37.49.230.0/24 -p udp -j DROP 
-A INPUT -s 37.49.231.0/24 -p udp -j DROP 
-A INPUT -s 77.247.110.0/255.255.255.0 -p udp -j DROP

For Freepbx format add following to /etc/firewall-4.rules

-A fpbxreject -s 37.49.231.0/24  -m udp -p udp -j DROP
-A fpbxreject -s 37.120.129.0/19   -p udp -j DROP
-A fpbxreject -s 185.53.88.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.89.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.90.0/24  -p udp -j DROP
-A fpbxreject -s 185.53.91.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.224.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.225.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.227.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.228.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.229.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.230.0/24  -p udp -j DROP
-A fpbxreject -s 37.49.231.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.108.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.109.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.110.0/24  -p udp -j DROP
-A fpbxreject -s 77.247.111.0/24  -p udp -j DROP
-A fpbxreject -s 62.210.0.0/16 -p udp -j DROP
-A fpbxreject -s 195.154.0.0/16 -p udp -j DROP
-A fpbxreject -s 212.129.0.0/18 -p udp -j DROP
-A fpbxreject -s 62.4.0.0/19 -p udp -j DROP
-A fpbxreject -s 212.83.128.0/19 -p udp -j DROP
-A fpbxreject -s 212.83.160.0/19 -p udp -j DROP
-A fpbxreject -s 212.47.224.0/19 -p udp -j DROP
-A fpbxreject -s 163.172.0.0/16 -p udp -j DROP
-A fpbxreject -s 51.15.0.0/16 -p udp -j DROP
-A fpbxreject -s 151.115.0.0/16 -p udp -j DROP

If you are still getting problems check out a sip trace and look for the contact part of the

Contact: <sip:100@xxx.www.rrr.zzz:5070>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8                       <<<<<<<<<<<<<<<< here it is 
Content-Type: application/sdp
Below is a simple Bash script to create iptables entry for Linux. Create a script and paste the code in , if you just run it it created entries ready for Centos iptables id you run  ‘scriptname freepbx’ it created the entry for /etc/firewall-4.rules
#!/usr/bin/bash
SCANNERS='owenee Custom SIP gazllove pplsip sipcli sipvicious sip-scan sipsak sundayddr friendly-scanner iWar CSipSimple SIVuS Gulp sipv smap friendly-request VaxIPUserAgent VaxSIPUserAgent siparmyknife Test'
SYS=$1
if [ "$SYS" != "freepbx" ]
then
SYS=NOOP
fi
echo This is for a $SYS system
echo Copy and paste below
echo
PORTS='5060:5261'
PROTOS='udp tcp'
for scanner in $SCANNERS; do
for port in $PORTS; do
for proto in $PROTOS; do
if [ "$SYS" = "freepbx" ]
then
echo -A fpbxreject -p $proto -m $proto --dport $port -m string --string '"User-Agent:' $scanner'"' --algo bm --to 65535 -j DROP
else
echo -A INPUT -p $proto -m $proto --dport $port -m string --string '"User-Agent:' $scanner'"' --algo bm --to 65535 -j DROP
fi
done
done
done

In this case just set as we have in iptables and it will catch all versions.

Hope this helps you as much as it has helped us

Also this idea can be reversed to only allow user agents (phones) you want to accept.

Here are a few examples of common soft and hardphones

-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Yealink" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: FPBX" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Linphone" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: DX800" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: 3CX" --algo bm --to 65535 -j ACCEPT
-A ELASTIX_INPUT  -p udp -m udp --dport 5060 -m string --string "User-Agent: Grand" --algo bm --to 65535 -j ACCEPT

Again to find others just do a sip trace and note down the user agent.

This can also be extended to make you system more secure by only allowing in devices that register to you FQDN and not just ip address

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#ssh moved from 22 to random port
-A INPUT -m state --state NEW -m tcp -p tcp --dport 65432 -j ACCEPT
#Web interface moved to new port.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8765 -j ACCEPT
#drop sipvicious traffic
-A INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: sipvicious" --algo bm --to 65535 -j DROP
-A INPUT -i eth0 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p udp --dport 4569 -m state --state ESTABLISHED,RELATED -j ACCEPT
#only allow Yealink phones
-A ELASTIX_INPUT -p udp -m udp --dport 5060 -m string --string "User-Agent: Yealink" --algo bm --to 65535 -j ACCEPT
#That register to your domain name directly
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:yoursip.yourdomain.co.uk" --algo bm -j ACCEPT 
#only allow iax from known server
-A INPUT -s xxx.xxx.xxx.0/22 -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -j DROP
-A INPUT -i eth0 -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

The above example should keep you secure. (but things and methods change so keep your eye on the ball)

Categories
Asterisk Support Elastix Support Knowledge Base Technical

IAX2 Peers going unreachable.

In the past we have found that IAX@ peers have been reliable and solid.

But lately with the advent of bonded ADSL lines and other forms of aggregated lines we have seen issues where the IAX2 trunk will go down and a simple reload of Asterisk or even a restart doesn’t fix it.

Taken from Voip-info

A report of the problem by another user :

This is something I’ve run into myself and my VOIP IAX2 provider has this issue with many clients running Asterisk on TrixBox or other custom made systems behing a NAT (Linux) router.

If our PPPoE goes down, we have to reboot our Asterisk server to get our IAX2 trunk to re-register otherwise, it will try and just keep timing out. I have the 4569 forwarded internal (Pierre Belanger adds: in many cases, the 4569 port forwarding useless unless your Asterisk server provides service to IAX2 phones from the Internet, i.e. not on your local LAN).

I have a dirty script that avoids having to reboot the TrixBox and restore our service within 2 minutes of a blip automatically, and logs the ‘blips’ so i can see how ‘reliable’ our service is.

We have take the original script posted and made some changes, Notably it checks a defined peer name as we have seen that the problem doesn’t always affect all peers on a system.

======Code follows ======

#!/bin/sh
#We record the status of the IAX2 Trunk
cd /root/ # I have script live in root,
# Set the peer name to monitor here
# ******
peername="YOURIAX2PEERNAME"
# ******
date >> slap.log
echo "Testing $peername peer" >> slap.log
/usr/sbin/asterisk -rx 'iax2 show peers' |grep -i $peername >> slap.log
/usr/sbin/asterisk -rx 'iax2 show peers' |grep -i $peername > reg_status
sleep 1
#We then Scan the Status and see if we're online or not...
TEST="OK"
if grep $TEST reg_status > /dev/null
then
echo "All OK Here" >> slap.log
exit #Abort, we are online, all is well...
fi
#IF we're this far down, we've lost IAX. Log the incident.
echo "we have a problem with $peername, Restarting it" >> slap.log
#Restart the IAX2 trunk. Delay required for some reason.
/usr/sbin/asterisk -rx 'module unload chan_iax2.so' >> slap.log
sleep 90;
/usr/sbin/asterisk -rx 'module load chan_iax2.so' > /dev/null
echo "Restarted it Now lets check status" >> slap.log
sleep 5;
/usr/sbin/asterisk -rx 'iax2 show peers' |grep -i $peername >> slap.log
#We record the status of the IAX2 Trunk
/usr/sbin/asterisk -rx 'iax2 show peers' |grep -i $peername > reg_status
sleep 1
#We then Scan the Status and see if we're online or not...
TEST="OK"
if grep $TEST reg_status > /dev/null
then
echo "All OK Here" >> slap.log
exit #Abort, we are online, all is well...
fi
#IF we're this far down, we've lost IAX. Log the incident.
echo "we have a problem with $peername, Restarting it" >> slap.log
#Restart the IAX2 trunk. Delay required for some reason.
/usr/sbin/asterisk -rx 'module unload chan_iax2.so' >> slap.log
sleep 120;
/usr/sbin/asterisk -rx 'module load chan_iax2.so' > /dev/null
echo "Restarted it Now lets check status" >> slap.log
sleep 5;
/usr/sbin/asterisk -rx 'iax2 show peers' |grep -i $peername >> slap.log
#We record the status of the IAX2 Trunk

======Code ends======

This seems to do the trick and its cronned to run every night or hour in some cases.

UPDATE

on testing and speaking to suppliers. We would advise adding the following settings to your IAX2 peers

 

qualifysmoothing=yes
qualifyfreqnotok=30000
qualifyfreqok=120000
qualify=yes

With this added we have not seen any unexpected unreachables.

 

Categories
Elastix Support Knowledge Base Support

CallerID in Elastix systems.

We get calls regularly on where to set the callerid in Elastix IPPBX systems. There are 3 places it can be entered for external caller ID and some can overide others but not all. so here is a simple explanation

Firstly, You can set it in the Extension, Trunk and the Route, In the route there is a check  box as well.

1. If you set it in the Trunk and no where else it will send this out as the CLI.

2. If you set it in the Trunk and in the Extension it will send out the Extension external cli as the CLI.

3. If you set it in the Route, Extension and the Trunk and don’t tick the override it will send the Routes CLI

4.  If you set it in the route and the Extension and the Trunk and tick the override it will send the extensions CLI

5.  If you set it in the Route and the Trunk and tick the override it will still send the Routes CLI

I hope that makes sense :-)

Categories
Elastix Support Knowledge Base

Elastix Custom Extensions.

This Short Video shows you how to setup custom extensions in Elastix and FreePBX

These can be used for calling mobiles or other external numbers that you want users to be able to dial as if they were extensions.

 

 

 

Categories
Elastix Support Knowledge Base

Setting up timed call flow in Elastix

Screenshot from 2013-06-19 14:50:45If you want to set up timed call flow in Elastix but still have the ability to override for holidays and when the office is open late you have a few extra steps to add.

We will assume  you have your queues and extensions setup for this video. If you havent set your extensions up see our other video on setting up extensions.

 

 

We have used 2 day/night modes, One at before the call enters the time condition, This means that you can override day service for holidays etc and another at the end that means the call can be forced to go to a night queue instead of voicemail.

I hope you found this useful and keep coming back for more.

Categories
Asterisk Support Elastix Support Knowledge Base Technical

Running a Macro on answer for Asterisk queues.

asteriskThe Asterisk Queue application has an option that will run a macro on answer, This can be very useful when integrating with CRM such as Capsule or call centre applications.

This option isnt included in freepbx, Though this can be hand coded it isn’t best to do this when using Elastix, AsteriskNoW or any other freepbx based system.

To add this option We have written a couple of patched versions of the relevant freepbx pages that can be downloaded here , You will also need to add a extra field to the mysql database as follows

  1. Log in to mysql:   mysql -u root -p
  2. Enter password
  3. mysql> use asterisk
  4. mysql> ALTER TABLE `queues_config` ADD `qmacro` VARCHAR( 255 ) NULL;
  5. mysql> describe queues_config;

You should now have something like this:- | qmacro | varchar(255) | YES | | NULL | | as the last line of the table.

Now download the tar file and unpack it. then copy the two files to the /var/www/html/admin/modules/queues directory.

On loading the queue page in freepbx you will now have the “Queue macro on answer” box

queuemacro

In this box you put the macro name you wish to run when a member answers a call.

For example:-

[macro-logit]
exten => s,1,Noop( capsule crm intergration ${crminfo} ${CALLERID(all)})
exten => s,n,Set(foo=${CURL(http://127.0.0.1/directory/capsual.php?strCallid=${crminfo})})
exten => s,n,Noop(${foo})
exten => s,n,Hangup()

This a simple dialplan that runs a php script to log calls to the capsule crm

capsual.php

<?php
$today = date(“F j, Y, g:i a”);
$duedate1 = date(“Y-m-d”);
$duedate2 = date(“H:i:s”);
$Token = ‘YOUR CAPSUAL API CODE’;
$number = $_GET[‘strCallid’];
$datetime = $today;
$duedate = “$duedate1″.”T”.”$duedate2″.”Z”;
echo $duedate;
$myxml=”<?xml version=”1.0″ encoding=”UTF-8″?>n
<task>n
<description>Call recieved from $number at $datetime. Please update and assign this task if required</description>n
<dueDateTime>$duedate</dueDateTime>n
<category>incoming call</category>n
</task>”;
// The URL to connect with (note the /api/ that’s needed and note it’s person rather than party)
// SEE: http://capsulecrm.com/help/page/api_gettingstarted/
$capsulepage = “https://youraccount.capsulecrm.com/api/task”;
echo $capsulepage;
echo $number;
// Initialise the session and return a cURL handle to pass to other cURL functions.
$ch = curl_init($capsulepage);
// set appropriate options NB these are the minimum necessary to achieve a post with a useful response
// …can and should add more in a real application such as
// timeout CURLOPT_CONNECTTIMEOUT
// and useragent CURLOPT_USERAGENT
$options = array(CURLOPT_USERPWD => “$Token:x”,
CURLOPT_HTTPHEADER => array(‘Content-Type: application/xml’),
CURLOPT_HEADER => true,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $myxml
);
curl_setopt_array($ch, $options);
// Do the POST and collect the response for future printing etc then close the session
$response = curl_exec($ch);
$responseInfo = curl_getinfo($ch);
curl_close($ch);
echo $responseInfo;
echo $response;
?>

Have fun

 

Categories
Elastix Support Knowledge Base

Setting up extensions in Elastix

Elastix Asterisk IPPXThis is a short video on the setting up of extensions on the Elastix Asterisk based IPPX.

 

Categories
Elastix Support Software Releases

Elastix 2.4 Released

Elastix.org have announced the release of 2.4 stable.elastix240_en

Key changes are:

Changes in Elastix Framework:

  • The instalation of the Elastix system now its much cleaner.
  • The Migration to Privileged Scripts its completed. Now, there its no need to use commands such as /bin/touch, /bin/chmod, etc.
  • We improve readability on blackmin theme.
  • Fixed readout of FreePBX database password.
  • The internal jQuery was updated to 1.8.3 .
  • Some minor bug fixes for the Elastix Framework.
  •  
  • Changes in Elastix Addons :
  • Correction for Postgresql repo in ARM architecture.
  • Some minor bug fixes for Elastix-Addons.

Changes in Elastix Firstboot :

  • Make an update of password in manager.conf more robust in the case it falls out of sync with elastix.conf file
  • The Cancel option that used to appear in the dialog_password was removed, because if someone pressed, it no allows to continue configuring passwords. Now only appears the Cancel option after the firstboot if its necesary to change the password already seted.
  • Some minor bug fixes for Elastix-Firstboot.

Changes in Elastix Email_Admin :

  • Change of files owners for more security in the web path. Creation of new helper scripts (s
  • pamconfig,remotesmtp,mailman_conig,relayconfig).
  • Was made changes in the module email_account in order to better interaction at moment to create a new email account.
  • Some minor bug fixes for Elastix-Email_Admin.

Changes in Elastix Fax :

  • NEW MODULE Fax Queue.
  • Now errors are displayed when the fax job failed to submit and do not ignore them.
  • Remove useless code that could potentially error out the module.
  • Implementation of fax job cancelation.

Changes in Elastix PBX :

  • Add support and features to following phones: Elastix LXP200, Yealink model SIP-T38G, VP530 model, Alcatel Temporis IP800, Escene 620, Fanvil C62, Damall D3310 and Grandstream model GXV280.
  • Modified the way of displaying Reasons for Status in module weak keys.
  • In module Control Planel was made changes in function showChannel in order to fix bugs in wich the call made through a sip trunk have not been displayed in control panel.Some minor bug fixes for Elastix-PBX.

Changes in Elastix Security:

  • The instalation of this module now its much cleaner.
  • Change of files owners for more security int he path web path.
  • Some bug fixes for Elastix-Security.

Changes in Elastix System :

  • Reimplementation of GUI backup and restore operations on top of backupengine.
  • Add options to active o inactive services when reboot system in Process Status Applet.
  • Some minor bug fixes for Elastix-System.
  • Centos version was updated to 5.9
  • Kernel version was updated to 2.6.18-348.1.1
  • FreePBX version was updated to 2.8.1-16
  • Rhino version was updated to 0.99.6-0.b2
  • Asterisk version was updated to 1.8.20
  • Dadhi version was updated 2.6.1-4
  • Amongst others…

For Product details on Elastix see Here

DOWN LOAD AT  http://www.elastix.org/index.php/en/downloads/main-distro.html