First, we have the General tab. Here we find the default Extension, Dial Plan, GUI, and Queues Callback Settings.
For Extensions, we can set the following default settings.

• Default Language – This is the voice prompt language used for new extensions.
• Devices Prefix – This is a prefix automatically added to device users.
• Public Domain – This is the FQDN (Fully Qualified Domain Name) used for various
  URL settings. This will overwrite the hostname set for this installation.
• Auto-Generated Passwords Length – This is the default length for auto-generated
  passwords.
• Enable Voicemail – This is whether or not voicemail is enabled by default for
  extensions.
• Enable Portal – This is whether or not the User Portal is enabled by default.
• Create Hints – This is whether or not Hints are generated for new extensions. Keep in
  mind that enabling hints for all extensions can take a toll on system performance.
• Email Credentials – If enabled, this will send the extension welcome email to new
  extensions.
• Send Diversion Headers – If enabled, additional call diversion headers will be sent
  such as the different Call Forwards. Some SBCs might complain if these are enabled.

For the Dial Plan Settings, we can establish the following default settings.

• Default Ring Time – This is the default time in seconds an extension will ring before
  going to voicemail or hangup.
• Attended Transfer Timeout – This is the default time in seconds where a call is
  placed after the last digit is dialed for an attended transfer.
• Transfer Digit Timeout – This is the default time in seconds between digits pressed
  during a call transfer.
• Features Digit Timeout – This is the default time in milliseconds between digits for a
  feature during a call.
• Recording Script – This is a custom script that can be run after a call is recorded.
• Drop Attended Transfer Callbacks – When set to No, Asterisk will call the transfer
  initiator back after an early hangup if the transferred party does not answer the
  attended transfer.
• Play Call Waiting Tone – When set to Yes a tone will play when an extension receives
  a new call while on an existing call.

Finally, we have the Show Add-Ons Menu for the GUI Settings, which will hide direct access to the Sonata Suite and VitXi from the login screen if it is set to No. And if you have the Queues Callback module installed, you are able to set the Search Frequency which is how often the Queues Callback will search for queued calls for a callback.

If you make any changes in this module, you can then Save and Apply Changes.

Next, we have the System Prompts tab. Here, you can change the voice prompts used when you have Do Not Disturb turned on, and the prompt that plays back when a blacklisted number calls your VitalPBX and you didn’t set a destination for blacklisted calls.

Once you select the sound recordings for these voice prompts, you can Save and Apply Changes.
Lastly, we have the System Directories tab, which will show you the directories for popular Asterisk locations.

• Asterisk AGI Directory – /var/lib/asterisk/agi-bin
• Asterisk Directory – /etc/asterisk
• Asterisk Log Directory – /var/log/asterisk
• Asterisk Modules Directory – /usr/lib/asterisk/modules
• Asterisk Sound Directory – /var/lib/asterisk/sounds
• Asterisk Spool Directory – /var/spool/asterisk
• Asterisk Libraries Directory – /var/lib/asterisk

If you require to change the RTP port range, these can be modified with the RTP Start and End fields. By default, these go from port 10,000 to 20,000. If you change these ports, make sure you also make the changes in the Firewall Services under Admin > Firewall > Firewall Services.

These fields can be left with their default values. You can enable or disable Strict RTP, and
RTP Checksums. We recommend you leave Strict RTP on for security purposes. If it is disabled, VitalPBX will not drop packets that come from any source that is not the source for the RTP stream. If you are using a STUN or TURN server you can enter the necessary information here.

Additionally, you can enable ICE Support in this module. If you are using an ICE server, you can enter your settings under the ICE Host Settings. Where the Local Address is a LAN IP Address, and the Advertised Address is a Public IP Address.

If you made any changes here, Save and Apply Changes.

The first thing you will notice is that CEL will be disabled by default. This is why you might not see CEL events in the CDR. You can enable them so you can start logging the events. We have it disabled by default, since logging too many CEL events can fill your storage quickly if it is too small.

Here you can select the APPs and Events you wish to log for the CEL events. You can also change the Date Format using the strftime format.

You can then Save and Apply Changes.

With the CEL Events enabled, if you place a new call and check the CEL Events field in the CDR reports, you will now see information being logged.

In this module, you can enable Batch Mode for the CDR. With batch mode, instead of logging every call in the CDR as each call ends, the data will be stored in a buffer. The Max Batch Size is how many calls are stored in the buffer, and the Max Batch Time is how often in seconds the calls are transferred from the buffer to the CDR logs and Database.

Note: When Batch Mode is enabled, there is a risk of data loss after unsafe
Asterisk termination. For example, Power Loss, Software Crash, Kill -9, etc. So
keep this in mind when using this feature.

If you made any changes, you can Save and Apply Changes.

This module is typically used with WebRTC applications such as VitXi, so you can refer to the VitXi manual for more information on its use with that add-on application..

By default, we use ports 8088 and 8089 for the HTTP and TLS Bind addresses. If you change these, make sure you also change it in the Firewall Services under Admin > Firewall > Firewall Services.

To use this mini HTTP server, you need to Enable HTTP, and if you are using a Certificate, you need to Enable TLS. You can also change the Sessions Limit of how many WebSocket/HTTP sessions can be connected at the same time, by default this is 1000 sessions.

If you made any changes here, Save and Apply Changes.

This section can work as a checklist of various configurations you can follow when setting up your VitalPBX installation.

1. Never use the same username and password on your extensions.

• It is quite common to see instances where the username and password for extensions are the same as the extension number. This might make remembering the usernames and passwords easier when setting up your devices, but it is the easiest way to get bad actors registering on your PBX
  system. The bad actors can then start placing a massive number of phone calls.
• What we recommend, and taking advantage of VitalPBX’s separation of the extension number and devices, is to use unique usernames and strong passwords for your extensions. You can make the device’s user anything you like, instead of the extension number. VitalPBX also generates a random strong password automatically, so we recommend using this instead of a repeating
  password for all your devices.

2. Use the “Permit” and “Deny” options for your devices.

If possible, you should limit the networks that can reach the registration for your devices. In the case you know that a device will only register from a specific network address, you can use the Permit and Deny options when configuring your devices. Permit will only allow devices from the defined network address or segment to register. Deny will disallow devices from the defined segment to register.

3. Limit extension registration using a Bind Address.

The Bind Address option will also limit who can register to your extensions. With this option, you can limit the network addresses or segments that can register to your extension devices.

4. Change the default ports for the services you are using.

Default ports are one of the most common ways to have your system attacked by online scanners. By changing these ports to another value, bot scanners will have a harder time detecting open spots in your VitalPBX Server. You can change these ports on the VitalPBX firewall. Remember that you also need to change the ports on the Technology Settings module for PJSIP and IAX2. The most common ports to change are PJSIP, IAX2, and SSH.

5. Disable the ports you are not using.

Speaking of ports, if you are not using a service, disabling the port is a better option than changing it to something else. For example, if you are not using IAX2, disable the port on the VitalPBX firewall. This is one less way to detect an open spot by bot scanners.

6. Don’t route inbound calls to very permissive contexts.

When routing incoming calls make sure that you are limiting the incoming calls to only the intended destinations. Using the right Class of Service can help you limit the destination options that someone can reach in a context. For example, don’t have an IVR with a permissive Class of Service. Create one that limits the options to the destinations you intend. If you are using a Custom Context, only allow dialing to a specific destination.

7. Always have the Firewall active and try to place your PBX behind a Firewall
   and/or SBC.

The firewall included in VitalPBX is set to block unwanted access to your PBX. Having it enabled at all times will deter attempts to breach the server. Having an external firewall is another good way to manage the network routes and permissions at a network level to limit access to the VitalPBX server. Finally, an SBC or Session Border Controller is a good way to externally filter registration and other type of events from reaching your VitalPBX server.

8. Use Fail2Ban to automatically detect malicious attempts to enter your PBX.

Using the Fail2Ban application allows you to easily jail malicious attempts towards your VitalPBX server. Fail2Ban will block the connection from an IP Address after multiple failed attempts to access the server. This can be through SSH, PJSIP/IAX2 Registration, or web login. You can set the number of failed attempts and for how long the IP address will be blocked.

Following these suggestions will allow you to have a more secure server and keep your data and work safely. These are ways that you can secure your server out of the box. In the following lessons, we will look into more ways to make your server even safer.