VICIDIAL Best Practices


Post by Jif19 » Wed Dec 08, 2010 10:38 pm

In your mind, what are they?

This could include but not be limited to:

The steps you always or near always take to install a system
Conventions you use such as how you name & number users, phones, passwords, etc.
Things you must configure a "certain way" or regret later
Operating System you like to use
Other apps you like to install
Versions you prefer
Hardware that works well and those that don't
What has worked for you in the past and what hasn't
Any other good advice you may have!

Thanks in advance!
Jif19
 
Posts: 29
Joined: Sun Nov 28, 2010 12:06 am

Post by williamconley » Thu Dec 09, 2010 10:42 am

Use Vicibox Redux so you can get all this straight from Kumba since his "best practices" are already installed without any issues.

And use the included sql file that installs 50 sip/iax phones (then change the password!)
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Post by Kumba » Fri Dec 17, 2010 8:57 pm

List of things that Redux doesn't do, or not completely, that I usually do for a customer:

Set up phones on all servers with an alphabetical suffix pertaining to the server position. So for extension 1000, the phone I create on server 1 is 1000a, the phone I create on server 2 is 1000b, the phone I create on server 3 is 1000c, etc. Then I create a phone alias of 1000x with phones 1000a,1000b,1000c in the list. This gives me load-balanced agent logins.

Generate a purely random password for the server's "Conf file secret" entry under Admin --> Servers. I either use the first 14 characters of an MD5 hash of the date + hostname + IP, or go to www.strongpasswordgenerator.com and generate a 14-character string without symbols.

Modify /boot/grub/menu.lst, replacing the vga=something with nomodeset. This causes the system upon reboot to just use the standard BIOS framebuffer, as opposed to loading up VGA drivers, and switching to higher resolutions, and all that other garbage that is not needed and can actually slow a system down.

I will usually slave the NTP on the dialer and web servers with the Database server. This way you make sure everything is always in sync, regardless of the state of internet connectivity. If you have multiple databases then you would slave to each of them. Just edit /etc/ntp.conf and change the server lines to just be your database servers, and delete the other server lines except 127.127.1.0. You can also just leave this alone, as by default all servers will attempt to connect to time servers on the internet.

I prefer to use IP addresses in astguiclient.conf as opposed to domain names. We've had problems with some Microsoft DNS servers being slow to respond, or when DNS goes offline.

Change the SSH port on the firewall so that it's something else instead of port 22. I then just make sure I add Port <XX> to /etc/ssh/sshd_config and restart. You should have two entries in sshd_config, Port 22, and then below it Port <XX> for your firewall's port forward. This way internally it's all the same, and externally it's different.

If you have a hosted model, a private LAN for inter-cluster communication, and an external WAN for offered services (Web and SIP/IAX). Yes, it's two NICs per server and two networks/VLANs to manage. No, it's not a burden or overly cumbersome, just twice as many cables usually. And NEVER have the database on the internet. It's just bad.

Don't try to save money on the database server, save it on the web server and dialers. There is no way to short-change the DB and expect good results.

That's all I got off the top of my head.
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida
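
Added example (not part of Kumba's post, and not VICIdial or ViciBox code): a shell check for three items from the list above, namely the two `Port` lines in sshd_config, the NTP server lines, and `nomodeset` in menu.lst. The function names, the scratch tree, port 2222 and address 10.0.0.5 are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit three items from the checklist above.
# check_items ROOT ALT_SSH_PORT DB_IP...  (ROOT="" on a live server)
# Prints PASS/FAIL lines; the return status is the number of failed checks.
check_items() {
    root=$1; alt_port=$2; shift 2
    fails=0
    fail() { echo "FAIL $*"; fails=$((fails + 1)); }
    # sshd_config must carry both "Port 22" and the forwarded "Port <XX>".
    for p in 22 "$alt_port"; do
        if grep -Eq "^[[:space:]]*Port[[:space:]]+$p[[:space:]]*\$" "$root/etc/ssh/sshd_config"; then
            echo "PASS sshd_config has Port $p"
        else
            fail "sshd_config has no 'Port $p' line"
        fi
    done
    # ntp.conf: only the database servers and the local clock 127.127.1.0.
    ntp="$root/etc/ntp.conf"
    for s in $(awk '$1 == "server" { print $2 }' "$ntp"); do
        case " 127.127.1.0 $* " in
            *" $s "*) echo "PASS ntp server $s" ;;
            *) fail "ntp server $s is not a database server" ;;
        esac
    done
    for db in "$@"; do
        awk -v db="$db" '$1 == "server" && $2 == db { f = 1 } END { exit !f }' "$ntp" ||
            fail "ntp.conf does not list database server $db"
    done
    # menu.lst kernel lines: nomodeset present, no vga= left behind.
    grub="$root/boot/grub/menu.lst"
    if grep -Eq '^[[:space:]]*kernel .*vga=' "$grub"; then
        fail "menu.lst still sets vga="
    elif grep -Eq '^[[:space:]]*kernel .*nomodeset' "$grub"; then
        echo "PASS menu.lst uses nomodeset"
    else
        fail "menu.lst kernel line lacks nomodeset"
    fi
    return "$fails"
}
# Constructed sample tree (not from a real server): two items still to fix.
make_sample() {
    d=$(mktemp -d); mkdir -p "$d/etc/ssh" "$d/boot/grub"
    printf 'Port 22\nPort 2222\n' > "$d/etc/ssh/sshd_config"
    printf 'server 10.0.0.5\nserver 127.127.1.0\nserver 0.pool.ntp.org\n' > "$d/etc/ntp.conf"
    printf 'kernel /boot/vmlinuz root=/dev/sda2 vga=0x314\n' > "$d/boot/grub/menu.lst"
    echo "$d"
}
d=$(make_sample); check_items "$d" 2222 10.0.0.5 || echo "$? item(s) still to fix"; rm -rf "$d"
```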

Post by williamconley » Fri Dec 17, 2010 9:21 pm

Brilliant list Kumba.

I'd like to add IPTables to lock out ALL unworthy attempts to connect. If they aren't on your whitelist, they should not be able to communicate. Changing port 22 is then no longer necessary, but still not a bad idea. Unfortunately, port 5060 will still be attacked and often is required or "smoother" with providers, so at least using IPtables to lock port 5060 instead of wide open is a great idea.

While we're at it:

I also like to change the cron password to something a little less standard than 1234

We also like to add the install packages for x-lite, zoiper and twinkle to save the "search" and weirdness often associated with getting these "free" packages.

We also add a password to the root mysql user so phpMyAdmin can log in as root (after IPTables locks out all non-Whitelist IPs, that's useful for the administrator and still quite safe).

Then of course we'll set up the backup system and link it to its associated drop location for mysql tables and modify the cron for a weekly or monthly alternate backup with ALL (for systems that will have modifications).

We also like to change the phone login password (in addition to the conf secret) to something easily remembered but unique to that client so the agents can log in, but the rest of the world has no shot.

We also like to turn off logging, since the system is clean and has no bugs. We turn logging off systemwide until there is at least ONE problem.

And last but not least: we change the root web to bounce somewhere OTHER than Vicidial's login (client home page?). As a rule, anyone not linking directly to the page should not know there is a phone server on the system. (Even for IPTable locked systems, although many of those request that we leave port 80 unlocked so dynamic IP managers at home can get reports and manipulate campaigns and lists.)
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
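
The whitelist approach from the post above, written as a generated iptables-restore ruleset (an added example, not part of the thread and not VICIdial or ViciBox code). The function names, the sample addresses and the choice to give each whitelisted source access to every port are assumptions of this example.

```shell
#!/bin/sh
# Added example: turn a source whitelist into an iptables-restore ruleset.
# build_ruleset WHITELIST_FILE [open80]
#   Whitelisted sources reach every port (SSH, SIP 5060, web); all other
#   inbound traffic is dropped. "open80" leaves TCP 80 open to anyone.
# Fails closed: a malformed entry aborts with status 1 and prints no rules.
build_ruleset() {
    wl=$1; open80=${2:-}
    octet='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    cidr="^$octet(\\.$octet){3}(/(3[0-2]|[12]?[0-9]))?\$"
    rules=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip comments and whitespace, then validate as IPv4 or IPv4/CIDR.
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -z "$entry" ] && continue
        if ! printf '%s\n' "$entry" | grep -Eq "$cidr"; then
            echo "invalid whitelist entry: $line" >&2
            return 1
        fi
        rules="${rules}-A INPUT -s $entry -j ACCEPT
"
    done < "$wl"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    printf '%s' "$rules"
    [ "$open80" = open80 ] && echo "-A INPUT -p tcp --dport 80 -j ACCEPT"
    echo "COMMIT"
}
# Constructed whitelist (documentation and private address ranges only).
sample_whitelist() {
    cat <<'EOF'
# office static IP
203.0.113.10
198.51.100.0/24   # SIP carrier: signalling and media
10.0.0.0/24       # private cluster LAN
EOF
}
# Check the result with "iptables-restore --test < file" before loading it.
```

Because the INPUT policy is DROP, the address you administer the server from has to be in the whitelist before the ruleset is loaded.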

Post by Trying » Sat Feb 19, 2011 12:04 pm

I think this post should also be a sticky.
Vicibox Redux 3.1.14 64 bit
Asterisk: 1.4.39.2-vici | VERSION: 2.8-433a | BUILD: 140411-1434
Sangoma A102D/E1
Servers: 1 x Database; 1 x Web; 6 x Telephony; 2 x Archive
Outbound and blended ratio 3:1 with full voice recording
No additional software
Trying
 
Posts: 865
Joined: Sun Sep 09, 2007 8:41 am
Location: South Africa

