====== Build a PBX from Scratch Using CentOS 6, Asterisk and FreePBX ======
:!: Just use the **[[http://www.freepbx.org/freepbx-distro|FreePBX Distro]]** instead.
http://www.powerpbx.org/content/rhel-asterisk-freepbx-install-guide-rhel-v6-asterisk-v18-freepbx-v29
===== Minimal CentOS 6 Install =====
Do a [[computing:linux:minimal_centos_install|Minimal Install]] of CentOS 6.
After the reboot:
yum update -y
then reboot again.
===== XenServer Tools =====
If installing on XenServer (skip otherwise):
- Mount the XenServer Tools virtual CD into the VM
- mount /dev/xvdd /mnt/
- /mnt/Linux/install.sh
- reboot
===== Install Prerequisites =====
yum -y groupinstall base core
yum -y install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-pear php-pear-DB php-mbstring php-process nano tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel subversion nano kernel-devel
yum clean all
===== Firewall =====
Disable the built-in firewall for now. We assume your PBX is in a protected, private environment.
:!: See Security section below.
service iptables stop
chkconfig iptables off
service ip6tables stop
chkconfig ip6tables off
===== selinux =====
Disable selinux:
vim /etc/selinux/config
SELINUX=disabled
setenforce 0
===== Time Zone =====
http://www.php.net/manual/en/timezones.php
ln -sf /usr/share/zoneinfo/America/Phoenix /etc/localtime
===== PHP Settings =====
==== Time Zone ====
vim -c 946 /etc/php.ini
Uncomment and set PHP timezone:
date.timezone = America/Phoenix
==== Upload File Size ====
vim -c 878 /etc/php.ini
upload_max_filesize = 20M
===== Install PBX Software =====
==== Asterisk v1.8 ====
cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8-current.tar.gz
tar zxvf asterisk-1.8-current.tar.gz
cd /usr/src/asterisk-1.8*
make clean
./configure && make menuselect
Select all addons. I believe these are all needed or recommended for FreePBX. Select base and addon sounds. I suggest ulaw as they sound better than gsm especially if you are using ulaw as your default codec. I usually just check both. Then make sure to press the "save" button afterwards.
:!: If upgrading Asterisk on an already running FreePBX system do NOT run make samples.
make && make install && make samples
Create an 'asterisk' user. The user may already exist but this won't hurt:
useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk
The following directory may already exist but just to make sure:
mkdir /var/run/asterisk
Set ownership of various folders:
chown -R asterisk /var/run/asterisk
chown -R asterisk /var/log/asterisk
chown -R asterisk /var/lib/asterisk/moh
chown -R asterisk /var/lib/php/session
Adjust the manager interface username and password:
vim /etc/asterisk/manager.conf
Add a stanza like:
[admin]
secret = your-manager-password
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user
==== Music on Hold ====
Here we create a symbolic link so that both FreePBX and Asterisk will find and store MOH files in the same place:
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
Asterisk and FreePBX now only use .wav files for MOH so install mpg123 for converting uploaded mp3's to wav's:
cd /usr/src
wget -O mpg123-1.13.4.tar.bz2 http://sourceforge.net/projects/mpg123/files/mpg123/1.13.4/mpg123-1.13.4.tar.bz2/download
tar -xjvf mpg123-1.13.4.tar.bz2
cd mpg123-1.13.4
./configure && make && make install
ln -s /usr/local/bin/mpg123 /usr/bin/mpg123
==== Web Server ====
Here we set the web server to run as the user 'asterisk' and group 'asterisk'.
sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf
==== MySQL Configuration ====
=== Start MySQL ===
service mysqld start
=== Create Databases and Tables ===
# The FreePBX tarball must already be downloaded and extracted (see "Install FreePBX" below)
cd /usr/src/freepbx-2.10.0 # adjust version if necessary
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql
=== Configure MySQL Security ===
mysql
Run these MySQL commands and adjust for your own password:
GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'your-password';
GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'your-password';
flush privileges;
exit
Finally, we set the MySQL root password. **Don't forget it!**
mysqladmin -u root password 'your-mysql-root-password'
==== Install FreePBX ====
Get the latest released version.
cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.10.0.tar.gz # adjust version if necessary
tar zxvf freepbx-2.10.0.tar.gz
:!: MySQL should still be running...
Start asterisk. You can ignore warnings, errors, and notices for now:
/usr/sbin/safe_asterisk
cd /usr/src/freepbx-2.10.0
./install_amp
You will be asked various questions which will be used to populate /etc/amportal.conf.
Use the defaults, mostly, but change:
^Variable^Value^
|AMPMGRUSER|admin|
|AMPMGRPASS|password you set when editing manager.conf above|
|AMPDBPASS|password you chose when configuring MySQL security above|
|AMPWEBADDRESS|the IP address of your PBX|
Now we delete a few configuration files that may interfere with FreePBX:
rm -f /etc/asterisk/{sip_notify.conf,iax.conf,logger.conf,features.conf,sip.conf,extensions.conf,ccss.conf,chan_dahdi.conf}
==== MySQL CDR Configuration ====
vim /etc/asterisk/cdr_mysql.conf
loguniqueid=yes ; add to the [Global] section, which you may also need to uncomment
==== Log Rotation ====
cat << EOF >> /etc/logrotate.d/asterisk
/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
EOF
kill -HUP $(pidof rsyslogd)
==== Services Startup ====
Enable Apache, MySQL and FreePBX to autostart on boot:
chkconfig httpd on
chkconfig mysqld on
echo /usr/local/sbin/amportal start >> /etc/rc.local
:!: Reboot now!
===== Using FreePBX =====
:!: Before using FreePBX, you have to visit the configuration page at: http://IP.of.PBX
:!: Click "Apply Configuration Changes"
:!: Reboot again
==== Default Credentials ====
^Function^Username^Password^Comment^
|FreePBX|admin|admin| |
|Voicemail & Recordings (ARI)|||Use the FreePBX admin console to enable|
==== Configuration ====
The FreePBX administration console: http://IP.of.PBX
=== Important Initial Settings ===
:!: Save each change and click Apply Configuration after done making changes.
**FreePBX -> Admin -> Administrators -> admin ->**
* **Password -> your-freepbx-admin-password**
**FreePBX -> Settings -> Advanced Settings -> Asterisk Manager ->**
* **Asterisk Manager Password -> your-asterisk-manager-password**
**FreePBX -> Settings -> Advanced Settings -> System Setup ->**
* **User Portal Admin Username -> your-ari-admin-username**
* **User Portal Admin Password -> your-ari-admin-password**
**FreePBX -> Admin -> Module Admin -> Check Online -> Upgrade All -> Process**
:!: Now continue your configuration here:
**[[voice:pbx:freepbx:freepbx_config|FreePBX Configuration]]**
===== Security =====
==== Firewall ====
See also **[[voice:pbx:freepbx:freepbx_firewall|FreePBX Firewall]]**
The following ports may need to be opened:
^Protocol^Ports^Description^
|TCP|80|HTTP|
|TCP|443|HTTPS|
|TCP|4445|Flash Operator Panel|
|UDP|5060-5061|SIP|
|UDP|10000-20000|RTP|
|UDP|4569|IAX|
Firewall options:
=== iptables ===
system-config-firewall-tui
=== Arno's Firewall ===
**[[networking:firewall:arno_s_firewall|Arno's Firewall]]**
==== Fail2Ban ====
See **[[networking:linux:fail2ban|Fail2Ban]]**.
For a base CentOS 6.2 box, after installing Fail2Ban via the EPEL repo, you can copy and paste the following in one go to get a basic Fail2Ban installation set up for your PBX. Change the ignoreip list to your own trusted addresses first; hosts listed there are never banned:
cat << EOF >> /etc/fail2ban/fail2ban.local
# Fail2Ban local configuration file
#
# This file overrides the fail2ban.conf file
[Definition]
logtarget = /var/log/fail2ban.log
EOF
cat << EOF >> /etc/fail2ban/jail.local
# Fail2Ban local configuration file
#
# This file overrides the jail.conf file
[DEFAULT]
ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141
bantime = 600
findtime = 600
maxretry = 3
backend = auto
[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
# sendmail-whois[name=SIP, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 600
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# sendmail-whois[name=SSH, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath = /var/log/secure
maxretry = 3
[apache-tcpwrapper]
enabled = true
filter = apache-auth
action = iptables-allports[name=PBX-GUI, port=http, protocol=tcp]
# sendmail-whois[name=PBX-GUI, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath = /var/log/httpd/error_log
maxretry = 3
[vsftpd-iptables]
enabled = true
filter = vsftpd
action = iptables[name=FTP, port=ftp, protocol=tcp]
# sendmail-whois[name=FTP, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath = /var/log/vsftpd.log
maxretry = 3
bantime = 600
[apache-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
# sendmail-whois[name=PBX GUI, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath = /var/log/httpd/*access_log
bantime = 600
maxretry = 1
EOF
cat << EOF >> /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
# Asterisk Filter - /etc/fail2ban/filter.d/asterisk.conf
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf
[Definition]
#_daemon = asterisk
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
            Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
            NOTICE.* <HOST> failed to authenticate as '.*'$
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
EOF
service fail2ban restart
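Fail2Ban takes the address to ban from the ''<HOST>'' tag in each failregex, so a filter is worth checking against sample log lines before relying on it. The following is an added example, not part of the original guide or of Fail2Ban itself: it expands ''<HOST>'' with an assumed stand-in group, runs a subset of the Asterisk patterns over constructed log lines, and reports which addresses reach the jail's maxretry of 5.

```python
import re
from collections import Counter
# Assumed stand-in for fail2ban's <HOST> expansion: hostname/IPv4 characters
# only, so a trailing ":port" is left for the optional port group.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
# Patterns follow the Asterisk failregex list, with the <HOST> tag in place.
FAILREGEX = [
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
    r"NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)",
]

def compile_filter(patterns):
    """Expand <HOST>; reject patterns that cannot yield an address."""
    compiled = []
    for p in patterns:
        rx = re.compile(p.replace("<HOST>", HOST_GROUP))
        if "host" not in rx.groupindex:
            raise ValueError("failregex has no <HOST> tag: " + p)
        compiled.append(rx)
    return compiled

def failures(lines, patterns=FAILREGEX):
    """Count matching log lines per source address."""
    rxs, hits = compile_filter(patterns), Counter()
    for line in lines:
        m = next(filter(None, (rx.search(line) for rx in rxs)), None)
        if m:
            hits[m.group("host")] += 1
    return hits

def would_ban(lines, maxretry=5):
    """Addresses reaching maxretry (5 in the [asterisk-iptables] jail)."""
    return sorted(h for h, n in failures(lines).items() if n >= maxretry)

# Constructed sample of /var/log/asterisk/fail2ban (documentation addresses).
PFX = "[2012-05-01 10:00:0%d] NOTICE[1234] chan_sip.c: "
REG = "Registration from '\"100\" <sip:100@198.51.100.10>' failed for "
SAMPLE = [PFX % i + REG + "'203.0.113.7:5060' - Wrong password" for i in range(4)]
SAMPLE += [
    PFX % 4 + REG + "'203.0.113.7' - No matching peer found",
    PFX % 5 + "No registration for peer 'bob' (from 192.0.2.44)",
    PFX % 6 + "Host 192.0.2.44 failed MD5 authentication for 'bob' (abc)",
    PFX % 7 + "Peer '100' is now Reachable. (12ms / 2000ms)",
]
if __name__ == "__main__":
    print(dict(failures(SAMPLE)), would_ban(SAMPLE))
```

A pattern that has lost its ''<HOST>'' tag is rejected by compile_filter instead of silently never producing a ban. On the PBX itself, the fail2ban-regex tool shipped with Fail2Ban performs the same kind of check against the real log file.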
===== Troubleshooting =====
==== Asterisk Manager Interface ====
Verify that the username and password in /etc/asterisk/manager.conf and /etc/amportal.conf match.
http://www.freepbx.org/support/documentation/faq/changing-the-asterisk-manager-password
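The check above can be scripted. This is an added example, not FreePBX code: it compares the stanza named by AMPMGRUSER in manager.conf with AMPMGRPASS in amportal.conf and also confirms that the manager ACL still denies everything except loopback. It assumes IPv4 permit entries, and the sample inputs are constructed from the placeholder values used on this page.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_manager(text):
    """manager.conf -> {section: {key: [values]}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def parse_amportal(text):
    """amportal.conf -> {KEY: value}; '#' starts a comment."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(manager_text, amportal_text):
    """Return findings (secrets are never echoed); empty list means consistent."""
    amp, findings = parse_amportal(amportal_text), []
    stanza = parse_manager(manager_text).get(amp.get("AMPMGRUSER"))
    if stanza is None:
        return ["AMPMGRUSER has no stanza in manager.conf"]
    if stanza.get("secret") != [amp.get("AMPMGRPASS")]:
        findings.append("secret does not match AMPMGRPASS")
    if "0.0.0.0/0.0.0.0" not in stanza.get("deny", []):
        findings.append("no deny=0.0.0.0/0.0.0.0 entry")
    for net in stanza.get("permit", []):
        if not ipaddress.ip_network(net, strict=False).subnet_of(LOOPBACK):
            findings.append("permit reaches beyond loopback: " + net)
    return findings

# Constructed inputs: the [admin] stanza from this page and matching amportal.conf lines.
MANAGER = """[admin]
secret = your-manager-password
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
"""
AMPORTAL = "AMPMGRUSER=admin\nAMPMGRPASS=your-manager-password\n"

if __name__ == "__main__":
    print(audit(MANAGER, AMPORTAL) or "manager.conf and amportal.conf agree")
```

To run it against a live system, pass the contents of /etc/asterisk/manager.conf and /etc/amportal.conf to audit() as root.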
==== Pear DB ====
If you see an error during FreePBX installation like:
Checking for PEAR DB..FAILED
try:
pear install DB
then re-run:
./install_amp
==== Remote Extensions ====
:!: If you enable remote access to your PBX, **secure it!**
:!: NAT is a real hurdle for SIP. The best way to deal with NAT issues is to not use NAT if at all possible. NAT on both ends may not be worth attempting if using SIP, it's just not a NAT-friendly protocol like IAX.
=== IAX Protocol ===
:!: Using phones with IAX protocol support is a good alternative if the PBX is behind NAT.
:!: IAX protocol is pretty much Asterisk-specific.
If your PBX is behind NAT, forward the single UDP port 4569 from your NAT firewall in to the PBX.
=== SIP Protocol ===
http://www.freepbx.org/support/documentation/howtos/howto-setup-a-remote-sip-extension
If your PBX is behind NAT and you'd still like to try getting remote SIP extensions to work:
vim /etc/asterisk/sip_nat.conf
localnet=192.168.1.0/255.255.255.0 ;your local network
externhost=your.fqdn.hostname ;your resolvable host name
fromdomain=your.fqdn.domain.name ;your domain name
nat=yes
qualify=yes
externrefresh=10
canreinvite=no
asterisk -rx reload #reload Asterisk configuration
==== PHP Memory Limit ====
This should be the default:
vim -c 457 /etc/php.ini
memory_limit = 128M
==== Re-Install Just FreePBX ====
amportal stop
rm -f /etc/asterisk/{sip_notify.conf,iax.conf,logger.conf,features.conf,sip.conf,extensions.conf,ccss.conf,chan_dahdi.conf}
/usr/sbin/safe_asterisk
cd /usr/src/freepbx-2.10.0
./install_amp
Visit the configuration page at: http://IP.of.PBX
Click “Apply Settings”
Reboot