Build a PBX from Scratch Using CentOS 6, Asterisk and FreePBX

:!: Just use the FreePBX Distro instead.

http://www.powerpbx.org/content/rhel-asterisk-freepbx-install-guide-rhel-v6-asterisk-v18-freepbx-v29

Minimal CentOS 6 Install

Do a Minimal Install of CentOS 6.

After the reboot:

yum update -y

then reboot again.

XenServer Tools

If installing on XenServer (skip otherwise):

  1. Mount the XenServer Tools virtual CD into the VM
  2. mount /dev/xvdd /mnt/
  3. /mnt/Linux/install.sh
  4. reboot

Install Prerequisites

yum -y groupinstall base core

yum -y install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-pear php-pear-DB php-mbstring php-process nano tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel subversion nano kernel-devel

yum clean all

Firewall

Disable the built-in firewall for now. We assume your PBX is in a protected, private environment.

:!: See Security section below.

service iptables stop
chkconfig iptables off
service ip6tables stop
chkconfig ip6tables off

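SELinux

Disable SELinux:

vim /etc/selinux/config

Set:

SELINUX=disabled

The config change applies from the next boot. To stop enforcement on the running system right away:

setenforce 0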

Time Zone

http://www.php.net/manual/en/timezones.php

ln -sf /usr/share/zoneinfo/America/Phoenix /etc/localtime

PHP Settings

Time Zone

vim -c 946 /etc/php.ini

Uncomment and set PHP timezone:

date.timezone = America/Phoenix

Upload File Size

vim -c 878 /etc/php.ini

upload_max_filesize = 20M

Install PBX Software

Asterisk v1.8

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8-current.tar.gz
tar zxvf asterisk-1.8-current.tar.gz
cd /usr/src/asterisk-1.8*
make clean
./configure && make menuselect

Select all addons. I believe these are all needed or recommended for FreePBX. Select base and addon sounds. I suggest ulaw, as it sounds better than gsm, especially if you are using ulaw as your default codec. I usually just check both. Make sure to press the “save” button afterwards.

:!: If upgrading Asterisk on an already running FreePBX system do NOT run make samples.

make && make install && make samples

Create an 'asterisk' user. The user may already exist but this won't hurt:

useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk

The following directory may already exist but just to make sure:

mkdir -p /var/run/asterisk

Set ownership of various folders:

chown -R asterisk /var/run/asterisk
chown -R asterisk /var/log/asterisk
chown -R asterisk /var/lib/asterisk/moh
chown -R asterisk /var/lib/php/session

Adjust the manager interface username and password:

vim /etc/asterisk/manager.conf

Add a stanza like:

[admin]
secret = your-manager-password
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
read = system,call,log,verbose,command,agent,user
write = system,call,log,verbose,command,agent,user

Music on Hold

Here we create a symbolic link so that both FreePBX and Asterisk will find and store MOH files in the same place:

ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3

Asterisk and FreePBX now only use .wav files for MOH, so install mpg123 for converting uploaded MP3s to WAVs:

cd /usr/src
# -O names the saved file; without it wget stores the SourceForge link as "download"
wget -O mpg123-1.13.4.tar.bz2 http://sourceforge.net/projects/mpg123/files/mpg123/1.13.4/mpg123-1.13.4.tar.bz2/download
tar -xjvf mpg123-1.13.4.tar.bz2

cd mpg123-1.13.4
./configure && make && make install

ln -s /usr/local/bin/mpg123 /usr/bin/mpg123

Web Server

Here we set the web server to run as the user 'asterisk' and group 'asterisk'.

sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf

MySQL Configuration

Start MySQL

service mysqld start

Create Databases and Tables

cd /usr/src/freepbx-2.10.0                       # adjust version if necessary; the FreePBX tarball (see Install FreePBX below) must already be extracted here
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql

Configure MySQL Security

mysql

Run these MySQL commands and adjust for your own password:

GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'your-password';

GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'your-password';

flush privileges;

exit

Finally, we set the MySQL root password. Don't forget it!

mysqladmin -u root password 'your-mysql-root-password'

Install FreePBX

Get the latest released version.

cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.10.0.tar.gz     # adjust version if necessary
tar zxvf freepbx-2.10.0.tar.gz

:!: MySQL should still be running…

Start asterisk. You can ignore warnings, errors, and notices for now:

/usr/sbin/safe_asterisk

cd /usr/src/freepbx-2.10.0
./install_amp

You will be asked various questions which will be used to populate /etc/amportal.conf.

Use the defaults, mostly, but change:

Variable | Value
AMPMGRUSER | admin
AMPMGRPASS | password you set when editing manager.conf above
AMPDBPASS | password you chose when configuring MySQL security above
AMPWEBADDRESS | the IP address of your PBX

Now we delete a few configuration files that may interfere with FreePBX:

rm -f /etc/asterisk/{sip_notify.conf,iax.conf,logger.conf,features.conf,sip.conf,extensions.conf,ccss.conf,chan_dahdi.conf}

MySQL CDR Configuration

vim /etc/asterisk/cdr_mysql.conf

loguniqueid=yes             ; add to [Global] section which you may need to also un-comment

Log Rotation

cat << EOF >> /etc/logrotate.d/asterisk
/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {
   missingok
   notifempty
   sharedscripts
   create 0640 asterisk asterisk
   postrotate
   /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
   endscript
}
EOF

kill -HUP $(pidof rsyslogd)

Services Startup

Enable Apache, MySQL and FreePBX to autostart on boot:

chkconfig httpd on
chkconfig mysqld on
echo /usr/local/sbin/amportal start >> /etc/rc.local

:!: Reboot now!

Using FreePBX

:!: Before using FreePBX, you have to visit the configuration page at: http://IP.of.PBX

:!: Click “Apply Configuration Changes”

:!: Reboot again

Default Credentials

Function | Username | Password | Comment
FreePBX | admin | admin |
Voicemail & Recordings (ARI) | <none> | <none> | Use the FreePBX admin console to enable

Configuration

The FreePBX administration console: http://IP.of.PBX

Important Initial Settings

:!: Save each change and click Apply Configuration after done making changes.

FreePBX → Admin → Administrators → admin →

FreePBX → Settings → Advanced Settings → Asterisk Manager →

FreePBX → Settings → Advanced Settings → System Setup →

FreePBX → Admin → Module Admin → Check Online → Upgrade All → Process

:!: Now continue your configuration here:

FreePBX Configuration

Security

Firewall

See also FreePBX Firewall

The following ports may need to be opened:

Protocol | Ports | Description
TCP | 80 | HTTP
TCP | 443 | HTTPS
TCP | 4445 | Flash Operator Panel
UDP | 5060-5061 | SIP
UDP | 10000-20000 | RTP
UDP | 4569 | IAX

Firewall options:

iptables

system-config-firewall-tui

Arno's Firewall

Fail2Ban

See Fail2Ban.

For a base CentOS 6.2 box, after installing Fail2Ban via the EPEL repo, you can just copy and paste the following in one go to get a basic Fail2Ban installation set up for your PBX:

cat << EOF >> /etc/fail2ban/fail2ban.local
# Fail2Ban local configuration file
#
# This file overrides the fail2ban.conf file

[Definition]
logtarget = /var/log/fail2ban.log

EOF

cat << EOF >> /etc/fail2ban/jail.local
# Fail2Ban local configuration file
#
# This file overrides the jail.conf file

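[DEFAULT]
# ignoreip lists addresses that are never banned; replace the networks below with your own trusted addresses
ignoreip = 127.0.0.1 209.193.64.0/24 70.176.57.141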
bantime  = 600
findtime  = 600
maxretry = 3
backend = auto


[asterisk-iptables]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=SIP, protocol=all]
#           sendmail-whois[name=SIP, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath  = /var/log/asterisk/fail2ban
maxretry = 5
bantime = 600

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#           sendmail-whois[name=SSH, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath  = /var/log/secure
maxretry = 3

[apache-tcpwrapper]
enabled  = true
filter   = apache-auth
action   = iptables-allports[name=PBX-GUI, port=http, protocol=tcp]
#           sendmail-whois[name=PBX-GUI, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath  = /var/log/httpd/error_log
maxretry = 3

[vsftpd-iptables]
enabled  = true
filter   = vsftpd
action   = iptables[name=FTP, port=ftp, protocol=tcp]
#           sendmail-whois[name=FTP, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath  = /var/log/vsftpd.log
maxretry = 3
bantime  = 600

[apache-badbots]
enabled  = true
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
#           sendmail-whois[name=PBX GUI, dest=none@yourpbx.com, sender=none@yourpbx.com]
logpath  = /var/log/httpd/*access_log
bantime  = 600
maxretry = 1

EOF

cat << 'EOF' >> /etc/fail2ban/filter.d/asterisk.conf
# Fail2Ban configuration file
#
# Asterisk Filter - /etc/fail2ban/filter.d/asterisk.conf

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#

failregex = Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password
	    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found
	    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Device does not match ACL
	    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Username/auth name mismatch
	    Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Peer is not supposed to register
	    NOTICE.* <HOST> failed to authenticate as '.*'$
	    NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
	    NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*)
	    VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =

EOF

service fail2ban restart
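
A way to check the filter and the jail thresholds offline, as an added example that is not part of the original page or of Fail2Ban: it applies three of the failregex lines to constructed Asterisk-style log lines and reports which hosts reach maxretry within findtime. The HOST pattern is a simplified IPv4-only assumption, and the helper names and log lines are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: IPv4-only stand-in for Fail2Ban's <HOST> tag, which matches more.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Three failregex lines; the parentheses Asterisk prints are backslash-escaped.
PATTERNS = (
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - Wrong password",
    r"Registration from '.*' failed for '<HOST>(:[0-9]{1,5})?' - No matching peer found",
    r"NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)",
)
FAILREGEX = [re.compile(p.replace("<HOST>", HOST)) for p in PATTERNS]
MAXRETRY, FINDTIME = 5, timedelta(seconds=600)  # [asterisk-iptables] values
IGNOREIP = {"127.0.0.1"}                        # stand-in for the ignoreip list

def line(ts, body):
    return "[%s] NOTICE[1834] %s" % (ts.strftime("%Y-%m-%d %H:%M:%S"), body)

def sample_log():
    """Constructed Asterisk 1.8-style lines using documentation IP ranges."""
    t0 = datetime(2012, 5, 1, 10, 0, 0)
    reg = "chan_sip.c: Registration from '<sip:100@pbx>' failed for '%s' - %s"
    log = [line(t0 + timedelta(seconds=10 * i), reg % ("198.51.100.23:5060", "Wrong password"))
           for i in range(5)]                   # burst: 5 failures in 40 s
    log += [line(t0 + timedelta(minutes=15 * i), reg % ("203.0.113.7", "No matching peer found"))
            for i in range(5)]                  # slow scan: one failure per window
    log.append(line(t0, "chan_iax2.c: No registration for peer 'x' (from 192.0.2.44)"))
    log.append(line(t0, "chan_sip.c: Registered SIP '100' at 192.0.2.50:5060"))
    return log

def failures(lines):
    """Yield (timestamp, host) for every line that a failregex matches."""
    for text in lines:
        m = next(filter(None, (rx.search(text) for rx in FAILREGEX)), None)
        if m and m.group("host") not in IGNOREIP:
            yield datetime.strptime(text[1:20], "%Y-%m-%d %H:%M:%S"), m.group("host")

def banned(lines):
    """Hosts that reach MAXRETRY failures inside one FINDTIME window."""
    recent, bans = defaultdict(list), []
    for ts, host in failures(lines):
        recent[host] = [t for t in recent[host] if ts - t <= FINDTIME] + [ts]
        if len(recent[host]) >= MAXRETRY and host not in bans:
            bans.append(host)
    return bans

if __name__ == "__main__":
    print(banned(sample_log()))   # hosts the jail would ban
```

On the PBX itself, `fail2ban-regex /var/log/asterisk/fail2ban /etc/fail2ban/filter.d/asterisk.conf` runs the installed filter against the real log. The slow scan in the sample stays under the threshold, which is the trade-off of a 600-second findtime.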

Troubleshooting

Asterisk Manager Interface

Verify that the username and password in /etc/asterisk/manager.conf and /etc/amportal.conf match.

http://www.freepbx.org/support/documentation/faq/changing-the-asterisk-manager-password

Pear DB

If you see an error during FreePBX installation like:

Checking for PEAR DB..FAILED

try:

pear install DB

then re-run:

./install_amp

Remote Extensions

:!: If you enable remote access to your PBX, secure it!

:!: NAT is a real hurdle for SIP. The best way to deal with NAT issues is to not use NAT if at all possible. NAT on both ends may not be worth attempting with SIP; unlike IAX, it is just not a NAT-friendly protocol.

IAX Protocol

:!: Using phones with IAX protocol support is a good alternative if the PBX is behind NAT.

:!: IAX protocol is pretty much Asterisk-specific.

If your PBX is behind NAT, forward the single UDP port 4569 from your NAT firewall in to the PBX.

SIP Protocol

http://www.freepbx.org/support/documentation/howtos/howto-setup-a-remote-sip-extension

If your PBX is behind NAT and you'd still like to try getting remote SIP extensions to work:

vim /etc/asterisk/sip_nat.conf

localnet=192.168.1.0/255.255.255.0      ; your local network
externhost=your.fqdn.hostname           ; your resolvable host name
fromdomain=your.fqdn.domain.name        ; your domain name
nat=yes
qualify=yes
externrefresh=10
canreinvite=no

asterisk -rx reload                     #reload Asterisk configuration

PHP Memory Limit

This should be the default:

vim -c 457 /etc/php.ini
memory_limit = 128M

Re-Install Just FreePBX

amportal stop

rm -f /etc/asterisk/{sip_notify.conf,iax.conf,logger.conf,features.conf,sip.conf,extensions.conf,ccss.conf,chan_dahdi.conf}

/usr/sbin/safe_asterisk

cd /usr/src/freepbx-2.10.0
./install_amp

Visit the configuration page at: http://IP.of.PBX

Click “Apply Settings”

Reboot