Asterisk Freepbx Install Guide

This guide covers installing Freepbx 13 with Asterisk 13 from source on CentOS 7.
Run the installation as the root user or with sudo.

Disable SELinux

Check SELinux status:

# sestatus

If not disabled, set SELINUX=disabled in /etc/selinux/config.

# sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config

and switch SELinux to permissive mode for the current session:

# setenforce 0

Install Asterisk Prerequisites

Ensure all required packages are installed.
yum -y update && yum -y groupinstall core && yum -y groupinstall base && yum -y install epel-release
yum -y install automake gcc gcc-c++ ncurses-devel openssl-devel libxml2-devel unixODBC-devel libcurl-devel libogg-devel libvorbis-devel speex-devel spandsp-devel freetds-devel net-snmp-devel iksemel-devel corosynclib-devel newt-devel popt-devel libtool-ltdl-devel lua-devel sqlite-devel radiusclient-ng-devel portaudio-devel neon-devel libical-devel openldap-devel gmime-devel mysql-devel bluez-libs-devel jack-audio-connection-kit-devel gsm-devel libedit-devel libuuid-devel jansson-devel libsrtp-devel git subversion libxslt-devel kernel-devel audiofile-devel gtk2-devel libtiff-devel libtermcap-devel ilbc-devel bison php php-mysql php-process php-pear php-mbstring php-xml php-gd tftp-server httpd sox tzdata mysql-connector-odbc mariadb mariadb-server fail2ban jwhois xmlstarlet ghostscript libtiff-tools python-devel patch
Legacy pear requirement:
pear install Console_Getopt

Set Linux Timezone:

tzselect

Example:

timedatectl set-timezone Europe/Kiev

timedatectl status

Download and install source files

DAHDI

Only required if a physical server is used and you are going to use PRI or BRI cards.

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-current.tar.gz
tar zxvf dahdi-linux-complete*
cd /usr/src/dahdi-linux-complete*/
make all && make install && make config
systemctl start dahdi

If make all fails, try rebooting and running yum -y install kernel-devel.

PJSIP
This separate PJSIP install is optional since Asterisk v13.8. If Asterisk is compiled with the --with-pjproject-bundled flag, this separate install will be ignored.

cd /usr/src
wget http://www.pjsip.org/release/2.5.5/pjproject-2.5.5.tar.bz2
tar -xjvf pjproject-2.5*
cd /usr/src/pjproject-2.5*/
make distclean

./configure --prefix=/usr --libdir=/usr/lib64 --enable-shared --disable-sound --disable-resample \
--disable-video --disable-opencore-amr CFLAGS='-O2 -DNDEBUG'

make uninstall && ldconfig && make dep && make && make install && ldconfig

To verify, run ldconfig -p | grep pj, which should show several linked *.so files in /usr/lib64.

Asterisk

cd /usr/src
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar zxvf asterisk-13-current.tar.gz
cd /usr/src/asterisk-13*/
make distclean

./configure --libdir=/usr/lib64 --with-pjproject-bundled

To verify, review the configure log with nano -v config.log.

cd /usr/src/asterisk-13*/
make menuselect.makeopts

# To select compile options manually from a menu, run make menuselect instead of the following command.
# To list command line options, run menuselect/menuselect --list-options
# If Asterisk fails to run on a virtual machine, try adding "--disable BUILD_NATIVE"
# To add Asterisk realtime for applications such as A2billing, add "--enable res_config_mysql"

menuselect/menuselect --enable cdr_mysql --enable EXTRA-SOUNDS-EN-GSM menuselect.makeopts

Create Asterisk user, compile, install, and set ownership.

adduser asterisk -s /sbin/nologin -c "Asterisk User"
make && make install && chown -R asterisk. /var/lib/asterisk


Freepbx

systemctl start mariadb

cd /usr/src
git clone -b release/13.0 https://github.com/FreePBX/framework.git freepbx

cd /usr/src/freepbx
./start_asterisk start
./install -n

# Minimal module install
fwconsole ma upgrade framework core voicemail sipsettings infoservices \
featurecodeadmin logfiles callrecording cdr dashboard music conferences

fwconsole restart
fwconsole reload
fwconsole chown

The post-install tasks below are mandatory.

Post-install tasks

Lock down the database server.
mysql_secure_installation

Answer Y to everything.

Change Apache web server and PHP settings.

sed -i 's/\(^upload_max_filesize = \).*/\120M/' /etc/php.ini
sed -i 's/^\(User\|Group\).*/\1 asterisk/' /etc/httpd/conf/httpd.conf
sed -i ':a;N;$!ba;s/AllowOverride None/AllowOverride All/2' /etc/httpd/conf/httpd.conf
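The three sed edits above depend on line patterns and on the order of matches in the file, so it helps to rehearse them on copies and check the outcome before editing /etc. This is an added example, not part of the original guide: the sample httpd.conf and php.ini are constructed, the function names (make_sample, apply_edits, override_all_dirs, apache_identity) are hypothetical, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example: rehearse the guide's sed edits on constructed copies.

# Constructed sample files (assumption: modelled on a stock layout).
make_sample() {
    cat > "$1/httpd.conf" <<'EOF'
User apache
Group apache
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
EOF
    printf 'post_max_size = 8M\nupload_max_filesize = 2M\n' > "$1/php.ini"
}

# The guide's three edits, pointed at a copy directory instead of /etc.
apply_edits() {
    sed -i 's/\(^upload_max_filesize = \).*/\120M/' "$1/php.ini"
    sed -i 's/^\(User\|Group\).*/\1 asterisk/' "$1/httpd.conf"
    sed -i ':a;N;$!ba;s/AllowOverride None/AllowOverride All/2' "$1/httpd.conf"
}

# Print each <Directory> path whose block now has "AllowOverride All".
override_all_dirs() {
    awk '/^<Directory /      { d = $2; gsub(/[">]/, "", d) }
         /AllowOverride All/ { print d }' "$1"
}

# Print the account Apache will run as, in user:group form.
apache_identity() {
    awk '$1 == "User" { u = $2 } $1 == "Group" { g = $2 }
         END { print u ":" g }' "$1"
}

tmp=$(mktemp -d)
make_sample "$tmp" && apply_edits "$tmp"
echo "AllowOverride All applies to: $(override_all_dirs "$tmp/httpd.conf")"
echo "Apache runs as: $(apache_identity "$tmp/httpd.conf")"
grep '^upload_max_filesize' "$tmp/php.ini"
rm -rf "$tmp"
```

The two check functions can also be pointed at the real /etc/httpd/conf/httpd.conf after the edits to confirm which directory received AllowOverride All.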

Enable access to services and ports.

firewall-cmd --permanent --zone=public --add-service={http,https}
firewall-cmd --permanent --zone=public --add-port=5060-5061/tcp
firewall-cmd --permanent --zone=public --add-port=5060-5061/udp
firewall-cmd --permanent --zone=public --add-port=10000-20000/udp

Set database and web server to start on boot.

systemctl enable mariadb
systemctl enable httpd

Set Freepbx to start on boot.

nano /etc/systemd/system/freepbx.service

[Unit]
Description=Freepbx
After=mariadb.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/fwconsole start
ExecStop=/usr/sbin/fwconsole stop

[Install]
WantedBy=multi-user.target

systemctl enable freepbx

CDR ODBC

If the deprecated cdr_mysql.so module is installed then this is optional, but still recommended.

nano /etc/odbc.ini

[MySQL-asteriskcdrdb]
Description=MySQL connection to 'asteriskcdrdb' database
driver=MySQL
server=localhost
database=asteriskcdrdb
Port=3306
Socket=/var/lib/mysql/mysql.sock
option=3

Use the username and password from /etc/asterisk/res_odbc_additional.conf to test connectivity to the DB via ODBC. This example uses username asteriskuser and password amp109.

isql -v MySQL-asteriskcdrdb asteriskuser amp109

Finally, reboot for all changes to take effect.

reboot

 

Optional

Log File Rotation

If this is not done the log files will keep growing indefinitely.

nano /etc/logrotate.d/asterisk

/var/spool/mail/asterisk
/var/log/asterisk/*log
/var/log/asterisk/full
/var/log/asterisk/dtmf
/var/log/asterisk/freepbx_dbug
/var/log/asterisk/fail2ban {
weekly
missingok
rotate 4
#compress
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null || true
endscript
su root root
}

TFTP

If you plan to use hardware SIP phones you will probably want to set up TFTP.

yum -y install tftp-server
nano /etc/xinetd.d/tftp

change server_args = -s /var/lib/tftpboot
to server_args = -s /tftpboot

change disable=yes
to disable=no

mkdir /tftpboot
chmod 777 /tftpboot
systemctl restart xinetd

firewall-cmd --permanent --zone=public --add-port=69/udp
firewall-cmd --reload

MPG123

This is used in combination with sox to convert uploaded mp3 files to Asterisk compatible wav files.

cd /usr/src
wget http://ufpr.dl.sourceforge.net/project/mpg123/mpg123/1.22.4/mpg123-1.22.4.tar.bz2
tar -xjvf mpg123*

cd mpg123*/
./configure --prefix=/usr --libdir=/usr/lib64 && make && make install && ldconfig

Digium addons

To register Digium® licenses:

cd /usr/src
wget http://downloads.digium.com/pub/register/linux/register
chmod +x register
./register

To install the individual addons refer to the README files and ignore the register instructions.

http://downloads.digium.com/pub/telephony/codec_g729/README
http://downloads.digium.com/pub/telephony/res_digium_phone/README
http://downloads.digium.com/pub/telephony/fax/README
http://downloads.digium.com/pub/telephony/hpec/README

Password protect http access

A simple way to block scanners looking for exploits on Apache web servers.

mkdir -p /usr/local/apache/passwd
# -c creates (and overwrites) the password file, so use it for the first user only
htpasswd -c /usr/local/apache/passwd/wwwpasswd someusername
htpasswd /usr/local/apache/passwd/wwwpasswd someotherusername

nano /var/www/html/.htaccess

# .htaccess files require AllowOverride All in /etc/httpd/conf/httpd.conf
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require valid-user

Alternatively, the above .htaccess config can be added to /etc/httpd/conf/httpd.conf or as a separate file in /etc/httpd/conf.d/ as follows.

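# Auth directives are only valid inside a directory context
<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require valid-user
</Directory>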

Whitelist protect http access

Use this if HTTP access is only required from certain IP addresses.

nano /etc/httpd/conf.d/whitelist.conf

# Require directives are only valid inside a directory context
<Directory "/var/www/html">
## Uncomment the following line to disable the whitelist
#Require all granted

Require ip x.x.x.x
Require ip x.x.x.x x.x.x.x x.x.x.x
Require ip x.x
Require ip x.x.x.0/255.255.255.0
Require host somedomain.com
#
## See http://httpd.apache.org/docs/2.4/mod/mod_authz_host.html for more examples
#
</Directory>
