Linode PBX: CentOS 5.5 + Asterisk 1.4 + FreePBX 2.7 Tutorial
I routinely log my server installs and as such I wanted to contribute mine for getting a properly configured FreePBX server up and running.
This is provided as-is and is pretty raw for the untrained eye. There are some custom preferences I like and certain sections remain unexplained.
I have to give credit to Preston Moore because I based part of the config on his outdated freepbx install script for CentOS. His site has been dead for ages now so I guess it's not a bad thing repeating some of the stuff here. If you do need it you might want to read this post ztxen / ztdummy / dahdi_dummy support on Linode
This install does NOT install Zaptel/DAHDI - so there is no dummy timing device and therefore no meet_me functionality. I personally don't need this for this install.
THIS IS NOT A BASH SCRIPT
Security is important so learn to configure Iptables, Denyhosts, rkhunter, cronjob for security updates, configure sshd, configure httpd, HTTPS by default.
root
[DELETED PASSWORD]
mika
[DELETED PASSWORD]
# add a second user
useradd mika -d /home/mika/
passwd mika
#set proper timezone centos
cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime
# rpm fusion and software
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
yum install foo
rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm
yum -y update
yum -y install yum-fastestmirror yum-cron yum-security yum-protect-packages httpd mod_evasive mod_security mod_ssl openssl denyhosts rkhunter apachetop htop mlocate
# iptables script for basic security and white-listing my trunk (redundant). the most basic ports you'll need open are 22, 80, 443, SIP, IAX and the RTP range. the rest is just for faxing (i.e. google it)
iptables -F
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4000:4999 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --source 64.154.41.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --source 81.85.224.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --source 204.11.194.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --source 212.150.88.0/24 -j ACCEPT
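iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow loopback traffic (local services talk over 127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT
# drop everything not accepted above; with the default ACCEPT policy the rules above filter nothing
iptables -P INPUT DROP
iptables -L
service iptables save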
# services
chkconfig --list | grep on
chkconfig iptables on && chkconfig ntpd on && chkconfig denyhosts on && chkconfig httpd on
# kernel settings
nano /etc/sysctl.conf
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
# enable ignoring of ICMP echo requests
net.ipv4.icmp_echo_ignore_all = 1
# enable ignoring of broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# enable bad error message protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable logging of spoofed packets, source-routed packets, redirect packets
net.ipv4.conf.all.log_martians = 1
# apply the settings once the file is saved
sysctl -p
# setup automated daily yum security updates
crontab -e
@daily /usr/bin/yum -y update --security
# secure some more shit (figure this out on your own)
nano /etc/rkhunter.conf (comment out xinetd)
rkhunter --update; rkhunter --checkall
nano /etc/denyhosts.conf (setup email notification and syslog)
nano /etc/resolv.conf (nothing really)
nano /etc/sysconfig/network (add HOSTNAME=)
nano /etc/httpd/conf/httpd.conf (do some stuff)
nano /etc/ssh/sshd_config (do some more stuff)
nano /etc/hosts (add your hostname)
# freepbx install
export IP_ADDRESS=YOURSERVERIP
export FREEPBX_VERSION=2.7.0
export MYSQL_ROOT_PW=YOURPASSWORD1
export ASTERISK_DB_PW=YOURPASSWORD2
export ASTERISK_MGR_PW=YOURPASSWORD3
export ARI_PW=YOURPASSWORD4
# install mysql server
yum -y install mysql-server
/etc/init.d/mysqld start
chkconfig mysqld on
# configure mysql root password
mysqladmin -u root password ${MYSQL_ROOT_PW}
# install packages needed beyond base install
yum -y install kernel-devel make bison flex gcc-c++ gcc httpd php php-cli php-mysql php-pear php-gd curl sox ncurses-devel openssl-devel mysql-devel gtk2-devel
# install pear DB module
pear install db
# place source packages in standard place
cd /usr/src
# download, make and install libpri
wget http://downloads.digium.com/pub/libpri/libpri-1.4-current.tar.gz
tar xfv libpri-1.4-current.tar.gz
cd `find . -name "libpri-1.4.*" -print`
make; make install; cd ..
# download, make and install asterisk and configuration files
wget http://downloads.digium.com/pub/asterisk/asterisk-1.4-current.tar.gz
tar xfvz asterisk-1.4-current.tar.gz
cd `find . -name "asterisk-1.4.*" -print`
./configure; make; make install; make samples; cd ..
# download, make and install asterisk-addons
wget http://downloads.digium.com/pub/asterisk/asterisk-addons-1.4-current.tar.gz
tar xfvz asterisk-addons-1.4-current.tar.gz
cd `find . -name "asterisk-addons-1.4.*" -print`
./configure; make; make install; make samples; cd ..
# download and install voicevector.com sounds
wget http://www.voicevector.com/voicepacks/sounds-amer-fem-1.0-ulaw.tgz
mv sounds-amer-fem-1.0-ulaw.tgz /var/lib/asterisk
cd /var/lib/asterisk
mv sounds sounds.old
tar vxzf sounds-amer-fem-1.0-ulaw.tgz
cd sounds
ln -s /var/spool/asterisk/vm vm
ln -s /var/spool/asterisk/voicemail voicemail
# create asterisk user and group for apache server
useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk
# fix up apache configuration to run as asterisk user
chown asterisk /var/lib/php/session/
cp -v /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.original
sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf
# download and unpack freepbx
cd /usr/src/
wget http://mirror.freepbx.org/freepbx-${FREEPBX_VERSION}.tar.gz
tar xfvz freepbx-${FREEPBX_VERSION}.tar.gz
# configure freepbx
cd freepbx-${FREEPBX_VERSION}
# setup databases for freepbx use
mysqladmin -u root -p${MYSQL_ROOT_PW} create asterisk
mysqladmin -u root -p${MYSQL_ROOT_PW} create asteriskcdrdb
mysql -u root -p${MYSQL_ROOT_PW} asterisk < SQL/newinstall.sql
mysql -u root -p${MYSQL_ROOT_PW} asteriskcdrdb < SQL/cdr_mysql_table.sql
mysql -u root -p${MYSQL_ROOT_PW} <<-END_PRIVS
GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
flush privileges;
END_PRIVS
# reconfigure php for freepbx
cp -v /etc/php.ini /etc/php.ini-orig
sed -i "s/\(upload_max_filesize *= *\)\(.*\)/\120M/" /etc/php.ini
sed -i "s/\(memory_limit *= *\)\(.*\)/\1100M/" /etc/php.ini
# fix up directory use and permissions for asterisk
mkdir /var/run/asterisk
chown asterisk:asterisk -Rv /var/run/asterisk
chown asterisk:asterisk -Rv /etc/asterisk
chown asterisk:asterisk -Rv /var/lib/asterisk
chown asterisk:asterisk -Rv /dev/zap
chown asterisk:asterisk -Rv /var/log/asterisk
chown asterisk:asterisk -Rv /var/spool/asterisk
chown asterisk:asterisk -Rv /var/www/html
sed -i "s|astrundir *=> */var/run|astrundir => /var/run/asterisk|" /etc/asterisk/asterisk.conf
# configure amportal
cp -v amportal.conf /etc/amportal.conf
sed -i "s/# \(AMPDBUSER=asteriskuser\) */\1/" /etc/amportal.conf
sed -i "s/# \(AMPDBPASS=\).*/\1${ASTERISK_DB_PW}/" /etc/amportal.conf
sed -i "/#AMPWEBADDRESS=192.168.1.101/d" /etc/amportal.conf
sed -i "s/AMPWEBADDRESS=/AMPWEBADDRESS=${IP_ADDRESS}/" /etc/amportal.conf
sed -i "s/\(AMPMGRPASS=*\)\(.*\)/\1${ASTERISK_MGR_PW}/" /etc/amportal.conf
sed -i "s/\(secret *= *\)\(.*\)/\1${ASTERISK_MGR_PW}/" /etc/asterisk/manager.conf
# also set AUTHTYPE=database in amportal.conf
# start asterisk
./start_asterisk start
# install freepbx
./install_amp
# start apache web server
service httpd restart
chkconfig httpd on
# set ARI admin password
sed -i "s/ari_password/${ARI_PW}/" /var/www/html/recordings/includes/main.conf.php
# moh fix
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
chown asterisk:asterisk /var/lib/asterisk/mohmp3
# asterisk logrotate
cat > /etc/logrotate.d/asterisk <<-END_ROTATE
/var/log/asterisk/*log {
missingok
rotate 5
weekly
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
/var/log/asterisk/full {
missingok
rotate 5
daily
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
/var/log/asterisk/cdr-csv/*csv {
missingok
rotate 5
monthly
create 0640 asterisk asterisk
}
END_ROTATE
# start amportal at boot
echo "/usr/sbin/amportal start" >> /etc/rc.local
# start freepbx
/usr/sbin/amportal start
# clean up
cd /usr/src/
rm -rf *.tar.gz
# freepbx manager gui password got refused
# was facing a bug and this solved it (converted my password to sha1)
mysql -u root -p
use asterisk;
UPDATE ampusers SET password_sha1 = 'yoursha1hash' where username='admin';
exit
# generate a self-signed ssl certificate
yum install mod_ssl openssl
cd ~
# Generate private key (2048-bit; 1024-bit RSA is too weak for TLS)
openssl genrsa -out ca.key 2048
# Generate CSR
openssl req -new -key ca.key -out ca.csr
# Generate self-signed certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Move the files to the correct locations
mv ca.crt /etc/pki/tls/certs
mv ca.key /etc/pki/tls/private/ca.key
mv ca.csr /etc/pki/tls/private/ca.csr
# update httpd config with new paths
nano /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
# create .htaccess file for auto https
# requires you to have AllowOverride All in httpd.conf for public_html dir
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
chown asterisk:asterisk .htaccess
NOW YOU ARE READY FOR THE GUI CONFIG OF FREEPBX
That's it - hope this helped someone.
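A list of ACCEPT rules like the firewall step in this post restricts nothing while the INPUT policy is still ACCEPT and no catch-all drop follows. As an added example (not part of the original post), this shell function audits `iptables-save` output for that gap; the function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the filter INPUT chain from `iptables-save` text on stdin.
audit_input_chain() {
    awk '
    /^:INPUT / { policy = $2 }
    /^-A INPUT / {
        if ($0 ~ /-j ACCEPT/) accepts++
        # a rule with no match options and a DROP/REJECT target catches everything
        if ($0 ~ /^-A INPUT -j (DROP|REJECT)/) catchall = 1
        if ($0 ~ /-i lo / && $0 ~ /-j ACCEPT/) loopback = 1
        if ($0 ~ /--(ct)?state / && $0 ~ /ESTABLISHED/) established = 1
    }
    END {
        if (policy == "") { print "ERROR no INPUT chain in input"; exit }
        filtering = (policy == "DROP" || catchall)
        if (!filtering)
            print "FAIL policy " policy " with no catch-all drop: " (accepts + 0) " ACCEPT rules filter nothing"
        if (filtering && !loopback) print "WARN no loopback accept rule"
        if (filtering && !established) print "WARN no ESTABLISHED,RELATED rule"
        if (filtering && loopback && established) print "OK"
    }'
}

# Constructed sample: ACCEPT-only rules under the default ACCEPT policy.
sample_accept_only() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
-A INPUT -s 64.154.41.0/24 -p udp -m udp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: a default-drop policy with loopback and state rules.
sample_default_drop() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

sample_accept_only | audit_input_chain   # on a live host: iptables-save | audit_input_chain
```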
10 Replies
@Mika1974:
I've completed configurations (queues, IVRs, etc etc) and it handles fine. The smallest Linode with the 32-bit CentOS install uses about 50% of memory when idle. So far no issues with 10 users.
How many trunks are being paid for and shared and how much?
Thanks for the instructions, just not sure about the IP trunk costs.
The per-minute costs are what cover the channel costs, the initial $0.99 is just to pay for the number itself.
In terms of cost, voip.ms (a local company) charges $0.99 for the DID in major Canadian cities ($1.95 in smaller cities) and $0.01 per minute for the incoming calls. Their pricing for US DIDs seems similar.
I use
I'll check out the other recommendation though there is a huge list on
I'm studying the prices and the sites you posted and would in the end go with configuring something like this if I can replace the cool little box that provides the fake dial tone. If I hosted this on my Linode I'd have to figure out how to get the dial tone while connecting remotely to my Linode Asterisk.
I use land line phone for meetings about 20-30 hours a month so I'm not sure it will be cheaper yet. Though it would be more convenient since I could even use my laptop when I'm on the go and access my home phone line, so to speak, I think. I've been out of the telephony stuff for a few years so I'm a bit rusty on it all.
Thanks again, something interesting to look into.
After all there aren't really cost savings; you'll still want to keep your TV and Internet anyways. Adding 20$/mo for a Linode, 10$/mo for an inbound DID (phone number), ?$/mo for outbound minutes.. you get the picture.
This setup is for small/medium businesses who need an Interactive Voice Response menu and voicemail boxes etc. Also though FreePBX makes using Asterisk easier you still need background knowledge such as dialplans etc.
Not practical but potentially fun.
I program for a living, used to program CTI and IVR apps.
Thanks for the tips, Mika1974.
@funkytastic:
Hey Linode admins, can we get this SEO spammer jimm1909 to stop barfing all over this thread?
a support ticket took care of him