Elastix-Asterisk
Install FreePBX 15 on CentOS 7
---
Step 1: Prerequisites
Disable SELinux
sudo setenforce 0
sudo sed -i 's/\(^SELINUX=\).*/\1disabled/' /etc/selinux/config
Update CentOS system and Install Development Tools.
sudo yum -y update
sudo yum -y groupinstall "Development Tools"
Install other required dependencies:
sudo yum -y install lynx tftp-server ncurses-devel sendmail sendmail-cf sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel subversion kernel-devel git crontabs cronie cronie-anacron wget vim php-xml uuid-devel sqlite-devel net-tools gnutls-devel unixODBC mysql-connector-odbc
Step 2: Install MariaDB Database server:
FreePBX requires a database server. Use the guide on the link below to install and configure MariaDB Database server on CentOS 7.
Install MariaDB 10.x on Ubuntu 18.04 and CentOS 7
Step 3: Installing Node.js 10 LTS
FreePBX has Node.js as a dependency. Install it on your system by using our guide below:
Installing Node.js 10 LTS on CentOS 7 / Fedora 29 / Fedora 28
Once installed, confirm version using:
$ node -v
v10.13.0
Step 4: Install and configure Apache Web Server
Install httpd package using yum package manager:
sudo yum -y install httpd
Then change Apache user to asterisk and turn on AllowOverride option:
sudo cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf_orig
sudo sed -i 's/^\(User\|Group\).*/\1 asterisk/' /etc/httpd/conf/httpd.conf
sudo sed -i 's/AllowOverride None/AllowOverride All/' /etc/httpd/conf/httpd.conf
Remove default index.html page
sudo rm -f /var/www/html/index.html
Step 5: Install PHP and required extensions
FreePBX is dependent on PHP, run the following commands to install php and required extensions.
sudo yum -y install epel-release
sudo yum -y install wget php php-pear php-cgi php-common php-curl php-mbstring php-gd php-mysql php-gettext php-bcmath php-zip php-xml php-imap php-json php-process php-snmp
Change php maximum file upload size:
sudo sed -i 's/\(^upload_max_filesize = \).*/\120M/' /etc/php.ini
Step 6: Download and Install FreePBX 15 on Ubuntu 18.04 / 16.04 / Debian 9
Download the latest version of FreePBX 15:
sudo yum -y install wget
wget http://mirror.freepbx.org/modules/packages/freepbx/freepbx-15.0-latest.tgz
Extract the file:
tar xfz freepbx-15.0-latest.tgz
rm -f freepbx-15.0-latest.tgz
Install FreePBX 15 on CentOS 7
cd freepbx
sudo ./start_asterisk start
sudo ./install -n
If you have a root password for database server, use:
./install -n --dbuser root --dbpass password
Replace password with the root database password.
Sample installation output:
Done. All modules installed.
Updating Hooks...Done
Done installing modules
Taking too long? Customize the chown command, See http://wiki.freepbx.org/display/FOP/FreePBX+Chown+Conf
Setting Permissions...
Setting base permissions...Done
Setting specific permissions...
 32451 [============================]
Finished setting permissions
Generating default configurations...
Finished generating default configurations
You have successfully installed FreePBX
Start and enable httpd service.
sudo systemctl start httpd
sudo systemctl enable httpd
If you have an active firewalld firewall service, open http & https ports
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload
You have successfully installed FreePBX 15 on CentOS 7.
Step 7: Access FreePBX 15 Web Interface
Open your web browser and connect to the IP address or hostname of your new FreePBX server.
1. Create the first admin account
When done providing admin user details, click “Create Account” to create the account. On the next page, you’ll get a login console.
You’ll get to FreePBX dashboard where you can manage your Asterisk PBX.
You should now have FreePBX 15 running on your CentOS 7 server. Visit our VOIP pae
Secure Asterisk and FreePBX from VoIP Fraud and Brute Force Attacks
How does VoIPBL secure your PBX?
VoIPBL Geolocation feature allows you to block all network traffic from countries that a network does not need to communicate with, or that are known originators of malicious activity. From their site, you can check if your IP address is on the blacklist.
How to install VoIPBL
VoIP Blacklist depends on Fail2ban to effect blacklisting on your PBX server. Ensure you have a fail2ban package installed and service running:
sudo yum install epel-release
sudo yum install fail2ban fail2ban-systemd
For Ubuntu and other Debian families, run:
sudo apt-get -y install fail2ban ufw
If you’re running CentOS 6 or any other RHEL 6 family, install iptables-services and fail2ban without fail2ban-systemd
sudo yum install iptables-services fail2ban
Default settings for Fail2ban are configured in /etc/fail2ban/jail.conf
A basic fail2ban configuration will have ssh monitoring. Let’s add this to /etc/fail2ban/jail.local file.
$ sudo vim /etc/fail2ban/jail.local
Add the following content:
[postfix]
enabled  = true
port     = smtp
filter   = postfix
logpath  = /var/log/mail.log
maxretry = 3

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3

[vsftpd]
enabled  = false
port     = ftp
filter   = vsftpd
logpath  = /var/log/auth.log
maxretry = 5

[pure-ftpd]
enabled  = true
port     = ftp
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 3
Then start and enable fail2ban service
sudo systemctl enable fail2ban.service
sudo systemctl start fail2ban.service
Download voipbl.sh script and place it under /usr/local/bin/
wget http://www.voipbl.org/voipbl.sh -O /usr/local/bin/voipbl.sh
Make the script executable:
chmod +x /usr/local/bin/voipbl.sh
The above uses iptables. If your system supports ipset, you can use the following script instead:
#!/bin/bash

URL="http://www.voipbl.org/update/"

set -e
echo "Downloading rules from VoIP Blacklist"
wget -q "$URL" -O /tmp/voipbl.txt

echo "Loading rules..."

# Check if rule set exists and create one if required
if ! /usr/sbin/ipset list voipbl > /dev/null 2>&1; then
  ipset -N voipbl iphash
fi

# Check if rule in iptables
if ! /sbin/iptables -w --check INPUT -m set --match-set voipbl src -j DROP > /dev/null 2>&1; then
  /sbin/iptables -I INPUT 1 -m set --match-set voipbl src -j DROP
fi

# Create temporary chain
ipset destroy voipbl_temp > /dev/null 2>&1 || true
ipset -N voipbl_temp iphash

# Add each entry, skipping blank lines and "#" comments. Only the first field is
# used, and only when it looks like an IPv4 address or network; the downloaded
# list is never passed to a shell for evaluation.
awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $1 }' /tmp/voipbl.txt |
  while read -r entry; do
    /usr/sbin/ipset -A voipbl_temp "$entry" || true
  done

ipset swap voipbl_temp voipbl
ipset destroy voipbl_temp || true

echo "Done! Rules loaded"
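The update script above runs as root and loads a list fetched over plain HTTP, so the list is worth checking before it reaches ipset. The following is an added example, not part of voipbl.sh or the original guide: a POSIX sh function that keeps only well-formed IPv4 entries and prints them as `ipset restore` input. The names `build_restore` and `sample_list`, the thresholds `MIN_ENTRIES` and `MIN_PREFIX`, and the sample list are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: validate a downloaded blacklist and print `ipset restore` input.
# List content is handled as data only; none of it is ever evaluated by a shell.

MIN_ENTRIES=${MIN_ENTRIES:-3}  # assumed sanity floor; set it near the real list size
MIN_PREFIX=${MIN_PREFIX:-8}    # assumed policy: refuse networks broader than /8

# build_restore LIST_FILE SET_NAME  ("-" as LIST_FILE reads stdin)
# Prints one "add SET_NAME ENTRY" line per valid entry. Prints nothing and
# returns 1 when fewer than MIN_ENTRIES valid entries are found.
build_restore() {
  awk -v set="$2" -v min="$MIN_ENTRIES" -v minp="$MIN_PREFIX" '
    function valid(e,    parts, oct, n, i, p) {
      n = split(e, parts, "/")
      if (n > 2) return 0
      if (n == 2) {
        p = parts[2]
        if (p !~ /^[0-9]+$/ || length(p) > 2 || p + 0 < minp || p + 0 > 32) return 0
      }
      if (split(parts[1], oct, ".") != 4) return 0
      for (i = 1; i <= 4; i++)
        if (oct[i] !~ /^[0-9]+$/ || length(oct[i]) > 3 || oct[i] + 0 > 255) return 0
      return 1
    }
    { sub(/\r$/, "") }                     # tolerate CRLF line endings
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    valid($1) { out[++count] = "add " set " " $1; next }
    { rejected++ }
    END {
      if (rejected) printf "rejected %d malformed entries\n", rejected > "/dev/stderr"
      if (count < min) exit 1
      for (i = 1; i <= count; i++) print out[i]
    }' "$1"
}

# Constructed sample input (documentation address ranges), not real blacklist data.
sample_list() {
  cat <<'EOF'
# constructed VoIPBL-style list
192.0.2.10/32
198.51.100.0/24
203.0.113.7
999.1.1.1
192.0.2.1;echo
0.0.0.0/0
EOF
}

sample_list | build_restore - voipbl_temp   # prints the three valid entries as add lines
```

In the update script, write this output to a file and run `ipset -exist restore` on it, followed by `ipset swap`, only when `build_restore` returns 0, so a truncated or tampered download leaves the active set untouched.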
Then add a new Fail2ban Jail on /etc/fail2ban/jail.conf:
[asterisk-iptables]
action = iptables-allports[name=ASTERISK, protocol=all]
         voipbl[serial=XXXXXXXXXX]
Now define the VoIP Blacklist actions for Fail2ban on /etc/fail2ban/action.d/voipbl.conf.
sudo vim /etc/fail2ban/action.d/voipbl.conf
Add:
# Description: Configuration for Fail2Ban

[Definition]

actionban   = <getcmd> "<url>/ban/?serial=<serial>&ip=<ip>&count=<failures>"
actionunban = <getcmd> "<url>/unban/?serial=<serial>&ip=<ip>&count=<failures>"

[Init]

getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 \
              --read-timeout=60 --retry-connrefused --output-document=- \
              --user-agent=Fail2Ban

url = http://www.voipbl.org
We can now create a cron job file to update rules every 3 hours:
$ sudo vim /etc/cron.d/voipbl
# update blacklist each 4 hours
0 */4 * * * root /usr/local/bin/voipbl.sh
When done, restart fail2ban daemon to get protected against VoIP Fraud:
sudo systemctl restart fail2ban
You can also do advanced configurations like:
Filter by Country
Filter by Network
For further reading, check the Asterisk Security document by VOIP-info.
----------------------------------