Asterisk is an open source framework for setting up communications over IP phones. Asterisk software converts an ordinary server into a communications server. It supports VoIP gateways and conference servers. Nowadays most business organisations, government agencies and call centres use Asterisk as their communications platform. Asterisk's voice quality is amazing with the latest codecs, and it is a free, open source framework sponsored by Digium.

Let's see how to install and configure Asterisk PBX 13.x on CentOS. Here we build Asterisk with SRTP so that it accepts encrypted connections and the communications between the server and the phones are secured and encrypted.

Our Server Configuration

CentOS 6.9 64 bit
4 GB RAM
4 GB SWAP

You need a bare server to install and set up the Asterisk framework. This is a step-by-step procedure to install Asterisk PBX 13.x on CentOS.

Step 1. Update the yum and packages

First, you have to update all packages and kernel.

yum -y update

Set the hostname for the server

Eg: asterisk.your_domain.com
The hostname is very important. It should resolve to the server, because we need to install an SSL certificate for the server's hostname to make SSL connections.

Step 2. Install necessary packages

yum -y install gcc gcc-c++ php-xml php php-mysql php-pear php-mbstring mariadb-devel mariadb-server mariadb sqlite-devel lynx bison gmime-devel psmisc tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel audiofile-devel gtk2-devel uuid-devel libtool libuuid-devel subversion kernel-devel kernel-devel-$(uname -r) git subversion kernel-devel php-process crontabs cronie cronie-anacron wget vim

Step 3. Install the development tools

yum groupinstall "Development Tools"

Step 4. Install MariaDB

We need to install the MySQL service.
Here we used MariaDB 10; you can use whichever repo you wish.
Recommended: MySQL 5.6 or MariaDB 10

To Install MariaDB

# cd /etc/yum.repos.d/
# vim MariaDB.repo

Copy the below repo to the MariaDB.repo

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos6-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Save the file

# yum install -y MariaDB-server MariaDB-client
# service mysql start

# mysql

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 390
Server version: 10.1.30-MariaDB MariaDB Server

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Now MariaDB-10 is installed

Step 5. Installing Jansson

Jansson is a C library used for encoding, decoding and manipulating JSON data on the Asterisk PBX server.

We need to install Jansson

# cd /usr/local/src
# mkdir asterisk-13
# cd asterisk-13
# git clone https://github.com/akheron/jansson.git
# cd jansson
# autoreconf -i
# ./configure --prefix=/usr/local/
# make && make install

Step 6. Install Legacy Pear requirements

# pear install Console_Getopt

FYI: If your pear version is not matched you need to update it.

Step 7. Installing Asterisk PBX 13.x

Asterisk PBX 13 was released in 2016 and is one of the most stable versions, used by most of the big companies.

# cd /usr/local/src/asterisk-13
# wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/dahdi-linux-complete-current.tar.gz

# wget http://downloads.asterisk.org/pub/telephony/libpri/libpri-1.4-current.tar.gz
# wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz

# wget -O jansson.tar.gz https://github.com/akheron/jansson/archive/v2.7.tar.gz
# wget http://www.pjsip.org/release/2.4/pjproject-2.4.tar.bz2

Compile and install DAHDI if you are connecting to the PSTN. This step is OPTIONAL; install it only if you'll connect to the PSTN.

FYI: It's an optional configuration; we need a PRI card for it.

# cd /usr/local/src/asterisk-13
# tar xvfz dahdi-linux-complete-current.tar.gz
# tar xvfz libpri-1.4-current.tar.gz
# rm -f dahdi-linux-complete-current.tar.gz libpri-1.4-current.tar.gz
# cd dahdi-linux-complete-*
# make all
# make install
# make config
# cd ../libpri-1.4.*
# make
# make install

Step 8. Compile and install pjproject

Asterisk 13 contains two SIP stacks: one, the original chan_sip SIP channel driver that has been present in all previous releases of Asterisk, and a new SIP stack that is based on pjproject.

So we need to configure pjproject

# cd /usr/local/src/asterisk-13
# tar -xjvf pjproject-2.4.tar.bz2
# rm -f pjproject-2.4.tar.bz2
# cd pjproject-2.4
# CFLAGS='-DPJ_HAS_IPV6=1' ./configure --prefix=/usr --enable-shared --disable-sound --disable-resample --disable-video --disable-opencore-amr --libdir=/usr/lib64
# make dep
# make
# make install

Compile and Install jansson

# cd /usr/local/src/asterisk-13
# tar vxfz jansson.tar.gz
# rm -f jansson.tar.gz
# cd jansson-*
# autoreconf -i
# ./configure --libdir=/usr/lib64
# make
# make install

Step 9. Compile and install Asterisk

We need to build the Asterisk now.

# cd /usr/local/src/asterisk-13
# tar xvfz asterisk-13-current.tar.gz
# cd asterisk-*
# ./configure --libdir=/usr/lib64

Step 10. Setup menu options by running the following command

# make menuselect

On Core Sound Packages, select the audio formats you need; you can select whichever sound packages are required.

On the Music On Hold option, select the required modules.

Extra sound packages

Codec translators are very important, so I chose all the available codecs. You can also install custom codecs, but you need to pay for third-party codecs.

Save & exit

Step 11. Now run the following command to download the mp3 decoder library into the source tree, which is a very important part.

We need the mp3 decoders

# cd /usr/local/src/asterisk-13/asterisk-*
# contrib/scripts/get_mp3_source.sh

Step 12. Do installation of selected modules

# cd /usr/local/src/asterisk-13/asterisk-*/
# make
# make install
# make samples
# make config

The above setup is for normal communications. If you want to build your server with TLS,
rebuild Asterisk with the ssl and srtp flags.

Installation of Basic Dependencies

# yum install -y make wget openssl-devel ncurses-devel newt-devel libxml2-devel kernel-devel gcc gcc-c++ sqlite-devel
# yum install libsrtp

# yum install libsrtp-devel

Recompile asterisk

# cd /usr/local/src/asterisk-13/asterisk-13.19.0
# ./configure --libdir=/usr/lib64 --with-crypto --with-ssl --with-srtp

# make
# make install

Step 13. Create separate user and group to run asterisk services

# useradd -m asterisk
# chown asterisk:asterisk /var/run/asterisk
# chown -R asterisk:asterisk /etc/asterisk
# chown -R asterisk:asterisk /var/{lib,log,spool}/asterisk
# chown -R asterisk:asterisk /usr/lib64/asterisk

Step 14. Make Asterisk start after boot by copying init script to init.d dir

# cd /usr/local/src/asterisk-13/asterisk-*
# cp contrib/init.d/rc.redhat.asterisk  /etc/init.d/asterisk
# chmod 755 /etc/init.d/asterisk

Locate asterisk by

# which asterisk

/sbin/asterisk

Then open the file /etc/init.d/asterisk by

# vi /etc/init.d/asterisk

Replace AST_SBIN= with the location of your asterisk binary; in my case it's /sbin/.

Step 15. Disable SELinux

sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
sestatus

Step 16. Setup Asterisk Database

# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create user 'asterisk'@'localhost' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create database cdrdb;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> create database asterisk;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON asterisk.* TO asterisk@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON cdrdb.* TO asterisk@localhost IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye

Step 17. Make all asterisk PBX ports accessible

We need to open some ports in the firewall. First, create a file for the firewall rules so that we can simply restore them.

Check for current firewall rules:

# iptables -L

There are no firewall rules

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Create a new file /etc/asterisk.firewall.rules
Add the following rule on the file

*filter

# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config, ie 8050
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# SIP on UDP port 5060; secure (TLS) signaling on TCP port 5061, where Asterisk listens. Used for signals such as "hang up"
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT

# IAX2 - the IAX protocol - comment out if you don't plan to use IAX
# -A INPUT -p udp -m udp --dport 4569 -j ACCEPT

# IAX - old IAX protocol, uncomment if needed for legacy systems.
# -A INPUT -p udp -m udp --dport 5036 -j ACCEPT

# RTP - the media stream - you can change this in /etc/asterisk/rtp.conf
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT

# MGCP - if you use media gateway control protocol in your configuration
-A INPUT -p udp -m udp --dport 2727 -j ACCEPT

# Uncomment these lines if you plan to use FreePBX to manage Asterisk
# -A INPUT -p tcp --dport 80 -j ACCEPT
# -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

Save the file

iptables-restore < /etc/asterisk.firewall.rules

Make sure that iptables is enabled, once the rules added then check the active rules

sudo iptables -L

The Asterisk PBX ports are very important and need to be enabled on the firewall. In this setup, we have built SRTP for encrypted communications. The communications take place via two channels through the VoIP trunk.
We must secure the signalling because SRTP keys are exchanged in plaintext with SDES. For more info refer to

https://www.voip-info.org/wiki/view/Asterisk+SRTP
https://www.voip-info.org/wiki/view/SRTP

If you face any difficulty with the firewall, try again after disabling it.

FYI: Disabling the firewall is not recommended. For security purposes we have introduced GEO blocking. It is a customized Ruby script which monitors the activity of the Asterisk server. If any unwanted access is found from any other location, it blocks the IP on the firewall.

To check the currently listening ports

# netstat -ntnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5061 0.0.0.0:* LISTEN 15441/asterisk
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 604/mysqld
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 15441/asterisk
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2243/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 507/sshd
tcp 0 0 0.0.0.0:1720 0.0.0.0:* LISTEN 15441/asterisk
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 669/sendmail
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2243/httpd
# netstat -nnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:5061 0.0.0.0:* LISTEN 15441/asterisk
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 604/mysqld
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 15441/asterisk
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2243/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 507/sshd
tcp 0 0 0.0.0.0:1720 0.0.0.0:* LISTEN 15441/asterisk
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 669/sendmail
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2243/httpd
udp 0 0 0.0.0.0:5000 0.0.0.0:* 15441/asterisk
udp 0 0 0.0.0.0:2727 0.0.0.0:* 15441/asterisk
udp 0 0 0.0.0.0:4520 0.0.0.0:* 15441/asterisk
udp 0 0 0.0.0.0:5060 0.0.0.0:* 15441/asterisk
udp 0 0 0.0.0.0:4569 0.0.0.0:* 15441/asterisk
udp 0 0 0.0.0.0:35161 0.0.0.0:* 15441/asterisk
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 96580330 1/init @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 96581475 647/saslauthd /var/run/saslauthd/mux
unix 2 [ ACC ] STREAM LISTENING 211747790 15441/asterisk /var/run/asterisk/asterisk.ctl
unix 2 [ ACC ] STREAM LISTENING 96581422 604/mysqld /var/lib/mysql/mysql.sock
#
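
To compare a rule file with what is actually listening, the added example below (not part of the original tutorial) reads an iptables-restore file plus netstat -nlp output and reports whether each non-loopback listener is admitted by an ACCEPT rule, matching on protocol and --dport only. The function names and both sample inputs are constructed for illustration; the sample rules open 5061 on UDP only, so the TLS listener on TCP 5061 is reported as blocked.

```shell
#!/bin/sh
# Added example, not from the original page: report whether each listening
# socket is admitted by an ACCEPT rule in an iptables-restore file.
check_listeners() {   # usage: netstat -nlp | check_listeners RULES_FILE
    awk '
    FNR == NR {                         # first input: the rule file
        if ($1 != "-A" || $2 != "INPUT") next
        proto = ""; ports = ""; target = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") ports = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target == "ACCEPT" && proto != "" && ports != "") {
            split(ports, r, ":")        # single port or lo:hi range
            n++; p[n] = proto; lo[n] = r[1] + 0
            hi[n] = (r[2] == "" ? r[1] : r[2]) + 0
        }
        next
    }
    $1 == "tcp" || $1 == "udp" {        # second input: netstat -nlp lines
        if ($4 ~ /^127\./) next         # loopback-only listener
        port = $4; sub(/.*:/, "", port); port += 0
        prog = $NF; sub(/.*\//, "", prog)
        verdict = "blocked"
        for (i = 1; i <= n; i++)
            if (p[i] == $1 && port >= lo[i] && port <= hi[i]) verdict = "allowed"
        print $1 "/" port, prog, verdict
    }' "$1" -
}
sample_rules() {      # constructed rule excerpt: 5061 opened on UDP only
    cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}
sample_netstat() {    # constructed listener list in netstat -nlp layout
    cat <<'EOF'
tcp 0 0 0.0.0.0:5061 0.0.0.0:* LISTEN 15441/asterisk
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 507/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 669/sendmail
udp 0 0 0.0.0.0:5060 0.0.0.0:* 15441/asterisk
udp 0 0 0.0.0.0:4569 0.0.0.0:* 15441/asterisk
EOF
}
demo() {              # run the check on the constructed samples
    f=$(mktemp) && sample_rules > "$f" && sample_netstat | check_listeners "$f"
    rm -f "$f"
}
demo
```

On the server the same check is: netstat -nlp | check_listeners /etc/asterisk.firewall.rules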

Step 18. Install Apache and enable SSL for hostname

In order to achieve encrypted communication, we need an SSL certificate for the hostname. You can buy SSL from any SSL provider and install it on your hostname. We are using letsencrypt free SSL.

FYI: I would not recommend letsencrypt, because if you are using hard phones, you need to update the SSL certificate every 90 days on the server and phones. So it is better to purchase an SSL with a minimum 3-year validity.

We need to install Apache to set up the virtual host if you are going to install the letsencrypt free SSL

1. Install httpd

yum install httpd

2. In order for the Let's Encrypt software to work with Apache, ensure that the SSL/TLS module is installed by issuing the command below:

# yum -y install mod_ssl

3. Finally, start Apache server with the following command:

# systemctl start httpd.service   [On RHEL/CentOS 7]
# service httpd start             [On RHEL/CentOS 6]

# yum install epel-release

# yum install git

6. Now, once you have installed all the required dependencies in order to deal with Let's Encrypt, go to the /usr/local/ directory and start pulling the Let's Encrypt client from its official GitHub repository with the following command:

# cd /usr/local/
# git clone https://github.com/letsencrypt/letsencrypt

# cd /usr/local/letsencrypt
# ./letsencrypt-auto --apache -d asterisk.hostname.com -d www.asterisk.hostname.com

Type the relevant information, such as your email ID.

Before that, add the virtual host without SSL

<VirtualHost *:80>
ServerName asterisk.hostname.com
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html
# ServerName dummy-host.example.com
ErrorLog logs/asterisk.hostname.com_error_log
CustomLog logs/asterisk.hostname.com_access_log common
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName asterisk1.hostname.com
# ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html
# ServerName dummy-host.example.com
ErrorLog logs/asterisk.hostname_error_log
CustomLog logs/asterisk.hostname_access_log common
SSLCertificateFile /etc/letsencrypt/live/asterisk1.hostname.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/asterisk1.hostname.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/asterisk1.hostname.com/chain.pem
</VirtualHost>

</IfModule>

vim /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/letsencrypt/live/asterisk1.hostname.com/cert.pem

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you’ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/letsencrypt/live/asterisk1.hostname.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/asterisk1.hostname.com/chain.pem

Now SSL is enabled for the domain

# service httpd restart

Step 19. Configure Asterisk 13 PBX

In this part, sip.conf and extensions.conf are very important.

sip.conf contains your VoIP host details and SIP IDs. extensions.conf contains the dial plans.

/etc/asterisk/sip.conf

[general]
dtmfmode=rfc2833
context=internal
register => YOUR_VOIP_ID:VOIP_PASSWORD@VOIPHOST
allowguest=no
allowoverlap=yes
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes
alwaysauthreject=yes
canreinvite=no
nat=yes
session-timers=refuse
externip= Server_IP
externrefresh=15
localnet=192.168.1.0/255.255.255.0
disallow=all
allow=opus
allow=alaw
allow=adpcm
allow=g722
allow=g726
allow=gsm
allow=ulaw
allow=resample
allow=lpc10
allow=ilbc
allow=g729
allowtransfer=yes
tlsenable=yes
tlsbindaddr=0.0.0.0
; your SSL cert path to make SSL communications
tlscertfile=/etc/letsencrypt/live/asterisk1.hostname.com/asterisk.pem
tlscafile=/etc/letsencrypt/live/asterisk1.hostname.com/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
encryption=yes
callcounter=yes

[VOIP]
type=friend
context=internal
host=sip.encryptedsip.com
secret= Your sip host password
remotesecret=Your sip host password
host=sip.encryptedsip.com
username= Your VOIP ID
fromuser= Your VOIP ID
insecure=port,invite
disallowed_methods=UPDATE
directmedia=no
videosupport=no
disallow=all
allow=opus
allow=alaw
allow=adpcm
allow=g722
allow=g726
allow=gsm
allow=ulaw
allow=resample
allow=lpc10
allow=ilbc
allow=g729
sendrpid=yes
trustrpid=yes

[1001]
type=friend
host=dynamic
secret=securepassword
context=internal

[1002]
type=friend
host=dynamic
secret=securepassword
context=internal
transport=tls
encryption=yes
subscribecontext=internal
callgroup=2
pickupgroup=2
allowsubscribe=yes
busylevel=1

[1003]
type=friend
host=dynamic
secret=securepassword
context=internal

Save the file

Here you have to configure your sip.conf with the information provided by your VoIP provider.
I have added some SIP IDs like 1001, 1002, 1003
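
The script below turns the TLS and SRTP points of this step into a check: it reads a chan_sip sip.conf and reports weak TLS options in [general] and peers whose SRTP (SDES) keys would travel over non-TLS signalling. It is an added example, not part of the original tutorial; the function names and the sample excerpt are constructed, and it assumes that a peer without its own transport or encryption setting inherits the value from [general], with transport falling back to udp.

```shell
#!/bin/sh
# Added example, not from the original page. Assumption: a peer that sets no
# transport=/encryption= inherits [general]; with neither set, transport is udp.
audit_sip_conf() {   # usage: audit_sip_conf /etc/asterisk/sip.conf  (or stdin)
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function eff(s, k, dflt) {         # peer value, else [general], else default
        if ((s, k) in v) return v[s, k]
        if (("general", k) in v) return v["general", k]
        return dflt
    }
    /^[ \t]*;/ || /^[ \t]*$/ { next }  # comments and blank lines
    /^[ \t]*\[/ {                      # section header such as [1001]
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
        if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    (eq = index($0, "=")) > 0 {        # key=value, inline ;comment stripped
        val = substr($0, eq + 1); sub(/;.*/, "", val)
        v[sec, tolower(trim(substr($0, 1, eq - 1)))] = tolower(trim(val))
    }
    END {
        g = "general"
        if (eff(g, "tlsenable", "no") != "yes") print g ": tlsenable is off, no TLS listener"
        if (eff(g, "tlscipher", "") == "all") print g ": tlscipher=ALL accepts weak cipher suites"
        if (eff(g, "tlsclientmethod", "") ~ /^(sslv2|sslv3|tlsv1)$/) print g ": tlsclientmethod pins outbound TLS to a legacy protocol"
        if (eff(g, "tlsdontverifyserver", "no") == "yes") print g ": tlsdontverifyserver=yes leaves outbound TLS peers unauthenticated"
        for (i = 1; i <= n; i++) {
            s = order[i]; if (s == g) continue
            tr = eff(s, "transport", "udp"); enc = eff(s, "encryption", "no")
            if (enc != "yes") print s ": encryption is off, media is plain RTP"
            else if (tr !~ /tls/) print s ": SRTP keys (SDES) cross " tr " signalling in the clear"
            if ((s, "insecure") in v) print s ": insecure=" v[s, "insecure"] " relaxes inbound authentication"
        }
    }' "${1:--}"
}
sample_sip_conf() {  # constructed excerpt that mirrors settings used on this page
    cat <<'EOF'
[general]
tlsenable=yes
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
encryption=yes
[VOIP]
type=friend
insecure=port,invite
[1001]
type=friend
host=dynamic
[1002]
type=friend
transport=tls
encryption=yes
EOF
}
sample_sip_conf | audit_sip_conf
```

In the sample, peer 1002 produces no finding because it sets both transport=tls and encryption=yes.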

Now let's configure extensions.conf

The dial plan is the most important setup for making calls

The dial plan below is for a basic setup. If you wish to set up more options like call forwarding, pickup group, call group, voice mail, call waiting, IVR, background audio etc., then feel free to contact Xieles support.

/etc/asterisk/extensions.conf

[internal]
exten => 1001,hint,SIP/1001
exten => 1001,1,Answer()
exten => 1001,2,Dial(SIP/1001,60,tT)
exten => 1001,3,Playback(vm-nobodyavail)
exten => 1001,4,Hangup()

exten => 1002,hint,SIP/1002
exten => 1002,1,Answer()
exten => 1002,2,Dial(SIP/1002,60)
exten => 1002,3,Playback(vm-nobodyavail)
exten => 1002,4,Hangup()

exten => 1003,hint,SIP/1003
exten => 1003,1,Answer()
exten => 1003,2,Dial(SIP/1003,30,tT)
exten => 1003,3,Playback(vm-nobodyavail)
exten => 1003,4,Hangup()

; For outbound calls from a SIP ID, you have to set your country code in the first part, like (+54, +41)
exten => _+44[0-9+]!,1,Dial(SIP/${EXTEN}@VOIP,60,tT)
exten => _[0-9+]!,1,Dial(SIP/${EXTEN}@VOIP,60,tT)

Save the conf and restart Asterisk

Some of the phones need additional codecs. Opus is the best codec ever, providing a clear voice at low bandwidth

FYI: You can install additional codecs if you need them.

Install the additional opus and g729 codecs. URL to download: http://downloads.digium.com/pub/telephony/

Download opus and g729 tar files

# cp codec_opus.so /usr/lib64/asterisk/modules/

# cp codec_opus_config-en_US.xml /var/lib/asterisk/documentation/

Do the same for g729 codecs

# service asterisk restart

That's all. The server setup and configuration is complete. Now you can configure a SIP account using any one of your hard phones or use an app like Zoiper.

FYI: If you are using hard phones with a TLS connection, you need to install the SSL certificate files (for the hostname) on the phones too.

For mobile phones, you have to enable SRTP in the encryption section and set the protocol to TLS

Server security is very important; we installed CSF on the server. If you need high security for your Asterisk server, feel free to contact Xieles Support, and we will help you to harden your server with geo blocking and a monitoring system.