Linode Community Forums
PostPosted: Sun Jun 06, 2010 1:17 pm 
Senior Newbie

Joined: Fri May 21, 2010 7:38 am
Posts: 11
Hey guys,

I routinely log my server installs and as such I wanted to contribute mine for getting a properly configured FreePBX server up and running.

This is provided as-is and is pretty raw for the untrained eye. There are some custom preferences I like and certain sections remain unexplained.

I have to give credit to Preston Moore because I based part of the config on his outdated freepbx install script for CentOS. His site has been dead for ages now so I guess it's not a bad thing repeating some of the stuff here. If you do need it you might want to read this post: "ztxen / ztdummy / dahdi_dummy support on Linode".

This install does NOT install Zaptel/DAHDI - so there is no dummy timing device and therefore no meet_me functionality. I personally don't need this for this install.

THIS IS NOT A BASH SCRIPT

Security is important so learn to configure Iptables, Denyhosts, rkhunter, cronjob for security updates, configure sshd, configure httpd, HTTPS by default.

Code:
root
[DELETED PASSWORD]

mika
[DELETED PASSWORD]

# add a second user
useradd mika -d /home/mika/
passwd mika

#set proper timezone centos
cp /usr/share/zoneinfo/Europe/Amsterdam /etc/localtime

# rpm fusion and software

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
yum install foo

rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm
yum -y update

yum -y install yum-fastestmirror yum-cron yum-security yum-protect-packages  httpd mod_evasive mod_security mod_ssl openssl denyhosts rkhunter apachetop htop mlocate

# iptables script for basic security and white-listing my trunk (redundant). the most basic ports you'll need open are 22, 80, 443, SIP, IAX and the RTP range. the rest is just for faxing (i.e. google it)
iptables -F
# loopback has to stay open once the chain denies by default (local MySQL, AMI, etc.)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 2727 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4000:4999 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5036 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5059:5061 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
iptables -A INPUT -p udp -m udp --source 64.154.41.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --source 81.85.224.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --source 204.11.194.0/24 -j ACCEPT
iptables -A INPUT -p udp -m udp --source 212.150.88.0/24 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# default deny for everything not accepted above; without it the whitelist blocks nothing
iptables -P INPUT DROP
iptables -L
service iptables save

# services
chkconfig --list | grep on
chkconfig iptables on; chkconfig ntpd on; chkconfig denyhosts on; chkconfig httpd on


# kernel settings
nano /etc/sysctl.conf

# disable ICMP redirect acceptance (0 = do not accept)
net.ipv4.conf.all.accept_redirects = 0
# ignore ICMP echo requests (ping)
net.ipv4.icmp_echo_ignore_all = 1
# ignore broadcast echo requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# log spoofed, source-routed and redirect packets
net.ipv4.conf.all.log_martians = 1

# apply the settings
sysctl -p


# setup automated daily yum security updates
crontab -e
@daily /usr/bin/yum -y update --security

# secure some more shit (figure this out on your own)
nano /etc/rkhunter.conf (comment out xinetd)
rkhunter --update; rkhunter --checkall

nano /etc/denyhosts.conf (setup email notification and syslog)
nano /etc/resolv.conf (nothing really)
nano /etc/sysconfig/network (add HOSTNAME=)
nano /etc/httpd/conf/httpd.conf (do some stuff)
nano /etc/ssh/sshd_config (do some more stuff)
nano /etc/hosts (add your hostname)


# freepbx install
export IP_ADDRESS=YOURSERVERIP
export FREEPBX_VERSION=2.7.0
export MYSQL_ROOT_PW=YOURPASSWORD1
export ASTERISK_DB_PW=YOURPASSWORD2
export ASTERISK_MGR_PW=YOURPASSWORD3
export ARI_PW=YOURPASSWORD4

# install mysql server
yum -y install mysql-server
/etc/init.d/mysqld start
chkconfig mysqld on

# configure mysql root password
mysqladmin -u root password ${MYSQL_ROOT_PW}

# install packages needed beyond base install
yum -y install kernel-devel make bison flex gcc-c++ gcc httpd php php-cli php-mysql php-pear php-gd curl sox ncurses-devel openssl-devel mysql-devel gtk2-devel

# install pear DB module
pear install db

# place source packages in standard place
cd /usr/src

# download, make and install libpri
wget http://downloads.digium.com/pub/libpri/libpri-1.4-current.tar.gz
tar xfv libpri-1.4-current.tar.gz
cd `find . -name "libpri-1.4.*" -print`
make; make install; cd ..

# download, make and install asterisk and configuration files
wget http://downloads.digium.com/pub/asterisk/asterisk-1.4-current.tar.gz
tar xfvz asterisk-1.4-current.tar.gz
cd `find . -name "asterisk-1.4.*" -print`
./configure; make; make install; make samples; cd ..

# download, make and install asterisk-addons
wget http://downloads.digium.com/pub/asterisk/asterisk-addons-1.4-current.tar.gz
tar xfvz asterisk-addons-1.4-current.tar.gz
cd `find . -name "asterisk-addons-1.4.*" -print`
./configure; make; make install; make samples; cd ..

# download and install voicevector.com sounds
wget http://www.voicevector.com/voicepacks/sounds-amer-fem-1.0-ulaw.tgz
mv sounds-amer-fem-1.0-ulaw.tgz /var/lib/asterisk
cd /var/lib/asterisk
mv sounds sounds.old
tar vxzf sounds-amer-fem-1.0-ulaw.tgz
cd sounds
ln -s /var/spool/asterisk/vm vm
ln -s /var/spool/asterisk/voicemail voicemail

# create asterisk user and group for apache server
useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk

# fix up apache configuration to run as asterisk user
chown asterisk /var/lib/php/session/
cp -v /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.original
sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf

# download and unpack freepbx
cd /usr/src/
wget http://mirror.freepbx.org/freepbx-${FREEPBX_VERSION}.tar.gz
tar xfvz freepbx-${FREEPBX_VERSION}.tar.gz

# configure freepbx
cd freepbx-${FREEPBX_VERSION}

# setup databases for freepbx use
mysqladmin -u root -p${MYSQL_ROOT_PW} create asterisk
mysqladmin -u root -p${MYSQL_ROOT_PW} create asteriskcdrdb
mysql -u root -p${MYSQL_ROOT_PW} asterisk < SQL/newinstall.sql
mysql -u root -p${MYSQL_ROOT_PW} asteriskcdrdb < SQL/cdr_mysql_table.sql
mysql -u root -p${MYSQL_ROOT_PW} <<-END_PRIVS
        GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
        GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
        flush privileges;
END_PRIVS


# reconfigure php for freepbx
cp -v /etc/php.ini /etc/php.ini-orig
sed -i "s/\(upload_max_filesize *= *\)\(.*\)/\120M/" /etc/php.ini
sed -i "s/\(memory_limit *= *\)\(.*\)/\1100M/" /etc/php.ini

# fix up directory use and permissions for asterisk
mkdir /var/run/asterisk
chown asterisk:asterisk -Rv /var/run/asterisk
chown asterisk:asterisk -Rv /etc/asterisk
chown asterisk:asterisk -Rv /var/lib/asterisk
chown asterisk:asterisk -Rv /dev/zap   # only exists with Zaptel/DAHDI installed; harmless error otherwise
chown asterisk:asterisk -Rv /var/log/asterisk
chown asterisk:asterisk -Rv /var/spool/asterisk
chown asterisk:asterisk -Rv /var/www/html
sed -i "s|astrundir *=> */var/run|astrundir => /var/run/asterisk|" /etc/asterisk/asterisk.conf

# configure amportal
cp -v amportal.conf /etc/amportal.conf
sed -i "s/# \(AMPDBUSER=asteriskuser\) */\1/" /etc/amportal.conf
sed -i "s/# \(AMPDBPASS=\).*/\1${ASTERISK_DB_PW}/" /etc/amportal.conf
sed -i "/#AMPWEBADDRESS=192.168.1.101/d" /etc/amportal.conf
sed -i "s/AMPWEBADDRESS=/AMPWEBADDRESS=${IP_ADDRESS}/" /etc/amportal.conf
sed -i "s/\(AMPMGRPASS=*\)\(.*\)/\1${ASTERISK_MGR_PW}/" /etc/amportal.conf
sed -i "s/\(secret *= *\)\(.*\)/\1${ASTERISK_MGR_PW}/" /etc/asterisk/manager.conf

# also set AUTHTYPE=database in /etc/amportal.conf

# start asterisk
./start_asterisk start

# install freepbx
./install_amp

# start apache web server
service httpd restart
chkconfig httpd on

# set ARI admin password
sed -i "s/ari_password/${ARI_PW}/" /var/www/html/recordings/includes/main.conf.php

# moh fix
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
chown asterisk:asterisk /var/lib/asterisk/mohmp3

# asterisk logrotate
cat > /etc/logrotate.d/asterisk <<-END_ROTATE
/var/log/asterisk/*log {
    missingok
    rotate 5
    weekly
    create 0640 asterisk asterisk
    postrotate
        /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
    endscript
}
/var/log/asterisk/full {
    missingok
    rotate 5
    daily
    create 0640 asterisk asterisk
    postrotate
        /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
    endscript
}
/var/log/asterisk/cdr-csv/*csv {
    missingok
    rotate 5
    monthly
    create 0640 asterisk asterisk
}
END_ROTATE


# start amportal at boot
echo "/usr/sbin/amportal start" >> /etc/rc.local

# start freepbx
/usr/sbin/amportal start

# clean up
cd /usr/src/
rm -rf *.tar.gz

# freepbx manager gui password got refused
# was facing a bug and this solved it (converted my password to sha1)
mysql -u root -p
use asterisk;
UPDATE ampusers SET password_sha1 = 'yoursha1hash' where username='admin';
exit

# generate a self-signed ssl certificate
yum install mod_ssl openssl
cd ~

# Generate private key
openssl genrsa -out ca.key 1024

# Generate CSR
openssl req -new -key ca.key -out ca.csr

# Generate Self Signed Key
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt

# Move the files to the correct locations
mv ca.crt /etc/pki/tls/certs
mv ca.key /etc/pki/tls/private/ca.key
mv ca.csr /etc/pki/tls/private/ca.csr

# update httpd config with new paths
nano /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key

# create .htaccess file for auto https
# requires you to have AllowOverride All in httpd.conf for public_html dir

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

chown asterisk:asterisk .htaccess

NOW YOU ARE READY FOR THE GUI CONFIG OF FREEPBX


That's it - hope this helped someone.


Last edited by Mika1974 on Sun Jun 20, 2010 2:53 pm, edited 2 times in total.
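A small audit of the kind of firewall the post builds, added here as an example and not part of the original post or of FreePBX: it parses an INPUT chain in iptables-save format and reports the gaps a whitelist-only ruleset tends to have (no default deny, no loopback rule, no state rule, unexpected TCP ports). The sample rule sets are constructed to mirror the post's chain; `audit_input_chain` is a hypothetical helper name.

```python
# Added example: audit an INPUT chain (iptables-save format) for the gaps a
# whitelist-only ruleset like the post's tends to have. Samples are constructed.
POST_STYLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -s 64.154.41.0/24 -p udp -m udp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
# Same chain plus a loopback rule and a default-deny policy (also constructed).
HARDENED_RULES = POST_STYLE_RULES.replace(":INPUT ACCEPT", ":INPUT DROP").replace(
    "-A INPUT -p tcp", "-A INPUT -i lo -j ACCEPT\n-A INPUT -p tcp", 1)

def audit_input_chain(save_text, allowed_tcp=frozenset({22, 80, 443})):
    # Returns the chain policy, the TCP ports and UDP ranges it opens, and findings.
    policy, tcp_ports, udp_ranges = None, set(), []
    loopback = established = catch_all_deny = False
    for line in save_text.splitlines():
        t = line.split()
        if t[:1] == [":INPUT"]:          # ":INPUT <policy> [pkts:bytes]"
            policy = t[1]
            continue
        if t[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(t[2::2], t[3::2]))  # iptables-save emits flag/value pairs
        target = opts.get("-j")
        if target in ("DROP", "REJECT") and not ({"--dport", "-s"} & opts.keys()):
            catch_all_deny = True          # an unconditional deny at the end counts
        if target != "ACCEPT":
            continue
        loopback |= opts.get("-i") == "lo"
        established |= "ESTABLISHED" in opts.get("--state", "")
        if "--dport" in opts:
            lo, _, hi = opts["--dport"].partition(":")
            rng = (int(lo), int(hi or lo))
            if opts.get("-p") == "tcp":
                tcp_ports.update(range(rng[0], rng[1] + 1))
            else:
                udp_ranges.append(rng)
    checks = [
        (policy != "DROP" and not catch_all_deny, "no default deny: the ACCEPT rules block nothing"),
        (not loopback, "no '-i lo' ACCEPT: local MySQL/AMI traffic breaks under policy DROP"),
        (not established, "no ESTABLISHED,RELATED rule: replies to outbound connections are dropped"),
        (bool(tcp_ports - allowed_tcp), "unexpected TCP ports: %s" % sorted(tcp_ports - allowed_tcp)),
    ]
    return {"policy": policy, "tcp_ports": tcp_ports, "udp_ranges": udp_ranges,
            "findings": [msg for bad, msg in checks if bad]}
```

On a live box, feed it the output of `iptables-save` and treat any finding as a reason to revisit the chain before saving it.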

PostPosted: Thu Jun 17, 2010 10:47 am 
Senior Newbie

Joined: Fri May 21, 2010 7:38 am
Posts: 11
I've completed configurations (queues, IVRs, etc.) and it handles fine. The smallest Linode with the 32-bit CentOS install uses about 50% of memory when idle. So far no issues with 10 users.


PostPosted: Fri Jun 18, 2010 1:33 am 
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
Mika1974 wrote:
I've completed configurations (queues, IVRs, etc.) and it handles fine. The smallest Linode with the 32-bit CentOS install uses about 50% of memory when idle. So far no issues with 10 users.


How many trunks are being paid for and shared and how much?

Thanks for the instructions, just not sure about the IP trunk costs.


PostPosted: Fri Jun 18, 2010 11:29 am 
Senior Member

Joined: Tue May 26, 2009 3:29 pm
Posts: 1691
Location: Montreal, QC
The number of incoming channels matters less and less these days. Some providers like voip.ms will sell you a DID with unlimited incoming channels and let you use it for super heavy-duty commercial use if you want. They get paid per-minute, so they don't really care if you're using a hundred channels at a time; that means you're paying for 100 minutes at a time too.

The per-minute costs are what cover the channel costs, the initial $0.99 is just to pay for the number itself.

In terms of cost, voip.ms (a local company) charges $0.99 for the DID in major Canadian cities ($1.95 in smaller cities) and $0.01 per minute for the incoming calls. Their pricing for US DIDs seems similar.


PostPosted: Sat Jun 19, 2010 9:53 am 
Senior Newbie

Joined: Fri May 21, 2010 7:38 am
Posts: 11
The cost of your DIDs and channels isn't something you can blame on Linode. I'm already happy with the cost savings of going from a dedicated server to a cheap Linode with equal performance.

I use www.ipcomms.net for our US inbound DIDs and www.didwww.com for the rest. These don't charge per minute but you only have 2 channels (in their default pricing, you can add more).

I'll check out the other recommendation though there is a huge list on http://www.voip-info.org/


PostPosted: Sat Jun 19, 2010 11:51 am 
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
Thanks for the information guys. We have Internet, VoIP, and HD cable all combined in one bill, all over cable. The box that connects to the cable side (for Internet) also does the VoIP and provides a fake dial tone throughout the house to boot.

I'm studying the prices and the sites you posted and would in the end go with configuring something like this if I can replace the cool little box that provides the fake dial tone. If I hosted this on my Linode I'd have to figure out how to get the dial tone while connecting remotely to my Linode Asterisk.

I use a land line phone for meetings about 20-30 hours a month so I'm not sure it will be cheaper yet. Though it would be more convenient since I could even use my laptop when I'm on the go and access my home phone line, so to speak, I think. I've been out of the telephony stuff for a few years so I'm a bit rusty on it all.

Thanks again, something interesting to look into.


PostPosted: Sun Jun 20, 2010 2:14 pm 
Senior Newbie

Joined: Fri May 21, 2010 7:38 am
Posts: 11
To be frank, it sounds like you would be better off with either a set of Skype minutes or a SIP phone and a SIP account somewhere. For example the Grandstream GXP 2020, or using software from CounterPath or Zoiper.

After all there aren't really cost savings; you'll still want to keep your TV and Internet anyway. Adding $20/mo for a Linode, $10/mo for an inbound DID (phone number), $?/mo for outbound minutes... you get the picture.

This setup is for small/medium businesses who need an Interactive Voice Response menu, voicemail boxes, etc. Also, though FreePBX makes using Asterisk easier, you still need background knowledge such as dialplans etc.


PostPosted: Sun Jun 20, 2010 2:29 pm 
Senior Member

Joined: Sun May 23, 2010 1:57 pm
Posts: 315
Website: http://www.jebblue.net
Right, I was just looking to see if the numbers would scale down and I'd have a new project to use my Linode for. :-)

Not practical but potentially fun.

I program for a living, used to program CTI and IVR apps.

Thanks for the tips, Mika1974.


PostPosted: Sat Feb 18, 2012 9:34 pm 
Senior Member

Joined: Sun Aug 10, 2008 11:26 am
Posts: 104
Location: ~$
Hey Linode admins, can we get this SEO spammer jimm1909 to stop barfing all over this thread?

_________________
Hartford makes bread and jeans, and paper art.


PostPosted: Sat Feb 18, 2012 9:53 pm 
Senior Member

Joined: Fri Jan 09, 2009 5:32 pm
Posts: 634
funkytastic wrote:
Hey Linode admins, can we get this SEO spammer jimm1909 to stop barfing all over this thread?


a support ticket took care of him ;)


PostPosted: Sat Feb 18, 2012 10:08 pm 
Senior Member

Joined: Sun Aug 10, 2008 11:26 am
Posts: 104
Location: ~$
Nicely done. There's still the wryan's post, though.

_________________
Hartford makes bread and jeans, and paper art.

