FreePBX Production Install Guide (RHEL v5 or v6, Asterisk v1.8+, FreePBX v2.9+)
This install procedure was tested using the Red Hat Enterprise Linux distributions known as CentOS and Scientific Linux.
Software used:
CentOS v5 or CentOS v6 or Scientific Linux v6
Asterisk 1.8
FreePBX 2.9 or 2.10
Let's get started
If you are installing Linux from scratch using Anaconda via install CD, select "minimal" and proceed with the install, which will install with no groups. Skip down to the yum -y update part.
Otherwise, it is assumed you already have a server with a base CentOS installation before you begin. Do NOT install a GUI such as Gnome or KDE. We only want to be running in console text mode not GUI graphics mode. If you already have a desktop or server GUI installed you will want to exit to console mode. You do that by typing init 3 from a terminal or console window. You will need to be logged in as root in order to do this so if not you can su root. All instructions in this guide are assuming you are always logged in as root.
Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate. Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't but check just in case things change with newer revisions).
yum grouplist installed
Installed Groups:
DNS Name Server
Editors
Legacy Network Server
Mail Server
Network Servers
System Tools
Text-based Internet
Web Server
Windows File Server
Yum Utilities
yum groupremove 'DNS Name Server'
yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'
Now update the base install
yum -y update
Install Asterisk/FreePBX required packages, other useful packages, and their dependencies
yum groupinstall core
yum groupinstall base
yum install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-pear php-pear-DB php-mbstring nano tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel subversion nano kernel-devel selinux-policy
RHEL v5 NOTES
Skip this section if you are using a RHEL6 distribution.
On RHEL 5 shutdown unnecessary daemon brcm-iscsi which is enabled by default and tends to do a lot of logging even when not used. This creates unnecessary I/O load.
chkconfig iscsi off
chkconfig iscsid off
service iscsi stop
service iscsid stop
Replace syslog with the improved and backwards compatible rsyslog (standard in RHEL6 but not RHEL5). This also prevents a problem that comes up with improper timestamps in /var/log/secure when you get disconnects.
NOTE: This is only for RHEL5 based systems. You do not need to do this for RHEL6.
yum -y install rsyslog
chkconfig syslog off
chkconfig rsyslog on
service syslog stop
service rsyslog start
--END of RHEL v5 NOTES--
RHEL v6 NOTES
Skip this section if you are using a RHEL5 based distribution.
On RHEL v6 and its clone distributions the php-pear-DB package is not included so we need to install it
pear install db
RHEL v6 uses a newer version of php. In this version php-posix is no longer in php-common, it is in php-process. So you need to install php-process if using RHEL v6 or its clones, otherwise the FreePBX install will fail.
yum -y install php-process
Check if the firewall (iptables) is enabled by default and if the RHEL v6 default configuration blocks the FreePBX web GUI. If you know what services/ports are required you can run "system-config-firewall-tui" and configure the firewall as required.
At a minimum, the following ports need to be opened:
TCP 80 (www)
TCP 4445 (Flash Operator Panel)
UDP 5060-5061 (SIP)
UDP 10,000 - 20,000 (RTP)
UDP 4569 (IAX)
Another option is to remove existing settings from the firewall and save.
iptables -F
service iptables save
Alternatively, you can disable the firewall for now and prevent it from starting on reboot.
service iptables stop
chkconfig iptables off
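The port list above can also be written as an explicit ruleset instead of flushing or disabling iptables. This is an added example, not part of the original guide; the function name pbx_iptables_rules, the optional admin source range and the SSH rule (TCP 22, so a remote session is not cut off) are assumptions.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that opens only the ports
# listed in this guide. The SSH rule (tcp/22) is an assumption, not in the list.
#
# Usage: pbx_iptables_rules [http_port] [admin_cidr]
#   http_port  - FreePBX GUI port (default 80)
#   admin_cidr - optional IPv4 source range allowed to reach the GUI and the
#                Flash Operator Panel; empty means any source
# To apply on RHEL 6: write the output to /etc/sysconfig/iptables, then
# run "service iptables restart".
pbx_iptables_rules() {
    http_port=${1:-80}
    admin_cidr=${2:-}

    # Accept only a decimal port number between 1 and 65535.
    case $http_port in
        ''|*[!0-9]*|??????*) echo "invalid port: $http_port" >&2; return 1 ;;
    esac
    if [ "$http_port" -lt 1 ] || [ "$http_port" -gt 65535 ]; then
        echo "invalid port: $http_port" >&2; return 1
    fi

    # Accept only characters that can appear in an IPv4 address or CIDR range.
    case $admin_cidr in
        *[!0-9./]*) echo "invalid source range: $admin_cidr" >&2; return 1 ;;
    esac
    src=""
    if [ -n "$admin_cidr" ]; then src="-s $admin_cidr "; fi

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT ${src}-m state --state NEW -m tcp -p tcp --dport ${http_port} -j ACCEPT
-A INPUT ${src}-m state --state NEW -m tcp -p tcp --dport 4445 -j ACCEPT
-A INPUT -m udp -p udp --dport 5060:5061 -j ACCEPT
-A INPUT -m udp -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -m udp -p udp --dport 4569 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the arguments given on the command line.
pbx_iptables_rules "$@"
```

The web GUI and Flash Operator Panel rules take the optional source range because they are management interfaces; SIP, RTP and IAX stay open to any source as in the port list.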
--END of RHEL v6 NOTES--
Selinux is not required or recommended. This will create the required file if it does not already exist. If it already exists copy paste or edit the contents indicated here to be sure selinux never runs.
nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
(Ctrl-x> y >Enter)
Make sure selinux is turned off for this session
setenforce 0
TFTP
nano /etc/xinetd.d/tftp
change server_args = from "-s /var/lib/tftpboot" to "-s /tftpboot"
change "disable=yes" to "disable=no"
mkdir /tftpboot
chmod 777 /tftpboot
service xinetd restart
Set Timezone
Copy your timezone from this link or use tzselect
tzselect
Create a symbolic link to the appropriate timezone from /etc/localtime.
Example:
ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime
PHP timezone (required since PHP v5.3):
If this is not set and you are using php v5.3+ (the version included with RHEL6) it will revert to the default timezone, which may not be the correct one depending on your location. The FreePBX install might throw out a bunch of warnings if you are using RHEL 6 and don't set this.
nano +633 /etc/php.ini
for RHEL6
nano +946 /etc/php.ini
Uncomment (;) date.timezone = and add your timezone
Restart apache for the changes to take effect
service httpd restart
Memory Limit
The recommended setting is 128M otherwise you may get warnings in FreePBX. RHEL 5 installs will probably already have this set correctly. RHEL 6 may need to have this changed.
For RHEL 5
nano +302 /etc/php.ini
memory_limit = 128M
For RHEL 6
nano +457 /etc/php.ini
memory_limit = 128M
As always after php.ini changes, apache needs to be restarted for the changes to take effect.
service httpd restart
Download and untar source files and install.
Zaptel/Dahdi is not included in this install procedure. Starting with Asterisk 1.6.2/FreePBX2.9, it is possible to use ConfBridge in place of MeetMe conferencing. Meetme conferencing was the last Asterisk application that required a timing source. The only reason to install zaptel/dahdi now is if you are installing telephony hardware. Meetme still has some features that confbridge does not and is still required if you also require paging. To install meetme conferencing you must install dahdi and ensure meetme is selected during the asterisk menuselect installation part of the procedure. You can also install confbridge but FreePBX will default to use MeetMe if it detects it.
Get FreePBX. Check if this is the latest released version.
cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.10.0.tar.gz
tar zxvf freepbx-2.10.0.tar.gz
Get Asterisk v1.8.
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-1.8-current.tar.gz
tar zxvf asterisk-1.8-current.tar.gz
NOTE: There is no separate asterisk addons package to download starting with Asterisk v1.8.
cd /usr/src/asterisk-1.8*
make clean
./configure && make menuselect
Select all addons. I believe these are all needed or recommended for FreePBX. Select base and addon sounds. I suggest ulaw as they sound better than gsm especially if you are using ulaw as your default codec. I usually just check both. Then make sure to press the "save" button afterwards.
When you select 'format_mp3' above as an addon you must run a script before going any further otherwise the install will fail.
./contrib/scripts/get_mp3_source.sh
You must also have subversion installed to run the above script and be in the root directory of the Asterisk source code.
Now install Asterisk. NOTE: If upgrading Asterisk on an already running FreePBX system do NOT run make samples.
make && make install && make samples
Create user. May already exist but just to make sure
useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk
The following directory may already exist but just to make sure
mkdir /var/run/asterisk
Set ownership
chown -R asterisk /var/run/asterisk
chown -R asterisk /var/log/asterisk
chown -R asterisk /var/lib/asterisk/moh
chown -R asterisk /var/lib/php/session
Music on Hold
The Asterisk default moh directory is "/moh" and the Freepbx default moh directory is "/mohmp3". If we create a symbolic link instead everything is in one place and can still be found by both FreePBX and Asterisk.
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
The new default behaviour for Asterisk and Freepbx is to only use wav files for moh due to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123 for converting uploaded mp3's to wav automagically. If you won't be uploading or streaming mp3's or won't be using FreePBX (new) default behaviour then you probably don't need to install mpg123.
cd /usr/src
wget -O mpg123-1.14.2.tar.bz2 http://sourceforge.net/projects/mpg123/files/mpg123/1.14.2/mpg123-1.14.2.tar.bz2/download
tar -xjvf mpg123-1.14.2.tar.bz2
cd mpg123-1.14.2
./configure && make && make install
Freepbx php script cannot find mpg123 by default so we need to create a symbolic link.
ln -s /usr/local/bin/mpg123 /usr/bin/mpg123
CHANGE APACHE USER
Change User apache and Group apache to User asterisk and Group asterisk.
sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf
MYSQL SETUP
Before you can do anything to MySQL, you need to make sure it's running:
NOTE: If running RHEL/CENTOS/SL 6 you may need to run mysql_install_db first. Try without and see if it starts first.
service mysqld start
Starting MySQL: [ OK ]
Now, to configure the databases for freePBX:
Note: If mysql admin password is already configured, add "-p" after the command and enter password when asked. For example: mysqladmin -p create asterisk
cd /usr/src/freepbx-2.10.0
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql
They also need to be secured. FreePBX will prompt you for a database username/password when you do the install. You need to pick that now. We'll assume that you've picked 'asteriskuser' and 'amp109' - you probably shouldn't use these, as they are well-known passwords for FreePBX. If you use these well-known defaults and your server is not firewalled, make sure to set bind-address = 127.0.0.1 further down in this procedure so that MySQL only listens to localhost. Or better yet do both.
Security check: It's very important to check that Allow Login With DB Credentials is set to FALSE in FreePBX Advanced Settings GUI. This is the default setting. If it were set to TRUE and you were using the default credentials of asteriskuser/amp109 and your FreePBX GUI were exposed to the internet (ie. the http port), anyone could log into your FreePBX GUI as administrator using those credentials.
MySQL creates a test database and 2 anonymous user accounts by default which we don't need so first we delete them. MySQL also creates a non-local root@hostname account and assuming you don't want to access the database remotely as root (other than via SSH) you should probably delete that for security reasons. DO NOT DELETE the root@localhost account.
mysql
mysql> DROP DATABASE test;
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW VARIABLES LIKE 'hostname';
+---------------+----------------+
| Variable_name | Value |
+---------------+----------------+
| hostname | somehostname.com |
+---------------+----------------+
1 row in set (0.00 sec)
mysql> DROP USER ''@'localhost';
Query OK, 0 rows affected (0.00 sec)
mysql> DROP USER ''@'somehostname.com';
Query OK, 0 rows affected (0.00 sec)
mysql> DROP USER 'root'@'somehostname.com';
mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> \q
Bye
Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for this example. You should use a reasonably strong password. If you need to do anything else with mysql, you'll need to provide this password.
mysqladmin -u root password 'abcdef'
Install Freepbx
/usr/sbin/safe_asterisk
You may get a bunch of warnings, errors, and notices at this point. Don't worry about them. Hit ENTER to get a command prompt.
cd /usr/src/freepbx-2.10.0
./install_amp
If you get any warnings or errors in the last part of the output, they're usually not traumatic.
Default username is: admin
Default pw is: admin
FreePBX 2.10 now wants to create symlinks to some .conf files and complains if actual files already exist, as is the case when Asterisk make samples is run. So we need to delete these files. In FreePBX 2.9 you should only have to delete sip_notify.conf and ccss.conf. Not sure what would happen if you try to delete the rest. After deleting the following files, the next time we make a change in FreePBX and apply settings these symlinks will be created.
rm -f /etc/asterisk/sip_notify.conf
rm -f /etc/asterisk/iax.conf
rm -f /etc/asterisk/logger.conf
rm -f /etc/asterisk/features.conf
rm -f /etc/asterisk/sip.conf
rm -f /etc/asterisk/extensions.conf
rm -f /etc/asterisk/ccss.conf
rm -f /etc/asterisk/chan_dahdi.conf
Edit /etc/asterisk/cdr_mysql.conf and add loguniqueid=yes to the global section, which will give each call record a unique identifier number.
nano /etc/asterisk/cdr_mysql.conf
loguniqueid=yes
Set FreePBX to start on boot
echo /usr/local/sbin/amportal start >> /etc/rc.local
Enable Apache and MySQL to start on boot
chkconfig httpd on
chkconfig mysqld on
Now reboot at which point you should be able to access FreePBX with your web browser. The very first thing you need to do when you enter the FreePBX Admin GUI for the first time is "Apply Configuration Changes" so all the *.conf files are created then reboot again or 'amportal restart' from command prompt.
You may get an error in the FreePBX GUI saying "symlink failed for /etc/asterisk/sip_notify.conf" or something along those lines. If that is the case just delete or rename /etc/asterisk/sip_notify.conf. The next time you "Apply Configuration Changes" in the FreePBX GUI after some change this file will be recreated and the error should be gone.
AMPORTAL.conf changes
FreePBX v2.9+ now includes an "advanced settings" gui that is designed to replace amportal.conf and the requirements to edit it directly. There are also some settings in a new file /etc/freepbx.conf
At this point you should go into this new advanced settings GUI on the FreePBX webpage and edit the following settings:
http://IPaddressOFyourFreePBXserver/
In the GUI Go to: Tools>Advanced Administration>Advanced Settings>System Setup>User Portal Admin Password
Choose your admin password for accessing the Voicemail & Recordings (ARI) section of the front webpage.
In the same GUI go to: System Setup>FreePBX Web Address
Remove the "xx.xx.xx.xx" and leave blank. If that does not work use your public (ie. web facing) IP address for this server.
After saving these changes by pressing the green arrow on the right hand side of each box make sure to "Apply Configuration Changes" at the top of the GUI.
logrotate setup
Set up configuration to rotate log files otherwise they get too big after a short while. Create the following file.
nano /etc/logrotate.d/asterisk
Now add the following to make sure the asterisk log files are rotated weekly along with all the other log files.
/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {
    missingok
    notifempty
    sharedscripts
    create 0640 asterisk asterisk
    postrotate
        /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
    endscript
}
nano /etc/logrotate.d/freepbx
Now add the following to make sure the freepbx log files are rotated weekly
/var/log/asterisk/freepbx_dbug /var/log/asterisk/freepbx_debug {
    missingok
    notifempty
    sharedscripts
    create 0640 asterisk asterisk
    postrotate
        /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
    endscript
}
Misc. optional settings
Change the “upload_max_filesize” from 2M to 20M to allow larger music on hold files
RHEL 5
nano +582 /etc/php.ini
RHEL 6
nano +878 /etc/php.ini
Edit Apache web server for GUI access using a port other than 80:
nano +134 /etc/httpd/conf/httpd.conf
change "Listen 80" to "Listen 8888" or whatever port you want
Change default Apache setting of AllowOverride None to All so that Apache obeys directives in .htaccess files which by default prevents viewing sensitive directories on Freepbx.
nano +338 /etc/httpd/conf/httpd.conf
AllowOverride All
service httpd restart
Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx
You now access it by http://xxx.xxx.xxx.xxx:8888
Set up external SIP extensions if going through NAT
nano /etc/asterisk/sip_nat.conf
nat=yes
externip=
; or
;externhost=yourdns.com
localnet=192.168.1.0/255.255.255.0
;change the above to whatever your local subnet is
externrefresh=10
(Ctrl-X>y>ENTER)
Also, when adding the external SIP extension in FreePBX, make sure to change the nat=never default in the configuration to nat=yes for the extension that will be external.
Log Files Configuration
If you don't want to see a bunch of notices, warnings and errors each time you restart amportal from command line and you don't want your asterisk log files getting huge from constantly writing debug information do the following:
nano /etc/asterisk/logger_logfiles_custom.conf
console =>
full => notice,warning,error,verbose
Also make sure freepbx debug logging is disabled in FreePBX GUI>Settings>Advanced Settings>Developer and Customization
Sendmail configuration (optional)
Edit the /etc/aliases file and add a line
root: username_to_forward_to
to forward all 'root' messages to your personal email address. Put in the full email address if it is not on the asterisk system itself.
Then run
/usr/bin/newaliases
to restart the service.
If emails are not received you must set up masquerading in sendmail. These still may be rejected if the email server requires the source of the email to also resolve to the same DNS that sendmail is masquerading as.
To enable this, add the following lines to the /etc/mail/sendmail.mc file:
MASQUERADE_AS(domain.com)dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(domain.com)dnl
Put a "dnl" in front of the line "EXPOSED_USER(`root')dnl". This enables host masquerading for root as well, which is disabled by default.
Update the Sendmail configuration files using the m4 macro processor to generate a new sendmail.cf file by executing the following command:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
To get the Sendmail macro file, the sendmail-cf package must be installed on the system.
After creating a new /etc/mail/sendmail.cf file, restart Sendmail for the changes to take effect. To do this, use the following command:
service sendmail restart
nano /etc/asterisk/vm_general.inc
Change serveremail=vm@asterisk to whomever you want voicemail emails to appear to come from.
NOTE: If you are installing on a LAN or do not have a domain resolving to the IP of the VPS, Sendmail will hang for a couple of minutes every time you reboot. To prevent this your VPS hostname should end with .local or .localhost. So, for example, instead of naming the VPS hostname 'powerpbx' it should be named 'powerpbx.local'. The manual method is to edit your /etc/hosts file.
There should be 2 lines.
127.0.0.1 localhost.localdomain localhost
yourIPaddress yourhostname.local yourhostname yourhostname
MySQL performance tuning for low memory
This will reduce memory usage significantly without affecting performance.
nano /etc/my.cnf
[mysqld]
.
.
.
skip-innodb
skip-bdb
(Ctl-x > y > ENTER)
From command prompt:
service mysqld restart
RHEL v6 NOTE: Berkeley DB support has been removed from the version of MySQL included with RHEL v6 and the other v6 distributions. Therefore you must NOT use the "skip-bdb" line with RHEL v6, otherwise MySQL will fail to start.
MySQL security enhancement
This will prevent outside IP's from connecting to the MySQL port
nano /etc/my.cnf
[mysqld]
.
.
.
bind-address = 127.0.0.1
(Ctl-x > y > ENTER)
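One way to confirm the setting is in the right place, as an added example that is not part of the original guide: a bind-address line only counts when it sits uncommented under [mysqld], so the check below tracks sections. The function name mysql_bind_check is an assumption and the sample file at the end is constructed.

```shell
#!/bin/sh
# Added example: report whether bind-address in the [mysqld] section of a
# my.cnf file is a loopback address.
# Usage: mysql_bind_check [path]   (default /etc/my.cnf)
# Returns 0 when bound to loopback, 1 when not, 2 when the file is unreadable.
mysql_bind_check() {
    cnf=${1:-/etc/my.cnf}
    [ -r "$cnf" ] || { echo "cannot read $cnf" >&2; return 2; }

    # Track the current [section] and skip comment lines. my.cnf accepts both
    # bind-address and bind_address; the last value in the section wins.
    addr=$(awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sec = $0
            sub(/^[ \t]*\[[ \t]*/, "", sec)
            sub(/[ \t]*\].*$/, "", sec)
            sec = tolower(sec)
            next
        }
        sec == "mysqld" {
            line = $0
            sub(/[ \t]*#.*$/, "", line)          # drop trailing comment
            n = index(line, "=")
            if (n == 0) next                     # flag such as skip-innodb
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + 1)
            gsub(/[ \t]/, "", key); gsub(/_/, "-", key)
            gsub(/[ \t\r]/, "", val)
            if (key == "bind-address") found = val
        }
        END { print found }
    ' "$cnf")

    case $addr in
        127.*|::1|localhost) echo "OK: mysqld bound to $addr"; return 0 ;;
        '') echo "FAIL: no bind-address under [mysqld]"; return 1 ;;
        *)  echo "FAIL: mysqld bound to $addr"; return 1 ;;
    esac
}

# Constructed sample: the [mysqld] section this guide ends up with.
demo_cnf=$(mktemp)
printf '%s\n' '[mysqld]' 'skip-innodb' 'bind-address = 127.0.0.1' > "$demo_cnf"
mysql_bind_check "$demo_cnf"
rm -f "$demo_cnf"
```

After restarting mysqld, netstat -ltn should show port 3306 on 127.0.0.1 only.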
Add Password Protection to Flash Operator Panel GUI
By default, flash operator panel GUI (/var/www/html/panel) is visible to anyone who points a browser at your server unless port 4445 is blocked by a firewall. Here is one way to protect it.
mkdir -p /usr/local/apache/passwd
htpasswd -c /usr/local/apache/passwd/wwwpasswd NewUserName
Apache will prompt you for a new password for the user name you've just indicated
New password:
Apache will prompt you to retype your new password
Re-type new password:
Apache will then confirm the new user
Adding password for user NewUserName
Now you have to add the user name you've just created to the "httpd.conf" file. To edit that file in "nano" type:
nano +587 /etc/httpd/conf/httpd.conf
Now do a CTRL-W to search for "AuthUser" and you'll find the area where all the users are listed (for example: "maint", your AMP user). If you don't find any try around line 587 right after the cgi-bin
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user NewUserName NewUserName1 NewUserName2 yaddayaddayadda
To delete an Apache user, type in the following and then remove the user from the "httpd.conf" file.
htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName
To change the password:
htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName
Then restart apache.
service httpd restart