FreePBX Production Install Guide (RHEL v6, Asterisk v1.10+, FreePBX v2.10+)


Asterisk & FreePBX

This install procedure was tested using the Red Hat Enterprise Linux distribution known as CentOS.

Software used:
CentOS v6
Asterisk 1.10
FreePBX 2.10

Linux commands executed at a command prompt are in courier font.

Let's get started

If you are installing Linux from scratch using Anaconda via install CD, select "minimal" and proceed with the install, which will install with no groups.  Skip down to the yum -y update part.

Otherwise, it is assumed you already have a server with a base CentOS installation before you begin.  Do NOT install a GUI such as Gnome or KDE.  We only want to be running in console text mode, not GUI graphics mode.  If you already have a desktop or server GUI installed you will want to exit to console mode.  You do that by typing init 3 from a terminal or console window.  You will need to be logged in as root in order to do this, so if not you can su root.  All instructions in this guide assume you are always logged in as root.

Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate.  Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't, but check just in case things change with newer revisions).

yum grouplist installed

Installed Groups:
   DNS Name Server
   Editors
   Legacy Network Server
   Mail Server
   Network Servers
   System Tools
   Text-based Internet
   Web Server
   Windows File Server
   Yum Utilities

yum groupremove 'DNS Name Server'
yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'

Now update the base install

yum -y update

Install Asterisk/FreePBX required packages, other useful packages, and their dependencies

yum groupinstall core
yum groupinstall base

yum install gcc gcc-c++ wget bison mysql-devel mysql-server php php-mysql php-process php-pear php-pear-DB php-mbstring nano tftp-server httpd make ncurses-devel libtermcap-devel sendmail sendmail-cf caching-nameserver sox newt-devel libxml2-devel libtiff-devel php-gd audiofile-devel gtk2-devel subversion nano kernel-devel selinux-policy sqlite-devel

On RHEL v6 and its clone distributions the php-pear-DB package is not included.  You need to download it from an official mirror and install it, otherwise the FreePBX install will fail.  Click the link to check for the latest version.

cd /usr/src
wget http://dl.fedoraproject.org/pub/epel/6/i386/php-pear-DB-1.7.13-3.el6.noarch.rpm
rpm -ivh php-pear-DB*

Firewall

Check if the firewall (iptables) is enabled by default and if the RHEL v6 default configuration blocks the FreePBX web GUI.  If you know what services/ports are required you can run "system-config-firewall-tui" and configure the firewall as required.

At a minimum, the following ports need to be opened:
TCP 80 (www)
TCP 4445 (Flash Operator Panel)
UDP 5060-5061 (SIP)
UDP 10,000 - 20,000 (RTP)
UDP 4569 (IAX)

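Another option is to remove existing settings from the firewall and save.  This sets the default INPUT policy to ACCEPT and flushes every rule, so no traffic is filtered afterwards.

iptables -P INPUT ACCEPT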
iptables -F
service iptables save

Alternatively, you can disable the firewall for now and prevent it from starting on reboot.

service iptables stop
chkconfig iptables off
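
A ruleset that opens only the ports listed in this section, instead of flushing or disabling the firewall. This is an added example, not part of the original guide: the function names, the management-subnet parameter, the /root/freepbx.rules path and the SSH rule (TCP 22) are assumptions, and restricting the web GUI and Flash Operator Panel to the management subnet goes beyond what the guide states.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the ports the guide lists.
# The single argument (hypothetical) is the subnet allowed to reach SSH, the
# web GUI and the Flash Operator Panel. SIP, IAX and RTP stay open to all
# sources because phones and trunks may connect from anywhere.

valid_cidr() {
    # Accept dotted-quad/prefix only, e.g. 192.168.1.0/24
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

freepbx_rules() {
    mgmt_net="$1"
    if ! valid_cidr "$mgmt_net"; then
        echo "usage: freepbx_rules <management-cidr>" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s $mgmt_net -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s $mgmt_net -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s $mgmt_net -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
COMMIT
EOF
}

# On the server, as root (parse-check first, then load and save):
#   freepbx_rules 192.168.1.0/24 > /root/freepbx.rules
#   iptables-restore --test < /root/freepbx.rules
#   iptables-restore < /root/freepbx.rules && service iptables save
```

If the Apache port is changed later in this guide, change the TCP 80 rule to match before loading the ruleset.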

SELinux

SELinux is not required or recommended.  This will create the required file if it does not already exist.  If it already exists, copy and paste or edit the contents indicated here to be sure SELinux never runs.

nano /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.

SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
(Ctrl-x> y >Enter)

Make sure selinux is turned off for this session

setenforce 0

TFTP

Enable the tftp server on startup if required (for configuring phones)

nano /etc/xinetd.d/tftp
change server_args = from "-s /var/lib/tftpboot" to "-s /tftpboot"
change "disable=yes" to "disable=no"

(Ctrl-X>y>ENTER)

mkdir /tftpboot
chmod 777 /tftpboot
service xinetd restart

Set Timezone

Copy your timezone from this link

System timezone

Create a symbolic link to the appropriate timezone from /etc/localtime. Example:

ln -sf /usr/share/zoneinfo/America/Vancouver /etc/localtime

PHP Settings

PHP timezone (required since PHP v5.3): if not set and using PHP v5.3+ (the version included with RHEL 6) it will revert to the default timezone, which may not be the correct one depending on your location.  The FreePBX install will throw out a bunch of warnings if you are using RHEL 6 and don't set this.

nano +946 /etc/php.ini

Uncomment (;) date.timezone = and add your timezone

Memory Limit

The recommended setting is 128M, otherwise you may get warnings in FreePBX.

nano +457 /etc/php.ini

memory_limit = 128M

Restart apache for the changes to take effect

service httpd restart

Download and untar source files.

Zaptel/Dahdi is not included in this install procedure.  Starting with Asterisk 1.6.2/FreePBX 2.9, it is possible to use ConfBridge in place of MeetMe conferencing.  Asterisk 1.10 has a more full featured version of ConfBridge.  MeetMe conferencing was the last Asterisk application that required a timing source.

The only reason to install zaptel/dahdi now is if you are installing telephony hardware.  To install MeetMe conferencing you must install dahdi first and ensure meetme is selected during the asterisk menuselect installation part of the procedure.  ConfBridge is installed regardless but FreePBX will default to use MeetMe if it detects it.  You can change that in Asterisk advanced settings in FreePBX.

Get FreePBX

Check if this is the latest released version.

cd /usr/src
wget http://mirror.freepbx.org/freepbx-2.10.0.tar.gz
tar zxvf freepbx-2.10.0.tar.gz

Get and Install Asterisk

wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-10-current.tar.gz
tar zxvf asterisk-10-current.tar.gz

NOTE: There is no separate asterisk addons package to download starting with Asterisk v1.8

cd /usr/src/asterisk-10*
make clean && make distclean
./configure && make menuselect

Select all addons.  I believe these are all needed or recommended for FreePBX.  Select base and addon sounds.  I suggest ulaw as they sound better than gsm, especially if you are using ulaw as your default codec.  I usually just check both.  Then make sure to press the "save" button afterwards.

When you select 'format_mp3' above as an addon you must run a script before going any further, otherwise the install will fail.

./contrib/scripts/get_mp3_source.sh

You must also have subversion installed to run the above script and be in the root directory of the Asterisk source code.

Now install Asterisk.  NOTE: If upgrading Asterisk on an already running FreePBX system do NOT run make samples.

make && make install && make samples

Create user.  The Asterisk install already created this but just to make sure

useradd -c "Asterisk PBX" -d /var/lib/asterisk asterisk

The following directory probably already exists as well but just to make sure

mkdir /var/run/asterisk

Set ownership

chown -R asterisk /var/run/asterisk
chown -R asterisk /var/log/asterisk
chown -R asterisk /var/lib/asterisk/moh

Music on Hold

The Asterisk default moh directory is "/moh" and the FreePBX default moh directory is "/mohmp3".  If we create a symbolic link instead, everything is in one place and can still be found by both FreePBX and Asterisk.  FreePBX uses mohmp3 by default so moh just sits there unused if we do not create a symbolic link.  You can switch between these two moh directories in the new Advanced Settings GUI.  I still include this symbolic link procedure for legacy reasons.  If you do it, everything is in one directory always no matter what.  That simplifies things and simpler is often better.

ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3

The new default behaviour for Asterisk and Freepbx is to only use wav files for moh due to transcoding overhead and Asterisk stability issues with mp3's. So we want to install mpg123 for converting uploaded mp3's to wav automagically.  If you won't be uploading or streaming mp3's or won't be using FreePBX (new) default behaviour then you probably don't need to install mpg123.

cd /usr/src
wget -O mpg123-1.14.2.tar.bz2 http://sourceforge.net/projects/mpg123/files/mpg123/1.14.2/mpg123-1.14.2.tar.bz2/download
tar -xjvf mpg123-1.14.2.tar.bz2
cd mpg123-1.14.2
./configure && make && make install

Freepbx php script cannot find mpg123 by default so we need to create a symbolic link.

ln -s /usr/local/bin/mpg123 /usr/bin/mpg123

Change Apache User

Change User apache and Group apache to User asterisk and Group asterisk.

sed -i "s/User apache/User asterisk/" /etc/httpd/conf/httpd.conf
sed -i "s/Group apache/Group asterisk/" /etc/httpd/conf/httpd.conf

MySQL Setup

Before you can do anything to MySQL, you need to make sure it's running.

NOTE: If running RHEL/CENTOS/SL 6 you may need to run this first.

mysql_install_db

Try without and see if it starts first.

service mysqld start

Initializing MySQL database:                               [  OK  ]
Starting MySQL:                                            [  OK  ]

Now, to configure the databases for FreePBX:

Note: If the mysql admin password is already configured, add "-p" after the command and enter the password when asked.  For example, "mysqladmin -p create asterisk"

cd /usr/src/freepbx-2.10.0
mysqladmin create asterisk
mysqladmin create asteriskcdrdb
mysql asterisk < SQL/newinstall.sql
mysql asteriskcdrdb < SQL/cdr_mysql_table.sql

They also need to be secured.  FreePBX will prompt you for a database username/password when you do the install. You need to pick that now. We'll assume that you've picked 'asteriskuser' and 'amp109' - you probably shouldn't use these, as they are well known passwords for FreePBX.  If you use these well-known defaults and your server is not firewalled, make sure to set bind-address = 127.0.0.1 further down in this procedure so that MySQL only listens to localhost.  Or better yet do both.

Security check: It's very important to check that Allow Login With DB Credentials is set to FALSE in the FreePBX Advanced Settings GUI.  This is the default setting.  If it were set to TRUE and you were using the default credentials of asteriskuser/amp109 and your FreePBX GUI were exposed to the internet (ie. the http port), anyone could log into your FreePBX GUI as administrator using those credentials.

MySQL creates a test database and 2 anonymous user accounts by default which we don't need, so first we delete them.  MySQL also creates a non-local root@hostname account and, assuming you don't want to access the database remotely as root (other than via SSH), you should probably delete that for security reasons.  DO NOT DELETE the root@localhost account.

mysql

mysql> DROP DATABASE test;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW VARIABLES LIKE 'hostname';
+---------------+------------------+
| Variable_name | Value            |
+---------------+------------------+
| hostname      | somehostname.com |
+---------------+------------------+
1 row in set (0.00 sec)

mysql> DROP USER ''@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> DROP USER ''@'somehostname.com';
Query OK, 0 rows affected (0.00 sec)

mysql> DROP USER 'root'@'somehostname.com';

mysql> GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY 'amp109';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> \q
Bye

Now, after all of this, you need to pick a root 'mysql' password. We'll make it 'abcdef' just for this example.  You should use a reasonably strong password. If you need to do anything else with mysql, you'll need to provide this password.

mysqladmin -u root password 'abcdef'

Install FreePBX

/usr/sbin/safe_asterisk
You may get a bunch of warnings, errors, and notices at this point.  Don't worry about them.  Hit ENTER to get a command prompt.
cd /usr/src/freepbx-2.10.0
./install_amp

If you get any warnings or errors in the last part of the output, they're usually not traumatic.

Default username is: admin
Default pw is: admin

FreePBX 2.10 now wants to create symlinks to some .conf files and complains if actual files already exist, as is the case when Asterisk make samples is run.  So we need to delete or move these files.  In FreePBX 2.9 you should only have to delete sip_notify.conf and ccss.conf.  Not sure what would happen if you try to delete the rest.  After deleting or moving the following files, the next time we make a change in FreePBX and apply settings these symlinks will be created.

mv /etc/asterisk/sip_notify.conf /etc/asterisk/sip_notify.conf.old
mv /etc/asterisk/iax.conf /etc/asterisk/iax.conf.old
mv /etc/asterisk/logger.conf /etc/asterisk/logger.conf.old
mv /etc/asterisk/features.conf /etc/asterisk/features.conf.old
mv /etc/asterisk/sip.conf /etc/asterisk/sip.conf.old
mv /etc/asterisk/extensions.conf /etc/asterisk/extensions.conf.old
mv /etc/asterisk/ccss.conf /etc/asterisk/ccss.conf.old
mv /etc/asterisk/chan_dahdi.conf /etc/asterisk/chan_dahdi.conf.old
mv /etc/asterisk/confbridge.conf /etc/asterisk/confbridge.conf.old

Set FreePBX to start on boot

echo /usr/local/sbin/amportal start >> /etc/rc.local

Enable Apache and MySQL to start on boot

chkconfig httpd on
chkconfig mysqld on

Now reboot, at which point you should be able to access FreePBX with your web browser.  The very first thing you need to do when you enter the FreePBX Admin GUI for the first time is "Apply Configuration Changes" so all the *.conf files are created, then reboot again or 'amportal restart' from the command prompt.

You may get an error in the FreePBX GUI saying "symlink failed for /etc/asterisk/sip_notify.conf" or something along those lines.  If that is the case just delete or rename /etc/asterisk/sip_notify.conf.  The next time you "Apply Configuration Changes" in the FreePBX GUI after some change, this file will be recreated and the error should be gone.

AMPORTAL.conf changes

FreePBX v2.9+ now includes an "advanced settings" GUI that is designed to replace amportal.conf and the requirements to edit it directly.  There are also some settings in a new file /etc/freepbx.conf

At this point you should go into this new advanced settings GUI on the FreePBX webpage and edit the following settings:

http://IPaddressOFyourFreePBXserver/

In the GUI go to: Tools>Advanced Administration>Advanced Settings>System Setup>User Portal Admin Password
Choose your admin password for accessing the Voicemail & Recordings (ARI) section of the front webpage.

In the same GUI go to: System Setup>FreePBX Web Address
Remove the "xx.xx.xx.xx" and leave blank.  If that does not work use your public (ie. web facing) IP address for this server.

After saving these changes by pressing the green arrow on the right hand side of each box, make sure to "Apply Configuration Changes" at the top of the GUI.

Misc. optional settings

Change the "upload_max_filesize" from 2M to 20M to allow larger music on hold files (RHEL 6)

nano +878 /etc/php.ini

Edit Apache web server for GUI access using a port other than 80:

nano +134 /etc/httpd/conf/httpd.conf

change "Listen 80" to "Listen 8888" or whatever port you want

Change the default Apache setting of AllowOverride None to All so that Apache obeys directives in .htaccess files, which by default prevent viewing sensitive directories on FreePBX.

nano +338 /etc/httpd/conf/httpd.conf
AllowOverride All
service httpd restart

Instead of accessing FreePBX by http://xxx.xxx.xxx.xxx
you now access it by http://xxx.xxx.xxx.xxx:8888

Set up external SIP extensions if going through NAT

nano /etc/asterisk/sip_nat.conf
nat=yes
externip=
;or
;externhost=yourdns.com
localnet=192.168.1.0/255.255.255.0
;change the above to whatever your local subnet is
externrefresh=10

(Ctrl-X>y>ENTER)

Also, when adding the external SIP extension in FreePBX, make sure to change the nat=never default in the configuration to nat=yes for the extension that will be external.

Log Files Configuration

If you don't want to see a bunch of notices, warnings and errors each time you restart amportal from the command line, and you don't want your asterisk log files getting huge from constantly writing debug information, do the following:

nano /etc/asterisk/logger_logfiles_custom.conf
console =>
full => notice,warning,error,verbose

Also make sure FreePBX debug logging is disabled in FreePBX GUI>Settings>Advanced Settings>Developer and Customization

logrotate setup

Set up configuration to rotate log files, otherwise they get too big after a short while. Create the following file.

nano /etc/logrotate.d/asterisk

Now add the following to make sure the asterisk log files are rotated weekly along with all the other log files.

/var/log/asterisk/messages /var/log/asterisk/*log /var/log/asterisk/full {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}
 
nano /etc/logrotate.d/freepbx
/var/log/asterisk/freepbx_dbug /var/log/asterisk/freepbx_debug {
missingok
notifempty
sharedscripts
create 0640 asterisk asterisk
postrotate
/usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
endscript
}

Root alias

Edit the /etc/aliases file and add an email address to forward 'root' messages to your personal email address.  At the very bottom you should see a commented example.  Copy it and replace with your email address

root:   some_email@somedomain.com

Then run

/usr/bin/newaliases

after saving the file to rebuild the aliases database and have the change take effect.

Test if you can receive emails via sendmail, which we are assuming is installed and running as is standard on RHEL 5 and 6.

# service sendmail status

sendmail is running
sm-client is running

# mail -s "test mail" root@localhost

From command prompt:

service mysqld restart

MySQL security enhancement

This will prevent outside IPs from connecting to the MySQL port

nano /etc/my.cnf
[mysqld]
.
.
.
bind-address = 127.0.0.1
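
A check for both MySQL hardening steps in this guide: the account cleanup done in the MySQL Setup section and the bind-address setting above. This is an added example, not part of the original guide; the function names are hypothetical, the sample account listing is constructed, and the audit treats every account whose host is not loopback as a finding, which matches this guide's local-only setup.

```shell
#!/bin/sh
# Added example: audit MySQL accounts and my.cnf after the guide's hardening.

# Reads "user<TAB>host" lines (from mysql.user) on stdin, prints one line per
# account, and returns non-zero if an anonymous or non-local account remains.
audit_mysql_accounts() {
    awk -F '\t' '
        function is_local(h) {
            return h == "localhost" || h == "127.0.0.1" || h == "::1"
        }
        NF == 0       { next }
        $1 == ""      { print "FAIL anonymous account at " $2; bad++; next }
        !is_local($2) { print "FAIL " $1 " can log in from " $2; bad++; next }
                      { print "ok   " $1 "@" $2 }
        END           { exit (bad > 0) }
    '
}

# Succeeds only if the [mysqld] section of the given option file binds to
# loopback. The last bind-address in the section wins, as in mysqld itself.
mycnf_binds_loopback() {
    awk '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        in_mysqld && /^[ \t]*bind[-_]address[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); addr = $0
        }
        END { exit !(addr == "127.0.0.1" || addr == "localhost" || addr == "::1") }
    ' "$1"
}

# Constructed sample: the accounts present before the cleanup in this guide.
sample_before() {
    printf '%s\t%s\n' root localhost root somehostname.com root 127.0.0.1 \
        '' localhost '' somehostname.com asteriskuser localhost
}

# On the server:
#   mysql -u root -p -N -B -e 'SELECT User, Host FROM mysql.user' | audit_mysql_accounts
#   mycnf_binds_loopback /etc/my.cnf && echo "mysqld listens on loopback only"
```

Run the account audit again after any later GRANT statement, since GRANT ... IDENTIFIED BY creates the account if it does not exist.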

(Ctl-x > y > ENTER)

Add Password Protection to Flash Operator Panel GUI

By default, the Flash Operator Panel GUI (/var/www/html/admin/modules/fw_fop) is visible to anyone who points a browser at your server unless port 4445 is blocked by a firewall.  Here is one way to protect it.

mkdir -p /usr/local/apache/passwd
htpasswd -c /usr/local/apache/passwd/wwwpasswd NewUserName

Apache will prompt you for a new password for the user name you've just indicated
New password:
Apache will prompt you to retype your new password
Re-type new password:
Apache will then confirm the new user
Adding password for user NewUserName

Now you have to add the user name you've just created to the "httpd.conf" file. To edit that file in "nano" type:

nano +587 /etc/httpd/conf/httpd.conf

Now do a CTRL-W to search for "AuthUser" and you'll find the area where all the users are listed (for example: "maint", your AMP user).  If you don't find any, try around line 587 right after the cgi-bin section.

AuthType Basic
AuthName "Restricted Area"
AuthUserFile /usr/local/apache/passwd/wwwpasswd
Require user NewUserName NewUserName1 NewUserName2 yaddayaddayadda

To delete an Apache user, type in the following and then remove the user from the "httpd.conf" file.

htpasswd -D /usr/local/apache/passwd/wwwpasswd NewUserName

To change the password:

htpasswd /usr/local/apache/passwd/wwwpasswd NewUserName

Then restart apache.

service httpd restart