Asterisk on centos (deprecated)
Latest revision as of 15:20, 20 May 2015
IN PROGRESS! DEPRECATED. Not finished.
Refer to the actual tested guide instead:
http://wiki.vpsget.com/index.php/Asterisk_11_with_TLS_and_SRTP_on_Centos_6
This guide was gathered from the official Asterisk wiki pages (https://wiki.asterisk.org/wiki/display/AST/Asterisk+Packages#AsteriskPackages-YUM(CentOS6/RedHatEnterpriseLinux6, https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics, https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial) and tested on a VPS running CentOS 6.
First of all, install libsrtp and libsrtp-devel (Asterisk needs libsrtp at build time for SRTP support; see the SRTP section further down):
yum install libsrtp libsrtp-devel
If the packages cannot be found, make sure you have the epel repository installed.
Adding the repository (two commands):
rpm -Uvh http://packages.asterisk.org/centos/6/current/i386/RPMS/asterisknow-version-3.0.0-1_centos6.noarch.rpm
yum update
Install Asterisk 11 and its sample configuration files:
yum install asterisk asterisk-configs --enablerepo=asterisk-11
Install DAHDI and libpri:
yum install dahdi-linux dahdi-tools libpri
Upgrade again:
yum update
Basic configuration: add user accounts to /etc/asterisk/sip.conf
[user1]
nat=yes
type=friend
host=dynamic
secret=verysecretpassword ; put a strong, unique password here instead
context=users
;deny=0.0.0.0/0
;permit=192.168.5.0/255.255.255.0 ; replace with your network settings

[user2]
nat=yes
type=friend
host=dynamic
secret=othersecretpassword ; put a strong, unique password here instead
context=users
;deny=0.0.0.0/0
;permit=192.168.5.0/255.255.255.0 ; replace with your network settings
We have commented out the deny/permit lines with the ";" character because we want users to reach the server from anywhere. Be aware of what that means: with host=dynamic and no ACL, any host on the internet can attempt to register against these accounts, so the secret is the only thing standing between you and toll fraud. BUT! The Asterisk wiki tells us:
Be Serious About Account Security
We can't stress enough how important it is for you to pick a strong password for all accounts on Asterisk, and to only allow access from trusted networks. Unfortunately, we've found many instances of people exposing their Asterisk to the internet at large with easily-guessable passwords, or no passwords at all. You could be at risk of toll fraud, scams, and other malicious behavior. For more information on Asterisk security and how you can protect yourself, check out http://www.asterisk.org/security/webinar/.
(c) https://wiki.asterisk.org/wiki/display/AST/Creating+SIP+Accounts
Connect to the command-line interface of the running Asterisk with the -r flag (plain asterisk without -r starts the daemon rather than connecting to it):
asterisk -r
Then reload the SIP configuration with:
sip reload
Create dialplan extensions: add these lines to /etc/asterisk/extensions.conf
[users]
exten=>6001,1,Dial(SIP/user1,20)
exten=>6002,1,Dial(SIP/user2,20)
Extension 6001 rings user1's phone for twenty seconds, and extension 6002 rings user2's phone for twenty seconds. The context name users matches context=users in the accounts above, so only those authenticated peers land in this dialplan.
Reload the dialplan in the Asterisk command-line interface:
dialplan reload
You can verify that Asterisk successfully read the configuration file by typing dialplan show users at the CLI:
dialplan show users
You can now try a test call using, for example, the ExpressTalk softphone for Windows (http://www.nch.com.au/talk/index.html).
As another option you can configure your users in /etc/asterisk/users.conf. Here is an example with NAT enabled, codecs and other options; they are only illustrative. Simply add these lines to users.conf to add one user:
[6100]
fullname = test1
registersip = no
host = dynamic
callgroup = 1
mailbox = 6100
call-limit = 100
type = peer
username = 6100
transfer = yes
callcounter = yes
context = DLPN_DialPlan1 ; this context must exist in extensions.conf
cid_number = 6100
hasvoicemail = no
vmsecret =
email =
threewaycalling = no
hasdirectory = yes
callwaiting = no
hasmanager = no
hasagent = no
hassip = yes
hasiax = yes ; also creates an IAX2 account for this user; set to no if you only use SIP
secret = P@ssword1 ; example only, use a long random secret
nat = yes
canreinvite = no
dtmfmode = rfc2833
insecure = no
pickupgroup = 1
requirecalltoken = yes
macaddress = 6100
autoprov = yes
label = 6100
linenumber = 1
LINEKEYS = 1
disallow = all
allow = ulaw,g729,alaw,gsm
If you want, you can set up the web GUI for Asterisk management according to this guide: https://wiki.asterisk.org/wiki/display/AST/Asterisk+GUI#AsteriskGUI-Download. Sometimes it is also necessary to fix the ownership of the static files to make the GUI work:
sudo chown -R asterisk:asterisk /var/lib/asterisk/static-http/
Adding security
If you haven't downloaded the Asterisk source code yet, get it from http://www.asterisk.org/downloads and extract it somewhere on your Asterisk server:
tar -xvzf asterisk-11-current.tar.gz
Change into the extracted directory and run the certificate helper script (it needs openssl). -C is the common name clients will use to reach the PBX, -O the organisation and -d the output directory:
./contrib/scripts/ast_tls_cert -C pbx.privatecompany.com -O "privatecompany" -d /etc/asterisk/keys
You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key. The script creates a private CA (ca.crt and ca.key) and the server certificate (asterisk.pem, used in sip.conf below). Whoever holds ca.key and its pass phrase can issue client certificates your PBX will trust, so keep it readable by root only. NOTE: if you get a hostname-related error, set the hostname first: http://wiki.vpsget.com/index.php/Set_hostname
Generate a client certificate for our SIP device, signed by the CA created above (-o sets the base name of the output files):
./contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C pbx.privatecompany.com -O "privatecompany" -d /etc/asterisk/keys -o sipuser1
You will be prompted for the CA key pass phrase again. Repeat this for every user, with a different -o each time. Afterwards check that all the key and certificate files are in the key directory:
/etc/asterisk/keys/
Configure Asterisk to use TLS: add/edit the corresponding lines in the [general] section of sip.conf
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1 ;none of the others seem to work with Blink as the client
Note that tlsbindaddr=0.0.0.0 listens on all interfaces and tlscipher=ALL accepts any cipher suite your OpenSSL build offers; tighten both once your clients are known to work.
Next, you'll need to configure a SIP peer within Asterisk to use TLS as the transport type. Add these lines to the user's section (in sip.conf or in users.conf). Comments in Asterisk config files start with ";", not "#":
transport=tls
port=5061 ; not necessary (5061 is the default TLS port), but it makes the TLS port explicit
Now copy the client's own files from the server to your client (PC or phone): sipuser1.pem (its certificate and private key) and ca.crt (so the client can verify the server). Never copy ca.key or asterisk.key off the server.
Then configure your SIP client to use TLS on port 5061.
How to do that depends on the client you use.
A manual for the Android CSip client will be added later.
TLS only encrypts the SIP signalling (registration, credentials and the extension on the PBX we're dialing). The voice data itself still travels as plain RTP, so we need to encrypt it with SRTP.
The Asterisk wiki tells us: SRTP support is provided by libsrtp. libsrtp has to be installed on the machine before Asterisk is compiled, otherwise you're going to see something like:
[Jan 24 09:29:16] ERROR[10167]: chan_sip.c:27987 setup_srtp: No SRTP module loaded, can't setup SRTP session.
But we installed it in the first step of this guide, so this should not happen. You can confirm that the module is loaded by typing module show like srtp at the Asterisk CLI; res_srtp.so should be listed.
Anyway, if you see this error in the asterisk -r CLI while trying to make a call, install libsrtp (and its development headers) and then rebuild and reinstall Asterisk.
Go to your Asterisk source code directory and run these commands:
./configure
make
make install
If ./configure fails, make sure these packages are installed:
yum install gcc-c++ libtermcap-devel libxml2* sqlite-devel
Add the next line to your user's config (in sip.conf or in users.conf). Keep it together with transport=tls on the same peer: the SRTP keys are exchanged in the SDP body of the SIP messages, so without TLS they would travel in the clear.
encryption=yes
It is also better to force a single codec:
disallow = all
;allow = ulaw,g729,gsm ; this line is commented out on purpose
allow = g722
Restart the Asterisk service afterwards to make sure all changes are applied.
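As an added example (not code from the original page or from the Asterisk project), the following Python script parses the sip.conf/users.conf format and audits it for the points raised in the account section above (deny/permit left commented out on host=dynamic accounts, weak or missing secrets, insecure=invite) and in this security section (tlscipher=ALL, encryption=yes without transport=tls and vice versa). Both embedded configurations are constructed for the example: the weak one mirrors the guide's user1/user2 accounts, the hardened one shows the corrected settings. The secret, the cipher string and the 12-character minimum are illustrative choices, not values from the guide, and because Asterisk's defaults for allowguest and alwaysauthreject depend on the version, the script simply insists that they are set explicitly.

```python
"""Audit chan_sip settings for the points this guide raises (added example, not
code from the page): deny/permit left commented out on host=dynamic accounts,
weak or missing secrets, insecure=invite, tlscipher=ALL, SRTP without TLS."""
import re

MIN_SECRET_LEN = 12  # illustrative threshold, not an Asterisk setting

# Constructed: the guide's accounts with the ACL lines commented out (weak setup).
WEAK_SIP_CONF = """
[general]
tlsenable=yes
tlscipher=ALL

[user1]
host=dynamic
secret=verysecretpassword ; put a strong, unique password here instead
;deny=0.0.0.0/0
;permit=192.168.5.0/255.255.255.0 ; replace with your network settings

[user2]
host=dynamic
secret=P@ssword1
insecure=invite
encryption=yes
"""

# Constructed hardened counterpart; the secret and cipher string are illustrative.
HARDENED_SIP_CONF = """
[general]
allowguest=no
alwaysauthreject=yes
tlsenable=yes
tlscipher=HIGH:!aNULL:!MD5

[user1]
host=dynamic
secret=Xq7!vR2#mL9pZt4wBn8e
deny=0.0.0.0/0.0.0.0
permit=192.168.5.0/255.255.255.0
transport=tls
encryption=yes
"""

def parse_asterisk_conf(text):
    """Return {section: {key: [values]}}. ';' starts a comment, '=' or '=>' assigns,
    repeated keys (deny, permit, allow) accumulate. Templates/#include are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        m = re.match(r'^\[([^\]]+)\]', line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition('=>' if '=>' in line else '=')
        if line and sep and current is not None:
            sections[current].setdefault(key.strip().lower(), []).append(value.strip())
    return sections

def secret_is_weak(secret):
    """Short, or fewer than three character classes: easy prey for SIP brute-forcers."""
    classes = sum(bool(re.search(p, secret)) for p in (r'[a-z]', r'[A-Z]', r'\d', r'\W'))
    return len(secret) < MIN_SECRET_LEN or classes < 3

def _last(opts, key):
    return opts.get(key, [''])[-1].lower()  # Asterisk keeps the last occurrence

def audit_sip(sections):
    """Return [(section, finding)] for [general] and every account section."""
    findings, general = [], sections.get('general', {})
    if _last(general, 'allowguest') != 'no':
        findings.append(('general', 'allowguest not set to no: unauthenticated calls are accepted'))
    if _last(general, 'alwaysauthreject') != 'yes':
        findings.append(('general', 'alwaysauthreject not set to yes: rejects reveal valid usernames'))
    if _last(general, 'tlscipher') == 'all':
        findings.append(('general', 'tlscipher=ALL: every cipher suite the OpenSSL build offers is accepted'))
    for name, opts in sections.items():
        if name == 'general':
            continue
        if 'secret' not in opts:
            findings.append((name, 'no secret: anyone can use this account'))
        elif secret_is_weak(opts['secret'][-1]):
            findings.append((name, 'weak secret'))
        if _last(opts, 'host') == 'dynamic' and not (opts.get('deny') or opts.get('permit')):
            findings.append((name, 'host=dynamic without deny/permit: only the secret protects it'))
        if 'invite' in _last(opts, 'insecure'):
            findings.append((name, 'insecure=invite: incoming INVITEs are not authenticated'))
        tls, srtp = 'tls' in _last(opts, 'transport').split(','), _last(opts, 'encryption') == 'yes'
        if srtp and not tls:
            findings.append((name, 'encryption=yes without transport=tls: SRTP keys travel in clear SDP'))
        if tls and not srtp:
            findings.append((name, 'transport=tls without encryption=yes: RTP media still in the clear'))
    return findings

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_SIP_CONF), ('hardened', HARDENED_SIP_CONF)):
        for section, msg in audit_sip(parse_asterisk_conf(conf)) or [(label, 'no findings')]:
            print('%-8s [%s] %s' % (label, section, msg))
```

To run it against a real PBX, feed it the file contents, e.g. audit_sip(parse_asterisk_conf(open('/etc/asterisk/sip.conf').read())). The parser deliberately ignores templates and #include directives, so audit each included file (users.conf, sip_additional.conf and the like) separately.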