
How to install and secure Asterisk 16 on Debian Bullseye

    Install all required Asterisk dependency packages
    apt -y install git curl wget libnewt-dev libssl-dev libncurses5-dev ipset subversion  libsqlite3-dev build-essential libjansson-dev libxml2-dev  uuid-dev

    Download Asterisk tarball
    cd /usr/src && wget https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-16-current.tar.gz
    tar xfv asterisk-16-current.tar.gz
    cd asterisk-16*/
    
    
    Run the following command to download the mp3 decoder library into the source tree
    contrib/scripts/get_mp3_source.sh
    A    addons/mp3
    A    addons/mp3/MPGLIB_README
    A    addons/mp3/common.c
    A    addons/mp3/huffman.h
    A    addons/mp3/tabinit.c
    A    addons/mp3/Makefile
    A    addons/mp3/README
    A    addons/mp3/decode_i386.c
    A    addons/mp3/dct64_i386.c
    A    addons/mp3/MPGLIB_TODO
    A    addons/mp3/mpg123.h
    A    addons/mp3/layer3.c
    A    addons/mp3/mpglib.h
    A    addons/mp3/decode_ntom.c
    A    addons/mp3/interface.c
    Exported revision 202.
    Ensure all dependencies are resolved
    contrib/scripts/install_prereq install
    You should get a success message at the end
    #############################################
    ## install completed successfully
    #############################################
    
    Run the configure script to satisfy build dependencies
    ./configure
    A successful run produces output like the following
    configure: creating ./config.status
    config.status: creating makeopts
    config.status: creating autoconfig.h
    configure: Menuselect build configuration successfully completed
    
                   .$$$$$$$$$$$$$$$=..
                .$7$7..          .7$$7:.
              .$$:.                 ,$7.7
            .$7.     7$$$$           .$$77
         ..$$.       $$$$$            .$$$7
        ..7$   .?.   $$$$$   .?.       7$$$.
       $.$.   .$$$7. $$$$7 .7$$$.      .$$$.
     .777.   .$$$$$$77$$$77$$$$$7.      $$$,
     $$$~      .7$$$$$$$$$$$$$7.       .$$$.
    .$$7          .7$$$$$$$7:          ?$$$.
    $$$          ?7$$$$$$$$$$I        .$$$7
    $$$       .7$$$$$$$$$$$$$$$$      :$$$.
    $$$       $$$$$$7$$$$$$$$$$$$    .$$$.
    $$$        $$$   7$$$7  .$$$    .$$$.
    $$$$             $$$$7         .$$$.
    7$$$7            7$$$$        7$$$
     $$$$$                        $$$
      $$$$7.                       $$  (TM)
       $$$$$$$.           .7$$$$$$  $$
         $$$$$$$$$$$$7$$$$$$$$$.$$$$$$
           $$$$$$$$$$$$$$$$.
    
    configure: Package configured for:
    configure: OS type  : linux-gnu
    configure: Host CPU : x86_64
    configure: build-cpu:vendor:os: x86_64 : pc : linux-gnu :
    configure: host-cpu:vendor:os: x86_64 : pc : linux-gnu :
    Setup menu options by running the following command
    make menuconfig
    Use arrow keys to navigate, and Enter key to select. You can change any configurations you see fit. When done, save and exit then install Asterisk with selected modules. Build Asterisk by running this command:
    make
    The make command will take a while. You should see output like this:
    Building Documentation For: third-party channels pbx apps codecs formats cdr cel bridges funcs tests main res addons 
     +--------- Asterisk Build Complete ---------+
     + Asterisk has successfully been built, and +
     + can be installed by running:              +
     +                                           +
     +                make install               +
    When done, install Asterisk by running this command:
    make install
    When done, you should see output like this:
    +---- Asterisk Installation Complete -------+
     +                                           +
     +    YOU MUST READ THE SECURITY DOCUMENT    +
     +                                           +
     + Asterisk has successfully been installed. +
     + If you would like to install the sample   +
     + configuration files (overwriting any      +
     + existing config files), run:              +
     +                                           +
     + For generic reference documentation:      +
     +    make samples                           +
     +                                           +
     + For a sample basic PBX:                   +
     +    make basic-pbx                         +
     +                                           +
     +                                           +
     +-----------------  or ---------------------+
     +                                           +
     + You can go ahead and install the asterisk +
     + program documentation now or later run:   +
     +                                           +
     +               make progdocs               +
     +                                           +
     + **Note** This requires that you have      +
     + doxygen installed on your local system    +
     +-------------------------------------------+
    Finally, install config samples
    make samples && make config
    Create a dedicated user and group to run asterisk services, and assign correct permissions
    groupadd asterisk
    useradd -r -d /var/lib/asterisk -g asterisk asterisk
    usermod -aG audio,dialout asterisk
    chown -R asterisk:asterisk /etc/asterisk
    chown -R asterisk:asterisk /var/{lib,log,spool}/asterisk
    chown -R asterisk:asterisk /usr/lib/asterisk
    Set Asterisk default user to asterisk
    # vim /etc/default/asterisk
    AST_USER="asterisk"
    AST_GROUP="asterisk"
    
    # vim /etc/asterisk/asterisk.conf
    runuser = asterisk ; The user to run as.
    rungroup = asterisk ; The group to run as.
    Start the Asterisk service after making the changes and enable it at boot
    systemctl start asterisk && systemctl enable asterisk
    Service should be running without errors
    # systemctl status asterisk
    ● asterisk.service - LSB: Asterisk PBX
         Loaded: loaded (/etc/init.d/asterisk; generated)
         Active: active (running) since Tue 2021-09-07 21:29:27 CEST; 5s ago
           Docs: man:systemd-sysv-generator(8)
          Tasks: 74 (limit: 9510)
         Memory: 45.0M
            CPU: 989ms
         CGroup: /system.slice/asterisk.service
                 └─2910083 /usr/sbin/asterisk
    
    Sep 07 21:29:27 debian systemd[1]: Starting LSB: Asterisk PBX...
    Sep 07 21:29:27 debian asterisk[2910071]: Starting Asterisk PBX: asterisk.
    Sep 07 21:29:27 debian systemd[1]: Started LSB: Asterisk PBX.
    

    Nowadays there are lots of brute-force attacks and VoIP fraud attempts targeting Asterisk and other PBX systems on the internet.

    It is the task of any systems administrator to ensure that the success rate for such attempts is close to zero. One way to secure Asterisk against such attempts is by using custom firewall rules.
    This will save you bandwidth and protect your business. To make our work easier, we will use a country-based IP list, applied here as an allowlist. We recently built a service for a German client who expects customers from Germany only, so we are going to allow only German traffic to our SIP ports.

    Create a new file called germany.sh and add the following contents
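    #!/bin/sh
    # Germany: load the ipdeny country list into the sip.zone set
    # Create the set only if it is missing, then empty it for a clean reload
    ipset -exist create sip.zone hash:net
    ipset flush sip.zone
    # Fetch over HTTPS so the list cannot be altered in transit
    for IP in $(wget -O - https://www.ipdeny.com/ipblocks/data/countries/de.zone)
            do ipset add sip.zone "$IP"
            echo "$IP"
    done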
    
    Execute the script
    chmod +x germany.sh
    ./germany.sh

    To get a list of countries that you can block or allow please visit https://www.ipdeny.com/ipblocks/

    For example, to replace Germany with Canada you will need to change this

    de.zone

    To this

    ca.zone
    Execute the following commands to allow the country you want
    iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
    iptables -A INPUT -p udp -m set --match-set sip.zone src -m udp --dport 5060 -j ACCEPT
    iptables -A INPUT -p tcp -m set --match-set sip.zone src -m tcp --dport 5060 -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -m set ! --match-set sip.zone src -m tcp -j DROP
    iptables -A INPUT -p udp -m set ! --match-set sip.zone src -m udp -j DROP
    

    These rules do the following:

    • Allow local connections
    • Allow UDP and TCP connections to port 5060 from the country you set in your shell script
    • Allow related and established connections
    • Allow SSH from anywhere
    • Drop all TCP and UDP connections not matching the country that you listed in your shell script
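
The germany.sh script flushes sip.zone before its download starts, so once the DROP rules are loaded, a failed or altered download leaves the set empty and cuts off every caller. The added example below (not part of the original article) validates each entry as an IPv4 CIDR block and emits `ipset restore` input that fills a temporary set and swaps it in; `MIN_ENTRIES`, the `.new` suffix and the function names are assumptions, and the sample ranges are constructed.

```shell
#!/bin/sh
# Added example: build `ipset restore` input that fills a temporary set and
# swaps it into place, so the live set is only replaced by a validated list.
SET="sip.zone"   # set name used in the article
MIN_ENTRIES=3    # assumption: minimum plausible list size (raise for real lists)

# is_cidr NET: succeed only for a well-formed IPv4 network such as 192.0.2.0/24
is_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|.*|*..*|*./*) return 1 ;;
    esac
    addr=${1%/*}; len=${1#*/}
    [ "$addr" != "$1" ] || return 1               # prefix length is required
    case "$len" in ""|*.*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# zone_to_restore: zone file on stdin, `ipset restore` script on stdout.
# Prints nothing and returns 1 if any line is malformed or the list is too short.
zone_to_restore() {
    adds=""; count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r ')
        case "$line" in ""|\#*) continue ;; esac
        is_cidr "$line" || { echo "rejected: bad entry '$line'" >&2; return 1; }
        adds="${adds}add ${SET}.new ${line}
"
        count=$((count + 1))
    done
    [ "$count" -ge "$MIN_ENTRIES" ] || { echo "rejected: $count entries" >&2; return 1; }
    printf 'create %s -exist hash:net\n' "$SET"
    printf 'create %s.new -exist hash:net\nflush %s.new\n' "$SET" "$SET"
    printf '%s' "$adds"
    printf 'swap %s.new %s\ndestroy %s.new\n' "$SET" "$SET" "$SET"
}

# Constructed sample input (documentation ranges, not real ipdeny data)
SAMPLE='192.0.2.0/24
198.51.100.0/24
203.0.113.0/24'
printf '%s\n' "$SAMPLE" | zone_to_restore

# Real use, as root (one pipeline):
#   wget -q -O - https://www.ipdeny.com/ipblocks/data/countries/de.zone | zone_to_restore | ipset restore
```

Because a rejected list prints nothing, piping the output into `ipset restore` leaves the live set untouched when the download fails or returns something other than CIDR blocks.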

    That's it, you have now installed Asterisk 16 on Debian Bullseye.