Skip to content
Home » Articles » How to install and secure Asterisk 16 on Debian Bullseye

How to install and secure Asterisk 16 on Debian Bullseye

    install all required Asterisk dependency packages
    apt -y install git curl wget libnewt-dev libssl-dev libncurses5-dev ipset subversion  libsqlite3-dev build-essential libjansson-dev libxml2-dev  uuid-dev

    Download Asterisk tarball
    cd /usr/src && wget
    tar xfv asterisk-16-current.tar.gz
    cd asterisk-16*/
    Run the following command to download the mp3 decoder library into the source tree
    A    addons/mp3
    A    addons/mp3/MPGLIB_README
    A    addons/mp3/common.c
    A    addons/mp3/huffman.h
    A    addons/mp3/tabinit.c
    A    addons/mp3/Makefile
    A    addons/mp3/README
    A    addons/mp3/decode_i386.c
    A    addons/mp3/dct64_i386.c
    A    addons/mp3/MPGLIB_TODO
    A    addons/mp3/mpg123.h
    A    addons/mp3/layer3.c
    A    addons/mp3/mpglib.h
    A    addons/mp3/decode_ntom.c
    A    addons/mp3/interface.c
    Exported revision 202.
    Ensure all dependencies are resolved
    contrib/scripts/install_prereq install
    You should get a success message at the end
    ## install completed successfully
    Run the configure script to satisfy build dependencies
    A success should have an output like below
    configure: creating ./config.status
    config.status: creating makeopts
    config.status: creating autoconfig.h
    configure: Menuselect build configuration successfully completed
                .$7$7..          .7$$7:.
              .$$:.                 ,$7.7
            .$7.     7$$$$           .$$77
         ..$$.       $$$$$            .$$$7
        ..7$   .?.   $$$$$   .?.       7$$$.
       $.$.   .$$$7. $$$$7 .7$$$.      .$$$.
     .777.   .$$$$$$77$$$77$$$$$7.      $$$,
     $$$~      .7$$$$$$$$$$$$$7.       .$$$.
    .$$7          .7$$$$$$$7:          ?$$$.
    $$$          ?7$$$$$$$$$$I        .$$$7
    $$$       .7$$$$$$$$$$$$$$$$      :$$$.
    $$$       $$$$$$7$$$$$$$$$$$$    .$$$.
    $$$        $$$   7$$$7  .$$$    .$$$.
    $$$$             $$$$7         .$$$.
    7$$$7            7$$$$        7$$$
     $$$$$                        $$$
      $$$$7.                       $$  (TM)
       $$$$$$$.           .7$$$$$$  $$
    configure: Package configured for:
    configure: OS type  : linux-gnu
    configure: Host CPU : x86_64
    configure: build-cpu:vendor:os: x86_64 : pc : linux-gnu :
    configure: host-cpu:vendor:os: x86_64 : pc : linux-gnu :
    Setup menu options by running the following command
    make menuconfig
    Use arrow keys to navigate, and Enter key to select. You can change any configurations you see fit. When done, save and exit then install Asterisk with selected modules. Build Asterisk by running this command:
    The make command will take a while, you should see an output like this:
    Building Documentation For: third-party channels pbx apps codecs formats cdr cel bridges funcs tests main res addons 
     +--------- Asterisk Build Complete ---------+
     + Asterisk has successfully been built, and +
     + can be installed by running:              +
     +                                           +
     +                make install               +
    When done, install Asterisk by running this command:
    make install
    When done, you should see an output like this:
    +---- Asterisk Installation Complete -------+
     +                                           +
     +                                           +
     + Asterisk has successfully been installed. +
     + If you would like to install the sample   +
     + configuration files (overwriting any      +
     + existing config files), run:              +
     +                                           +
     + For generic reference documentation:      +
     +    make samples                           +
     +                                           +
     + For a sample basic PBX:                   +
     +    make basic-pbx                         +
     +                                           +
     +                                           +
     +-----------------  or ---------------------+
     +                                           +
     + You can go ahead and install the asterisk +
     + program documentation now or later run:   +
     +                                           +
     +               make progdocs               +
     +                                           +
     + **Note** This requires that you have      +
     + doxygen installed on your local system    +
    Finally, install config samples
    make samples && make config
    Create a dedicated user and group to run asterisk services, and assign correct permissions
    groupadd asterisk
    useradd -r -d /var/lib/asterisk -g asterisk asterisk
    usermod -aG audio,dialout asterisk
    chown -R asterisk.asterisk /etc/asterisk
    chown -R asterisk.asterisk /var/{lib,log,spool}/asterisk
    chown -R asterisk.asterisk /usr/lib/asterisk
    Set Asterisk default user to asterisk
    # vim /etc/default/asterisk
    # vim /etc/asterisk/asterisk.conf
    runuser = asterisk ; The user to run as.
    rungroup = asterisk ; The group to run as.
    Start asterisk service after making the changes and
    systemctl start asterisk && systemctl enable asterisk
    Service should be running without errors
    # systemctl status asterisk
    ● asterisk.service - LSB: Asterisk PBX
         Loaded: loaded (/etc/init.d/asterisk; generated)
         Active: active (running) since Tue 2021-09-07 21:29:27 CEST; 5s ago
           Docs: man:systemd-sysv-generator(8)
          Tasks: 74 (limit: 9510)
         Memory: 45.0M
            CPU: 989ms
         CGroup: /system.slice/asterisk.service
                 └─2910083 /usr/sbin/asterisk
    Sep 07 21:29:27 debian systemd[1]: Starting LSB: Asterisk PBX...
    Sep 07 21:29:27 debian asterisk[2910071]: Starting Asterisk PBX: asterisk.
    Sep 07 21:29:27 debian systemd[1]: Started LSB: Asterisk PBX.

    Nowadays there are lots of brute force attack and VoIP Fraud attempts targeting Asterisk and other PBX systems on the internet.

    It is a task of any systems Administrator to ensure success rate for such attempts is close to zero. One way to secure Asterisk such attempts is by using custom firewall rules.
    This will save you bandwidth and protect your business. To make our work easier, we will use a country based IP blacklist. We just built a service for a german client, he will expect customers from germany only, therefore we going to allow only german traffic to our SIP ports.

    Create a new file called and add the following contents
    # Germany
    ipset -F
    ipset -N nethash
    for IP in $(wget -O -
            do ipset -A $IP
            echo $IP
    Execute the script
    chmod +x

    To get a list of countries that you can block or allow please visit

    For example, to replace Germany with canada you will need to change this

    To this
    Execute the following commands to allow the country you want
    iptables -A INPUT -s -j ACCEPT
    iptables -A INPUT -p udp -m set --match-set src -m udp --dport 5060 -j ACCEPT
    iptables -A INPUT -p tcp -m set --match-set src -m tcp --dport 5060 -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -m set ! --match-set src -m tcp -j DROP
    iptables -A INPUT -p udp -m set ! --match-set src -m udp -j DROP

    These will allow the following:

    • Allow local connections
    • Allow UDP,TCP connections to port 5060 from the country you set in your shell script
    • Allow related and established connections
    • Allow SSH from anywhere
    • Drop all TCP and UDP connections not matching the country that you listed in your shell script

    Thats it, now you have installed Asterisk16 on Debian Bullseye.
    Your suggestions are always welcome! We want to say thank you for your continued liking and sharing. If you haven’t liked this post yet, you may do that by hitting the buttons at the sidebar. If you are a blogger and you appreciate the hard work, whether or not you copied this post, we implore you to kindly link back this post here, you may do it anyhow you can. We consider that a great contribution.