English name: Jack Lin
Expertise: Asterisk PBX Installation & basic setup
Platforms used: PBX in a Flash on DELL SC-440, Asterisk on Asus WL-520GU, Asterisk/FreePBX on SheevaPlug
E-mail: jack888lin@gmail.com
#!/bin/bash
# Asterisk/FreePBX Install Script on SheevaPlug Debian Squeeze (For USB Drive or SDHC use but not for internal NAND)
# Re-Written By Jack Lin, on Nov. 1, 2010
#
# Originally based on a script by Stephen Brown - http://www.k1lnx.net/wiki/
#
# This script installs the version of Asterisk 1.4.35, dahdi-linux-complete-2.2.1.2+2.2.1.1 and FreePBX 2.7.0 on a new install of Debian "Squeeze".
#
# You should be aware that:
# If you don't like the Asterisk version above you can change it to any version you wish between Asterisk 1.4 and Asterisk 1.6.
# FreePBX version will fit from 2.6 to 2.8.
# As for DAHDI Linux / DAHDI Tools you'd better stick with dahdi-linux-complete-2.4.0+2.4.0, dahdi-linux-complete-2.2.1.2+2.2.1.1 or dahdi-linux-complete-2.2.1+2.2.1 because the others will probably cause a high CPU usage issue on SheevaPlug. Or you can comment it out if you don't use Meetme conferencing.
#
# Must be run with superuser privileges.
#
# Script functions
#
# Random password generator function
# This may not be the most secure method as it makes use of /dev/urandom but can generate random passwords nonetheless :)

date
df -h

function passwd () {
    # Five 10-character alphanumeric strings; entries 1-4 are used below
    passwds=(`cat /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 10 | head -n 5`)
    MYSQL_ROOT_PW=`echo ${passwds[1]}`
    ASTERISK_DB_PW=`echo ${passwds[2]}`
    ASTERISK_MGR_PW=`echo ${passwds[3]}`
    ARI_PW=`echo ${passwds[4]}`
    echo "# Make sure to keep these in a safe place!!!" > /root/passwords
    echo "MySQL root password is: $MYSQL_ROOT_PW" >> /root/passwords
    echo "Asterisk database password is: $ASTERISK_DB_PW" >> /root/passwords
    echo "Asterisk manager portal password is: $ASTERISK_MGR_PW" >> /root/passwords
    echo "ARI password is: $ARI_PW" >> /root/passwords
    echo "Random passwords generated..."

    # encrypt the password file with gpg
    # This may not be a good idea. I would like to encrypt the final password file, but they can easily be seen in their respective config files anyhow
    echo "Encrypting file, please enter a password you will remember for decryption!"
    echo "The file WILL NOT be recoverable without it due to the use of strong encryption!"
    echo "Press return when ready: " ; read input
    gpg -c /root/passwords
    rm /root/passwords
    mkdir /root/passwords
    # gpg writes /root/passwords.gpg; use the absolute path so this works from any directory
    mv /root/passwords.gpg /root/passwords
    echo "To decrypt this file run gpg passwords.gpg and supply the password you used to encrypt the file originally when asked" > /root/passwords/README.passwords
}

# Yes/No function for script interaction
function promptyn () {
    echo -n "$1 [y/N]? "
    read ANSWER
    if [ ! -z "$ANSWER" ]
    then
        if [ "$ANSWER" = Y ] || [ "$ANSWER" = y ]
        then
            ANSWER=Y
        else
            ANSWER=N
        fi
    else
        ANSWER=N
    fi
}

# Intro text
clear
echo "This script installs the version of Asterisk 1.4.35, Asterisk Addons-1.4.11, FreePBX 2.7.0, libpri and dahdi-linux-complete-2.2.1.2+2.2.1.1"
echo "It will first update/upgrade any packages, and then (optionally) install the OpenSSH server and client. This is highly recommended"
echo "Press return to continue, Ctrl-C to abort: " ; read input

# Password generation
echo "Random passwords for all applications will now be generated and placed in /root/passwords"
echo "File will be encrypted for your protection!!!"
echo "Press enter to continue: " ; read input
passwd

# Ensure package directory up to date and system upgraded
promptyn "Preparing to run package updates. Would you like to install the OpenSSH server and client?"
if [ "$ANSWER" = "N" ] ; then
    echo "OpenSSH server will NOT be installed, press enter to continue" ; read input
    # Honour the answer: the ssh package is left out of the dependency list below
    SSH_PKG=""
else
    SSH_PKG="ssh"
fi
apt-get -y update
apt-get -y dist-upgrade

# Variables
IP_ADDRESS=`ifconfig eth0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`
FREEPBX_VERSION=2.7.0

# Retrieve utilities and set debconf to noninteractive front-end
apt-get -y install debconf-utils
debconf-set-selections <<CONF_EOF
debconf debconf/frontend select noninteractive
CONF_EOF

# Install mysql server
apt-get -y install mysql-server-5.1

# Configure mysql root password
mysqladmin -u root password ${MYSQL_ROOT_PW}

# Set debconf back to normal interactive front-end
debconf-set-selections <<CONF_EOF
debconf debconf/frontend select Dialog
CONF_EOF

# Install the dependencies for Asterisk
apt-get -y install ${SSH_PKG} kernel-package g++ libncurses5-dev linux-libc-dev sqlite libnewt-dev libusb-dev zlib1g-dev libmysqlclient-dev libsqlite0-dev php5 mysql-server-5.1 php-pear php5-mysql php-db php5-gd linux-headers-$(uname -r) bison openssl libssl-dev libeditline0 libeditline-dev libedit-dev gcc make mc php5-cli sox

# Download and extract Asterisk and Asterisk-related files
mkdir -p /usr/src/asterisk
cd /usr/src/asterisk
wget http://downloads.asterisk.org/pub/telephony/asterisk/old-releases/asterisk-1.4.35.tar.gz
wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-addons-1.4-current.tar.gz
wget http://downloads.asterisk.org/pub/telephony/dahdi-linux-complete/releases/dahdi-linux-complete-2.2.1.2+2.2.1.1.tar.gz
wget http://downloads.digium.com/pub/libpri/libpri-1.4-current.tar.gz
tar xfvz asterisk-1.4.35.tar.gz
tar xfvz asterisk-addons-1.4-current.tar.gz
tar xfvz dahdi-linux-complete-2.2.1.2+2.2.1.1.tar.gz
tar xfvz libpri-1.4-current.tar.gz
rm asterisk-1.4.35.tar.gz
rm asterisk-addons-1.4-current.tar.gz
rm dahdi-linux-complete-2.2.1.2+2.2.1.1.tar.gz
rm libpri-1.4-current.tar.gz

# Install Libpri
cd `find . -name "libpri-1.4.*" -print`
make clean
make
make install
cd ..

# Install DAHDI
cd `find . -name "dahdi-linux-complete-2.2.*" -print`
make all
make install
make config
cd ..

# Install Asterisk 1.4
# In Asterisk Module and Build Option Selection, you can simply go with the defaults and press Exit - this will install all that is needed.
# Or you can choose to install extra language and sound files in 12. Core Sound Packages, 13. Music On Hold File Packages and 14. Extras Sound Packages for better quality audio, and to avoid transcoding sound files.
cd `find . -name "asterisk-1.4.*" -print`
make clean
./configure --disable-xmldoc
sed -i 's/PROC=armv5tel/PROC=arm/g' /usr/src/asterisk/asterisk-1.4.*/makeopts
make menuselect
make
make install
make samples
make progdocs
make config
cd ..

# Install Asterisk Addons
# In asterisk-Addons module selection, make sure to deselect H323 in channel drivers.
# Press Esc to return to the main menu, then x to save your changes. The install will continue.
cd `find . -name "asterisk-addons-1.4.*" -print`
make clean
./configure
make menuselect
make
make install
cd ../../

# Create asterisk user and group, adding to www-data group for apache server
adduser asterisk --disabled-password --gecos "asterisk PBX"
adduser www-data asterisk

# Fix up apache configuration to run as asterisk user
cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf-orig
sed -i "s/\(^User *\)\(.*\)/\1asterisk/" /etc/apache2/apache2.conf
sed -i "s/\(^Group *\)\(.*\)/\1asterisk/" /etc/apache2/apache2.conf

# Patch safe_asterisk script to use bash
sed -i "s|#!/bin/sh|#!/bin/bash|" /usr/sbin/safe_asterisk

# Add dummy timing device for asterisk
modprobe dahdi_dummy

# Download and unpack freepbx
wget http://mirror.freepbx.org/freepbx-${FREEPBX_VERSION}.tar.gz
tar xfvz freepbx-${FREEPBX_VERSION}.tar.gz
rm freepbx-${FREEPBX_VERSION}.tar.gz

# Add Asterisk startup item
cat > /etc/init.d/asterisk <<-END_STARTUP
#!/bin/bash
set -e
set -a
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="Asterisk"
NAME=amportal
DAEMON=/usr/sbin/\$NAME
test -x \$DAEMON || exit 0

d_start() {
    amportal start
}

d_stop() {
    amportal stop
}

d_reload() {
    amportal restart
}

case "\$1" in
    start)
        echo -n "Starting \$DESC: \$NAME"
        d_start
        echo "."
        ;;
    stop)
        echo -n "Stopping \$DESC: \$NAME"
        d_stop
        echo "."
        ;;
    restart|force-reload)
        echo -n "Restarting \$DESC: \$NAME"
        d_stop
        sleep 10
        d_start
        echo "."
        ;;
    *)
        # \$0 is used here because SCRIPTNAME was never defined in this init script
        echo "Usage: \$0 {start|stop|restart|force-reload}" >&2
        exit 3
        ;;
esac
exit 0
END_STARTUP
chmod 755 /etc/init.d/asterisk
update-rc.d asterisk defaults 90 10

# Configure freepbx
cd freepbx-${FREEPBX_VERSION}

# Setup databases for freepbx use
mysqladmin -u root -p${MYSQL_ROOT_PW} create asterisk
mysqladmin -u root -p${MYSQL_ROOT_PW} create asteriskcdrdb
mysql -u root -p${MYSQL_ROOT_PW} asterisk < SQL/newinstall.sql
mysql -u root -p${MYSQL_ROOT_PW} asteriskcdrdb < SQL/cdr_mysql_table.sql
mysql -u root -p${MYSQL_ROOT_PW} <<-END_PRIVS
GRANT ALL PRIVILEGES ON asterisk.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asteriskuser@localhost IDENTIFIED BY "${ASTERISK_DB_PW}";
flush privileges;
END_PRIVS

# Reconfigure php for freepbx
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini-orig
sed -i "s/\(upload_max_filesize *= *\)\(.*\)/\120M/" /etc/php5/apache2/php.ini
sed -i "s/\(memory_limit *= *\)\(.*\)/\1128M/" /etc/php5/apache2/php.ini
#sed -i "s/\(magic_quotes_gpc *= *\)\(.*\)/\1Off/" /etc/php5/apache2/php.ini
sed -i 's/;suhosin.memory_limit = 0/suhosin.memory_limit = 134217728/' /etc/php5/conf.d/suhosin.ini

# Fix up directory use and permissions for asterisk
chown asterisk:asterisk /var/run/asterisk
chown asterisk:asterisk -R /etc/asterisk
chown asterisk:asterisk -R /var/lib/asterisk
chown asterisk:asterisk -R /var/log/asterisk
chown asterisk:asterisk -R /var/spool/asterisk
chown asterisk:asterisk -R /var/www
sed -i "s/\[directories\](!) .*/[directories]/" /etc/asterisk/asterisk.conf
sed -i "s|astrundir *=> */var/run|astrundir => /var/run/asterisk|" /etc/asterisk/asterisk.conf

# Fix mohmp3
#mkdir -p /var/lib/asterisk/mohmp3
#cp /var/lib/asterisk/moh/* /var/lib/asterisk/mohmp3
ln -s /var/lib/asterisk/moh /var/lib/asterisk/mohmp3
#chown -R asterisk:asterisk /var/lib/asterisk/mohmp3
#chmod -R ug+rwx,o+rx-w /var/lib/asterisk/mohmp3

# Start Asterisk
./start_asterisk start

# Configure amportal
cp amportal.conf /etc/amportal.conf
sed -i "s/# \(AMPDBUSER=asteriskuser\) */\1/" /etc/amportal.conf
sed -i "s/# \(AMPDBPASS=\).*/\1${ASTERISK_DB_PW}/" /etc/amportal.conf
sed -i "s/AUTHTYPE=none/AUTHTYPE=database/" /etc/amportal.conf
sed -i "s|\(AMPWEBROOT=\)/var/www/html|\1/var/www|" /etc/amportal.conf
sed -i "s|\(FOPWEBROOT=\)/var/www/html/panel|\1/var/www/panel|" /etc/amportal.conf
sed -i "/#AMPWEBADDRESS=192.168.1.101/d" /etc/amportal.conf
sed -i "s/AMPWEBADDRESS=/AMPWEBADDRESS=${IP_ADDRESS}/" /etc/amportal.conf

# Change default manager password
sed -i "s/secret = amp111/secret = ${ASTERISK_MGR_PW}/" /etc/asterisk/manager.conf
sed -i "s/AMPMGRPASS=amp111/AMPMGRPASS=${ASTERISK_MGR_PW}/" /etc/amportal.conf

# Enable DAHDI for FreePBX
sed -i "s/# ZAP2DAHDICOMPAT=true|false/ZAP2DAHDICOMPAT=true/" /etc/amportal.conf

# Install amp
./install_amp

# Fix and start apache web server
echo "
ServerName Debian
" >> /etc/apache2/apache2.conf
/etc/init.d/apache2 restart

# Start amportal
amportal start

# Set ARI admin password
sed -i "s/ari_password/${ARI_PW}/" /var/www/recordings/includes/main.conf.php

# Setup log rotation
touch /etc/logrotate.d/asterisk
echo "
/var/log/asterisk/*log {
   missingok
   rotate 5
   weekly
   create 0640 asterisk asterisk
   postrotate
       /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
   endscript
}

/var/log/asterisk/full {
   missingok
   rotate 5
   daily
   create 0640 asterisk asterisk
   postrotate
       /usr/sbin/asterisk -rx 'logger reload' > /dev/null 2> /dev/null
   endscript
}

/var/log/asterisk/cdr-csv/*csv {
   missingok
   rotate 5
   monthly
   create 0640 asterisk asterisk
}

/var/log/atftp.log {
   missingok
   rotate 5
   monthly
   create 0640 nobody nobody
}
" > /etc/logrotate.d/asterisk

clear
echo "Complete. You can access FreePBX at http://$IP_ADDRESS/admin"
echo "Login using username asteriskuser and password $ASTERISK_DB_PW"
date
df -h
cd /root
chmod +x asterisk1435
./asterisk1435
reboot
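The script's own comment points out that the generated passwords end up in plain text in their config files. As an added example (not part of the original script), this function checks those files for world-readable permissions and for default values that were never replaced; the function name and its optional root-prefix argument are assumptions, while the paths and the defaults amp111 and ari_password are the ones the script uses.

```bash
#!/bin/bash
# Added example, not part of the original install script.
# Assumption: audit_secret_files and its ROOT prefix argument are names made
# up for this example. Paths and default values come from the script above.
# Usage on the installed system (as root): audit_secret_files

audit_secret_files() {
    local root="${1:-}"   # optional prefix, so a copy of the tree can be audited
    local entry path marker file
    # path | default value that must no longer be present ("-" = none)
    for entry in \
        "/etc/amportal.conf|AMPMGRPASS=amp111" \
        "/etc/asterisk/manager.conf|secret = amp111" \
        "/var/www/recordings/includes/main.conf.php|ari_password" \
        "/root/passwords/passwords.gpg|-"
    do
        path="${entry%%|*}"
        marker="${entry#*|}"
        file="${root}${path}"
        if [ ! -f "$file" ]; then
            echo "MISSING $path"
            continue
        fi
        # -perm -004: the "other" read bit is set, so any local user can read it
        if [ -n "$(find "$file" -prune -perm -004 -print)" ]; then
            echo "WORLD_READABLE $path"
        fi
        # A surviving default means the sed substitution did not take effect
        if [ "$marker" != "-" ] && grep -qF -- "$marker" "$file"; then
            echo "DEFAULT_SECRET $path"
        fi
    done
    return 0
}
```

Each finding is printed as one line; no output means all four files exist, are not world-readable and carry no default value.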
References:
http://www.k1lnx.net/wiki/
https://wiki.ubuntu.com/AsteriskScri...FreePBX_1.2.sh
http://www.corenetworks.com.au/wiki/...freepbx_script
http://www.plugpbx.org/?page_id=137
http://forums.plugpbx.org/index.php/topic,102.0.html
http://www.fonicaprojects.com/wiki/i...ePBX_on_Debian
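After installing Asterisk/FreePBX on SheevaPlug Debian Squeeze, I felt that something was missing, as if it were not wearing any clothes,
so let's dress it in OSSEC, a very powerful and free host-based intrusion detection system, which gives at least a little more peace of mind.
What is the OSSEC host-based intrusion detection system? Why install it for Asterisk/FreePBX?
Put simply, in my own words: OSSEC is a security system that watches the host at all times and, when the host comes under an intrusion attempt, actively blocks and counters it and notifies you immediately. Amazing.
So installing the OSSEC host-based intrusion detection system for Asterisk/FreePBX is a matter of course. If you find it does not suit you, there are of course other choices, such as fail2ban, which I also like a lot; if it does not cause conflicts, try installing fail2ban alongside it as well.
A detailed description of the OSSEC host-based intrusion detection system is outside the scope of these notes; please see the attached references.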
cd /root
wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
tar -zxvf ossec-hids-*.tar.gz
rm ossec-hids-*.tar.gz
cd ossec-hids-*
./install.sh
The lines marked with * below may show up as garbled characters; ignore that and just use the default:
** Para instalaA§A£o em portuguAas, escolha [br].
** e|a??c”‥a﹐-a–?e??e!?aR?e£…, e¯·e€?a?c [cn].
** Fur eine deutsche Installation wohlen Sie [de].
** I“I1I± IμI3IoI±I?I?I?I?I±I?I· I?I?I± I‧I?I?I·I?I1IoI?, IμI€I1I?I-I?I?Iμ [el].
** For installation in English, choose [en].
** Para instalar en EspaA±ol , eliga [es].
** Pour une installation en franA§ais, choisissez [fr]
** Per l'installazione in Italiano, scegli [it].
** a—¥a??ea?a§a??a?3a?1a??a??a??a—a?a?i??e﹐a??a—a|a﹐?a‧a?i??[jp].
** Voor installatie in het Nederlands, kies [nl].
** Aby instalowaA? w jA?zyku Polskim, wybierz [pl].
** D”D?N D﹐D?NN?N€N?DoN?D﹐D1 D?D? N?NN?D°D?D?D2DoDμ D?D° N€N?NNDoD?D? ,D2D2DμD’D﹐N?Dμ [ru].
** Za instalaciju na srpskom, izaberi [sr].
** TA?rkA§e kurulum iA§in seA§in [tr].
(en/br/cn/de/el/es/fr/it/jp/nl/pl/ru/sr/tr) [en]: (press Enter)
OSSEC HIDS v2.5.1 Installation Script - http://www.ossec.net
You are about to start the installation process of the OSSEC HIDS.
You must have a C compiler pre-installed in your system.
If you have any questions or comments, please send an e-mail
to dcid@ossec.net (or daniel.cid@gmail.com).
- System: Linux debian 2.6.32-5-kirkwood
- User: root
- Host: debian
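-- Press ENTER to continue or Ctrl-C to abort. -- (press Enter)
Notes on choosing the installation type below:
a. server: besides monitoring its own host, it can also bring other Windows, Linux and other hosts on the LAN under monitoring, so the security status of every host is in one place; naturally this is the one to choose.
b. agent: must be used together with a. server; the host is monitored entirely by the server and has no monitoring function of its own.
c. local: only monitors its own host; it is neither monitored by a server nor able to monitor other hosts. If the Asterisk/FreePBX host does not need to monitor other hosts, choose this one.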
1- What kind of installation do you want (server, agent, local or help)? server
- Server installation chosen.
2- Setting up the installation environment.
- Choose where to install the OSSEC HIDS [/var/ossec]: (press Enter)
- Installation will be made at /var/ossec .
3- Configuring the OSSEC HIDS.
3.1- Do you want e-mail notification? (y/n) [y]: (press Enter)
- What's your e-mail address? jack888lin@gmail.com
- We found your SMTP server as: gmail-smtp-in.l.google.com.
- Do you want to use it? (y/n) [y]: n
- What's your SMTP server ip/host? localhost
3.2- Do you want to run the integrity check daemon? (y/n) [y]: (press Enter)
- Running syscheck (integrity check daemon).
3.3- Do you want to run the rootkit detection engine? (y/n) [y]: (press Enter)
- Running rootcheck (rootkit detection).
3.4- Active response allows you to execute a specific
command based on the events received. For example,
you can block an IP address or disable access for
a specific user.
More information at:
http://www.ossec.net/en/manual.html#active-response
- Do you want to enable active response? (y/n) [y]: (press Enter)
- Active response enabled.
- By default, we can enable the host-deny and the
firewall-drop responses. The first one will add
a host to the /etc/hosts.deny and the second one
will block the host on iptables (if linux) or on
ipfilter (if Solaris, FreeBSD or NetBSD).
- They can be used to stop SSHD brute force scans,
portscans and some other forms of attacks. You can
also add them to block on snort events, for example.
- Do you want to enable the firewall-drop response? (y/n) [y]: (press Enter)
- firewall-drop enabled (local) for levels >= 6
- Default white list for the active response:
- 192.168.1.1
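Below, if you want the other hosts on the LAN not to be blocked by the OSSEC server, add specific IPs or the whole LAN subnet to the white list. Everything here is used by my own household, so I chose the whole subnet: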
- Do you want to add more IPs to the white list? (y/n)? [n]: y
- IPs (space separated): 192.168.1.0/24
3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]: (press Enter)
- Remote syslog enabled.
3.6- Setting the configuration to analyze the following logs:
-- /var/log/messages
-- /var/log/auth.log
-- /var/log/syslog
-- /var/log/mail.info
-- /var/log/dpkg.log
-- /var/log/apache2/error.log (apache log)
-- /var/log/apache2/access.log (apache log)
- If you want to monitor any other file, just change
the ossec.conf and add a new localfile entry.
Any questions about the configuration can be answered
by visiting us online at http://www.ossec.net .
--- Press ENTER to continue --- (press Enter)
The OSSEC compilation now starts; please wait...
After compilation finishes, the following information appears:
- System is Debian (Ubuntu or derivative).
- Init script modified to start OSSEC HIDS during boot.
- Configuration finished properly.
- To start OSSEC HIDS:
/var/ossec/bin/ossec-control start
- To stop OSSEC HIDS:
/var/ossec/bin/ossec-control stop
- The configuration can be viewed or modified at /var/ossec/etc/ossec.conf
Thanks for using the OSSEC HIDS.
If you have any question, suggestion or if you find any bug,
contact us at contact@ossec.net or using our public maillist at
ossec-list@ossec.net
( http://www.ossec.net/main/support/ ).
More information can be found at http://www.ossec.net
--- Press ENTER to finish (maybe more information below). --- (press Enter)
- In order to connect agent and server, you need to add each agent to the server.
Run the 'manage_agents' to add or remove them:
/var/ossec/bin/manage_agents
More information at:
http://www.ossec.net/en/manual.html#ma
nano -w /var/ossec/etc/ossec.conf
<ossec_config>
<global>
<email_notification>yes</email_notification>
<email_to>jack888lin@gmail.com</email_to>
<smtp_server>localhost</smtp_server>
<email_from>ossecm@debian.dyndns.org</email_from>
</global>
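The installer's list of analyzed logs above contains no Asterisk log, and its own hint is to add a new localfile entry to ossec.conf. As an added example (not from the original notes or the OSSEC project), this function inserts such an entry idempotently; the function name add_localfile is an assumption, and /var/log/asterisk/full is the log path from the install script's logrotate section.

```bash
#!/bin/bash
# Added example, not from the original notes.
# Assumptions: add_localfile is a name made up here; "syslog" is used as
# OSSEC's generic one-event-per-line log format.
# Usage on the OSSEC server (as root):
#   add_localfile /var/ossec/etc/ossec.conf /var/log/asterisk/full
#   /var/ossec/bin/ossec-control restart

add_localfile() {
    local conf="$1" log="$2" tmp
    # Idempotent: do nothing if this log is already configured.
    if grep -qF "<location>${log}</location>" "$conf"; then
        echo "unchanged"
        return 0
    fi
    # Refuse to touch a file that has no closing root tag.
    if ! grep -q '</ossec_config>' "$conf"; then
        echo "no-root-tag"
        return 0
    fi
    tmp="$(mktemp "${conf}.XXXXXX")"
    # Insert the entry just before the last </ossec_config> in the file.
    ENTRY="  <localfile>
    <log_format>syslog</log_format>
    <location>${log}</location>
  </localfile>" awk '
        { line[NR] = $0; if ($0 ~ /<\/ossec_config>/) last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) print ENVIRON["ENTRY"]
                print line[i]
            }
        }' "$conf" > "$tmp"
    # Keep the original as a backup, then overwrite in place so that the
    # owner and mode of ossec.conf stay as the installer set them.
    cp -p "$conf" "${conf}.bak"
    cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "added"
}
```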
nano -w /etc/iptables.up.rules
# Allow connections from Ossec Agents to our Ossec Server
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 1514 -j ACCEPT
sed -i '/ossec:/s|$|asterisk|' /etc/group
reboot
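After the host has restarted, download the ossec-1.0.2.tgz file from http://www.fonicaprojects.com/wiki/index.php/FreePBX_Module:_OSSEC to the Windows desktop.
Open FreePBX -> Tools -> Module Admin -> Upload Module -> Browse -> Desktop -> ossec-1.0.2.tgz
Click Upload, then go to Module Administration -> Maintenance -> OSSEC -> Install
After the installation completes, click OSSEC under Tools in the left pane to see the OSSEC Server web interface, as shown in the figure below: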
/var/ossec/bin/ossec-control stop
/var/ossec/bin/ossec-control start
/var/ossec/bin/ossec-control restart
ps -ef | grep ossec
/var/ossec/bin/manage_agents