Matthew Jordan
| Programming, Running, and ThingsHouston, We Have a Problem
“21055537: the number of failed authentication attempts against a public #Asterisk 12 server since January 11th” - @joshnet
— Matt Jordan (@mattcjordan) July 16, 2014
Yeah… that’s not cool.
When Josh told me how many failed authentication attempts his public Asterisk 12 server was getting, I wouldn’t say I was surprised: it is, after all, something of the wild west still on ye olde internet. I enjoy the hilarity of having fraud-bots break themselves on a tide of 401s. Seeing the total number of perturbed electrons is a laugh. But you know what’s more fun? Real-time stats.
I wondered: would it be possible to get information about the number of failed authentication attempts in real-time? If we included the source IP address, would that yield any interesting information?
Statistics are fun, folks. And, plus, it is for security. I can justify spending time on that. These people are clearly bad. Our statistics will serve a higher purpose. This is for a good cause.
For great justice!
Stasis: Enter the message bus
We’re going to start off using our sample module. In Asterisk 12 and later versions, the Stasis message bus will publish notifications about security events to subscribed listeners. We can use the message bus to get notified any time an authentication fails.
Getting Stasis moving
I’m making the assumption that we’ve copied our res_sample_module.c file and named it res_auth_stats.c. Again, feel free to name it whatever you like.
First, let’s get the right headers pulled into our module. We’ll probably want the main header for Stasis,
asterisk/stasis.h. Stasis has a concept called a message router, which simplifies a lot of boiler plate code that can grow when you have to handle multiple message types that are published on a single topic. However, in our case, we only have a single message type,ast_security_event_type, that will be published to the topic we’ll subscribe to. As such, it really is overkill for this application, so we’ll just deal with managing the subscription ourselves. Said Stasis topic for security events is defined inasterisk/security_events.h, so let’s add that as well. Finally, the payload in the message that will be delivered to us is encoded in JSON, so we’ll need to addasterisk/json.htoo.1
2
3
4#include "asterisk/module.h"
#include "asterisk/stasis.h"
#include "asterisk/security_events.h"
#include "asterisk/json.h"In
load_module, we’ll subscribe to theast_security_topicand tell it to callhandle_security_eventwhen the topic receives a message. The third parameter to the subscription function let’s us pass an object to the callback function whenever it is called; we don’t need it, so we’ll just pass itNULL. We’ll want to keep that subscription, so at the top of our module, we’ll declare astatic struct stasis_subscription *.1
2
3
4
5
6
7
8
9
10
11
12
13
14/*! Our Stasis subscription to the security topic */
static struct stasis_subscription *sub;
...
static int load_module(void)
{
sub = stasis_subscribe(ast_security_topic(), handle_security_event, NULL);
if (!sub) {
return AST_MODULE_LOAD_FAILURE;
}
return AST_MODULE_LOAD_SUCCESS;
}Since we’re subscribing to a Stasis topic when the module is loaded, we also need to unsubcribe when the module is unloaded. To do that, we can call
stasis_unsubscribe_and_join- the join implying that the unsubscribe will block until all current messages being published to our subscription have been delivered. This is important, asunsubscribingdoes not prevent in-flight messages from being delievered; since our module is unloading, this is likely to have “unhappy” effects.1
2
3
4
5
6
7static int unload_module(void)
{
stasis_unsubscribe_and_join(sub);
sub = NULL;
return 0;
}Now, we’re ready to implement the handler. Let’s get the method defined:
1
2
3
4
5static void handle_security_event(void *data, struct stasis_subscription *sub,
struct stasis_message *message)
{
}A Stasis message handler takes in three parameters:
A
void *to a piece of data. If we had passed anao2object when we calledstasis_subscribe, this would be pointing to our object. Since we passedNULL, this will beNULLevery time our function is invoked.A pointer to the
stasis_subscriptionthat caused this function to be called. You can have a single handler handle multiple subscriptions, and you can also cancel your subscription in the callback. For our purposes, we’re (a) going to always be subscribed to the topic as long as the module is loaded, and (b) we are only subscribed to a single topic. So we won’t worry about this parameter.A pointer to our message. All messages published over Stasis are an instance of
struct stasis_message, which is an opaque object. It’s up to us to determine if we want to handle that message or not.
Let’s add some basic defensive checking in here. A topic can have many messages types published to it; of these, we know we only care about
ast_security_event_type. Let’s ignore all the others:1
2
3
4
5
6
7
8static void handle_security_event(void *data, struct stasis_subscription *sub,
struct stasis_message *message)
{
if (stasis_message_type(message) != ast_security_event_type()) {
return;
}
}Now that we know that our message type is
ast_security_event_type, we can safely extract the message payload. Thestasis_message_payloadfunction extracts whatever payload was passed along with thestruct stasis_messageas avoid *. It is incredibly important to note that by convention, message payloads passed with Stasis messages are immutable. You must not change them. Why is this the case?
A Stasis message that is published to a topic is delivered to all of that topic’s subscribers. There could be many modules that are intrested in security information. When designing Stasis, we had two options:(1) Do a deep copy of the message payload for each message that is delivered. This would incur a pretty steep penalty on all consumers of Stasis, even if they did not need to modify the message data. Publishers would also have to implement a copy callback for each message payload.
(2) Pretend that the message payload is immutable and can’t be modified (this is C after all, if you want to shoot yourself in the foot, you’re more than welcome to). If a subscriber needs to modify the message data, it has to copy the payload itself.
For performance reasons, we chose option #2. In practice, this has worked out well: many subscribers don’t need to change the message payloads; they merely need to know that something occurred.
Anyway, the code:
1
2
3
4
5
6
7
8
9
10struct ast_json_payload *payload;
if (stasis_message_type(message) != ast_security_event_type()) {
return;
}
payload = stasis_message_data(message);
if (!payload || !payload->json) {
return;
}Note that our payload is of type
struct ast_json_payload, which is a thin ao2 wrapper around astruct ast_jsonobject. Just for safety’s sake, we make sure that both the wrapper and the underlying JSON object aren’tNULLbefore manipulating them.
Now that we have our payload, let’s print it out. The JSON wrapper API provides a handy way of doing this via
ast_json_dump_string_format. This will give us an idea of what exactly is in the payload of a security event:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21static void handle_security_event(void *data, struct stasis_subscription *sub,
struct stasis_message *message)
{
struct ast_json_payload *payload;
char *str_json;
if (stasis_message_type(message) != ast_security_event_type()) {
return;
}
payload = stasis_message_data(message);
if (!payload || !payload->json) {
return;
}
str_json = ast_json_dump_string_format(payload->json, AST_JSON_PRETTY);
if (str_json) {
ast_log(LOG_NOTICE, "Security! %s\n", str_json);
}
ast_json_free(str_json);
}
Stasis in action
Let’s make a security event. While there’s plenty of ways to generate a security event in Asterisk, one of the easiest is to just fail an AMI login. You’re more than welcome to do any failed (or even successful) login to test out the module, just make sure it is through a channel driver/module that actually emits security events!
AMI Demo
Build and install the module, then:
1 | $ telnet 127.0.0.1 5038 |
In Asterisk, we should see something like the following:
1 | *CLI> [Aug 3 16:00:51] NOTICE[12019]: manager.c:2959 authenticate: 127.0.0.1 tried to authenticate with nonexistent user 'i_am_not_a_user' |
Great success!
Dissecting the event
There’s a few interesting fields in the security event that we could build statistics from, and a few that we should consider carefully when writing the next portion of our module. In no particular order, here are a few thoughts to guide the next part of the development:
There are a number of different types of security events, which are conveyed by the SecurityEvent field. This integer value corresponds to the
enum ast_security_event_type. There are a fair number of security events that we may not care about (at least not for this incarnation of the module). Since what we want to track are failed authentication attempts, we will need to filter out events based on this value.The Service field tells us who raised the security event. If we felt like it, we could use that to only look at SIP attacks, or failed AMI logins, or what not. For now, I’m going to opt to not care about where the security event was raised from: the fact that we get one is sufficient.
The RemoteAddress is interesting: it tells us where the security issue came from. While we’re concerned with statistics - and I think keeping track of how many failed logins a particular source had is pretty interesting - for people using fail2ban, iptables, or other tools to restrict access, this is a pretty useful field. Consume, update; rinse, repeat.
STATS!
Let’s get rid of the log message and start doing something interesting. In Asterisk 12, we added a module, res_statsd, that does much what its namesake implies: it allows Asterisk to send stats to a StatsD server. StatsD is really cool: if you have a statistic you want to track, it has a way to consume it. With a number of pluggable backends, there’s also (usually) a way to display it. And it’s open source!
In the interest of full disclosure, installing statsd on my laptop hit a few … snags. Libraries and what-not. I’ll post again with how well this module works in practice. For now, let’s just hope the theory is sound.
To use this module, we’ll want to pull in Asterisk’s integration library with StatsD, statsd.h.
1 | ... |
And we should go ahead and declare that our module depends on res_statsd:
1 | /*** MODULEINFO |
Since we’re not going to print out the Stasis message any more, go ahead and delete the char *str_json. Now that we know we’re getting messages, let’s filter out the ones we don’t care about:
1 | static void handle_security_event(void *data, struct stasis_subscription *sub, |
Here, after pulling out the payload from the Stasis message, we get the SecurityEvent field out and assign it to an integer, event_type. Note that we know that the value will be one of the AST_SECURITY_EVENT_* values. In my case, I only care when someone:
Fails to provide a valid account
Fails to provide a valid password
Fails a challenge check (rather important for SIP)
So we bail on any of the event types that aren’t one of those.
The first stat I’ll send to StatsD are the number of times a particular address trips one of those three security events. StatsD uses a period delineated message format, where each period denotes a category of statistics. The API provided by Asterisk’s StatsD module lets us send any statistic using ast_statsd_log. In this case, we want to just simply bump a count every time we get a failed message, so we’ll use the statistic type of AST_STATSD_METER.
Using a struct ast_str to build up the message we sent to StatsD, we’d have something that looks like this:
1 | static void handle_security_event(void *data, struct stasis_subscription *sub, |
Cool! If we get an attack from, say, 192.168.0.1 over UDP via SIP, we’d send the following message to StatsD:
1 | security.failed_auth.SIP.UDP/192.168.0.1/5060 |
Except, we have one tiny problem… IP addresses are period delineated. Whoops.
(cleaner) STATS!
We really want the address we receive from the security event to be its own “ID”, identifying what initiated the security event. That means we really need to mark the octets in an IPv4 address with something other than a ‘.’. We also need to lose the port: if the connection is TCP based, that port is going to bounce all over the map (and we probably don’t care which port it originated from either). Since the address is delineated with a ‘/‘ character, we can just drop the last bit of information that’s returned to us in the RemoteAddress field. Let’s write a few helper functions to do that:
1 | static char *sanitize_address(char *buffer) |
Note that we don’t need to return anything here, as this modifies buffer in place, but I find those semantics to be nice. Using the return value makes the modification of the buffer parameter obvious.
That should turn this:
1 | IPV4/TCP/127.0.0.1/57546 |
Into this:
1 | IPV4/TCP/127_0_0_1 |
Nifty.
Since we used a struct ast_str * to build our message, we’ll need to pull out the RemoteAddress into a char * to manipulate it.
REMEMBER: STASIS MESSAGES ARE IMMUTABLE.
We’re about to mutate a field in it; you cannot just muck around with this value in the message. Let’s do it safely:
1 | char *remote_address; |
Better. With the rest of the code, this now looks like:
1 | static void handle_security_event(void *data, struct stasis_subscription *sub, |
Yay! But what else can we do with this?
MOAR (cleaner) STATS!
So, right now, we’re keeping track of each individual remote address that fails authentication. That may be a bit aggressive for some scenarios - sometimes, we may just want to know how many SIP authentication requests have failed. So let’s track that. We’ll use a new string buffer (dual purposing buffers just feels me with ewww), and populate it with a new stat:
1 | service = ast_json_string_get(ast_json_object_get(payload->json, "Service")); |
Since we’re unlikely to get a remote address of count, this should work out okay for us. With the rest of the code, this looks like the following:
1 | static void handle_security_event(void *data, struct stasis_subscription *sub, |
In Conclusion
And there we go! Statistics of those trying to h4x0r your PBX, delivered to your StatsD server. In this particular case, getting this information off of Stasis was probably the most direct method, since we want to programmatically pass this information off to StatsD. On the other hand, since security events are now passed over AMI, we could do this in another language as well. If I wanted to update iptables or fail2ban, I’d probably use the AMI route - it’s generally easier to do things in Python or JavaScript than C (sorry C afficianados). On the other hand: this also makes for a much more interesting blog post and an Asterisk module!
A lot of modules for Asterisk were written a long time ago. For the most part, these modules targeted Asterisk 1.4. I tend to suspect this was for a variety of reasons: the Asterisk project really took off during that time frame, and a lot of capabilities were being added at that time. Unfortunately (or fortunately, if you happen to be one of those who develop for Asterisk often), the Asterisk Architecture has changed a lot since then. While a some of those modules may still work just fine (with maybe a few find and replaces), there’s a lot of tools in the toolbox that didn’t exist then.
In fact, if I could point to two things that have resulted in Asterisk evolving into the stable, robust platform that it is today, it would be:
LOTS of testing.
Frameworks, frameworks, frameworks!
Not that there is a framework for everything, mind you. Or that everything is “perfect”. Software is hard, after all. But if there’s something you want to do, there’s probably something available to help you do that, and if you use that, then you stand a good chance of using something that just. Plain. Works.
So, let’s start at the beginning.
When Asterisk starts, it looks for modules to load in the modules directory (specified in asterisk.conf in the astmoddir setting). If modules.conf says to load a module in that directory - either explicitly or via autoload - then it loads that module into memory. But that doesn’t actually start the module - it just gets it into memory. However, due to some fancy usage of the constructor attribute, it also gets it registered in a few places as a “module” that can be manipulated. That registration really occurs due to an instance of a certain struct that all modules must have, and which provides a few different things:
Notification that the module is GPLv2. Unless your module includes the disclaimer that the module is GPLv2, it can’t be loaded. So, yes, you have to distribute your module per the conditions of the GPLv2.
Various bits of metadata - the name of the module, a description of it, etc.
The module’s load order priority. Asterisk’s module loader is a tad … simple… which means things have a rough integer priority for loading. If you have lots of dependencies, make sure you load after them - and if things depend on your module, make sure they load after you.
Most importantly (for this blog post), it defines a set of virtual functions that will be called at key times by Asterisk. Namely:
load_module: Called during module load. This should process the configuration, set up containers, and initialize module data. If your module can’t be loaded, you can tell the core not to load your module.unload_module: The analogue of load_module; called when Asterisk is shutting down. Your module should shut down whatever it is using, unsubscribe from things, dispose of memory, etc.reload_module: Called when a module is reloaded by an interface, i.e., through the CLI’s module reload command or the AMI ModuleReload action. You should reprocess your configuration when this is called. More on that in a future post; for now, we’ll just focus on load and unload.
Writing the basics
For now, let’s just get something that will load. We’ll add interesting stuff later. I’m going to assume that this module is named res_sample_module.c, stored in the res directory of Asterisk. If you’d rather write an application, or a function, or whatever, feel free to rename it and place it where it suits you best. The Asterisk build system should find it, so long as it is in one of the canonical directories. I’m also going to assume that this is done on Asterisk 13 - if you’d like to use another version of Asterisk, that’s fine, but your mileage may vary.
Add a
MODULEINFOcomment block at the top of your file. When Asterisk compiles, it will parse out this comment block and feed it into menuselect, which allows users to control which modules they want to build. It also will prevent a module from compiling if its dependencies aren’t met. For now, we’ll simply set its support level:1
2
3/*** MODULEINFO
<support_level>extended</support_level>
***/Include the main asterisk header file. This pulls in the build options from the configure script, throws in some forward declarations for common items, and gives us the ability to register the version of this file. Immediately after this, we should go ahead and add the call that will register the file version, using the macro
ASTERISK_FILE_VERSION:1
2
3#include "asterisk.h"
ASTERISK_FILE_VERSION(__FILE__, "$Revision: $")While we’re here, after the
ASTERISK_FILE_VERSION, let’s include the headermodule.h. That header contains the definition for the module struct with its handy virtual table of load/unload/reload functions.1
2
3ASTERISK_FILE_VERSION(__FILE__, "$Revision: $")
#include "asterisk/module.h"At the bottom of the file, declare that this is a “standard” Asterisk module. This will make a few assumptions:
That you have a
load_moduleandunload_modulestatic functions conforming to the correct signature, and noreload_modulefunction (which is okay, we’ll worry about that one another time).That you’re okay with loading your module at the “default” time, i.e.,
AST_MODPRI_DEFAULT. For now, we are.That your module generally doesn’t get used by other things, e.g., it doesn’t export global symbols, or have any really complex dependencies. Again, if we need that, we’ll worry about that later.
1
AST_MODULE_INFO_STANDARD(ASTERISK_GPL_KEY, "Sample module");
Now that we have our sample module defined, we need to provide implementations of the
load_moduleandunload_modulefunctions. Each of these functions takes in no parameters, and returns anint:1
2
3
4
5
6
7
8
9static int unload_module(void)
{
}
static int load_module(void)
{
}These two functions should probably do something.
unload_moduleis pretty straight forward; we’ll just return 0 for success. Note that generally, a module unload routine should return 0 unless it can’t be unloaded for some reason. If the CLI is attempting to unload your module, it will give up; if Asterisk is shutting down, it won’t care. It will eventually skip on by your module and terminate (with extreme prejudice, no less).1
2
3
4static int unload_module(void)
{
return 0;
}Now we need something for
load_module. Unlike the unload routine, the load routine can return a number of different things to instruct the core on how to treat the load attempt. In our case, we just want it to load up. For now, we’ll just return success:1
2
3
4static int load_module(void)
{
return AST_MODULE_LOAD_SUCCESS;
}
Putting it all together
The whole module would look something like this:
1 | /*** MODULEINFO |
Note that this module is available in a GitHub repo:
https://github.com/matt-jordan/asterisk-modules
Let’s make a module
Let’s get this thing compiled and running. Starting from a clean checkout:
Configure Asterisk. Note that when you’re writing code, always configure Asterisk with
--enable-dev-mode. This turns gcc warnings into errors, and allows you to enable a number of internal nicities that help you test your code (such as the unit test framework).1
$ ./configure --enable-dev-mode
Look at menuselect and make sure your module is there:
1
$ make menuselect
If you don’t see it, something went horribly wrong. Make sure your module has the
MODULEINFOsection.Build!
1
$ make
Install!
1
$ sudo make install
Start up Asterisk. We should see our module go scrolling on by:
1
2
3
4$ sudo asterisk -cvvg
...
Loading res_sample_module.so.
== res_sample_module.so => (Sample module)We can unload our module:
1
2
3*CLI> module unload res_sample_module.so
Unloading res_sample_module.so
Unloaded res_sample_module.soAnd we can load it back into memory:
1
2
3
4*CLI> module load res_sample_module.so
Loaded res_sample_module.so
Loaded res_sample_module.so => (Sample module)
*CLI>
Granted, this module doesn’t do much, but it does let us form the basis for much more interesting modules in the future.
So, like a lot of people, as soon as I could I got my hands on a Raspberry Pi (I got mine from Adafruit and was very happy with the experience). If you don’t know what a Raspberry Pi is, it’s the greatest thing since sliced bread - a small single board computer that runs Linux for only thirty-five bucks. Along with a case, a good power supply, and a few other odds and ends, it’s still a steal, coming in somewhere under seventy-five bucks. They’re ridiculously flexible. They can be used for a whole host of microcontroller projects, but are also powerful enough to act as mini home “servers”. For awhile now, I’ve planned to set mine up as a home Asterisk system. In particular, my poor wife - who happens to work from home - has had to make do without much in the way of good business communications (there’s a story in there somewhere about a cobbler and his kids not having any shoes). Unfortunately, just about every waking moment for the past six months has been spent on getting Asterisk 12 developed and released, so my poor Pi has sat on a desk collecting dust.
Today, however, no more. I got the Pi out, plugged it in, connected it to my home network, and got tinkering. The goal: get Asterisk 12 running on a Raspberry Pi. By running, I mean just running - configuration is a bit beyond the scope of today (or this blog post) - but if I can get myself to the CLI prompt, that will do. As an aside, this is realistic: the Raspberry Pi does not compile quickly. I ended up running a lot of errands between steps, so this whole project was stretched out quite a bit over today.
It’s not often that a developer gets to take a step back and look at things from a user’s perspective, so this should be a lot of fun.
As another aside, I think like most folks using a Raspberry Pi for the first time, I found the experience to be quite a pleasure. While I would never claim that I’m a Linux guru (I did work in Microsoft shops for quite a long time; I still find myself moving back and forth between the two worlds), I can get around just fine in the major Linux distros and have no problems setting up a Linux system. Even still, I was still pleasantly surprised at the configuration tools that come with the Pi. They really nailed their target audience, and even for those of us who use Linux daily, they still made life nice and easy.
Moving on!
I spent the first bit just configuring the Pi with the tools. I set it up with a static IP address behind my home router, updated Wheezy, changed the default user’s password to something secure, and changed the hostname to ‘mjordan-pi’ (terribly original, I know. I’m not good at naming things - I leave that to Mr. Joshua Colp on our team)
At this point, I figured I should be good to go on the actual task of getting Asterisk downloaded, installed, and configured. While the folks at Asterisk for Raspberry Pi have done a spectacular job of documenting and making it easy to install Asterisk on a Pi, I’m going to depart from their guidelines here. While I love FreePBX, I’m going to eschew a GUI as well as MySQL. I really want a relatively stream-lined install of Asterisk 12, with .conf files for configuration, access through the CLI, and everything done by hand. When we get to configuration, you’ll note that I’m going to take a pretty slow and conservative approach to configuration - but that will let me look at each module and step and really digest what I’m doing. We’re going old school here. Should be fun!
Step 1: Get Asterisk
Since I’m working through ssh from my laptop, everything is going to be done through the shell. That means downloading Asterisk using wget from downloads.asterisk.org.
1 | pi@mjordan-pi ~ $ wget http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-12-current.tar.gz |
Hooray! We got it. Now to untar it:
1 | pi@mjordan-pi ~ $ tar -zvxf asterisk-12-current.tar.gz |
As you may notice, Asterisk 12 is a bit large (what can I say, we did a lot of work). Some of that heft comes from the exported documentation from the Asterisk wiki, in the form of the Asterisk Administrators Guide. Since I don’t really need that on my Pi, I’m going to go ahead and get rid of it, as well as the tarball now that I’ve extracted it.
1 | pi@mjordan-pi ~ $ rm asterisk-12-current.tar.gz |
Random note here. You might be wondering why the PDF is in the doc subfolder, while the zip of the HTML documentation is in the base directory. When we were making the Alpha tarball, we had a number of problems crop up in the scripts that make the release. There’s a lot of moving parts in that process, in particular with making the release summaries and pulling the documentation from Confluence. We had some connectivity issues going back from the release build virtual machine to the issue tracker, such that the connection would drop - or have some random fit at least - while it was trying to obtain information about Asterisk issues. After the fourth or fifth exception thrown by the script (various socket errors, HTTP timeouts, and other random badness), we had managed to pull all of the data but - for various reasons - not in the correct locations in the directory that was destined to become the tarball. So the location of the zip file is a goof on my part - I had to move it manually, and accidentally moved it into the wrong location. All of this went to show that it’s a well known fact that whatever can go wrong in your systems will go wrong just as you’re trying to push something live, particularly if you’re supposed to meet with your colleagues for a celebratory beer in five minutes. Every. Freaking. Time.
Anyway, let’s see how far we get running configure:
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ ./configure |
That’s not terribly surprising. In fact, raspberry-asterisk.org has a good list of dependencies you’ll need if your’e installing Asterisk from source. As it is, I don’t really want all of the libraries listed in the FAQ. For example, I know I won’t be integrating Asterisk with MySQL, as I am - for the time - eschewing any Realtime configuration. But most of the rest are needed, and, as the Raspberry Pi is slow, it’s good to think things through and get things right the first time.
Step 2: Install Asterisk Dependencies
Let’s get what we do know:
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ apt-get install build-essential libsqlite3-dev libxml2-dev libncurses5-dev libncursesw5-dev libiksemel-dev libssl-dev libeditline-dev libedit-dev curl libcurl4-gnutls-dev |
Since this is Asterisk 12, however, I’ll want a few other things as well. The CHANGES and UPGRADE.txt file tell you the additional dependencies - let’s got those as well:
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ apt-get install libjansson4 libjansson-dev libuuid1 uuid-dev libxslt1-dev liburiparser-dev liburiparser1 |
We could, at this point, configure and build Asterisk - but there’s one more thing I want. Since this is Asterisk 12, we have the brand new SIP stack to try out, and I’m definitely going to be using it over the legacy chan_sip channel driver. But, to get it working, we’ll need PJSIP.
Step 3: Get PJSIP
As of today (and I’m hopeful this isn’t a permanent situation), Asterisk needs a particular flavor of pjproject (I’m going to use the terms pjproject/PJSIP interchangeably here. There is a difference, but let’s just pretend there isn’t for the purposes of this blog post). There’s instructions on the wiki for how to obtain, configure, and install pjproject for use with Asterisk:
https://wiki.asterisk.org/wiki/display/AST/Installing+pjproject
Following along with the instructions, we first need git. Let’s get that:
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ apt-get install git |
And then we can clone pjproject from our repo on github:
1 | pi@mjordan-pi $ git clone https://github.com/asterisk/pjproject pjproject |
Now here’s the tricky part. What parameters should we pass to the configure script?
At a minimum, from the wiki article we know we need to tell it to install in /usr, and to enable shared objects with –enable-shared. But pjproject embeds a lot of third party libraries, which will conflict if we want to use them in Asterisk (or at least, will generally not play nicely). It is very important to know what you have on your system what installing pjproject, and what you want to use in Asterisk.
In my case, I don’t have libsrtp installed and I’m not going to use SRTP in Asterisk, so I can ignore that. I also don’t have libspeex installed, and I don’t really care about using libspeex in Asterisk either. The same goes for the GSM library. So, in the end I ended up with the following:
1 | pi@mjordan-pi ~/pjproject $ ./configure --prefix=/usr --enable-shared --disable-sound --disable-video --disable-resample |
After a little bit, we get the configuration success message:
1 | Configurations for current target have been written to 'build.mak', and 'os-auto.mak' in various build directories, and pjlib/include/pj/compat/os_auto.h. |
I went ahead and skipped ‘make dep’, since we don’t really need to do that step. Thus… the fateful command was typed:
1 | pi@mjordan-pi ~/pjproject $ make |
This took a long time.
1 | if test ! -d ../bin/samples/armv6l-unknown-linux-gnu; then mkdir -p ../bin/samples/armv6l-unknown-linux-gnu; fi |
Huzzah! Let’s get this bad boy installed.
1 | pi@mjordan-pi ~/pjproject $ sudo make install |
And after a bit:
1 | for d in pjlib pjlib-util pjnath pjmedia pjsip; do \ |
Let’s verify we got it.
1 | pi@mjordan-pi ~/pjproject $ pkg-config --list-all | grep pjproject |
Yay! As an aside, Asterisk uses pkg-config to locate libpjproject - so if this step fails, something has gone horribly wrong and Asterisk is not going to find libpjproject either. So this is always a useful step to perform, regardless of the platform you’re installing Asterisk on.
Step 4: Build and Install Asterisk
Back to Asterisk!
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ ./configure --with-pjproject |
I specified --with-pjproject, because I really wanted to know if it failed. It takes a bit to compile, and this way the configure script will tell me. Otherwise, the first time I’ll find out whether or not I have the dependencies for the new SIP stack is when I fire up menuselect.
1 | configure: Menuselect build configuration successfully completed |
And now for some configuration via menuselect.
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ make menuselect |
I’m going to be a bit conservative here. There’s a lot of things I just won’t need for this Asterisk install. Rather than build everything and exclude them all via modules.conf, I’m going to disable them here. That way my overall installation will just be smaller (space is a premium on a pi), and I’ll be less likely to leave something lying around in Asterisk that doesn’t need to be there.
The following are what I disabled in menuselect:
- Compiler flags:
DONT_OPTIMIZE- this may seem odd, but since I’m running an alpha of Asterisk 12, if I have a problem, I want to be able to fix it. This will make backtraces a bit more usable.
- Applications:
app_agent_pool- I’m not going to be using Queues or Agents.app_authenticate- I’m not going to need to Authenticate people myself.app_gelgenuserevent- I’m not using CEL.app_forkcdr- I hate this application, but that’s probably because I had to rewrite the CDR engine in Asterisk 12. While there’s one or two valid reasons to fork a CDR, most of what ForkCDR has traditionally done is silly.app_macro- Use GoSubs everyone!app_milliwatt- I’ll use something else to annoy people.app_page- I don’t see myself setting up a home paging system right now. I’m only planning on connecting one or two SIP phones.app_privacy- Nope!app_queue- If I need a tech support queue for my house, I’ve got bigger problems.app_sendtext- Nope.app_speech_utils- Maybe someday, but probably not. I’d rather play around with calendaring or conferencing than speech manipulation of any kind.app_system- Until I have a use for it, I view this as one big security vulnerability.- Everything in extended, except for
app_zapateller. It may be fun to try and zap a telemarketer.
- CDR:
- Everything but
cdr_custom. I’ll probably end up logging call records using this, since we don’t tend to have more than a handful of calls a day.
- Everything but
- CEL:
- Disable everything.
- Channel Drivers:
chan_iax2- I’m not going to set up an IAX2 trunk, and all my phones are SIP.chan_multicast_rtp- Since I’m not doing any paging, I don’t need this channel driver.chan_sip- I’m committing tochan_pjsip!- I left
chan_motifto play around with some day. This may be useful for some soft phones or XMPP text message integration. - Everything in the extended/deprecated sections was disabled.
- Codecs:
- I left all of the codecs enabled.
- Formats:
format_jpeg- I’m not going to do any fax at this point.format_vox- I shouldn’t need this either.
- Functions:
I decided to leave most functions. Most function modules are rather small and don’t take up much space, and I find that you never know when you’re going to need one.func_frame_trace- This is only ever used for development (and isn’t used often then)func_pitchshift- Funny, but not super useful.func_sysinfo- Interesting, but I shouldn’t need it.func_env- I shouldn’t need to muck around with environment variables from the dialplan.
- PBX:
pbx_ael- Classic dialplan all they way for me.pbx_dundi- I don’t think I’ll be needing anything as complex as DUNDi for my little Pi.pbx_realtime- Definitely not. I’m not a fan of realtime dialplan, for a variety of reasons.
- Resources:
I’m going to leave a number of resources that I may end up using someday, such as res_calendar. The ones I know for sure I won’t use I’ll disable.res_adsi- Nope. I’m not sure you can even find ADSI devices still.res_config_curl- Nope, not doing Realtime. I’ll come back and enable it if I decide to do Realtime some day.res_config_sqlite3- Nope, for the same reason as res_config_curl.res_fax- Ew, fax. Not going to mess with fax at home.res_pjsip_info_dtmf- I shouldn’t need DTMF over INFO.res_pjsip_endpoint_identifier_anonymous- I don’t want anonymous access.res_pjsip_one_touch_record_info- The SIP devices I’m using won’t need this.res_pjsip_t38- Fax: just say no.res_rtp_multicast- Since I’m not doing any paging, I don’t needres_rtp_multicast.res_smdi- Same reason as res_adsi.res_speech- Nope, for the same reason as the speech utilities.- Everything in extended, except:
res_http_websocket. That should be fun to play with at some point, and ARI needs it.
- MoH/Sounds:
- I enabled g.722 sounds/MoH. Wideband audio!
Phew. Time to save changes and finally compile.
1 | menuselect changes saved! |
Woot! We’re compiled. Time to install:
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ sudo make install |
And we’re installed!
I’m going to set up the bare minimum Asterisk configuration files to get Asterisk up and running. I’m not going to do anything more than get the CLI prompt up for now - I’ll save getting a phone configured and howler monkeys playing back for another time.
Step 5: Configure Asterisk
asterisk.conf
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ sudo nano /etc/asterisk/asterisk.conf |
As you can see, a pretty simple asterisk.conf. Not much else is needed for this, at least for now.
modules.conf
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ sudo nano /etc/asterisk/modules.conf |
Rather than go with autoloading, I’ve chosen to explicitly load modules. For now, I’ve only specified the “basics” - codecs and formats, the bridge modules (now used a lot in Asterisk 12), and the ancillary PBX modules. This will let me catch configuration errors easier - if you autoload, I find most people tend to ignore the warnings and errors.
extensions.conf
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ sudo nano /etc/asterisk/extensions.conf |
Nothing needed in there right now!
Step 6: Profit
And now, for the moment of truth:
1 | pi@mjordan-pi ~/asterisk-12.0.0-alpha1 $ sudo asterisk -cvvvvg |
Woohoo!