Asterisk is a free, open-source framework for building communications applications — the engine behind countless business phone systems worldwide. Running on a Linux server, it gives you a full-featured PBX: internal extensions, voicemail, IVR menus, call recording, and SIP trunks to carry real phone calls, all without a single licence fee.

In this guide we'll install Asterisk on Ubuntu 22.04, configure two SIP extensions using the modern PJSIP driver, write a basic dialplan, and make a test call between two softphones.

Prerequisites

Step 1: Install Asterisk

Asterisk is available directly from the Ubuntu repositories:

sudo apt update
sudo apt install -y asterisk

Verify the service started and check the version:

sudo systemctl status asterisk
asterisk -V

Connect to the live Asterisk CLI (type exit or press Ctrl+C to leave):

sudo asterisk -rvvv

Step 2: Configure the PJSIP Transport

Asterisk's modern SIP driver is PJSIP. Open the main PJSIP configuration file:

sudo nano /etc/asterisk/pjsip.conf

Replace the entire file content with the following. This defines a UDP transport and two extensions — 100 and 101:

; ── Transport ────────────────────────────────────────────────────────────────
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

; ── Extension 100 ─────────────────────────────────────────────────────────────
[100]
type=endpoint
context=internal
disallow=all
allow=ulaw
allow=alaw
auth=100
aors=100

[100]
type=auth
auth_type=userpass
username=100
password=SecurePass100!

[100]
type=aor
max_contacts=1
qualify_frequency=30

; ── Extension 101 ─────────────────────────────────────────────────────────────
[101]
type=endpoint
context=internal
disallow=all
allow=ulaw
allow=alaw
auth=101
aors=101

[101]
type=auth
auth_type=userpass
username=101
password=SecurePass101!

[101]
type=aor
max_contacts=1
qualify_frequency=30

Each extension has three stanzas sharing the same name: endpoint (call behaviour), auth (credentials), and aor (address of record — where to reach the phone). Change the passwords to something strong before use.

Step 3: Write the Dialplan

The dialplan tells Asterisk what to do when a number is dialled. Open extensions.conf:

sudo nano /etc/asterisk/extensions.conf

Add the following [internal] context (the context name must match what you set in pjsip.conf above):

[internal]
; Dial extension 100 — ring for 20 seconds, then hang up
exten => 100,1,Dial(PJSIP/100,20)
 same => n,Hangup()

; Dial extension 101
exten => 101,1,Dial(PJSIP/101,20)
 same => n,Hangup()

; Echo test — dial *43 to hear your own voice back (great for testing)
exten => *43,1,Answer()
 same => n,Echo()
 same => n,Hangup()

The same => n syntax means "next priority in the same extension" — it keeps dialplan entries readable without manually numbering each step.

Step 4: Open Firewall Ports

SIP signalling uses UDP 5060. Audio (RTP) uses a range of UDP ports — Asterisk defaults to 10000–20000:

sudo ufw allow 5060/udp
sudo ufw allow 10000:20000/udp
sudo ufw reload

Step 5: Reload Asterisk and Verify

Apply the new configuration without restarting the service:

sudo asterisk -rx "pjsip reload"
sudo asterisk -rx "dialplan reload"

Check that both endpoints are registered:

sudo asterisk -rx "pjsip show endpoints"

You should see both 100 and 101 listed. Their status will show Not in use until a phone registers.

Step 6: Connect a SIP Softphone and Test

Open Zoiper (or Linphone) and create a new SIP account with these settings:

Register a second softphone (or a second device) with extension 101 using the same server IP and the corresponding password.

Once both phones show as registered, dial *43 from either phone — you should hear your own voice echoed back, confirming audio is working end-to-end. Then dial 101 from extension 100 to make your first internal call.

Checking Logs

If something isn't working, the Asterisk full log is your first stop:

sudo tail -f /var/log/asterisk/full

Registration failures usually show 401 Unauthorized (wrong password) or Unable to create subscription (endpoint name mismatch). The verbose CLI (sudo asterisk -rvvvv) shows real-time call processing step by step.

Securing Your Asterisk Installation

SIP port 5060 is one of the most aggressively scanned ports on the internet. Within hours of going live, automated bots will attempt to brute-force your extensions and place fraudulent international calls — an attack known as SIP toll fraud. The steps below are not optional for any internet-facing server.

Change the Example Passwords First

Before anything else, replace the placeholder passwords in /etc/asterisk/pjsip.conf with strong, unique values for each extension. A good password is at least 16 characters, mixing letters, numbers, and symbols. Never use a password that matches the extension number.
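As an added example (not part of the original guide), the following Python script checks the auth stanzas of a pjsip.conf against the rules above. It parses the file by hand because the endpoint, auth and aor stanzas share one name, which Python's configparser rejects as duplicate sections; the sample config and the function names are constructed for illustration.

```python
import re

PLACEHOLDERS = {"SecurePass100!", "SecurePass101!"}  # example values from this guide
MIN_LENGTH = 16                                      # minimum the guide recommends
# Constructed sample in the guide's layout; the [101] password is a made-up value.
SAMPLE_CONF = """\
[100]
type=endpoint

[100]
type=auth
username=100
password=SecurePass100!

[101]
type=auth
username=101
password=vT9#qLm2$Rz8wXc4Gh7e
"""

def parse_stanzas(text):
    """Return [(name, options)], keeping same-named stanzas apart."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if header := re.match(r"\[([^\]]+)\]", line):
            stanzas.append((header.group(1), {}))
        elif stanzas and "=" in line:
            key, value = line.split("=", 1)
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def audit_auth(text):
    """Return (stanza, problem) pairs for weak passwords in type=auth stanzas."""
    findings = []
    auths = [(n, o) for n, o in parse_stanzas(text) if o.get("type") == "auth"]
    for name, opts in auths:
        pw, user = opts.get("password", ""), opts.get("username", name)
        if pw in PLACEHOLDERS:
            findings.append((name, "placeholder password from the guide"))
        if len(pw) < MIN_LENGTH:
            findings.append((name, f"shorter than {MIN_LENGTH} characters"))
        if user and user in pw:
            findings.append((name, "contains the extension number"))
        if not all(re.search(c, pw) for c in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")):
            findings.append((name, "does not mix letters, numbers and symbols"))
    return findings
```

To audit a live server, pass the contents of /etc/asterisk/pjsip.conf to audit_auth() and fix every stanza it reports before opening port 5060.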

Install fail2ban

fail2ban monitors the Asterisk log and automatically bans IPs that repeatedly fail authentication:

sudo apt install -y fail2ban

Create the local jail configuration — this file overrides the defaults and won't be touched by package updates:

sudo nano /etc/fail2ban/jail.local

Add the following:

[DEFAULT]
bantime  = 3600
findtime = 600
maxretry = 5

[asterisk]
enabled  = true
port     = 5060,5061
protocol = udp
filter   = asterisk
logpath  = /var/log/asterisk/full
maxretry = 3
bantime  = 86400

The Asterisk filter ships with fail2ban at /etc/fail2ban/filter.d/asterisk.conf — no extra filter file needed. Apply the config and verify:

sudo systemctl restart fail2ban
sudo fail2ban-client status asterisk

A successful output shows the jail as active with zero bans. After a few hours on a public IP you will start to see bans accumulating — that is fail2ban working correctly.
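To see how the jail values interact, here is an added example (not fail2ban's own code) that replays log lines through the same findtime, maxretry and bantime logic. The log lines are constructed, modelled on Asterisk's PJSIP failed-request notices, and the regular expression is a simplified stand-in for the shipped filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the jail.local above; findtime is inherited from [DEFAULT].
FINDTIME, MAXRETRY, BANTIME = 600, 3, 86400

# Constructed log lines: one user mistyping over 45 minutes, one rapid guesser.
SAMPLE_LOG = """\
[2024-05-01 09:00:00] NOTICE[1201] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:101@192.0.2.10>' failed for '198.51.100.20:5060' (callid: u1) - Failed to authenticate
[2024-05-01 09:20:00] NOTICE[1201] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:101@192.0.2.10>' failed for '198.51.100.20:5060' (callid: u2) - Failed to authenticate
[2024-05-01 09:45:00] NOTICE[1201] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:101@192.0.2.10>' failed for '198.51.100.20:5060' (callid: u3) - Failed to authenticate
[2024-05-01 09:50:00] VERBOSE[1188] loader.c: Reloading module 'res_pjsip.so'
[2024-05-01 10:00:01] NOTICE[1201] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:100@192.0.2.10>' failed for '203.0.113.50:5060' (callid: a1) - Failed to authenticate
[2024-05-01 10:00:09] NOTICE[1201] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:100@192.0.2.10>' failed for '203.0.113.50:5060' (callid: a2) - Failed to authenticate
[2024-05-01 10:00:17] NOTICE[1201] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:100@192.0.2.10>' failed for '203.0.113.50:5060' (callid: a3) - Failed to authenticate
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE.* failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+):\d+' .*- Failed to authenticate$")

def simulate_jail(log_text):
    """Return (ip, banned_at, unbanned_at) for each ban the jail settings imply."""
    recent = defaultdict(deque)      # ip -> failure times still inside findtime
    banned_until, bans = {}, []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:                    # not an authentication failure
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ts < banned_until.get(ip, ts):   # already banned, nothing to count
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()         # forget failures older than findtime
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + timedelta(seconds=BANTIME)
            bans.append((ip, str(ts), str(banned_until[ip])))
            window.clear()
    return bans
```

Only 203.0.113.50 is banned, for 24 hours from its third failure; the three failures from 198.51.100.20 never fall inside one 600-second window, so occasional typos by a real user do not lock them out.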

Narrow the RTP Port Range

By default Asterisk uses UDP 10000–20000 for audio (10,000 ports). Reduce this to a smaller range to limit your exposed attack surface. Edit the RTP config:

sudo nano /etc/asterisk/rtp.conf

Set the following:

[general]
rtpstart=10000
rtpend=10100

Then update the firewall to match:

sudo ufw delete allow 10000:20000/udp
sudo ufw allow 10000:10100/udp
sudo ufw reload

Reload Asterisk to apply the RTP change:

sudo asterisk -rx "module reload res_rtp_asterisk.so"

Restrict SIP to Known Networks (Recommended)

If your SIP phones are all on a known IP range (e.g. your office or home network), block SIP from everywhere else. This eliminates brute-force attempts from outside that range entirely:

# Replace 192.168.1.0/24 with your actual trusted network
sudo ufw delete allow 5060/udp
sudo ufw allow from 192.168.1.0/24 to any port 5060 proto udp
sudo ufw reload

If you need remote phones over the internet, consider putting Asterisk behind a VPN (WireGuard or OpenVPN) and only exposing the VPN port — this is the most secure architecture and completely eliminates SIP exposure.

What's Next?

The official Asterisk documentation covers advanced topics including AGI scripting, ARI (Asterisk REST Interface), conferencing, and high-availability setups.