[Asterisk-bsd] Securing Asterisk with a DID

Vahan Yerkanian vahan at arminco.com
Mon Aug 30 08:42:35 CDT 2010


  On 8/30/10 4:34 PM, Frank Griffith wrote:
> Executing [011972599544327@default:1]
This is perhaps one of the worst things you can ever do with Asterisk - 
putting toll access into the default context. Never put anything you 
don't want to be accessible to unauthenticated guests there.

Your Asterisk server with that config is an open gateway, and anyone can 
dial through it if they try to dial SIP/011something@your_ip.

Solution: move everything out of the default context in extensions.conf 
or .ael, leaving it empty, and place all the extensions instead in a 
different context.

Assign your devices and/or DID accounts to that context so the 
extensions are still available to them, e.g.

[myDIDprovider]
type=user
host=ipaddr_or_hostname
context=my_context
disallow=all
allow=whatever_codec(s)
qualify=yes

[201] ; a sip account
type=friend
host=dynamic
secret=verysecretandlonghash
context=my_context
disallow=all
allow=whatever_codec(s)
qualify=yes

These are rough examples, but they should be enough to start with. Yeah, and 
make sure you have alwaysauthreject=yes in sip.conf

Hope this helps,
Vahan
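The check below is an added example, not code from the post or from the Asterisk project: a small audit that parses a sip.conf and an extensions.conf and reports whether the context unauthenticated SIP calls land in can reach a Dial(), and whether alwaysauthreject=yes is set. It assumes chan_sip semantics (guest calls go to the context named by context= in sip.conf [general], or "default" when unset) and also follows include => lines, since a [default] that only includes another context is not empty. The two config samples embedded in it are constructed for this example; the provider host and codec are placeholders.

```python
"""Audit Asterisk sip.conf + extensions.conf for toll access reachable from the
guest context. Added example, not Asterisk's or the poster's code. Assumes chan_sip
semantics ([general] context=, or 'default' when unset); sample configs constructed."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
DIAL_RE = re.compile(r"\bDial\s*\(", re.IGNORECASE)

def parse_asterisk_conf(text):
    """{section: [(key, value), ...]}; keeps duplicate keys (allow=/disallow=),
    accepts 'key=value' and 'exten => value', strips ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        key, _, value = line.partition("=>" if "=>" in line else "=")
        sections[current].append((key.strip(), value.strip()))
    return sections

def guest_context(sip):
    """Context unauthenticated SIP calls land in (chan_sip default: 'default')."""
    for key, value in sip.get("general", []):
        if key == "context":
            return value
    return "default"

def reachable_dials(ext, context, seen=None):
    """(context, exten line) pairs calling Dial() reachable from `context`,
    following include =>: an include re-exposes the included context."""
    seen = set() if seen is None else seen
    if context in seen:
        return []
    seen.add(context)
    found = []
    for key, value in ext.get(context, []):
        if key == "exten" and DIAL_RE.search(value):
            found.append((context, value))
        elif key == "include":  # 'include => ctx' or 'include => ctx,<timespec>'
            found.extend(reachable_dials(ext, value.split(",")[0].strip(), seen))
    return found

def audit(sip_text, ext_text):
    """List of findings; an empty list means nothing to report."""
    sip, ext = parse_asterisk_conf(sip_text), parse_asterisk_conf(ext_text)
    guest = guest_context(sip)
    findings = [f"guest context [{guest}] reaches Dial() in [{ctx}]: exten => {line}"
                for ctx, line in reachable_dials(ext, guest)]
    general = dict(sip.get("general", []))  # last value wins; fine for scalar keys
    if general.get("alwaysauthreject", "").lower() not in ("yes", "true", "on", "1"):
        findings.append("sip.conf [general] is missing alwaysauthreject=yes")
    return findings

# Constructed sample 1: the open-gateway layout from the thread.
OPEN_SIP = """
[general]
context=default
"""
OPEN_EXT = """
[default]
include => outbound   ; looks harmless, re-exposes the toll route
exten => 201,1,Dial(SIP/201)
[outbound]
exten => _011X.,1,Dial(SIP/${EXTEN}@myDIDprovider)
"""

# Constructed sample 2: the fix the post describes ([default] empty, rest in my_context).
FIXED_SIP = """
[general]
context=default
alwaysauthreject=yes
[myDIDprovider]
type=user
host=203.0.113.10     ; placeholder (TEST-NET-3), not a real provider
context=my_context
[201]
type=friend
host=dynamic
secret=verysecretandlonghash
context=my_context
"""
FIXED_EXT = """
[default]
; intentionally empty: unauthenticated callers can do nothing here
[my_context]
exten => _011X.,1,Dial(SIP/${EXTEN}@myDIDprovider)
exten => 201,1,Dial(SIP/201)
"""
```

Run audit(OPEN_SIP, OPEN_EXT) to see the three findings for the open layout and audit(FIXED_SIP, FIXED_EXT) to get an empty list; point it at your own files (read them with open().read()) to check a live box. It only covers sip.conf (chan_sip), which is what this thread uses; a chan_pjsip deployment keeps the same rule but the endpoint context lives in pjsip.conf.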
