[asterisk-users] Restrict SIP registration to one ip address only?

Remco Barendse asterisk at barendse.to
Thu Sep 18 07:07:35 CDT 2008


On Wed, 17 Sep 2008, Jared Smith wrote:

> On Wed, 2008-09-17 at 19:58 +0200, Remco Barendse wrote:
>> Why doesn't Asterisk allow both username&pass as well as setting an ip
>> address on a sip.extension?
>
> It does.  To enforce ACLs on a SIP user or peer or friend, simply use
> "permit" and "deny" statements to allow and disallow various IP
> addresses or subnets.  Standard practice seems to be to deny everything
> first, then specifically allow other IP addresses.
>
> [user]
> type=friend
> secret=mypassword
> host=dynamic
> deny=0.0.0.0/0
> permit=10.1.2.3
> permit=192.168.123.0/24
> permit=192.168.222.0/255.255.255.0

Cool, this is exactly what I was looking for, I couldn't find a reference 
to it anywhere else.

Surprising that this feature isn't used much, I would suspect that many 
Asterisk installations (including mine) have very simple (short) extension 
numbers which makes brute forcing them rather easy.

I was never concerned about short extension numbers and easy passwords 
until the need came up to connect to my * box from outside.

Thanks again!
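
As an added illustration (not part of the original post and not Asterisk's own code), the Python sketch below evaluates the permit/deny lines from the quoted example against a few constructed source addresses, and shows why the catch-all deny has to come first. It assumes Asterisk's ACL evaluation, in which an address matching no rule is allowed and the last matching rule wins; `parse_acl` and `is_allowed` are hypothetical helper names.

```python
import ipaddress

# ACL lines copied from the [user] example in the quoted reply, in file order.
ACL_LINES = [
    "deny=0.0.0.0/0",
    "permit=10.1.2.3",
    "permit=192.168.123.0/24",
    "permit=192.168.222.0/255.255.255.0",
]

def parse_acl(lines):
    """Turn permit=/deny= lines into (allow, network) rules, keeping order."""
    rules = []
    for line in lines:
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("permit", "deny"):
            raise ValueError(f"not an ACL line: {line!r}")
        # A bare address becomes a single host (/32); ip_network accepts
        # both CIDR and dotted-netmask notation.
        network = ipaddress.ip_network(value.strip(), strict=False)
        rules.append((key == "permit", network))
    return rules

def is_allowed(rules, source_ip):
    """Assumed semantics: start at allow, the last matching rule wins."""
    addr = ipaddress.ip_address(source_ip)
    allowed = True
    for allow, network in rules:
        if addr in network:
            allowed = allow
    return allowed

if __name__ == "__main__":
    rules = parse_acl(ACL_LINES)
    # Constructed sample sources (203.0.113.0/24 is a documentation range).
    for ip in ("10.1.2.3", "10.1.2.4", "192.168.123.77",
               "192.168.222.9", "203.0.113.50"):
        print(f"{ip:15} {'permit' if is_allowed(rules, ip) else 'deny'}")
    # Same rules with the catch-all deny moved last: every source is refused.
    misordered = parse_acl(ACL_LINES[1:] + ACL_LINES[:1])
    verdict = "permit" if is_allowed(misordered, "10.1.2.3") else "deny"
    print("deny placed last, 10.1.2.3:", verdict)
```

The ACL only limits which source addresses may use the account; the `secret` is still checked for addresses that pass it.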


