[asterisk-users] Securing Asterisk - How to avoid sending, "SIP/2.0 603 Declined"

Alex Balashov abalashov at evaristesys.com
Fri Jul 22 20:45:33 CDT 2011 

Asterisk does not expose low-level control of its SIP stack.  It's something intended to be configured and used at the application level.

If you really want to do this without a firewall, put a Kamailio proxy in front of your Asterisk install and drop things as you see fit.  But why go through the trouble?  What's wrong with iptables?

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/

On Jul 22, 2011, at 9:30 PM, Bruce B <bruceb444 at gmail.com> wrote:

> Thanks for the input. I am really surprised. But yes, I want exactly what firewall does, DROP packet instead of REJECTING it.
> 
> So, you are saying that one has to tamper the SIP stack to add the option to not respond to un-trusted sources?
> I really thought Asterisk might have this built in as a feature.
> 
> 
> I can't even do a dialplan search for a registered PEER because even if I find the IP to not be a trusted I still need to Hangup() on the invite which in turn send 603 Declined. 
> 
> There isn't really any work-around to this?
> 
> Thanks again
> 
> 
> On Fri, Jul 22, 2011 at 7:39 PM, Alex Balashov <abalashov at evaristesys.com> wrote:
> On 07/22/2011 07:32 PM, Bruce B wrote:
> Hello,
> 
> I am wondering if there is a way to drop SIP packets for generic
> transactions? For example, only SIP PEERs are allowed to call in and
> receive ACK or Declined rather that those inviting a call who are not
> PEERs at all.
> 
> Currently my Asterisk setup sends, "*SIP/2.0 603 Declined" *to any
> stranger invites because my dialplan includes Hangup(). Is there any
> way I can not send a 603 declined so to mislead the probe runner?
> 
> There is really no way to accomplish that except with a firewall.
> 
> 
> -- 
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>              http://www.asterisk.org/hello
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>  http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20110722/d0a88cbe/attachment-0001.htm>

More information about the asterisk-users mailing list