[asterisk-users] How to stop intruder from registering sip?

sean darcy seandarcy2 at gmail.com
Sat Jun 12 08:09:22 CDT 2010


sean darcy wrote:
> This is a small 12 line system, internal extensions 150 - 180. I didn't 
> have a phone on 151. Here's the sip.conf stanza:
> 
> ;;[151]
> ;;type=friend
> ;;context=longdistance
> ;;callerid="Conf Room" <151>
> ;;secret=0000
> ;;host=dynamic
> ;;qualify=yes
> ;;dtmfmode=rfc2833
> ;;allow=all
> ;;defaultuser=151
> ;;nat=yes
> ;;canreinvite=no
> 
> There's no DISA. And then somehow (how???) ip address 79.117.17.247 
> becomes extension 151 and starts making calls to West Africa.
> 
> Now contactdeny and contactpermit over-solve the problem. For instance, 
> I can't register with my voip provider. I don't care about peers who I 
> make calls to, or receive calls from. I'm just stunned someone can 
> become a peer and make calls themselves.
> 
> How do I fix this in some reasonable way?
> 
> sean
> 
> [Jun 10 15:51:19] VERBOSE[1662] chan_sip.c:     -- Registered SIP '151' 
> at 79.117.17.247 port 5060
> [Jun 10 15:51:20] NOTICE[1662] chan_sip.c: Peer '151' is now Reachable. 
> (161ms / 2000ms)
> [Jun 10 15:51:20] NOTICE[1662] chan_sip.c: Received SIP subscribe for 
> peer without mailbox: 151
> [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP RTP TOS bits 184
> [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP RTP CoS mark 5
> [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using SIP VRTP CoS mark 6
> [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using UDPTL TOS bits 184
> [Jun 10 15:51:21] VERBOSE[1662] netsock.c:   == Using UDPTL CoS mark 5
> [Jun 10 15:51:22] VERBOSE[4780] pbx.c:     -- Executing 
> [01125240212154@longdistance:1] Answer("SIP/151-000000ae", "") in new stack
> [Jun 10 15:51:22] VERBOSE[4780] pbx.c:     -- Executing 
> [01125240212154@longdistance:2] Gosub("SIP/151-000000ae", 
> "DialOut,s,1(01125240212154
> ,DAHDI/g0)") in new stack
> .........
> [Jun 10 15:51:22] VERBOSE[4780] pbx.c:     -- Executing [s@DialOut:9] 
> Dial("SIP/151-000000ae", "DAHDI/g0/01125240212154") in new stack
> [Jun 10 15:51:22] VERBOSE[4780] chan_dahdi.c:     -- Requested transfer 
> capability: 0x00 - SPEECH
> [Jun 10 15:51:22] VERBOSE[4780] app_dial.c:     -- Called g0/01125240212154
> [Jun 10 15:51:22] VERBOSE[4780] app_dial.c:     -- DAHDI/2-1 is 
> proceeding passing it to SIP/151-000000ae
> [Jun 10 15:51:23] VERBOSE[4780] app_dial.c:     -- DAHDI/2-1 is making 
> progress passing it to SIP/151-000000ae
> [Jun 10 15:51:23] VERBOSE[4780] app_dial.c:     -- DAHDI/2-1 is making 
> progress passing it to SIP/151-000000ae
> [Jun 10 15:51:25] VERBOSE[4780] app_dial.c:     -- SIP/151-000000ae 
> requested special control 16, passing it to DAHDI/2-1
> [Jun 10 15:51:25] VERBOSE[4780] channel.c:     -- Music class default 
> requested but no musiconhold loaded.
> [Jun 10 15:51:25] VERBOSE[4780] app_dial.c:     -- SIP/151-000000ae 
> requested special control 20, passing it to DAHDI/2-1
> 

I decided to include the following in each sip.conf stanza that has an 
outgoing context:

deny=0.0.0.0/0.0.0.0
permit=10.10.10.0/24

I didn't want to mess around with secrets/passwords. And I want to allow 
registration for incoming contexts.

Won't this do it?

Is this how my intruder did this?

register => 151:0000@<my.pbx.ip.address>
Dial(<some.West.African.number>,SIP/151:0000@<my.pbx.ip.address>)

Blacklisting won't work - see Whack-a-mole.

Does the deny/permit do the trick?

sean
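
An added example, not part of the original post and not Asterisk code: a log check that models the deny/permit pair above and flags "Registered SIP" lines whose source address that ACL would refuse. It assumes Asterisk's ACL behaviour of checking every rule in order and letting the last match decide, with no match meaning allowed; the second sample log line and the function names are constructed for illustration.

```python
import ipaddress
import re

# ACL from the post, in the order it appears in the sip.conf stanza.
ACL = [("deny", "0.0.0.0/0.0.0.0"), ("permit", "10.10.10.0/24")]

# Matches chan_sip's registration message as shown in the quoted log.
REGISTERED = re.compile(
    r"Registered SIP '(?P<peer>[^']+)'\s+at (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def acl_allows(ip, acl=ACL):
    """Assumed Asterisk semantics: every rule is checked in order and the
    last one that matches decides; an address matching nothing is allowed."""
    addr = ipaddress.ip_address(ip)
    allowed = True
    for sense, net in acl:
        if addr in ipaddress.ip_network(net, strict=False):
            allowed = sense == "permit"
    return allowed


def suspicious_registrations(log_text, acl=ACL):
    """Return (peer, ip) for each registration the ACL would have refused."""
    return [
        (m["peer"], m["ip"])
        for m in REGISTERED.finditer(log_text)
        if not acl_allows(m["ip"], acl)
    ]


# First line is from the post (unwrapped); second line is constructed.
SAMPLE_LOG = """\
[Jun 10 15:51:19] VERBOSE[1662] chan_sip.c:     -- Registered SIP '151' at 79.117.17.247 port 5060
[Jun 10 15:52:03] VERBOSE[1662] chan_sip.c:     -- Registered SIP '152' at 10.10.10.23 port 5060
"""

if __name__ == "__main__":
    for peer, ip in suspicious_registrations(SAMPLE_LOG):
        print(f"peer {peer} registered from {ip}, outside the permitted range")
```

Run against historical logs, this lists registrations that predate the ACL; a stanza with no deny/permit lines corresponds to an empty rule list, which allows every address.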