[asterisk-users] How to stop intruder from registering sip?
Benoit
maverick at maverick.eu.org
Sat Jun 12 09:57:58 CDT 2010
On 12/06/2010 15:09, sean darcy wrote:
> I decided to include the following in each sip.conf stanza that has an outgoing context:
>
> deny=0.0.0.0/0.0.0.0
> permit=10.10.10.0/24
>
If all your phones are on a defined network like that, you really should use iptables to allow inbound SIP from the 10-network and from the IP addresses of your provider(s) only.
> Blacklisting won't work - see Whack-a-mole.
>
Well, in your case you need to think the other way (whitelisting), and that works pretty nicely.
> Does the deny/permit do the trick?
>
It should, as long as the Asterisk auth is working fine. But I would strongly urge you to add an iptables (or any other FW) layer on top of it, better safe than sorry.
Example (iptables-restore format, load with: iptables-restore < file):
*filter
:INPUT DROP [0:0]
:SIP - [0:0]
:IAX - [0:0]
# loopback and return traffic for connections we opened ourselves
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i bond0 -p icmp -m icmp --icmp-type any -j ACCEPT
# ssh, from your management addresses only
-A INPUT -i bond0 -s .... -p tcp -m tcp --dport 22 -j ACCEPT
# hand SIP and IAX to their own whitelist chains
-A INPUT -i bond0 -p udp -m udp --dport 5060 -j SIP
-A INPUT -i bond0 -p udp -m udp --dport 4569 -j IAX
# SIP only from the phone LAN and the provider(s); a packet that matches
# none of these returns to INPUT and hits the DROP policy
-A SIP --src 10.10.10.0/24 -j ACCEPT
-A SIP --src ip.provider.1 -j ACCEPT
-A SIP --src ip.provider.2 -j ACCEPT
...
# IAX only from the phone LAN
-A IAX --src 10.10.10.0/24 -j ACCEPT
COMMIT
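As an added example (not from this thread or from Asterisk itself), a small Python audit of sip.conf that checks every stanza able to dial out for the deny=0.0.0.0/0.0.0.0 plus permit pattern discussed above, including the ordering point that Asterisk ACLs apply the last matching line. The context names in OUTGOING_CONTEXTS and the sample configuration are assumptions made for the example.

```python
import ipaddress

OUTGOING_CONTEXTS = {"outgoing", "from-internal"}  # assumed names, not from the thread

# Constructed sample sip.conf: 'good' follows the thread's advice, 'reversed'
# has its permit above the catch-all deny, 'open' has no ACL at all.
SAMPLE_SIP_CONF = """
[good]
context=outgoing
deny=0.0.0.0/0.0.0.0
permit=10.10.10.0/24
[reversed]
context=outgoing
permit=10.10.10.0/24
deny=0.0.0.0/0.0.0.0
[open]
context=outgoing
"""

def parse_sip_conf(text):
    """Return {stanza: [(key, value), ...]}, preserving option order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = []
        elif current and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip().lower(), value.strip()))
    return stanzas

def audit_stanza(entries):
    """Return ACL problems for one stanza; an empty list means it looks right."""
    if dict(entries).get("context") not in OUTGOING_CONTEXTS:
        return []  # cannot dial out, so the deny/permit rule does not apply
    acl = [(k, v) for k, v in entries if k in ("deny", "permit")]
    deny_all = [i for i, (k, v) in enumerate(acl)
                if k == "deny" and ipaddress.ip_network(v, strict=False).prefixlen == 0]
    permits = [i for i, (k, _) in enumerate(acl) if k == "permit"]
    problems = [] if deny_all else ["missing deny=0.0.0.0/0.0.0.0 catch-all"]
    if not permits:
        problems.append("no permit= network")
    elif deny_all and min(permits) < deny_all[0]:
        # Asterisk walks ACL lines in order, last match wins: a permit above the deny-all is cancelled
        problems.append("permit listed before deny-all (last match wins)")
    return problems

def audit_sip_conf(text):
    return {n: p for n, e in parse_sip_conf(text).items() if (p := audit_stanza(e))}
```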