[asterisk-users] How to stop intruder from registering sip?

sean darcy seandarcy2 at gmail.com
Sat Jun 12 13:14:15 CDT 2010


On 06/12/2010 10:57 AM, Benoit wrote:
> On 12/06/2010 15:09, sean darcy wrote:
>> I decided to include the following in each sip.conf stanza that has an
>> outgoing context:
>>
>> deny=0.0.0.0/0.0.0.0
>> permit=10.10.10.0/24
>>
> If all your phones are on a defined network like that, you really should
> use iptables to allow
> inbound SIP from the 10-network and from the ip addresses of your
> provider(s) only.
>> Blacklisting won't work - see Whack-a-mole.
>>
> Well, in your case you need to think the other way (whitelisting), and
> that works pretty nicely
>> Does the deny/permit do the trick?
>>
> It should, as long as the asterisk auth is working fine. But I would
> strongly urge you to add an iptables (or any other FW)
> layer on top of it, better safe than sorry.
>
> Example:
>
> *filter
> :INPUT DROP [0:0]
> :SIP - [0:0]
> :IAX - [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i bond0 -p icmp -m icmp --icmp-type any -j ACCEPT
> # ssh
> -A INPUT -i bond0 -s .... -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -i bond0 -p udp -m udp --dport 5060 -j SIP
> -A INPUT -i bond0 -p udp -m udp --dport 4569 -j IAX
> -A SIP --src 10.10.10.0/24 -j ACCEPT
> -A SIP --src ip.provider.1 -j ACCEPT
> -A SIP --src ip.provider.2 -j ACCEPT
> ...
> -A IAX --src 10.10.10.0/24 -j ACCEPT
> COMMIT
>

The trouble with whitelisting, or using iptables to block 5060 (in fact 
* is behind a router - 5060 is port forwarded) is that traveling 
employees wouldn't be able to register with inbound extensions. We set 
up our travelers so they can connect from wherever, and be treated as if 
they were at a local extension. That is, the employee can dial 151, or 
be dialed at his extension. He cannot, however, dial third parties, or at 
least isn't supposed to.

sean
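An added example, not code from this thread or from Asterisk itself, that models how the sip.conf deny=/permit= lines discussed above are evaluated, so the effect of the two-line ACL and of leaving it off a traveler's stanza can be checked on sample source addresses. It assumes Asterisk's documented rule that entries are walked in the order written, the last matching entry decides, and an address matching no entry is allowed; the stanzas, peer names and the 203.0.113.0/24 addresses are constructed for the example.

```python
# Added example (not code from the thread): a model of how Asterisk's
# sip.conf deny=/permit= ACL lines are evaluated, used to check what the
# two-line ACL discussed above admits and rejects. Assumption: Asterisk
# walks the entries in the order written, the LAST matching entry decides,
# and an address matching no entry is allowed.
from ipaddress import ip_address, ip_network


def parse_acl(stanza_lines):
    """Turn sip.conf lines such as 'deny=0.0.0.0/0.0.0.0' into (permit, network) rules.

    Other keys (type=, context=, ...) and ';' comments are ignored; both
    dotted-quad masks and CIDR prefix lengths are accepted, as Asterisk does.
    """
    rules = []
    for raw in stanza_lines:
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("deny", "permit"):
            continue
        addr, _, mask = value.partition("/")
        net = ip_network(f"{addr}/{mask or '32'}", strict=False)
        rules.append((key == "permit", net))
    return rules


def acl_allows(rules, source_ip):
    """True if a REGISTER from source_ip passes the ACL (last match wins, default allow)."""
    ip = ip_address(source_ip)
    allowed = True
    for permit, net in rules:
        if ip in net:
            allowed = permit
    return allowed


# Constructed sample stanzas. 10.10.10.0/24 is the LAN from the thread;
# 203.0.113.0/24 is a documentation range standing in for "the Internet".
OFFICE_PHONE = [
    "[151]",
    "type=friend",
    "context=outgoing   ; can dial third parties",
    "deny=0.0.0.0/0.0.0.0",
    "permit=10.10.10.0/24",
]
TRAVELER = [
    "[152]",
    "type=friend",
    "context=internal-only",  # no deny/permit: must be reachable from anywhere
]
WRONG_ORDER = [
    "permit=10.10.10.0/24",
    "deny=0.0.0.0/0.0.0.0",  # last match is the catch-all deny: rejects everyone
]


def check(stanza, source_ip):
    return acl_allows(parse_acl(stanza), source_ip)


def evaluate_samples():
    """Map (stanza name, source address) to whether the ACL lets the registration through."""
    return {
        ("office", "10.10.10.37"): check(OFFICE_PHONE, "10.10.10.37"),
        ("office", "203.0.113.8"): check(OFFICE_PHONE, "203.0.113.8"),
        ("traveler", "203.0.113.8"): check(TRAVELER, "203.0.113.8"),
        ("wrong-order", "10.10.10.37"): check(WRONG_ORDER, "10.10.10.37"),
    }


if __name__ == "__main__":
    for (name, src), ok in evaluate_samples().items():
        print(f"{name:12s} {src:15s} -> {'ACCEPT' if ok else 'REJECT'}")
```

The "office" rows show the deny-all-then-permit-LAN pair doing what the thread expects; the "wrong-order" row shows why the catch-all deny has to come first; and the "traveler" row is the trade-off in the reply above: a stanza with no ACL accepts a REGISTER from any address, which is exactly the case a firewall whitelist in front of Asterisk cannot cover without also locking the travelers out.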



