If you setup Asterisk as some sort of SBC, it would be either doing registration with your upstream providers or if you had a static IP, they (like Gamma) would use IP auth. In either case, you don’t need to be able to read in or accept (inward) any REGISTER sip message.

[phones]<==>[Asterisk PBX]<==>[Asterisk SBC]<=={internet}=>[Voip S.P.]

Like allowsubscribe=no, is there something like that for REGISTER?

Remembering… this box will still have to make use of the REGISTER construct for it to inform its possible upstream providers of your own IP address.

If I add deny=0.0.0.0/0.0.0.0 to the general section, and then open up an allow=X.X.X.X for each of the ISP sip trunks, would that achieve the same results?

I wasn’t aware that Asterisk even allowed anonymous registration.

ha ha David, ok look, when you open UPD port 5060, you’ll get all sorts of attempts… 50% of them are REGISTER attempts, and the other 50% are INVITE requests.

All I really want to do is to reduce the spam on the port 5060, but I have to have the ports open, and I’m looking at ways to do this without using iptables etc to allow/disallow communications. (This would move security from application level to system level and involve different teams, and slow down operations)

Is Astersik honouring the REGISTER attempts? All that any block would do is to prevent it honouring them; they would still arrive.

correct… and reduce load, and lookups on the objects, databases etc possibly even prevent a DOS attack, or make it pointless.

Sounds like it not a feature, but sure would be useful.

you can reduce register attempts, you can change default 5060 port, also install fail2ban to block failed attempts, also iptables in case you can whitelist range of IP

I beleive you could set up an iptables rule that will specifically trap REGISTER requrests over UDP.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.