How can I get my asterisk server to accept public, incoming calls to user@domain?

ajgnet · June 15, 2022, 2:51pm

Right now I have a SIP trunk and all incoming calls come through that. But I’d also like to accept public internet calls destined to user@example.com. I have the SRV records set up appropriately. How can I safely do this? Examples appreciated Thank you

fsilvestre · June 15, 2022, 3:07pm

I think the best way will be allowing only calls to @ValidDomains and ban those who call dialing @IPAddress (because they are probably friendly scanners).
And use TLS!

ajgnet · June 15, 2022, 3:18pm

Thanks that makes sense. Would you have a sample config of what that might look like? I am a beginner

david551 · June 15, 2022, 3:44pm

Basically you define an anonymous endpoint:

github.com

asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample#L41

      
        
            ; At a minimum please read the file "README-SERIOUSLY.bestpractices.txt",
            ; located in the Asterisk source directory before starting Asterisk.
            ; Otherwise you risk allowing the security of the Asterisk system to be
            ; compromised. Beyond that please visit and read the security information on
            ; the wiki at: https://wiki.asterisk.org/wiki/x/EwFB
            ;
            ; A few basics to pay attention to:
            ;
            ; Anonymous Calls
            ;
            ; By default anonymous inbound calls via PJSIP are not allowed. If you want to
            ; route anonymous calls you'll need to define an endpoint named "anonymous".
            ; res_pjsip_endpoint_identifier_anonymous.so handles that functionality so it
            ; must be loaded. It is not recommended to accept anonymous calls.
            ;
            ; Access Control Lists
            ;
            ; See the example ACL configuration in this file. Read the configuration help
            ; for the section and all of its options. Look over the samples in acl.conf
            ; and documentation at https://wiki.asterisk.org/wiki/x/uA80AQ
            ; If possible, restrict access to only networks and addresses you trust.

then write dialplan with an extension for user, which uses the CHANNEL function to obtain the domain part, and validate it. You make very sure that the context is incapable of making chargeable calls, including making sure that caller side transfer options are all turned off in Dial.

Although SIP is designed to work like this you should note that hardly anyone actually configures theirs this way. Most people would consider it an unacceptable security risk.

You will get large numbers of calls with the wrong user and domain.

Using TLS is only of value to the extent that most phone fraudsters don’t bother with it; certificates that validate against commonly trusted CAs are easy to obtain. On the other hand, your callers may find getting a certificate too much trouble, given that ad hoc point to point SIP is so rarely used.

fsilvestre · June 15, 2022, 5:36pm

Try what David suggested

And/Or

1- Create a service to watch UDP 5060, filtering remote incoming INVITEs. Grab IP Address from those who not use your acceptable/allowed domain names in TO field and put a DROP role in iptables with these addresses (eternally).

system · July 15, 2022, 5:37pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.