How can I have the allowguest=yes rule for incoming traffic only?

Hello, I’d like to be able to recieve anonymouys/guest sip calls from third party servers to a especific extension, but somehow when enabling allowguest=yes, somebody (maybe a hacker) can actually make calls through my system, so how are they able to do that and how can I prevent it?

The hacker traffic is incoming traffic!

You should no longer be using chan_sip. In most cases, where allowguest was needed with chan_sip, the ability to use multiple address ranges with chan_pjsip makes it unnecessary.

Where anonymous access is needed, it should land in a context that is not able to make to make chargeable calls. Your inside phone can be in a a context that does allow chargeable calls. Typically people use default or from_trunk for incoming calls, and from_internal, or, simply, internal, for locally originated ones.

I solved my problem by checking the exten, dnid and ip and any process trying to make a call from and extension and ip different than my current server, gets logged and then hangup, then I ban the ips with fail2ban.