How to prevent calls from being dialed without registration?

I have just installed Asterisk and exposed it on the Internet. I am getting the following:

[Apr 16 22:44:34] NOTICE[407][C-000000f5]: chan_sip.c:26447 handle_request_invite: Call from ‘’ (207.38.90.45:5070) to extension ‘+441970709906’ rejected because extension not found in context ‘public’.

[Apr 16 22:45:06] WARNING[407]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission e8aa2929468e1601e19c615e59fbb1bf for seqno 1 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response

How did this guy from Germany manage to initiate a call?

Did you disable anonymous calling? If not then it would go to your default context, which appears to be “public”.

Thanks! Just saw this in the default sip.conf:

; Note: Please read the security documentation for Asterisk in order to
; understand the risks of installing Asterisk with the sample
; configuration. If your Asterisk is installed on a public
; IP address connected to the Internet, you will want to learn
; about the various security settings BEFORE you start
; Asterisk.
;
; Especially note the following settings:
; - allowguest (default enabled)
; - permit/deny/acl - IP address filters
; - contactpermit/contactdeny/contactacl - IP address filters for registrations
; - context - Which set of services you offer various users

As a suggestion, this is how I handle unauthorized attempts to place a call.

In sip.conf:

allowguest=yes
context=unauthenticated

In extensions.conf:


[unauthenticated]
;; Incoming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()

exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()

For Fail2Ban configuration

In jail.conf

[asterisk]
filter = asterisk
action = iptables-allports[name=ASTERISK]
logpath = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime = 864000
enabled = true

In filter.d/asterisk.conf:

# Fail2Ban configuration file
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic \(from <HOST>\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
            WARNING.* .*: fail2ban='<HOST>'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
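
A quick offline check of how a filter like the one above behaves on log lines, added here as an example and not part of the original post. It uses two failregex patterns written with fail2ban's `<HOST>` tag; the IPv4-only `HOST` stand-in, the function names, and the sample log lines (including the layout of the `Log()` line) are assumptions constructed for the demonstration.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex patterns written with fail2ban's <HOST> tag.
FAILREGEX = [
    r"NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' "
    r"rejected because extension not found in context 'unauthenticated'",
    r"WARNING.* .*: fail2ban='<HOST>'",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Constructed log lines (documentation IP ranges), modelled on chan_sip output.
SAMPLE_LOG = [
    # Guest call in the default 'public' context: no pattern names that context.
    "[Apr 16 22:44:34] NOTICE[407][C-000000f5]: chan_sip.c:26447 "
    "handle_request_invite: Call from '' (203.0.113.45:5070) to extension "
    "'+441970709906' rejected because extension not found in context 'public'.",
    # The same rejection once context=unauthenticated is in effect.
    "[Apr 16 22:45:40] NOTICE[407][C-000000f6]: chan_sip.c:26447 "
    "handle_request_invite: Call from '' (203.0.113.46:5070) to extension "
    "'7' rejected because extension not found in context 'unauthenticated'.",
    # Marker written by the dialplan's Log() application (straight quotes).
    "[Apr 16 22:46:10] WARNING[412][C-000000f7]: Ext. +441970709906:1 @ "
    "unauthenticated: fail2ban='198.51.100.23'",
    # Same marker with typographic quotes in extensions.conf: not matched.
    "[Apr 16 22:46:55] WARNING[412][C-000000f8]: Ext. +441970709906:1 @ "
    "unauthenticated: fail2ban=\u2019198.51.100.99\u2019",
]

def offending_host(line):
    """Return the address captured by the first matching pattern, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=1):
    """Hosts with at least maxretry matching lines (the jail uses maxretry = 1)."""
    counts = {}
    for line in lines:
        host = offending_host(line)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)
```

On a live system, `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` runs the real filter against the real log and reports which lines matched.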

frank71, thanks. But what is the purpose? Who are your legitimate unregistered users and wouldn’t they be similarly blocked?

Also there is some risk that a mistake or oversight in the dial plan may cause damage.

He’s not necessarily allowing any unregistered users to make calls. The sip.conf’s general section entry context is the context in the dialplan where calls from peers without a sip.conf peer/user entry are sent.

Hope this helps