How to prevent calls from being dialed without registration?

Asterisk Asterisk Support
1

I have just installed an asterisk and exposed it on the Internet. I am getting the following:

[Apr 16 22:44:34] NOTICE[407][C-000000f5]: chan_sip.c:26447 handle_request_invite: Call from ‘’ (207.38.90.45:5070) to extension ‘+441970709906’ rejected because extension not found in context ‘public’.

[Apr 16 22:45:06] WARNING[407]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission e8aa2929468e1601e19c615e59fbb1bf for seqno 1 (Critical Response) – See Home - Asterisk Documentation
Packet timed out after 32000ms with no response

How did this guy from Germany manage to initiate a call?

2

Did you disable anonymous calling? If not then it would go to your default context, which appears to be “public”.

3

Thanks! Just saw this in the default sip.conf:

; Note: Please read the security documentation for Asterisk in order to
; understand the risks of installing Asterisk with the sample
; configuration. If your Asterisk is installed on a public
; IP address connected to the Internet, you will want to learn
; about the various security settings BEFORE you start
; Asterisk.
;
; Especially note the following settings:
; - allowguest (default enabled)
; - permit/deny/acl - IP address filters
; - contactpermit/contactdeny/contactacl - IP address filters for registrations
; - context - Which set of services you offer various users

4

As a suggestion, this is how I handle unauthorized attempts to place a call.

In sip.conf:

allowguest=yes
context=unauthenticated

In extensions.conf:


[unauthenticated]
;; Incomming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban=’${CHANNEL(peerip)}’)
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()

exten => _+X.,1,Log(WARNING,fail2ban=’${CHANNEL(peerip)}’)
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()

For Fail2Ban configuration

In jail.conf

[asterisk]
filter = asterisk
action = iptables-allports[name=ASTERISK]
logpath = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime = 864000
enabled = true

In dilter.d/asterisk.conf:

Fail2Ban configuration file

$Revision: 250 $

[INCLUDES]

Read common prefixes. If any customizations available – read them from

common.local

#before = common.conf

[Definition]

#_daemon = asterisk

Option: failregex

Notes.: regex to match the password failures messages in the logfile. The

host must be matched by a group named “host”. The tag “” can

be used for standard IP/hostname matching and is only an alias for

(?:::f{4,6}:)?(?P\S+)

Values: TEXT

failregex = NOTICE.* .: Registration from '.’ failed for ‘:.’ - Wrong password
NOTICE. .: Call from '.’ ((:[0-9]{1,5})?) to extension ‘.’ rejected because extension not found in context ‘unauthenticated’
NOTICE. chan_sip.c: Call from ‘.’ ((:[0-9]{1,5})?) to extension '.’ rejected because extension not found in context ‘unauthenticated’
NOTICE.* .: Registration from '.’ failed for ‘:.’ - Username/auth name mismatch
NOTICE. .: Registration from '.’ failed for ‘:.’ - No matching peer found
NOTICE. .: Registration from '.’ failed for ‘:.’ - Not a local domain
NOTICE. .: Registration from '.’ failed for ‘:.’ - Peer is not supposed to register
NOTICE. .: Registration from '.’ failed for ‘:.’ - Device does not match ACL
NOTICE. .: Registration from '.’ failed for ‘:.’ - Device not configured to use this transport type
NOTICE. .: No registration for peer '.’ (from )
NOTICE.* .: Host failed MD5 authentication for '.’ (.)
NOTICE. .: Host denied access to register peer '.
NOTICE.* .: Host did not provide proper plaintext password for '.
NOTICE.* .: Registration of '.’ rejected: ‘.’ from: ‘’
NOTICE. .: Peer '.’ is not dynamic (from )
NOTICE.* .: Host denied access to register peer '.
SECURITY.* .: SecurityEvent=“InvalidAccountID”.,Severity=“Error”,Service=“SIP”.,RemoteAddress=“IPV[46]/(UDP|TCP|TLS)//[0-9]+”
SECURITY. .: SecurityEvent=“FailedACL”.,Severity=“Error”,Service=“SIP”.,RemoteAddress=“IPV[46]/(UDP|TCP|TLS)//[0-9]+”
SECURITY. .: SecurityEvent=“InvalidPassword”.,Severity=“Error”,Service=“SIP”.,RemoteAddress=“IPV[46]/(UDP|TCP|TLS)//[0-9]+”
SECURITY. .: SecurityEvent=“ChallengeResponseFailed”.,Severity=“Error”,Service=“SIP”.,RemoteAddress=“IPV[46]/(UDP|TCP|TLS)//[0-9]+”
VERBOSE. logger.c: – .IP/-. Playing ‘ss-noservice’ (language ‘.’)
SECURITY. .: SecurityEvent=“ChallengeSent”.,Severity=“Informational”,Service=“SIP”.,AccountID="sip:.@93.94.247.123".,RemoteAddress="IPV[46]/(UDP|TCP|TLS)//[0-9]+
WARNING. .*: fail2ban=’’

Option: ignoreregex

Notes.: regex to ignore. If this regex matches, the line is ignored.

Values: TEXT

ignoreregex =

5

frank71, thanks. But what is the purpose? Who are your legitimate unregistered users and wouldn’t they be similarly blocked?

Also there is some risk that a mistake or oversight in the dial plan may cause damage.

6

He’s not necessarily allowing any unregistered users make calls. The sip.conf’s general section entry context is the context in the dialplan where calls from peers without a sip.conf peer/user entry are sent.

Hope this helps