Howto Allow Only One SIP Trunk

I am getting hammered by Chinese “war dialing” from IP 113.105.152.103 and 113.105.152.102. My CDR Report has hundreds of these entries:

2010-02-10 12:06:45 asterisk 711 SIP/113.105.152.102-08e5fac8 SIP/711-08edf278 ANSWERED 36

(Extension 711 is the extension that rings “if all else fails”.)

I am using FreePBX 2.5.2.2 on Asterisk 1.4.24 and have a SIP trunk provider. How can I change my configuration to only accept SIP connections/calls from my SIP trunk provider?

I have searched and searched, but all the configuration info I find tells me how to include my provider, not how to exclude others. Found an interesting blog about it here http://ericrichardson.com/2009/12/1757-the-phone-is-ringing, but no solution to the problem.

Thanks in advance,
Kyle
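The channel name in the CDR line quoted above (SIP/113.105.152.102-08e5fac8) carries a bare IP address where a matched peer's name would normally appear, which is what a call accepted from an unmatched (guest) source looks like. As an added example, not part of this thread, the Python script below parses CDR lines in that layout and tallies calls per guest source IP so the pattern stands out in a large report. The field order is an assumption taken from the single line quoted, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample CDR lines in the layout seen in the post:
# date time src dst channel dstchannel disposition billsec
# (field order is an assumption based on the one line quoted in the thread).
SAMPLE_CDR = """\
2010-02-10 12:06:45 asterisk 711 SIP/113.105.152.102-08e5fac8 SIP/711-08edf278 ANSWERED 36
2010-02-10 12:06:51 asterisk 711 SIP/113.105.152.102-08e60a10 SIP/711-08ee1150 ANSWERED 35
2010-02-10 12:07:02 asterisk 711 SIP/113.105.152.103-08e61b30 SIP/711-08ee2f88 ANSWERED 37
2010-02-10 12:07:09 asterisk 711 SIP/113.105.152.103-08e62c40 SIP/711-08ee4dc0 NO ANSWER 0
2010-02-10 12:30:00 5551234567 100 SIP/myprovider-08e70000 SIP/100-08ef0000 ANSWERED 120
"""

# Disposition may contain a space ("NO ANSWER"), so a plain split() would
# misalign the fields; a regex keeps each column in place.
CDR_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<channel>\S+) (?P<dstchannel>\S+) "
    r"(?P<disposition>ANSWERED|NO ANSWER|BUSY|FAILED) (?P<billsec>\d+)$"
)

# A SIP channel whose peer part is a bare IPv4 literal means no configured
# peer matched the caller; calls from a real peer show its name instead.
IP_PEER_RE = re.compile(r"^SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+$")


def parse_cdr(text):
    """Return one dict per CDR line that fits the layout; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["billsec"] = int(rec["billsec"])
            records.append(rec)
    return records


def guest_call_sources(records, fallback_ext="711"):
    """Aggregate calls whose channel names a bare IP, keyed by that IP."""
    stats = defaultdict(lambda: {"calls": 0, "answered": 0, "to_fallback": 0, "billsec": 0})
    for rec in records:
        m = IP_PEER_RE.match(rec["channel"])
        if not m:
            continue  # came in via a named peer, e.g. the trunk provider
        s = stats[m.group("ip")]
        s["calls"] += 1
        s["billsec"] += rec["billsec"]
        if rec["disposition"] == "ANSWERED":
            s["answered"] += 1
        if rec["dst"] == fallback_ext:
            s["to_fallback"] += 1
    return dict(stats)


def flag_sources(stats, min_calls=2):
    """Source IPs that placed at least min_calls guest calls, sorted for stable output."""
    return sorted(ip for ip, s in stats.items() if s["calls"] >= min_calls)


if __name__ == "__main__":
    stats = guest_call_sources(parse_cdr(SAMPLE_CDR))
    for ip in flag_sources(stats):
        s = stats[ip]
        print(f"{ip}: {s['calls']} guest calls, {s['answered']} answered, "
              f"{s['to_fallback']} to fallback ext, {s['billsec']}s billed")
```

Run it against a CDR export in the same layout; any IP that appears in the output is a caller Asterisk accepted without matching a peer, which is exactly the traffic allowguest=no refuses. The billsec column is worth keeping in the report, because answered guest calls are also what ends up on a bill if the fallback extension ever forwards outward.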

allowguest=no

Make sure that you have a peer entry that properly matches your PSTN network provider.

And, for good measure, set your firewall to only accept port 5060 traffic from that provider.

Also, if you ever did make samples, you will have been told to read the SECURITY document, which you can find in doc/tex/security.tex.

I can’t believe allowguest defaults to yes. It was not in any of my config files. I added it, and it seems to have solved the problem.

I had a properly configured peer entry, which still works after adding allowguest=no to sip.conf.

The firewall rule for 5060 is a great idea. Unfortunately, the sip trunk provider uses several IPs, located around the US. I sent a request to them to provide me with a list of what IPs I can expect traffic from. I suspect they will be less than forthcoming with that information.

The last suggestion about security.tex… I don’t have that file anywhere on my asterisk box. If I can find it, I’ll take a look.

Thanks, David.

-Kyle

The setting of allowguest has been raised on issues.asterisk.org. The reason for the current setting is that the intent is to allow people trying out Asterisk to get a working system with the least effort. Otherwise there would be a lot of questions here about why incoming calls don’t work.

If you install from source, you get told to look at the security file and it is part of the source tree. Anyone providing a binary package really ought to provide the same warning and also a final form (e.g. PDF) version of that file (I think it is a chapter in the PDF documentation).

One thing that I didn’t explicitly mention, is that if you want to lock down a system, you should not include any outgoing extension in the default context.
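Pulling David's points together (allowguest=no in sip.conf, a peer entry with a static host that the provider's traffic can be matched against, and knowing which dialplan context guest calls land in so nothing outgoing lives there), here is an added Python check that is not from this thread or from Asterisk. It parses two constructed sip.conf fragments, one with allowguest left unset as in Kyle's original setup and one hardened, and reports what is wrong with each. The peer name, host values and context names are hypothetical.

```python
import re

# Constructed sip.conf fragment mirroring the original situation: the provider
# peer exists, but allowguest is never set and so takes Asterisk's default of yes.
WEAK_SIP_CONF = """\
[general]
context=from-sip-external
bindport=5060

[myprovider]
type=peer
host=sip.example-itsp.invalid
context=from-trunk
insecure=port,invite
"""

# Hardened version of the same fragment (hypothetical peer name and IP).
HARDENED_SIP_CONF = """\
[general]
context=from-sip-external
bindport=5060
allowguest=no          ; refuse INVITEs from anyone who matches no peer

[myprovider]
type=peer
host=203.0.113.10      ; provider gateway address, so peer matching applies
context=from-trunk
insecure=port,invite
"""


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's INI-like files: [section], key=value or
    key=>value, ';' comments.  Repeated keys are kept in order as a list."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            continue  # key outside any section; ignore
        if "=>" in line:
            key, sep, value = line.partition("=>")
        else:
            key, sep, value = line.partition("=")
        if not sep:
            continue
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def guest_context(sections):
    """Dialplan context an unmatched caller lands in ('default' when unset)."""
    return sections.get("general", {}).get("context", ["default"])[-1]


def check_sip_conf(sections):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    general = sections.get("general", {})
    # Asterisk defaults allowguest to yes when the key is absent.
    allowguest = general.get("allowguest", ["yes"])[-1].lower()
    if allowguest != "no":
        findings.append(
            f"allowguest is '{allowguest}' (Asterisk defaults to yes): "
            f"unauthenticated calls are accepted into context "
            f"'{guest_context(sections)}'"
        )
    trunks = [
        name for name, sec in sections.items()
        if name != "general"
        and sec.get("type", [""])[-1] in ("peer", "friend")
        and sec.get("host", ["dynamic"])[-1] != "dynamic"
    ]
    if not trunks:
        findings.append(
            "no peer/friend entry with a static host: the provider's calls "
            "cannot be matched to a peer, so they would arrive as guests"
        )
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(f"{label}: {check_sip_conf(parse_asterisk_conf(conf)) or ['ok']}")
```

The context reported in the allowguest finding is the one David means in his last paragraph: whatever it contains is reachable by any caller while guests are allowed, so it should hold no outgoing extensions. The check deliberately stops at sip.conf; restricting port 5060 at the firewall to the provider's gateway addresses, as suggested earlier in the thread, is a separate layer that this script does not inspect.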

[quote=“kda406”]
The firewall rule for 5060 is a great idea. Unfortunately, the sip trunk provider uses several IPs, located around the US. I sent a request to them to provide me with a list of what IPs I can expect traffic from. I suspect they will be less than forthcoming with that information.[/quote]

Any 1/2 decent ITSP will gladly tell you all the SIP gateways that you will receive traffic from. All of the major players (Level3, Qwest, Bandwidth.com) only have 2 source IPs for termination.

You definitely need to block all traffic which isn’t ‘friendly’… even with allowguest=no, you may still be vulnerable to DoS attacks since the SIP signaling is reaching the application layer.