IP Authentication Security Issue?

I’ve peers with a static host=ip.address.x.x format for authentication.

I found out you can match the peer by setting username to it, and it ignores the host IP address.

For example:


With this peer, I’ll be able to identify by using Zoiper with username hello and an empty password.

It will ignore the fact that I’ve a host= here and match any IP as long as I’ve hello as the username and an empty password.

For example, I can go to a popular VoIP provider; they all have insecure=very in there with a [trunkname] in the configuration samples.

Find an IP with Asterisk that has the provider configured, put in [trunkname] as the username in my Zoiper and dial out on that Asterisk machine, even if my IP doesn’t match the host= of the VoIP provider.

Is there a solution to this?

Edit: version used

Well, using deny/permit fixed my issue. Apparently host is used for auth if the name is not found, but if there’s no secret, Asterisk doesn’t care if there’s a specific host or not. It’s just OK with the name. Well, deny/permit does it, thanks.
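An audit for the condition described in this thread, as an added example that is not part of the original posts: it parses a sip.conf and flags peers that have neither a secret nor a permit= ACL. The sample configuration, the peer names other than hello, and the 203.0.113.10 address are constructed for illustration.

```python
import re

# Constructed sample sip.conf (not the poster's configuration).
SAMPLE = """\
[general]
bindport=5060

[hello]            ; static host, no secret, no ACL: the case reported in the post
type=friend
host=203.0.113.10
insecure=very

[hello-acl]        ; same peer restricted with the deny/permit fix from the post
type=friend
host=203.0.113.10
deny=0.0.0.0/0.0.0.0
permit=203.0.113.10/255.255.255.255

[deskphone]        ; registering device that authenticates with a secret
type=friend
host=dynamic
secret=constructed-example-secret
"""

def parse_sections(text):
    """Return {section: {key: [values]}}; keys may repeat (several permit= lines)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            value = value.lstrip(">").strip()    # accept 'key => value' too
            current.setdefault(key.strip().lower(), []).append(value)
    return sections

def audit(text):
    """Names of peers with no secret and no permit= ACL (matchable by name alone, per the post)."""
    findings = []
    for name, opts in parse_sections(text).items():
        if name == "general" or "type" not in opts:
            continue
        has_secret = any(opts.get(k, [""])[-1] for k in ("secret", "md5secret"))
        if not has_secret and not opts.get("permit"):
            findings.append(name)
    return findings

if __name__ == "__main__":
    for peer in audit(SAMPLE):
        print(f"{peer}: no secret and no deny/permit ACL")
```

Run against the sample, only the `hello` peer is reported; the ACL-restricted copy and the peer with a secret pass.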