IP Authentication Security Issue?

I’ve peers with a static host=ip.address.x.x format for authentication.

I found out you can match the peer by setting username to it, and it ignores the host IP address.

For example:

[hello]
type=friend
context=from-internal
insecure=port
disallow=all
allow=all
nat=yes
canreinvite=no
host=12.13.14.15

With this peer, I’ll be able to identify by using Zoiper with username hello and an empty password.

It will ignore the fact that I’ve a host=12.13.14.15 here and match any IP as long as I have hello as the username and an empty password.

For example, I can go to a popular VoIP provider; they all have insecure=very in there with a [trunkname] in the configuration samples.

Find an IP with Asterisk that has the provider configured, put in [trunkname] as the username in my Zoiper and dial out on that Asterisk machine, even if my IP doesn’t match the host= of the VoIP provider.

Is there a solution to this?

Edit: version used 1.4.21.1

Well, using deny/permit fixed my issue. Apparently host is used for auth if the name is not found, but if there’s no secret, Asterisk doesn’t care if there’s a specific host or not. It’s just OK with the name. Well, deny/permit does it, thanks.
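
An added example, not part of the original posts: a small Python check that scans sip.conf text for entries like the [hello] peer above, meaning type=friend or type=user with no secret and no deny/permit pair. The sample config is constructed from the post's peer; the hello-acl section and its address/netmask values are assumptions illustrating the deny/permit fix.

```python
import re

# Constructed sample: the post's peer, plus the same peer with a deny/permit pair.
SAMPLE = """\
[hello]
type=friend
context=from-internal
insecure=port
host=12.13.14.15

[hello-acl]
type=friend
context=from-internal
insecure=port
host=12.13.14.15
deny=0.0.0.0/0.0.0.0                ; assumed ACL: refuse everything...
permit=12.13.14.15/255.255.255.255  ; ...except the expected source address
"""

def parse_sections(text):
    """Return {section: {key: [values]}}; keys such as permit may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)  # templates "[x](tmpl)" are not resolved
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            value = value.lstrip(">").strip()  # accept "key => value" as well
            current.setdefault(key.strip().lower(), []).append(value)
    return sections

def audit(text):
    """Names of friend/user entries with no secret and no deny+permit pair."""
    flagged = []
    for name, opts in parse_sections(text).items():
        kind = opts.get("type", [""])[-1].lower()
        has_secret = any(v for k in ("secret", "md5secret") for v in opts.get(k, []))
        has_acl = "deny" in opts and "permit" in opts
        if kind in ("friend", "user") and not has_secret and not has_acl:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for peer in audit(SAMPLE):
        print(f"[{peer}] no secret and no deny/permit: host= alone is not a source-IP check")
```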