Multiple Sites Server Registration Via SIP

I am in the process of upgrading all of our company's site servers from Asterisk 1.4 to 13. I thought I would take the initiative to make sure everything is as secure and clean as it can be; the current configs are fairly messy.

I just want to make sure I am wrapping my head around the security and authentication between servers in each location. Does the configuration below look correct between 3 sites? Is using type=peer correct on the servers and type=friend on the desk phones best practice? Do I need to be using username=*** fromuser=*** on the servers? I have come across a lot of different examples showing a mix-match of both on servers and devices.

Any input is greatly appreciated.

Site 1

[general]
port=5060
bindaddr=0.0.0.0
disallow=all
allow=ulaw
context=inbound
registerattempts=0
registertimeout=300
rfc2833compensate=yes

[site2]
type=peer
host=... ;public IP address
secret=***
context=inbound
directmedia=no
qualify=yes
dtmfmode=rfc2833

[site3]
type=peer
host=... ;public IP address
secret=***
context=inbound
directmedia=no
qualify=yes
dtmfmode=rfc2833

[john]
type=peer
host=dynamic
port=5060
username=john
secret=***
callerid="John Doe" <200>
context=outbound
insecure=no
directmedia=yes
qualify=yes
mailbox=200

Site 2

[general]
port=5060
bindaddr=0.0.0.0
disallow=all
allow=ulaw
context=inbound
registerattempts=0
registertimeout=300
rfc2833compensate=yes

[site1]
type=peer
host=... ;public IP address
secret=***
context=inbound
directmedia=no
qualify=yes
dtmfmode=rfc2833

[site3]
type=peer
host=... ;public IP address
secret=***
context=inbound
directmedia=no
qualify=yes
dtmfmode=rfc2833

[mary]
type=peer
host=dynamic
port=5060
username=mary
secret=***
callerid="Mary Jane" <201>
context=outbound
insecure=no
directmedia=yes
qualify=yes
mailbox=201

Site 3

[general]
port=5060
bindaddr=0.0.0.0
disallow=all
allow=ulaw
context=inbound
registerattempts=0
registertimeout=300
rfc2833compensate=yes

[site1]
type=peer
host=... ;public IP address
secret=***
context=inbound
directmedia=no
qualify=yes
dtmfmode=rfc2833

[site2]
type=peer
host=... ;public IP address
secret=***
context=inbound
directmedia=no
qualify=yes
dtmfmode=rfc2833

[bill]
type=peer
host=dynamic
port=5060
username=bill
secret=***
callerid="Bill Ding" <202>
context=outbound
insecure=no
directmedia=yes
qualify=yes
mailbox=202

It’s dangerous. Anyone knowing one of your extension names can make calls over the trunks.

Remove insecure=invite from all the local phones (unless there is some other reason for insecure=port, remove insecure=port as well). Change friend to peer in all places. Insecure means they don't need a password to make calls. Friend additionally means that you need only to know the extension number to do so.

Consider following best practice and not using extension numbers for device names.

Replace canreinvite by directmedia, as it is deprecated.


Applying ACL rules to each to restrict what IP addresses can use the peer entries on incoming matches would also help.


In order to keep this thread from getting really long, I have made your suggested edits in bold on my main post. Does everything look secure now?

I guess I also should have mentioned that this setup (thus far) should not allow for outside calls. The given setup is only for the inter-office calling side of things between sites. I will add one more peer to each of the sites, which will be where all of the outbound calls will come from.

Thanks for your help.

Is this done directly on each site peer? I am already using iptables to restrict all traffic on port 5060, but I guess any added security is good.

Yes, they are permit and deny lines.
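For reference, here is what one site's sip.conf looks like with the permit/deny lines from the replies applied to every peer, plus the two [general] options that close the anonymous-caller path. This is an added example, not the poster's configuration or anything from the Asterisk project: the IP addresses are constructed placeholders from the RFC 5737 documentation ranges, the secrets are placeholders, and the LAN range for the desk phone is assumed.

```ini
; Added example (not the poster's config): one site's sip.conf with per-peer
; ACLs. Addresses are constructed RFC 5737 placeholders; secrets are placeholders.

[general]
port=5060
bindaddr=0.0.0.0
disallow=all
allow=ulaw
context=inbound        ; anything that reaches this context was not matched by a peer, so keep it minimal
allowguest=no          ; refuse INVITEs from sources that match no peer (default is yes)
alwaysauthreject=yes   ; identical 401 for unknown user and bad password: no username enumeration
registerattempts=0
registertimeout=300
rfc2833compensate=yes

; Inter-site trunk. The remote host is static, so no register=> line and no
; username/fromuser are needed: an inbound INVITE is matched to this peer by
; its source IP and is then challenged with the shared secret.
[site2]
type=peer
host=203.0.113.20                    ; placeholder for site 2's public IP
secret=CHANGE_ME_SITE2               ; placeholder, use a long random value
context=inbound
directmedia=no
qualify=yes
dtmfmode=rfc2833
deny=0.0.0.0/0.0.0.0                 ; ACL rules are applied in order, last match wins:
permit=203.0.113.20/255.255.255.255  ; deny everything, then allow only the peer's own address

[site3]
type=peer
host=203.0.113.30                    ; placeholder for site 3's public IP
secret=CHANGE_ME_SITE3               ; placeholder
context=inbound
directmedia=no
qualify=yes
dtmfmode=rfc2833
deny=0.0.0.0/0.0.0.0
permit=203.0.113.30/255.255.255.255

; Desk phone: registers dynamically, must present its secret, and is only
; accepted from the office LAN (assumed range).
[john]
type=peer
host=dynamic
port=5060
username=john
secret=CHANGE_ME_JOHN                ; placeholder
callerid="John Doe" <200>
context=outbound
insecure=no                          ; default, stated explicitly: every INVITE is authenticated
directmedia=yes
qualify=yes
mailbox=200
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0    ; assumed LAN range for the phones at this site
```

After `sip reload`, `sip show peers` on the Asterisk CLI should list the two trunks with their static addresses and the phone with its registered address; an INVITE arriving from any other source is rejected by the ACL before it can reach the `inbound` context. The ACL is a second layer behind the iptables rule on 5060, not a replacement for it: iptables decides who may talk to the SIP stack at all, while the per-peer permit line decides which peer entry (and hence which secret and context) a source is allowed to claim.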