Requiring Registration

How can I make valid registration a requirement for connecting to my Asterisk system? It doesn't matter how many users are in sip.conf; all someone has to do is connect to the IP.

I only want people to be able to access the dial plan that are registered via a username AND password.

Which channel driver are you using? The option to disable for chan_sip is allowguest.

This is actually about authentication for INVITE, not about registration. If you use an ITSP, it is very unlikely that they will register with you, which would be incompatible with them, so the only way to avoid someone masquerading as the ITSP is likely to be to authenticate them by IP address (which you do with type=peer for chan_sip and type=identify for chan_pjsip), or to restrict access to only their valid IP address range, with permit and deny (and preferably also at the firewall).

For things that do register, they will have to present a valid user and know the correct secret, although identifying them by address, for INVITEs, is also desirable. I’m not entirely sure what you have to do with chan_pjsip to authenticate by a dynamic address; it might come out in the wash.

If not authenticating by address, SIP does not require registration for incoming calls, if the caller knows the user and secret. Registration is about knowing where to send outgoing calls, not about authentication, although the address it learns can be used for IP based authentication.

Also note that allowguest, etc., should be using the default context, and that context should not be configured to be able to make chargeable calls, at least not without secondary authentication. Also the context associated with an ITSP should not be able to make chargeable calls, or you need very tight lockdowns on the ITSP's address range.

So I think I figured out how to accomplish better security:

I set the default context in sip.conf to something that just hangs up, then in all the user and trunk contexts I set it to my normal dial-plan value, then removed invite from insecure so that it won't allow a wrong password.

Seems to work

That only works if you have no calls from outside your organisation. Service providers never authenticate, so, for the legacy chan_sip, you need remotesecret rather than secret, or for older versions, insecure=invite.

Unless using TCP, it is unlikely that you need insecure=port.

With chan_sip, you should use type=peer, unless two peers share an IP address.

You don't need a default context that hangs up, as long as you disable allowguest.
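Putting the advice in this thread into a concrete configuration, as an added example that is not from the thread or from the Asterisk project: a minimal chan_sip sip.conf and extensions.conf, with the weaker choices noted in comments next to the hardened ones. Section names, secrets, the provider hostname and its address range are placeholders.

```ini
; ---- sip.conf (chan_sip) ---- constructed example, all values are placeholders

[general]
context=unauthenticated      ; where guest INVITEs would land if allowguest were on
allowguest=no                ; reject INVITEs that match no peer; a hang-up context is then not needed
alwaysauthreject=yes         ; same rejection for unknown user and wrong secret, so users cannot be enumerated

; A registering handset: must know the user name AND secret for REGISTER and INVITE.
[phone-101]
type=peer                    ; peer, not friend: inbound INVITEs are matched on source IP/port
host=dynamic                 ; address is learned from REGISTER, so it must register before calling
secret=CHANGE-ME-long-random ; placeholder secret
context=internal             ; full dialplan, may place chargeable calls
; no insecure= line: an INVITE with a wrong secret is rejected

; An ITSP trunk: the provider will not register with us and will not answer a
; 407 challenge, so inbound calls are authenticated by source address instead.
[itsp-trunk]
type=peer
host=sip.example-itsp.invalid          ; placeholder provider address
remotesecret=CHANGE-ME-trunk           ; used only when we authenticate to them; inbound is not challenged
; on Asterisk versions without remotesecret the equivalent is:  secret=...  plus  insecure=invite
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/255.255.255.0       ; placeholder: the provider's documented range only, nothing wider
context=from-itsp                      ; inbound-only context with no route to chargeable calls

; ---- extensions.conf ---- constructed example

[unauthenticated]
exten => _X.,1,Hangup()                 ; only reachable with allowguest=yes; harmless because it dials nothing

[from-itsp]
exten => _X.,1,Dial(SIP/phone-101)      ; provider's inbound calls go to handsets, never back out the trunk

[internal]
exten => _X.,1,Dial(SIP/itsp-trunk/${EXTEN})  ; only authenticated, registered handsets reach the trunk
```

The firewall should additionally restrict UDP/TCP 5060 to the handset network and the provider's range, since permit/deny only take effect after Asterisk has already parsed the packet.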

All of this was extremely helpful. Thank you!
