Hopefully someone can help. I've had an Asterisk 1.8.8.1 box running for a while and recently had a requirement to configure an offsite SIP phone.
I've opened port 5060 to the world because unfortunately the end user is on a dynamic IP. I use a strong password on the extension I have configured and all is working well. I have configured fail2ban to reduce brute-force success … hopefully. The problem I have is that previously traffic to port 5060 was restricted to/from our VoIP provider; now this restriction has been removed I am receiving call attempts into the general context. Fortunately there isn't an extension configured for outbound calling and all calls are routed to our inbound service, but the attempts are annoying me and I want to remove them from our logs.
In the ideal world all inbound calls are restricted to our VoIP provider but handsets can attempt to connect from anywhere. I understand the risk, but with secure passwords (12 characters, upper, lower and symbols) and fail2ban to minimise attempts I presume that's a safe way to be…
Can I create an inbound sip.conf configuration from our provider and then the extensions that can be connected to through auth?
Currently our inbound is not configured for authentication; I would need to contact our provider to see if this is an option.
The “extension” device entries should be type=peer.
Their names should not be predictable (e.g. MAC addresses).
allowguest needs to be turned off.
alwaysauthreject is only meaningful in the general section (and of limited use without fixing allowguest).
If you have to use insecure=invite, you might as well have one section for both directions and use type=peer for it. I’m not entirely sure which entry will actually be used if only the IP address matches, anyway.
Non-security:
Is your ISP really inside NAT and your Asterisk outside? Same for the “extensions”? nat=yes only applies to those situations, not to the normal NAT case where Asterisk and the extensions are inside and the ITSP is outside.
“canreinvite” is deprecated. You should replace it with “directmedia”.
The first xx in the local net values pretty much has to be 10, so I’m not sure why you have suppressed it.
x.11.x.160/24 is an invalid IPv4 network pattern. The 160 must be a zero. Similarly for x.145.x.1/24.
I can’t work out the difference between the two sip.conf’s.
I have spoken to my SIP provider to try and understand how to register with them, and I received this response:
If the above is for inbound SIP registration, the entries should be against sip.PROVIDER.com rather than sip-border or sip-wholesale. sip.PROVIDER.com is the only SIP registration platform we offer.
There is no need for permit and deny a static address, as only that single address will match. I suspect that sip..com is not a valid source address for the provider, in which case you do need to use a user type entry, which will mean that they have to provide their identity in the From header, rather than the CLID, or you have to use allowguest and deny/allow, and handle the call in the default context.
From the error message, it does look as though they may be using the From address as the account name, rather than as CLID. In that case, you will have to see if they are sending the CLID by some other means, and enable that mechanism in the sip.conf entry.
Seeing the full invite request may clarify what they are doing.
In your original configuration, host was bogus for the user entry, as user entries do not match on IP address (and you had malformed network masks).
Hi David, my inbound calls are from the same provider; I presumed I would need to configure each separately. The provider is AQL, host is sip.aql.com but the IP that resolves to is different from the address I receive the calls from.
To show you the full INVITE request, do I paste the contents of sip show debug on?
Yes. In this case, just the INVITE request should do. However, people often miss the first few lines, so it might be safer to start earlier than you think.
<------------>
Scheduling destruction of SIP dialog ‘bee104006623-509d419b-1cd0996d-b65d0f0-81e059c@127.0.0.1’ in 32000 ms (Method: INVITE)
Scheduling destruction of SIP dialog ‘bee104006623-509d419b-1cd0996d-b65d0f0-81e059c@127.0.0.1’ in 32000 ms (Method: INVITE)
Also, are you making a loop back call using the other account? If so you are confusing the issue, as the From address matches one of your section names, but possibly by accident. Make sure that you call from a mobile phone, or something else completely independent.
I don’t think there is anything there that will allow a user match, and as the source IP doesn’t match the official one, I think you either have to do a peer for each possible source address, or allowguest=yes and do some heavy IP address filtering.
As that involves doing things that are considered bad for security, I would suggest waiting to see if anyone else can confirm or deny.
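A sip.conf fragment that pulls together the points from the replies above: type=peer device entries with unpredictable section names, allowguest=no and alwaysauthreject=yes in [general], directmedia in place of the deprecated canreinvite, a localnet pattern with a zero host part, and one peer per address the provider actually sends INVITEs from. This is an added example for Asterisk 1.8 chan_sip, not configuration from the thread or from AQL; the addresses, section names, contexts and secret are placeholders.

```ini
; sip.conf (Asterisk 1.8, chan_sip) -- added example, not the poster's file.
; 203.0.113.10, the section names, contexts and the secret are placeholders.

[general]
context=from-unknown            ; default context: put nothing in it that can dial out
allowguest=no                   ; drop INVITEs from sources matching no section
alwaysauthreject=yes            ; identical rejection whether or not the user exists
srvlookup=yes
nat=no                          ; Asterisk and handsets inside, provider outside: the normal case
localnet=10.11.1.0/255.255.255.0 ; first octet explicit, host part zero (not .160)
directmedia=no                  ; replaces canreinvite=no

; One peer per source address the provider's INVITEs arrive from.
; A peer matches on IP, so permit/deny add nothing when host is a single address.
[provider-media-1]
type=peer
host=203.0.113.10               ; placeholder: the address the calls really come from
context=from-provider
insecure=port,invite            ; provider sends no credentials, so its INVITEs are not challenged
qualify=yes
disallow=all
allow=alaw
allow=ulaw

; Remote handset: random section name, long secret, registers from anywhere.
[ext-7f3a9c2d]
type=peer
host=dynamic
secret=REPLACE-WITH-LONG-RANDOM-SECRET
context=from-handsets
directmedia=no
qualify=yes
disallow=all
allow=alaw
```

With this layout an INVITE from an unknown address hits allowguest=no and is refused; the "fake auth rejection" line that alwaysauthreject produces is the expected trace of that refusal, and a fail2ban filter on it is what limits repeated attempts. Add a second [provider-media-N] peer for each further source address the provider uses.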
I set allowguest=off and added several permit and deny statements, but I still receive the
chan_sip.c:22041 handle_request_invite: Sending fake auth rejection for device
Can you give me an example of how to configure this?