
Summary: ASTERISK-13106: Sip Registration for Extensions to allow only private IP address, while Trunks allowed from outside Internet
Reporter: jperry (jperry999)
Labels:
Date Opened: 2008-11-22 13:28:45.000-0600
Date Closed: 2011-06-07 14:02:53
Priority: Major
Regression? No
Status: Closed/Complete
Components: Channels/chan_sip/Registration
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: Having a phone system compromised hurts the whole community; making it easy to be more secure will help everyone.

I would like a feature to allow SIP Registration for Extensions only from private IP addresses (e.g. 192.168.x.x), but allow Trunk SIP registration from the outside Internet.

That way, anyone registering from the outside Internet would only have access for an outside incoming call; not like an extension where they have rights to make outgoing calls to their heart's content.  Outside Internet IP addresses would be blocked at a very fundamental level and thus could not even attempt thousands of Register attempts to discover passwords.



****** ADDITIONAL INFORMATION ******


See my full posting here
http://www.freepbx.org/forum/freepbx/development/security-too-easy-for-intruders-to-use-your-phones-to-make-calls
Comments:

By: dimitripietro (dimitripietro) 2008-11-22 17:54:04.000-0600

Just use

permit= and deny= in your sip.conf

By: jperry (jperry999) 2008-11-23 11:50:54.000-0600

* I looked in "The Asterisk Handbook, Version 2, Last Edit Date: 3/30/03"; in the sip.conf section (around page 56), it does NOT list permit/deny as allowed settings. (They are available for IAX)

* I now looked in O'Reilly's Asterisk book (2nd Edition), and there around page 98, for sip.conf it does list "permit/deny".

* My version of FreePBX (2.4.0) does NOT have these settings available in the Extension page.  So it looks like I should make this suggestion for FreePBX developer forum.  (Now found as http://www.freepbx.org/trac/ticket/932 )

In summary, this seems to be a documentation and FreePBX issue.  Thank you for pointing out the solution in Asterisk.

There is a question on documentation:

The O'Reilly book lists
permit=10.251.55.100/32

but SkykingOH's post says:
accept=192.168.1.0/255.255.225.0

Does Asterisk let the mask be either "/24" or "/255.255.225.0"?



By: Jason Parker (jparker) 2008-11-24 14:46:05.000-0600

The sample configs are always right.

Except when they're wrong.
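
An added example, not part of the original thread and not Asterisk or FreePBX code: a small Python audit of a sip.conf-style file that reports which sections would still accept traffic from a public address once permit=/deny= lines are taken into account. It assumes the rules are applied in file order with the last matching rule winning, and that a section with no rules allows everything; the sample config, section names and the probe address 203.0.113.10 are constructed.

```python
import ipaddress

# Constructed sip.conf fragment (not from the thread): one extension limited
# to a private subnet, one extension with no ACL, one trunk left open.
SAMPLE = """\
[101]
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[102]
host=dynamic

[trunk-provider]
host=dynamic
permit=0.0.0.0/0
"""

def parse_acls(text):
    """Return {section: [(sense, network), ...]} with rules in file order."""
    acls, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
            acls[section] = []
        elif section and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.lstrip(">").strip()
            if key in ("permit", "deny"):
                # "/24" and "/255.255.255.0" both parse; a bad mask raises ValueError
                acls[section].append((key, ipaddress.ip_network(value, strict=False)))
    return acls

def allowed(rules, addr):
    """Assumed semantics: default allow, rules in order, last match wins."""
    ip, verdict = ipaddress.ip_address(addr), True
    for sense, net in rules:
        if ip in net:
            verdict = (sense == "permit")
    return verdict

def exposed_sections(text, probe="203.0.113.10"):
    """Sections that would accept the public probe address (constructed)."""
    return [s for s, rules in parse_acls(text).items() if allowed(rules, probe)]

if __name__ == "__main__":
    print(exposed_sections(SAMPLE))
```

A mask that is not a contiguous run of one-bits is rejected by the parser here with a ValueError, which makes mistyped netmasks visible during the audit.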