You could make your FWD configs even more secure by switching to IAX (you have to register with them for it) and then you can use RSA keys (already in your * distro) to prevent faking of connections.

Check with the FWD site. There's a howto on there.

I use this method and I like it a lot. Especially as the IAX trunk allows me to have more than one concurrent call and takes up very little extra network overhead.

Mark

John Fawcett wrote:
I've now setup SIP for:
- internal softphones
- registering with external providers (like FWD) for making calls
- receiving calls from these providers

For the latter step, it was necessary to forward ports from my NAT
to the asterisk server: 5060 + range of ports mentioned in rtp.conf.

I was just wondering about how to make this setup as secure as
possible. Here's what I've done so far:

1. defined a default context in sip.conf which cannot access any
real extension.
sip.conf:
[general]
context=from-unknown-sip

extensions.conf:
[from-unknown-sip]
exten => _.,1,CONGESTION

2. for peers, defined a context which does not provide access to
outside lines.

sip.conf:
[fwd.pulver.com]
type=peer
username=688426
fromuser=688426
secret=xxxxxxxxxx
host=fwd.pulver.com
port=5060
nat=yes
canreinvite=no
insecure=very
context=sip-external
disallow=all
allow=ulaw

3. for peers, defined insecure=very which should check that the
incoming call comes from the same IP as was registered.

4. for internal softphones, which can make outgoing calls,
limited registrations to a specific network address using
deny/permit

sip.conf:
[31]
type=friend
callerid="[EMAIL PROTECTED]" <31>
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=xxxxxxxxxxxx
disallow=all
allow=ulaw
allow=alaw

Anything else I can do to improve security?

I specifically don't want anyone external to be able to make calls.

As I've opened port 5060 + rtp.conf ports only for the purpose of
receiving calls from services I have registered with, I don't want
any external phones to be able to register via this route.
Is there any risk of this if someone can guess a password (maybe
unlikely, but given time this could happen)?

Thanks,
John

_______________________________________________
Asterisk-Users mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users


--

Mark, G7LTT/KC2ENI
Randolph, NJ
http://www.g7ltt.com
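The points John lists (a dead-end default context in [general], IP-pinned peers for any section that skips INVITE authentication, deny/permit on every host=dynamic friend, a secret on everything) can be checked mechanically. The script below is an added example for this page, not code from the thread or from Asterisk: it parses sip.conf and extensions.conf with a small reader that keeps repeated keys (allow=, deny=, permit=), then audits each section against those rules. The two config texts are constructed from the fragments quoted above (the callerid line is omitted); the section and context names are the poster's, and the weakened variant is invented to show what the audit reports when the protections are missing. The one fact it relies on beyond the thread is that insecure=very (or insecure=invite) in Asterisk 1.x tells chan_sip not to challenge incoming INVITEs from that peer, so for such a peer the host= address match is the only check left.

```python
"""Audit Asterisk 1.x sip.conf / extensions.conf for the hardening points in the thread.
Example code written for this page; not part of Asterisk. Config texts are constructed."""

# Constructed from the thread's sip.conf fragments (callerid line omitted).
SIP_CONF = """\
[general]
context=from-unknown-sip

[fwd.pulver.com]
type=peer
username=688426
fromuser=688426
secret=xxxxxxxxxx
host=fwd.pulver.com
port=5060
nat=yes
canreinvite=no
insecure=very
context=sip-external
disallow=all
allow=ulaw

[31]
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=xxxxxxxxxxxx
disallow=all
allow=ulaw
allow=alaw
"""

EXTENSIONS_CONF = """\
[from-unknown-sip]
exten => _.,1,CONGESTION
"""

# Hypothetical weakened config: no default context, no deny/permit, and
# insecure=very on a host=dynamic friend (invented for illustration).
WEAK_SIP_CONF = """\
[general]

[31]
type=friend
host=dynamic
context=sip-internal
secret=xxxxxxxxxxxx
insecure=very
"""


def parse_asterisk_conf(text):
    """Return {section: [(key, value), ...]} preserving repeated keys in order.
    configparser would silently keep only the last allow=/deny=/permit= line."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' begins a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # stray line before the first [section]
        sep = "=>" if "=>" in line else "="
        key, _, value = line.partition(sep)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def values(section, key):
    return [v for k, v in section if k == key]


# Applications that end a call without reaching any real extension.
DEAD_END_APPS = {"congestion", "busy", "hangup"}


def audit(sip_text, ext_text):
    """Return a list of human-readable findings; an empty list means all rules pass."""
    sip = parse_asterisk_conf(sip_text)
    ext = parse_asterisk_conf(ext_text)
    findings = []

    default_ctx = (values(sip.get("general", []), "context") or [None])[0]
    if default_ctx is None:
        findings.append("general: no context=, unauthenticated calls land in 'default'")
    elif default_ctx not in ext:
        findings.append(f"general: context '{default_ctx}' not defined in extensions.conf")
    else:
        for exten in values(ext[default_ctx], "exten"):
            parts = exten.split(",", 2)  # pattern,priority,application(args)
            app = parts[2].split("(", 1)[0].strip().lower() if len(parts) == 3 else ""
            if app not in DEAD_END_APPS:
                findings.append(f"general: default context '{default_ctx}' runs {app!r}; should be a dead end")

    for name, body in sip.items():
        if name == "general":
            continue
        host = (values(body, "host") or [""])[0].lower()
        insecure = ",".join(values(body, "insecure")).lower()
        if not values(body, "secret"):
            findings.append(f"{name}: no secret=")
        if host == "dynamic" and not (values(body, "deny") and values(body, "permit")):
            findings.append(f"{name}: host=dynamic without deny/permit, any address with the secret can register")
        if host == "dynamic" and ("very" in insecure or "invite" in insecure):
            findings.append(f"{name}: insecure={insecure} on host=dynamic, INVITEs neither IP-pinned nor authenticated")
        if not values(body, "context"):
            findings.append(f"{name}: no context=, falls back to the [general] context")
    return findings


if __name__ == "__main__":
    print("thread config:", audit(SIP_CONF, EXTENSIONS_CONF) or "no findings")
    for f in audit(WEAK_SIP_CONF, EXTENSIONS_CONF):
        print("weak config:", f)
```

The thread's own configuration passes every rule; the weakened copy produces three findings (missing default context, registration not restricted by deny/permit, and an unauthenticated INVITE path from an unpinned host). It answers John's last question for his setup as posted: a guessed secret for [31] is useless from outside because permit= limits registration to 192.168.2.32, and anything arriving without matching credentials lands in the Congestion-only context.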
