Re: [asterisk-users] Restrict SIP registration to one ip address only?
Remco Barendse wrote:
> Surprising that this feature isn't used much, i would suspect that many
> asterisk installations (including mine) have very simple (short) extension
> numbers which makes brute forcing them rather easy.

Extension numbers and SIP accounts basically have nothing to do with each
other. If you name your SIP accounts after the respective extension number,
you have a security issue in your design which you should solve first!

A SIP peer definition can be like

[Remcossoftclientathislaptop]
type=friend
secret=verysecretpassword
...

And then in the dialplan you just do something like

[internalcontext]
exten => 10,1,Dial(SIP/Remcossoftclientathislaptop,30)
exten => 10,2,Hangup()
...

So, the username for your SIP client would be "Remcossoftclientathislaptop"
while the dialled extension would be "10".

Terve,
Stefan

--
Last words of a stormchaser:
"Where is that rotation on the radar?!"

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

AstriCon 2008 - September 22 - 25 Phoenix, Arizona
Register Now: http://www.astricon.net

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
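An added example, not part of the original post: a small audit over a sip.conf-style text that flags the two weaknesses raised in this thread, a peer whose account name is just a dialable number and a host=dynamic peer with no deny/permit lines. The sample configuration and the names parse_sections and audit are constructed for illustration.

```python
import re

# Constructed sip.conf fragment; only the long peer name comes from the thread.
SAMPLE_SIP_CONF = """\
[general]
bindport=5060
[10]
type=friend
secret=1234
host=dynamic
[Remcossoftclientathislaptop]
type=friend
secret=verysecretpassword
host=dynamic
deny=0.0.0.0/0
permit=192.168.123.0/24
[nokia-roaming]
type=friend
host=dynamic
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    """List (peer, finding) pairs for the two weaknesses discussed in the thread."""
    findings = []
    for name, opts in parse_sections(text).items():
        keys = [k for k, _ in opts]
        if "type" not in keys:                   # [general] is not a peer
            continue
        if name.isdigit():
            findings.append((name, "account name equals a dialable number"))
        if ("host", "dynamic") in opts and "deny" not in keys and "permit" not in keys:
            findings.append((name, "host=dynamic without deny/permit"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SIP_CONF), sep="\n")
```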
Re: [asterisk-users] Restrict SIP registration to one ip address only?
On Wed, 17 Sep 2008, Jared Smith wrote:

> On Wed, 2008-09-17 at 19:58 +0200, Remco Barendse wrote:
>> Why doesn't Asterisk allow both username&pass as well as setting an ip
>> address on a sip.extension?
>
> It does. To enforce ACLs on a SIP user or peer or friend, simply use
> "permit" and "deny" statements to allow and disallow various IP
> addresses or subnets. Standard practice seems to be to deny everything
> first, then specifically allow other IP addresses.
>
> [user]
> type=friend
> secret=mypassword
> host=dynamic
> deny=0.0.0.0/0
> permit=10.1.2.3
> permit=192.168.123.0/24
> permit=192.168.222.0/255.255.255.0

Cool, this is exactly what i was looking for, i couldn't find a reference to
it anywhere else.

Surprising that this feature isn't used much, i would suspect that many
asterisk installations (including mine) have very simple (short) extension
numbers which makes brute forcing them rather easy.

I was never concerned about short extension numbers and easy passwords until
the need came up to connect to my * box from outside.

Thanks again!
Re: [asterisk-users] Restrict SIP registration to one ip address only?
It will syntactically take that definition, but it's nearly pointless.

I suspect he is encountering a problem I have found: It doesn't fully
support static and registration simultaneously.

Most notably, at least in 1.2 (and probably 1.4) if you create a
registrable peer it is NOT monitorable (using 'qualify=yes'). So, you have
no idea if the phone is really offline or simply registered to one of the
other servers in your server farm. And, no, 'defaultip=x.x.x.x' doesn't
help either. You would think it would.

If you create a purely static peer, it rejects registration (even if it's
from the right address). That makes sense.

This complicates things in a distributed environment.

I'd love to be wrong about this.

John

Mr Shunz wrote:
>> Maybe a bit silly question, but why doesn't Asterisk accept if you set
>> both a username&password as well as an ip address for a phone?
>>
>
> but it does accept!
>
> in a peer definition:
>
> [user]
> type=user      ; (or better friend)
> username=user
> secret=secret
> host=10.0.0.1
>
> [snip]
>
>
>> It's obvious that the more phones you have the more successful a brute
>> force attack on the server will be, so i would only like to allow access
>> to the 2 Nokia phones from "any" ip.
>>
>
> just set host=dynamic for those peers only
>
> cheers
Re: [asterisk-users] Restrict SIP registration to one ip address only?
On Wed, 2008-09-17 at 19:58 +0200, Remco Barendse wrote:
> Why doesn't Asterisk allow both username&pass as well as setting an ip
> address on a sip.extension?

It does. To enforce ACLs on a SIP user or peer or friend, simply use
"permit" and "deny" statements to allow and disallow various IP
addresses or subnets. Standard practice seems to be to deny everything
first, then specifically allow other IP addresses.

[user]
type=friend
secret=mypassword
host=dynamic
deny=0.0.0.0/0
permit=10.1.2.3
permit=192.168.123.0/24
permit=192.168.222.0/255.255.255.0

--
Jared Smith
Training Manager
Digium, Inc.
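An added example, not part of the original post: it evaluates the [user] ACL from the message above against a few source addresses and shows why the catch-all deny has to come first. It assumes Asterisk's evaluation order (default allow, every deny/permit line checked in file order, last matching line decides); the names USER_ACL, MISORDERED_ACL, parse_acl and acl_allows are made up for this sketch.

```python
import ipaddress

# Rules in file order, copied from the [user] example in the message above.
USER_ACL = [
    ("deny", "0.0.0.0/0"),
    ("permit", "10.1.2.3"),
    ("permit", "192.168.123.0/24"),
    ("permit", "192.168.222.0/255.255.255.0"),
]
# Constructed mistake: the same lines with the catch-all deny moved last.
MISORDERED_ACL = USER_ACL[1:] + USER_ACL[:1]

def parse_acl(rules):
    """Turn (keyword, spec) pairs into (keyword, network) pairs.

    ip_network() accepts a bare host, CIDR and dotted-netmask notation,
    the three forms that appear in the example.
    """
    parsed = []
    for keyword, spec in rules:
        if keyword not in ("permit", "deny"):
            raise ValueError(f"unknown ACL keyword: {keyword!r}")
        parsed.append((keyword, ipaddress.ip_network(spec, strict=False)))
    return parsed

def acl_allows(rules, source_ip):
    """Return True if source_ip passes the ACL.

    Assumed semantics: start from "allow", walk every rule in order,
    and let the last matching rule decide.
    """
    addr = ipaddress.ip_address(source_ip)
    allowed = True                       # an empty ACL lets everything in
    for keyword, network in parse_acl(rules):
        if addr in network:
            allowed = (keyword == "permit")
    return allowed

if __name__ == "__main__":
    # 203.0.113.50 is a constructed outside address (documentation range).
    for ip in ("10.1.2.3", "10.1.2.4", "192.168.222.77", "203.0.113.50"):
        print(f"{ip:16} correct={acl_allows(USER_ACL, ip)!s:6}"
              f" misordered={acl_allows(MISORDERED_ACL, ip)}")
```

With the deny line last, every address is rejected, including the ones the permit lines were meant to admit; with no deny line at all, every address is accepted.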
Re: [asterisk-users] Restrict SIP registration to one ip address only?
> Maybe a bit silly question, but why doesn't Asterisk accept if you set
> both a username&password as well as an ip address for a phone?

but it does accept!

in a peer definition:

[user]
type=user      ; (or better friend)
username=user
secret=secret
host=10.0.0.1

[snip]

> It's obvious that the more phones you have the more successful a brute
> force attack on the server will be, so i would only like to allow access
> to the 2 Nokia phones from "any" ip.

just set host=dynamic for those peers only

cheers

--
Daniele Santi          .o.
[EMAIL PROTECTED]      ..o  ()  ascii ribbon campaign
Linux User #415108     ooo  /\  www.asciiribbon.org
[asterisk-users] Restrict SIP registration to one ip address only?
Maybe a bit silly question, but why doesn't Asterisk accept if you set
both a username&password as well as an ip address for a phone?

My fixed phones in my home all have a fixed ip address, but i also have 2
Nokia GSM phones that can talk sip which i would like to use from public
wifi.

It's obvious that the more phones you have the more successful a brute
force attack on the server will be, so i would only like to allow access
to the 2 Nokia phones from "any" ip.

Why doesn't Asterisk allow both username&pass as well as setting an ip
address on a sip.extension?