Attack based on trunk name

Show us the output of ‘pjsip show endpoint test’ so we can see how this is configured.

There is code, in at least some versions, to generate identify_by:

I haven’t followed this through to see what it gets set to and when, and I haven’t checked older versions to see if this is new…

It seems to be controlled by the Match Inbound Authentication setting on the GUI, although that name seems confusing to me:

It appears to have been added after the wiki user guide was written. I guess that either the OP is using an older version, or they didn’t realise that they needed the option.


@david55 nailed it. The default setting in the pjsip advanced settings for the trunk has “Match Inbound Authentication” set to the Asterisk default, so no identify_by line is written in the generated endpoint. The Asterisk default is username,ip. You can confirm from the CLI with:

# asterisk -x " pjsip show endpoint test"  |grep identify_by
 identify_by                        : username,ip

The most common trunking use cases for fpbx will be IP auth only, in which case you will want to select ip from the dropdown in the trunk settings.

Which generates the endpoint such that identify_by is written correctly:

# asterisk -x " pjsip show endpoint test"  |grep identify_by
 identify_by                        : ip

I’m thinking that this should be the default setting when trunks are created, though I was just reminded about gateways with a mix of FXO/FXS devices that may still require both ip and username.
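The reply above checks one endpoint at a time with `pjsip show endpoint <name>`. An audit across every endpoint is what a defender actually wants: list the endpoints that can still be matched by username, including those that get there by omission, because, as stated above, an endpoint with no identify_by line falls back to the Asterisk default of username,ip. The script below is an added example written for this thread; it is not FreePBX code and not from the original post. It assumes pjsip.conf-style text as input (the sample is constructed, not taken from any real system), skips template sections marked with (!), and does not resolve template inheritance.

```python
import re
from typing import Dict, List, Tuple

# Asterisk applies this when an endpoint has no identify_by line (as noted in the thread).
DEFAULT_IDENTIFY_BY = "username,ip"

# Matches "[name]", "[name](!)" (template) and "[name](template)" section headers.
SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?\s*$")

# Constructed sample: three trunk endpoints plus an aor and a template.
SAMPLE_CONF = """
[trunk-tpl](!)          ; template, not a live endpoint
type=endpoint

[test]                  ; no identify_by line -> Asterisk default applies
type=endpoint
context=from-trunk
aors=test

[test]                  ; same name, different object type
type=aor
contact=sip:203.0.113.10

[test2]                 ; explicitly IP-only
type=endpoint
context=from-trunk
identify_by=ip

[test3]                 ; explicitly username,ip
type=endpoint
context=from-trunk
identify_by = username,ip
"""


def parse_pjsip_sections(text: str) -> List[Tuple[str, bool, Dict[str, str]]]:
    """Parse pjsip.conf-style text into (name, is_template, options) tuples.

    Duplicate section names are kept as separate entries because pjsip.conf
    reuses one name for the endpoint, aor and auth objects of a trunk.
    """
    sections: List[Tuple[str, bool, Dict[str, str]]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            is_template = header.group(2) == "!"
            current = {}
            sections.append((header.group(1), is_template, current))
            continue
        if not sections:
            continue  # option before any section header; ignore
        sep = "=>" if "=>" in line else "="
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        current[key.strip()] = value.strip()
    return sections


def endpoints_matched_by_username(text: str) -> List[Tuple[str, str]]:
    """Return (endpoint_name, effective_identify_by) for every non-template
    endpoint whose effective identify_by includes 'username'."""
    hits: List[Tuple[str, str]] = []
    for name, is_template, opts in parse_pjsip_sections(text):
        if is_template or opts.get("type") != "endpoint":
            continue
        effective = opts.get("identify_by", DEFAULT_IDENTIFY_BY)
        methods = {m.strip() for m in effective.split(",")}
        if "username" in methods:
            hits.append((name, effective))
    return hits


if __name__ == "__main__":
    for name, how in endpoints_matched_by_username(SAMPLE_CONF):
        print(f"{name}: identify_by={how} (username matching enabled)")
```

Run it against your own generated endpoint configuration and every line it prints is a trunk where setting Match Inbound Authentication to ip (as described above) removes username matching; endpoints that need username matching, such as registering devices, will of course also appear and are expected.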

If you’re doing IP based matching then it is unlikely user matching is wanted, so changing that I think would be fine from a FreePBX perspective.

I’d suggest the default should be username for inbound registration and ip in other cases.

If I understand this correctly, changing the trunk name to test-5w43gt3CTa0BZCz1pC (and I do not change any other setting) should mitigate the risk as the attacker will not be able to guess the trunk name, correct?
