Disable replies to INVITE messages from any IP

Hi,

I just noticed that my PBX replies to every INVITE message sent from any IP address. I want to disable this if possible.
It should just reply to addresses in the trunk configuration.

Is that possible ?

If not, what else would you suggest as a security measure ?

Btw, I know that this is related to Asterisk rather than FreePBX but I have better experiences with this forum and I’m sure someone here would know about this.

Thanks.

Did you disable anonymous sip calls?

(but you really need a well configured firewall or two also)

how can I disable anonymous sip calls ?

It’s in the wiki, did you read that yet?

I understand it is the following option.
Allow Anonymous Inbound SIP Calls: No

That is already set to “no” in my FreePBX config. But that does not stop it responding to INVITE messages. The calls are not connected, but they are still replied to with 100 and 200 OK messages.

what else should I check ?

Hi,

I have “insecure=INVITE” configured under some of my trunks. Would that cause replying to any IP ?
How can I prevent it ? Would adding a “host” definition solve it ?

Then perhaps more generally,

http://www.voip-info.org/wiki/view/Asterisk+security

ok. thank you. but that does not explain how to stop responding to INVITE messages.
I have a firewall but it doesn’t do packet inspection.
I need to stop responding to these messages at the application level.

what else can I do ? would it be affected by the “insecure=INVITE” lines ?
thanks.

yes

http://www.voip-info.org/wiki/view/Asterisk+config+sip.conf

I changed all “insecure” parameters under trunk groups. (added host definition where possible)
but I still see that INVITEs from any IP address are replied to.

There are some trunk definitions which do not have any incoming settings (empty). Would that allow such INVITEs ?

What else should I check ?

Could there be any other place (other than trunks) where I have “insecure” parameter left ?

grep insecure /etc/asterisk/sip*

alwaysauthreject

for those who take these things seriously

http://kb.smartvox.co.uk/asterisk/friendlyscanner-gets-aggressive/

from

http://kb.smartvox.co.uk/asterisk/secure-asterisk-pbx-part-1/
and
http://kb.smartvox.co.uk/asterisk/secure-asterisk-pbx-part-2/

(the ruby script is a sip proxy you put your server behind)

when I check with grep insecure /etc/asterisk/* , I only see insecure definitions for trunks under sip_additional.conf

But each of these trunks has a “host” definition under it.
That means only accept INVITEs from those IP addresses, correct ?

So, it shouldn’t be a problem.
However, I still see response from my PBX to any INVITE from any IP address.

There must be something else.

Btw, I am not interested in a firewall solution, because;

  1. I have a simple firewall with rules protecting my inbound connections
  2. I have to open port 5060 in any case because I have remote users registering.

So, the question again : Why does my FreePBX respond to any IP address ?

Thanks.

If you refuse to use a proper firewall, then maybe don’t use 5060 for sip signalling, as that is what all the knuckle draggers are expecting and that is where all the attacks land.

I am not refusing to use a firewall. I am just saying that I have to leave open 5060 because I have remote users with dynamic IP addresses.
Of course, I can consider changing the signalling port. But I could not find how it is done on FreePBX. Any clues ?

On the other hand, this should not be necessary if Asterisk works as expected.
Am I wrong ?
I mean, if ;

  1. I have no dynamic host parameter under any trunks
  2. I have all extensions configured with passwords
  3. I have static host defined for every trunk with “insecure” parameter

then Asterisk should request authorization for dynamic users with passwords and not respond to INVITE messages from ANY IP address.

Is that a wrong assumption ?

Thanks.

I don’t have your problem so I can’t answer, but if you are getting many spurious INVITEs you might be “under attack”. Perhaps explore

match_auth_username=yes

in your sip config.

(I always have my remote users register on an “unlikely port” just for added security, it is a trivial but effective way to reduce the drive-bys )
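The settings argued over in this thread (insecure=invite on trunks without a static host, host=dynamic entries without a secret, alwaysauthreject, the default port 5060 and match_auth_username) can all be checked mechanically. The script below is an added example, not code from the thread, from Asterisk or from FreePBX: a POSIX shell audit over a constructed chan_sip config. The section names, the 203.0.113.10 address and the secrets are placeholders; the file is written to a temp path so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a chan_sip config for the settings discussed in the thread.
# Everything here is constructed for the demo; nothing comes from a real PBX.

# Constructed sample sip.conf (placeholder names, address and secrets).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[general]
; default signalling port and the weak alwaysauthreject value
bindport=5060
alwaysauthreject=no

[good-trunk]
type=peer
host=203.0.113.10      ; static host: only this address matches the peer
insecure=invite

[bad-trunk]
type=peer
host=dynamic           ; insecure=invite with no fixed host: any source matches
insecure=invite
secret=trunk-secret-placeholder

[1001]
type=friend
host=dynamic
secret=ext-secret-placeholder

[1002]
type=friend
host=dynamic           ; remote user with no password at all
EOF

# Emit one line per section: "<name> <host or -> <insecure_invite 0/1> <has_secret 0/1>".
# Handles whole-line and inline ';' comments and insecure=port,invite style values.
sip_section_facts() {
    awk -F'=' '
        { sub(/;.*/, "") }                      # strip ; comments before splitting
        /^[[:space:]]*$/ { next }
        /^\[/ {
            sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            order[++n] = sec; host[sec] = "-"; inv[sec] = 0; has_secret[sec] = 0
            next
        }
        NF < 2 || sec == "" { next }
        {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (key == "host") host[sec] = val
            if (key == "insecure" && tolower(val) ~ /invite/) inv[sec] = 1
            if (key == "secret" && val != "") has_secret[sec] = 1
        }
        END { for (i = 1; i <= n; i++) { s = order[i]; print s, host[s], inv[s], has_secret[s] } }
    ' "$1"
}

# Print the value of KEY from the [general] section (empty when unset).
general_setting() {
    awk -F'=' -v want="$2" '
        { sub(/;.*/, "") }
        /^\[/ { in_general = ($0 ~ /^\[general\]/); next }
        in_general && NF >= 2 {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val)
            if (key == want) { print val; exit }
        }
    ' "$1"
}

# Sections that accept unauthenticated INVITEs (insecure=invite) from anywhere
# because no static host pins them to one address.
insecure_without_static_host() {
    sip_section_facts "$1" | awk '$3 == 1 && ($2 == "-" || $2 == "dynamic") { print $1 }'
}

# host=dynamic sections with no secret at all.
dynamic_without_secret() {
    sip_section_facts "$1" | awk '$2 == "dynamic" && $4 == 0 { print $1 }'
}

# One FINDING/NOTE line per problem; always returns 0 so callers can count lines.
sip_audit() {
    conf="$1"
    for s in $(insecure_without_static_host "$conf"); do
        echo "FINDING: [$s] has insecure=invite but no static host, so any source address matches it"
    done
    for s in $(dynamic_without_secret "$conf"); do
        echo "FINDING: [$s] is host=dynamic with no secret"
    done
    [ "$(general_setting "$conf" alwaysauthreject)" = "yes" ] ||
        echo "FINDING: [general] alwaysauthreject is not yes (rejections reveal which users exist)"
    port="$(general_setting "$conf" bindport)"
    [ -n "$port" ] && [ "$port" != "5060" ] ||
        echo "FINDING: [general] signalling is on the default port 5060 (bindport unset or 5060)"
    [ -n "$(general_setting "$conf" match_auth_username)" ] ||
        echo "NOTE: [general] match_auth_username is unset; the thread suggests exploring it"
    return 0
}

sip_audit "$SAMPLE_CONF"
```

On a real box, pass your own file instead of $SAMPLE_CONF. FreePBX spreads chan_sip settings over several generated sip_*.conf files under /etc/asterisk (the thread mentions sip_additional.conf for the trunks, and the [general] options live in a separate generated file), so run it per file or assemble the [general] block and the peer sections into one file first; this is an assumption about the layout, check your install. The parser only understands chan_sip syntax, not pjsip.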

ok. that’s a good idea. how do you achieve that ?