I just noticed that my PBX replies to every INVITE message sent from any IP address. I want to disable this if possible.
It should just reply to addresses in the trunk configuration.
Is that possible?
If not, what else would you suggest as a security measure?
Btw, I know that this is related to Asterisk rather than FreePBX but I have better experiences with this forum and I’m sure someone here would know about this.
I understand it is the following option.
Allow Anonymous Inbound SIP Calls: No
That is already set to “no” on my FreePBX config. But that does not stop it responding to INVITE messages. The calls are not connected, but they are still replied to with 100 and 200 OK messages.
I have “insecure=INVITE” configured under some of my trunks. Would that cause replies to any IP?
How can I prevent it? Would adding a “host” definition solve it?
OK, thank you. But that does not explain how to stop responding to INVITE messages.
I have a firewall but it doesn’t do packet inspection.
I need to stop responding to these messages at the application level.
What else can I do? Would it be affected by the “insecure=INVITE” lines?
Thanks.
I changed all “insecure” parameters under trunk groups (added a host definition where possible),
but I still see that INVITEs from any IP address are replied to.
There are some trunk definitions which do not have any incoming settings (empty). Would that allow such INVITEs?
What else should I check?
Could there be any other place (other than trunks) where I have an “insecure” parameter left?
If you refuse to use a proper firewall, then maybe don’t use 5060 for SIP signalling, as that is what all the knuckle draggers are expecting and that is where all the attacks land.
I am not refusing to use a firewall. I am just saying that I have to leave open 5060 because I have remote users with dynamic IP addresses.
Of course, I can consider changing the signalling port. But I could not find how it is done on FreePBX. Any clues?
On the other hand, this should not be necessary if Asterisk works as expected.
Am I wrong?
I mean, if:
I have no dynamic host parameter under any trunks,
I have all extensions configured with passwords,
I have a static host defined for every trunk with an “insecure” parameter,
then Asterisk should request authorization for dynamic users with passwords and not respond to INVITE messages from ANY IP address.
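
The conditions listed in the last post, plus the anonymous-calls setting mentioned earlier, can be checked mechanically. The following is an added example, not part of the thread: a small Python audit over chan_sip-style sections, where the sample config, section names, addresses and secrets are constructed and `allowguest` is assumed to be the option behind “Allow Anonymous Inbound SIP Calls”.

```python
# Constructed sample in chan_sip style; names, addresses and secrets are invented.
SAMPLE = """\
[general]
allowguest=no
[trunk-a]
type=peer
host=192.0.2.10
insecure=port,invite
[trunk-b]            ; no host line
type=peer
insecure=invite
[1001]
type=friend
host=dynamic
secret=s3cretPass
[1002]               ; no secret
type=friend
host=dynamic
"""

def parse(text):
    """Parse INI-style sections into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("["):
            current = sections.setdefault(line[1:].split("]")[0], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(text):
    """Return sorted (section, finding) pairs for the conditions listed in the thread."""
    sections = parse(text)
    findings = []
    if sections.get("general", {}).get("allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest is not 'no'"))
    for name, opts in sections.items():
        if name == "general":
            continue
        host = opts.get("host", "").lower()
        skips_auth = "invite" in opts.get("insecure", "").lower()
        if skips_auth and host in ("", "dynamic"):
            findings.append((name, "insecure=invite without a static host"))
        if host == "dynamic" and not skips_auth and not opts.get("secret"):
            findings.append((name, "dynamic host without a secret"))
    return sorted(findings)
```

Template inheritance and `#include` files are not resolved, so the input should be the merged configuration text.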