Domain only registration and restrict IP registration of Extensions

I am running FreePBX 17 on Debian 12. I need to ensure that all pjsip extensions register only through the domain, and block registrations using the server’s IP address.

Asterisk has no way of enforcing this.

Maybe, if you’re using an SBC, you could program it to analyze the REGISTER request and see if it contains the domain name instead of the IP address before allowing it through? This would depend on the clients sending it though, which is not necessarily true.

You can use an iptables rule to match on the domain name. For example:
-A INPUT -p udp --dport 5060 -m string --string "mydomain.com" --algo bm -j ACCEPT
If this rule is after the one allowing RELATED and ESTABLISHED, the performance impact is negligible.
If you are running your own firewall, including this is pretty simple.
Unfortunately, I have not looked into how to integrate this robustly with FreePBX Firewall.
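As an added illustration (not code from this thread or from FreePBX), the script below models the two checks discussed above in Python: the plain substring test that the iptables string match performs, and the stricter Request-URI check an SBC could apply to a REGISTER. The domain pbx.example.com, the addresses and the two SIP messages are constructed samples.

```python
import re

# Constructed sample REGISTER requests; the domain and addresses are placeholders.
REGISTER_VIA_DOMAIN = (
    b"REGISTER sip:pbx.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776\r\n"
    b"From: <sip:1001@pbx.example.com>;tag=a1\r\n"
    b"To: <sip:1001@pbx.example.com>\r\n"
    b"Call-ID: 1@203.0.113.10\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Contact: <sip:1001@203.0.113.10:5060>\r\n"
    b"Content-Length: 0\r\n\r\n"
)
REGISTER_VIA_IP = (
    b"REGISTER sip:198.51.100.5 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 203.0.113.99:5060;branch=z9hG4bK001\r\n"
    b"From: <sip:1001@198.51.100.5>;tag=b2\r\n"
    b"To: <sip:1001@198.51.100.5>\r\n"
    b"Call-ID: 2@203.0.113.99\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Contact: <sip:1001@203.0.113.99:5060>\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def firewall_string_match(packet: bytes, domain: str) -> bool:
    """Models `-m string --string "<domain>" --algo bm`: a plain substring
    test over the whole UDP payload, so it is a noise filter, not authentication."""
    return domain.encode() in packet

REQUEST_LINE = re.compile(rb"^REGISTER\s+sips?:(?:[^@\s]+@)?([^\s:;>]+)", re.I)

def register_uses_domain(packet: bytes, domain: str) -> bool:
    """Stricter check an SBC could apply: the Request-URI host of the
    REGISTER must be exactly the configured domain, not the server's IP."""
    m = REQUEST_LINE.match(packet)
    return bool(m) and m.group(1).decode(errors="replace").lower() == domain.lower()

def sip_udp_rules(domain: str, port: int = 5060) -> list:
    """iptables rules in the order the post recommends: conntrack first so the
    string scan only runs on new flows, then accept the domain, then drop the rest."""
    return [
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        f'-A INPUT -p udp --dport {port} -m string --string "{domain}" --algo bm -j ACCEPT',
        f"-A INPUT -p udp --dport {port} -j DROP",
    ]

if __name__ == "__main__":
    for name, pkt in (("domain", REGISTER_VIA_DOMAIN), ("ip", REGISTER_VIA_IP)):
        print(name, firewall_string_match(pkt, "pbx.example.com"),
              register_uses_domain(pkt, "pbx.example.com"))
```

Because the string match inspects the whole payload rather than the Request-URI, it reduces scanner noise but does not replace strong SIP secrets.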

Thanks for the reply! Unfortunately I am not using an SBC. I am getting a lot of hits as the server is open in EC2; to tackle this I am trying to allow only domain access, like FreeSWITCH, as fail2ban is not blocking all the IPs.

We have been using geoblocking on our firewall for the past 4-5 years and it led to a huge reduction in attack attempts. But you’re never going to stop them all. As long as you have secure password requirements you shouldn’t be worrying about it too much.

If your devices support it, use SIP over TLS rather than UDP.
Otherwise, if possible, use SIP over TCP.
Regardless of the protocol chosen, select a random port between 20000 and 50000, instead of 5060.

If you are forced to use UDP, set up iptables to filter by domain name.

If that is also infeasible, set up the firewall to allow only small address ranges that cover your extensions.

See my post on random SIP over UDP attacks:
