How to stop voice traffic from softphones

Hi Guys,
Hope you all are staying safe in this mess (COVID-19) around the globe.

Due to WFH policies I have allowed users to use softphones, but now I observe that users are using cracked phones or any softphone. So I want to restrict users to only use the softphone recommended by our Technical Team.

Is there any way that I can restrict users to use only one softphone? For example, if I recommend Zoiper, they can only use Zoiper and no other softphone.

Not easily. You would only be able to deny calls but you couldn’t stop REGISTERs since there’s no method to parse those requests. At best you can look at the User Agent via the dialplan of the contact and decide if you want to deliver/allow calls to/from it.

Yes, I know in SIP headers there is a User-Agent field, and in the Asterisk dialplan we can also define a user agent, but I am not sure how I can restrict users to only register via the recommended softphone.

You can’t, there is no method for it. You would have to implement a proxy like Kamailio or OpenSIPS to deal with that as they would let you parse/read/rewrite/etc the SIP requests before they hit the PBX.

Use any softphone that supports remote provisioning and does not permit the password to be viewed in the settings. Then, the end user won’t know the secret for his extension so won’t be able to use another client.

Good idea. Can you give me any name?

Perhaps this?
https://www.zoiper.com/en/support/answer/for/windows/69/Provisioning

We currently use Bria Teams, but I'm looking into others due to the high price on Bria. I do love Bria though, but would prefer an unlimited licence.

My users are on cell phones using softphones.

Perhaps you should look at providing a webrtc (websocket / wss://) soft client service (perhaps FOP2 or UCP), they just need a supporting browser, Chromium being a good choice for phones and desktops.


If not using TLS, it’s easy to block in iptables. Something along the lines of:

 # dedicated chain for SIP user-agent filtering
 iptables -N sip.agents
 # accept packets whose payload carries an approved User-Agent header (Boyer-Moore string match)
 iptables -A sip.agents -m string --string "User-Agent: Acme Phone UA String" --algo bm -j ACCEPT
 iptables -A sip.agents -m string --string "User-Agent: Widget Phone UA String" --algo bm -j ACCEPT
 iptables -A sip.agents -m string --string "User-Agent: Some Other UA String" --algo bm -j ACCEPT
 # anything else that reached this chain is dropped
 iptables -A sip.agents -m comment --comment "Failed User Agent Match" -j DROP

I don’t use the distro firewall, so can’t comment where it would be appropriate to insert the rules.


If you are using SIP registration, it wouldn't be hard to make a little bash script that kicks off every minute maybe, checks the active peer registrations, greps out for the "Useragent " type, and if it isn't matching the softphone model you want, could unregister the phone maybe?

This is a good idea, but how can I do that? Any guidelines?

Forcing an unregister is troublesome and arguably mostly useless.

The phone will just re-register in however many seconds it defaults to. Even unregistered it can probably still make calls, but won’t receive them. The user will likely be totally unaware the phone is not 100% operational until a caller complains calls to the user are going to VM.

IMO, the iptables solution is best if not using TLS, otherwise you will need some dialplan code/context to check the user agent and redirect calls from invalid agents to some sort of not authorized error message.

I’ll write some code up today and try it out for you.
As @jerrm indicated, sending an unregister command isn't the best idea, although if done, and you had a firewall going, it would probably cause the phone to be blocked by the firewall automatically.

Anyway, in a couple of hours I'll #bash something together!

Yes, this is the case: even when the phone is unregistered it can make calls.

But the question is why and how? If they are unregistered, why and how can they make calls?

Thanks Dickson.
I will try the code when it’s ready.

Registration is for Inbound Requests to the endpoint. You register with your provider or a phone to the PBX, you are telling them where to send requests to that endpoint. You need to auth to register.

Outbound calls do not require a registration as it’s outbound and not related to inbound. When you make the call the systems will challenge and auth you (like a register) and as long as that auth is correct the call can happen.

Being able to stop outbound calls if there are no registered contacts is something that can be handled in the device OR at a higher level but FreePBX/Asterisk has no logic for that baked in.

Why/How? Experience suggests otherwise.

Here’s some code to put into a bash script. I put as much comments into it as I could think of.

https://pastebin.com/LH7rfYVU

Basically this script will look at all active SIP extensions.
It pulls a list of all active extensions and then looks at what kind of device each one is.
It will then pull the IPs of matching extensions and put in a firewall ban.

When the script is run, it will take a look at the previous IPs it put in as a ban, then remove them if applicable.
It will wait a pre-determined amount of time (you can enter in the duration) after it has cleared everything to allow everyone to reconnect that might have been blocked.
It will then look at their devices and reban if necessary.

You could kick the script off every minute or whatever.
If any problems let me know.

ALSO
At the very bottom of the script, put a comment on that "eval" command.
If you want to test, that is the command that puts in firewall bans. So if you comment it out, the script will just skip it.

 #Comment out this next line if you want to test, but not apply any rules to the firewall
 eval "$FirewallCommand"

Anyway, if you have any questions fire away.
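The following is an added example written for this thread, not the pastebin script above: it implements the periodic check sketched earlier (read the registered peers, compare each Useragent with an allowlist, fire an iptables DROP for offenders) in a form that runs offline against a constructed sample. The "sip show peer" output format and the ALLOWED_AGENTS regex are assumptions; DRY_RUN=1 (the default) only prints the firewall command, mirroring the "comment out the eval line" test mode.

```shell
#!/usr/bin/env bash
# Added example: ban source IPs of peers whose User-Agent is not on the allowlist.
# Sample input below is constructed; on a real PBX feed in `asterisk -rx "sip show peer <ext>"`.
set -u

ALLOWED_AGENTS='^(Zoiper|Bria)'   # regex of permitted User-Agent prefixes (assumption)
SIP_PORT=5060

# Constructed sample resembling "sip show peer" output for three peers, concatenated;
# only the three fields this script reads are shown (real output has many more lines).
SAMPLE_PEERS='  * Name       : 1001
  Addr->IP     : 203.0.113.10:5060
  Useragent    : Zoiper rv2.10.6.1
  * Name       : 1002
  Addr->IP     : 198.51.100.23:51234
  Useragent    : Linphone/4.2
  * Name       : 1003
  Addr->IP     : 192.0.2.7:5060
  Useragent    : Bria 5.8.1'

# Reads peer output on stdin; prints "<ext> <ip> <useragent>" for each peer whose
# agent does not match ALLOWED_AGENTS. Peers without a Useragent line are not flagged.
find_offenders() {
    awk -v allow="$ALLOWED_AGENTS" '
        /^ *\* Name *:/   { name = $NF }
        /^ *Addr->IP *:/  { ip = $3; sub(/:[0-9]+$/, "", ip) }   # strip the port
        /^ *Useragent *:/ { sub(/^ *Useragent *: */, "")
                            if ($0 !~ allow) print name, ip, $0 }'
}

# Builds the firewall command for one offender; echoes it unless DRY_RUN=0.
ban_ip() {   # $1 = ext, $2 = ip, $3.. = user agent string
    ext=$1; ip=$2; shift 2
    set -- iptables -I INPUT -s "$ip" -p udp --dport "$SIP_PORT" \
           -m comment --comment "UA ban $ext: $*" -j DROP
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "DRY-RUN: $*"; else "$@"; fi
}

# Run over the constructed sample (replace the printf with the asterisk -rx output on a PBX).
printf '%s\n' "$SAMPLE_PEERS" | find_offenders | while read -r ext ip agent; do
    ban_ip "$ext" "$ip" "$agent"
done
```

Run it from cron every minute as the thread suggests; the un-ban-and-recheck cycle the pastebin script adds is left out here to keep the core check readable.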