IP based registration & deny/permit in trunk

We are running the FreePBX distro with Asterisk 11.
We have “Allow Anonymous Inbound SIP Calls = no” and “allow SIP guests = no”.

Inbound calls are authenticated via the trunk IP but I see a lot of “failed registration attempts” in the log with
NOTICE.* .: Registration from '.’ failed for ':.’ .
where from ‘.*’ is our own server IP and the foreign IP.
Fail2ban catches the attempts and bans the IP.

Would it make sense to use the deny/permit statement in the trunk to make sure only calls from the designated IP are accepted, or is this already the default by not allowing anonymous SIP calls?

Thanks.
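For triaging the failed-registration notices described in the question, this added example (not posted by anyone in the thread) tallies them per source IP and per failure reason. It assumes the Asterisk 11 chan_sip notice layout and its standard reason strings; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed Asterisk 11 chan_sip notice layout. The From value is supplied by
# the remote side, so the pattern is greedy and end-anchored: the address is
# always read from the tail of the line that Asterisk itself wrote.
REG_FAIL = re.compile(
    r"NOTICE\[\d+\].*?chan_sip\.c.*?Registration from '(?P<aor>.*)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>[^']+)$"
)

def failed_registrations(lines, trusted=()):
    """Map source IP -> Counter of failure reasons, skipping trusted IPs."""
    seen = defaultdict(Counter)
    for line in lines:
        m = REG_FAIL.search(line.rstrip())
        if m and m.group("ip") not in trusted:
            seen[m.group("ip")][m.group("reason")] += 1
    return seen

def offenders(lines, threshold=3, trusted=()):
    """IPs with at least `threshold` failures, most active first."""
    per_ip = failed_registrations(lines, trusted)
    totals = {ip: sum(reasons.values()) for ip, reasons in per_ip.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: (-totals[ip], ip))

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    "[2015-03-02 10:15:01] NOTICE[2211] chan_sip.c: Registration from '\"1001\" <sip:1001@192.0.2.10>' failed for '203.0.113.50:5071' - Wrong password",
    "[2015-03-02 10:15:02] NOTICE[2211] chan_sip.c: Registration from '\"1002\" <sip:1002@192.0.2.10>' failed for '203.0.113.50:5071' - No matching peer found",
    "[2015-03-02 10:15:03] NOTICE[2211] chan_sip.c: Registration from '\"admin\" <sip:admin@192.0.2.10>' failed for '203.0.113.50:5071' - No matching peer found",
    "[2015-03-02 10:20:44] NOTICE[2211] chan_sip.c: Registration from '\"2001\" <sip:2001@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password",
    "[2015-03-02 10:31:09] NOTICE[2211] chan_sip.c: Registration from '<sip:trunk1@192.0.2.10>' failed for '198.51.100.99:5060' - Device does not match ACL",
    "[2015-03-02 10:32:00] NOTICE[2211] chan_sip.c: Peer '2001' is now UNREACHABLE!",
]

if __name__ == "__main__":
    for ip, reasons in failed_registrations(SAMPLE_LOG).items():
        print(ip, dict(reasons))
    print("over threshold:", offenders(SAMPLE_LOG))
```

"Device does not match ACL" is the reason chan_sip logs when a peer's deny/permit list rejects the source address, so it separates ACL rejections from password guessing against existing or non-existent peers.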

If you expose your system to the Internet it will get probed. You might consider blocking inbound SIP to only your provider.

I appreciate your suggestion but I really need an answer to my above question. I want to really understand how the system works with IP authentication.

If you want to “really understand how the system works with IP authentication” your best bet would be to read the documentation on how it works.

I want to stress that using a firewall to block the attempts at registration is the best way to achieve your goal and can assure you that many of the forum members would make the same suggestion to use a firewall.

What documentation?
Using a firewall is not an option for this particular system. Our users have dynamic IPs.

Think about not using 5060 for SIP signaling perhaps.

First of all, you can use a firewall. All modern firewalls can do DNS policies, so if you can get your subscribers to use DDNS you can stop the attempts.

You have layer 3 and layer 4 all confused (ISO model). Access lists operate at Layer 3; anonymous SIP is protocol based and allows unauthenticated SIP messages into the dial plan at a predetermined context. This is all covered in the Asterisk documentation.

At Layer 3 you could at least block IPs from countries other than where your subscribers are located.

I have said it before and this is a prime example. I find it stunning that you run a carrier, serving the public’s need, necessity and convenience and don’t understand Asterisk fundamentals and do not have a grasp of basic networking concepts.

I suggest you consider hiring someone and you concentrate on managing and growing your business.