Registration against domain auth

Referring to the below

```
; Matches on user [email protected] in the From user field
[[email protected]]
type=endpoint

; Matches on user [email protected] in the From user field
[[email protected]]
type=endpoint

; Matches on any 100 user that does not have domain1 or domain2 in the From user field.
[100]
type=endpoint
```

I am testing this, and it works fine.

A couple of questions…

  1. Where can I find the documentation for this?
  2. Can I use wildcards here? For example, *.domain.com
  3. If not, is there a way to set multiple domains? Or perhaps aliases.

Thanks


Thanks @PitzKey, if I’m reading this correctly, FreePBX could have a field on the extension advanced tab to accept a ‘Domain’ such that only registration attempts to that domain would be successful. All other registration attempts would receive a 403 and there appears to already be a fail2ban regex to act on the corresponding registration failure log line. Other fields in Asterisk SIP settings could allow aliases to be defined.

I don’t see a practical way of adding the domain manually by editing conf files.

That’s correct. I’ve been thinking about contributing something to either, like you said, in the advanced tab enter a domain and FreePBX will regenerate the config with [email protected], or a module which allows you to enter domains, group domains together (helpful if the extension passes a proxy sometimes) and then in the extension advanced tab select a domain or domain group from a drop-down menu.



I am very interested in this. Have you implemented this in your FPBX system? If so, how are you doing it? I have seen other PBXs use this (like FreeSWITCH) and they say that it dramatically cuts down on bots trying to hammer the server.

I believe that currently you can reorder the transport priorities, but there is no way to actually disable the IP transport, which kinda allows everything to eventually 'get hammered'.

(This might have changed though :wink: )

Asterisk will still respond with a 401 when this is implemented. This does not stop bots from discovering your server. Rather, it’s another layer of security, and if you have fail2ban tuned properly it can be another way to lower the amount of requests that do not contain a domain in the REGISTER request.
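To gauge how many failed REGISTER attempts arrive without one of your domains in the From URI before tuning fail2ban, the following added example (not part of the thread, and not FreePBX or Asterisk code) tallies them per source address. It assumes the NOTICE format that res_pjsip writes for failed requests; the log lines are constructed and `pbx.example.com` is a hypothetical allowed domain.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread), in the res_pjsip failed-request format.
SAMPLE_LOG = """\
[2024-05-01 10:00:01] NOTICE[2101]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' (callid: a1) - No matching endpoint found
[2024-05-01 10:00:02] NOTICE[2101]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7:5060' (callid: a2) - No matching endpoint found
[2024-05-01 10:00:03] NOTICE[2101]: res_pjsip/pjsip_distributor.c:688 log_failed_request: Request 'REGISTER' from '"100" <sip:100@PBX.example.com>' failed for '192.0.2.44:5061' (callid: b1) - Failed to authenticate
[2024-05-01 10:00:04] NOTICE[2101]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:admin@other.example.net>' failed for '198.51.100.7:5060' (callid: a3) - No matching endpoint found
[2024-05-01 10:00:05] NOTICE[2101]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:900@203.0.113.10>' failed for '198.51.100.9:5060' (callid: c1) - No matching endpoint found
[2024-05-01 10:00:06] VERBOSE[2101] loader.c: Reloading module 'res_pjsip.so'
"""

# Failed REGISTER line: captures the From header and the source address (IPv4 only here).
FAILED = re.compile(
    r"Request 'REGISTER' from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>[^':]+)(?::\d+)?' \(callid: [^)]*\) - (?P<reason>.+)$"
)
# Host part of the From URI, with or without a user part.
URI = re.compile(r"<sips?:(?:(?P<user>[^@>]*)@)?(?P<host>[^>;:]+)")


def off_domain_register_failures(log_text, allowed_domains):
    """Count failed REGISTERs per source IP whose From host is not an allowed domain."""
    allowed = {d.lower() for d in allowed_domains}
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # not a failed REGISTER line
        uri = URI.search(m.group("from"))
        host = uri.group("host").lower() if uri else ""
        if host not in allowed:  # bare IP or foreign domain in the From URI
            hits[m.group("ip")] += 1
    return hits


def sources_over(hits, threshold):
    """Source addresses with at least `threshold` off-domain failures."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    counts = off_domain_register_failures(SAMPLE_LOG, ["pbx.example.com"])
    print(dict(counts), sources_over(counts, 3))
```

Failures that do carry an allowed domain, such as a mistyped password from a real phone, are left out of the tally so they can be handled with a more lenient ban policy.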

No, as this requires modifying the script that actually writes out these conf files. I have had no success yet in locating the scripts, so I haven’t done anything yet with this.