allow registration from IP range

Discussion in 'General' started by syadnom, Nov 6, 2009.

  1. syadnom

    Joined:
    Aug 4, 2009
    Messages:
    36
    Likes Received:
    0
    I'm looking for a way in Asterisk to limit phone registrations to a specific IP network but be able to make exceptions, such as allowing registration from 10.0.0.0/8 and 216.12.13.14 and disallowing it from everywhere else.

    I know that this can be done with iptables but I want to have all my Asterisk configuration in Asterisk. I also want to allow anonymous inbound SIP calls from IP ranges that are not allowed to register. That way I can get inbound calls but external agents can't make calls through my system.

    I want to avoid the bulk registration hack attempts as someone might be able to guess the passwords. I must enable anonymous SIP calls as I have some ATA devices that blind forward SIP calls to my system and do not register.
     
  2. syadnom

    I want to clarify something.

    If I use iptables I have to block port 5060 to block registration, which also blocks anonymous SIP calls (from ATA devices or from ENUM), so I don't want to use iptables to do the job.

    Thanks
     
  3. pawels

    Joined:
    May 19, 2008
    Messages:
    51
    Likes Received:
    0
    Have you tried deny/permit options in extension configuration?
     
  4. syadnom

    In the web interface or in /etc/asterisk/extentions??.conf?

    What should I add? I have seen a few examples floating around in French and Portuguese but Google's translate just mangles up the explanations.
     
  5. pawels

  6. syadnom

    Thanks, but how do I make this a universal setting instead of a per-extension setting?
     
  7. syadnom

    I have tried to add the deny/permit lines to sip_general_custom.conf

    I just want to get this setting above the individual extensions in the system and make it a system wide setting.
     
  8. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
  9. syadnom

    I figured out my problem but still don't have a solution. The settings in sip_general_custom.conf are loaded first and act as a default, then sip_additional.conf is loaded and the settings in there override sip_general_custom.conf. The problem is that FreePBX seems to always put the deny and permits in there even if they are blank, so the general setting essentially always gets overridden.

    I tried to delete the deny and permit lines out of extensions right in MySQL in the sip table so that they would not be overwritten but it doesn't work. I tried deleting the contents of the permit and deny boxes in FreePBX also, but then "deny=" and "permit=" get written to sip_additional.conf on reload, which negates my settings in sip_general_custom.conf.

    The only half-solution I found was to put the deny and permit in that last included custom file for sip.conf, but if I do that I cannot make exceptions for mobile users with softphones.

    The whole idea here is to only let people with softphones register remotely, allow anonymous SIP calls, and protect against brute force attacks.

    How can I remove the settings in MySQL/FreePBX that write the deny= and permit= into sip_additional.conf? If I could do that, then I could have the general settings work and only put the deny/permits in those extensions for remote phones.

    I may just have to maintain highly complex SIP secrets and use fail2ban.
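
Added example, not part of the original thread: a small Python check that parses sip.conf-style peer sections and evaluates their deny/permit lines in order, with the last matching line deciding (as chan_sip's ACL does) and an address that matches no line allowed. The sample file, the peer names 101 and 102, and treating a blank `deny=`/`permit=` as adding no rule are assumptions of this sketch; the addresses are the ones from the first post.

```python
import ipaddress

# Constructed sample in the style of a generated sip_additional.conf.
# Peer names are hypothetical; the addresses come from the first post.
SAMPLE_CONF = """\
[101]
type=friend
deny=0.0.0.0/0.0.0.0
permit=10.0.0.0/255.0.0.0
permit=216.12.13.14/255.255.255.255

[102]
deny=
permit=
"""

def parse_peer_acls(text):
    """Return {section: [(sense, network), ...]} in file order."""
    acls, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
            acls[section] = []
        elif section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("deny", "permit") and value:  # blank value: no rule (assumption)
                acls[section].append((key, ipaddress.ip_network(value, strict=False)))
    return acls

def is_allowed(rules, addr):
    """Walk every rule in order; the last match decides, no match means allowed."""
    ip, verdict = ipaddress.ip_address(addr), "permit"
    for sense, net in rules:
        if ip in net:
            verdict = sense
    return verdict == "permit"

def unrestricted_peers(acls):
    """Peers whose section ends up with no deny rule at all."""
    return [name for name, rules in acls.items()
            if not any(sense == "deny" for sense, _ in rules)]

if __name__ == "__main__":
    acls = parse_peer_acls(SAMPLE_CONF)
    for probe in ("10.1.2.3", "216.12.13.14", "203.0.113.50"):
        print(probe, {peer: is_allowed(rules, probe) for peer, rules in acls.items()})
    print("no deny rule:", unrestricted_peers(acls))
```

Run against a copy of the generated peer file, the last function lists the extensions whose own section carries no deny rule, which is the case described in the post above.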
     
  10. dicko

    The "includes" are hierarchical and sequential in nature, starting in sip.conf. The last line parsed will have effect: the allow/deny in extensions will override anything before them, but anything after will override them. Does that make sense?
     
  11. syadnom

    Yes. Now my problem is that I want to remove the deny and allows from FreePBX that get written into sip_additional.conf on each reload. I just want to remove the configs so that they are not taking precedence. Some of my extensions do not have the allow and deny as I imported them in a batch, but ones I added manually do. How do I remove just those details from wherever FreePBX is storing the data? I assumed it was in MySQL, but when I deleted the data from MySQL and reloaded Asterisk the permit and deny re-appear, so I don't know where they are stored.
     
  12. dicko

    Look into the bulk extensions add-on for FreePBX. It allows an export/import of extensions, and fields 40 and 41 are the allow/deny ranges; it will probably save you some time.
    (Or a well-constructed MySQL query would do the same.)
     
  13. syadnom

    I tried that but I still get a permit= and deny= entry in sip_additional.conf.

    It's like once the permit and deny is in, it's in. I will look through the database and see if I can find the fields anywhere else.

    Thanks for the help.
     
  14. brost

    Joined:
    Dec 1, 2009
    Messages:
    1
    Likes Received:
    0
    Hi all,
    Please tell me how to include a "permit/deny" option in the FreePBX web GUI?
    In my FreePBX it is not present.

    FreePBX
    FreePBX 2.5.1.0
     
