allow registration from IP range

syadnom

Joined
Aug 4, 2009
Messages
36
Likes
0
Points
6
#1
I'm looking for a way in Asterisk to limit phone registrations to a specific IP network but be able to make exceptions, such as allowing registration from 10.0.0.0/8, 216.12.13.14 and disallowing it from everywhere else.

I know that this can be done with iptables but I want to have all my Asterisk configuration in Asterisk. I also want to allow anonymous inbound SIP calls from IP ranges that are not allowed to register. That way I can get inbound calls but external agents can't make calls through my system.

I want to avoid the bulk registration hack attempts as someone might be able to guess the passwords. I must enable anonymous SIP calls as I have some ATA devices that blind forward SIP calls to my system and do not register.
 

syadnom

#2
I want to clarify something.

If I use iptables I have to block port 5060 to block registration, which also blocks anonymous SIP calls (from ATA devices or from ENUM), so I don't want to use iptables to do the job.

Thanks
 

pawels

Joined
May 19, 2008
Messages
51
Likes
0
Points
0
#3
Have you tried deny/permit options in extension configuration?
 

syadnom

#4
In the web interface or in /etc/asterisk/extentions??.conf?

What should I add? I have seen a few examples floating around in French and Portuguese but Google's translate just mangles up the explanations.
 

pawels

#5

syadnom

#6
Thanks, but how do I make this a universal setting instead of a per-extension setting?
 

syadnom

#7
I have tried to add the deny/permit lines to sip_general_custom.conf

I just want to get this setting above the individual extensions in the system and make it a system-wide setting.
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#8

syadnom

#9
I figured out my problem but still don't have a solution. The settings in sip_general_custom.conf are loaded first and act as a default, then sip_additional.conf is loaded and the settings in there override sip_general_custom.conf. The problem is that FreePBX seems to always put the deny and permits in there even if they are blank, so the general setting essentially always gets overridden.

I tried to delete the deny and permit lines out of extensions right in MySQL in the sip table so that they would not be overwritten, but it doesn't work. I tried deleting the contents of the permit and deny boxes in FreePBX also, but then "deny=" and "permit=" get written to sip_additional.conf on reload, which negates my settings in sip_general_custom.conf.

The only half-solution I found was to put the deny and permit in that last included custom file for sip.conf, but if I do that I cannot make exceptions for mobile users with softphones.

The whole idea here is to only let people with softphones register remotely, allow anonymous SIP calls, and protect against brute force attacks.

How can I remove the settings in MySQL/FreePBX that write the deny= and permit= into sip_additional.conf? If I could do that, then I could have the general settings work and only put the deny/permits in those extensions for remote phones.

I may just have to maintain highly complex sip secrets and use fail2ban.
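
The situation described in the post above (generated per-extension sections, some carrying empty `deny=`/`permit=` lines) can be audited offline. This is an added example, not part of the thread and not FreePBX or Asterisk code; the sample config, the helper names and the outside test address 203.0.113.50 are constructed. It assumes Asterisk's ACL evaluation (rules in file order, last matching rule wins, no match allows) and, as a further assumption, that an empty value adds no rule.

```python
import ipaddress

# Constructed sample in the style of a generated sip_additional.conf (not from the thread).
SAMPLE = """\
[101]
deny=0.0.0.0/0.0.0.0
permit=10.0.0.0/255.0.0.0
permit=216.12.13.14/255.255.255.255
[102]
deny=
permit=
[103]
secret=example
"""

def parse_acls(text):
    """Return {peer: [(sense, network), ...]} in file order."""
    acls, peer = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        if line.startswith("[") and line.endswith("]"):
            peer = line[1:-1]
            acls[peer] = []
        elif peer and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            # Assumption: an empty deny=/permit= contributes no rule.
            if key in ("deny", "permit") and value:
                acls[peer].append((key, ipaddress.ip_network(value, strict=False)))
    return acls

def allowed(rules, addr):
    """Last matching rule wins; an address matching no rule is allowed."""
    verdict = True
    ip = ipaddress.ip_address(addr)
    for sense, net in rules:
        if ip in net:
            verdict = (sense == "permit")
    return verdict

def open_peers(text, outside="203.0.113.50"):
    """Peers whose own ACL would accept an address outside the trusted networks."""
    return sorted(p for p, rules in parse_acls(text).items() if allowed(rules, outside))

if __name__ == "__main__":
    print("peers without an effective restriction:", open_peers(SAMPLE))
```

Peers reported by `open_peers` are the ones that rely entirely on the strength of their SIP secret.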
 

dicko

#10
The "includes" are hierarchical and sequential in nature, starting in sip.conf. The last line parsed will have effect; the allow/deny in extensions will override anything before them, but anything after will override them. Does that make sense?
 

syadnom

#11
Yes. Now my problem is that I want to remove the deny and allows from FreePBX that get written into sip_additional.conf on each reload. I just want to remove the configs so that they are not taking precedence. Some of my extensions do not have the allow and deny, as I imported them in a batch, but ones I added manually do. How do I remove just those details from wherever FreePBX is storing the data? I assumed it was in MySQL, but when I deleted the data from MySQL and reloaded Asterisk the permit and deny re-appear, so I don't know where they are stored.
 

dicko

#12
Look into the Bulk Extensions add-on for FreePBX. It allows an export/import of extensions, and fields 40 and 41 are the allow/deny ranges; it will probably save you some time.
(Or a well-constructed MySQL query would do the same.)
 

syadnom

#13
I tried that but I still get a permit= and deny= entry in sip_additional.conf.

It's like once the permit and deny is in, it's in. I will look through the database and see if I can find the fields anywhere else.

Thanks for the help.
 

brost

Joined
Dec 1, 2009
Messages
1
Likes
0
Points
0
#14
Hi all,
Please tell me how to include the "permit/deny" option in the FreePBX web GUI.
It is not present in my FreePBX.

FreePBX
FreePBX 2.5.1.0
 
