Disallow CALLS Without Registry
HI ALL
got small question
i use call-limit=1 on peers
but call limit is not working if user is not registered on PBX and making calls
so the main question is — how to Disallow CALLS without registering on PBX
9 thoughts on - Disallow CALLS Without Registry
sip.conf configuration
In the [general] section, define:
[general]
…
allowguest=no
alwaysauthreject=yes
…
The “allowguest” line disables anonymous SIP calls to your PBX. Some SIP providers connect as a guest user, however, so this may be inappropriate for your situation. Also, if you want to accept anonymous SIP calls, this line would block them, so you wouldn’t want that. But it is listed here because it is the safest configuration.
The “alwaysauthreject” line is important. This causes a hacker to get the same response from your PBX when they try to guess passwords whether or not they guessed a valid username. This also has the side-effect of making poorly written scanning scripts (the vast majority of hacker scripts seem to be poorly written) take less resources on your Asterisk box, as even if they scan a valid username, they’ll think it doesn’t exist.
(Source: https://www.voip-info.org/wiki/view/Asterisk+security )
—
Thanks Frank, but this is not a solution. Below is my current config:
[general]
;sms
accept_outofcall_message = yes
outofcall_message_context = messages
auth_message_requests = no
;general
allowguest = no
jbenable = no
jbimpl = adaptive
allow = !all,g722,ulaw,gsm
udpbindaddr = 0.0.0.0
transport = udp
language = ru
context = public
alwaysauthreject = yes
nat = force_rport,comedia
directmedia = no
allowoverlap = no
match_auth_username = yes
progressinband = yes
textsupport = yes
videosupport = yes
maxcallbitrate = 1384
;
sendrpid = pai
rpid_update = yes
pedantic=no
;tos
tos_sip=cs3
tos_audio=ef
tos_video=cs4
2017-02-10 16:40 GMT+02:00 Frank Vanoni:
Hi Antony,
Sorry, but I don’t understand why your Asterisk accepts anon calls with the conf you provided us.
Maybe a full excerpt of an incoming call will help.
Last, there exist dialplan like GROUP and GROUP_COUNT that permit you to count the number of calls in a custom group fashion.
On 10/2/2017 11:51, “Антон Сацкий” wrote:
I don’t think either of these configuration attributes achieve what the OP requested (“how to Disallow CALLS without registering on PBX”).
In fact, I’m not sure that it’s actually possible to disallow [authenticated] calls from a peer that hasn’t registered!
As far as I can tell, ‘registration’ was never intended to be part of the authentication process. Its sole purpose is to inform the PBX as to the current location of the endpoint. I suspect this means that what the OP is asking for cannot be achieved with the current code bases.
But each time I’m proven wrong I learn something, so if I’m wrong then please by all means correct me! 🙂
Pete
I think your understanding is largely correct… although I do believe it _is_ possible to achieve what the original poster wants, with a bit of dialplan trickery.
I think you’re correct, in that registration of a peer (using proper credentials) is not normally necessary in order for that peer to be able to place a call (again, with those same valid credentials). The “ingoing” and “outgoing” aspects of a peer are fundamentally separate… and that’s why there’s no option which requires registration to make a call.
The way you’re “supposed to” prevent unauthorized calls, is to make sure that each peer has valid (unique, cryptographically-strong) credentials (i.e. a proper password). The peer has to prove that it has these when it places a call – and, so, registration per se is irrelevant. As long as you don’t allow anonymous calls to be placed, you should be OK.
Now, there probably _is_ a way to force specific peers to register prior to placing a call, if that’s what you really want to do (although I would ask “Why?” to anyone who wants to do things this way). The way I would do it, in Asterisk, is:
– Turn on “qualify”, so that Asterisk will check each registered peer periodically and confirm that it’s still on-line. Using a modest registration timeout (a few minutes) is probably also beneficial.
– Create a new dialplan context, which will be used as the initial context for all of these peers when they try to place a call. Specify this context in the definition of each such peer.
– In this call-placing context, have a single ruleset which matches all numbers being dialed.
– In this ruleset, retrieve the name of the peer placing the call (I think it’s CHANNEL(peername) but I could be wrong).
– Test the peer’s SIP status with SIPPEER($peername:status) and see if it’s OK. If so, the peer is registered – jump to another rule or ruleset which dials the requested number. If not, reject the call, or play a polite (or rude) message which explains that unregistered phones may not place calls.
Good thinking Dave, and thanks for adding your comments to the discussion. I love how Asterisk is like its own programming language; if the fundamental components your feature needs are available from the system but the glue that provides the logic doesn’t exist, then you can just write it yourself!
Excellent suggestion 🙂
Pete
With the above configuration on my Asterisk, I obtain the following result:
– if the phone is registered to Asterisk, I can place any call according to the dial plan.
– if the phone is NOT registered and I try to place a call, the phone obtains a “403 forbidden” at any calling attempt.
Now, English is not my native language, but as far as I can understand, “forbidden” means “not allowed” or “disallowed”.
THINK i found a solution
NoOP(${DB_EXISTS(/SIP/Registry/${CHANNEL(peername)})});
THANKS TO ALL
2017-02-12 12:34 GMT+02:00 Frank Vanoni:
sorry NoOP(${DB_EXISTS(SIP/Registry/${CHANNEL(peername)})});
2017-02-13 19:31 GMT+02:00 Антон Сацкий:
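The dialplan gate described in the thread (qualify, a dedicated call-placing context, CHANNEL(peername), SIPPEER status) combined with the DB_EXISTS(SIP/Registry/...) check from the last posts, as an added example that is not configuration posted by any participant. It assumes chan_sip, which keeps active registrations in the AstDB family SIP/Registry; the peer name 1001, the contexts from-phones-gated and internal, and the secret placeholder are hypothetical.

```ini
; ---- sip.conf (peer definition, added example) ----
[1001]                           ; hypothetical peer name
type=friend
host=dynamic                     ; peer must REGISTER to be reachable
secret=<strong-unique-secret>    ; placeholder; authentication stays the real control
context=from-phones-gated        ; every call from this peer enters the gate first
qualify=yes                      ; needed so SIPPEER(...,status) reports OK/UNREACHABLE
call-limit=1

; ---- extensions.conf (added example) ----
[from-phones-gated]
; One pattern for every dialed number; widen it if your dial strings
; contain characters other than digits.
exten => _X.,1,Set(PEER=${CHANNEL(peername)})
; 1) Is there a live registration record for this peer in the AstDB?
;    An empty PEER resolves to a missing key, so the call falls to reject.
 same => n,GotoIf($[${DB_EXISTS(SIP/Registry/${PEER})} = 1]?alive:reject)
; 2) Does qualify currently see the peer? Status reads like "OK (12 ms)",
;    so only the first two characters are compared.
 same => n(alive),Set(STATUS=${SIPPEER(${PEER},status)})
 same => n,GotoIf($["${STATUS:0:2}" = "OK"]?allow:reject)
; 3) Registered and reachable: hand over to the normal outbound dialplan.
 same => n(allow),Goto(internal,${EXTEN},1)
; 4) Not registered: log it for later review and reject
;    (hangup cause 21 = call rejected).
 same => n(reject),Log(WARNING,Call to ${EXTEN} from unregistered peer "${PEER}" rejected)
 same => n,Hangup(21)

[internal]
; Hypothetical context that holds the real dialing rules.
exten => _X.,1,Dial(SIP/${EXTEN},30)
 same => n,Hangup()
```

The WARNING lines give a searchable record of peers that authenticate and place calls without registering, which is also the case where the original poster saw call-limit not applied.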