On Register, Run A Script, Validate Source IP


Hi Gang

To increase security against phished passwords and similar attacks, we are considering offering customers the option to define IP ranges (or GeoIP locations) from which their dynamic registrations are accepted.

I can already look at the source IP in the dial plan, so there is no issue with validating an INVITE against a source IP.

But I would also like to prevent registrations from outside of this client’s specific allowed IP addresses as well, so the line cannot be hijacked.

So I’m looking for something like

    On Register:
    If check_allowed_ip(auth_username) {
        return;
    } else {
        Reply(403 Wrong IP for this user);
    }

Any ideas how to do that? (Yes, I asked Google and found nothing useful yet)

Kind regards

-Benoît Panizzon-

I m p r o W a r e A G – Head of Commerce Customers

5 thoughts on - On Register, Run A Script, Validate Source IP

  • You could use permit/deny in the sip.conf.

    That would require your script to update sip.conf dynamically and reload the config each time a user wants to update their accepted location.

    To avoid excessive reloads, you could have the changes take effect after 00:00, so you have a cron script which reads the user database, updates sip.conf, and then reloads Asterisk ONCE. So any changes a user makes to their source IP/GeoIP configuration on the web page will not take effect until midnight.

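The nightly regeneration suggested in the reply above, as an added example that is not code from the thread or from the Asterisk project: it turns each customer's allowed ranges into chan_sip `deny`/`permit` lines, rejects anything that is not a plain IPv4 address or network so web-form input cannot inject extra settings, and reports whether a reload is needed at all. The file name, peer names and sample data are constructed, and it assumes sip.conf pulls the generated file in with `#include`.

```python
import ipaddress
import os
import re
import tempfile

PEER_NAME = re.compile(r"[A-Za-z0-9_.-]+")  # assumed naming rule for peers

def acl_lines(ranges):
    """chan_sip deny/permit lines for one peer; ValueError on bad input."""
    lines = ["deny=0.0.0.0/0.0.0.0"]  # default deny, then allow listed nets
    for text in ranges:
        # IPv4Network() accepts only an address or address/prefix, so a
        # newline or "key=value" typed into the web form never reaches sip.conf.
        net = ipaddress.IPv4Network(text.strip())
        lines.append(f"permit={net.with_netmask}")
    return lines

def render(customers):
    """customers: {peer: [range, ...]}; peers with no ranges get no ACL."""
    out = []
    for peer in sorted(customers):
        if not customers[peer]:
            continue  # customer has not opted in to source-IP restriction
        if not PEER_NAME.fullmatch(peer):
            raise ValueError(f"bad peer name: {peer!r}")
        out.append(f"[{peer}](+)")  # (+) appends to the peer's existing section
        out.extend(acl_lines(customers[peer]))
        out.append("")
    return "\n".join(out)

def write_if_changed(path, text):
    """Replace path atomically; return True only when a reload is needed."""
    try:
        with open(path, encoding="ascii") as fh:
            if fh.read() == text:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(text)
    os.replace(tmp, path)
    return True

# Constructed sample data standing in for the customer database.
SAMPLE = {"cust1001": ["198.51.100.0/24", "203.0.113.7"], "cust1002": []}

if __name__ == "__main__":
    if write_if_changed("sip_acl.generated.conf", render(SAMPLE)):
        print('changed: run asterisk -rx "sip reload" once')
```

`mkstemp` leaves the file readable only by its owner, so the cron job should run as the user Asterisk runs as.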

  • Hi Sebastian

    Hmm, maybe using Asterisk realtime and attempting to put the config into a database would be worth a try. Until now we only use realtime for the voicemail application.

    So there isn’t any way to have, for example, a special dialplan extension or similar executed on every register (and possibly unregister, to send an alert and maybe re-route traffic if a business trunk customer goes offline)?

    Kind regards

    -Benoît Panizzon-

    I m p r o W a r e A G – Head of Commerce Customers

  • Hello,

    Have you tried with ACL (acl.conf)?

    Cheers

    On Mon, 18 Nov 2019 at 13:22, Benoit Panizzon wrote:

  • Hi,

    To me it sounds like you need an SBC. We use Kamailio in order to check users' IP addresses. There are modules like “permissions” in Kamailio that could do this. There are also pike checks, sanity checks and a bunch of other useful tools.

    If you want to secure and protect your Asterisk, you should not use Asterisk for it.

    BR
    Jöran

  • Hi Jöran

    You are absolutely right. We are on a ‘renewing our infrastructure’ project and on a ‘proof of concept’ and ‘check all needed functionality’ on using Kamailio as a highly available registration and routing engine and Asterisk for Announcements and Voicemailbox Service.

    But I have no Kamailio experience yet, and with the actual ‘commercial’ TSP Voiceswitch in use, we have some very serious functionality / signaling issues with SIP PBX customer trunk.

    So as I have been working with Asterisk for quite some time now, I was hoping to be able to find a quick fix for them using Asterisk, before I try to figure out how you, for example, register PBX Customers to Kamailio. But it turns out my project, for which I estimated I would need two days, is going to take longer, as usual. 🙂

    Kind regards

    -Benoît Panizzon-

    I m p r o W a r e A G – Head of Commerce Customers