I've now set up SIP for:
- internal softphones
- registering with external providers (like FWD) for making calls
- receiving calls from these providers

For the latter step, it was necessary to forward ports from my NAT to the asterisk server: 5060 + range of ports mentioned in rtp.conf.

I was just wondering about how to make this setup as secure as possible. Here's what I've done so far:

1. defined a default context in sip.conf which cannot access any real extension.

sip.conf:
    [general]
    context=from-unknown-sip

extensions.conf:
    [from-unknown-sip]
    exten => _.,1,CONGESTION

2. for peers, defined a context which does not provide access to outside lines.

sip.conf:
    [fwd.pulver.com]
    type=peer
    username=688426
    fromuser=688426
    secret=xxxxxxxxxx
    host=fwd.pulver.com
    port=5060
    nat=yes
    canreinvite=no
    insecure=very
    context=sip-external
    disallow=all
    allow=ulaw

3. for peers, defined insecure=very which should check that the incoming call comes from the same IP as was registered.

4. for internal softphones, which can make outgoing calls, limited registrations to a specific network address using deny/permit

sip.conf:
    [31]
    type=friend
    callerid="[EMAIL PROTECTED]" <31>
    host=dynamic
    deny=0.0.0.0/0.0.0.0
    permit=192.168.2.32/255.255.255.255
    context=sip-internal
    secret=xxxxxxxxxxxx
    disallow=all
    allow=ulaw
    allow=alaw

Anything else I can do to improve security? I specifically don't want anyone external to be able to make calls. As I've opened port 5060 + rtp.conf ports only for the purpose of receiving calls from services I have registered with, I don't want any external phones to be able to register via this route. Is there any risk of this if someone can guess a password (maybe unlikely, but given time this could happen)?

Thanks,
John
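Added example, not part of the original post and not Asterisk project code: a small audit that reads sip.conf text and flags entries that miss the checks the post lists (a default context in [general], a secret on every entry, and a deny-all plus permit on every host=dynamic entry). The names parse, audit and SAMPLE, the PLACEHOLDER secrets and entry [32] are assumptions made for the example; it inspects configuration text only and says nothing about how Asterisk applies it at run time.

```python
# Added example (not from the post): SAMPLE is constructed; [32] is hypothetical.
SAMPLE = """\
[general]
context=from-unknown-sip
[fwd.pulver.com]
type=peer
host=fwd.pulver.com
secret=PLACEHOLDER
context=sip-external
[31]
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=PLACEHOLDER
[32]
type=friend
host=dynamic   ; no ACL and no secret
"""

def parse(text):
    # Returns {section: [(key, value), ...]}; keys such as permit may repeat.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit(text):
    """Return (section, finding) tuples for entries that miss a check."""
    sections, findings = parse(text), []
    if not dict(sections.pop("general", [])).get("context"):
        findings.append(("general", "no default context"))
    for name, items in sections.items():
        opts = dict(items)
        denies = [v for k, v in items if k == "deny"]
        permits = [v for k, v in items if k == "permit"]
        if not opts.get("secret"):
            findings.append((name, "no secret"))
        if opts.get("host") == "dynamic" and not (
                permits and any(d.startswith("0.0.0.0/0") for d in denies)):
            findings.append((name, "host=dynamic without deny-all plus permit"))
    return findings
```

Calling audit(SAMPLE) reports only the constructed entry [32]; the [31] and [fwd.pulver.com] entries, which mirror the post's configuration, pass all three checks.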
