If you want someone to ring you, using a SIP URI, you are going to have to allow people to reach your SIP server.
Given that you are giving this facility to anyone and everyone, does it not follow that most of the people calling will in fact be anonymous people? At least until they introduce themselves.
In the same way that when some one rings you on your Ma Bell phone, you don't know who is going to ring, or when they are going to ring - hence the caller is anonymous until they tell you who they are.
I can only assume that Ward thought I was referring to the tick box in general settings that says "Allow Anonymous Inbound SIP Calls" : I was not. I was referring to the fact that you must have your SIP ports open and pointed to the PBX if you want any anonymous person from anywhere at any time to call you.
Whether that is desirable is another matter.
So reading Ward's Link - he writes.
Second, if you have a default incoming route, do NOT change the No setting for Allow Anonymous Inbound SIP Calls in the General Setting section of FreePBX. Otherwise, anyone can access your PBX from anywhere.
This is only a small part of the story and can bear some clarification.
It may have been better to write:-
Second, if you have a default incoming route, do NOT change the No setting for Allow Anonymous Inbound SIP Calls in the General Setting section of FreePBX. Otherwise, anyone can ring your PBX from anywhere using any SIP URI formed with your hostname or IP.
All SIP calls which are not authenticated, e.g. do not come in to a registered SIP trunk, come to the context from-sip-external - you can see this line in /etc/asterisk/sip_general_addtional.conf
This then sends them to this context in extensions.conf:-
Code:
[from-sip-external]
;give external sip users congestion and hangup
; Yes. This is _really_ meant to be _. - I know asterisk whinges about it, but
; I do know what I'm doing. This is correct.
exten => _.,1,NoOp(Received incoming SIP connection from unknown peer to ${EXTEN})
exten => _.,n,Set(DID=${IF($["${EXTEN:1:2}"=""]?s:${EXTEN})})
exten => _.,n,Goto(s,1)
exten => s,1,GotoIf($["${ALLOW_SIP_ANON}"="yes"]?from-trunk,${DID},1)
exten => s,n,Set(TIMEOUT(absolute)=15)
exten => s,n,Answer
exten => s,n,Wait(2)
exten => s,n,Playback(ss-noservice)
exten => s,n,Playtones(congestion)
exten => s,n,Congestion(5)
exten => h,1,NoOp(Hangup)
exten => i,1,NoOp(Invalid)
exten => t,1,NoOp(Timeout)
With Allow Anonymous Inbound SIP Calls set to no, the call comes in, is answered, Sorry not in service played, play congestion tones for 5 seconds then hangup.
When set to yes, the call is controlled by inbound routes. If the DID or CLI matches, the call is sent to the destination you select.
I would argue that is more secure to have a catchall or default route with "Hangup" selected for the destination and anon set to yes, and all your DID listed with proper destinations, than to have "anon" set to no.
The reason for this is that when someone calls you with anon set to no, a message is played. With the method described above, people can only call you if they know your number or they are a person you recognise on the basis of the caller ID.
Using SIPP, a person could bring PBX to its knees in fairly short order simply by sending 5000 calls a second to any SIP URI formed with your hostname or IP, and "Sorry Not In Service message" plays 5000 times concurrently. If you simply hangup the call, that is far less load on the system, and the DOS attack is going to have to work harder to stop your PBX working.
Looking at Ward's additions to this context, he bypasses the Allow Anon with the addition of these two lines in two cases:-
Code:
exten => 3366,1,Goto(from-trunk,${DID},1)
exten => demo,1,Goto(from-trunk,3366,1)
This basically says that if you ring sip/
[email protected] or sip/
[email protected] from anywhere on the internet, any anonymous person can get at least as far as inbound routes.
To lock down your PBX you need to look further than dial plans. As Patrick suggests, there are a number of techniques to lock down SIP access - mostly mentioned here:-
http://nerdvittles.com/index.php?p=580
The main ones are:-
- Use a firewall and IP tables to block access to all but your carriers and remote phones.
- Permit and Deny in your sip settings to only have SIP listening to authorised endpoints and carriers
- Secure passwords so that SIP dictionary attacks are likely to fail
- Fail2Ban or similar to block IP addresses that try to hack the PBX or discover passwords.
Jon, I trust that this helps to clarify SIP URI's the purpose of the Allow Annonymous SIP calls, and how they can work with inbound routes.
Joe