PIONEERS New SIP Firewall Design for Publicly-Accessible PBX

jerrm

Guru
Joined
Sep 23, 2015
Messages
491
Reaction score
204
for i in $(cat $(ls *.zone | egrep -v '^(ca|us)\.zone$')); do echo "add -exist restofworld $i"; done | ipset restore

but you need maxelem to be 256k to get the whole set.
I know what to do and how, but it's one of those hind-sight things that aren't worth the trouble for now. It's done in our IPv6 firewall code, but that isn't deployed anywhere yet.
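The one-liner above does the job once the set already exists with a large enough maxelem. As an added example (not jerrm's code or part of the Incredible PBX scripts), the script below generates the whole `ipset restore` input, including the `create` line, and sizes maxelem from the real entry count instead of guessing 256k. It assumes the ipdeny-style layout of one `<cc>.zone` file per country with one IPv4 CIDR per line; the zone files it builds are constructed sample data using documentation ranges, so it runs offline without root.

```shell
#!/bin/sh
# Added example (not the poster's code): generate an `ipset restore` script that
# loads every country zone file except the countries that should keep direct
# access, sizing maxelem from the actual number of entries.
# Assumes per-country files named <cc>.zone with one IPv4 CIDR per line
# (the layout of the ipdeny.com zone files).

# make_sample_zones: constructed sample input so the script runs offline.
# Prints the directory it created. RFC 5737 ranges plus one RFC 1918 block.
make_sample_zones() {
  d=$(mktemp -d)
  printf '192.0.2.0/25\n192.0.2.128/25\n' > "$d/us.zone"
  printf '198.51.100.0/24\n' > "$d/ca.zone"
  printf '203.0.113.0/26\n203.0.113.64/26\n203.0.113.128/25\n' > "$d/de.zone"
  printf '\n# comment line that must be skipped\n10.0.0.0/8\n' > "$d/xx.zone"
  echo "$d"
}

# zone_entries DIR KEEP: print the CIDRs of every DIR/*.zone whose country
# code is not in the space-separated KEEP list, dropping blank lines, comments
# and anything that is not a dotted quad with an optional /prefix.
zone_entries() {
  dir=$1
  keep=$2
  for f in "$dir"/*.zone; do
    cc=$(basename "$f" .zone)
    case " $keep " in *" $cc "*) continue ;; esac
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' "$f" || true
  done
}

# maxelem_for N: smallest power of two >= N, never below 1024. A set created
# too small makes later `add` commands fail with "Hash is full".
maxelem_for() {
  m=1024
  while [ "$m" -lt "$1" ]; do m=$((m * 2)); done
  echo "$m"
}

# restofworld_restore DIR KEEP: emit the complete restore script on stdout.
# On a real firewall pipe it into `ipset restore` as root.
restofworld_restore() {
  entries=$(zone_entries "$1" "$2")
  n=$(printf '%s\n' "$entries" | grep -c . || true)
  echo "create -exist restofworld hash:net family inet hashsize 4096 maxelem $(maxelem_for "$n")"
  printf '%s\n' "$entries" | sed 's/^/add -exist restofworld /'
}

# Stand-alone demo on the constructed zone files: prints, does not load.
demo_dir=$(make_sample_zones)
restofworld_restore "$demo_dir" "ca us"
rm -rf "$demo_dir"
```

With real zone files the `create` line lands well above 256k for the full set, which is the limit jerrm mentions; `-exist` on both `create` and `add` lets the same script be re-run after a zone refresh without tearing the set down first.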
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
631
Reaction score
97
@wardmundy,
I am calling as a random caller from [email protected]. I am calling [email protected]. mypbx.org is the FQDN of the open PBX (for non registrations) and sip.mypbx.org is the FQDN for registrations.

The IP you see from the log snippet is the IP of the caller, not the callee.

So this is why I'm asking. The whole point here is to allow anonymous SIP safely, is it not?
So, a bit different now. This is an anonymous sip call to server:
[2019-02-07 20:18:23] NOTICE[12873][C-00000004]: chan_sip.c:26374 handle_request_invite: Failed to authenticate device "myFqdnOfServer.com" <sip:[email protected]>;tag=as56a8a5a0
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,954
Reaction score
2,579
Sorry. I misunderstood. Are you calling from inside a firewall? Is there also a VoIP server inside that same firewall? Do you have UDP 5060 mapped from the firewall to your VoIP server? This is the one scenario we've seen where there is a problem connecting.

What else does Asterisk CLI show when the call comes in?

Are you sure your correct FQDN has been added to line 10 of extensions_override_freepbx.conf and that you restarted Asterisk?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,954
Reaction score
2,579
SECURITY ALERT: Never use the SIP URI MOD on a server with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.
 

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
599
Reaction score
72
Location
Bangor, ME USA
But if you do this SIP Firewall design, it doesn't expose the SIP port anyway, does it? As I have MOSTLY all remotes, this Firewall design would be good for my redesign, as Alpharacks keeps shutting down on its own from time to time for no reason, so I have to move again anyway. And if it can only register to a FQDN, wouldn't that prevent the degenerates from gaining access?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
14,954
Reaction score
2,579
@mainenotarynet: This only applies to adding outbound SIP URI dialing support. SIP is most definitely exposed in the public server design, but not in traditional Incredible PBX 13-13 deployments with Travelin' Man 3. Otherwise incoming anonymous SIP URI connections would fail. Yes, the FQDN requirement helps, but it's security through obscurity. Make sure it's a very unusual FQDN if you go that route and need outbound SIP URI support. Then pray you don't have any disgruntled employees.
 
