PIONEERS New SIP Firewall Design for Publicly-Accessible PBX

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
for i in $(cat $(ls *.zone | egrep -v "^(ca|us)\.zone$")); do echo "add -exist restofworld $i"; done | ipset restore

but you need maxelem to be 256k to get the whole set.
I know what to do and how, but it's one of those hind-sight things that aren't worth the trouble for now. It's done in our IPv6 firewall code, but that isn't deployed anywhere yet.
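Added example, not jerrm's code: a small POSIX sh script that turns a directory of ipdeny-style *.zone files (one CIDR per line, named by country code) into an ipset restore stream for the restofworld set. It goes a bit beyond the one-liner above: it sizes maxelem from the actual entry count (never below the 256k mentioned), filters out anything that isn't an a.b.c.d/nn line, and builds the entries into a scratch set that is then swapped into place so the firewall never references a half-loaded set. The set name, the zone directory and the excluded country list are assumptions.

```shell
#!/bin/sh
# Generate an `ipset restore` script for a hash:net set from *.zone files.
# Added example; "restofworld", the zone directory and the excluded country
# codes are illustrative assumptions, not values from the original post.

# Usage: build_restofworld ZONE_DIR [SETNAME] [EXCLUDED_CCS]
# Prints the restore stream on stdout; pipe it into `ipset restore`.
build_restofworld() {
    zone_dir=$1
    setname=${2:-restofworld}
    exclude=${3:-"ca us"}
    tmpset="${setname}_new"

    # First pass: count CIDR lines so maxelem is declared large enough
    # (the ipset default of 65536 cannot hold the whole world).
    total=0
    for f in "$zone_dir"/*.zone; do
        [ -f "$f" ] || continue
        cc=$(basename "$f" .zone)
        case " $exclude " in *" $cc "*) continue ;; esac
        n=$(grep -c '^[0-9]' "$f" || true)
        total=$((total + n))
    done

    # Round up to a power of two, never below 256k.
    maxelem=262144
    while [ "$maxelem" -lt "$total" ]; do maxelem=$((maxelem * 2)); done

    # Second pass: load everything into a scratch set, then swap it in.
    echo "create $tmpset hash:net family inet hashsize 65536 maxelem $maxelem"
    for f in "$zone_dir"/*.zone; do
        [ -f "$f" ] || continue
        cc=$(basename "$f" .zone)
        case " $exclude " in *" $cc "*) continue ;; esac
        # Keep only well-formed a.b.c.d/nn lines; skip comments and blanks.
        grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$' "$f" \
            | sed "s/^/add $tmpset /"
    done
    echo "swap $tmpset $setname"
    echo "destroy $tmpset"
}

# Usage: apply_restofworld ZONE_DIR [SETNAME]
# swap needs the live set to exist, so create an empty one the first time.
apply_restofworld() {
    setname=${2:-restofworld}
    ipset list -n | grep -qx "$setname" \
        || ipset create "$setname" hash:net family inet
    build_restofworld "$1" "$setname" | ipset restore
}

# Run directly with a zone directory as the first argument to print the stream.
if [ $# -gt 0 ]; then build_restofworld "$@"; fi
```

Because the old contents are replaced by swap rather than rebuilt in place, a set that was created earlier with a too-small maxelem simply ends up named restofworld_new and is destroyed; no manual destroy-and-recreate is needed.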
 

w1ve

Guru
Joined
Nov 15, 2007
Messages
819
Reaction score
218
@wardmundy,
I am calling as a random caller from [email protected]. I am calling [email protected]. mypbx.org is the FQDN of the open PBX (for non registrations) and sip.mypbx.org is the FQDN for registrations.

The IP you see from the log snippet is the IP of the caller, not the callee.

So this is why I'm asking. The whole point here is to allow anonymous SIP safely, is it not?

So, a bit different now. This is an anonymous SIP call to the server:
[2019-02-07 20:18:23] NOTICE[12873][C-00000004]: chan_sip.c:26374 handle_request_invite: Failed to authenticate device "myFqdnOfServer.com" <sip:[email protected]>;tag=as56a8a5a0
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Sorry. I misunderstood. Are you calling from inside a firewall? Is there also a VoIP server inside that same firewall? Do you have UDP 5060 mapped from the firewall to your VoIP server? This is the one scenario we've seen where there is a problem connecting.

What else does Asterisk CLI show when the call comes in?

Are you sure your correct FQDN has been added to line 10 of extensions_override_freepbx.conf and restarted Asterisk?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
SECURITY ALERT: Never use the SIP URI MOD on a server with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.
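Added example, not from the thread: a log check for the risk described above. It reads the Asterisk full log, keeps only the chan_sip "Failed to authenticate device" notices (in the format of the sample line posted earlier in this thread), counts failures per claimed device name, and flags any device that presents our own FQDN, which is precisely the value the SIP URI mod would trust. The FQDN, the log path and the threshold are assumptions.

```shell
#!/bin/sh
# Report failed chan_sip INVITE authentications grouped by the device name the
# caller claimed, flagging claims of our own FQDN. Added example; the FQDN,
# log path and threshold are illustrative assumptions.

# Usage: spoof_report LOGFILE OUR_FQDN [THRESHOLD]
# Prints one line per device, highest count first:
#   <count> <device> [SPOOF-OF-OWN-FQDN]
spoof_report() {
    logfile=$1
    fqdn=$2
    threshold=${3:-1}
    awk -v fqdn="$fqdn" -v thr="$threshold" '
        /handle_request_invite: Failed to authenticate device "/ {
            # The device name is the quoted string after "device ".
            if (match($0, /device "[^"]*"/)) {
                dev = substr($0, RSTART + 8, RLENGTH - 9)
                n[dev]++
            }
        }
        END {
            for (d in n)
                if (n[d] >= thr)
                    printf "%d %s%s\n", n[d], d,
                        (d == fqdn ? " SPOOF-OF-OWN-FQDN" : "")
        }' "$logfile" | sort -rn
}

# Run directly: spoof_report /var/log/asterisk/full mypbx.org 5
if [ $# -ge 2 ]; then spoof_report "$@"; fi
```

Anything tagged SPOOF-OF-OWN-FQDN is a caller who got as far as the dialplan while claiming to be the server itself; with the SIP URI mod in place that claim alone would have been enough, which is why this pattern is worth alerting on rather than just counting.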
 

mainenotarynet

Not really a Guru - Just a long time user
Joined
May 29, 2010
Messages
754
Reaction score
155
But if you do this SIP Firewall design, it doesn't expose the SIP port anyways, does it? As I have MOSTLY all remotes this Firewall design would be good for my redesign as Alpharacks keeps shutting down on its own from time to time for no reason, so I have to move again anyways. And if it can only register to a FQDN wouldn't that prevent the degenerates from gaining access?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
@mainenotarynet: This only applies to adding outbound SIP URI dialing support. SIP is most definitely exposed in the public server design, but not in traditional Incredible PBX 13-13 deployments with Travelin' Man 3. Otherwise incoming anonymous SIP URI connections would fail. Yes, the FQDN requirement helps, but it's security through obscurity. Make sure it's a very unusual FQDN if you go that route and need outbound SIP URI support. Then pray you don't have any disgruntled employees.
 
