[kwlug-disc] Blocking SIP registrations

B.S. bs27975 at yahoo.ca
Mon Jan 19 23:47:29 EST 2015


 > The ip address of the remote extension changes as
 > the ip address is dynamic so I need to open up my firewall to allow
 > remote sip registration.

voip.ms lets you do this. And there are advantages, as pointed out, to 
letting them be your firewall.

At the least, drop all traffic coming from outside the geographic areas 
you reasonably expect. If you don't expect anyone outside Canada to 
register (let alone Ontario), drop it all. From what you have said, 
there is no reason at all for your WAN / IP to be registering, so drop it; 
i.e. internal extension registrations will not be coming in on that 
interface, and there is no reason for an external extension to not src 
ip from that remote location.

Obscurity is no substitute for security (or so I said/thought at one 
time), and brings user support aggravation. e.g. If they or you fresh 
install a client, but forget to change the default port, you can chase 
your tail for a while. So using a non-standard port may not buy you 
much, they'll find you eventually. And faster than you would like. The 
non-standard port does cut down astonishingly on the logs, though. e.g. 
SIP access attempt on an SSH server, and vice versa, auto-rejected.

So, at the least, put in the drops for geo ip & as Lori suggested. You 
might peek at the remote capabilities of voip.ms in case such will save 
you some aggravation. (But there will be a cost to such that you don't 
have when they register against your own server. How much and whether it 
matters to you only you can judge.)

I assume your asterisk server is not directly connected to the net, so 
you'll want your blocks on the router facing the world, not your 
asterisk box. As Lori essentially points out, you can use OpenVPN (by 
certs only) to get inside your network from outside, for your own 
maintenance purposes, and so on. Heck, for that matter, even ssh (with 
certs) may give you enough for what you need, with port redirects.

Good luck. Agreed, the useless external incoming traffic attempts sure 
are annoying.


On 01/13/2015 08:29 PM, Herman Gruetzmacher wrote:
> I like voip.ms and use them too along with Unlimitel. But I am using 8
> sip phones as extensions off of my FreePBX including remote extensions
> (outside of my home). The ip address of the remote extension changes as
> the ip address is dynamic so I need to open up my firewall to allow
> remote sip registration. fail2ban will block external ip addresses after
> 3 unsuccessful attempts but there are many more registration attempts
> which appear to be coming directly from my own wan, ie my external
> Rogers IP address. I was thinking of using non standard sip udp ports as
> a starting point and port forwarding them, is that enough? I saw this
> SecAst product but it appears quite involved to set-up and was wondering
> if anyone else has used it.
>
> Thanks
>
> Herman
>
> -----Original Message-----
> From: William Park
> Sent: Tuesday, January 13, 2015 7:01 PM
> To: kwlug-disc at kwlug.org
> Subject: Re: [kwlug-disc] Blocking SIP registrations
>
> Off topic question...
>
> Why do you need to be your own telephone company?  Can't you get away
> with using voip.ms or others?  I've attended a voip.ms demo, and it
> seems like you're running your own telephone company through voip.ms,
> because they allow you to resell.
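An added example, not code from anyone in this thread, of the check the advice above implies: it parses constructed lines in the shape of Asterisk chan_sip registration-failure notices, counts failures per source address, and flags sources that reach the 3-attempt threshold fail2ban is described as using, that fall outside the ranges remote extensions are expected to come from, or that arrive from the PBX's own WAN address (which the reply says should simply be dropped). The log format, the WAN address, the expected ranges and the IPv4-only parsing are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines shaped like Asterisk chan_sip NOTICE entries (not real traffic).
SAMPLE_LOG = """\
[Jan 13 20:01:02] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.9:5060' - Wrong password
[Jan 13 20:01:03] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.9:5060' - Wrong password
[Jan 13 20:01:04] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '203.0.113.9:5060' - No matching peer found
[Jan 13 20:02:10] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@198.51.100.7>' failed for '198.51.100.7:5061' - Wrong password
[Jan 13 20:03:00] NOTICE[2231] chan_sip.c: Registration from '"300" <sip:300@198.51.100.7>' failed for '192.0.2.44:5060' - Wrong password
"""

# Assumed line shape; IPv4 source only, port separated by a colon.
FAIL_RE = re.compile(r"Registration from '.*?' failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.*)$")

WAN_IP = ipaddress.ip_address("198.51.100.7")            # assumed: the PBX's own external address
EXPECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: where remote extensions register from
THRESHOLD = 3                                            # the fail2ban retry count mentioned in the thread


def parse_failures(log_text):
    """Return a list of (source_ip, reason) for every failed-registration line."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            found.append((ipaddress.ip_address(m.group("ip")), m.group("reason")))
    return found


def classify(log_text, wan_ip=WAN_IP, expected_nets=EXPECTED_NETS, threshold=THRESHOLD):
    """Group failing sources by what the perimeter policy should do with them."""
    counts = Counter(ip for ip, _ in parse_failures(log_text))
    report = {"from_wan": [], "unexpected_source": [], "over_threshold": []}
    for ip, n in counts.items():
        if ip == wan_ip:
            # Registrations must never originate from our own WAN address: drop at the router.
            report["from_wan"].append(str(ip))
        elif not any(ip in net for net in expected_nets):
            # Outside the geography/ranges we expect: candidate for a blanket drop rule.
            report["unexpected_source"].append(str(ip))
        if n >= threshold:
            # Reached the same retry count fail2ban would act on.
            report["over_threshold"].append(str(ip))
    return report
```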