2

I have a working Asterisk environment, but I get a lot of unwanted traffic, like SIP scanners of people who even try to call as a guest.

I'm using res_pjsip, the configuration is stored in pjsip.conf. But I can't find options like alwaysauthreject and allowguests in this configuration.

And I can't find any of the security options of pjsip on the wiki. Only for chan_sip.

Can someone tell me whether these options are present in this driver, or whether they have been replaced by another function?

Thank you in advance

Haije Ploeg

3 Answers

1

I have found an answer.

alwaysauthreject
allowguests

These 2 functions aren't part of pjsip.conf anymore and are standard.

Furthermore you need to secure your server with a firewall and fail2ban. Security needs to be done on OS level.

Haije Ploeg
0

It's not clear what type of security options you are looking for - since simplistic restrictions like refusing guest, requiring registration, etc. will not reduce the load created by SIP scanners, hackers trying to get in, etc.

If you are trying to secure your server check out this page www.voip-info.org for details. Solutions range from basic Asterisk server settings to perimeter protection to advanced security like Asterisk plug-ins which look at the source IP of attackers to block geographic areas, watch for heuristic attack patterns, etc.

You will find that some older apps/plug-ins struggle with PJSIP but some fully support it.

TSG
0

According to this:

There is no option for “alwaysauthreject”. It is always on.

There is no equivalent settings functionality wise for “domain” and “allowexternaldomains”.

The “allowguest” option is always set to no unless you create an endpoint named “anonymous”.

The “deny” and “permit” options can be set at a global and endpoint basis.

Example of old configuration:

alwaysauthreject=yes

domain = asterisk.mydomain.com

allowexternaldomains = no

allowguest = no

deny=0.0.0.0/0.0.0.0
permit=10.0.0.0/255.0.0.0

And as the author of the question wrote, you have to use a firewall and fail2ban.

Here are the ports used (taken from here):

  • 4569 UDP - IAX/2, forward this port if you have purchased IAX trunking, IAX can traverse your firewall easier than SIP

  • 5060 UDP - SIP

  • 10000 - 20000 UDP - SIP RTP Media (configured inside rtp.conf)

NoOne
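The answers above say guest calls stay off unless an endpoint named "anonymous" exists, and that deny/permit can be set globally and per endpoint. The following is an added example, not part of any answer and not Asterisk project code, that audits a pjsip.conf for both points. It assumes global ACLs are written as `type=acl` sections (as res_pjsip_acl reads them), does not resolve template inheritance, and runs on a constructed sample config.

```python
import re

# Constructed sample pjsip.conf (not from the page): a global ACL section,
# one normal endpoint, and an "anonymous" endpoint that re-enables guest calls.
SAMPLE = """\
[acl-lan]
type=acl
deny=0.0.0.0/0.0.0.0
permit=10.0.0.0/255.0.0.0

[6001]
type=endpoint
context=internal

[anonymous]
type=endpoint   ; accepts unauthenticated callers
context=public
"""

SECTION = re.compile(r"^\[([^\]]+)\]")  # also matches "[name](template)" headers

def parse_sections(text):
    """Return [(section name, {option: [values]})] in file order; names may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        m = SECTION.match(line)
        if m:
            sections.append((m.group(1).strip(), {}))
        elif sections and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def audit(text):
    """Summarise guest access and ACL coverage of a pjsip.conf."""
    sections = parse_sections(text)
    def of_type(t):
        return [(n, o) for n, o in sections if t in o.get("type", [])]
    endpoints = of_type("endpoint")
    acl_opts = ("acl", "deny", "permit")      # endpoint-level ACL options
    return {
        "guest_calls_enabled": any(n == "anonymous" for n, _ in endpoints),
        "global_acls": [n for n, _ in of_type("acl")],
        "endpoints_with_acl": [n for n, o in endpoints if any(k in o for k in acl_opts)],
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```
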