Benoit Panizzon
2019-Nov-18 12:20 UTC
[asterisk-users] On Register, run a script, validate source IP
Hi Gang
To increase security against phished passwords and similar attacks, we
consider offering customers to define IP ranges (or GeoIP locations)
from which their dynamic registrations are being accepted.
I can already look at the source IP in the dial plan, so no issue with
validating an INVITE against a source IP.
But I would also like to prevent registrations from outside of this
client's specific allowed IP addresses as well, so the line cannot be
hijacked.
So I'm looking for something like
On Register:
    If check_allowed_ip(auth_username) {
        return;
    } else {
        Reply(403 Wrong IP for this user);
    }
Any ideas how to do that? (Yes, I asked Google and found nothing
useful yet)
Kind regards
-Benoît Panizzon-
--
I m p r o W a r e A G - Leiter Commerce Kunden
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Schweiz Web http://www.imp.ch
______________________________________________________
Sebastian Nielsen
2019-Nov-18 12:41 UTC
[asterisk-users] On Register, run a script, validate source IP
You could use permit/deny in sip.conf.
That would require your script to update sip.conf dynamically and reload the
config each time a user wants to update their accepted location.
To avoid excessive reloads, you could have the changes take effect
after 00:00, so you have a cron script which reads the user database and updates
sip.conf, and then reloads Asterisk ONCE.
So any changes a user makes to their source IP/GeoIP configuration on the webpage will
not take effect until midnight.
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
Check out the new Asterisk community forum at: https://community.asterisk.org/
New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
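Added example, not part of the thread or of Asterisk itself: a Python sketch of the nightly cron job suggested above, which turns customer-entered ranges into `deny`/`permit` lines and reloads only when the result changed. Assumptions: a user database shaped like the constructed `SAMPLE_USERS`, IPv4 ranges only, hypothetical helper names (`render_acl`, `install`), and an output file that sip.conf `#include`s after the peer definitions so each `[peer](+)` section appends to an existing peer.

```python
import ipaddress
import os
import re
import subprocess
import tempfile

# Constructed sample of the user database: auth username -> customer-entered ranges.
SAMPLE_USERS = {
    "alice": ["198.51.100.0/24", "203.0.113.7"],
    "bob": ["192.0.2.0/25\npermit=0.0.0.0/0"],  # config-injection attempt
    "carol": [],                                  # restriction not enabled
}
PEER_NAME = re.compile(r"[A-Za-z0-9_.-]{1,40}")

def render_acl(users):
    """Return (config text, rejected entries). Users with ranges get default-deny."""
    out, rejected = [], []
    for name in sorted(users):
        if not users[name]:
            continue                      # opt-in feature: no ranges, no ACL
        if not PEER_NAME.fullmatch(name):
            rejected.append((name, "bad peer name"))
            continue
        out += [f"[{name}](+)", "deny=0.0.0.0/0.0.0.0"]
        for text in users[name]:
            try:                          # strict parse keeps newlines and junk out
                net = ipaddress.IPv4Network(text, strict=True)
            except ValueError:
                rejected.append((name, text))  # fail closed: the range is not added
                continue
            out.append(f"permit={net.network_address}/{net.netmask}")
    return "\n".join(out) + "\n", rejected

def asterisk_reload():
    subprocess.run(["asterisk", "-rx", "sip reload"], check=True)

def install(path, text, reload=asterisk_reload):
    """Atomically replace path and reload once, only if the content changed."""
    try:
        with open(path) as fh:
            if fh.read() == text:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)
    reload()
    return True
```

A user whose entries are all rejected ends up with only the `deny` line, so a malformed range locks the line rather than opening it; the rejected list is what the job should report back to the operator.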
Benoit Panizzon
2019-Nov-18 13:58 UTC
[asterisk-users] On Register, run a script, validate source IP
Hi Sebastian
> That would require your script to update sip.conf dynamically and reload the config for each time user wants to update their accepted location.
Hmm, maybe using Asterisk realtime and attempting to put the config into a database would be worth an approach. Until now we only use realtime for the voicemail application.
So there isn't any way to have, for example, a special dialplan extension or similar executed on every register (and possibly unregister, to send an alert and maybe re-route traffic if a business trunk customer goes offline)?
Kind regards
-Benoît Panizzon-
Olivier
2019-Nov-20 09:00 UTC
[asterisk-users] On Register, run a script, validate source IP
Hello,
Have you tried with ACL (acl.conf)?
Cheers
Jöran Vinzens
2019-Nov-20 09:08 UTC
[asterisk-users] On Register, run a script, validate source IP
Hi,
for me it sounds like you need an SBC. We use Kamailio in order to check users' IP addresses. There are modules like "permissions" in Kamailio that could do this. As well, there are pike checks, sanity checks and a bunch of other useful tools.
If you want to secure and protect your Asterisk you should not use Asterisk for it.
BR
Jöran
--
Jöran Vinzens - vinzens at sipgate.de
Phone: +49 211-63 55 56-21
Fax: +49 211-63 55 55-22
sipgate GmbH - Gladbacher Str. 74 - 40219 Düsseldorf
HRB Düsseldorf 39841 - Managing directors: Thilo Salmon, Tim Mois
Tax number: 106/5724/7147, VAT ID: DE219349391
www.sipgate.de - www.sipgate.co.uk