Remco Barendse
2008-Sep-17 17:58 UTC
[asterisk-users] Restrict SIP registration to one ip address only?
Maybe a bit silly question, but why doesn't Asterisk accept if you set both a username&password as well as an IP address for a phone?

My fixed phones in my home all have a fixed IP address, but I also have 2 Nokia GSM phones that can talk SIP which I would like to use from public wifi.

It's obvious that the more phones you have the more successful a brute force attack on the server will be, so I would only like to allow access to the 2 Nokia phones from "any" IP.

Why doesn't Asterisk allow both username&pass as well as setting an IP address on a sip.extension?
Mr Shunz
2008-Sep-17 18:54 UTC
[asterisk-users] Restrict SIP registration to one ip address only?
> Maybe a bit silly question, but why doesn't Asterisk accept if you set
> both a username&password as well as an IP address for a phone?

But it does accept! In a peer definition:

    [user]
    type=user        ; or better, friend
    username=user
    secret=secret
    host=10.0.0.1

[snip]

> It's obvious that the more phones you have the more successful a brute
> force attack on the server will be, so I would only like to allow access
> to the 2 Nokia phones from "any" IP.

Just set host=dynamic for those peers only.

Cheers

--
------------------------------------------------
Daniele Santi       .o.   daniele at santi.vr.it
                    ..o   ()  ascii ribbon campaign
Linux User #415108  ooo   /\  www.asciiribbon.org
------------------------------------------------
Jared Smith
2008-Sep-17 19:26 UTC
[asterisk-users] Restrict SIP registration to one ip address only?
On Wed, 2008-09-17 at 19:58 +0200, Remco Barendse wrote:
> Why doesn't Asterisk allow both username&pass as well as setting an IP
> address on a sip.extension?

It does. To enforce ACLs on a SIP user or peer or friend, simply use "permit" and "deny" statements to allow and disallow various IP addresses or subnets. Standard practice seems to be to deny everything first, then specifically allow other IP addresses.

    [user]
    type=friend
    secret=mypassword
    host=dynamic
    deny=0.0.0.0/0
    permit=10.1.2.3
    permit=192.168.123.0/24
    permit=192.168.222.0/255.255.255.0

--
Jared Smith
Training Manager
Digium, Inc.
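
Added example, not part of the original thread and not Asterisk's own code: a small Python model of how the deny/permit list in the stanza above decides whether a source address may use the peer at all, before the secret is checked. It assumes rules are evaluated in file order, the last matching rule wins, and an address that matches no rule is allowed; the function names are made up for this illustration.

```python
import ipaddress

# Constructed sample: the peer stanza from the post above.
SIP_CONF = """\
[user]
type=friend
secret=mypassword
host=dynamic
deny=0.0.0.0/0
permit=10.1.2.3
permit=192.168.123.0/24
permit=192.168.222.0/255.255.255.0
"""

def parse_acl(conf, section):
    """Return the ordered (sense, network) rules of one sip.conf section."""
    rules, current = [], None
    for raw in conf.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]    # section name, e.g. "user"
            continue
        if current != section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("permit", "deny"):
            # Accepts a bare address, CIDR, or dotted-netmask notation.
            rules.append((key, ipaddress.ip_network(value, strict=False)))
    return rules

def allowed(rules, source_ip):
    """Apply the rules in order; a later match overrides an earlier one."""
    addr = ipaddress.ip_address(source_ip)
    verdict = True                               # assumption: no match means allow
    for sense, net in rules:
        if addr in net:
            verdict = (sense == "permit")
    return verdict

if __name__ == "__main__":
    rules = parse_acl(SIP_CONF, "user")
    for ip in ("10.1.2.3", "10.1.2.4", "192.168.123.77", "203.0.113.5"):
        print(ip, "allowed" if allowed(rules, ip) else "denied")
```

Under the same assumptions, moving the deny=0.0.0.0/0 line below the permit lines would reject every address, which is why the deny-everything rule goes first.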