We have a FreePBX-12 / Asterisk-12 setup that supports about 24 extensions, most internal Snom870s but six or so external (Jitsi-2.8). We use TLS and SRTP everywhere on our side of the fence. The server host is a dedicated atom(tm) box using the FreePBX distro (CentOS-6.x) and is up-to-date. Registrations require very long random passwords and registrable devices are further restricted by netblock filters. We have the usual firewall and fail2ban intrusion prevention and detection set-ups in place.

Our connection to the rest of the world is via PSTN. We do our own DNS, both forward and reverse. We have NAPTR and SRV RRs for SIP and SIPS.

That is the environment. Now for the questions.

Can I safely configure FreePBX/Asterisk to allow people to call us directly via SIP? In other words, sip://something at harte-lyne.ca would reach us and ring internally as if someone had called our main office number via PSTN.

Does it make sense to do so? I am not talking about routing our main number through a SIP trunk provider. We will remain on PSTN for the foreseeable future. But I am curious as to whether or not it is worthwhile to allow others who have the capability to simply call us via SIP rather than over PSTN. And if we do allow it, what are the caveats and how does one actually configure Asterisk to do it?

I have read a number of blogs, sections of the Definitive Asterisk book and mailing list archived posts respecting anonymous SIP calls. But I have to say these leave me rather more confused than informed. Virtually all sources advise against accepting any anonymous incoming SIP calls whatsoever. The few that do not absolutely advise against do not give much guidance in how to handle incoming calls. And frankly, I have only a dim idea how an incoming SIP call should be handled from a theoretical point of view.

Any guidance would be welcome.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

You have to consider whether you really want "anonymous" calls, or you just want to enable SIP calls from trusted companies/partners. The latter means setting up routes to these companies and (ideally) registration between peers.

If you really want anonymous calls, then you will have to set up your dialplan with a guest/anonymous context for the calls to drop into. Once they arrive in that context you can route them anywhere else in your dialplan based on rules you set up. To help understand how this works, set verbose up to 10 in the Asterisk CLI and then call into your PBX using a SIP phone (without registration). You'll quickly see how it works.

The bigger concern here is security. Hackers will have a field day with an unsecured SIP connection. You will want to add some security on and around your Asterisk server. Take a look at http://www.voip-info.org/wiki/view/Asterisk+security for suggestions.

To be conservative, assume someone WILL find a hole in your dialplan and attempt to commit fraud (i.e. rack up charges on your phone system). You will want to add security to your asterisk server which detects this fraud and disconnects the callers. There's a great video of an Astricon attendee explaining how callers racked up $100,000 in charges in one weekend.

From: asterisk-users-bounces at lists.digium.com <asterisk-users-bounces at lists.digium.com> on behalf of James B. Byrne <byrnejb at harte-lyne.ca>
Sent: Thursday, March 26, 2015 9:24 PM
To: Asterisk Users List
Subject: [asterisk-users] Anonymous SIP calls

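The reply above puts unauthenticated calls in their own guest context and warns that a hole in the dialplan is what lets a caller run up charges. As an added example (not from the thread, and not part of Asterisk or FreePBX), this Python script checks whether a guest context can reach any context that dials out through DAHDI; the dialplan text and every context name in it are constructed, and only `include =>` and three-argument `Goto()` jumps are followed.

```python
import re

# Constructed sample extensions.conf; every context and extension name is hypothetical.
SAMPLE_DIALPLAN = """
[guest-inbound]                ; unauthenticated SIP calls are dropped here
exten => main,1,Dial(SIP/100&SIP/101,20)
 same => n,Hangup()
include => internal-only

[internal-only]
exten => _1XX,1,Dial(SIP/${EXTEN},20)

[outbound-pstn]                ; must stay unreachable from the guest context
exten => _9NXXNXXXXXX,1,Dial(DAHDI/g0/${EXTEN:1})
"""

SECTION = re.compile(r"^\[([^\]]+)\]")
INCLUDE = re.compile(r"^include\s*=>\s*([^\s,]+)")
GOTO = re.compile(r"\bGoto\(([^,()]+),[^,()]+,[^,()]+\)")   # Goto(context,exten,priority)
DIAL = re.compile(r"\bDial\(([^,)]+)")

def parse(text):
    """Map each context to the contexts it can jump to and the Dial() targets it holds."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        section = SECTION.match(line)
        if section:
            current = contexts.setdefault(section.group(1), {"edges": [], "dials": []})
        elif current is not None:
            include = INCLUDE.match(line)
            current["edges"] += [include.group(1)] if include else GOTO.findall(line)
            current["dials"] += DIAL.findall(line)
    return contexts

def reachable(contexts, start):
    """Every context a call entering `start` can end up in."""
    seen, todo = {start}, [start]
    while todo:
        for nxt in contexts.get(todo.pop(), {"edges": []})["edges"]:
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def toll_exposure(text, guest_context, trunk_techs=("DAHDI",)):
    """List (context, dial target) pairs that let a guest call out through a trunk."""
    contexts = parse(text)
    return [(ctx, target)
            for ctx in sorted(reachable(contexts, guest_context))
            for target in contexts.get(ctx, {"dials": []})["dials"]
            if any(leg.split("/")[0].upper() in trunk_techs for leg in target.split("&"))]

if __name__ == "__main__":
    print(toll_exposure(SAMPLE_DIALPLAN, "guest-inbound"))
```

An empty result means no followed path leads from the guest context to a DAHDI dial; jumps made through `GotoIf`, `Gosub` or macros are not traced and still need a manual read.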
On Thu, March 26, 2015 22:29, Michelle Dupuis wrote:
> You have to consider whether you really want "anonymous" calls, or you
> just want to enable SIP calls from trusted companies/partners. The
> latter means setting up routes to these companies and (ideally)
> registration between peers.
>

This is what I am trying to get a handle on. It seemed to me that the promise of VOIP was essentially that one could use the Internet as a replacement for the PSTN directly, providing that one's callers/callees were also directly connected via VOIP. SIP providers I had considered a necessary transition to act as gateways between PSTN dialing and VOIP until VOIP replaced PSTN virtually entirely if not completely.

That is why we are on Asterisk. We had to replace our old keyed system and the thought was that we might as well get ready for VOIP even if we planned to stay on PSTN for the foreseeable future.

However, the overwhelming evidence I find is that one simply does not employ VOIP in the same way that PSTN works. Actually, I have put that backwards. What I have discovered is that the most commonly recommended method is to switch from a Telco to a SIP provider and continue in a manner similar to the former set-up. External calls all have to travel through a third party provider. One does not accept incoming VOIP calls from just everyone, apparently. One only accepts VOIP calls from known correspondents.

I am not clear why this is so other than vague warnings respecting (admittedly real and serious) security issues. Even limiting VOIP to known correspondents one is ultimately trusting that they themselves are secured sufficiently to prevent unauthorised access to your systems through theirs. And that seems a bit of a stretch by way of rationalisation to me.

Also, what I do not understand is why the same issues do not exist from incoming calls via PSTN. I somewhat understand the process of getting devices to register and authenticate to obtain access to our outgoing routes. What is it about incoming SIP calls destined to our internal users that make those calls so dangerous? Why cannot incoming anonymous SIP calls be treated exactly as incoming PSTN calls (other than PSTN calls have to go through DAHDI to turn them into digital VOIP calls)? What is it that prevents them from being blocked from gatewaying through to our PSTN lines?

Please forgive my abysmal ignorance on this matter. Perhaps I have been down in the weeds too long getting our internal FreePBX system working to see what is obvious to others.

I have been going through the Astricon videos on security and have or already had implemented most of the suggestions: outbound LD secured by pins and allowed only during work hours; IPTABLES rules and fail2ban checks; separation of voice and data network segments and addresses; private IP for VOIP desk-sets and internal provisioning; and so forth. However, I still have the sense that I am just not getting it.

What am I missing?

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3