Create rules for disallowing contacts at certain addresses, which may

improve the security of various installations. As this does not change any default behavior, it is not classified as a direct security fix for anything within Asterisk, but may help PBX admins better secure their SIP servers. (closes issue #11776) Reported by: ibc Patches: 20080829__bug11776.diff.txt uploaded by Corydon76 (license 14) Tested by: Corydon76, blitzrage git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@142865 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2026-05-03 20:06:24 +00:00 · 2008-09-12 20:37:18 +00:00
parent bc9f006e3e
commit a4ebc105ef
2 changed files with 51 additions and 7 deletions
--- a/configs/sip.conf.sample
+++ b/configs/sip.conf.sample
@@ -136,6 +136,16 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
                                ; your localnet setting. Unless you have some sort of strange network
                                ; setup you will not need to enable this.

+;dynamic_exclude_static = yes   ; Disallow all dynamic hosts from registering
+                                ; as any IP address used for staticly defined
+                                ; hosts.  This helps avoid the configuration
+                                ; error of allowing your users to register at
+                                ; the same address as a SIP provider.
+
+;contactdeny=0.0.0.0/0.0.0.0           ; Use contactpermit and contactdeny to
+;contactpermit=172.16.0.0/255.255.0.0  ; restrict at what IPs your users may
+                                       ; register their phones.
+
 ;
 ; If regcontext is specified, Asterisk will dynamically create and destroy a
 ; NoOp priority 1 extension for a given peer who registers or unregisters with
@@ -501,6 +511,10 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
 ;                             outboundproxy
 ;                             rfc2833compensate
 ;                             t38pt_usertpsource
+;                             contactpermit         ; Limit what a host may register as (a neat trick
+;                             contactdeny           ; is to register at the same IP as a SIP provider,
+;                                                   ; then call oneself, and get redirected to that
+;                                                   ; same location).

 ;[sip_proxy]
 ; For incoming calls only. Example: FWD (Free World Dialup)