Asterisk Hack: How to accommodate your provider’s multiple static IP addresses

It’s a common scenario: you purchased some DIDs and your provider gives you a list of dozens of IP addresses that they may send your calls from into your Asterisk box. These could be random IPs or a net block such as 127.0.0.1/24. This approach is also beneficial if the provider is constantly growing and adding servers, as we are. Looks like an ACL/administrative nightmare, right?! You can’t possibly spend all those hours adding trunks to accommodate all of those would-be IPs. Smartly, you’ve stumbled over here instead.

To make life easier we will use a simple workaround. You may already be familiar with the “allowguest” and “allowanonymous” SIP call settings. It may sound counterintuitive, but in order to achieve what we want to do we will need to enable this feature.

Here’s why we normally don’t want to allow anonymous callers. Johnny Hacker notices an IP-PBX online. He then attempts to send a SIP call over using a random phone number. The phone system, such as Asterisk, has a default “Catch all/Any DID” on the main Inbound route due to lazy administration, and he soon finds himself hitting an Auto Attendant or special feature. He can then hammer away at the system over IP to enumerate voicemails, attempt DISA, or perhaps DoS your system altogether.

So here’s what we’ll do.

1) Create or modify a Catch All/Any DID route in Inbound routing and set it to go to “Congestion”. This way Asterisk will not play back a message to the would-be caller indicating we’re a live box.

2) Ensure you have a valid Inbound route for every DID (e.g., 15145555555) and route accordingly.

3) Enable guest mode as per the following:

In Asterisk (including vicidial)
nano /etc/asterisk/sip.conf
Find the line “allowguest = no” and change this to “yes”

FreePBX
Through “Settings -> Asterisk SIP Settings”, enable both “Allow SIP Guest” and “Allow Anonymous Inbound SIP calls” by switching on “Yes”.

This will allow any IP to call in to the system through the from-pstn context, but since your provider is sending the valid number it is trying to reach (e.g., 15145555555), the proper Inbound route will catch the call.
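With guest calls enabled, the catch-all route is the only thing standing between an unknown caller and the dialplan, so it is worth checking mechanically. The following is an added example, not part of the original post: a small audit that reads sip.conf and extensions.conf text and reports any catch-all entry in the guest context that does not reject the call. It assumes a plain Asterisk chan_sip layout; the sample configs, the `ivr-main` context and the function names are constructed for illustration.

```python
import re

# Constructed sample configs (assumptions, not taken from the original post).
SIP_CONF = """\
[general]
allowguest=yes
context=from-pstn
"""
EXTENSIONS_CONF = """\
[from-pstn]
exten => 15145555555,1,Goto(ivr-main,s,1)   ; explicit DID route
exten => _X.,1,Congestion()                  ; catch-all for any other number
exten => s,1,Answer()                        ; calls arriving with no DID
 same => n,Playback(welcome)
"""
# The post recommends Congestion; accepting Hangup as well is an added assumption.
REJECT = {"Congestion", "Hangup"}

def general_option(sip_conf, key, default):
    """Return the value of `key` from the [general] section of sip.conf."""
    section = None
    for raw in sip_conf.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        head = re.match(r"\[([^\]]+)\]", line)
        if head:
            section = head.group(1)
        elif section == "general" and "=" in line:
            k, v = (p.strip() for p in line.split("=", 1))
            if k == key:
                return v
    return default

def audit(sip_conf, extensions_conf):
    """List catch-all entries in the guest context that do not reject the call."""
    if general_option(sip_conf, "allowguest", "yes").lower() not in ("yes", "true", "1", "on"):
        return []                                    # guests refused at the SIP layer
    guest_ctx = general_option(sip_conf, "context", "default")
    findings, ctx = [], None
    for raw in extensions_conf.splitlines():
        line = raw.split(";", 1)[0].strip()
        head = re.match(r"\[([^\]]+)\]", line)
        if head:
            ctx = head.group(1)
        m = re.match(r"exten\s*=>\s*([^,]+),1,(\w+)", line)
        if m and ctx == guest_ctx:
            exten, app = m.groups()
            # Patterns (_...) and the s/i extensions match calls with no known DID.
            if (exten.startswith("_") or exten in ("s", "i")) and app not in REJECT:
                findings.append(f"[{ctx}] {exten} -> {app}")
    return findings
```

On the sample above, the `s` extension is reported because a call arriving without a DID would be answered and played a prompt. On FreePBX the dialplan is generated, so check the Any DID route in the GUI rather than editing files.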

Thanks for joining me. I hope this helped other geeks out there, and feel free to subscribe to our blog for more useful tips.

nurango provides an Encrypted Phone System for Businesses and Startups. Take a tour of our “simpler” phone system.