Koozali.org: home of the SME Server

ACL checking - howto implement?

chris burnat (http://www.burnat.com)
ACL checking - howto implement?
« on: June 16, 2010, 11:47:54 AM »
Hello Jeff,

"You should also apply ACL checking to your inbound trunks making it more difficult for them to be spoofed. You may think that this is unnecessary; using the logic "why would anyone spend money on an inbound call to me in order to phreak me?". Trust us there are scams that work just like that."

Where does one find info/how-to about ACL checking in general (as implemented in extension config files) and ACL for inbound trunks in particular?
Any pointer would be great.
Many thanks
chris


- chris
If it does not work out of the box, please fill in a Bug Report @ Bugzilla (http://bugs.contribs.org)  - check: http://wiki.contribs.org/Bugzilla_Help .  Thanks.

versa
Re: ACL checking - howto implement?
« Reply #1 on: June 16, 2010, 12:17:11 PM »
Hi, I'm not sure if this is relevant to your question, but this came to mind.
I'm running Asterisk 1.4.30 (compiled install)
and SAIL sail-2.4.1-12. I found a few extra things when I was creating extensions (compared with an older install), like the ACL and call limit.
This is just for home use, but it works and I have not had the time to play more with things.
I'm not sure about ACL checking on your inbound trunks; I have not looked into it.

But this is one of my extensions;

Code:
; sip.conf peer definition; the [section] header naming the peer is not shown in the post
type=friend
username=username
secret=password
mailbox=5001
host=dynamic
qualify=3000
canreinvite=no
context=internal
callerid="XXXXX" <5001>
pickupgroup=1
callgroup=1
call-limit=99
subscribecontext=extensions
; ACL: Asterisk applies deny/permit lines in order and the last match wins,
; so deny everything first, then permit only the local subnet. Asterisk masks
; the address, so 10.9.20.8/255.255.255.0 is the same as 10.9.20.0/255.255.255.0.
deny=0.0.0.0/0.0.0.0
permit=10.9.20.8/255.255.255.0
; codecs
disallow=all
allow=ulaw
allow=alaw


And this is from a recent log:
Code:
[Jun 13 10:08:00] NOTICE[5651] chan_sip.c: Registration from '"5001"<sip:5001@10.9.20.10:5060>' failed for '94.74.229.229' - Device does not match ACL
So I guess the idea is to stop someone hijacking one of your systems and making a load of calls :D.

SARK devs (http://sarkpbx.com)
Re: ACL checking - howto implement?
« Reply #2 on: June 16, 2010, 10:53:57 PM »
Hi Chris, versa

There isn't anything much on ACL, but it's just like hosts or a simple firewall rule; i.e. it's an IP address and a mask.  By default, on the later releases, for internal phones, SAIL will set the rule as

Code:
deny=0.0.0.0/0.0.0.0
permit=your.local.subnet.0/255.255.255.0

This will allow phones from inside your subnet to register and make calls but should stop anyone from outside your subnet from registering an extension which exists on the local subnet.

For a remote phone, at ip address 1.2.3.4  you might do something like

Code:
deny=0.0.0.0/0.0.0.0
permit=1.2.3.4/255.255.255.255

For trunks you'll need to apply your rules at the firewall and only allow traffic from known IP addresses on port 5060. Asterisk can't really enforce ACL on DIDs, or if it can, then I'm not sure how to do it - comments and ideas welcome if anyone does know how to do it.

Best

jeff
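As an added example (not code from SAIL, Asterisk or either poster), the Python below reproduces how Asterisk's chan_sip evaluates deny=/permit= lines: rules are kept in configuration order, each rule whose network contains the source address overrides the verdict of the rules before it, and an address that matches no rule at all is allowed. It feeds versa's extension ACL, Jeff's remote-phone rule and the source address from versa's "Device does not match ACL" log line through that logic. The rule sets and the log line are constructed from what is quoted in the two posts above; the swapped-order rule set (WRONG_ORDER_ACL) is my own addition to show why the deny-all line has to come first.

```python
"""Asterisk-style deny/permit ACL checker (added example; not SAIL or Asterisk code).

Mirrors the evaluation Asterisk's acl.c performs for deny=/permit= lines:
rules are kept in configuration order, every rule whose network contains the
source address overrides the verdict of the rules before it (last match wins),
and an address that matches no rule at all is ALLOWED. The address part of a
rule is masked when the rule is stored, so permit=10.9.20.8/255.255.255.0 is
the same rule as permit=10.9.20.0/255.255.255.0.
"""
import ipaddress
import re

# chan_sip's registration refusal, in the form quoted from versa's log above.
_ACL_FAIL = re.compile(
    r"Registration from '(?P<peer>[^']*)' failed for '(?P<src>[0-9.]+)'"
    r" - Device does not match ACL"
)


def parse_acl(lines):
    """Turn deny=/permit= lines (sip.conf syntax) into [(permit?, network), ...].

    Other keys and ';' comments are ignored, so a whole peer section can be fed in.
    """
    rules = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("deny", "permit"):
            continue
        addr, _, mask = value.partition("/")
        if not mask:
            mask = "255.255.255.255"          # a bare address is a single-host rule
        # Accepts dotted masks and prefix lengths; strict=False drops the host
        # bits of the address, which is how Asterisk stores the rule.
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        rules.append((key == "permit", net))
    return rules


def apply_acl(rules, source):
    """Return True if `source` (dotted IPv4 string) may register/call under `rules`."""
    src = ipaddress.IPv4Address(source)
    allowed = True                            # no matching rule => allowed
    for permit, net in rules:
        if src in net:
            allowed = permit                  # later matches override earlier ones
    return allowed


def acl_failures(log_lines):
    """Yield (peer, source_ip) for each 'Device does not match ACL' notice."""
    for line in log_lines:
        m = _ACL_FAIL.search(line)
        if m:
            yield m.group("peer"), m.group("src")


def check_log_against_acl(log_lines, acl_lines):
    """Replay each refused registration source through `acl_lines`.

    Returns [(source_ip, allowed?), ...]; a True here means the ACL you think
    is in force would NOT have produced that log line.
    """
    rules = parse_acl(acl_lines)
    return [(src, apply_acl(rules, src)) for _peer, src in acl_failures(log_lines)]


# --- constructed samples, built from the rules and log line quoted in the thread ---
VERSA_ACL = ["deny=0.0.0.0/0.0.0.0", "permit=10.9.20.8/255.255.255.0"]
REMOTE_PHONE_ACL = ["deny=0.0.0.0/0.0.0.0", "permit=1.2.3.4/255.255.255.255"]
# Hypothetical mistake: same two rules the other way round. The deny-all now
# matches last, so it wins for every address and the permit line is dead.
WRONG_ORDER_ACL = ["permit=10.9.20.0/24", "deny=0.0.0.0/0"]
SAMPLE_LOG = [
    "[Jun 13 10:08:00] NOTICE[5651] chan_sip.c: Registration from "
    "'\"5001\"<sip:5001@10.9.20.10:5060>' failed for '94.74.229.229'"
    " - Device does not match ACL",
]

if __name__ == "__main__":
    for name, acl in (("versa", VERSA_ACL), ("remote phone", REMOTE_PHONE_ACL),
                      ("wrong order", WRONG_ORDER_ACL)):
        rules = parse_acl(acl)
        for ip in ("10.9.20.10", "1.2.3.4", "94.74.229.229"):
            verdict = "permit" if apply_acl(rules, ip) else "deny"
            print(f"{name:13s} {ip:15s} -> {verdict}")
    print(check_log_against_acl(SAMPLE_LOG, VERSA_ACL))
```

Two things worth taking from the run: the rule versa posted really does deny 94.74.229.229 and permit 10.9.20.10, which is exactly the verdict in the log line, and reversing the two lines denies everything, because the deny-all rule then matches last. The "remote phone at 1.2.3.4" rule in Jeff's post only holds while that phone keeps the same public address; if the address changes the phone is locked out, which is the right failure mode for a host rule.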