limiting asterisk/freepbx to some "User Agent"
-
Hi, I wanted to make the server restricted to the softphone we have made; any other phone should get rejected.
It's required to make a customized flow in order.
Please suggest.
So far, as per information collected from Google, it seems that for this we are required to make changes in code, so is there a guide available to set up a dev environment step by step?
Regards,
AD
-
@ad that's going to be pretty complex. You need a way to both strongly identify your user agent, and a way to lock down the PBX to only that agent. Not likely something you will find any examples of or something that you'll find people have been doing. I don't know of anyone that has done that, even conceptually.
-
@ad Asterisk cannot do this natively, but it is simple for your firewall to do so. You are not running a phone system on the public internet without a firewall, are you?
I assume you know exactly what your User Agent string is.
Write an accept rule for your user agent (and any you need for your service provider):
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string 'User-Agent: YourString' --icase --algo bm --to 65535 -j ACCEPT
Then a drop rule for any other packet with a User-Agent:
iptables -A INPUT -p udp -m udp --dport 5060 -m string --string 'User-Agent:' --icase --algo bm --to 65535 -j DROP
-
The problem with this is that I can customize my user agent to be anything I want.
So as soon as anyone knows what you are doing, it is trivial to customize my device user-agent to spoof the one you want to see.
-
@jaredbusch said in limiting asterisk/freepbx to some "User Agent":
> The problem with this is that I can customize my user agent to be anything I want.
> So as soon as anyone knows what you are doing, it is trivial to customize my device user-agent to spoof the one you want to see.
Yeah, that was what I was wondering - I was pretty sure the user-agent string is in plain text, so anyone can sniff the network and now they're in.
So a bit more than security through obscurity, though not sure how much more.
-
@dashrender said in limiting asterisk/freepbx to some "User Agent":
> @jaredbusch said in limiting asterisk/freepbx to some "User Agent":
>> The problem with this is that I can customize my user agent to be anything I want.
>> So as soon as anyone knows what you are doing, it is trivial to customize my device user-agent to spoof the one you want to see.
> Yeah, that was what I was wondering - I was pretty sure the user-agent string is in plain text, so anyone can sniff the network and now they're in.
> So a bit more than security through obscurity, though not sure how much more.
If you are using TLS, it is not easily visible.
-
@jaredbusch said in limiting asterisk/freepbx to some "User Agent":
> @dashrender said in limiting asterisk/freepbx to some "User Agent":
>> @jaredbusch said in limiting asterisk/freepbx to some "User Agent":
>>> The problem with this is that I can customize my user agent to be anything I want.
>>> So as soon as anyone knows what you are doing, it is trivial to customize my device user-agent to spoof the one you want to see.
>> Yeah, that was what I was wondering - I was pretty sure the user-agent string is in plain text, so anyone can sniff the network and now they're in.
>> So a bit more than security through obscurity, though not sure how much more.
> If you are using TLS, it is not easily visible.
But, if you know what it is, then you can still set it. But it helps hide it if you don't know what's being sent.
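-
An offline model of the two string-match rules posted in this thread, to check what they decide before relying on them. This is an added example, not code from any poster or from Asterisk/FreePBX. The SIP messages, host name, addresses and phone names are constructed, and the model searches only the payload (a simplification of the kernel match, which searches the whole packet).

```python
"""Offline model of the thread's two iptables string-match rules (added example)."""

OUR_UA = b"User-Agent: YourString"   # placeholder string used in the thread
ANY_UA = b"User-Agent:"

# (proto, dport, pattern, verdict), in the order the rules were appended.
RULES = [
    ("udp", 5060, OUR_UA, "ACCEPT"),
    ("udp", 5060, ANY_UA, "DROP"),
]

def verdict(proto, dport, payload):
    """First matching rule wins; --icase makes the substring search case-insensitive."""
    haystack = payload.lower()
    for r_proto, r_port, pattern, action in RULES:
        if proto == r_proto and dport == r_port and pattern.lower() in haystack:
            return action
    return "FALLTHROUGH"  # left to later rules or the chain policy

def register(user_agent=None):
    """Build a constructed SIP REGISTER; addresses are from documentation ranges."""
    lines = [
        "REGISTER sip:pbx.example.com SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
        "From: <sip:100@pbx.example.com>;tag=1",
        "To: <sip:100@pbx.example.com>",
        "Call-ID: constructed-1@192.0.2.10",
        "CSeq: 1 REGISTER",
    ]
    if user_agent is not None:
        lines.append("User-Agent: " + user_agent)
    lines.append("Content-Length: 0")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

# Constructed sample traffic, one entry per case discussed in the thread.
SAMPLES = {
    "own softphone": ("udp", 5060, register("YourString 1.0")),
    "other phone": ("udp", 5060, register("OtherPhone 2.3")),
    "other phone, copied string": ("udp", 5060, register("yourstring")),
    "no User-Agent header": ("udp", 5060, register()),
    "SIP over TLS (opaque bytes)": ("tcp", 5061, b"\x17\x03\x03\x00\x20" + bytes(32)),
}

def classify_all():
    return {name: verdict(*pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:30} -> {result}")
```

The copied-string case is accepted exactly like the real softphone, which is the objection raised above. The TLS case shows that the same encryption that hides the header from a sniffer also hides it from this packet filter.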