Home

In the [general] section of sip.conf, set “alwaysauthreject=yes”. This makes it much harder for a hacker to scan your server and identify what extension numbers are being used because it tells Asterisk that when the supplied credentials are wrong on an INVITE or REGISTER request, it should always return the same error no matter whether it was the user id or the password that didn’t match.

Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf.

allowguest=yes means that calls will be accepted even though there is no match in sip.conf.

A benefit of SIP domains

Activating support for SIP Domains in Asterisk can give you one more layer of security, but it will only be effective if you can:
Avoid having your PBX’s Internet IP address as one of the domains, and
Set the parameter allowexternaldomains = no

Doing both of the above will cause Asterisk to reject all SIP requests where the R-URI is using the external IP address of the PBX rather than a legitimate SIP domain – one that you have configured and approved. Since most hacking attempts are based on IP address only, this could be a useful extra layer of protection for your server.