System information

192.168.1.0/255.255.255.0 = 1024

[some_peer]
; A dynamic peer's address is not known until that peer
; registers. A call number limit can be specified in the
; peer's section instead of the callnumberlimits section.
type = peer
host = dynamic
maxcallnumbers = 512

If a peer does not yet support call token validation, but you would like to turn it on as
soon as you detect that the peer has been upgraded to support it, there is an option that
allows for this behavior:

[some_other_peer]
requirecalltoken = auto

If you would like to allow guest access over IAX2, you will most likely want to disable
call token validation for unauthenticated calls. This will ensure that the largest number
of people can call your system over IAX2. However, if you do so, you should also set
the option that provides a global limit to how many call numbers can be consumed by
hosts that did not pass call token validation:

[general]
maxcallnumbers_nonvalidated = 2048

[guest]
type = user
requirecalltoken = no

If at any time you would like to see some statistics on call number usage on your system,
execute the iax2 show callnumber usage command at the Asterisk CLI.

Tip #10: Be happy knowing that IAX2 has been updated to secure itself from denial of
service attacks due to call number exhaustion. If you must turn off these security features
in some cases, use the options provided to limit your exposure to an attack.
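
As an added example (not from the book or the Asterisk project), the following Python script audits iax.conf text for the case described above: a section with requirecalltoken = no while [general] does not set maxcallnumbers_nonvalidated. The sample configuration is constructed, and the function names parse_sections and audit_call_tokens are hypothetical.

```python
# Added example. SAMPLE_IAX_CONF is constructed; it is not from a real system.
SAMPLE_IAX_CONF = """\
[general]
bindport = 4569            ; maxcallnumbers_nonvalidated is not set here
[guest]
type = user
requirecalltoken = no
[some_peer]
type = peer
host = dynamic
maxcallnumbers = 512
[some_other_peer]
type = peer
requirecalltoken = auto
"""

def parse_sections(text):
    """Parse Asterisk-style config text into {section: {option: value}}."""
    # Simplified: every ';' starts a comment; templates and #include are ignored.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip().lower()
    return sections

def audit_call_tokens(text):
    """Return (section, level, message) findings for relaxed call token validation."""
    sections = parse_sections(text)
    cap = sections.get("general", {}).get("maxcallnumbers_nonvalidated", "")
    findings = []
    for name, opts in sections.items():
        mode = opts.get("requirecalltoken")
        if mode == "no" and not cap.isdigit():
            findings.append((name, "warn", "requirecalltoken = no, but [general] "
                             "sets no numeric maxcallnumbers_nonvalidated"))
        elif mode == "no":
            findings.append((name, "info", "validation off; non-validated hosts "
                             "share a cap of %s call numbers" % cap))
        elif mode == "auto":
            findings.append((name, "info", "validation becomes required once "
                             "the peer is seen to support call tokens"))
    return findings

if __name__ == "__main__":
    for finding in audit_call_tokens(SAMPLE_IAX_CONF):
        print("%-16s %-5s %s" % finding)
```

Adding maxcallnumbers_nonvalidated = 2048 to [general] in the sample turns the warning for [guest] into an informational finding.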

Other Risk Mitigation

There are a couple more useful features in Asterisk that can be used to mitigate the risk
of attacks. The first is to make use of the permit and deny options to build access control
lists (ACLs) for privileged accounts. Consider a PBX that has SIP phones on a local
network, but also accepts SIP calls from the public Internet. Calls coming in over the
Internet are only granted access to the main company menu, while local SIP phones
have the ability to make outbound calls that cost you money. In this case, it is a very
574 | Chapter 26:Security