...
identify_by
Endpoints and aors can be identified in multiple ways. Currently, the supported options are username, which matches the endpoint or aor id based on the username and domain in the From header (or To header for aors), and auth_username, which matches the endpoint or aor id based on the username and realm in the Authentication header. In all cases, if an exact match on both username and domain/realm fails, the match will be retried with just the username.
Identification by auth_username has some security considerations because an Authentication header is not present on the first message of a dialog when digest authentication is used. The client can't generate it until the server sends the challenge in a 401 response. Since Asterisk normally sends a security event when an incoming request can't be matched to an endpoint, using auth_username requires that the security event be deferred until a request is received with the Authentication header and only generated if the username doesn't result in a match. This may result in a delay before an attack is recognized. You can control how many unmatched requests are received from a single IP address before a security event is generated using the unidentified_request parameters in the "global" configuration object.
Endpoints can also be identified by IP address; however, that method of identification is not handled by this configuration option. See the documentation for the
username
auth_username
...
| Option Name | Type | Default Value | Regular Expression | Description |
|---|---|---|---|---|
| | | | | Value used in Max-Forwards header for SIP requests. |
| | | | | The interval (in seconds) to send keepalives to active connection-oriented transports. |
| | | | | The interval (in seconds) to check for expired contacts. |
| | | | | Disable Multi Domain support |
| | | | | The maximum amount of time from startup that qualifies should be attempted on all contacts. If greater than the qualify_frequency for an aor, qualify_frequency will be used instead. |
| | | | | The number of seconds over which to accumulate unidentified requests. |
| | | | | The number of unidentified requests from a single IP to allow. |
| | | | | The interval at which unidentified requests older than twice the unidentified_request_period are pruned. |
| | | | | Must be of type 'global'. |
| | | | | Value used in User-Agent header for SIP requests and Server header for SIP responses. |
| | | | | When set, Asterisk will dynamically create and destroy a NoOp priority 1 extension for a given peer who registers or unregisters with us. |
| | | | | Endpoint to use when sending an outbound request to a URI without a specified endpoint. |
| | | | | The voicemail extension to send in the NOTIFY Message-Account header if not specified on endpoint or aor |
| | | | | Enable/Disable SIP debug logging. Valid options include yes, no, or a host address |
| | | | | The order by which endpoint identifiers are processed and checked. Identifier names are usually derived from and can be found in the endpoint identifier module itself (res_pjsip_endpoint_identifier_*). You can use the CLI command "pjsip show identifiers" to see the identifiers currently available. |
| | | | | When Asterisk generates an outgoing SIP request, the From header username will be set to this value if there is no better option (such as CallerID) to be used. |
| | | | | When Asterisk generates a challenge, the digest will be set to this value if there is no better option (such as auth/realm) to be used. |
Configuration Option Descriptions
...
If disabled, it can improve realtime performance by reducing the number of database requests.
unidentified_request_period
If unidentified_request_count unidentified requests are received during unidentified_request_period, a security event will be generated.
unidentified_request_count
If unidentified_request_count unidentified requests are received during unidentified_request_period, a security event will be generated.
endpoint_identifier_order
One of the identifiers is "auth_username" which matches on the username in an Authentication header. This method has some security considerations because an Authentication header is not present on the first message of a dialog when digest authentication is used. The client can't generate it until the server sends the challenge in a 401 response. Since Asterisk normally sends a security event when an incoming request can't be matched to an endpoint, using auth_username requires that the security event be deferred until a request is received with the Authentication header and only generated if the username doesn't result in a match. This may result in a delay before an attack is recognized. You can control how many unmatched requests are received from a single IP address before a security event is generated using the unidentified_request parameters.
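A pjsip.conf fragment tying identify_by, endpoint_identifier_order and the unidentified_request parameters together, as an added example that is not part of the imported documentation. The object names (alice, alice-auth), the dialplan context, the identifier order and all numeric values are constructed for illustration.

```ini
; pjsip.conf (constructed example; names and values are illustrative)

[global]
type=global
; Identifiers are tried in this order. auth_username can only match once
; the client has answered the 401 challenge with its credentials.
endpoint_identifier_order=ip,username,auth_username,anonymous
; Because the security event for an unmatched request is deferred when
; auth_username is in use, these two values bound how much unmatched
; traffic one IP address can send before the event is generated:
; 3 unidentified requests within 5 seconds.
unidentified_request_count=3
unidentified_request_period=5
; How often tracked requests older than twice the period (here 10 s)
; are pruned.
unidentified_request_prune_interval=30

[alice]
type=endpoint
; Match on the From header username first, then on the digest username.
identify_by=username,auth_username
auth=alice-auth
aors=alice
context=from-internal        ; hypothetical dialplan context
disallow=all
allow=ulaw

[alice-auth]
type=auth
auth_type=userpass
username=alice
password=REPLACE_WITH_STRONG_SECRET   ; placeholder, not a real secret

[alice]
type=aor
max_contacts=1
```

A lower unidentified_request_count or a longer unidentified_request_period shortens the delay before unmatched traffic from one address is reported, at the cost of more events from clients that are merely misconfigured.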
Import Version
This documentation was imported from Asterisk Version GIT-13-a16aa46cc8a506