The request for blocking additional connection attempts after x attempts in given y time frame is a good one. Also improvements on limiting where registration attempts can be allowed from is good. But this is the wrong forum for those as nobody here has control over or writes the code for asterisk.

FreePBX is a application that sits on top of asterisk and generates dialplans and expands featureset for those that do not want to or can't write dial plans for asterisk (yes I'm skipping over many other things like ease of use, better interface, etc).

I'd make a formal request in the asterisk forums for that option. You can find that over at www.asterisk.org.

There are many good documents on the web for securing your setup that should be followed. also keeping up to date with all patches for asterisk are critical. As you had picked the trixbox distro (yes I was online in IRC with you yesterday) you need to pick a distro that keeps current with asterisk and all security patches. Unfortunately trixbox has decided to move on and nolonger support asterisk 1.2.x with newer patches as they have for a year tried to put as much distance between them and that build series as possible. Due to them basically abandoning support for those older versions they have not even kept up with just updating nothing but asterisk to he latest release available which had a few security updates released. 'm not current on them but one of those might have closed a known issue that somebody took advantage of.

Have you contacted the authorities and reported the theft of services, preserved the logs, reported the abuse to your provider so that they know, etc.. If not I'd do that ASAP. It might be possible to catch them but the longer you wait the easier it is for them to get away with it.

We secure our sip port in one of two ways. First it is locked down with a REAL firewall where I can say exactly which IP's are allowed access and which ones are not So those external locations that have static IP's can connect and nobody else is allowed. We also require that external employee's that have IP's that change often or are on dhcp from a provider use the VPN into the office so that we have it secured in a way that can't be abused.

Why not use MAC or IP filtering for your devices?

Hey, jperry999, fail2ban is awesome for type of thing.
Sorry to hear your system got compromised :(

I´ve been using Piaf for a bit, and fail2ban comes bundled with it. I saw the hundreds of SSH brute force connections to my systems every day drop to a handful, after using fail2ban.
Naturally, it can be configured for other ports, so you might want to give it a test drive.

Alternatively, you could try Privacy Manager on inbound calls, and Route Password on Outbound Calls, but that does make it a tad restrictive for making calls, and you have to update all your friends and family on their password. :(

As fskrotzki said, fail2ban comes shipped with PiaF.
Personally, I *love* PiaF, because it fills some of the gaps that aren't strictly PABX related, and makes administering the system a lot easier.
It uses FreePBX as the GUI for Asterisk, Webmin for the OS and fail2ban is preconfigured, all you need to do is simply download, install, update and configure.

Depending on your familiarity and expertise, you can easily have a system ready for action within a couple of hours, all patched and perky..

Fair enough call, SkyKing.
I found this comment from Ward Mundy, and it sounds like they've taken that step towards securing SIP registrations.

Just recently, we've added the latest release of Fail2Ban to all PBX in a Flash systems using our software update service.
Fail2Ban blocks SIP and IAX attacks which are becoming more and more prevalent by locking IP addresses out of your server for a specified period of time whenever a designated number of invalid passwords are submitted.

Of course, if you get a user who inadvertently puts in the wrong password for their SIP phone, it could well end up banning them, and you'd have all sorts of fun finding that out..

Thanks for finding my syntax mistake. I knew the constructs where available in Asterisk.

Patch 932 has not been merged into the release, it's not a bad request.

It does set a precedent of looking to the application for perimeter security. If you install the application in a secure environment none of this is an issue. These features are aimed at the 'do it your selfer'

Even the SIP specification delegates the feature called "admission control' to the functionality of a 'Session Border Control'.

FreePBX and Asterisk developers have limited cycles. They should be spent on telephony features not extending the scope of the application.

Thanks for your comments.

If you take a look in the notes at the beginning of sip.conf you will see you can add any settings you need in sip_custom_post.conf on a per peer basis.

My definition of a secure environment is the Asterisk server existing in a 'server' DMZ with access lists for each allowed service. Ideally this device should provide session border controller functionality. The latest release of Juniper ScreenOS performs this function nicely.

The problem is most folks don't want to run a PIX or a Juniper firewall in the SOHO environment. The only option that I know of is to run DD-WRT and use IP-tables for your access list.

If you are going to open SIP anonymous dialing you don't have to open up SIP registration for the peers outside your localnet.

As I indicated fail2ban is a great solution also. Strong SIP secrets are a must.

I had the pleasure of spending a week with Philippe and having dinner with Mark Spencer at the last OTTS seminar (which I highly recommend). The conversation focused on business deployments. It's fun to run Asterisk at home and gets you way up the ladder in geek factor, however at the end of the day it's business deployments that support the ecosystem. Most IT departments have well developed security policies, established perimeter security and intrusion detection systems in place.