Basing this on several recent threads about security, it seems that you can use a permit/deny mask on individual extensions (the contexts found in sip_additional.conf) but there is no way to set these from within FreePBX. It seems like this should be relatively trivial to add these two lines to the FreePBX extensions page (and write them in the sip_additional.conf file) and could possibly help save someone from a brute force attack. See examples at http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+permit-deny-mask
I realize that one can use fail2ban to limit access also, but it never hurts to have additional security, and since Asterisk apparently provides it then I think it would be a really good idea if FreePBX would make it easier to implement. You have text boxes for various other little-used options on the extension setup pages, so please consider adding these as well.
I'm setting the priority on this as major based on the number of reports recently received about systems being breached - see this post: http://www.freepbx.org/forum/freepbx/users/security-alert-is-port-5060-open-on-your-router
If you add this please consider backporting it to the 2.4 branch also. Thank you.
Edit: After some additional research I see this may be essentially a duplicate of Ticket #932, where there was even a pair of patches contributed. However, at the time that ticket was opened there had not yet been any known (or at least publicized) exploits of that security hole - the situation is apparently much more critical now. So I will expand my request to ask that if the patch given in #932 actually works, please include it in a FreePBX release/module update so that it is available to all FreePBX users.
