REGISTER check safety

The sip_register check performs a real SIP registration against your registrar using digest authentication, then immediately removes its own binding. Done carelessly, registration monitoring can hijack call routing. Follow these rules.

Use a dedicated test extension — always

Registrars bind contacts per AOR (address of record). If the probe registers against a production endpoint’s AOR, the registrar may add the probe as an additional binding and fork or route calls to it — calls the probe will never answer.

Create a dedicated extension (e.g. sipsentry-test) with its own credentials that no phone uses, and monitor that. This exercises exactly the same auth path, database, and registrar logic as a real phone — without touching production routing.

What the probe does to stay safe

  • Registers with a short Expires: 60, so even an orphaned binding vanishes within a minute.
  • After a successful registration, immediately sends a targeted de-register (Contact: <its own contact>;expires=0). It never sends Contact: *, which would wipe every binding for the AOR, including real phones.
  • Uses the distinctive contact user part sipsentry-probe, so any stray binding is instantly identifiable in your registrar’s location table.
  • Reports teardown failures in the check detail (teardown: failed) so you can spot registrars that ignore de-registration.

Fail2ban and rate limits

Registrars commonly ban IPs after repeated authentication attempts. SIP Sentry enforces a minimum interval of 60 seconds for REGISTER checks (300s recommended), and any hosted probe IPs are published for allowlisting. If your registrar runs fail2ban/pike, allowlist the probe addresses before enabling this check — a credential typo can otherwise get the probe banned.

Credentials handling

The password is encrypted (AES-256-GCM) at rest, never returned by any API endpoint, and travels to the probe only over the TLS WebSocket at dispatch time. Probes never persist credentials to disk. Rotate the test extension’s password like any other secret.