diff --git a/UPGRADE-1.8.txt b/UPGRADE-1.8.txt
index 677fdb7c21a1ebe160778e679f36f0696f909ca3..905681fe25b1f4c1842cfe03fa4127a37611c4f1 100644
--- a/UPGRADE-1.8.txt
+++ b/UPGRADE-1.8.txt
@@ -20,6 +20,9 @@
 
 From 1.6.2 to 1.8:
 
+* The default value for the alwaysauthreject option in sip.conf has been changed
+  from "no" to "yes".
+
 * The behavior of the 'parkedcallstimeout' has changed slightly.  The formulation
   of the extension name that a timed out parked call is delivered to when this
   option is set to 'no' was modified such that instead of converting '/' to '0',
diff --git a/channels/sip/include/sip.h b/channels/sip/include/sip.h
index 0e207ca23d40d80be8d2a05096390f27a5852c7e..cf3c0da6966693bcca9cdb16e210614c4d3aed1b 100644
--- a/channels/sip/include/sip.h
+++ b/channels/sip/include/sip.h
@@ -214,7 +214,7 @@
 #define	DEFAULT_MATCHEXTERNADDRLOCALLY FALSE /*!< Match extern IP locally default setting */
 #define DEFAULT_QUALIFY        FALSE    /*!< Don't monitor devices */
 #define DEFAULT_CALLEVENTS     FALSE    /*!< Extra manager SIP call events */
-#define DEFAULT_ALWAYSAUTHREJECT  FALSE /*!< Don't reject authentication requests always */
+#define DEFAULT_ALWAYSAUTHREJECT  TRUE  /*!< Don't reject authentication requests always */
 #define DEFAULT_REGEXTENONQUALIFY FALSE
 #define DEFAULT_T1MIN             100   /*!< 100 MS for minimal roundtrip time */
 #define DEFAULT_MAX_CALL_BITRATE (384)  /*!< Max bitrate for video */
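Review bot: The Doxygen comment on the new `DEFAULT_ALWAYSAUTHREJECT` line still reads "Don't reject authentication requests always", which described the old FALSE value and now contradicts TRUE. Anyone auditing the SIP defaults from this header would conclude that username-enumeration protection is off by default. I would update the comment to match the sip.conf.sample wording, for example `#define DEFAULT_ALWAYSAUTHREJECT  TRUE  /*!< Reject authentication requests the same way whether or not a matching user/peer exists */`. Presumably an explicit `alwaysauthreject=no` in an existing sip.conf still overrides this default, so the UPGRADE note could say that operators should check for it; the option parsing is not visible in this diff.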
diff --git a/configs/sip.conf.sample b/configs/sip.conf.sample
index 35f4f682ee779d8828e86d992c20c115aaeaa20c..c61e8787c2e00e29f8c027f157fb605cff06137f 100644
--- a/configs/sip.conf.sample
+++ b/configs/sip.conf.sample
@@ -356,6 +356,7 @@ srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls
                                 ; instead of letting the requester know whether there was
                                 ; a matching user or peer for their request.  This reduces
                                 ; the ability of an attacker to scan for valid SIP usernames.
+                                ; This option is set to "yes" by default.
 
 ;g726nonstandard = yes          ; If the peer negotiates G726-32 audio, use AAL2 packing
                                 ; order instead of RFC3551 packing order (this is required