Tilghman Lesher wrote:
> On Thursday 12 November 2009 07:47:34 Lee Howard wrote:
>
>> In your sip.conf file allowguest defaults to yes. This means that
>> anyone that can reach the SIP ports on that system has access to make
>> unauthenticated calls, by default. The administrator actually has to go
>> in and turn it off to prevent unauthenticated SIP calls (in whatever
>> context [general] points at).
>>
>
> Actually, they only have access to your default context. Whether you make
> available outgoing calls in your default context is your choice. By default,
> there is no capability of making outgoing calls from your default context.
>

Well, yes, the default configuration is useless. But, let's say I follow doc/security.txt exactly and have this:

[default]
exten => 6123,Dial(Zap/1)
...

therefore, by default, an unauthenticated user from anywhere can call the extension Zap/1. It's not my point whether or not this poses a financial risk. My point is that this is an insecure default behavior to have allowguest=yes.

>> Does anyone else agree with me that this is a poor default? I'd like to
>> see the default setting changed.
>>
>
> The purpose of the allowguest option is to allow persons to call into your
> system from a zero-knowledge position. This allows you to publish a general
> SIP address as a point of contact.

These people should need to deliberately use allowguest=yes. I would venture to guess that these people already know who they are and deliberately have this set. I would venture to guess that there are far, far more people who have it turned on by default who really don't want it that way than there are who expected it to be that way and desire it to so be.

> The reason why it is set that way in the
> sample configuration is to make it easy for new users to get to that magic
> moment when Asterisk first responds to their call (in essence, to get the user
> "hooked").
>

This is a poor excuse for a poor default security setting.

>> It seems to me that this default is the reason behind the
>> doc/security.txt bias against using the "default" context for toll calls.
>>
>
> Correct, you should be using something like "internal" instead.

And yet this point is not even made clear in the doc/security.txt file. It says to not use "default" for anything you don't want to get abused, but it doesn't say *why*. So I can envision, then, someone reading the document and then changing context=internal in the [general] section of sip.conf... and thinking that they responded correctly to what the document said.

If this default is to persist then I think that it behooves the developers to at least make this exposure clear to the users. Therefore, in the [general] section of sip.conf the context should not be set to "default", but rather to "unauthorized" or "public" or "open" or "free" or something that makes it clear that this is where unauthenticated SIP calls go.

Thanks,

Lee.
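
An added example, not part of the thread or of the Asterisk project: a small audit that reads sip.conf and extensions.conf text and lists the dialplan extensions an unauthenticated SIP caller can reach under the allowguest default discussed above. The function names, the constructed sample files and the simplified parser are assumptions for illustration; it also follows include => lines, so a guest context that pulls in an internal one is reported.

```python
def parse_conf(text):
    """Parse Asterisk-style config text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("["):
            current = line[1:].split("]", 1)[0]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)          # handles both '=' and '=>'
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def reachable(dialplan, context, seen=None):
    """Extensions in `context`, following 'include =>' lines into other contexts."""
    seen = set() if seen is None else seen
    if context in seen or context not in dialplan:
        return []
    seen.add(context)
    found = []
    for key, value in dialplan[context]:
        if key == "exten":
            found.append((context, value))
        elif key == "include":
            found += reachable(dialplan, value, seen)
    return found

def guest_exposure(sip_conf, extensions_conf):
    """Return (guests_allowed, guest_context, [(context, exten line), ...])."""
    general = dict(parse_conf(sip_conf).get("general", []))
    # Per the thread: allowguest is on unless turned off. Assumptions: only an
    # explicit false value counts as off; an unset context means "default".
    allowed = general.get("allowguest", "yes").lower() not in ("no", "false", "0", "off")
    context = general.get("context", "default")
    exts = reachable(parse_conf(extensions_conf), context) if allowed else []
    return allowed, context, exts

# Constructed sample files for the example (not taken from the thread).
SIP_DEFAULT = "[general]\ncontext=default\n; allowguest not set\n"
SIP_HARDENED = "[general]\ncontext=public\nallowguest=no\n"
DIALPLAN = """[default]
exten => 6123,1,Dial(Zap/1)
include => internal
[internal]
exten => _9.,1,Dial(Zap/g1/${EXTEN:1})   ; outbound trunk
"""

if __name__ == "__main__":
    for sip in (SIP_DEFAULT, SIP_HARDENED):
        print(guest_exposure(sip, DIALPLAN))
```

With the first sample, both the 6123 extension and the included outbound pattern are reported as reachable by guests; with allowguest=no the list is empty.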
