On Thursday 12 November 2009 09:53:17 Lee Howard wrote:
> Tilghman Lesher wrote:
> > On Thursday 12 November 2009 07:47:34 Lee Howard wrote:
> >> In your sip.conf file allowguest defaults to yes. This means that
> >> anyone that can reach the SIP ports on that system has access to make
> >> unauthenticated calls, by default. The administrator actually has to go
> >> in and turn it off to prevent unauthenticated SIP calls (in whatever
> >> context [general] points at).
> >
> > Actually, they only have access to your default context. Whether you
> > make available outgoing calls in your default context is your choice. By
> > default, there is no capability of making outgoing calls from your
> > default context.
>
> Well, yes, the default configuration is useless. But, let's say I
> follow doc/security.txt exactly and have this:
>
> [default]
> exten => 6123,Dial(Zap/1)
>
> ... therefore, by default, an unauthenticated user from anywhere can
> call the extension Zap/1. It's not my point whether or not this poses a
> financial risk. My point is that this is an insecure default behavior
> to have allowguest=yes.
>
> >> Does anyone else agree with me that this is a poor default? I'd like to
> >> see the default setting changed.
> >
> > The purpose of the allowguest option is to allow persons to call into
> > your system from a zero-knowledge position. This allows you to publish a
> > general SIP address as a point of contact.
>
> These people should need to deliberately use allowguest=yes. I would
> venture to guess that these people already know who they are and
> deliberately have this set. I would venture to guess that there are
> far, far more people who have it turned on by default who really don't
> want it that way than there are who expected it to be that way and
> desire it to so be.

And the people who use this probably believe that YOU should be the one
who has to deliberately turn this option off. I would venture to guess that
90% of all statistics are made up on the spot, including this one and the
two you specified above.

> > The reason why it is set that way in the
> > sample configuration is to make it easy for new users to get to that
> > magic moment when Asterisk first responds to their call (in essence, to
> > get the user "hooked").
>
> This is a poor excuse for a poor default security setting.

It's not a security setting; it's a functionality setting. You see it behind
rose-tinted spectacles because in your specific case, you don't have a use
for it. That's fine, but please do not extrapolate from your limited use
cases what the global settings should be.

> >> It seems to me that this default is the reason behind the
> >> doc/security.txt bias against using the "default" context for toll
> >> calls.
> >
> > Correct, you should be using something like "internal" instead.
>
> And yet this point is not even made clear in the doc/security.txt file.
> It says to not use "default" for anything you don't want to get abused,
> but it doesn't say *why*. So I can envision, then, someone reading the
> document and then changing context=internal in the [general] section of
> sip.conf... and thinking that they responded correctly to what the
> document said.

You've just made a case for enhancing the documentation, not for changing
the defaults. If you contribute documentation changes to this effect on the
issue tracker, I would be more than happy to commit them.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
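Added example, not part of the original message and not Asterisk project code: a small Python audit of the exposure discussed in this thread, reporting which extensions an unauthenticated SIP caller can dial given `allowguest` and the `[general]` context in sip.conf. The configuration snippets are constructed, the function names are hypothetical, and the fallbacks (`allowguest=yes`, `context=default`) are assumed defaults for keys that are absent.

```python
import re

TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}  # values Asterisk treats as true

def parse_conf(text):
    """Minimal Asterisk-style parser: {section: [(key, value), ...]}.
    Ignores #include, templates and 'include =>' chaining (simplification)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        section = re.match(r"\[([^\]]+)\]", line)
        if section:
            current = sections.setdefault(section.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # handles both '=' and '=>'
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def guest_exposure(sip_conf, extensions_conf):
    """Report what an unauthenticated SIP caller can dial."""
    general = dict(parse_conf(sip_conf).get("general", []))
    # Assumed defaults when a key is absent: allowguest=yes, context=default.
    allowguest = general.get("allowguest", "yes").lower() in TRUE_VALUES
    context = general.get("context", "default")
    dialable = []
    if allowguest:
        for key, value in parse_conf(extensions_conf).get(context, []):
            if key == "exten" and "dial(" in value.lower():
                dialable.append(value.split(",", 1)[0])
    return {"allowguest": allowguest, "guest_context": context, "dialable": dialable}

# Constructed sample configurations (not taken from a real system).
EXTENSIONS = """
[default]
exten => 6123,1,Dial(Zap/1)
[internal]
exten => _9NXXXXXX,1,Dial(Zap/g1/${EXTEN:1})
"""
SIP_UNTOUCHED = "[general]\nbindport=5060\n"         # allowguest never mentioned
SIP_MISREAD = "[general]\ncontext=internal\n"        # toll context made the guest context
SIP_HARDENED = "[general]\nallowguest=no\ncontext=default\n"

if __name__ == "__main__":
    for name, conf in [("untouched", SIP_UNTOUCHED), ("misread", SIP_MISREAD),
                       ("hardened", SIP_HARDENED)]:
        print(name, guest_exposure(conf, EXTENSIONS))
```

The "misread" case is the documentation gap raised in the thread: moving `context=internal` into `[general]` while guests are still allowed turns the toll context into the guest context.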
