[Asterisk-Dev] SIP Phone reset from CLI

John Todd jtodd at loligo.com
Tue Sep 2 10:14:53 MST 2003


Comments in-line.

>No problem - I understand that completely.  But a phone will only 
>reboot based on its sync parameters you've assigned it based on the 
>SIP image it's running.  I don't think there's more security issues 
>if someone is able to edit your syncinfo.xml file more than being able 
>to send an unsolicited NOTIFY to a Cisco phone.  (that can be done 
>outside of asterisk, you know).

Ah, but it can't.  My SIP clients are using Asterisk as an 
application-layer proxy.  Packets from the outside world can't get to 
my Cisco phones.  However, if Asterisk accepted NOTIFY messages as 
proxy requests (or any other type of SIP message, for that matter) 
and passed them through, then suddenly my SIP network is vulnerable 
to weird SIP attacks.

I'm not being discouraging: I really would LIKE to have Asterisk 
support proxy features, but they need to be turned off by default, 
and also need to have extremely tight origin and destination controls 
(IP address, SIP message, password?)

Your particular example is not terribly dangerous: the sync command 
is not a big deal.  However, once that path is open, who is to say 
that no other commands will be able to be inserted into my network? 
That's like saying "I leave the door unlocked, because I've only ever 
seen my friends come into my house."

>I know in our situation, it's easier on us to have a master reboot 
>option or extension reboot option so I have some lower-techs do some 
>administration & be able to implement this into a perl script.  But, 
>in another location - it may be better to not have this option.
>
>Regardless - I've posted the diff for anyone to use if they like or 
>to modify it based on their needs.
>Whatever you decide is fine with me either way.  :-)

Thanks for the code!  This, and other good (but specific) code has 
made me start thinking that a "contrib" section is needed for things 
that probably should not go into the default distribution, but would 
be worthwhile to distribute in the main tree. I'll start up another 
thread on it...

JT


>See ya!
>
>
>
>
>-----Original Message-----
>From: John Todd [mailto:jtodd at loligo.com]
>Sent: Tuesday, September 02, 2003 3:42 AM
>To: asterisk-dev at lists.digium.com
>Subject: Re: [Asterisk-Dev] SIP Phone reset from CLI
>
>
>>On Fri, Aug 29, 2003 at 04:48:12PM -0400, James Golovich wrote:
>>>   I don't know if this should really be in cvs, unless it's a feature that is
>>>   supported by all phones and not just the cisco phones.
>>
>>	I tend to agree.
>>
>>	But I'd like to see asterisk be able to pass the notify
>>messages itself, so if I send a notify message to
>>the asterisk server, I'd like it to forward them to the phones.
>>
>>	I have a perl script that you can use that takes
>><exten> <ip> as arguments.
>>
>>	if you use an asterisk server as the <ip> it
>>does not work..
>>
>>	seems like forwarding these would be the best way to do this.
>>
>>	- jared
>>--
>>Jared Mauch  | pgp key available via finger from jared at puck.nether.net
>>clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
>
>
>This suggestion, and several others that require "proxy"
>functionality in Asterisk, have been made in the last few weeks.  I
>have said in the past that Asterisk doesn't make a good proxy, since
>it isn't really a proxy at all.  At the moment, I'll suggest again
>that is the case. (SER and Vocal are perfectly suitable,
>mostly-RFC-compliant proxies.)
>
>While not being related to the exact circumstance at hand in this
>thread, this general concept of expanded SIP feature requests can be
>see in this request:
>http://bugs.digium.com/bug_view_page.php?bug_id=0000157
>
>Don't get me wrong; I'd like to see some selectable "proxy" features,
>but I also would like to see that ability locked down very tightly on
>a global and/or per peer basis.  I don't want your script able to
>send SIP messages into my network if you happen to know the NAT'ed IP
>address of my phone, and the IP address of my Asterisk server.  :-)
>
>JT
>_______________________________________________
>Asterisk-Dev mailing list
>Asterisk-Dev at lists.digium.com
>http://lists.digium.com/mailman/listinfo/asterisk-dev
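
The controls asked for in this message (proxying off by default, with per-peer limits on origin address, destination and SIP message type) can be sketched as a default-deny check. This is an added example, not code from the thread or from Asterisk: `PeerPolicy`, `ProxyPolicy`, `parse_request` and `may_forward` are hypothetical names, the addresses and the sample NOTIFY are constructed, and password authentication is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PeerPolicy:  # hypothetical per-peer rule: nothing passes unless listed
    sources: list = field(default_factory=list)  # CIDRs allowed to originate
    methods: set = field(default_factory=set)    # SIP methods that may be relayed
    events: set = field(default_factory=set)     # Event values allowed for NOTIFY

@dataclass
class ProxyPolicy:
    enabled: bool = False                        # global switch, off by default
    peers: dict = field(default_factory=dict)    # destination user -> PeerPolicy

def parse_request(raw):
    """Return (method, destination user, headers) from a raw SIP request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, version = head[0].split(" ", 2)  # ValueError if malformed
    if version != "SIP/2.0" or not uri.lower().startswith("sip:"):
        raise ValueError("not a SIP request")
    user = uri[4:].split("@", 1)[0] if "@" in uri else ""
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), user, headers

def may_forward(policy, src_ip, raw):
    """Default deny: every check must pass before a request is relayed."""
    if not policy.enabled:
        return False, "proxying disabled"
    try:
        method, user, headers = parse_request(raw)
    except ValueError:
        return False, "malformed request"
    peer = policy.peers.get(user)
    if peer is None:
        return False, "no rule for destination"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(n) for n in peer.sources):
        return False, "source not allowed"
    if method not in peer.methods:
        return False, "method not allowed"
    if method == "NOTIFY" and headers.get("event", "").lower() not in peer.events:
        return False, "event not allowed"
    return True, "ok"

# Constructed sample: a NOTIFY asking phone "1001" to re-sync.
SAMPLE = ("NOTIFY sip:1001@192.0.2.10 SIP/2.0\r\n"
          "Event: check-sync\r\n\r\n")
```
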
