[Asterisk-Dev] acl in sip
Kelvin Chua
kchua at up.edu.ph
Tue Sep 23 05:12:26 MST 2003
another one,
i think we ought to increase the security of the sip acl, authentication is fine using digest but there are "broken" sip endpoints which couldn't really support the digest authentication or endpoints which are really static, (using static registration would lessen overhead).
my point is, when you put defaultip=x.x.x.x in sip.conf, changing ip addresses would enable me to attack * by flooding invites. * permits calls even though the defaultip tag in sip.conf does not match the caller's ip address. usually, like ser or vocal, it 'may' challenge the invites it receives so that if it is not properly authenticated, it will be rejected and not proxied. in this case, if we set the defaultip, i think * should only allow sip message to and from the provisioned user.
another note, can we like have an entry in sip.conf that will enable you to provision a high density fxs box, let's say 24 ports in just 1 entry? for example:
[1300-1323]
type=friend
defaultip=x.x.x.x
this will yield a much more simpler configuration, besides all those extensions use just 1 ip address. ata 186 will also benefit from this configuration...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-dev/attachments/20030923/5b995fd3/attachment.htm
More information about the asterisk-dev
mailing list