[Asterisk-Dev] Security Issue in Asterisk with sip.conf configuration.

William Zhang w_w_zhang at yahoo.com
Tue Apr 27 15:31:58 MST 2004


I had tried many ways with some advanced user help, but without
success (at one point I thought I had it working).

Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
file, there are a lot of entries with just "host=a.b.c.d", thinking
that * will only accept calls from host "a.b.c.d", but in my test, no
matter how you set up the sip.conf entries, either * will NOT accept
calls for that user account at all, or it will accept calls from
anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not),
so long as the SIP userid is the username in sip.conf. This poses a very
serious security problem.

Of course we can put "secret=" in each entry, but given that the Asterisk GW
and SIP proxy are on 2 TRUSTED IPs, no authentication is necessary,
otherwise it increases the SIP traffic quite a bit.

Following are the 4 different entries that I tried:
# Notice that in the "general" section, context points to a
non-existent context "INVALID".

;
; SIP Configuration for Asterisk
;
[general]
port = 5060                     ; Port to bind to
bindaddr = 212.213.66.68
context = INVALID               ;
;srvlookup = yes                ; Enable SRV lookups on outbound calls
;pedantic = yes                 ; Enable slow, pedantic checking for Pingtel
;tos=lowdelay
;tos=184
;maxexpirey=3600                ; Max length of incoming registration we allow
;defaultexpirey=120             ; Default length of incoming/outoing registration
;notifymimetype=text/plain      ; Allow overriding of mime type in NOTIFY
;videosupport=yes               ; Turn on support for SIP video
disallow=all                    ; Disallow all codecs
allow=ulaw                      ; Allow codecs in order of preference
allow=g729
allow=ilbc
;
;dtmfmode=info
;dtmfmode=inband
dtmfmode=rfc2833



[20034]
type=friend
callerid=TEST <61331045>
host=212.213.65.66
nat=yes                        ; This phone may be natted
canreinvite=no

[20035]
type=peers
callerid=TEST <61331045>
host=212.213.65.66
nat=yes                        ; This phone may be natted
canreinvite=no

[20036]
type=friend
context=default
callerid=TEST <61331045>
host=212.213.65.66
permit=212.213.65.66
nat=yes                        ; This phone may be natted
canreinvite=no

[20037]
type=peers
context=default
callerid=TEST <61331045>
permit=212.213.65.66
nat=yes                        ; This phone may be natted
canreinvite=no

Thank you in advance.
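As an added example (not part of the original post), a small audit script that parses sip.conf-style text and flags the pattern described above: entries that rely on host= alone. Asterisk matches incoming calls to type=user and type=friend entries by the username in the request, and only type=peer entries by source address, so a user/friend entry without a secret or a permit/deny ACL accepts calls from any address. The sample configuration embedded below is reduced from the entries in the post; the function and section names are this example's own.

```python
import re

VALID_TYPES = {"user", "peer", "friend"}   # the only values chan_sip recognises

def parse_sip_conf(text):
    """Parse sip.conf-style text into {section: {key: value}}; first value wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(key.lower(), value)
    return sections

def audit(sections):
    """Return {section: [findings]} for entries that may accept unauthenticated calls."""
    findings = {}
    for name, kv in sections.items():
        if name == "general":
            continue
        issues = []
        typ = kv.get("type", "").lower()
        if typ not in VALID_TYPES:
            issues.append(f"unknown type '{typ}' (expected user, peer or friend)")
        if "secret" not in kv:
            if typ in ("user", "friend"):
                issues.append("name-matched entry without secret: host= is not enforced")
            if "permit" not in kv and "deny" not in kv:
                issues.append("no secret and no permit/deny ACL")
        if typ == "peer" and "host" not in kv:
            issues.append("peer without host=: no source address to match")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample, reduced from the four entries in the post above.
SAMPLE = """[general]
context = INVALID
[20034]
type=friend
host=212.213.65.66
[20035]
type=peers
host=212.213.65.66
[20036]
type=friend
host=212.213.65.66
permit=212.213.65.66
[20037]
type=peers
permit=212.213.65.66
"""

if __name__ == "__main__":
    for section, issues in audit(parse_sip_conf(SAMPLE)).items():
        print(section, "->", "; ".join(issues))
```

A hardened entry (type=peer with host= and either a secret or a permit/deny ACL) produces no findings.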
