[Asterisk-Dev] Security Issue in Asterisk with sip.conf configuration.
Olle E. Johansson
oej at edvina.net
Tue Apr 27 23:25:46 MST 2004
Rob Gagnon wrote:
> Have you tried using:
>
> permit=
> deny=
>
> entries in the sip.conf file?
> you can have as many of those as you need to create an ACL
>
The host= command does not limit access. It tells Asterisk where to find
your client if the client doesn't register with Asterisk. It's for
outbound calls, where Asterisk calls the phone.
/O
> ----- Original Message -----
> From: "William Zhang" <w_w_zhang at yahoo.com>
> To: <asterisk-dev at lists.digium.com>
> Sent: Tuesday, April 27, 2004 5:31 PM
> Subject: [Asterisk-Dev] Security Issue in Asterisk with sip.conf
> configuration.
>
>
>
>>I had tried many ways with some advanced user help, but without
>>success (at one point I thought I had it working).
>>
>>Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
>>file, there are a lot of entries with just "host=a.b.c.d", thinking
>>that * will only accept calls from host "a.b.c.d", but in my test, no
>>matter how you set up the sip.conf entries, either * will NOT accept
>>calls for that user account at all, or it will accept calls from
>>anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not),
>>so long as the SIP userid is the username in sip.conf. This poses a very
>>serious security problem.
>>
>>Of course we can put "secret=" for each entry, but given that the Asterisk GW
>>and SIP proxy are on 2 TRUSTED IPs, no Authentication is necessary;
>>otherwise it increases the SIP traffic quite a bit.
>>
>>Following are the 4 different entries that I had tried:
>>#Notice that in the "general" section, context is pointed to a
>>non-existent context "INVALID".
>>
>>;
>>; SIP Configuration for Asterisk
>>;
>>[general]
>>port = 5060 ; Port to bind to
>>bindaddr = 212.213.66.68
>>context = INVALID ;
>>;srvlookup = yes ; Enable SRV lookups on outbound calls
>>;pedantic = yes ; Enable slow, pedantic checking for Pingtel
>>;tos=lowdelay
>>;tos=184
>>;maxexpirey=3600 ; Max length of incoming registration we allow
>>;defaultexpirey=120 ; Default length of incoming/outgoing registration
>>;notifymimetype=text/plain ; Allow overriding of mime type in NOTIFY
>>;videosupport=yes ; Turn on support for SIP video
>>disallow=all ; Disallow all codecs
>>allow=ulaw ; Allow codecs in order of preference
>>allow=g729
>>allow=ilbc
>>;
>>;dtmfmode=info
>>;dtmfmode=inband
>>dtmfmode=rfc2833
>>
>>
>>
>>[20034]
>>type=friend
>>callerid=TEST <61331045>
>>host=212.213.65.66
>>nat=yes ; This phone may be natted
>>canreinvite=no
>>
>>[20035]
>>type=peer
>>callerid=TEST <61331045>
>>host=212.213.65.66
>>nat=yes ; This phone may be natted
>>canreinvite=no
>>
>>[20036]
>>type=friend
>>context=default
>>callerid=TEST <61331045>
>>host=212.213.65.66
>>permit=212.213.65.66
>>nat=yes ; This phone may be natted
>>canreinvite=no
>>
>>[20037]
>>type=peer
>>context=default
>>callerid=TEST <61331045>
>>permit=212.213.65.66
>>nat=yes ; This phone may be natted
>>canreinvite=no
>>
>>Thank you in advance.
>>
>>_______________________________________________
>>Asterisk-Dev mailing list
>>Asterisk-Dev at lists.digium.com
>>http://lists.digium.com/mailman/listinfo/asterisk-dev
>>To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-dev
>>
--
Olle E. Johansson, Edvina.net AB, oej at edvina.net
----- Phone +46 8 594 788 10, Cell phone: +46 70 593 68 51
----- IP phone: sip:oej at edvina.net
----- Address: Runbovägen 10, SE-192 48 Sollentuna, Sweden
----- Web: http://edvina.net
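As an added example (not code from the thread or from Asterisk itself), the checker below audits a sip.conf the way Rob's permit=/deny= suggestion implies: it models chan_sip's ACL evaluation (rules checked in order, last match decides, an empty list allows every host, and a bare address means /32) and flags entries that, like the posted [20034] and [20036], would accept a call from an address that appears in no permit= line. This is why the sample sip.conf pairs a leading deny=0.0.0.0/0.0.0.0 with permit= lines. The configuration text and the 198.51.100.7 probe address are constructed for the example.

```python
import ipaddress
# Constructed sample (not the thread's file), modelled on the posted entries:
# host= only, permit= without deny=, and deny-all followed by permit=.
SAMPLE_SIP_CONF = """[20034]
type=friend
host=212.213.65.66
nat=yes ; This phone may be natted
[20036]
type=friend
host=212.213.65.66
permit=212.213.65.66
[20038]
type=peer
host=212.213.65.66
deny=0.0.0.0/0.0.0.0
permit=212.213.65.66/255.255.255.255
"""

def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}; order and duplicate keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ; comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key.lower(), value))
    return sections

def acl_allows(rules, source_ip):
    """Asterisk semantics: rules checked in order, last match wins, empty list allows all."""
    addr, verdict = ipaddress.ip_address(source_ip), True
    for kind, spec in rules:
        host, _, mask = spec.partition("/")          # a.b.c.d[/bits|/dotted-mask]
        if addr in ipaddress.ip_network((host, mask or "32"), strict=False):
            verdict = kind == "permit"
    return verdict

def audit(text, probe="198.51.100.7"):
    """Flag entries without a secret that admit `probe`, a constructed unlisted address."""
    findings = {}
    for name, items in parse_sip_conf(text).items():
        rules = [(k, v) for k, v in items if k in ("permit", "deny")]
        if name == "general" or dict(items).get("secret") or not acl_allows(rules, probe):
            continue
        findings[name] = ("no ACL: host= alone does not restrict callers" if not rules
                          else "permit= without deny=: unlisted hosts still allowed")
    return findings
```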