[Asterisk-Dev] Security Issue in Asterisk with sip.conf configuration.

Kelvin Chua kchua at up.edu.ph
Tue May 4 03:21:52 MST 2004


I think the issue is with how * handles the incoming call in the first
place; * should not even entertain unknown clients, or it should challenge
all REGISTERs with authentication. ACL is good (if it works...) but it will
definitely pose an additional problem when we're talking hundreds of
clients or even thousands all using different subnets. Authentication of
dynamic hosts is the way to go, and accept only registers from known
entities...

my 2 cents...

On Wed, 2004-04-28 at 14:25, Olle E. Johansson wrote:
> Rob Gagnon wrote:
> 
> > Have you tried using:
> > 
> > permit=
> > deny=
> > 
> > entries in the sip.conf file?
> > you can have as many of those as you need to create an ACL
> > 
> The host= command does not limit access. It tells Asterisk where to find
> your client if the client doesn't register with Asterisk. It's for
> outbound calls, where Asterisk calls the phone.
> 
> /O
> 
> > ----- Original Message ----- 
> > From: "William Zhang" <w_w_zhang at yahoo.com>
> > To: <asterisk-dev at lists.digium.com>
> > Sent: Tuesday, April 27, 2004 5:31 PM
> > Subject: [Asterisk-Dev] Security Issue in Asterisk with sip.conf
> > configuration.
> > 
> > 
> > 
> >>I had tried many ways with some advanced user help, but without
> >>success (at one point I thought I had it working).
> >>
> >>Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> >>file there are a lot of entries with just "host=a.b.c.d", thinking
> >>that * will only accept calls from host "a.b.c.d", but in my test, no
> >>matter how you set up the sip.conf entries, either * will NOT accept
> >>calls for that user account at all, or it will accept calls from
> >>anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> >>so long as the SIP userid is the username in sip.conf. This poses a very
> >>serious security problem.
> >>
> >>Of course we can put "secret=" for each entry, but given that the Asterisk GW
> >>and SIP proxy are on 2 TRUSTED IPs, no authentication is necessary;
> >>otherwise it increases the SIP traffic quite a bit.
> >>
> >>Following are the 4 different entries that I had tried:
> >>#Notice that in the "general" section, context is pointed to a non-existent
> >>#context "INVALID".
> >>
> >>;
> >>; SIP Configuration for Asterisk
> >>;
> >>[general]
> >>port = 5060                     ; Port to bind to
> >>bindaddr = 212.213.66.68
> >>context = INVALID               ;
> >>;srvlookup = yes                ; Enable SRV lookups on outbound calls
> >>;pedantic = yes                 ; Enable slow, pedantic checking for Pingtel
> >>;tos=lowdelay
> >>;tos=184
> >>;maxexpirey=3600                ; Max length of incoming registration we allow
> >>;defaultexpirey=120             ; Default length of incoming/outgoing registration
> >>;notifymimetype=text/plain      ; Allow overriding of mime type in NOTIFY
> >>;videosupport=yes               ; Turn on support for SIP video
> >>disallow=all                    ; Disallow all codecs
> >>allow=ulaw                      ; Allow codecs in order of preference
> >>allow=g729
> >>allow=ilbc
> >>;
> >>;dtmfmode=info
> >>;dtmfmode=inband
> >>dtmfmode=rfc2833
> >>
> >>
> >>
> >>[20034]
> >>type=friend
> >>callerid=TEST <61331045>
> >>host=212.213.65.66
> >>nat=yes                        ; This phone may be natted
> >>canreinvite=no
> >>
> >>[20035]
> >>type=peers
> >>callerid=TEST <61331045>
> >>host=212.213.65.66
> >>nat=yes                        ; This phone may be natted
> >>canreinvite=no
> >>
> >>[20036]
> >>type=friend
> >>context=default
> >>callerid=TEST <61331045>
> >>host=212.213.65.66
> >>permit=212.213.65.66
> >>nat=yes                        ; This phone may be natted
> >>canreinvite=no
> >>
> >>[20037]
> >>type=peers
> >>context=default
> >>callerid=TEST <61331045>
> >>permit=212.213.65.66
> >>nat=yes                        ; This phone may be natted
> >>canreinvite=no
> >>
> >>Thank you in advance.
> >>
> >>_______________________________________________
> >>Asterisk-Dev mailing list
> >>Asterisk-Dev at lists.digium.com
> >>http://lists.digium.com/mailman/listinfo/asterisk-dev
> >>To UNSUBSCRIBE or update options visit:
> >>   http://lists.digium.com/mailman/listinfo/asterisk-dev
> >>
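To make the thread's point concrete: the script below is an added example, not code from this thread or from the Asterisk project. It parses a sip.conf (a constructed sample modelled on the entries above, with 192.0.2.66 standing in for the proxy) and flags every entry that relies on host= as if it were an access control. Its ACL model is an assumption about chan_sip of that era: deny=/permit= lines are evaluated in order starting from "allow", the last matching line wins, so a permit= line with no deny= before it restricts nothing, which is why the [20036]/[20037] entries above did not help. The hardened_entry() helper is likewise this example's own suggestion (type=peer plus a deny-all/permit-one ACL for a trusted proxy), not something the thread states.

```python
"""Audit an Asterisk 1.x-era sip.conf for entries that treat host= as an
access control.  Added example, not Asterisk's own code; the deny=/permit=
semantics (ordered, default allow, last match wins) are this example's
assumption about chan_sip of that era."""
import ipaddress
import re

VALID_TYPES = {"user", "peer", "friend"}


def parse_sip_conf(text):
    """Parse sip.conf into {section: [(key, value), ...]}, keeping order and
    duplicate keys (allow=, deny= and permit= legitimately repeat)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key.lower(), value))
    return sections


def _rule_network(value):
    """deny=/permit= values: 'a.b.c.d/e.f.g.h', 'a.b.c.d/24' or a bare host."""
    return ipaddress.ip_network(value if "/" in value else value + "/32",
                                strict=False)


def acl_allows(entries, source_ip):
    """Assumed ACL model: start with ALLOW; every deny=/permit= line whose
    network contains source_ip overrides the verdict, so the last matching
    line wins.  permit= with no deny= before it therefore blocks nobody."""
    addr = ipaddress.ip_address(source_ip)
    verdict = True
    for key, value in entries:
        if key in ("deny", "permit") and addr in _rule_network(value):
            verdict = (key == "permit")
    return verdict


def audit(sections):
    """Return {section: [finding, ...]} for every entry except [general]."""
    findings = {}
    for name, entries in sections.items():
        if name == "general":
            continue
        last = dict(entries)                         # last value wins per key
        kind = last.get("type")
        has_deny = any(k == "deny" for k, _ in entries)
        has_permit = any(k == "permit" for k, _ in entries)
        problems = []
        if kind not in VALID_TYPES:
            problems.append(f"type={kind!r} is not user/peer/friend; "
                            "the entry will not load as intended")
        if has_permit and not has_deny:
            problems.append("permit= without a deny= before it restricts nothing")
        if kind in ("user", "friend") and "secret" not in last and not has_deny:
            problems.append("inbound calls are matched on the username alone: "
                            "host= does not check the source address, and there "
                            "is no secret= or deny=/permit= ACL")
        if problems:
            findings[name] = problems
    return findings


def hardened_entry(name, trusted_host, context):
    """Suggested trusted-proxy entry (this example's own, assumed form): looked
    up by source address (type=peer) and locked to one host by the ACL, so no
    secret= and no extra authentication traffic is needed."""
    return "\n".join([
        f"[{name}]", "type=peer", f"context={context}", f"host={trusted_host}",
        "deny=0.0.0.0/0.0.0.0",                      # drop everyone ...
        f"permit={trusted_host}/255.255.255.255",    # ... except the proxy
    ])


# Constructed sample modelled on the thread's entries; the 'peers' typo from
# the original [20035] is reproduced on purpose.
SAMPLE = """
[general]
context = INVALID                 ; deliberately non-existent
[20034]
type=friend
host=192.0.2.66
[20035]
type=peers
host=192.0.2.66
[20036]
type=friend
context=default
host=192.0.2.66
permit=192.0.2.66
[20038]
type=friend
context=default
host=192.0.2.66
deny=0.0.0.0/0.0.0.0
permit=192.0.2.66/255.255.255.255
"""

if __name__ == "__main__":
    for section, problems in audit(parse_sip_conf(SAMPLE)).items():
        print(f"[{section}]: " + "; ".join(problems))
    print(hardened_entry("20034", "192.0.2.66", "from-proxy"))
```

Running it flags [20034], [20035] and [20036] and leaves [20038] alone; acl_allows() shows that [20036] still admits a call from 198.51.100.7 while [20038] does not. The audit only reads the file; whether a given Asterisk build behaves exactly like the assumed ACL model should be confirmed with "sip show peer" and a test INVITE from an untrusted address.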