[Asterisk-Dev] Security Issue in Asterisk with sip.conf configuration.
Kelvin Chua
kchua at up.edu.ph
Tue May 4 04:23:14 MST 2004
uhm, maybe you have a point there, how about making it optional then?
that way, everybody's happy? :) the optional 'secret=' in the peer
configuration is very nice, at least you get to choose whether you want
authentication or not with a particular peer, but the entities not
included in the peers section are not given that option. they are simply
allowed to be registered and call (without acl, :) or with a broken acl),
now don't you think that's dangerous?
same issue goes for chan_h323...
4 cents.
On Tue, 2004-05-04 at 18:59, Duane wrote:
> Kelvin Chua wrote:
> > i think the issue is with how * handles the incoming call in the first
> > place, * should not even entertain unknown clients... or challenge all
> > registers with authentication, acl is good (if it works...) but it will
> > definitely pose an additional problem when we're talking hundreds of
> > clients or even thousands all using different subnets. authentication of
> > dynamic hosts is the way to go, and accept only registers from known
> > entities...
>
> Guest accounts save adding 100's of entries, if not more, from people
> doing inter-asterisk calls via enum... Most/all configuration examples
> I've seen actively promote authorised users connecting only which is a
> pain if they give you URL details and your call gets rejected because
> they didn't add a guest account...