[Asterisk-Dev] Security Issue in Asterisk with sip.conf configuration.

Olle E. Johansson oej at edvina.net
Tue May 4 07:14:43 MST 2004


Kelvin Chua wrote:
> uhm, maybe you have a point there, how about making it optional then?
> that way, everybody's happy? :) the optional 'secret=' in the peer
> configuration is very nice, at least you get to choose whether you want
> authentication or not with a particular peer, but the entities not
> included in the peers section are not given that option. they are simply
> allowed to be registered and call (without acl, :) or with a broken acl),
> now don't you think that's dangerous? 
> 
Asterisk accepts SIP calls from anyone and sends them to the context you define as a default
context in the [general] section. Define a "blackhole" context without any
extensions and Asterisk will not accept any calls.

I can't see that we accept registrations from anyone not defined in sip.conf,
unless you turn on "autocreatepeer". Please explain how that happens in
your configuration and state examples of configuration and registration
debug output.

/Olle
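
An added example, not part of the original message and not Asterisk project code: a small Python audit of the points raised in this thread (whether the [general] default context in sip.conf has any extensions, whether autocreatepeer is on, and which entries lack secret=). The sample configs, peer names and the simplified parser are constructed for illustration.

```python
import re

# Constructed sample configs (not from the original thread).
SIP_CONF = """
[general]
context=default        ; unauthenticated callers are sent here
autocreatepeer=yes
[alice]
secret=constructed-example-secret
[gateway]
host=192.0.2.10
"""

EXTENSIONS_CONF = """
[default]
exten => _X.,1,Dial(SIP/gateway/${EXTEN})
[blackhole]
; intentionally empty: nothing can be dialled from here
"""

def parse(text):
    """Parse Asterisk-style config into {section: [(key, value), ...]}.
    Simplified: no templates, no #include, no escaped ';'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ';' comments
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)        # handles both '=' and '=>'
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit(sip_text, ext_text):
    """Return a list of findings for the settings discussed in the thread."""
    sip, dialplan = parse(sip_text), parse(ext_text)
    general = dict(sip.get("general", []))
    findings = []
    ctx = general.get("context", "default")        # chan_sip falls back to "default"
    if any(k in ("exten", "include") for k, _ in dialplan.get(ctx, [])):
        findings.append(f"default context [{ctx}] has extensions reachable by anyone")
    if general.get("autocreatepeer", "no").lower() in ("yes", "true", "on", "1"):
        findings.append("autocreatepeer is on: undefined peers may register")
    for name, opts in sip.items():
        if name != "general" and "secret" not in dict(opts):
            findings.append(f"[{name}] has no secret=: entry is not authenticated")
    return findings
```

Pointing `context=` at the empty `[blackhole]` context and setting `autocreatepeer=no` in the sample leaves only the missing-secret finding for `[gateway]`.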


