[asterisk-dev] [asterisk-users] IVR ..sip.conf:allowguest=yes

Tilghman Lesher tlesher at digium.com
Thu Nov 12 01:06:55 CST 2009


On Monday 02 November 2009 01:38:31 Alec Davis wrote:
> Security warning. May not be applicable, in this user's case, but please
> consider.
> https://issues.asterisk.org/view.php?id=15101
>
> If changing the 'default' context to allow dialout they may be allowing
> anyone to use their server from anywhere, if the default in sip.conf is
> left at 'allowguest=yes'
>
> As suggested in the Mantis bug, this is now open for discussion.
>
> sip.conf: allowguest=no should be the default.

As noted in the bug, I state my objections clearly.  The default configuration
is already secure.  Note that you have stated that you have to CHANGE the
default configuration to make it insecure.  We are not responsible for changes
that people may make, only that the default configuration is secure (which it,
most assuredly, is).

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
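
The combination discussed in this thread (guest calls enabled plus a guest context that can dial out) can be checked for mechanically. The following is an added example, not part of the original message or of Asterisk itself. The sample files and function names are constructed, it assumes an unset `allowguest` means yes and an unset guest `context` means `default`, and it follows `include =>` but not `Goto`/`Gosub` jumps.

```python
import re
# Constructed sample files (not from the thread): [default] was edited to reach an outbound route.
SIP_CONF = """[general]
context=default
;allowguest=no   ; commented out, so chan_sip's default (yes) applies
"""
EXTENSIONS_CONF = """[default]
include => outbound
exten => s,1,Answer()
[outbound]
exten => _9.,1,Dial(SIP/provider/${EXTEN:1})
[staff]
exten => _1XX,1,Dial(SIP/${EXTEN})
"""
FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}  # anything else counts as enabled

def parse_sections(text):
    """Map each [section] to its non-comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def reachable(dialplan, context, seen):
    """Collect the context plus everything it pulls in through include =>."""
    if context in dialplan and context not in seen:
        seen.add(context)
        for line in dialplan[context]:
            inc = re.match(r"include\s*=>?\s*([^,|\s]+)", line)
            if inc:
                reachable(dialplan, inc.group(1), seen)
    return seen

def guest_dial_routes(sip_text, ext_text):
    """Return (context, line) pairs for Dial() calls an unauthenticated caller can reach."""
    general = dict(re.split(r"\s*=>?\s*", l, maxsplit=1)
                   for l in parse_sections(sip_text).get("general", []) if "=" in l)
    if general.get("allowguest", "yes").lower() in FALSE_VALUES:
        return []
    dialplan = parse_sections(ext_text)
    contexts = reachable(dialplan, general.get("context", "default"), set())
    return [(c, l) for c in sorted(contexts) for l in dialplan[c]
            if re.search(r"\bDial\(", l, re.I)]
```

An empty result means either guests are refused or no `Dial()` is reachable from the guest context; any returned line is a route to review.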


