[asterisk-dev] [asterisk-users] IVR ..sip.conf:allowguest=yes

Alec Davis sivad.a at paradise.net.nz
Thu Nov 12 01:50:28 CST 2009


The default should be allowguest=no so that when no entry for
allowguest=yes/no exists in sip.conf and a user opens up his [default]
context, he still has to make an effort to have his system compromised.

Alec Davis
   

-----Original Message-----
From: asterisk-dev-bounces at lists.digium.com
[mailto:asterisk-dev-bounces at lists.digium.com] On Behalf Of Tilghman Lesher
Sent: Thursday, 12 November 2009 8:07 p.m.
To: Asterisk Developers Mailing List
Subject: Re: [asterisk-dev] [asterisk-users] IVR ..sip.conf:allowguest=yes

On Monday 02 November 2009 01:38:31 Alec Davis wrote:
> Security warning. May not be applicable, in this user's case, but 
> please consider.
> https://issues.asterisk.org/view.php?id=15101
>
> If changing the 'default' context to allow dialout they may be 
> allowing anyone to use their server from anywhere, if the default in 
> sip.conf is left at 'allowguest=yes'
>
> As suggested in the mantis Bug, this is now open for discussion.
>
> sip.conf: allowguest=no should be the default.

As noted in the bug, I state my objections clearly.  The default
configuration is already secure.  Note that you have stated that you have to
CHANGE the default configuration to make it insecure.  We are not
responsible for changes that people may make, only that the default
configuration is secure (which it, most assuredly, is).

--
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode) Check us out at:
www.digium.com & www.asterisk.org
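
The condition both messages argue over can be checked mechanically. The following is an added example, not code from either poster or from Asterisk: it reports whether guest SIP calls are accepted and whether the context they land in can reach a Dial(). The function names and sample files are constructed, and it assumes an absent allowguest means yes (the behaviour under discussion) and that guest calls enter the context named in [general].

```python
import re

TRUTHY = {"yes", "true", "y", "t", "1", "on"}  # strings Asterisk treats as true

def parse_conf(text):
    """Map section name -> list of (key, value) pairs; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def reachable_dials(dialplan, context, seen=None):
    """Extensions in `context`, or in contexts it includes, that run Dial()."""
    seen = seen if seen is not None else set()
    if context in seen:
        return []
    seen.add(context)
    hits = []
    for key, value in dialplan.get(context, []):
        if key == "include":
            hits += reachable_dials(dialplan, value, seen)
        elif key == "exten" and re.search(r"\bDial\(", value, re.I):
            # Simplification: only "exten =>" lines are inspected.
            hits.append((context, value.split(",", 1)[0]))
    return hits

def audit(sip_text, ext_text):
    """Return (guest_enabled, guest_context, dial_hits)."""
    general = dict(parse_conf(sip_text).get("general", []))
    # Assumption: an absent allowguest means yes, as the thread describes.
    guest = general.get("allowguest", "yes").lower() in TRUTHY
    context = general.get("context", "default")
    hits = reachable_dials(parse_conf(ext_text), context) if guest else []
    return guest, context, hits

# Constructed sample files, not taken from the thread.
SIP_IMPLICIT = "[general]\ncontext=default\n"
SIP_EXPLICIT_NO = "[general]\ncontext=default\nallowguest=no\n"
DIALPLAN = """[default]
include => outbound          ; the change that opens [default] to dial-out
exten => 100,1,Playback(demo-congrats)
[outbound]
exten => _9.,1,Dial(SIP/trunk/${EXTEN:1})
"""
```

With the constructed files, `audit(SIP_IMPLICIT, DIALPLAN)` flags the `_9.` pattern reached through the include, while `audit(SIP_EXPLICIT_NO, DIALPLAN)` reports nothing because guest calls are refused before the dialplan is consulted.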
