[asterisk-dev] [asterisk-users] IVR ..sip.conf:allowguest=yes
Alec Davis
sivad.a at paradise.net.nz
Thu Nov 12 01:50:28 CST 2009
The default should be allowguest=no so that when no entry for
allowguest=yes/no exists in sip.conf and a user opens up his [default]
context, he still has to make an effort to have his system compromised.
Alec Davis
-----Original Message-----
From: asterisk-dev-bounces at lists.digium.com
[mailto:asterisk-dev-bounces at lists.digium.com] On Behalf Of Tilghman Lesher
Sent: Thursday, 12 November 2009 8:07 p.m.
To: Asterisk Developers Mailing List
Subject: Re: [asterisk-dev] [asterisk-users] IVR ..sip.conf:allowguest=yes
On Monday 02 November 2009 01:38:31 Alec Davis wrote:
> Security warning. May not be applicable in this user's case, but
> please consider.
> https://issues.asterisk.org/view.php?id=15101
>
> If changing the 'default' context to allow dialout they may be
> allowing anyone to use their server from anywhere, if the default in
> sip.conf is left at 'allowguest=yes'
>
> As suggested in the mantis Bug, this is now open for discussion.
>
> sip.conf: allowguest=no should be the default.
As noted in the bug, I state my objections clearly. The default
configuration is already secure. Note that you have stated that you have to
CHANGE the default configuration to make it insecure. We are not
responsible for changes that people may make, only that the default
configuration is secure (which it, most assuredly, is).
--
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
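The combination debated in this thread can be checked mechanically. The audit sketch below is an added example, not part of either message and not Asterisk code: it reports Dial() lines reachable by SIP guests when allowguest is absent or enabled. It assumes guest calls land in the [general] context= setting ("default" if unset); the sample files and the trunk name "provider" are constructed.

```python
import re

TRUE = {"yes", "true", "y", "t", "1", "on"}   # values Asterisk treats as true

def parse(text):
    """Parse Asterisk-style config text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)          # handles both '=' and '=>'
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def guest_dialout(sip_conf, extensions_conf):
    """Return Dial() lines an unauthenticated SIP guest can reach, else []."""
    general = dict(parse(sip_conf).get("general", []))
    # Assumption, as stated in the thread: no allowguest line means yes.
    if general.get("allowguest", "yes").lower() not in TRUE:
        return []
    dialplan = parse(extensions_conf)
    # Assumption: guest calls land in [general] context=, "default" if unset.
    todo, seen, found = [general.get("context", "default")], set(), []
    while todo:                                      # follow include => chains
        ctx = todo.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        for key, value in dialplan.get(ctx, []):
            if key == "include":
                todo.append(value)
            elif key in ("exten", "same") and re.search(r"\bDial\(", value, re.I):
                found.append((ctx, value))
    return found

# Constructed sample files, not taken from the thread.
SIP_NO_SETTING = "[general]\nbindport=5060\n"
SIP_HARDENED = "[general]\nbindport=5060\nallowguest=no ; reject guest calls\n"
EXTENSIONS = """
[default]
exten => 100,1,Answer()
include => outbound          ; the admin's change: dialout from [default]
[outbound]
exten => _9.,1,Dial(SIP/provider/${EXTEN:1})
"""

if __name__ == "__main__":
    print(guest_dialout(SIP_NO_SETTING, EXTENSIONS))
    print(guest_dialout(SIP_HARDENED, EXTENSIONS))
```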