[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Alec Davis sivad.a at paradise.net.nz
Thu Nov 12 02:21:00 CST 2009


allowguest=yes as default is IMO a breach of AST-2008-003, which states:
"A fix has been added which checks for the option 'allowguest' to be enabled
before determining that authentication is not required"
 
Please refer to http://downloads.asterisk.org/pub/security/AST-2008-003.pdf

Sorry I missed that on my original posting.
 
Alec Davis
  _____  

From: asterisk-dev-bounces at lists.digium.com
[mailto:asterisk-dev-bounces at lists.digium.com] On Behalf Of Alec Davis
Sent: Thursday, 12 November 2009 8:34 p.m.
To: asterisk-dev at lists.digium.com
Subject: [asterisk-dev] Security Request for discussion: Should sip.conf
allowguest=yes be the default


At Tilghman's request.
 
We need to agree to change the sip.conf default from allowguest=yes to
allowguest=no, and extensions.conf to have a warning in the [default] section
that sip.conf may have allowguest=yes or nothing, which will default to yes.
 
Reference Mantis bugs:
https://issues.asterisk.org/view.php?id=15101 SIP allowguest defaults to yes
with 'make samples'
https://issues.asterisk.org/view.php?id=16226 1.4.26.3 security issue -
Chinese IPs somehow are making calls without authentication
 
There are many installations out there where newbies are playing in the
[default] context in their dialplan, getting things working, then opening
port 5060 in their firewall without understanding what they've just done.
 
Initially I thought it was great that we allow any SIP phone to connect to
Asterisk, with no configuration required at the Asterisk end; how wrong I
was.
 
Alec Davis
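As an added example (not from this thread or the Asterisk project), a small Python checker that audits a sip.conf for the condition the thread describes: allowguest absent from [general], which Asterisk treats as yes, or explicitly set to a truthy value. The parser, function names and the sample configs are assumptions constructed for the example.

```python
import re

# Asterisk config: '[section]' headers (optionally followed by template
# markers such as '(!)'), 'key=value' or 'key=>value' lines, ';' comments.
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]")
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=>?\s*(.*?)\s*$")

# Spellings Asterisk's ast_true() accepts as "enabled".
TRUTHY = {"yes", "true", "y", "t", "1", "on"}


def allowguest_in_general(sip_conf_text):
    """Return the lowercased allowguest value from [general], or None if
    the key is not set there (allowguest is only honoured in [general])."""
    section = None
    value = None
    for raw in sip_conf_text.splitlines():
        line = raw.split(";", 1)[0]          # strip trailing comment
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        m = KV_RE.match(line)
        if m and section == "general" and m.group(1).lower() == "allowguest":
            value = m.group(2).strip().lower()   # last occurrence wins
    return value


def audit_allowguest(sip_conf_text):
    """Return (is_risky, finding). A missing key counts as risky because
    Asterisk defaults allowguest to yes, as the thread points out."""
    value = allowguest_in_general(sip_conf_text)
    if value is None:
        return True, "allowguest not set in [general]; Asterisk defaults it to yes"
    if value in TRUTHY:
        return True, f"allowguest={value} in [general]: unauthenticated calls reach the dialplan"
    return False, f"allowguest={value} in [general]"


# Constructed sample: the 'make samples' style config with no allowguest line.
SAMPLE_DEFAULT = """\
[general]
context=default      ; unauthenticated callers land here
bindport=5060
[1000]
type=friend
secret=example
"""
# Constructed sample: same config with the setting the thread proposes.
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace("bindport=5060", "bindport=5060\nallowguest=no")
```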