[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Olle E. Johansson oej at edvina.net
Thu Nov 12 04:34:23 CST 2009


I've changed the sip.conf.sample in trunk to say the following.

Like Tzafrir, I don't want to change the channel setting in the code which might break current installations.

If enough people are behind it, we can change sip.conf.sample to have allowguest=no as a default setting
without the semicolon in front.

Feedback?

/O

Modified: trunk/configs/sip.conf.sample
URL: http://svnview.digium.com/svn/asterisk/trunk/configs/sip.conf.sample?view=diff&rev=229606&r1=229605&r2=229606
==============================================================================
--- trunk/configs/sip.conf.sample (original)
+++ trunk/configs/sip.conf.sample Thu Nov 12 04:22:30 2009
@@ -1,5 +1,17 @@
;
; SIP Configuration example for Asterisk
+;
+; Note: Please read the security documentation for Asterisk in order to
+; 	understand the risks of installing Asterisk with the sample
+;	configuration. If your Asterisk is installed on a public
+;	IP address connected to the Internet, you will want to learn
+;	about the various security settings BEFORE you start
+;	Asterisk. 
+;	Specially note the following settings:
+;		- Allowguest (default enabled)
+;		- Permit/deny - IP address filters
+;		- Contactpermit/contactdeny - IP address filters for registrations
+;		- Context - Which set of services you offer various users
;
; SIP dial strings
;-----------------------------------------------------------
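Review bot: The settings list in the new header comment spells the options "Allowguest", "Permit/deny", "Contactpermit/contactdeny" and "Context", while the file itself uses lowercase keys (`;allowguest=no` and `context=default` in the next hunk); writing them exactly as they appear in the file lets a reader search for them. The opening sentence asks the reader to "read the security documentation for Asterisk" without naming a file or location, so a pointer to where that documentation lives would make the note actionable. Minor: "Specially" should read "Especially", the "understand the risks" line is indented with a space plus a tab where the following lines use a tab only, and the "Asterisk. " line carries trailing whitespace.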
@@ -87,6 +99,10 @@
[general]
context=default                 ; Default context for incoming calls
;allowguest=no                  ; Allow or reject guest calls (default is yes)
+				; If your Asterisk is connected to the Internet
+				; and you have allowguest=yes
+				; you want to check which services you offer everyone
+				; out there, by enabling them in the default context (see below).
;match_auth_username=yes        ; if available, match user entry using the
                               ; 'username' field from the authentication line
                               ; instead of the From: field.
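Review bot: The comment added under `;allowguest=no` says "and you have allowguest=yes" but never states that leaving this line commented out, as the sample ships it, is exactly that case, given the "(default is yes)" on the line above. Suggest saying directly that unless the line is uncommented, guest calls are accepted and handled in the context set by `context=default`. The "(see below)" reference does not say what to look for, so naming the section it points to would help. The four new lines are also indented with tabs while the neighbouring comment lines use spaces, which will misalign in editors with a different tab width.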



