[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Kai Hoerner kai at ciphron.de
Thu Nov 12 05:06:40 CST 2009


Hi Olle,

IMO this will help a lot of beginners to configure their asterisk "the 
right way".
I really appreciate this and can fully understand why changing the 
default behaviour is too risky.

I feel very comfortable with the new security note right at the 
beginning of the file.

But I would feel even more comfortable with changing the value of 
"allowguest" to "no" in the default config.
For beginners, this would have nearly the same effect as changing the 
default behaviour.

I suggest an additional comment to that option, again mentioning the 
risk of having allowguest=yes.
That way, if any beginner removes the line from the config (or comments 
it out), he should be aware of what he's doing.

The current comment below "allowguest" tries to inform the reader about 
the risks of having this setting.
But I think it doesn't get that clear to most beginners. There should be 
a sentence like:

"ATTENTION: If your Asterisk is connected to the internet and you have 
allowguest=yes, everybody out there may use your default context without 
authentication. In that case you want to double check which services you 
offer to the world."

I've seen some expensive phone bills that could have been easily 
avoided by such simple, clear and direct information.


Thx,
Kaii



Olle E. Johansson schrieb:
> I've changed the sip.conf.sample in trunk to say the following.
>
> Like Tzafrir, I don't want to change the channel setting in the code which might break current installations.
>
> If enough people are behind it, we can change sip.conf.sample to have allowguest=no as a default setting
> without the semicolon in front.
>
> Feedback?
>
> /O
>
> Modified: trunk/configs/sip.conf.sample
> URL: http://svnview.digium.com/svn/asterisk/trunk/configs/sip.conf.sample?view=diff&rev=229606&r1=229605&r2=229606
> ==============================================================================
> --- trunk/configs/sip.conf.sample (original)
> +++ trunk/configs/sip.conf.sample Thu Nov 12 04:22:30 2009
> @@ -1,5 +1,17 @@
> ;
> ; SIP Configuration example for Asterisk
> +;
> +; Note: Please read the security documentation for Asterisk in order to
> +; 	understand the risks of installing Asterisk with the sample
> +;	configuration. If your Asterisk is installed on a public
> +;	IP address connected to the Internet, you will want to learn
> +;	about the various security settings BEFORE you start
> +;	Asterisk. 
> +;	Specially note the following settings:
> +;		- Allowguest (default enabled)
> +;		- Permit/deny - IP address filters
> +;		- Contactpermit/contactdeny - IP address filters for registrations
> +;		- Context - Which set of services you offer various users
> ;
> ; SIP dial strings
> ;-----------------------------------------------------------
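Review bot: "Specially note the following settings" in the new header comment should read "Especially note the following settings". The same bullet, `- Allowguest (default enabled)`, is the only place in this header where a reader learns that the built-in default is permissive, so it is worth naming the remedy right there, e.g. `- Allowguest (default enabled; set allowguest=no in [general] to reject unauthenticated calls)`. There is also trailing whitespace after `Asterisk.` on the line preceding it.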
> @@ -87,6 +99,10 @@
> [general]
> context=default                 ; Default context for incoming calls
> ;allowguest=no                  ; Allow or reject guest calls (default is yes)
> +				; If your Asterisk is connected to the Internet
> +				; and you have allowguest=yes
> +				; you want to check which services you offer everyone
> +				; out there, by enabling them in the default context (see below).
> ;match_auth_username=yes        ; if available, match user entry using the
>                                ; 'username' field from the authentication line
>                                ; instead of the From: field.
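Review bot: the four added continuation lines are indented with tab characters, while the neighbouring comments in `[general]` (for example the two continuation lines under `;match_auth_username=yes`) are aligned with spaces, so the new text will drift out of column in any editor with a different tab width; use spaces to match. Second, because `;allowguest=no` remains commented out in this hunk, the new note explains the risk but never states how to switch guest calls off; consider closing it with a line such as `; To reject unauthenticated calls, remove the semicolon from allowguest=no above.`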
>
>
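The configuration change the thread is discussing, shown as constructed before/after fragments (this is an added illustration, not text from Kai's or Olle's message and not the project's sip.conf.sample). The [general] section, the context=default line, allowguest and the permit/deny keys are the settings named in the thread; the peer name office-phone, the internal context name, the placeholder secret and the 192.0.2.0/24 address range are assumptions made for this example.

```ini
; ---- Fragment 1: sip.conf [general] as shipped (risky) ----
; The option line is commented out, so the built-in default of
; allowguest=yes applies: any unauthenticated INVITE from the
; Internet lands in the "default" dialplan context.
[general]
context=default                 ; Default context for incoming calls
;allowguest=no                  ; Commented out: built-in default (yes) wins

; ---- Fragment 2: sip.conf [general] hardened ----
; Same section with the semicolon removed; unknown callers are now rejected
; and only defined, authenticated peers reach the dialplan.
[general]
context=default                 ; Still set, but only reached by known peers
allowguest=no                   ; Reject calls from peers that are not defined

; Constructed peer definition using the permit/deny filters named in the
; sample's new header comment; names and addresses are assumptions.
[office-phone]
type=friend
secret=CHANGE_ME_PLACEHOLDER    ; Placeholder, not a real credential
host=dynamic
context=internal                ; Authenticated users get the real dialplan
deny=0.0.0.0/0.0.0.0            ; Deny everything first...
permit=192.0.2.0/255.255.255.0  ; ...then allow only the documented LAN range

; ---- Fragment 3: extensions.conf, what the "default" context offers ----
; Even with allowguest=yes, the guest context should expose nothing that
; can generate toll charges: log the attempt and hang up.
[default]
exten => _X.,1,NoOp(Unauthenticated SIP call to ${EXTEN} from ${CHANNEL})
exten => _X.,n,Hangup()
exten => s,1,NoOp(Unauthenticated SIP call with no number from ${CHANNEL})
exten => s,n,Hangup()
```

The three fragments are meant to be read side by side, not pasted into one file: a real sip.conf has a single [general] section, so an operator edits that one section from the first form to the second. The dialplan fragment is the "double check which services you offer to the world" step from the message above: whatever the guest setting ends up being, the default context itself decides what an unauthenticated caller can do.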