[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Leif Madsen leif.madsen at asteriskdocs.org
Thu Nov 12 08:01:09 CST 2009 

Kai Hoerner wrote:
> "ATTENTION: If your Asterisk is connected to the internet and you have 
> allowguest=yes, everybody out there may use your default context without 
> authentication. In that case you want to double check which services you 
> offer to the world."


I don't think this is a bad idea, and I've created the following documentation 
patch which implements this note. I've also changed (in my patch) the 
sip.conf.sample file which has 'allowguest=no' uncommented, but which preserves 
the note and code to keep allowguest=yes the default.

I know many people start with the sample configurations and then work from there 
because there is a lot going on, and most of it is commented out anyways. The 
things we leave uncommented should probably keep new users as safe as possible.

This is my suggested change, and think this is something (along with the 
documentation Olle added to trunk) to be backported to 1.4, 1.6.0, etc.. as well.


Index: sip.conf.sample
===================================================================
--- sip.conf.sample	(revision 229639)
+++ sip.conf.sample	(working copy)
@@ -98,7 +98,7 @@

  [general]
  context=default                 ; Default context for incoming calls
-;allowguest=no                  ; Allow or reject guest calls (default is yes)
+allowguest=no                   ; Allow or reject guest calls (default is yes)
  				; If your Asterisk is connected to the Internet
  				; and you have allowguest=yes
  				; you want to check which services you offer everyone
Index: extensions.conf.sample
===================================================================
--- extensions.conf.sample	(revision 229638)
+++ extensions.conf.sample	(working copy)
@@ -615,6 +615,13 @@

  [default]
  ;
+; ATTENTION: If your Asterisk is connected to the internet and you have
+; allowguest=yes, everybody out there may use your default context without
+; authentication. In that case you want to double check which services you
+; offer to the world. Also note that if you do not define allowguest=no
+; in sip.conf, that the default is allowguest=yes.
+;
+;
  ; By default we include the demo.  In a production system, you
  ; probably don't want to have the demo there.
  ;

More information about the asterisk-dev mailing list