[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default
Leif Madsen
leif.madsen at asteriskdocs.org
Thu Nov 12 08:01:09 CST 2009
Kai Hoerner wrote:
> "ATTENTION: If your Asterisk is connected to the internet and you have
> allowguest=yes, everybody out there may use your default context without
> authentication. In that case you want to double check which services you
> offer to the world."
I don't think this is a bad idea, and I've created the following documentation
patch which implements this note. I've also changed (in my patch) the
sip.conf.sample file which has 'allowguest=no' uncommented, but which preserves
the note and code to keep allowguest=yes the default.
I know many people start with the sample configurations and then work from there
because there is a lot going on, and most of it is commented out anyways. The
things we leave uncommented should probably keep new users as safe as possible.
This is my suggested change, and I think this is something (along with the
documentation Olle added to trunk) to be backported to 1.4, 1.6.0, etc. as well.
Index: sip.conf.sample
===================================================================
--- sip.conf.sample (revision 229639)
+++ sip.conf.sample (working copy)
@@ -98,7 +98,7 @@
[general]
context=default ; Default context for incoming calls
-;allowguest=no ; Allow or reject guest calls (default is yes)
+allowguest=no ; Allow or reject guest calls (default is yes)
; If your Asterisk is connected to the Internet
; and you have allowguest=yes
; you want to check which services you offer everyone
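Review bot: the trailing comment on the changed line, "(default is yes)", now sits beside an active allowguest=no and can be read as describing the sample's own value. Suggest wording it as the built-in default, for example "(built-in default is yes if this line is removed)", so that someone who comments the line out again knows guest calls come back. The three context lines after it still describe only the allowguest=yes case; a short "if you change this to yes" lead would tie them to the new setting.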
Index: extensions.conf.sample
===================================================================
--- extensions.conf.sample (revision 229638)
+++ extensions.conf.sample (working copy)
@@ -615,6 +615,13 @@
[default]
;
+; ATTENTION: If your Asterisk is connected to the internet and you have
+; allowguest=yes, everybody out there may use your default context without
+; authentication. In that case you want to double check which services you
+; offer to the world. Also note that if you do not define allowguest=no
+; in sip.conf, that the default is allowguest=yes.
+;
+;
; By default we include the demo. In a production system, you
; probably don't want to have the demo there.
;
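Review bot: the last sentence of the added note, "if you do not define allowguest=no in sip.conf, that the default is allowguest=yes", carries a stray second "that" and does not say where the option belongs; suggest "if allowguest=no is not set in the [general] section of sip.conf, the default is allowguest=yes". The hunk also adds two consecutive empty ';' lines where one would do, and writes "internet" where the sip.conf.sample comment uses "Internet".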
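The point discussed in this message, that a commented-out or missing allowguest line leaves guest calls enabled, can be checked on a deployed sip.conf. The following is an added example, not part of the original post or of Asterisk: the function names, the sample strings (constructed from the lines in the patch) and the set of truthy spellings are assumptions of the example.

```python
import re

# Spellings treated as "true" (assumption of this example).
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}

def general_settings(sip_conf_text):
    """Collect the key/value pairs that are actually active in [general]."""
    settings, section = {}, None
    for raw in sip_conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "general" and "=" in line:
            key, value = line.split("=", 1)
            # Later lines override earlier ones; accept "key => value" too.
            settings[key.strip().lower()] = value.lstrip(">").strip()
    return settings

def guest_exposure(sip_conf_text):
    """Report whether unauthenticated (guest) calls are accepted."""
    s = general_settings(sip_conf_text)
    raw = s.get("allowguest")
    # Per the thread: with no active allowguest line, the default is yes.
    enabled = True if raw is None else raw.lower() in TRUE_VALUES
    return {"allowguest": enabled,
            "explicit": raw is not None,
            "context": s.get("context")}   # None if not set in [general]

# Constructed samples: the sample file before and after the patch.
SIP_BEFORE = """[general]
context=default ; Default context for incoming calls
;allowguest=no ; Allow or reject guest calls (default is yes)
"""
SIP_AFTER = SIP_BEFORE.replace(";allowguest=no", "allowguest=no")

if __name__ == "__main__":
    for name, text in (("before", SIP_BEFORE), ("after", SIP_AFTER)):
        r = guest_exposure(text)
        state = "ACCEPTED" if r["allowguest"] else "rejected"
        how = "explicit" if r["explicit"] else "implicit default"
        print(f"{name}: guest calls {state} ({how}), context={r['context']}")
```

When the report shows guest calls accepted, the context it names is the one in extensions.conf to review for services offered without authentication.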