[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default
Michiel van Baak
michiel at vanbaak.info
Thu Nov 12 08:22:24 CST 2009
On 09:01, Thu 12 Nov 09, Leif Madsen wrote:
> Kai Hoerner wrote:
> > "ATTENTION: If your Asterisk is connected to the internet and you have
> > allowguest=yes, everybody out there may use your default context without
> > authentication. In that case you want to double check which services you
> > offer to the world."
>
>
> I don't think this is a bad idea, and I've created the following documentation
> patch which implements this note. I've also changed (in my patch) the
> sip.conf.sample file which has 'allowguest=no' uncommented, but which preserves
> the note and code to keep allowguest=yes the default.
>
> I know many people start with the sample configurations and then work from there
> because there is a lot going on, and most of it is commented out anyways. The
> things we leave uncommented should probably keep new users as safe as possible.
>
> This is my suggested change, and I think this is something (along with the
> documentation Olle added to trunk) to be backported to 1.4, 1.6.0, etc. as well.
>
>
> Index: sip.conf.sample
> ===================================================================
> --- sip.conf.sample (revision 229639)
> +++ sip.conf.sample (working copy)
> @@ -98,7 +98,7 @@
>
> [general]
> context=default ; Default context for incoming calls
> -;allowguest=no ; Allow or reject guest calls (default is yes)
> +allowguest=no ; Allow or reject guest calls (default is yes)
> ; If your Asterisk is connected to the Internet
> ; and you have allowguest=yes
> ; you want to check which services you offer everyone
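Review bot: the inline comment "(default is yes)" on the now-active `allowguest=no` line becomes ambiguous once the sample sets the option explicitly; spell out that "default" means the compiled-in value used when the line is absent, e.g. `allowguest=no ; Allow or reject guest calls (built-in default is yes when unset)`, so a reader who later deletes or re-comments the line knows guest calls are admitted again. The three comment lines underneath could also name where guests land, namely the `context=default` set directly above, since that context is the service surface the warning asks people to check.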
> Index: extensions.conf.sample
> ===================================================================
> --- extensions.conf.sample (revision 229638)
> +++ extensions.conf.sample (working copy)
> @@ -615,6 +615,13 @@
>
> [default]
> ;
> +; ATTENTION: If your Asterisk is connected to the internet and you have
> +; allowguest=yes, everybody out there may use your default context without
> +; authentication. In that case you want to double check which services you
> +; offer to the world. Also note that if you do not define allowguest=no
> +; in sip.conf, that the default is allowguest=yes.
> +;
> +;
> ; By default we include the demo. In a production system, you
> ; probably don't want to have the demo there.
> ;
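Review bot: the last sentence of the new note has a stray "that" ("note that if you do not define allowguest=no in sip.conf, that the default is allowguest=yes"); suggest "Also note that if you do not set allowguest=no in sip.conf, the default is allowguest=yes." The two consecutive bare `;` lines after the note also differ from the single `;` separator the file uses around it (see the line before `; By default we include the demo`), so one of them can go. Since the note only names sip.conf, consider adding that the same applies to other channel drivers that accept guest calls, as the reply below points out for iax.conf.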
>
Looks good to me.
As Jared mentioned, you should probably add the warning you have in
sip.conf.sample to at least iax.conf.sample (and I don't know if there
are other channel drivers that have this kind of functionality).
--
Michiel van Baak
michiel at vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
"Why is it drug addicts and computer aficionados are both called users?"
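The thread's point is that a sip.conf which never mentions allowguest, or only carries it commented out, still admits unauthenticated guest calls into the [general] context. The script below is an added example, not code from this thread or from the Asterisk project: it reports the effective allowguest value for a given sip.conf, treating an absent or commented-out setting as the compiled-in default "yes" that the patch describes. It assumes Asterisk reads only the [general] section for this option and accepts the usual boolean spellings (yes/true/on/1/y/t); the sample configurations it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the asterisk-dev thread or the Asterisk project).
# Print the effective allowguest setting of a sip.conf: the last uncommented
# allowguest= in [general], or the compiled-in default "yes" when it is never set.
# Assumption: "yes", "true", "on", "1", "y", "t" count as true, anything else as false.
effective_allowguest() {
    awk '
        # drop ; comments, then strip leading/trailing whitespace
        { sub(/;.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        # track whether we are inside the [general] section
        /^\[/ { in_general = ($0 == "[general]"); next }
        in_general && tolower($0) ~ /^allowguest[ \t]*=/ {
            v = tolower($0)
            sub(/^allowguest[ \t]*=[ \t]*/, "", v)
            value = v            # later lines override earlier ones
        }
        END {
            if (value == "")                         print "yes"   # never set: built-in default
            else if (value ~ /^(yes|true|on|1|y|t)$/) print "yes"
            else                                     print "no"
        }
    ' "$1"
}

# Write a constructed sip.conf fragment to $1 in the shape of the sample file,
# with allowguest left commented out (the pre-patch sip.conf.sample layout).
write_unsafe_sample() {
    printf '[general]\ncontext=default ; Default context for incoming calls\n;allowguest=no ; Allow or reject guest calls (default is yes)\n' > "$1"
}

# Same fragment with the line uncommented, as the patch proposes.
write_safe_sample() {
    printf '[general]\ncontext=default ; Default context for incoming calls\nallowguest=no ; Allow or reject guest calls (default is yes)\n[1000]\nallowguest=yes\n' > "$1"
}

# Report on a real file when one is given on the command line.
if [ -n "${1:-}" ]; then
    echo "effective allowguest in $1: $(effective_allowguest "$1")"
fi
```

Run it as `sh check_allowguest.sh /etc/asterisk/sip.conf`; the per-peer `allowguest=yes` in the second constructed sample is deliberately ignored, because the check only honours the [general] section.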