[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Alexandre Cavalcante Alencar alexandre.alencar at gmail.com
Thu Nov 12 10:59:40 CST 2009


Hi all

On Thu, Nov 12, 2009 at 4:33 AM, Alec Davis <sivad.a at paradise.net.nz> wrote:
> At Tilghman's request.
>
> We need to agree to change the sip.conf default from allowguest=yes to
> allowguest=no and extensions.conf to have a warning in the [default] section that sip.conf
> may have allowguest=yes or nothing which will default to yes.
>

I think it can be changed (hardcoded and config samples) to
allowguest=no for the next major release. In the past, the Asterisk Team
changed and informed users about default behavior changes and we (as
users) got the way to adjust our systems.

It will be very welcome to change the default insecure behavior to a
more secure one. But it's not the solution for all the security
problems out there.

> Reference mantis bugs;
> https://issues.asterisk.org/view.php?id=15101 SIP allowguest defaults to yes
> with 'make samples'
> https://issues.asterisk.org/view.php?id=16226 1.4.26.3 security issue -
> Chinese IPs somehow are making calls without authentication
>
> There are many installations out there where newbies are playing in the
> [default] context in their dialplan, getting things working, then opening
> port 5060 in their firewall without understanding what they've just done.
>
> Initially I thought it was great that we allow any SIP phone to connect to
> asterisk, with no configuration required at the asterisk end, how wrong I
> was.
>
> Alec Davis



-- 
Alexandre Alencar (Skarmeth)
http://blog.alexandrealencar.net/
http://www.alexandrealencar.net/
ITIL, CSM, LPI, MCP-I, MCP
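
A configuration check for the default discussed in this thread, as an added example that is not part of the original messages or the Asterisk project's code: it reports the effective allowguest value of a sip.conf, treating a missing setting as yes as the thread describes. The function name and the sample configurations are constructed for illustration.

```python
import re

# Values Asterisk treats as boolean false; anything else is reported as enabled.
FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}

def effective_allowguest(sip_conf_text):
    """Return (guest_calls_enabled, reason) for the [general] section."""
    section, value = None, None
    for raw in sip_conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "general" and "=" in line:
            key, val = line.split("=", 1)
            if key.strip().lower() == "allowguest":
                value = val.strip().lower()  # a later setting overrides
    if value is None:
        return True, "allowguest not set in [general]; default applies"
    return value not in FALSE_VALUES, "allowguest=" + value

# Constructed sample configurations (not taken from the thread).
COMMENTED_OUT = "[general]\nbindport=5060\n;allowguest=no\n\n[6001]\ntype=friend\n"
EXPLICIT_NO = "[general]\nallowguest = no ; reject unauthenticated callers\n"
WRONG_SECTION = "[general]\nbindport=5060\n\n[6001]\ntype=friend\nallowguest=no\n"

if __name__ == "__main__":
    for name, text in [("commented out", COMMENTED_OUT),
                       ("explicit no", EXPLICIT_NO),
                       ("wrong section", WRONG_SECTION)]:
        enabled, reason = effective_allowguest(text)
        print(f"{name}: {'GUESTS ALLOWED' if enabled else 'ok'} ({reason})")
```

A commented-out line or a setting placed under a peer section leaves the default in force, which is the case the thread is concerned about.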


