[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Tzafrir Cohen tzafrir.cohen at xorcom.com
Fri Nov 13 05:55:21 CST 2009


On Fri, Nov 13, 2009 at 10:39:38AM +0200, Kaloyan Kovachev wrote:
> On Thu, 12 Nov 2009 20:00:44 +0000 (UTC), Jeff LaCoursiere wrote
> > On Thu, 12 Nov 2009, Atis Lezdins wrote:
> > 
> > > On Thu, Nov 12, 2009 at 8:34 PM, Tzafrir Cohen <tzafrir.cohen at xorcom.com> wrote:
> > >>
> > >> Please explain to me why exactly allowing guests is a bad thing. How can
> > >> I allow people to call me from the internet? Create a local account for
> > >> each and every one in my address book?
> > >>
> > >
> > > How about creating a context "guest" or "public", and setting it as
> > > the default in the samples? That would make the user think much more
> > > before adding some code there.
> > >
> 
> That was exactly my suggestion here -
> http://lists.digium.com/pipermail/asterisk-dev/2009-November/040571.html
> 
> demo is now included in default ... leave default with only invalid and
> timeout instead and include the demo in unauthenticated_call and default in
> both ... this is how I make my configs with s,i,t,T,h being the only
> extensions in default and included everywhere

What's insecure in the demo context?

Is it a problem that someone can make you relay a test IAX2 to Digium?
Leave a voicemail message?

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
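
Added example, not part of the original message or of the Asterisk project's code: one way to answer "what can a guest actually reach?" for a given dialplan is to resolve the `include =>` lines from the context guests land in and list the extensions that run `Dial`. The dialplan text, the `internal` context, the trunk name and all function names are constructed for illustration; `same =>` lines and escaped `;` are not handled.

```python
import re
from collections import defaultdict

# Constructed sample dialplan (not from the thread): "default" holds only the
# i and t handlers; the guest context includes "demo" and "default".
SAMPLE_EXTENSIONS_CONF = """\
[default]
exten => i,1,Playback(invalid)
exten => t,1,Hangup()
[demo]
exten => s,1,Answer()
exten => 500,1,Dial(IAX2/guest@example.invalid/s@default)
exten => 8500,1,VoiceMailMain()
[unauthenticated_call]
include => demo
include => default
[internal]
include => default
exten => _9.,1,Dial(SIP/trunk/${EXTEN:1})
"""

def parse_dialplan(text):
    """Return (includes, extens): context -> included contexts / (exten, app)."""
    includes, extens, ctx = defaultdict(list), defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ; comments
        if m := re.fullmatch(r"\[([^\]]+)\]", line):
            ctx = m.group(1)
        elif ctx and (m := re.match(r"include\s*=>\s*(\S+)", line)):
            includes[ctx].append(m.group(1))
        elif ctx and (m := re.match(r"exten\s*=>\s*([^,]+),[^,]+,(\w+)", line)):
            extens[ctx].append((m.group(1), m.group(2)))
    return includes, extens

def reachable(guest_context, includes, extens):
    """Everything a caller landing in guest_context can dial, following includes."""
    seen, stack, out = set(), [guest_context], []
    while stack:
        ctx = stack.pop()
        if ctx in seen:
            continue                          # guard against include loops
        seen.add(ctx)
        out += [(ctx, e, app) for e, app in extens[ctx]]
        stack.extend(includes[ctx])
    return sorted(out)

def dial_exposure(guest_context, text):
    """Extensions reachable from guest_context that place a call via Dial."""
    return [(c, e) for c, e, app in reachable(guest_context, *parse_dialplan(text)) if app == "Dial"]
```

Run `dial_exposure()` with the value of `context=` that applies to unauthenticated callers in sip.conf; an empty list means no reachable extension places an outbound call.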
