[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Tzafrir Cohen tzafrir.cohen at xorcom.com
Tue Nov 17 03:59:27 CST 2009


On Mon, Nov 16, 2009 at 09:55:33AM +0100, Kai Hoerner wrote:
> Hi Olle and others,
> 
> Olle E. Johansson wrote:
> >> If we allowguest=yes, unauthenticated calls will end up in the default
> >> context _as well_ but it's not guaranteed only unauthenticated calls go
> >> there.
> >>
> >> For that reason I suggest another, more clear context name: "unconfigured"
> >>     
> > For trunk, we can separate the default context, that is inherited to unconfigured devices from the context that is used for calls where we can not match anyone. Like "guestcontext". That would make things very clear. 
> 
> Agreed.
> 
> > Guestcontext can default to the default context, but the sample configuration could have an activated setting. 
> 
> This would impose the exact same behaviour for beginners:
> if they start adding things like dialout in the default context, the 
> world can use it.
> 
> I suggest we change the extensions.conf sample too.
> There should be a [demo] context, an [unconfigured] and a [default] 
> context. Both the [unconfigured] and [default] contexts include [demo].
> In [demo] there would be a comment telling beginners to not use [demo] 
> for messing around. (with the note that it is included for 
> unauthenticated calls)
> 
> That way, if they add anything like dialout in [default], the 
> [unconfigured] context would still be "secure".
> 
> > but the sample configuration could have an activated setting. 
> >   
> 
> IMO the sip.conf.sample should contain an activated "allowguest=no"
> 
> > While this would not work with released versions, it might make things better with future releases.
> Agreed.

I still don't agree. I believe that focusing on guests here misses the
target. The problem is not guest users. The problem is unintended relays
from one trunk to another. If you unintentionally allow authenticated
incoming SIP calls to make outgoing paid calls[1].

The basic tool Asterisk has for authorization[2] is dialplan contexts.


So, consider a sample context such as:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

[incoming]
; A separate context for incoming calls:
; We don't trust those callers, and thus only allow them the things they
; really need:
include => demo
; Make sure this context will not allow outgoing calls through a paid
; trunk.

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

We must remember that the sample dialplan is mostly documentation. There 
are those who use it, but most people just write dialplan from scratch.

[1] I use "paid calls" for the sake of clarity. It may be paid PSTN
calls, paid SIP calls, or maybe some unpaid calls you assume those
incoming callers should not be able to do. For instance, a special
extension to switch between day-time and night-time.

[2] don't mix authorization and authentication.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
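
Added example, not part of the original message or of Asterisk itself: a small audit that follows `include =>` chains in an extensions.conf and lists every Dial() target a caller landing in a given context can reach, which is the relay risk the message describes. The `outbound` context, the `provider` peer and the sample file are constructed assumptions; the parser is simplified and does not follow Goto() or macros.

```python
import re

# Constructed sample extensions.conf; "outbound" and the peer "provider"
# are made-up names, not taken from the message above.
SAMPLE = """\
[demo]
exten => s,1,Answer()

[outbound]
exten => _9X.,1,Dial(SIP/provider/${EXTEN:1})  ; paid trunk

[incoming]
include => demo

[default]
include => demo
include => outbound
"""

def parse(text):
    """Map each context to its include list and first Dial() arguments."""
    contexts, cur = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplification: ignores escaped \;
        if not line:
            continue
        head = re.fullmatch(r"\[([^\]]+)\]", line)
        if head:
            cur = contexts.setdefault(head.group(1), {"includes": [], "dials": []})
        elif cur is not None:
            cur["includes"] += re.findall(r"^include\s*=>?\s*([^,|\s]+)", line)
            cur["dials"] += re.findall(r"\bDial\(([^,)]+)", line)
    return contexts

def reachable(contexts, entry):
    """Contexts a call entering `entry` can match in, following includes."""
    seen, stack = set(), [entry]
    while stack:
        name = stack.pop()
        if name not in seen and name in contexts:
            seen.add(name)
            stack.extend(contexts[name]["includes"])
    return seen

def exposed_dials(contexts, entry):
    """(context, Dial target) pairs available to callers landing in `entry`."""
    return sorted((c, d) for c in reachable(contexts, entry) for d in contexts[c]["dials"])

print({e: exposed_dials(parse(SAMPLE), e) for e in ("incoming", "default")})
```

Run it against the context named in each peer's `context=` setting (and the general `context=` in sip.conf); any Dial() target listed for a context that untrusted callers enter is a candidate relay.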
