[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Chris Lee cslee-list at cybericom.co.uk
Tue Nov 17 08:30:08 CST 2009 


Tzafrir Cohen wrote:
> On Mon, Nov 16, 2009 at 09:55:33AM +0100, Kai Hoerner wrote:
>   
>> Hi Olle and others,
>>
>> Olle E. Johansson schrieb:
>>     
>>>> If we allowguest=yes, unauthenticated calls will end up in the default
>>>> context _as well_ but it's not guaranteed only unauthenticated calls go
>>>> there.
>>>>
>>>> For that reason i suggest another, more clear context name: "unconfigured"
>>>>     
>>>>         
>>> For trunk, we can separate the default context, that is inherited to unconfigured devices from the context that is used for calls where we can not match anyone. Like "guestcontext". That would make things very clear. 
>>>       
>> Agreed.
>>
>>     
>>> Guestcontext can default to the default context, but the sample configuration could have an activated setting. 
>>>       
>> This would impose the exact same behaviour for beginners:
>> if they start adding things like dialout in the default context, the 
>> world can use it.
>>
>> i suggest we change the extensions.conf sample too.
>> there should be a [demo] context, an [unconfigured] and a [default] 
>> context. Both the [unconfigured] and [default] contexts include [demo].
>> in [demo] there would be a comment telling beginners to not use [demo] 
>> for messing around. (with the note that it is included for 
>> unauthenticated calls)
>>
>> that way, if they add anything like dialout in [default], the 
>> [unconfigured] context would still be "secure".
>>
>>     
>>> but the sample configuration could have an activated setting. 
>>>   
>>>       
>> IMO the sip.conf.sample should contain an activated "allowguest=no"
>>
>>     
>>> While this would not work with released versions, it might make things better with future releases.
>>>       
>> Agreed.
>>     
>
> I still don't agree. I believe that focusing on guests here misses the
> target. The problem is not guest users. The problem is unintended relays
> from one trunk to another. If you unintentionally allow authenticated
> incomming SIP calls to make outgoing paid calls[1].
>
> The basic tool Asterisk has for authorization[2] is dialplan contexts.
>
>   
In that case could a restriction not be placed on the contexts so that 
only users in the local subnet can make calls as guest type users unless 
a variable is set to allow guests from outside the local subnet? That 
way you protect newbies ability to play without getting too badly hurt 
but allow the operation when it is desired.

Something like
RemoteGuest=No

in sip.conf.

Regards,
Chris.

More information about the asterisk-dev mailing list