[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default
Tzafrir Cohen
tzafrir.cohen at xorcom.com
Tue Nov 17 08:59:23 CST 2009
On Tue, Nov 17, 2009 at 02:30:08PM +0000, Chris Lee wrote:
>
>
> Tzafrir Cohen wrote:
> > I still don't agree. I believe that focusing on guests here misses the
> > target. The problem is not guest users. The problem is unintended relays
> > from one trunk to another. If you unintentionally allow authenticated
> > incoming SIP calls to make outgoing paid calls[1].
> >
> > The basic tool Asterisk has for authorization[2] is dialplan contexts.
> >
> >
> In that case could a restriction not be placed on the contexts so that
> only users in the local subnet can make calls as guest type users unless
> a variable is set to allow guests from outside the local subnet? That
> way you protect newbies' ability to play without getting too badly hurt
> but allow the operation when it is desired.
>
> Something like
> RemoteGuest=No
>
> in sip.conf.
My toy box is behind NAT. I'm a complete newb and did not set up any
forwarding. Is there any reason I should fear the l33t internet
attackers? Do I have to explicitly set my subnet mask in sip.conf for
all phones for things to work?
Also: what about incoming calls from:
* PSTN
* an IAX2 trunk
* an H.323 trunk (is there such a beast?)
--
Tzafrir Cohen
icq#16849755 jabber:tzafrir.cohen at xorcom.com
+972-50-7952406 mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com iax:guest at local.xorcom.com/tzafrir
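
The point argued in this thread, that authorization lives in dialplan contexts whatever channel a call arrives on, can be checked mechanically. The following is an added example, not part of the original message or of Asterisk: it walks `include =>` chains from each entry context and reports which call sources can reach a trunk `Dial()`. The sample dialplan, the source names and the "three-part Dial target means trunk" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Constructed extensions.conf for illustration (not taken from the thread).
EXTENSIONS_CONF = """[default]
include => outbound    ; convenience include that opens the relay
exten => _1XX,1,Dial(SIP/${EXTEN})
[outbound]
exten => _9.,1,Dial(SIP/carrier-a/${EXTEN:1})
[from-trunk]
exten => _X.,1,Dial(SIP/100)
"""
# Constructed map of call source -> context where its calls enter the dialplan.
ENTRY_CONTEXTS = {
    "SIP guest": "default",
    "SIP carrier-a": "from-trunk",
    "IAX2 carrier-b": "default",
    "PSTN span": "from-trunk",
}
# Assumption: Dial(TECH/peer/number) sends the call out through a trunk.
TRUNK_DIAL = re.compile(r"Dial\(\s*(\w+/[^/,)\s]+/[^,)]+)")
INCLUDE = re.compile(r"include\s*=>\s*(\S+)")

def parse_contexts(text):
    contexts, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        head = re.fullmatch(r"\[([^\]]+)\]", line)
        if head:
            current = head.group(1)
        elif line and current:
            contexts[current].append(line)
    return contexts

def trunk_dials_from(plan, start):
    seen, stack, dials = {start}, [start], []
    while stack:
        ctx = stack.pop()
        for line in plan.get(ctx, []):
            inc, dial = INCLUDE.match(line), TRUNK_DIAL.search(line)
            if inc and inc.group(1) not in seen:  # follow each include once
                seen.add(inc.group(1))
                stack.append(inc.group(1))
            if dial:
                dials.append((ctx, dial.group(1)))
    return dials

def find_relays(ext_conf, entries):
    plan = parse_contexts(ext_conf)
    return {src: d for src, c in entries.items() if (d := trunk_dials_from(plan, c))}
```

With the sample data, both the guest and the authenticated IAX2 trunk are reported, because both enter at `default`; removing the `include => outbound` line clears both findings.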