[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default

Atis Lezdins atis at iq-labs.net
Tue Nov 17 11:09:47 CST 2009 

On Tue, Nov 17, 2009 at 6:57 PM, Kai Hoerner <kai at ciphron.de> wrote:
> Hi,
>
> Tzafrir Cohen wrote:
>> Sounds like we could really use a dummy entry for the "guest user"[2]
>> in sip.conf . So you could set up context, extra variables, language and
>> whatever. This sounds so simple and obvoius, that there must be some
>> sound technical reasons why it won't work well.
>
> Great idea. 1+
> Waiting for comments from Olle on technical reasons.
>

Actually, as Tzafrir mentioned before, this isn't affecting only SIP,
you could have the same
kind of security risk with anonymous pass-through also on DAHDI, mobile, etc..

>>> With the solution as-is, both of them end up in the default context.
>
>>> I do not understand how unintended relay applies at all to this topic.
>>> Isn't bad dialplan design a configuration issue?
>
>> This whole problem is about bad dialplan design. It is about beginners
>> not planning their dialplan well.
>
> I thought this discussion was about the sample configs, and how they can
> aid beginners in using them as a starting point in a more secure manner
> without further knowledge.
> Bad dialplan design by beginners is not avoidable, but we can aid them
> to start with a better sample design.
>
>> I want to allow random Joe SIP user call my phone. I consider this a
>> feature. This call takes out a bit of my bandwidth. But if this is a
>> problem, I can hang up.
>
>> I do not want Joe to call into my PBX and from there out through another
>> trunk.
>
> Still agreed.
>
>>> It is, but this difficulty can be aided by adding more control over what
>>> calls go into which context.
>
>> The dialplan already gives you good control.
>
> Only if you know how to use your tools properly, which i believe beginners
> do not.
>
> One can check if the call comes from an authenticated peer in dialplan. Agreed.
>
> But i thought the discussion was about how to aid beginners who don't know
> such things.
>
>> [1] Or rather: there maybe some actions that the sysadmin thinks are
>> unauthorized but sadly are authorized.
>
> Thx for the correction, that is exactly what i intended to say.
>


-- 
Atis Lezdins,
VoIP Project Manager / Developer,
IQ Labs Inc,
atis at iq-labs.net
Skype: atis.lezdins
Cell Phone: +371 28806004
Cell Phone: +1 800 7300689
Work phone: +1 800 7502835

More information about the asterisk-dev mailing list