[asterisk-dev] Security Request for discussion: Should sip.conf allowguest=yes be the default
Alec Davis
sivad.a at paradise.net.nz
Tue Nov 17 13:07:20 CST 2009
I've been pondering what has been suggested in this email since I sent the
original request for discussion.
The idea is to default 'allowguest to 'local' using the following.
'allowguest=local'
only computers on the same subnet as asterisk, 'That magic moment is
still preserved when first connecting to asterisk.
'allowguest=no'
A locked down system, where you definately don't want guest.
'allowguest=yes'
You know what your doing, and guests are allowed.
Alec Davis
-----Original Message-----
From: asterisk-dev-bounces at lists.digium.com
[mailto:asterisk-dev-bounces at lists.digium.com] On Behalf Of Chris Lee
Sent: Wednesday, 18 November 2009 3:30 a.m.
To: asterisk-dev at lists.digium.com
Subject: Re: [asterisk-dev] Security Request for discussion: Should sip.conf
allowguest=yes be the default
Tzafrir Cohen wrote:
> On Mon, Nov 16, 2009 at 09:55:33AM +0100, Kai Hoerner wrote:
>
>> Hi Olle and others,
>>
>> Olle E. Johansson schrieb:
>>
>>>> If we allowguest=yes, unauthenticated calls will end up in the
>>>> default context _as well_ but it's not guaranteed only
>>>> unauthenticated calls go there.
>>>>
>>>> For that reason i suggest another, more clear context name:
"unconfigured"
>>>>
>>>>
>>> For trunk, we can separate the default context, that is inherited to
unconfigured devices from the context that is used for calls where we can
not match anyone. Like "guestcontext". That would make things very clear.
>>>
>> Agreed.
>>
>>
>>> Guestcontext can default to the default context, but the sample
configuration could have an activated setting.
>>>
>> This would impose the exact same behaviour for beginners:
>> if they start adding things like dialout in the default context, the
>> world can use it.
>>
>> i suggest we change the extensions.conf sample too.
>> there should be a [demo] context, an [unconfigured] and a [default]
>> context. Both the [unconfigured] and [default] contexts include [demo].
>> in [demo] there would be a comment telling beginners to not use
>> [demo] for messing around. (with the note that it is included for
>> unauthenticated calls)
>>
>> that way, if they add anything like dialout in [default], the
>> [unconfigured] context would still be "secure".
>>
>>
>>> but the sample configuration could have an activated setting.
>>>
>>>
>> IMO the sip.conf.sample should contain an activated "allowguest=no"
>>
>>
>>> While this would not work with released versions, it might make things
better with future releases.
>>>
>> Agreed.
>>
>
> I still don't agree. I believe that focusing on guests here misses the
> target. The problem is not guest users. The problem is unintended
> relays from one trunk to another. If you unintentionally allow
> authenticated incomming SIP calls to make outgoing paid calls[1].
>
> The basic tool Asterisk has for authorization[2] is dialplan contexts.
>
>
In that case could a restriction not be placed on the contexts so that only
users in the local subnet can make calls as guest type users unless a
variable is set to allow guests from outside the local subnet? That way you
protect newbies ability to play without getting too badly hurt but allow the
operation when it is desired.
Something like
RemoteGuest=No
in sip.conf.
Regards,
Chris.
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
More information about the asterisk-dev
mailing list