[asterisk-dev] Security Request for discussion: Should sip.confallowguest=yes be the default

Alec Davis sivad.a at paradise.net.nz
Wed Nov 18 03:01:11 CST 2009


'allowguest=local' may not have been the best keyword. But you got the idea.

If the source (not SIP source) were one of the non routable ipaddress
ranges, (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 or 169.254.0.0/16), then
it should be 'fairly' safe that this is 'local' access, and if
allowguest=local then allow a guest connection.

The flaw: Some shared cable networks may use the 'non routable' address
ranges, leaving you open to other users on your cable network, maybe easier
to trace abuse with help from your local service provider, maybe not?

But still you have to change the extensions.conf [default] context to have
any damage done.

Alec
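As an added illustration of the 'allowguest=local' check proposed above (example code, not from this thread or from Asterisk itself): the transport-layer source address is classified against the four non-routable ranges and that result is folded into the three proposed modes. The range table, function names and sample addresses are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: the ranges the proposal treats as 'local'. */
struct cidr { const char *net; int bits; };
static const struct cidr local_ranges[] = {
    { "10.0.0.0", 8 }, { "172.16.0.0", 12 },
    { "192.168.0.0", 16 }, { "169.254.0.0", 16 },
};

static int in_cidr(uint32_t addr, const char *net, int bits) {
    struct in_addr n;
    uint32_t mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    if (inet_pton(AF_INET, net, &n) != 1) return 0;
    return (addr & mask) == (ntohl(n.s_addr) & mask);
}

/* Returns 1 if the IP-layer source address is in one of the non-routable
 * ranges, 0 otherwise (including unparsable input, which is never 'local'). */
int source_is_local(const char *src_ip) {
    struct in_addr a;
    if (inet_pton(AF_INET, src_ip, &a) != 1) return 0;
    uint32_t addr = ntohl(a.s_addr);
    for (size_t i = 0; i < sizeof(local_ranges) / sizeof(local_ranges[0]); i++)
        if (in_cidr(addr, local_ranges[i].net, local_ranges[i].bits)) return 1;
    return 0;
}

/* Decide whether an unauthenticated request from src_ip gets guest access
 * under the proposed modes. src_ip must be the packet's source address, not
 * anything read from SIP headers, since the sender controls those. */
int guest_allowed(const char *allowguest, const char *src_ip) {
    if (strcmp(allowguest, "yes") == 0) return 1;
    if (strcmp(allowguest, "local") == 0) return source_is_local(src_ip);
    return 0; /* "no" and anything unrecognised: deny */
}

int main(void) {
    const char *samples[] = { "192.168.1.20", "172.31.4.9", "172.32.0.1",
                              "8.8.8.8", "169.254.10.1" };
    for (size_t i = 0; i < 5; i++)
        printf("%-14s local=%d guest(local)=%d\n", samples[i],
               source_is_local(samples[i]), guest_allowed("local", samples[i]));
    return 0;
}
```

Note that 172.32.0.1 falls just outside 172.16.0.0/12 and is classified as non-local, which is the boundary case worth checking in any real implementation.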

-----Original Message-----
From: asterisk-dev-bounces at lists.digium.com
[mailto:asterisk-dev-bounces at lists.digium.com] On Behalf Of Tzafrir Cohen
Sent: Wednesday, 18 November 2009 9:39 a.m.
To: asterisk-dev at lists.digium.com
Subject: Re: [asterisk-dev] Security Request for discussion: Should
sip.confallowguest=yes be the default

On Wed, Nov 18, 2009 at 08:07:20AM +1300, Alec Davis wrote:
> I've been pondering what has been suggested in this email since I sent 
> the original request for discussion.
> 
> The idea is to default 'allowguest to 'local' using the following.
> 
> 'allowguest=local'
> 	only computers on the same subnet as asterisk, 'That magic moment is
> still preserved when first connecting to asterisk.

Where is that subnet defined? "localnet" or something more automatic?

> 'allowguest=no'
> 	A locked down system, where you definitely don't want guests.
> 'allowguest=yes'
> 	You know what you're doing, and guests are allowed.

-- 
               Tzafrir Cohen
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
