<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18852"></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=558092422-16112009><FONT color=#0000ff
size=2 face=Arial>Proposed patches are up at <A
href="https://issues.asterisk.org/view.php?id=15101">https://issues.asterisk.org/view.php?id=15101</A></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=558092422-16112009><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=558092422-16112009><FONT color=#0000ff
size=2 face=Arial>Which satisfy most of my initial
concerns.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=558092422-16112009><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=558092422-16112009><FONT color=#0000ff
size=2 face=Arial>Alec Davis</FONT></SPAN></DIV><FONT color=#0000ff size=2
face=Arial></FONT><BR>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B> asterisk-dev-bounces@lists.digium.com
[mailto:asterisk-dev-bounces@lists.digium.com] <B>On Behalf Of </B>Alec
Davis<BR><B>Sent:</B> Thursday, 12 November 2009 8:34 p.m.<BR><B>To:</B>
asterisk-dev@lists.digium.com<BR><B>Subject:</B> [asterisk-dev] Security Request
for discussion: Should sip.conf allowguest=yes be the
default<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>At Tilghman's
request.</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>We need to agree to
change the sip.conf default from allowguest=yes to
allowguest=no</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>and extensions.conf
to have a warning in the [default] section that sip.conf may have allowguest=yes
or nothing, which will default to yes.</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009></SPAN><SPAN
class=801181907-12112009></SPAN><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial>Reference Mantis bugs:</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><A
href="https://issues.asterisk.org/view.php?id=15101"><FONT size=2
face=Arial>https://issues.asterisk.org/view.php?id=15101</FONT></A><FONT size=2
face=Arial> SIP allowguest defaults to yes with 'make samples'
</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><A
href="https://issues.asterisk.org/view.php?id=16226"><FONT size=2
face=Arial>https://issues.asterisk.org/view.php?id=16226</FONT></A><FONT size=2
face=Arial> 1.4.26.3 security issue - Chinese IPs somehow are making calls
without authentication </FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>There are many
installations out there where newbies are playing in the [default] context
in their dialplan, getting things working, then opening port 5060 in their
firewall without understanding what they've just done.</FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>Initially
I thought it was great that we allow any SIP phone to connect to
asterisk, with no configuration required at the asterisk end, how wrong I
was. </FONT></SPAN></DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2
face=Arial></FONT></SPAN> </DIV>
<DIV><SPAN class=801181907-12112009><FONT size=2 face=Arial>Alec
Davis</FONT></SPAN></DIV></BODY></HTML>