[Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
James H. Thompson
jht at lj.net
Wed Apr 28 01:12:03 MST 2004
I think the problem is that using permit= alone does nothing.
You need to combine it with a deny= as in:
deny=0.0.0.0/0.0.0.0 ; deny all
permit=123.123.123.123 ; allow only this address - netmask defaults to: /255.255.255.255
Order matters: the deny needs to come first.
For reference, here is the code from acl.c that checks the rules:
int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
{
    /* Start optimistic: with no matching rule the address is allowed */
    int res = AST_SENSE_ALLOW;
    while (ha) {
        /* For each rule, if this address and the netmask = the net address
           apply the current rule (the last matching rule wins) */
        if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == (ha->netaddr.s_addr))
            res = ha->sense;
        ha = ha->next;
    }
    return res;
}
Jim
James H. Thompson
jht at lava.net
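To make the ordering point above concrete, here is an added example (not Asterisk's own code, and not part of the original post) that parses sip.conf-style permit=/deny= lines and walks them exactly like ast_apply_ha does; the 212.213.65.66 address is taken from the thread and 10.9.8.7 is a constructed "stranger" address.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define AST_SENSE_DENY  0
#define AST_SENSE_ALLOW 1
#define MAX_RULES 8

/* One permit=/deny= rule; a simplified stand-in for Asterisk's struct ast_ha */
struct ha { uint32_t netaddr, netmask; int sense; };

/* Parse one sip.conf line "permit=a.b.c.d[/m.m.m.m]" or "deny=..." into *h.
 * A missing mask defaults to /255.255.255.255 (one host). Returns 0 on success. */
static int parse_rule(const char *line, struct ha *h)
{
    char buf[64], *spec, *slash;
    struct in_addr a, m;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    if (!strncmp(buf, "permit=", 7)) { h->sense = AST_SENSE_ALLOW; spec = buf + 7; }
    else if (!strncmp(buf, "deny=", 5)) { h->sense = AST_SENSE_DENY; spec = buf + 5; }
    else return -1;
    slash = strchr(spec, '/');
    if (slash) { *slash = '\0'; if (inet_pton(AF_INET, slash + 1, &m) != 1) return -1; }
    else m.s_addr = htonl(0xFFFFFFFFu);
    if (inet_pton(AF_INET, spec, &a) != 1) return -1;
    h->netmask = m.s_addr;
    h->netaddr = a.s_addr & m.s_addr;
    return 0;
}

/* Same walk as ast_apply_ha: start optimistic (ALLOW) and let every matching
 * rule overwrite the result, so the LAST matching rule in file order wins.
 * Returns AST_SENSE_ALLOW or AST_SENSE_DENY for src_ip; a malformed rule or
 * address fails closed (this example's choice, not Asterisk's own handling). */
int sip_acl_allows(const char *rules[], int nrules, const char *src_ip)
{
    struct ha ha[MAX_RULES];
    struct in_addr s;
    int i, res = AST_SENSE_ALLOW;
    if (nrules > MAX_RULES || inet_pton(AF_INET, src_ip, &s) != 1) return AST_SENSE_DENY;
    for (i = 0; i < nrules; i++)
        if (parse_rule(rules[i], &ha[i]) != 0) return AST_SENSE_DENY;
    for (i = 0; i < nrules; i++)
        if ((s.s_addr & ha[i].netmask) == ha[i].netaddr)
            res = ha[i].sense;
    return res;
}
```

A lone permit= lets the stranger through because nothing ever set the result to DENY; putting the deny after the permit is just as wrong, since the deny then overwrites the permit for the trusted host too.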
----- Original Message -----
From: "William Zhang" <w_w_zhang at yahoo.com>
To: <asterisk-users at lists.digium.com>
Sent: Tuesday, April 27, 2004 2:43 PM
Subject: [Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
> I had tried many ways with some advanced user help, but without
> success (at one point I thought I had it working).
>
> Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> file, there are a lot of entries with just "host=a.b.c.d", thinking
> that * will only accept calls from host "a.b.c.d", but in my test, no
> matter how you set up the sip.conf entries, either * will NOT accept
> calls for that user account at all, or it will accept calls from
> anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> so long as the SIP userid is the username in sip.conf. This poses a very
> serious security problem.
>
> Of course we can put "secret=" for each entry, but given Asterisk GW
> and SIP proxy are in 2 TRUSTED IPs, no Authentication is necessary,
> otherwise it increases the SIP traffic quite a bit.
>
> Following are the 4 different entries that I had tried:
> #Notice that in the "general" section, context is pointed to a
> nonexistent context "INVALID".
>
> ;
> ; SIP Configuration for Asterisk
> ;
> [general]
> port = 5060 ; Port to bind to
> bindaddr = 212.213.66.68
> context = INVALID ;
> ;srvlookup = yes ; Enable SRV lookups on outbound calls
> ;pedantic = yes ; Enable slow, pedantic checking for Pingtel
> ;tos=lowdelay
> ;tos=184
> ;maxexpirey=3600 ; Max length of incoming registration we allow
> ;defaultexpirey=120 ; Default length of incoming/outgoing registration
> ;notifymimetype=text/plain ; Allow overriding of mime type in NOTIFY
> ;videosupport=yes ; Turn on support for SIP video
> disallow=all ; Disallow all codecs
> allow=ulaw ; Allow codecs in order of preference
> allow=g729
> allow=ilbc
> ;
> ;dtmfmode=info
> ;dtmfmode=inband
> dtmfmode=rfc2833
>
>
>
> [20034]
> type=friend
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes ; This phone may be natted
> canreinvite=no
>
> [20035]
> type=peers
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes ; This phone may be natted
> canreinvite=no
>
> [20036]
> type=friend
> context=default
> callerid=TEST <61331045>
> host=212.213.65.66
> permit=212.213.65.66
> nat=yes ; This phone may be natted
> canreinvite=no
>
> [20037]
> type=peers
> context=default
> callerid=TEST <61331045>
> permit=212.213.65.66
> nat=yes ; This phone may be natted
> canreinvite=no
>
> Thank you in advance.
>
>