[asterisk-users] security on localhost connections

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Sat Aug 30 20:00:49 CDT 2008


On Saturday 30 August 2008 19:15:36 David Burgess wrote:
> Now we've discovered a new problem: Asterisk lets these non-existent
> make calls even though they are not listed as users in sip.conf.  We
> suspect that is happening because they are all localhost connections,
> and therefore bypassing some kind of authentication check.  These
> calls also show up in the CDR, but with the SIP ids of real,
> provisioned SIP users instead of the IMSIs of the phones that are
> actually making the calls.  Any ideas how this is happening or how to
> fix it?

Generally, this is because your SIP users don't have passwords.  Force
passwords on all of your SIP devices, and alternate SIP endpoints won't
be able to make calls without that corresponding user/password.  The
reason this happens is due to the matching sequence, where Asterisk
prefers a match with no password (and where the host is dynamic) when
all other searches fail to produce a match.

-- 
Tilghman
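
Added example, not part of the original post: a small audit in the spirit of the advice above that lists sip.conf entries with no password, along with their host setting so that host=dynamic entries stand out. It assumes chan_sip-style sections using the `secret` / `md5secret` options and the `[name](!)` / `[name](template)` template syntax; the sample configuration is constructed.

```python
import re

# Constructed sample sip.conf; every name and value here is illustrative.
SAMPLE_SIP_CONF = """\
[general]
[phones](!)          ; template only
type=friend
host=dynamic
[1001](phones)
secret=Xk29fLq0pA
[1002](phones)       ; inherits host=dynamic, never sets a secret
[1003]
type=friend
host=dynamic
secret=              ; empty value is no password
[trunk]
type=peer
host=192.0.2.10
"""

SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse_sections(text):
    """Return {name: (is_template, options)}, with template options inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip ';' comments
        m = SECTION.match(line)
        if m:
            flags = [f.strip() for f in (m.group(2) or "").split(",")]
            current = {}
            for parent in flags:
                current.update(sections.get(parent, (False, {}))[1])
            sections[m.group(1)] = ("!" in flags, current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(text):
    """Return (section, host) for each non-template entry with no password."""
    return [(name, opts.get("host", ""))
            for name, (is_template, opts) in parse_sections(text).items()
            if name != "general" and not is_template
            and not (opts.get("secret") or opts.get("md5secret"))]

if __name__ == "__main__":
    for name, host in audit(SAMPLE_SIP_CONF):
        print(f"[{name}] has no secret/md5secret (host={host or 'unset'})")
```

To check a real file, pass its contents to `audit()` in place of the constructed sample.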


