[asterisk-users] allowguest defaults to yes for SIP

Tilghman Lesher tlesher at digium.com
Thu Nov 12 11:42:04 CST 2009


On Thursday 12 November 2009 09:53:17 Lee Howard wrote:
> Tilghman Lesher wrote:
> > On Thursday 12 November 2009 07:47:34 Lee Howard wrote:
> >> In your sip.conf file allowguest defaults to yes.  This means that
> >> anyone that can reach the SIP ports on that system has access to make
> >> unauthenticated calls, by default.  The administrator actually has to go
> >> in and turn it off to prevent unauthenticated SIP calls (in whatever
> >> context [general] points at).
> >
> > Actually, they only have access to your default context.  Whether you
> > make available outgoing calls in your default context is your choice.  By
> > default, there is no capability of making outgoing calls from your
> > default context.
>
> Well, yes, the default configuration is useless.  But, let's say I
> follow doc/security.txt exactly and have this:
>
> [default]
> exten => 6123,Dial(Zap/1)
>
> ... therefore, by default, an unauthenticated user from anywhere can
> call the extension Zap/1.  It's not my point whether or not this poses a
> financial risk.  My point is that this is an insecure default behavior
> to have allowguest=yes.
>
> >> Does anyone else agree with me that this is a poor default?  I'd like to
> >> see the default setting changed.
> >
> > The purpose of the allowguest option is to allow persons to call into
> > your system from a zero-knowledge position.  This allows you to publish a
> > general SIP address as a point of contact.
>
> These people should need to deliberately use allowguest=yes.  I would
> venture to guess that these people already know who they are and
> deliberately have this set.  I would venture to guess that there are
> far, far more people who have it turned on by default who really don't
> want it that way than there are who expected it to be that way and
> desire it to so be.

And the people who use this probably believe that YOU should be the one
who has to deliberately turn this option off.  I would venture to guess that
90% of all statistics are made up on the spot, including this one and the
two you specified above.

> > The reason why it is set that way in the
> > sample configuration is to make it easy for new users to get to that
> > magic moment when Asterisk first responds to their call (in essence, to
> > get the user "hooked").
>
> This is a poor excuse for a poor default security setting.

It's not a security setting; it's a functionality setting.  You see it behind
rose-tinted spectacles because in your specific case, you don't have a
use for it.  That's fine, but please do not extrapolate from your limited
use cases what the global settings should be.

> >> It seems to me that this default is the reason behind the
> >> doc/security.txt bias against using the "default" context for toll
> >> calls.
> >
> > Correct, you should be using something like "internal" instead.
>
> And yet this point is not even made clear in the doc/security.txt file.
> It says to not use "default" for anything you don't want to get abused,
> but it doesn't say *why*.  So I can envision, then, someone reading the
> document and then changing context=internal in the [general] section of
> sip.conf... and thinking that they responded correctly to what the
> document said.

You've just made a case for enhancing the documentation, not for changing
the defaults.  If you contribute documentation changes to this effect on the
issue tracker, I would be more than happy to commit them.

-- 
Tilghman Lesher
Digium, Inc. | Senior Software Developer
twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
Check us out at: www.digium.com & www.asterisk.org
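
Added example (not part of the original message, and not Asterisk project code): a small audit of the behavior discussed in this thread. It reads sip.conf and extensions.conf text and lists the dialplan entries an unauthenticated SIP caller lands on when allowguest is left unset. The function names, the set of values treated as "off", the fallback context name "default" and the sample files are all assumptions made for this sketch.

```python
import re

FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}  # assumption: values read as "off"

def parse_sections(text):
    """Minimal Asterisk-style config reader: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)          # handles both '=' and '=>'
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def guest_exposure(sip_conf, extensions_conf):
    """Report which dialplan entries an unauthenticated SIP caller can reach."""
    general = dict(parse_sections(sip_conf).get("general", []))
    # As the thread states, a missing allowguest line means guests are allowed.
    allowed = general.get("allowguest", "yes").lower() not in FALSE_VALUES
    context = general.get("context", "default")      # assumption: fallback name
    reachable, seen, todo = [], set(), ([context] if allowed else [])
    dialplan = parse_sections(extensions_conf)
    while todo:                                      # follow 'include =>' chains
        ctx = todo.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        for key, value in dialplan.get(ctx, []):
            if key == "include":
                todo.append(value)
            elif key == "exten":
                reachable.append((ctx, value))
    return {"allowguest": allowed, "context": context, "reachable": reachable}

# Constructed sample files (not taken from any system in the thread).
SIP_CONF = "[general]\ncontext=default   ; no allowguest line at all\n"
EXTENSIONS_CONF = """
[default]
include => lobby
[lobby]
exten => 6123,1,Dial(Zap/1)
[internal]
exten => _9.,1,Dial(Zap/g1/${EXTEN:1})
"""

if __name__ == "__main__":
    print(guest_exposure(SIP_CONF, EXTENSIONS_CONF))
```

With the sample files, the 6123 entry is reported as guest-reachable through the include chain, while the [internal] outbound pattern is not; adding allowguest=no to [general] empties the list.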


