[Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
John Fraizer
tvo at enterzone.net
Tue Apr 27 23:51:51 MST 2004
William Zhang wrote:
> I had tried many ways with some advanced user help, but without
> success (at one point I thought I had it working).
>
> Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> file, there are a lot of entries with just "host=a.b.c.d", thinking
> that * will only accept calls from host "a.b.c.d", but in my test, no
> matter how you set up the sip.conf entries, either * will NOT accept
> calls for that user account at all, or it will accept calls from
> anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> so long as the sip userid is the username in sip.conf. This poses a very
> serious security problem.
>
> Of course we can put "secret=" for each entry, but given Asterisk GW
> and SIP proxy are in 2 TRUSTED IPs, no Authentication is necessary,
> otherwise it increases the SIP traffic quite a bit.
Um, how is it that you consider this a security flaw? By omitting
secret=, you are telling Asterisk to not authenticate the call.
John
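
A way to audit a sip.conf for the situation discussed above, as an added example that is not part of the original thread or of Asterisk itself: it lists entries that set host= but carry no secret= (or md5secret=), and notes whether a permit=/deny= source ACL is present. The sample file, section names and addresses are constructed; the parser is simplified and does not handle escaped semicolons or #include.

```python
import re

# Constructed sample in sip.conf style; names and addresses are placeholders.
SAMPLE_SIP_CONF = """\
[general]
bindport=5060
[proxy-a]          ; only host=, as in the original post
type=friend
host=192.0.2.10
[proxy-b]
type=friend
host=192.0.2.11
secret=constructed-example-secret
[proxy-c]          ; no secret, but a source ACL
type=friend
host=192.0.2.12
deny=0.0.0.0/0.0.0.0
permit=192.0.2.12/255.255.255.255
"""

def parse_sections(text):
    """Return {section: {key: [values]}} for an Asterisk-style config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\](?:\s*\(.*\))?", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)      # accepts 'k=v' and 'k => v'
            current.setdefault(key.strip().lower(), []).append(
                value.lstrip(">").strip())
    return sections

def audit(text):
    """List (section, status) for entries with host= but no usable secret."""
    findings = []
    for name, opts in parse_sections(text).items():
        if name == "general" or "host" not in opts:
            continue
        secrets = opts.get("secret", []) + opts.get("md5secret", [])
        if any(secrets):                         # empty 'secret=' does not count
            continue
        has_acl = "permit" in opts and "deny" in opts
        findings.append((name, "acl-only" if has_acl else "unauthenticated"))
    return findings

if __name__ == "__main__":
    for section, status in audit(SAMPLE_SIP_CONF):
        print(f"[{section}] {status}")
```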