[Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.

James H. Thompson jht at lj.net
Wed Apr 28 01:12:03 MST 2004


I think the problem is that using permit= alone does nothing.
You need to combine it with a deny=  as in:

deny=0.0.0.0/0.0.0.0          ; deny all
permit=123.123.123.123  ; allow only this address - netmask defaults to: /255.255.255.255

Order matters: the deny needs to come first.

For reference, here is the code from acl.c that checks the rules:

#include <netinet/in.h>
/* declarations from acl.h / acl.c, so the snippet compiles on its own */
#define AST_SENSE_DENY  0
#define AST_SENSE_ALLOW 1

struct ast_ha {
    struct in_addr netaddr;   /* network address of the rule */
    struct in_addr netmask;   /* mask applied before comparing */
    int sense;                /* AST_SENSE_ALLOW for permit=, AST_SENSE_DENY for deny= */
    struct ast_ha *next;      /* rules are kept in config order */
};

int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
{
    /* Start optimistic */
    int res = AST_SENSE_ALLOW;
    while(ha) {
        /* For each rule, if this address and the netmask = the net address
           apply the current rule; a later match overrides an earlier one */
        if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == (ha->netaddr.s_addr))
            res = ha->sense;
        ha = ha->next;
    }
    return res;
}


Jim

James H. Thompson
jht at lava.net
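
The ordering rule above follows directly from the loop in ast_apply_ha(): every matching rule overwrites res, so the last match decides, and a lone permit= never changes the optimistic starting verdict. What follows is an added example (my own code, not Asterisk's and not part of this thread) that models the three sip.conf variants discussed here, a lone permit=, permit= followed by deny=, and deny= followed by permit=, with a small parser for the a.b.c.d[/m.m.m.m] syntax and an evaluation loop that mirrors ast_apply_ha(). The type and function names (rule, append_rule, apply_rules, verdict_for) are mine, and the outsider address 198.51.100.7 is constructed for the demonstration.

```c
/* Added example, not Asterisk's own code: a stand-alone model of how sip.conf
 * permit=/deny= lines become an ordered rule list that is judged the way
 * ast_apply_ha() does: start ALLOW, every match overwrites, last match wins. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#define SENSE_DENY  0
#define SENSE_ALLOW 1

struct rule {
    struct in_addr netaddr;   /* network address, stored already masked */
    struct in_addr netmask;   /* mask applied to the source address */
    int sense;                /* SENSE_ALLOW (permit=) or SENSE_DENY (deny=) */
    struct rule *next;
};

/* Parse "a.b.c.d" or "a.b.c.d/m.m.m.m" (no mask = single host, i.e.
 * /255.255.255.255) and append the rule at the END of the list so config
 * order is preserved. Returns the new head, or NULL if the spec is invalid. */
struct rule *append_rule(struct rule *head, int sense, const char *spec)
{
    char buf[40], *slash;
    struct rule *r, *p;
    if (strlen(spec) >= sizeof buf || !(r = calloc(1, sizeof *r)))
        return NULL;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')))
        *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &r->netaddr) != 1 ||
        (slash && inet_pton(AF_INET, slash, &r->netmask) != 1)) {
        free(r);
        return NULL;
    }
    if (!slash)
        r->netmask.s_addr = htonl(0xFFFFFFFFu);
    r->netaddr.s_addr &= r->netmask.s_addr;
    r->sense = sense;
    if (!head)
        return r;
    for (p = head; p->next; p = p->next)
        ;
    p->next = r;
    return head;
}

/* Same decision procedure as ast_apply_ha(): optimistic start, last matching
 * rule wins. Returns -1 if src_ip is not a dotted-quad address. */
int apply_rules(const struct rule *head, const char *src_ip)
{
    struct in_addr src;
    int res = SENSE_ALLOW;
    if (inet_pton(AF_INET, src_ip, &src) != 1)
        return -1;
    for (; head; head = head->next)
        if ((src.s_addr & head->netmask.s_addr) == head->netaddr.s_addr)
            res = head->sense;
    return res;
}

void free_rules(struct rule *head)
{
    while (head) {
        struct rule *next = head->next;
        free(head);
        head = next;
    }
}

/* Judge src_ip against one of the three configurations from the thread
 * (212.213.65.66 is the trusted proxy address in the original post):
 *   0: permit=212.213.65.66 alone
 *   1: permit=212.213.65.66, then deny=0.0.0.0/0.0.0.0   (wrong order)
 *   2: deny=0.0.0.0/0.0.0.0, then permit=212.213.65.66   (right order) */
int verdict_for(int variant, const char *src_ip)
{
    struct rule *head = NULL;
    int res;
    if (variant < 0 || variant > 2)
        return -1;
    if (variant == 2)
        head = append_rule(head, SENSE_DENY, "0.0.0.0/0.0.0.0");
    head = append_rule(head, SENSE_ALLOW, "212.213.65.66");
    if (variant == 1)
        head = append_rule(head, SENSE_DENY, "0.0.0.0/0.0.0.0");
    res = apply_rules(head, src_ip);
    free_rules(head);
    return res;
}

int main(void)
{
    const char *ips[] = { "212.213.65.66", "198.51.100.7" }; /* proxy, outsider (constructed) */
    for (int v = 0; v < 3; v++)
        for (int i = 0; i < 2; i++)
            printf("variant %d  %-14s -> %s\n", v, ips[i],
                   verdict_for(v, ips[i]) == SENSE_ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```

Running it reproduces both symptoms from the original post: variant 0 lets the outsider through (permit= alone changes nothing, since no rule ever sets DENY), variant 1 rejects even the trusted proxy (the deny-all matches last and overrides the permit), and only variant 2 admits 212.213.65.66 while rejecting everything else.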

----- Original Message ----- 
From: "William Zhang" <w_w_zhang at yahoo.com>
To: <asterisk-users at lists.digium.com>
Sent: Tuesday, April 27, 2004 2:43 PM
Subject: [Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.


> I had tried many ways with some advanced user help, but without
> success (at one point I thought I had it working).
> 
> Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> file, there are a lot of entries with just "host=a.b.c.d", thinking
> that * will only accept calls from host "a.b.c.d", but in my test, no
> matter how you set up the sip.conf entries, either * will NOT accept
> calls for that user account at all, or it will accept calls from
> anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> so long as the SIP userid is the username in sip.conf. This poses a very
> serious security problem.
> 
> Of course we can put "secret=" for each entry, but given that the Asterisk GW
> and SIP proxy are on 2 TRUSTED IPs, no authentication is necessary;
> otherwise it increases the SIP traffic quite a bit.
> 
> Following are the 4 different entries that I had tried:
> #Notice that in the "general" section, context is pointed to a
> non-existent context "INVALID".
> 
> ;
> ; SIP Configuration for Asterisk
> ;
> [general]
> port = 5060                     ; Port to bind to
> bindaddr = 212.213.66.68
> context = INVALID               ;
> ;srvlookup = yes                ; Enable SRV lookups on outbound calls
> ;pedantic = yes                 ; Enable slow, pedantic checking for Pingtel
> ;tos=lowdelay
> ;tos=184
> ;maxexpirey=3600                ; Max length of incoming registration we allow
> ;defaultexpirey=120             ; Default length of incoming/outgoing registration
> ;notifymimetype=text/plain      ; Allow overriding of mime type in NOTIFY
> ;videosupport=yes               ; Turn on support for SIP video
> disallow=all                    ; Disallow all codecs
> allow=ulaw                      ; Allow codecs in order of preference
> allow=g729
> allow=ilbc
> ;
> ;dtmfmode=info
> ;dtmfmode=inband
> dtmfmode=rfc2833
> 
> 
> 
> [20034]
> type=friend
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
> 
> [20035]
> type=peers
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
> 
> [20036]
> type=friend
> context=default
> callerid=TEST <61331045>
> host=212.213.65.66
> permit=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
> 
> [20037]
> type=peers
> context=default
> callerid=TEST <61331045>
> permit=212.213.65.66
> nat=yes                        ; This phone may be natted
> canreinvite=no
> 
> Thank you in advance.
> 
> 
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
> 
> 


