[Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
Brian West
brian at bkw.org
Fri Dec 3 18:02:59 MST 2004
It's known that YOU DO this:

In sip.conf you do:

[general]
context=from-sip

extensions.conf:

[from-sip]
exten => s,1,Congestion

This is a config issue. Not really a security issue.

bkw
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Andy Reinke
> Sent: Friday, December 03, 2004 6:48 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Cc: support at voiceeclipse.com; asterisk-dev at lists.digium.com
> Subject: [Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip
> context in general section ignored goes to default instead -
> allowing unauthorized sip devices to place calls in default context
>
> SIP SECURITY WARNING
>
> Version: v1-0 (cvs today)
>
> Problem: sip context in general section ignored - goes to default -
> allowing unauthorized sip devices to place calls in default context
>
> Fix [workaround]:
>
> Remove or rename "default" context in extensions.conf
>
> Notes:
>
> I am not sure what other asterisk functionality may be affected by this -
> review your other config files for references to the "default" context.
> Test your configurations to ensure calls are landing in the correct
> context. I suggest removing "default" and creating others like
> sip-default which include demo, and then testing from a sip channel to
> make sure you still hit the demo from a registered device but not from
> unregistered devices. Repeat for other channels as necessary.
>
>
>
> Detail:
>
> I have been working with asterisk for a while now but had never
> tested/noticed this scenario - I had always created device entries in
> sip.conf for any devices I tested, so I never ran into this. Today on a
> new config the phone came up before I had put anything in sip.conf and I
> thought - let's see what happens if we try to call someone - and it WORKED,
> which was the least expected behavior.
>
> I am using a Cisco 7960 with SIP firmware v6.3 (doesn't really matter, any
> sip phone will do this) with a bare asterisk build and setup of v1-0
> (pulled from cvs today) on FC3 minimal + asterisk requirements + up2date
> and the configs (sip, extensions) below.
>
> Without placing any peer, friend or user entries in sip.conf for the phone
> device/extension, I am able to make calls through the "default" context.
> In the example below, dialing "500" from a sip phone will execute the
> inter-asterisk connection test (IAX) to Digium even though the context
> defined in the general section of sip.conf is "sip-unauthorized", which
> should play congestion and hang up (as was suggested in "Getting started
> with asterisk").
>
> Removing or renaming the "default" context in extensions.conf appears to
> resolve this issue - congestion is played. However, adding a real
> extension such as 900 and mapping it to something like voicemail shows
> that the context sip-unauthorized is not being used. The following
> error is logged on the console (verbose = 7), which hints at this as well
> and explains why congestion was played: instead of looking for
> sip-unauthorized as expected, it looked for the missing default and then
> played congestion when default was not found.
>
> Dec 3 20:26:42 NOTICE[15447]: pbx.c:1318 pbx_extension_helper: Cannot
> find extension context 'default'
>
>
>
>
>
>
>
> Sip.conf
>
> [general]
> contex=sip-unauthorized
> port=5060
> bindaddr=0.0.0.0
> localnet=172.16.0.0/255.255.255.0
>
> <eof>
>
>
>
> Extensions.conf
>
> [general]
> static=yes
> writeprotect=no
>
> [globals]
> ;CONSOLE=Console/dsp            ; Console interface for demo
> IAXINFO=guest                   ; IAXtel username/password
> ;TRUNK=Zap/g2                   ; Trunk interface
> ;TRUNKMSD=1                     ; MSD digits to strip (usually 1 or 0)
>
> [macro-stdexten]
> ;
> ; Standard extension macro:
> ;   ${ARG1} - Extension (we could have used ${MACRO_EXTEN} here as well)
> ;   ${ARG2} - Device(s) to ring
> ;
> exten => s,1,Dial(${ARG2},20)                ; Ring the interface, 20 seconds maximum
> exten => s,2,Goto(s-${DIALSTATUS},1)         ; Jump based on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)
>
> exten => s-NOANSWER,1,Voicemail(u${ARG1})    ; If unavailable, send to voicemail w/ unavail announce
> exten => s-NOANSWER,2,Goto(default,s,1)      ; If they press #, return to start
>
> exten => s-BUSY,1,Voicemail(b${ARG1})        ; If busy, send to voicemail w/ busy announce
> exten => s-BUSY,2,Goto(default,s,1)          ; If they press #, return to start
>
> exten => _s-.,1,Goto(s-NOANSWER,1)           ; Treat anything else as no answer
>
> exten => a,1,VoicemailMain(${ARG1})          ; If they press *, send the user into VoicemailMain
>
> [default]
> exten => 500,1,Playback(demo-abouttotry)     ; Let them know what's going on
> exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default) ; Call the Asterisk demo
> exten => 500,3,Playback(demo-nogo)           ; Couldn't connect to the demo site
> exten => 500,4,Goto(s,6)                     ; Return to the start over message.
>
> [sip-unauthorized]
> ;An important point here, if you do not have a sip aware
> ;firewall and are just using port forwarding then ensure
> ;that your context points to somewhere like invalidcalls.
> ;If you do not do this then someone could call one of your
> ;extensions direct from the Internet. If you had an FXO card
> ;in the machine, this could lead to them being able to make PSTN calls!!
> ;[from http://www.automated.it/guidetoasterisk.htm#_Toc49248767]
>
> exten => s,1,Answer
> exten => s,2,Playtones(congestion)
> exten => s,3,Congestion
>
> exten => 900,1,VoicemailMain
> exten => 900,2,Hangup
>
> <eof>
>
>
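An added example, not part of either message above and not Asterisk's own code: a small Python audit of a sip.conf / extensions.conf pair that answers the question the thread circles around, namely which dialplan context a SIP device with no peer/friend/user entry actually lands in, and what it can dial once there. It parses both files the way Asterisk reads them (`[section]`, `key=value`, `key => value`, `;` comments), flags [general] options that are near-misses of known names (the quoted sip.conf spells the option `contex=`, which Asterisk does not recognise, so the configured context never takes effect), reports the effective unauthenticated context, and lists every extension other than the special s/i/t/h names dialable from it. It goes one step past the thread: run against the quoted extensions.conf with the spelling fixed, it still flags `900` in `[sip-unauthorized]` as reachable by unauthenticated callers. Assumptions, labelled in the code: chan_sip's compiled-in fallback context is `default`; the list of known options is deliberately short; the three sip.conf variants and the extensions.conf are constructed from the thread's configs.

```python
"""Audit a sip.conf / extensions.conf pair for the unauthenticated-SIP
problem discussed in the thread: which context do callers with no
sip.conf entry land in, and what can they dial there?

Added example; not code from the thread or from Asterisk.  Assumptions:
chan_sip falls back to the context "default" when [general] has no valid
"context=" line, and a context whose only extensions are the special
names s/i/t/h is treated as a pure rejection context.
"""
import difflib
import re

# Deliberately partial list of sip.conf [general] options (those used by
# the thread's configs); only used to spot near-miss misspellings.
KNOWN_GENERAL_OPTIONS = {"context", "port", "bindaddr", "localnet"}
SPECIAL_EXTENS = {"s", "i", "t", "h"}   # not dialable by a caller
FALLBACK_CONTEXT = "default"            # assumed chan_sip default

# Constructed samples modelled on the thread.  WEAK keeps the misspelled
# key "contex=" exactly as posted; FIXED corrects only that spelling.
WEAK_SIP_CONF = """
[general]
contex=sip-unauthorized
port=5060
bindaddr=0.0.0.0
localnet=172.16.0.0/255.255.255.0
"""
FIXED_SIP_CONF = WEAK_SIP_CONF.replace("contex=", "context=")
REJECT_ONLY_SIP_CONF = "[general]\ncontext=from-sip\nport=5060\nbindaddr=0.0.0.0\n"

EXTENSIONS_CONF = """
[default]
exten => 500,1,Playback(demo-abouttotry)     ; Let them know what's going on
exten => 500,2,Dial(IAX2/guest@misery.digium.com/s@default)
exten => 500,3,Playback(demo-nogo)

[sip-unauthorized]
exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion
exten => 900,1,VoicemailMain                 ; reachable without any auth
exten => 900,2,Hangup

[from-sip]
exten => s,1,Congestion
"""


def parse_asterisk_conf(text):
    """Parse Asterisk's INI-like syntax into {section: [(key, value), ...]}.
    Handles [section] headers, key=value, key => value and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:                      # junk before first section
            continue
        key, sep, value = line.partition("=>")
        if not sep:
            key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def effective_sip_context(sip):
    """Return (context unauthenticated SIP calls use, [(bad_key, meant)])."""
    context, suspicious = None, []
    for key, value in sip.get("general", []):
        k = key.lower()
        if k == "context":
            context = value
        elif k not in KNOWN_GENERAL_OPTIONS:
            close = difflib.get_close_matches(k, KNOWN_GENERAL_OPTIONS, n=1, cutoff=0.8)
            if close:
                suspicious.append((key, close[0]))
    return context or FALLBACK_CONTEXT, suspicious


def dialable_extensions(ext, context):
    """Extension names a caller can dial in `context`, excluding s/i/t/h."""
    names = set()
    for key, value in ext.get(context, []):
        if key.lower() == "exten":
            name = value.split(",", 1)[0].strip()
            if name not in SPECIAL_EXTENS:
                names.add(name)
    return sorted(names)


def audit(sip_text, ext_text):
    """Return (effective_context, [finding, ...]); an empty list is a pass."""
    sip, ext = parse_asterisk_conf(sip_text), parse_asterisk_conf(ext_text)
    context, suspicious = effective_sip_context(sip)
    findings = [f"sip.conf [general]: unknown option '{k}' (did you mean '{m}'?)"
                for k, m in suspicious]
    if context not in ext:
        findings.append(f"unauthenticated SIP context '{context}' is not defined in extensions.conf")
    else:
        exts = dialable_extensions(ext, context)
        if exts:
            findings.append(f"unauthenticated SIP context '{context}' exposes dialable extensions: "
                            + ", ".join(exts))
    return context, findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("fixed", FIXED_SIP_CONF),
                        ("reject-only", REJECT_ONLY_SIP_CONF)):
        ctx, findings = audit(conf, EXTENSIONS_CONF)
        print(f"{label}: unauthenticated SIP -> [{ctx}]")
        for f in findings or ["ok"]:
            print("  ", f)
```

Run stand-alone it prints one block per variant: the posted config falls through to `[default]` with `500` reachable, the spelling-corrected config lands in `[sip-unauthorized]` but still exposes `900`, and the reject-only `[from-sip]` context from the reply passes. Deleting `[default]` from extensions.conf while leaving the typo in place produces the "not defined" finding, which is the same condition the quoted `pbx_extension_helper: Cannot find extension context 'default'` notice reports.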