[Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.

Kelvin Chua kchua at up.edu.ph
Tue May 4 03:14:28 MST 2004


Uhm, strange, but does this work on your setup? Even with permit and
deny, if a user is not matched in the conf, it is allowed access to the
default context stated in the conf.

On Wed, 2004-04-28 at 16:12, James H. Thompson wrote:
> I think the problem is that using permit= alone does nothing.
> You need to combine it with a deny=  as in:
> 
> deny=0.0.0.0/0.0.0.0          ; deny all
> permit=123.123.123.123  ; allow only this address - netmask defaults to: /255.255.255.255
> 
> Order matters: the deny needs to come first.
> 
> For reference, here is the code from acl.c that checks the rules:
> 
> int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
> {
>     /* Start optimistic */
>     int res = AST_SENSE_ALLOW;
>     while(ha) {
>         /* For each rule, if this address and the netmask = the net address
>            apply the current rule */
>         if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == (ha->netaddr.s_addr))
>             res = ha->sense;
>         ha = ha->next;
>     }
>     return res;
> }
> 
> 
> Jim
> 
> James H. Thompson
> jht at lava.net
> 
> ----- Original Message ----- 
> From: "William Zhang" <w_w_zhang at yahoo.com>
> To: <asterisk-users at lists.digium.com>
> Sent: Tuesday, April 27, 2004 2:43 PM
> Subject: [Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
> 
> 
> > I had tried many ways with some advanced user help, but without
> > success (at one point I thought I had it working).
> > 
> > Here Asterisk is working as a SIP PSTN gateway, and in the sip.conf
> > file there are a lot of entries with just "host=a.b.c.d", thinking
> > that * will only accept calls from host "a.b.c.d", but in my test, no
> > matter how you set up the sip.conf entries, either * will NOT accept
> > calls for that user account at all, or it will accept calls from
> > anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> > so long as the SIP userid is the username in sip.conf. This poses a very
> > serious security problem.
> > 
> > Of course we can put "secret=" for each entry, but given that the Asterisk GW
> > and SIP proxy are on 2 TRUSTED IPs, no authentication is necessary;
> > otherwise it increases the SIP traffic quite a bit.
> > 
> > Following are the 4 different entries that I had tried:
> > #Notice that in the "general" section, context is pointed to a
> > non-existent context "INVALID".
> > 
> > ;
> > ; SIP Configuration for Asterisk
> > ;
> > [general]
> > port = 5060                     ; Port to bind to
> > bindaddr = 212.213.66.68
> > context = INVALID               ;
> > ;srvlookup = yes                ; Enable SRV lookups on outbound calls
> > ;pedantic = yes                 ; Enable slow, pedantic checking for Pingtel
> > ;tos=lowdelay
> > ;tos=184
> > ;maxexpirey=3600                ; Max length of incoming registration we allow
> > ;defaultexpirey=120             ; Default length of incoming/outgoing registration
> > ;notifymimetype=text/plain      ; Allow overriding of mime type in NOTIFY
> > ;videosupport=yes               ; Turn on support for SIP video
> > disallow=all                    ; Disallow all codecs
> > allow=ulaw                      ; Allow codecs in order of preference
> > allow=g729
> > allow=ilbc
> > ;
> > ;dtmfmode=info
> > ;dtmfmode=inband
> > dtmfmode=rfc2833
> > 
> > 
> > 
> > [20034]
> > type=friend
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > nat=yes                        ; This phone may be natted
> > canreinvite=no
> > 
> > [20035]
> > type=peers
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > nat=yes                        ; This phone may be natted
> > canreinvite=no
> > 
> > [20036]
> > type=friend
> > context=default
> > callerid=TEST <61331045>
> > host=212.213.65.66
> > permit=212.213.65.66
> > nat=yes                        ; This phone may be natted
> > canreinvite=no
> > 
> > [20037]
> > type=peers
> > context=default
> > callerid=TEST <61331045>
> > permit=212.213.65.66
> > nat=yes                        ; This phone may be natted
> > canreinvite=no
> > 
> > Thank you in advance.
> > 
> > 
> > _______________________________________________
> > Asterisk-Users mailing list
> > Asterisk-Users at lists.digium.com
> > http://lists.digium.com/mailman/listinfo/asterisk-users
> > To UNSUBSCRIBE or update options visit:
> >    http://lists.digium.com/mailman/listinfo/asterisk-users
> > 
> > 
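As an added example, not code from this thread or from Asterisk itself: a small C program that re-implements the rule walk of the quoted ast_apply_ha() and evaluates the three rule orderings the thread discusses (permit alone, deny-all then permit, permit then deny-all) for a given source address. It lets an administrator check what verdict a sip.conf permit/deny chain actually produces before relying on it. The struct and function names, the SENSE_* values, the /32 default mask, and the address 198.51.100.7 (standing in for any unknown caller) are assumptions made here; 212.213.65.66 is the trusted proxy from the original sip.conf.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two verdicts, mirroring AST_SENSE_DENY / AST_SENSE_ALLOW in the quoted
 * acl.c (the numeric values here are an assumption). */
#define SENSE_DENY  0
#define SENSE_ALLOW 1

/* Stand-in for struct ast_ha: one permit/deny rule in a linked chain. */
struct ha {
    uint32_t netaddr;   /* network part, network byte order, pre-masked */
    uint32_t netmask;   /* mask, network byte order */
    int sense;          /* SENSE_DENY or SENSE_ALLOW */
    struct ha *next;
};

/* Append a rule written as "a.b.c.d" or "a.b.c.d/m.m.m.m". A missing mask
 * defaults to 255.255.255.255 (one host), as the reply above states.
 * Returns the chain head; a malformed spec leaves the chain unchanged. */
static struct ha *ha_append(struct ha *head, int sense, const char *spec)
{
    char buf[48];
    const char *mask = "255.255.255.255";
    struct in_addr a, m;
    struct ha *rule, *tail;

    strncpy(buf, spec, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *slash = strchr(buf, '/');
    if (slash) { *slash = '\0'; mask = slash + 1; }
    if (inet_pton(AF_INET, buf, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return head;
    rule = calloc(1, sizeof *rule);
    if (!rule)
        return head;
    rule->netaddr = a.s_addr & m.s_addr;   /* mask the net address once here */
    rule->netmask = m.s_addr;
    rule->sense = sense;
    if (!head)
        return rule;
    for (tail = head; tail->next; tail = tail->next)
        ;
    tail->next = rule;
    return head;
}

/* Same walk as the quoted ast_apply_ha(): start optimistic (ALLOW) and let
 * every rule that covers the address overwrite the verdict. The last
 * matching rule decides, and an address matching no rule stays ALLOWED,
 * which is why a lone permit= line does not restrict anything. */
static int apply_ha(const struct ha *ha, const char *ip)
{
    struct in_addr a;
    int res = SENSE_ALLOW;

    if (inet_pton(AF_INET, ip, &a) != 1)
        return SENSE_DENY;   /* unparsable address: fail closed */
    for (; ha; ha = ha->next)
        if ((a.s_addr & ha->netmask) == ha->netaddr)
            res = ha->sense;
    return res;
}

static void ha_free(struct ha *ha)
{
    while (ha) { struct ha *n = ha->next; free(ha); ha = n; }
}

/* Build one of the three chains from the thread and evaluate it. */
static int verdict(int deny_first, int deny_last, const char *ip)
{
    struct ha *h = NULL;
    if (deny_first) h = ha_append(h, SENSE_DENY, "0.0.0.0/0.0.0.0");
    h = ha_append(h, SENSE_ALLOW, "212.213.65.66");
    if (deny_last)  h = ha_append(h, SENSE_DENY, "0.0.0.0/0.0.0.0");
    int r = apply_ha(h, ip);
    ha_free(h);
    return r;
}

int verdict_permit_only(const char *ip)      { return verdict(0, 0, ip); }
int verdict_deny_then_permit(const char *ip) { return verdict(1, 0, ip); }
int verdict_permit_then_deny(const char *ip) { return verdict(0, 1, ip); }

int main(void)
{
    /* 198.51.100.7 is a constructed "unknown caller" address. */
    const char *ips[] = { "212.213.65.66", "198.51.100.7" };
    for (int i = 0; i < 2; i++)
        printf("%-15s permit-only=%d deny-then-permit=%d permit-then-deny=%d\n",
               ips[i], verdict_permit_only(ips[i]),
               verdict_deny_then_permit(ips[i]),
               verdict_permit_then_deny(ips[i]));
    return 0;
}
```

Running it shows the point of the reply above: with permit= alone both addresses come back 1 (allowed); with deny-all first the trusted proxy is allowed and the unknown address is denied; with deny-all last even the proxy is denied, because the last matching rule wins.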