[Asterisk-Users] Asterisk security problem: authorized SIP users
can fake any callerid!
Tom Samplonius
tom.samplonius at gmail.com
Tue Mar 15 00:26:49 MST 2005
On Tue, 15 Mar 2005 02:03:54 +1100 (EST), Duane <duane at e164.org> wrote:
>
> On Mon, March 14, 2005 17:06, Andres said:
>
> > You might want to try the steps provided above yourself Peter. Because
> > even if we have a context that leads to never never land at the top of
> > sip.conf, I am still able to make free calls. A "sip debug" clearly
>
> Welcome to the wonderful world of stateless UDP connections...
No, the INVITE should be challenged, and forced to use MD5 digest.
Nothing to do with UDP vs. TCP. Not that Asterisk supports SIP over
TCP.
I think sip.conf has gotten far to convuluted in order easily build
a sane SIP implementation.
Not that SER is easy (requires understanding of the SIP RFC), but at
least you can configure MD5 digest auth on all invites easily, and it
is pretty clear in the config that you are doing things properly. And
SER supports SIP over TCP.
> --
> Best regards,
> Duane
Tom
More information about the asterisk-users
mailing list