[asterisk-users] allowguest defaults to yes for SIP

Lee Howard faxguy at howardsilvan.com
Thu Nov 12 09:53:17 CST 2009


Tilghman Lesher wrote:
> On Thursday 12 November 2009 07:47:34 Lee Howard wrote:
>   
>> In your sip.conf file allowguest defaults to yes.  This means that
>> anyone that can reach the SIP ports on that system has access to make
>> unauthenticated calls, by default.  The administrator actually has to go
>> in and turn it off to prevent unauthenticated SIP calls (in whatever
>> context [general] points at).
>>     
>
> Actually, they only have access to your default context.  Whether you make
> available outgoing calls in your default context is your choice.  By default,
> there is no capability of making outgoing calls from your default context.
>   

Well, yes, the default configuration is useless.  But, let's say I 
follow doc/security.txt exactly and have this:

[default]
exten => 6123,Dial(Zap/1)

... therefore, by default, an unauthenticated user from anywhere can 
call the extension Zap/1.  It's not my point whether or not this poses a 
financial risk.  My point is that this is an insecure default behavior 
to have allowguest=yes.


>> Does anyone else agree with me that this is a poor default?  I'd like to
>> see the default setting changed.
>>     
>
> The purpose of the allowguest option is to allow persons to call into your
> system from a zero-knowledge position.  This allows you to publish a general
> SIP address as a point of contact.

These people should need to deliberately use allowguest=yes.  I would 
venture to guess that these people already know who they are and 
deliberately have this set.  I would venture to guess that there are 
far, far more people who have it turned on by default who really don't 
want it that way than there are who expected it to be that way and 
desire it to so be.

> The reason why it is set that way in the
> sample configuration is to make it easy for new users to get to that magic
> moment when Asterisk first responds to their call (in essence, to get the user
> "hooked").
>   

This is a poor excuse for a poor default security setting.

>> It seems to me that this default is the reason behind the
>> doc/security.txt bias against using the "default" context for toll calls.
>>     
>
> Correct, you should be using something like "internal" instead.

And yet this point is not even made clear in the doc/security.txt file.  
It says to not use "default" for anything you don't want to get abused, 
but it doesn't say *why*.  So I can envision, then, someone reading the 
document and then changing context=internal in the [general] section of 
sip.conf... and thinking that they responded correctly to what the 
document said.

If this default is to persist then I think that it behooves the 
developers to at least make this exposure clear to the users.  
Therefore, in the [general] section of sip.conf the context should 
not be set to "default", but rather to "unauthorized" or "public" or 
"open" or "free" or something that makes it clear that this is where 
unauthenticated SIP calls go.

Thanks,

Lee.
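
An added example, not part of the original message or of Asterisk: a Python check that reads sip.conf and extensions.conf text and lists the extensions an unauthenticated SIP caller can reach, treating a missing allowguest as yes as described in the thread. The function names are hypothetical, the sample configs are constructed (apart from the [default] line quoted above), and the fallback guest context of "default" when [general] sets none is an assumption.

```python
import re
FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}

def parse_sections(text):
    """Parse Asterisk-style config text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # handles both '=' and '=>'
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def reachable_extens(dialplan, context, seen=None):
    """Collect exten lines in a context, following include => lines once each."""
    seen = set() if seen is None else seen
    if context in seen:
        return []
    seen.add(context)
    found = []
    for key, value in dialplan.get(context, []):
        if key == "exten":
            found.append((context, value))
        elif key == "include":
            found += reachable_extens(dialplan, value.split(",")[0].strip(), seen)
    return found

def audit_guest_access(sip_conf, extensions_conf):
    general = dict(parse_sections(sip_conf).get("general", []))
    # Missing allowguest counts as yes (per the thread); conservatively, only an
    # explicit "no"-style value is treated as disabling guest calls.
    allowguest = general.get("allowguest", "yes").lower() not in FALSE_VALUES
    context = general.get("context", "default")  # assumed fallback name
    exposed = reachable_extens(parse_sections(extensions_conf), context) if allowguest else []
    return {"allowguest": allowguest, "guest_context": context, "exposed": exposed}

# Constructed sample input; the [default] line is the one quoted in the message.
DIALPLAN = """
[default]
exten => 6123,Dial(Zap/1)
[internal]
exten => _9.,1,Dial(Zap/g1/${EXTEN:1})   ; constructed toll route
"""
SIP_UNSET = "[general]\ncontext=default\n"
SIP_RENAMED = "[general]\ncontext=internal\n"
SIP_NO_GUEST = "[general]\ncontext=default\nallowguest=no\n"
```

Calling audit_guest_access(SIP_RENAMED, DIALPLAN) shows the misreading raised in the message: setting context=internal in [general] sends guest calls to the toll route instead of protecting it.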
