[asterisk-users] Using type=friend a mistake?

Nick Khamis symack at gmail.com
Mon Mar 25 15:55:16 CDT 2013


Hello Everyone,

Just looking to secure our * box, and stumbled on the following:

"This advice may run counter to the majority of documentation, sample
files and examples shown on the voip-info.org site and on Asterisk
forums, but you’ll have to take my word for it – using “type=friend”
is a big mistake! It will make your Asterisk server much more
vulnerable because “type=friend” actually causes two objects to be
created – a SIP peer and a SIP user. This gives the potential hacker
two entrance doors into your PBX, one of which has comparatively weak
security. The problem is that a “user” is allowed to connect from any
remote IP address, not just the address specified in the host
parameter. Even if you want to allow connections from any address, it
is much better to use “host=dynamic” than to use “type=friend”.",
http://kb.smartvox.co.uk/asterisk/secure-asterisk-pbx-part-2/

Is this true? Before I update all my "type" to "peer", what are some
of the things we need to keep in mind when using friend vs. peer from
a security standpoint?

Thanks in Advance,

Nick.
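
Before changing every "type" in bulk, it helps to list which device entries actually end up with type=friend, including those that inherit it from a template, together with their host setting. The script below is an added example and not part of the original post; it assumes the usual sip.conf section and template syntax, and the sample configuration and function names are constructed for illustration.

```python
import re
# Constructed sample sip.conf for illustration (not from the original post).
SAMPLE_SIP_CONF = """\
[general]
[office-phones](!)     ; template: creates no device by itself
type=friend
host=dynamic
[1001](office-phones)
[1002](office-phones)
type=peer              ; overrides the inherited value
[fax]
type=friend
host=192.0.2.25
"""
HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse_sections(text):
    """Return {name: (is_template, parent_names, own_settings)}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        m = HEADER.match(line)
        if m:
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            current = ("!" in opts, [o for o in opts if o != "!"], {})
            sections[m.group(1)] = current
        elif current and "=" in line:
            key, value = line.split("=", 1)      # also accepts 'key => value'
            current[2][key.strip().lower()] = value.lstrip(">").strip()
    return sections

def effective(sections, name):
    """Merge inherited template settings first, then the section's own keys."""
    _, parents, own = sections[name]
    merged = {}
    for parent in parents:
        merged.update(effective(sections, parent) if parent in sections else {})
    return {**merged, **own}

def friend_entries(text):
    """(section, host) for every device entry whose effective type is friend."""
    sections = parse_sections(text)
    found = []
    for name, (is_template, _, _) in sections.items():
        cfg = effective(sections, name)
        if not is_template and name != "general" and cfg.get("type", "").lower() == "friend":
            found.append((name, cfg.get("host", "(unset)")))
    return found

print(friend_entries(SAMPLE_SIP_CONF))
```

Pass the contents of a real sip.conf to `friend_entries()` to get the list of entries to review; files pulled in with `#include` are not followed.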


