From: Larry Alkoff <[EMAIL PROTECTED]>
Date: Wed, 21 Feb 2007 20:00:52 -0600
...
"You should consider that if any channel, incoming line, etc can enter an extension context that it has the capability of accessing any extension within that context.

Therefore, you should NOT allow access to outgoing or toll services in contexts that are accessible (especially without a password) from incoming channels "

Doesn't that mean that
1. I have to have context=toll-access
in any phone that can make toll calls
2. There is no way to give access to all internal phones unless I violate voip-info's security directive above?

Not really. The voip-info warning is about "incoming channels". By definition they exclude any of your internal phones. The key is to use one context for your phones and a different one for your incoming line.

For example, suppose all your internal phones are SIP phones, and you use an FXO channel for incoming. Then your sip.conf would include "context=toll-access" with all devices, but the general section would have "context=incoming". Your zapata.conf would also include "context=incoming". Your extensions.conf may look like:

[globals]
; global variables must live in [globals]; [general] only holds dialplan settings and would leave ${sippy1} etc. empty
sippy1=SIP/phone1; living room
sippy2=SIP/phone2; kitchen
sippy3=SIP/phone3; bedroom
sippy4=SIP/phone4; laundry room

[incoming]
exten => s,1,NoOp(no dialing out allowed)
exten => s,n,Answer()
exten => s,n,Background(press-1-for-living-room&press-2-for-kitchen&...)
exten => s,n,Dial(${sippy1}&${sippy3},15); ring living room and bedroom first
exten => s,n,Dial(${sippy1}&${sippy3}&${sippy2}&${sippy4}); ring 'em all
exten => s,n,Hangup
exten => 1,1,Dial(${sippy1}); 1 is for living room
exten => 2,1,Dial(${sippy2}); 2 for kitchen
exten => 3,1,Dial(${sippy3}); 3 rings bedroom
exten => 4,1,Dial(${sippy4}); 4 rings laundry room
exten => 0,1,Dial(${sippy1}&${sippy3}&${sippy2}&${sippy4}); ring 'em all

[toll-access]
; allow toll access and internal calls
exten => _Z.,1,Dial(Zap/1/${EXTEN}); any 2+ digit number starting 1-9 goes to toll (Z excludes 0, so a 0-prefixed number such as 011... needs _X. or an extra _0. pattern)
exten => _[0-4],1,Goto(incoming,${EXTEN},1); internal "extensions"

Since I can give a password from sip.conf, is there an easy way to automatically give that password in calls made from my internal phones in such a way that external callers won't know the password even if they breach the system?

Once you separate the contexts, there is no need for an internal password.

How do people breach a system anyway?  I've heard about hitting an

For example, suppose that instead of separate contexts, your sip.conf has the general context and the device contexts all set to [default] (and zapata.conf has the FXO channel in the [default] context as well). Your [default] would look something like:

[default]
exten => s,1,Answer()
exten => s,n,Background(press-1-for-living-room&press-2-for-kitchen&...)
exten => s,n,Dial(${sippy1}&${sippy3},15); ring living room and bedroom first
exten => s,n,Dial(${sippy1}&${sippy3}&${sippy2}&${sippy4}); ring 'em all
exten => s,n,Hangup
exten => _Z.,1,Dial(Zap/1/${EXTEN}); any 2+ digit number starting 1-9 goes to toll (Z excludes 0; a 0-prefixed number needs _X. to match)
exten => 1,1,Dial(${sippy1}); 1 is for living room
exten => 2,1,Dial(${sippy2}); 2 for kitchen
exten => 3,1,Dial(${sippy3}); 3 rings bedroom
exten => 4,1,Dial(${sippy4}); 4 rings laundry room
exten => 0,1,Dial(${sippy1}&${sippy3}&${sippy2}&${sippy4}); ring 'em all

Now, some random SIP dialers on the net may land on your Asterisk SIP address. This will invoke extension s@default. If the caller dials 1 during your announcement after Asterisk answers, only the living room rings. But if the caller starts to dial 011315158005, Asterisk will transfer to that extension, which will be matched by _Z. and dial out from your FXO (Zap/1). Even if you don't have a lengthy announcement like the one illustrated above, there's still a possibility that Asterisk intercepts the toll number the caller dials between priorities in the s extension. Even if you don't use Answer at all, there's a possibility that Asterisk intercepts the toll number after you hang up but before the dialplan reaches the h priority. The fewer IVR functions you implement, the lower the risk. But there's always this possibility.

This is my understanding. More knowledgeable please correct me if I'm wrong.

Yuan Liu

'*' as soon as the connection is made but don't understand it.
Or much else apparently <g>.

Larry

--
Larry Alkoff N2LA - Austin TX
Using Thunderbird on Linux
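The context-separation rule discussed in this thread can be checked mechanically rather than by eye. The script below is an added example written for this page; it is not code from the thread, from Asterisk, or from voip-info. It parses an extensions.conf-style dialplan, follows `include =>` lines and context-changing `Goto`/`Gosub` calls, and reports every `Dial()` to a trunk that a channel entering a given context could reach. It also implements Asterisk's `_X`/`_Z`/`_N`/`[..]`/`.` pattern matching so you can see which label a dialed string lands on (this is why a `_Z.` pattern does not catch a 0-prefixed number such as 011...). The trunk prefixes (`Zap/`, `DAHDI/`), the simplified pattern precedence, and the three sample dialplans are assumptions constructed for the example, modelled on the [default] and [incoming]/[toll-access] layouts above.

```python
"""Static toll-reachability check for an Asterisk extensions.conf.

Added example for this thread, not code from the thread or from Asterisk.
Assumptions (hypothetical, not from the page): trunk channels start with
Zap/ or DAHDI/, and pattern precedence is simplified to 'exact label first,
then first matching pattern in file order'.
"""
import re

CONTEXT_RE = re.compile(r"^\[(.+)\]$")
INCLUDE_RE = re.compile(r"^include\s*=>\s*(\S+)")
EXTEN_RE = re.compile(r"^exten\s*=>\s*([^,]+),(\d+|n),([A-Za-z]+)(?:\((.*)\))?")
TRUNK_PREFIXES = ("Zap/", "DAHDI/")   # assumption: these channels are toll trunks


def match_exten(pattern, dialed):
    """Asterisk label matching: literal unless it starts with '_'; then
    X=0-9, Z=1-9, N=2-9, [..] is a set, '.' one-or-more, '!' zero-or-more."""
    if not pattern.startswith("_"):
        return pattern == dialed
    regex, body, i = "", pattern[1:], 0
    while i < len(body):
        c = body[i]
        if c == "X":
            regex += "[0-9]"
        elif c == "Z":
            regex += "[1-9]"
        elif c == "N":
            regex += "[2-9]"
        elif c == "[":                      # character set, e.g. [0-4]
            j = body.index("]", i)
            regex += "[" + body[i + 1:j] + "]"
            i = j
        elif c == ".":
            regex += ".+"
        elif c == "!":
            regex += ".*"
        else:
            regex += re.escape(c)
        i += 1
    return re.fullmatch(regex, dialed) is not None


def parse_dialplan(text):
    """Return {context: [(label, app, args), ...]} in file order; an
    'include =>' line is stored as ('include', 'Include', target)."""
    contexts, ctx = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        m = CONTEXT_RE.match(line)
        if m:
            ctx = m.group(1)
            contexts.setdefault(ctx, [])
            continue
        if ctx is None:
            continue
        m = INCLUDE_RE.match(line)
        if m:
            contexts[ctx].append(("include", "Include", m.group(1)))
            continue
        m = EXTEN_RE.match(line)
        if m:
            label, _prio, app, args = m.groups()
            contexts[ctx].append((label.strip(), app, args or ""))
    return contexts


def toll_reachable(contexts, start, trunk_prefixes=TRUNK_PREFIXES):
    """All (context, label, dial_args) with a trunk Dial reachable from a
    channel entering `start`, via includes or Goto/Gosub(context,exten,prio)."""
    seen, stack, hits = set(), [start], []
    while stack:
        ctx = stack.pop()
        if ctx in seen or ctx not in contexts:
            continue
        seen.add(ctx)
        for label, app, args in contexts[ctx]:
            legs = args.split("&")            # Dial legs are joined with '&'
            if app == "Dial" and any(leg.startswith(trunk_prefixes) for leg in legs):
                hits.append((ctx, label, args))
            elif app == "Include":
                stack.append(args)
            elif app in ("Goto", "Gosub") and args.count(",") == 2:
                stack.append(args.split(",")[0])   # 3-arg form names a context
    return hits


def first_match(contexts, ctx, dialed):
    """Label in `ctx` that `dialed` lands on (exact label, else first matching
    pattern in file order; a simplification of Asterisk's specificity rule)."""
    labels = [label for label, _, _ in contexts.get(ctx, [])]
    if dialed in labels:
        return dialed
    return next((l for l in labels if l.startswith("_") and match_exten(l, dialed)), None)


# Constructed samples modelled on the thread's layouts (not the posted files).
SINGLE_CONTEXT = """
[default]
exten => s,1,Answer()
exten => s,n,Background(press-1-for-living-room&press-2-for-kitchen)
exten => s,n,Dial(SIP/phone1&SIP/phone3,15)
exten => s,n,Hangup
exten => _X.,1,Dial(Zap/1/${EXTEN})   ; trunk in the same context as the IVR
exten => 1,1,Dial(SIP/phone1)
exten => 2,1,Dial(SIP/phone2)
"""
SPLIT_CONTEXTS = """
[incoming]
exten => s,1,Answer()
exten => s,n,Background(press-1-for-living-room&press-2-for-kitchen)
exten => s,n,Dial(SIP/phone1&SIP/phone3,15)
exten => s,n,Hangup
exten => 1,1,Dial(SIP/phone1)
exten => 2,1,Dial(SIP/phone2)

[toll-access]
exten => _X.,1,Dial(Zap/1/${EXTEN})
exten => _[0-4],1,Goto(incoming,${EXTEN},1)
"""
# The classic mistake: an include that silently hands incoming callers toll access.
LEAKY_INCLUDE = SPLIT_CONTEXTS.replace("[incoming]\n", "[incoming]\ninclude => toll-access\n")

if __name__ == "__main__":
    for name, text, entry in (("single", SINGLE_CONTEXT, "default"),
                              ("split", SPLIT_CONTEXTS, "incoming"),
                              ("leaky", LEAKY_INCLUDE, "incoming")):
        hits = toll_reachable(parse_dialplan(text), entry)
        print(f"{name:7s} entering [{entry}]: {'TOLL REACHABLE ' + str(hits) if hits else 'ok'}")
    print("011... matches _Z.:", match_exten("_Z.", "011315158005"),
          " matches _X.:", match_exten("_X.", "011315158005"))
```

Run it against your own extensions.conf by passing the file contents to `parse_dialplan` and calling `toll_reachable` with the context named in the `context=` line of your FXO or SIP general section; any non-empty result means an unauthenticated caller can reach a trunk. The "leaky" sample shows the case the thread does not spell out: the contexts are separated, yet a single `include => toll-access` in [incoming] undoes the separation.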


_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
