SIP SECURITY WARNING

Version: v1-0 (cvs today)

Problem: sip context in general section ignored - goes to default, allowing
unauthorized sip devices to place calls in default context

Fix [workaround]: Remove or rename "default" context in extensions.conf

Notes: I am not sure what other asterisk functionality may be affected by this
- review your other config files for references to the "default" context.
Test your configurations to ensure calls are landing in the correct context.
I suggest removing "default" and creating others like sip-default which
include demo, and then testing from a sip channel to make sure you still hit
the demo from a registered device but not from unregistered devices. Repeat
for other channels as necessary.

Detail: I have been working with asterisk for a while now but had never
tested/noticed this scenario - I had always created device entries in
sip.conf for any devices I tested, so I never ran into this. Today on a new
config the phone came up before I had put anything in sip.conf and I thought,
let's see what happens if we try to call someone - and it WORKED, which was
the least expected behavior.

I am using a cisco 7960 with SIP firmware v6.3 (doesn't really matter, any
sip phone will do this) with a bare asterisk build and setup of v1-0 (pulled
from cvs today) on FC3 minimal + asterisk requirements + up2date and the
configs (sip, extensions) below.

Without placing any peer, friend, or user entries in sip.conf for the phone
device/extension, I am able to make calls through the "default" context. In
the below example, dialing "500" from a sip phone will execute the inter
asterisk connection test (IAX) to digium even though the context defined in
the general section of sip.conf is "sip-unauthorized", which should play
congestion and hang up (as was suggested in "Getting started with asterisk").
Removing or renaming the "default" context in extensions.conf appears to
resolve this issue - congestion is played. However, adding a real extension
such as 900 and mapping it to something like voicemail shows that the context
sip-unauthorized is not being used. Also, the following error is logged on
the console (verbose = 7), which hints at this as well - and explains why
congestion was played. Instead of looking for sip-unauthorized as expected,
it looked for the missing default and then played congestion when default
was not found.

Dec 3 20:26:42 NOTICE[15447]: pbx.c:1318 pbx_extension_helper: Cannot find extension context 'default'

Sip.conf

[general]
contex=sip-unauthorized
port=5060
bindaddr=0.0.0.0
localnet=172.16.0.0/255.255.255.0
<eof>

Extensions.conf

[general]
static=yes
writeprotect=no

[globals]
;CONSOLE=Console/dsp       ; Console interface for demo
IAXINFO=guest              ; IAXtel username/password
;TRUNK=Zap/g2              ; Trunk interface
;TRUNKMSD=1                ; MSD digits to strip (usually 1 or 0)

[macro-stdexten]
;
; Standard extension macro:
;   ${ARG1} - Extension (we could have used ${MACRO_EXTEN} here as well
;   ${ARG2} - Device(s) to ring
;
exten => s,1,Dial(${ARG2},20)                 ; Ring the interface, 20 seconds maximum
exten => s,2,Goto(s-${DIALSTATUS},1)          ; Jump based on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)
exten => s-NOANSWER,1,Voicemail(u${ARG1})     ; If unavailable, send to voicemail w/ unavail announce
exten => s-NOANSWER,2,Goto(default,s,1)       ; If they press #, return to start
exten => s-BUSY,1,Voicemail(b${ARG1})         ; If busy, send to voicemail w/ busy announce
exten => s-BUSY,2,Goto(default,s,1)           ; If they press #, return to start
exten => _s-.,1,Goto(s-NOANSWER,1)            ; Treat anything else as no answer
exten => a,1,VoicemailMain(${ARG1})           ; If they press *, send the user into VoicemailMain

[default]
exten => 500,1,Playback(demo-abouttotry)      ; Let them know what's going on
exten => 500,2,Dial(IAX2/[EMAIL PROTECTED]/[EMAIL PROTECTED]) ; Call the Asterisk demo
exten => 500,3,Playback(demo-nogo)            ; Couldn't connect to the demo site
exten => 500,4,Goto(s,6)                      ; Return to the start over message.

[sip-unauthorized]
;An important point here, if you do not have a sip aware
;firewall and are just using port forwarding then ensure
;that your context points to somewhere like invalidcalls.
;If you do not do this then someone could call one of your
;extensions direct from the Internet. If you had an FXO card
;in the machine, this could lead to them being able to make
;PSTN calls!!
;[from http://www.automated.it/guidetoasterisk.htm#_Toc49248767]
exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion
exten => 900,1,VoicemailMain
exten => 900,2,Hangup
<eof>
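A small config checker for the two conditions in this report, added here as an example and not part of the original post or of Asterisk itself: it parses sip.conf and extensions.conf (ini-style sections, ';' comments), reports a [general] section with no context= line (note that the posted sip.conf spells the key contex=, which this check reports as a near-miss of context=), a context= that names no section in extensions.conf, and the presence of a [default] context. The embedded sample configs are constructed and only modelled on the ones above.

```python
import difflib
import re
from typing import Dict, List

# Constructed sample configs modelled on the post (not the author's files verbatim).
SIP_CONF = "[general]\ncontex=sip-unauthorized\nport=5060\nbindaddr=0.0.0.0\n"
EXTENSIONS_CONF = (
    "[general]\nstatic=yes\n"
    "[default]\nexten => 500,1,Playback(demo-abouttotry)\n"
    "[sip-unauthorized]\nexten => s,1,Answer\nexten => s,2,Congestion\n"
)

def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split an Asterisk ini-style file into {section: [non-comment lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def audit(sip_text: str, ext_text: str) -> List[str]:
    """Return findings that let unknown SIP callers reach the [default] context."""
    findings: List[str] = []
    general: Dict[str, str] = {}
    for line in parse_sections(sip_text).get("general", []):
        key, _, value = line.partition("=")
        general[key.strip()] = value.strip()
    contexts = parse_sections(ext_text)
    ctx = general.get("context")
    if ctx is None:
        findings.append("sip.conf [general]: no 'context=' line, so unknown callers fall back to [default]")
        for key in general:  # catch near-miss spellings such as 'contex'
            if difflib.get_close_matches(key, ["context"]):
                findings.append(f"sip.conf [general]: '{key}' looks like a misspelling of 'context'")
    elif ctx not in contexts:
        findings.append(f"sip.conf [general]: context '{ctx}' is not defined in extensions.conf")
    if "default" in contexts:
        findings.append("extensions.conf: [default] exists; remove or rename it so a missing or ignored context= cannot reach it")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SIP_CONF, EXTENSIONS_CONF)))
```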
_______________________________________________
Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users
