It's known that YOU DO this:

sip.conf you do
[general]
context=from-sip

extensions.conf:
[from-sip]
exten => s,1,Congestion

This is a config issue. Not really a security issue.

bkw

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:asterisk-users-[EMAIL PROTECTED]] On Behalf Of Andy Reinke
> Sent: Friday, December 03, 2004 6:48 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: [Asterisk-Users] SIP SECURITY WARNING: v1-0 (cvs today) sip context in general section ignored goes to default instead - allowing unauthorized sip devices to place calls in default context
>
> SIP SECURITY WARNING
>
> Version: v1-0 (cvs today)
>
> Problem: sip context in general section ignored - goes to default - allowing unauthorized sip devices to place calls in default context
>
> Fix [workaround]:
>
> Remove or rename "default" context in extensions.conf
>
> Notes:
>
> I am not sure what other asterisk functionality may be affected by this - review your other config files for references to the "default" context. Test your configurations to ensure calls are landing in the correct context. I suggest removing "default" and creating others like sip-default which include demo and then testing from a sip channel to make sure you still hit the demo from a registered device but not from unregistered devices. Repeat for other channels as necessary.
>
> Detail:
>
> I have been working with asterisk for a while now but had never tested/noticed this scenario - I had always created device entries in sip.conf for any devices I tested so I never ran into this. Today on a new config the phone came up before I had put anything in sip.conf and I thought - let's see what happens if we try to call someone - and it WORKED which was the least expected behavior.
>
> I am using a cisco 7960 with SIP firmware v6.3 (doesn't really matter, any sip phone will do this) with a bare asterisk build and setup of v1-0 (pulled from cvs today) on FC3 minimal + asterisk requirements + up2date and the configs (sip, extensions) below.
>
> Without placing any peer, friend, user entries in sip.conf for the phone device/extension, I am able to make calls through the "default" context. In the below example dialing "500" from a sip phone will execute the inter asterisk connection test (IAX) to digium even though the context defined in the general section of sip.conf is "sip-unauthorized" which should play congestion and hang up (as was suggested in "Getting started with asterisk").
>
> Removing or renaming the "default" context in extensions.conf appears to resolve this issue - congestion is played. However, adding a real extension such as 900 and mapping it to something like voicemail shows that the context sip-unauthorized is not being used - also the following error is logged on the console (verbose = 7) which hints to this as well - and explains why congestion was played. Instead of looking for sip-unauthorized as expected it looked for the missing default and then played congestion when default was not found.
>
> Dec 3 20:26:42 NOTICE[15447]: pbx.c:1318 pbx_extension_helper: Cannot find extension context 'default'
>
> Sip.conf
> [general]
> contex=sip-unauthorized
> port=5060
> bindaddr=0.0.0.0
> localnet=172.16.0.0/255.255.255.0
> <eof>
>
> Extensions.conf
> [general]
> static=yes
> writeprotect=no
>
> [globals]
> ;CONSOLE=Console/dsp                    ; Console interface for demo
> IAXINFO=guest                           ; IAXtel username/password
> ;TRUNK=Zap/g2                           ; Trunk interface
> ;TRUNKMSD=1                             ; MSD digits to strip (usually 1 or 0)
>
> [macro-stdexten];
> ;
> ; Standard extension macro:
> ;   ${ARG1} - Extension (we could have used ${MACRO_EXTEN} here as well
> ;   ${ARG2} - Device(s) to ring
> ;
> exten => s,1,Dial(${ARG2},20)                   ; Ring the interface, 20 seconds maximum
> exten => s,2,Goto(s-${DIALSTATUS},1)            ; Jump based on status (NOANSWER,BUSY,CHANUNAVAIL,CONGESTION,ANSWER)
>
> exten => s-NOANSWER,1,Voicemail(u${ARG1})       ; If unavailable, send to voicemail w/ unavail announce
> exten => s-NOANSWER,2,Goto(default,s,1)         ; If they press #, return to start
>
> exten => s-BUSY,1,Voicemail(b${ARG1})           ; If busy, send to voicemail w/ busy announce
> exten => s-BUSY,2,Goto(default,s,1)             ; If they press #, return to start
>
> exten => _s-.,1,Goto(s-NOANSWER,1)              ; Treat anything else as no answer
>
> exten => a,1,VoicemailMain(${ARG1})             ; If they press *, send the user into VoicemailMain
>
> [default]
> exten => 500,1,Playback(demo-abouttotry)        ; Let them know what's going on
> exten => 500,2,Dial(IAX2/[EMAIL PROTECTED]/[EMAIL PROTECTED])   ; Call the Asterisk demo
> exten => 500,3,Playback(demo-nogo)              ; Couldn't connect to the demo site
> exten => 500,4,Goto(s,6)                        ; Return to the start over message.
>
> [sip-unauthorized]
> ;An important point here, if you do not have a sip aware
> ;firewall and are just using port forwarding then ensure
> ;that your context points to somewhere like invalidcalls.
> ;If you do not do this then someone could call one of your
> ;extensions direct from the Internet. If you had an FXO card
> ;in the machine, this could lead to them being able to make PSTN calls!!
> ;[from http://www.automated.it/guidetoasterisk.htm#_Toc49248767]
>
> exten => s,1,Answer
> exten => s,2,Playtones(congestion)
> exten => s,3,Congestion
>
> exten => 900,1,VoicemailMain
> exten => 900,2,Hangup
>
> <eof>

_______________________________________________
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
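The thread boils down to one configuration check: what context does an unauthenticated SIP call land in, and what can it reach there? Note that the sip.conf quoted above spells the key "contex=", and Asterisk silently ignores a key it does not recognise, so no context is set and the channel falls back to "default" exactly as the log line shows. The script below is an added example written for this page, not code from the thread or from the Asterisk project: it parses the two files with a minimal INI-style parser (the sample configs are constructed from the ones quoted above, with the IAX dial target replaced by an obvious placeholder), reports the effective context, flags keys that look like misspellings of "context", lists the extensions an anonymous caller could dial in that context, and notes when a [default] context still exists. The key-name similarity check is a generic near-miss heuristic, not anything Asterisk itself does.

```python
import difflib
import re

# Constructed sample configuration, modelled on the files quoted in the thread.
# The "contex=" typo is kept deliberately: Asterisk ignores keys it does not
# recognise, so no context is set and unauthenticated SIP calls land in
# [default]. The IAX dial target is an obvious placeholder, not a real one.
SIP_CONF_BROKEN = """\
[general]
contex=sip-unauthorized
port=5060
bindaddr=0.0.0.0
localnet=172.16.0.0/255.255.255.0
"""

# The same file with the key spelled correctly.
SIP_CONF_FIXED = SIP_CONF_BROKEN.replace("contex=", "context=")

EXTENSIONS_CONF = """\
[general]
static=yes
writeprotect=no

[globals]
IAXINFO=guest                                ; IAXtel username/password

[default]
exten => 500,1,Playback(demo-abouttotry)     ; Let them know what's going on
exten => 500,2,Dial(IAX2/PLACEHOLDER-DEMO-TARGET) ; Call the Asterisk demo
exten => 500,3,Playback(demo-nogo)           ; Couldn't connect to the demo site

[sip-unauthorized]
exten => s,1,Answer
exten => s,2,Playtones(congestion)
exten => s,3,Congestion

exten => 900,1,VoicemailMain
exten => 900,2,Hangup
"""


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's INI-like files.

    Returns {section: [(key, value), ...]} in file order. Both "key=value"
    and "exten => ..." forms are kept, keys are lower-cased, and ';' starts
    a comment. Templates, #include and similar directives are not handled.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if "=>" in line:
            key, value = line.split("=>", 1)
        elif "=" in line:
            key, value = line.split("=", 1)
        else:
            continue
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def dialable_extensions(entries):
    """Extension names defined by 'exten =>' lines, minus the 's' entry point."""
    names = {v.split(",", 1)[0].strip() for k, v in entries if k == "exten"}
    return sorted(names - {"s"})


def audit(sip_text, extensions_text):
    """Work out where an unauthenticated SIP call lands and flag the risks.

    Returns (effective_context, findings); findings are plain strings.
    """
    sip = parse_asterisk_conf(sip_text)
    ext = parse_asterisk_conf(extensions_text)
    findings = []
    general = sip.get("general", [])
    context = next((v for k, v in general if k == "context"), None)

    # A misspelled key is silently ignored, so look for near-misses of "context".
    for key, _ in general:
        if key != "context" and difflib.get_close_matches(key, ["context"], cutoff=0.8):
            findings.append(f"sip.conf [general]: key '{key}' looks like a misspelling of 'context'")

    if context is None:
        findings.append("sip.conf [general]: no context= line; unauthenticated SIP calls fall back to 'default'")
    effective = context or "default"

    if effective not in ext:
        findings.append(f"extensions.conf: context '{effective}' is not defined; Asterisk will log "
                        f"\"Cannot find extension context '{effective}'\" and play congestion")
    else:
        reachable = dialable_extensions(ext[effective])
        if reachable:
            findings.append(f"extensions.conf [{effective}]: unauthenticated SIP callers can dial {', '.join(reachable)}")

    if effective != "default" and "default" in ext:
        findings.append("extensions.conf still defines [default]; any channel whose context is unset lands there")
    return effective, findings


if __name__ == "__main__":
    for label, conf in (("broken", SIP_CONF_BROKEN), ("fixed", SIP_CONF_FIXED)):
        ctx, notes = audit(conf, EXTENSIONS_CONF)
        print(f"{label}: unauthenticated calls land in [{ctx}]")
        for note in notes:
            print("  -", note)
```

Run against the broken sip.conf the audit reports that calls land in [default] and that extension 500 is dialable without credentials; with the key corrected it reports [sip-unauthorized], but still points out that 900 (VoicemailMain) is reachable there and that a [default] context remains, which matches the two observations in the original post. A context meant for unauthenticated callers should contain nothing but the s,1..3 Congestion steps.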
