On Dec 1, 2008, at 11:53 PM, Martin Rogers wrote:
> Tod Fitch wrote:
>> On Dec 1, 2008, at 3:58 PM, Jose Colin wrote:
>>> Hi, Martin. I have seen that you said that if it is SIP you should set allowguest=no, so where should that command be set? In arnot firewall or where? I am interested in putting that extra protection and haven't seen where the default yes is.
>>>
>>> On Sun, Nov 16, 2008 at 3:51 AM, Martin Rogers <[EMAIL PROTECTED]> wrote:
>>>> If you are using SIP you should also be paranoid and set allowguest=no, as this defaults to yes.
>>>>
>>>> Mart
>>
>> In the default sip.conf is this line:
>>
>> ;allowguest=no ; Allow or reject guest calls (default is yes)
>>
>> But that brings up a question: Don't you need this to be the "yes" (the default) if you wish to terminate ENUM calls? And if you have the default SIP context only allow local extensions, what would be the security issue?
>
> As I understand the behaviour of this setting, if you have thought through the security implications of the default context then this setting set =yes should not be a problem. The reason I mentioned it is that I think that a default of yes is dangerous if you are not aware of it, and have not planned your default context accordingly.
>
> Mart

If you allow calls to your default context to be relayed back out then you can be in a position where unregistered entities can use your machine to make free calls. I guess this is a "security issue". Certainly that can be an issue that one should be careful of when setting up a PBX.
But when I hear the term "security" and I am on a computer, the first thing that comes to my mind is an attack vector for taking control of the machine itself. For example, an ill-formed packet or sequence of packets that causes the server application to crash in such a way that it executes part of your packet data left on the stack.

From your response, am I correct in believing that the issue in allowing guests is the former (free calls) rather than the latter (taking control of your Asterisk box)?

Thank you for any clarification.

And, by the way, I was and am still a little taken aback by seeing that everything except a spawned session of mini_httpd runs as root in my AstLinux box. I would much prefer that Asterisk run as its own unprivileged user.

Tod
_______________________________________________ Astlinux-users mailing list Astlinux-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/astlinux-users Donations to support AstLinux are graciously accepted via PayPal to [EMAIL PROTECTED]
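
Added example, not part of the thread and not AstLinux or Asterisk code: a small audit of the condition discussed above, guest calls left at their default of yes while the context they land in (or one it includes) can dial out through a trunk. The sample configs are constructed, the trunk peer name `provider` is hypothetical, and the Dial() match is a heuristic for chan_sip device strings only.

```python
import re

# Constructed sample configs (not from the thread); "provider" is a hypothetical trunk peer.
SIP_CONF = """[general]
;allowguest=no   ; Allow or reject guest calls (default is yes)
context=default
"""
EXTENSIONS_CONF = """[default]
include => outbound
exten => 100,1,Dial(SIP/100)
[outbound]
exten => _1NXXNXXXXXX,1,Dial(SIP/provider/${EXTEN})
"""
FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}

def parse(text):
    """Return {section: [(key, value), ...]}, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # handles both "=" and "=>"
            current.append((key.strip(), value.lstrip(">").strip()))
    return sections

def guest_reachable_trunk_dials(sip_text, ext_text, trunk_peers):
    """Dial() lines an unauthenticated SIP caller can reach that use a trunk peer."""
    general = dict(parse(sip_text).get("general", []))
    if general.get("allowguest", "yes").lower() in FALSE_VALUES:  # unset means yes
        return []
    dialplan = parse(ext_text)
    trunk = re.compile(r"Dial\(SIP/(?:[^)]*@)?(?:%s)\b" % "|".join(map(re.escape, trunk_peers)))
    todo, seen, hits = [general.get("context", "default")], set(), []
    while todo:  # walk the guest context and every context it includes
        ctx = todo.pop()
        if ctx in seen:
            continue
        seen.add(ctx)
        for key, value in dialplan.get(ctx, []):
            if key == "include":
                todo.append(value)
            elif key == "exten" and trunk.search(value):
                hits.append((ctx, value))
    return hits
```

An empty result means either guest calls are explicitly disabled or nothing reachable from the guest context dials one of the named trunk peers; it does not cover outbound routes built with other channel technologies or macros.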