William Zhang
2004-Apr-27 17:43 UTC
[Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
I had tried many ways with some advanced user help, but without success (at one point I thought I had it working).

Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf file there are a lot of entries with just "host=a.b.c.d", thinking that * will only accept calls from host "a.b.c.d". But in my test, no matter how you set up the sip.conf entries, either * will NOT accept calls for that user account at all, or it will accept calls from anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not), so long as the SIP userid is the username in sip.conf. This poses a very serious security problem.

Of course we can put "secret=" for each entry, but given that the Asterisk GW and SIP proxy are on 2 TRUSTED IPs, no authentication is necessary; otherwise it increases the SIP traffic quite a bit.

Following are the 4 different entries that I had tried:
#Notice that in the "general" section, context is pointed to a non-existent context "INVALID".

;
; SIP Configuration for Asterisk
;
[general]
port = 5060                     ; Port to bind to
bindaddr = 212.213.66.68
context = INVALID               ;
;srvlookup = yes                ; Enable SRV lookups on outbound calls
;pedantic = yes                 ; Enable slow, pedantic checking for Pingtel
;tos=lowdelay
;tos=184
;maxexpirey=3600                ; Max length of incoming registration we allow
;defaultexpirey=120             ; Default length of incoming/outgoing registration
;notifymimetype=text/plain      ; Allow overriding of mime type in NOTIFY
;videosupport=yes               ; Turn on support for SIP video
disallow=all                    ; Disallow all codecs
allow=ulaw                      ; Allow codecs in order of preference
allow=g729
allow=ilbc
;
;dtmfmode=info
;dtmfmode=inband
dtmfmode=rfc2833

[20034]
type=friend
callerid=TEST <61331045>
host=212.213.65.66
nat=yes                         ; This phone may be natted
canreinvite=no

[20035]
type=peers
callerid=TEST <61331045>
host=212.213.65.66
nat=yes                         ; This phone may be natted
canreinvite=no

[20036]
type=friend
context=default
callerid=TEST <61331045>
host=212.213.65.66
permit=212.213.65.66
nat=yes                         ; This phone may be natted
canreinvite=no

[20037]
type=peers
context=default
callerid=TEST <61331045>
permit=212.213.65.66
nat=yes                         ; This phone may be natted
canreinvite=no

Thank you in advance.
John Fraizer
2004-Apr-27 23:51 UTC
[Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
William Zhang wrote:
> I had tried many ways with some advanced user help, but without
> success (at one point I thought I had it working).
>
> Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> file, there are a lot of entries with just "host=a.b.c.d", thinking
> that * will only accept calls from host "a.b.c.d", but in my test, no
> matter how you set up the sip.conf entries, either * will NOT accept
> calls for that user account at all, or it will accept calls from any
> where without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> so long as the SIP userid is the username in sip.conf. This poses a very
> serious security problem.
>
> Of course we can put "secret=" for each entry, but given that the Asterisk GW
> and SIP proxy are on 2 TRUSTED IPs, no authentication is necessary,
> otherwise it increases the SIP traffic quite a bit.

Um, how is it that you consider this a security flaw? By omitting secret=, you are telling Asterisk to not authenticate the call.

John
James H. Thompson
2004-Apr-28 01:12 UTC
[Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
I think the problem is that using permit= alone does nothing.
You need to combine it with a deny= as in:

deny=0.0.0.0/0.0.0.0        ; deny all
permit=123.123.123.123      ; allow only this address - netmask defaults to /255.255.255.255

Order matters; the deny needs to come first.

For reference, here is the code from acl.c that checks the rules:

int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
{
	/* Start optimistic */
	int res = AST_SENSE_ALLOW;
	while (ha) {
		/* For each rule, if this address and the netmask = the net address
		   apply the current rule */
		if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == (ha->netaddr.s_addr))
			res = ha->sense;
		ha = ha->next;
	}
	return res;
}

Jim

James H. Thompson
jht@lava.net

----- Original Message -----
From: "William Zhang" <w_w_zhang@yahoo.com>
To: <asterisk-users@lists.digium.com>
Sent: Tuesday, April 27, 2004 2:43 PM
Subject: [Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.

> I had tried many ways with some advanced user help, but without
> success (at one point I thought I had it working).
>
> Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf
> file, there are a lot of entries with just "host=a.b.c.d", thinking
> that * will only accept calls from host "a.b.c.d", but in my test, no
> matter how you set up the sip.conf entries, either * will NOT accept
> calls for that user account at all, or it will accept calls from any
> where without VERIFYING the source IP (whether it is "a.b.c.d" or not),
> so long as the SIP userid is the username in sip.conf. This poses a very
> serious security problem.
>
> Of course we can put "secret=" for each entry, but given that the Asterisk GW
> and SIP proxy are on 2 TRUSTED IPs, no authentication is necessary,
> otherwise it increases the SIP traffic quite a bit.
>
> Following are the 4 different entries that I had tried:
> #Notice that in the "general" section, context is pointed to a non-existent
> context "INVALID".
>
> ;
> ; SIP Configuration for Asterisk
> ;
> [general]
> port = 5060                     ; Port to bind to
> bindaddr = 212.213.66.68
> context = INVALID               ;
> ;srvlookup = yes                ; Enable SRV lookups on outbound calls
> ;pedantic = yes                 ; Enable slow, pedantic checking for Pingtel
> ;tos=lowdelay
> ;tos=184
> ;maxexpirey=3600                ; Max length of incoming registration we allow
> ;defaultexpirey=120             ; Default length of incoming/outgoing registration
> ;notifymimetype=text/plain      ; Allow overriding of mime type in NOTIFY
> ;videosupport=yes               ; Turn on support for SIP video
> disallow=all                    ; Disallow all codecs
> allow=ulaw                      ; Allow codecs in order of preference
> allow=g729
> allow=ilbc
> ;
> ;dtmfmode=info
> ;dtmfmode=inband
> dtmfmode=rfc2833
>
> [20034]
> type=friend
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes                         ; This phone may be natted
> canreinvite=no
>
> [20035]
> type=peers
> callerid=TEST <61331045>
> host=212.213.65.66
> nat=yes                         ; This phone may be natted
> canreinvite=no
>
> [20036]
> type=friend
> context=default
> callerid=TEST <61331045>
> host=212.213.65.66
> permit=212.213.65.66
> nat=yes                         ; This phone may be natted
> canreinvite=no
>
> [20037]
> type=peers
> context=default
> callerid=TEST <61331045>
> permit=212.213.65.66
> nat=yes                         ; This phone may be natted
> canreinvite=no
>
> Thank you in advance.
>
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
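To see what Jim's point means in practice, here is an added model of the rule walk (my own code, not Asterisk's acl.c; the names sipconf_acl, rule_parse and parse_ip are mine) that reads the permit=/deny= lines of one sip.conf section and evaluates a source address the way the quoted loop does. It shows why a lone permit= still allows every source, why deny-all followed by permit= restricts the section to the trusted host, and why the reverse order denies even the trusted host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added model of the ast_apply_ha() walk quoted above; it is not Asterisk's own code. */
#define AST_SENSE_DENY  0
#define AST_SENSE_ALLOW 1
struct rule { uint32_t netaddr, netmask; int sense; };
/* Dotted quad -> host-order integer; rejects anything that is not exactly a.b.c.d. */
static int parse_ip(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d; return 0;
}
/* Parse "a.b.c.d[/m.m.m.m]"; as in sip.conf the mask defaults to /255.255.255.255. */
static int rule_parse(struct rule *r, int sense, const char *spec)
{
    char addr[32]; const char *slash = strchr(spec, '/');
    size_t n = slash ? (size_t)(slash - spec) : strlen(spec);
    uint32_t a, m = 0xffffffffu;
    if (n >= sizeof addr) return -1;
    memcpy(addr, spec, n); addr[n] = '\0';
    if (parse_ip(addr, &a) != 0 || (slash && parse_ip(slash + 1, &m) != 0)) return -1;
    r->netmask = m; r->sense = sense;
    r->netaddr = a & m;   /* acl.c stores the already-masked network address */
    return 0;
}
/* Evaluate the permit=/deny= lines of one sip.conf section (newline separated, file order)
 * for a packet from src_ip the way ast_apply_ha() does: start ALLOW and let every matching
 * rule override the result, so the last matching rule wins. Returns -1 on a parse error. */
int sipconf_acl(const char *section, const char *src_ip)
{
    struct rule rules[16]; uint32_t src;
    char buf[512], *line; int nr = 0, res = AST_SENSE_ALLOW;
    if (parse_ip(src_ip, &src) != 0 || strlen(section) >= sizeof buf) return -1;
    strcpy(buf, section);
    for (line = strtok(buf, "\n"); line && nr < 16; line = strtok(NULL, "\n")) {
        int sense = AST_SENSE_ALLOW, off = 7;                /* "permit=" */
        line[strcspn(line, " \t;\r")] = '\0';                /* drop trailing ; comment */
        if (!strncmp(line, "deny=", 5)) { sense = AST_SENSE_DENY; off = 5; }
        else if (strncmp(line, "permit=", 7) != 0) continue; /* host=, type=, ... add no rule */
        if (rule_parse(&rules[nr++], sense, line + off) != 0) return -1;
    }
    for (int i = 0; i < nr; i++)                             /* the ast_apply_ha() loop */
        if ((src & rules[i].netmask) == rules[i].netaddr)
            res = rules[i].sense;
    return res;
}
```

Feeding William's [20036] section to sipconf_acl with a source of 1.2.3.4 returns AST_SENSE_ALLOW, which is the behaviour he observed; only the deny-then-permit pair turns that into AST_SENSE_DENY.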
Kelvin Chua
2004-May-04 03:14 UTC
[Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.
Uhm, strange, but does this work on your setup? Even with permit and deny, if a user is not matched in the conf, it is allowed access to the default context stated in the conf.

On Wed, 2004-04-28 at 16:12, James H. Thompson wrote:
> I think the problem is that using permit= alone does nothing.
> You need to combine it with a deny= as in:
>
> deny=0.0.0.0/0.0.0.0        ; deny all
> permit=123.123.123.123      ; allow only this address - netmask defaults to /255.255.255.255
>
> Order matters; the deny needs to come first.
>
> For reference, here is the code from acl.c that checks the rules:
>
> int ast_apply_ha(struct ast_ha *ha, struct sockaddr_in *sin)
> {
> 	/* Start optimistic */
> 	int res = AST_SENSE_ALLOW;
> 	while (ha) {
> 		/* For each rule, if this address and the netmask = the net address
> 		   apply the current rule */
> 		if ((sin->sin_addr.s_addr & ha->netmask.s_addr) == (ha->netaddr.s_addr))
> 			res = ha->sense;
> 		ha = ha->next;
> 	}
> 	return res;
> }
>
> Jim
>
> James H. Thompson
> jht@lava.net
>
> ----- Original Message -----
> From: "William Zhang" <w_w_zhang@yahoo.com>
> To: <asterisk-users@lists.digium.com>
> Sent: Tuesday, April 27, 2004 2:43 PM
> Subject: [Asterisk-Users] Security Issue in Asterisk with sip.conf configuration.