Have you tried using:
permit= deny=
entries in the sip.conf file? you can have as many of those as you need to create an ACL
The host= command does not limit access. It tells Asterisk where to find your client if the client doesn't register with Asterisk. It's for outbound calls, where Asterisk calls the phone.
/O
----- Original Message -----
From: "William Zhang" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 27, 2004 5:31 PM
Subject: [Asterisk-Dev] Security Issue in Asterisk with sip.conf configuration.
I had tried many ways with some advanced user help, but without success (at one point I thought I had it working).
Here Asterisk is working as a SIP PSTN Gateway, and in the sip.conf file there are a lot of entries with just "host=a.b.c.d", thinking that * will only accept calls from host "a.b.c.d". But in my test, no matter how you set up the sip.conf entries, either * will NOT accept calls for that user account at all, or it will accept calls from anywhere without VERIFYING the source IP (whether it is "a.b.c.d" or not), so long as the SIP userid is the username in sip.conf. This poses a very serious security problem.
Of course we can put "secret=" for each entry, but given that the Asterisk GW and SIP proxy are on 2 TRUSTED IPs, no authentication is necessary; otherwise it increases the SIP traffic quite a bit.
Following are the 4 different entries that I had tried. Notice that in the "general" section, context is pointed to a non-existent context "INVALID".
;
; SIP Configuration for Asterisk
;
[general]
port = 5060                     ; Port to bind to
bindaddr = 212.213.66.68
context = INVALID
;
;srvlookup = yes                ; Enable SRV lookups on outbound calls
;pedantic = yes                 ; Enable slow, pedantic checking for Pingtel
;tos=lowdelay
;tos=184
;maxexpirey=3600                ; Max length of incoming registration we allow
;defaultexpirey=120             ; Default length of incoming/outgoing registration
;notifymimetype=text/plain      ; Allow overriding of mime type in NOTIFY
;videosupport=yes               ; Turn on support for SIP video
disallow=all                    ; Disallow all codecs
allow=ulaw                      ; Allow codecs in order of preference
allow=g729
allow=ilbc
;
;dtmfmode=info
;dtmfmode=inband
dtmfmode=rfc2833

[20034]
type=friend
callerid=TEST <61331045>
host=212.213.65.66
nat=yes                         ; This phone may be natted
canreinvite=no

[20035]
type=peers
callerid=TEST <61331045>
host=212.213.65.66
nat=yes                         ; This phone may be natted
canreinvite=no

[20036]
type=friend
context=default
callerid=TEST <61331045>
host=212.213.65.66
permit=212.213.65.66
nat=yes                         ; This phone may be natted
canreinvite=no

[20037]
type=peers
context=default
callerid=TEST <61331045>
permit=212.213.65.66
nat=yes                         ; This phone may be natted
canreinvite=no
Thank you in advance.
_______________________________________________
Asterisk-Dev mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-dev
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
--
Olle E. Johansson, Edvina.net AB, [EMAIL PROTECTED]
----- Phone +46 8 594 788 10, Cell phone: +46 70 593 68 51
----- IP phone: sip:[EMAIL PROTECTED]
----- Address: Runbovägen 10, SE-192 48 Sollentuna, Sweden
----- Web: http://edvina.net
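The following is an added worked example, not code from Asterisk or from either poster, illustrating the ACL point made in the reply above: host= does not restrict who may send INVITEs to a peer, and permit=/deny= lines are what build the source-address ACL. It assumes the sip.conf ACL semantics as documented in the sample sip.conf shipped with Asterisk (rules are evaluated in the order written, the last matching rule decides, and a peer with no rules, or no matching rule, is allowed), and that a permit=/deny= value without a mask means a single host (/32). The sip.conf text, peer names 20038 and the source IP 198.51.100.7 are constructed for the example. The parser is a minimal one written for this demonstration, not Asterisk's config loader.

```python
import ipaddress

# Constructed sample sip.conf (not the text from the thread verbatim).
#   20034: host= only, no ACL at all
#   20036: permit= but no deny= (the pattern used in the original post)
#   20038: deny everything first, then permit the trusted proxy
SAMPLE_SIP_CONF = """
[general]
context = INVALID

[20034]
type=friend
host=212.213.65.66          ; where Asterisk sends outbound calls, not a restriction

[20036]
type=friend
host=212.213.65.66
permit=212.213.65.66        ; no preceding deny= -> everything else still allowed

[20038]
type=friend
host=212.213.65.66
deny=0.0.0.0/0.0.0.0        ; deny all sources ...
permit=212.213.65.66        ; ... then re-allow the one trusted proxy
"""


def parse_sip_conf(text):
    """Minimal sip.conf reader: {section: [(key, value), ...]} preserving line order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = []
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def parse_ha(value):
    """Convert 'addr', 'addr/dotted-mask' or 'addr/prefixlen' into an IPv4Network.
    A bare address is treated as a single host (assumed /32 default)."""
    if '/' in value:
        addr, mask = value.split('/', 1)
        if '.' in mask:                          # dotted-quad netmask, e.g. 0.0.0.0
            return ipaddress.IPv4Network((addr, mask), strict=False)
        return ipaddress.IPv4Network(f"{addr}/{int(mask)}", strict=False)
    return ipaddress.IPv4Network(f"{value}/32")


def build_acl(entries):
    """Collect permit=/deny= lines of one peer, in order, as (network, allow) pairs."""
    return [(parse_ha(v), k == 'permit') for k, v in entries if k in ('permit', 'deny')]


def acl_allows(acl, source_ip):
    """Assumed Asterisk semantics: walk rules in order, last match wins, default allow."""
    ip = ipaddress.IPv4Address(source_ip)
    allowed = True                               # no rules or no match -> allowed
    for network, allow in acl:
        if ip in network:
            allowed = allow
    return allowed


def check_peer(conf_text, peer, source_ip):
    """Does the ACL of section `peer` in `conf_text` accept traffic from `source_ip`?"""
    sections = parse_sip_conf(conf_text)
    return acl_allows(build_acl(sections[peer]), source_ip)


if __name__ == '__main__':
    for peer in ('20034', '20036', '20038'):
        for src in ('212.213.65.66', '198.51.100.7'):
            verdict = 'allowed' if check_peer(SAMPLE_SIP_CONF, peer, src) else 'denied'
            print(f"peer {peer}: source {src} -> {verdict}")
```

Run against the constructed config, only peer 20038 rejects the untrusted source: with host= alone there is no ACL to consult, and a lone permit= adds an allow rule to a list whose default is already allow, so it changes nothing. The deny=0.0.0.0/0.0.0.0 line before the permit= is what turns the list into an allow-list, which is the pattern the shipped sample sip.conf uses; the entries in the original post all omit it.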