I've got a security issue


I am running an Asterisk server and I've defined some users…
For some of them, on the road, I have declared an account without ALLOW=… and DENY=… in order to allow any specific IP address.

However, I would imagine that with a wrong password, I wouldn't be able to make any phone calls…
With Linphone, if your password is wrong… you can make phone calls???

Any idea what is wrong?
I want any users with a wrong password NOT to make phone calls… set up on the server!! and not on the phone… which would be useless



I think that setting “allowguest” to “no” will solve the problem for you.

You also might want to browse the numerous forum topics on security. If you want to run Asterisk on a publicly available server, you really MUST KNOW what you are doing :wink: .


Thanks for your reply…
Apparently, this is not enough :frowning:… I still have the problem…

Just one point: this is not for a user defined in sip.conf but in the users.conf file…
Should I add this "allowguest=no" there as well?
Or is the general section in sip.conf also valid for users.conf?


users.conf is bad; you really should avoid it.

Oh really?

I decided to collect everybody inside the company (so with NAT=no).
So, for security reasons, the NAT declaration was in the general rules…
Guys outside the company were in users.conf, where NAT=yes was in the general condition.

Do you recommend gathering everybody in sip.conf?

  1. Is it better to add people by adding the NAT feature to each account?
  2. Any reason why users.conf is bad? In that case, what are you using it for?


nat= may not be needed. It might better be called NAT Hacks, as it is there to work round specific problems. You should really only use it when you have those problems.

You can use templates in sip.conf if a number of entries have similar configurations.
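A sip.conf fragment, added here as an illustration and not taken from any post in this thread, that puts the two suggestions together: allowguest=no in [general] so calls without valid credentials are rejected, and a template so the road-warrior accounts share one definition. The context names, peer names and secrets are placeholders, and the nat= comment assumes a chan_sip from Asterisk 1.8 or newer.

```ini
; Added example, not from the thread. Placeholders must be replaced.

[general]
context=unauthenticated    ; assumed dialplan context for calls that were NOT authenticated
allowguest=no              ; default is yes: without this, an unauthenticated INVITE
                           ; still lands in the context above and can be dialed out
alwaysauthreject=yes       ; answer unknown users and wrong passwords identically,
                           ; so account names cannot be told apart by the reply
srvlookup=yes

; Template for accounts that register from anywhere. The "(!)" marks it as a
; template; it never becomes a peer itself. There are no deny=/permit= lines,
; so the secret is the only thing protecting each account that inherits it.
[roadwarrior](!)
type=friend
host=dynamic
context=internal           ; assumed context that is allowed to place outbound calls
disallow=all
allow=ulaw
qualify=yes
; no nat= line here: add nat=force_rport,comedia only to a peer that actually
; shows NAT symptoms (one-way audio, registrations that go stale)

; Real accounts inherit everything from the template and override only what differs
[alice](roadwarrior)
secret=CHANGE-ME-alice-long-random   ; placeholder
callerid=Alice <201>

[bob](roadwarrior)
secret=CHANGE-ME-bob-long-random     ; placeholder
callerid=Bob <202>
```

After editing, run `sip reload` and `sip show peers` from the Asterisk CLI to confirm that only the named peers exist and that each inherited the template's settings.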