Default: Disallow anonymous, allow guests - reason?


(Simon Telephonics) #1

On a fresh install the default SIP configuration is to disallow anonymous, allow guests:

image

This default doesn’t make sense to me, so I am looking to the community for reasons why this might be useful. If none, I will submit a ticket to request it be changed to No/No (which I think makes the most sense).


(Jared Busch) #2

I agree, I have never understood this default, but also never bothered to make a report or comment on it.


#3

It seems reasonable to me, at least for an initial install. Calls that don’t match a trunk get an audible error announcement, making for easier debugging. However, there is no access to ‘regular’ dial plan, which might have errors allowing fraudulent calls.

If your firewall is whitelist-based, it’s probably OK to leave it this way indefinitely. If other constraints force a blacklist-based firewall, Allow SIP Guests can be a problem, because attempted attacks will use a lot of resources.


(Lorne Gaetz) #4

I’ve wondered this as well. It’s a really old setting, and looking at the context from-sip-external, I think it might have been set up this way in order to create a log line with the source IP of the invite in order for fail2ban to act on the INVITE attempt. Without this, you’re relying on Asterisk to block the INVITE which would be more resource intensive.


(Simon Telephonics) #5

That’s useful information. If that’s the main reason, I would suggest this default only be done for Distro.

On non-Distro, the result is a bunch of logs and CDR from scanners. Disabling guest eliminates all that noise.


#6

And fail2ban can use the ‘security’ category, which wasn’t a thing back then. So even non-distros don’t need it anymore.
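As an added example (not part of the thread and not FreePBX or fail2ban code): a small Python sketch of the log-driven blocking discussed in posts #4 and #6, counting failure events per source IP from Asterisk 'security' log lines. The sample lines are constructed and carry fewer fields than real entries, the function names are hypothetical, and `maxretry`/`findtime` are borrowed from fail2ban's terminology.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the key="value" layout of Asterisk's security log
# (documentation-range addresses; the NOTICE line is ordinary log noise).
SAMPLE_LOG = """\
[2019-06-01 12:00:01] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="1000",RemoteAddress="IPV4/UDP/203.0.113.50/5071"
[2019-06-01 12:00:05] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.50/5071"
[2019-06-01 12:00:09] SECURITY[2345] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.50/5071"
[2019-06-01 12:00:30] NOTICE[2345] chan_sip.c: constructed non-security line, ignored
[2019-06-01 12:01:00] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/198.51.100.9/5060"
[2019-06-01 12:21:00] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/198.51.100.9/5060"
"""

# Security events treated as failed attempts (an assumption; tune to local policy).
FAILURES = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+ (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Return (timestamp, event, remote_ip) for a security line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    parts = fields.get("RemoteAddress", "").split("/")  # family/transport/ip/port
    if len(parts) != 4:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, fields.get("SecurityEvent"), parts[2]

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least maxretry failure events inside a findtime window."""
    hits, banned = defaultdict(list), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[1] not in FAILURES:
            continue
        ts, _, ip = parsed
        # Keep only earlier failures still inside the window, then add this one.
        hits[ip] = [t for t in hits[ip] if ts - t <= findtime] + [ts]
        if len(hits[ip]) >= maxretry:
            banned.add(ip)
    return sorted(banned)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

Because the source address comes from the security events themselves, this works with Allow SIP Guests set to No, which is the point made in post #6.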


(Lorne Gaetz) #7

Request for comments, either here or in the ticket:
https://issues.freepbx.org/browse/FREEPBX-22914