System information
[DEFAULT]
# Multiple addresses can be specified, separated by a space.
ignoreip = 127.0.0.1 10.1.1.1
destemail = youraddress@shifteight.org
Encrypted Media
Be aware that the audio for a Voice over IP call is typically transmitted in an unencrypted
format. Anyone who can capture the traffic can listen to the audio of the phone call.
Luckily, Asterisk supports encrypting the media of VoIP calls. If you are using SIP, you
can encrypt the media using SRTP. IAX2 supports fully encrypting calls as well. Detailed
information on encrypting media can be found in Chapter 7.
Tip #6: Encrypt the media for calls on untrusted networks using SRTP or IAX2 encryption.
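As an added illustration (not configuration from the original text), here is how the two options above look in the Asterisk configuration files. The peer names, the certificate path and the bind address are assumptions chosen for the example; encryption=yes in sip.conf offers SRTP only, and forceencryption=yes in iax.conf rejects unencrypted IAX2 calls.

```ini
; sip.conf (added example, not from the original page)
[general]
; Encrypt the SIP signaling as well: the SRTP key is carried in the SDP of the
; INVITE, so an unencrypted signaling channel leaks the media key.
tlsenable=yes
tlsbindaddr=0.0.0.0:5061            ; assumption: listen for SIP over TLS here
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; assumption: your server cert

[remoteoffice]                      ; assumption: a SIP peer on an untrusted network
type=friend
transport=tls
encryption=yes                      ; offer only SRTP media; calls fail if the peer refuses

; iax.conf (added example, not from the original page)
[otherserver]                       ; assumption: the IAX2 trunk named in the text
type=friend
encryption=yes                      ; AES-128 encryption of the whole IAX2 stream
forceencryption=yes                 ; refuse the call rather than fall back to cleartext
```

With forceencryption set, a peer that does not support encryption cannot silently downgrade the trunk to cleartext; the call is rejected instead, which is the behaviour you want on a link you do not trust.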
Dialplan Vulnerabilities
The Asterisk dialplan is another area where taking security into consideration is critical.
The dialplan can be broken down into multiple contexts to provide access control to
extensions. For example, you may want to allow your office phones to make calls out
through your service provider. However, you do not want to allow anonymous callers
that come into your main company menu to be able to then dial out through your
service provider. Use contexts to ensure that only the callers you intend have access to
services that cost you money.
Tip #7: Build dialplan contexts with great care. Also, avoid putting any extensions that could cost you money in the [default] context.
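The context separation described above, as an added extensions.conf example (not from the original page). The context names, the peer names alice and provider, and the sound file main-menu are assumptions; office phones are assumed to be assigned context=internal in sip.conf, while calls arriving from the provider are assigned context=incoming.

```ini
; extensions.conf (added example, not from the original page)

[default]
; Nothing that costs money lives here. Any channel that lands in [default]
; by accident simply gets a hangup.
exten => _X.,1,Hangup()

[outbound]
; The only context that dials the service provider. It is never assigned to
; a channel directly; it is reachable solely through "include =>" below.
exten => _1NXXNXXXXXX,1,Dial(SIP/provider/${EXTEN},30)
exten => _1NXXNXXXXXX,n,Hangup()

[internal]
; Office phones (context=internal in sip.conf) may reach each other and,
; through the include, the provider.
include => outbound
exten => 100,1,Dial(SIP/alice,20)
exten => 100,n,Hangup()

[incoming]
; Anonymous callers from the provider land here. There is deliberately no
; "include => outbound", so the main menu cannot be used to dial out.
exten => s,1,Answer()
exten => s,n,Background(main-menu)      ; assumption: a recorded menu prompt
exten => s,n,WaitExten(10)
exten => 100,1,Goto(internal,100,1)     ; expose one internal extension only
exten => i,1,Playback(invalid)
exten => i,n,Hangup()
exten => t,1,Hangup()
```

A useful check after editing: run "dialplan show incoming" from the Asterisk CLI and confirm that no [outbound] patterns appear in the listing; if they do, an include has leaked outbound access to anonymous callers.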
One of the more recent Asterisk dialplan vulnerabilities to have been discovered and
published is the idea of dialplan injection. A dialplan injection vulnerability begins with
an extension that has a pattern that ends with the match-all character, a period. Take
this extension as an example:
exten => _X.,1,Dial(IAX2/otherserver/${EXTEN},30)
The pattern for this extension matches all extensions (of any length) that begin with a
digit. Patterns like this are pretty common and convenient. The extension then sends
this call over to another server using the IAX2 protocol, with a dial timeout of 30 seconds.
Note the usage of the ${EXTEN} variable here. That’s where the vulnerability exists.
In the world of Voice over IP, there is no reason that a dialed extension must be numeric.
In fact, it is quite common using SIP to be able to dial someone by name. Since it is
possible for non-numeric characters to be a part of a dialed extension, what would
happen if someone sent a call to this extension?
1234&DAHDI/g1/12565551212
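Because Dial() treats "&" as a separator between channels, the dialed string above asks the Dial() application to ring a second, unintended channel. The following added example (not from the original page) places the extension from the text beside a hardened form; "otherserver" is the page's own placeholder, and FILTER() is a standard Asterisk dialplan function that keeps only the characters in the allowed set.

```ini
; extensions.conf (added example, not from the original page)

[vulnerable]
; ${EXTEN} reaches Dial() unmodified, so any '&', '/' or letters the caller
; dialed become part of the channel specification.
exten => _X.,1,Dial(IAX2/otherserver/${EXTEN},30)

[hardened]
; FILTER(0-9,...) strips every non-digit character before Dial() sees the
; value, so a dialed string cannot introduce a second channel.
exten => _X.,1,Dial(IAX2/otherserver/${FILTER(0-9,${EXTEN})},30)
exten => _X.,n,Hangup()

[hardened-narrow]
; Where the numbering plan allows it, drop the match-all pattern entirely:
; a digits-only pattern such as this one never matches '&' or '/'.
exten => _1NXXNXXXXXX,1,Dial(IAX2/otherserver/${EXTEN},30)
exten => _1NXXNXXXXXX,n,Hangup()
```

Apply the FILTER() wrapping to every place ${EXTEN} is interpolated into a channel string, a database query or a shell command, not only to Dial(); a narrow pattern is the stronger fix wherever the numbering plan permits it.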