Asterisk security advisory - AST-2010-002

obeliks
Posts: 878
Member Since:
2010-03-14

http://downloads.asterisk.org/pub/security/AST-2010-002.html

I know this is 4 months old but I could not find any mention of it in the forums.
It basically means if you are exposing port 5060 to the internet and allowing anonymous inbound sip calls you are guaranteed to incur significant expenses.



Astrosmurfer
Posts: 643
Member Since:
2009-12-28
In Theory...

In theory, most trixbox users should not have to worry about this. The whole idea of trixbox and FreePBX is to eliminate the need to be manually creating dial plans and allow the FreePBX GUI to do it. That being said, the present version of FreePBX in trixbox does not wrap dial plans in the Filter() function, as is recommended in the bulletin. Let's hope that changes in the near future.

But, before trixbox users start diddling with their dial plans, and really screw something up, there are two easy steps that completely mitigate this issue.

1. Unless you have external/remote extensions, you should not be port forwarding your VoIP protocols, specifically SIP(5060), IAX(4569) and in many cases SIP-RTP(10,000-20,000). Again, you should NOT forward.

2. Don't allow anonymous SIP. So many people can't get their gateways to work until they enable anonymous SIP. But, that just means that they have not configured it properly. Anonymous SIP is ONLY needed when you want strangers to be able to directly connect to your trixbox via SIP. It is NOT required to receive calls over a properly configured SIP trunk.


