Skip to end of metadata
Go to start of metadata

Dialplan Security

First and foremost remember this:

Icon

USE THE EXTENSION CONTEXTS TO ISOLATE OUTGOING OR TOLL SERVICES FROM ANY INCOMING CONNECTIONS.

You should consider that if any channel, incoming line, etc can enter an extension context that it has the capability of accessing any extension within that context.

Therefore, you should NOT allow access to outgoing or toll services in contexts that are accessible (especially without a password) from incoming channels, be they IAX channels, FX or other trunks, or even untrusted stations within you network. In particular, never ever put outgoing toll services in the "default" context. To make things easier, you can include the "default" context within other private contexts by using:

in the appropriate section. A well designed PBX might look like this:

Icon

DON'T FORGET TO TAKE THE DEMO CONTEXT OUT OF YOUR DEFAULT CONTEXT. There isn't really a security reason, it just will keep people from wanting to play with your Asterisk setup remotely.

  • No labels

2 Comments

  1. Andrew Latham

    Note that the extensions.conf and extensions.ael are both loaded by Asterisk and merged. Removing the demo from the extensions.conf will not automatically remove it from extensions.ael.

  2. Alexander Litnitskiy

    Try to avoid using "." or "!" in patterns. Because it will match ANY string including '&'.  So if you have e.g.

    exten => _NXXXXX.,1,Dial(SIP/mytrunk/${EXTEN})

    and somebody will dial "22222222222&SIP/mytrunk/0011111111111" Astersik will execute

    Dial(SIP/mytrunk/22222222222&SIP/mytrunk/0011111111111)

    And will dial both numbers silmutaneouly. Of course an attacker must know your trunk name, but it is very easy to guess or brute-force it.

    So it's better to use _XXXXXXXXXX instead of _XXXXX.