[cisco-voip] SIP port open on CCME by default?
Kelemen Zoltan
keli at carocomp.ro
Wed Jan 16 06:34:23 EST 2008
My tests so far show that
- by default SIP ports are open, even though nothing related shows up in
the configuration.
- the CCME will obediently route all incoming SIP calls, without any
authentication whatsoever (again, this is a default config, where you
might have been under the illusion that you had not configured anything
SIP related)
The SIP port /can be disabled/ explicitly, using:
(config)#sip-ua
(config-sip-ua)#no transport tcp
(config-sip-ua)#no transport udp
- similarly, H.323 is also running and wide open by default. To disable
it (if you don't need it, of course):
(config)#voice service voip
(conf-voi-serv)#h323
(conf-serv-h323)#call service stop
I'm well aware that there were a bunch of things we should have been
aware of and a bunch of things we should have done differently right
from the beginning, *but I still cannot believe that this can be an
acceptable default behavior on a CCME*.
In short, be /very/ aware of what you are running with a public IP, and
verify it, no matter what reason says.
regards,
Zoltan
PS. And a new (for me) Cisco command I've learned today :)
sh tcp brief all numeric
(netstat-like output)
Kelemen Zoltan wrote:
> Hi,
>
> We have a few CCME installations
>
> (Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version
> 12.4(11)T1, RELEASE SOFTWARE (fc5))
>
> and we had an unpleasant surprise when we found one of them was
> routing unknown calls like mad.
>
> It *seems* calls were entering through SIP, since the routers have
> public IPs.
>
> However, the router has no SIP related configuration whatsoever and SIP
> wasn't ever intended to be used on it. To our surprise, however,
> 5060/tcp, the SIP port was open on the router, and another CCME I have
> verified has it open as well (again, not configured for SIP)
>
> Is this normal to have the SIP port open?
>
> If so, is it possible to have unauthenticated calls injected into the
> CCME this way?
>
> And last but not least, how can it be turned off? (ACLs and/or
> firewalls can be used of course -- and we killed off the port like that
> -- but I was thinking of killing the service itself that keeps the port open)
>
> I have tried using "no" form of a few sip commands but it doesn't help
> and it doesn't appear in the config (thus I suppose they were off by
> default, anyway)
>
> thanks,
> Zoltan
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>
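As an added example, not part of Zoltan's message and not a Cisco tool: a small Python audit that checks a saved running-config for the two explicit disables described above (`no transport udp`/`no transport tcp` under `sip-ua`, and `call service stop` under `voice service voip` / `h323`) and flags VoIP ports that `show tcp brief all numeric` reports as LISTEN. The two configs and the `show tcp brief` output embedded below are constructed samples; the column layout assumed for that command (TCB, local address, foreign address, state, with the port as the last dotted element of the local address) is an assumption, as is treating 1720/tcp as the H.323 call-signalling port worth watching alongside 5060.

```python
"""Audit a CCME/IOS router for the default-enabled SIP and H.323 services.

Added example, not from the cisco-voip thread or from Cisco.  The configs and
the 'show tcp brief all numeric' text below are constructed samples; the
column layout assumed for that command is an assumption.
"""
import re

# Constructed sample: a CCME with no SIP/H.323 lines at all, i.e. the
# defaults the thread complains about (SIP and H.323 silently enabled).
DEFAULT_CONFIG = """\
!
version 12.4
hostname ccme-default
!
voice service voip
 allow-connections h323 to sip
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

# Constructed sample: the same box after the explicit disables.
HARDENED_CONFIG = """\
!
version 12.4
hostname ccme-hardened
!
voice service voip
 h323
  call service stop
!
sip-ua
 no transport udp
 no transport tcp
!
"""

# Constructed sample of 'show tcp brief all numeric' (layout is an assumption).
TCP_BRIEF_OPEN = """\
TCB       Local Address               Foreign Address             (state)
66A5B2D4  *.5060                      *.*                         LISTEN
66A5B3E8  203.0.113.10.22             198.51.100.7.51234          ESTAB
66A5B4FC  *.1720                      *.*                         LISTEN
"""

VOIP_PORTS = (5060, 1720)   # SIP (from the thread) and H.323 H.225 (assumed)


def parse_ios_config(text):
    """Turn an indented IOS config into nested dicts keyed by each stripped line.

    IOS indents sub-mode commands by one space per level, so indentation
    alone recovers the hierarchy (sip-ua -> no transport udp, etc.).
    """
    root = {}
    stack = [(-1, root)]          # (indent, node) along the current path
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue              # skip blank lines and '!' separators
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:
            stack.pop()           # climb back out to the parent level
        node = {}
        stack[-1][1][raw.strip()] = node
        stack.append((indent, node))
    return root


def audit_config(text):
    """Return findings; an empty list means both services are explicitly off."""
    tree = parse_ios_config(text)
    findings = []
    sip_ua = tree.get("sip-ua", {})
    for proto in ("udp", "tcp"):
        if f"no transport {proto}" not in sip_ua:
            findings.append(f"sip-ua: 'no transport {proto}' missing; "
                            f"SIP over {proto} stays enabled by default")
    h323 = tree.get("voice service voip", {}).get("h323", {})
    if "call service stop" not in h323:
        findings.append("voice service voip / h323: 'call service stop' "
                        "missing; H.323 stays enabled by default")
    return findings


def listening_ports(tcp_brief_text):
    """Ports in LISTEN state from 'show tcp brief all numeric' output."""
    ports = set()
    for line in tcp_brief_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "LISTEN":
            continue              # header line, or an established session
        m = re.search(r"\.(\d+)$", fields[1])   # local address is host.port
        if m:
            ports.add(int(m.group(1)))
    return ports


def exposed_voip_ports(tcp_brief_text, watch=VOIP_PORTS):
    """VoIP signalling ports the router is actually listening on."""
    return sorted(p for p in listening_ports(tcp_brief_text) if p in watch)


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["ok"])
    print("listening VoIP ports:", exposed_voip_ports(TCP_BRIEF_OPEN))
```

Run it against `show running-config` and `show tcp brief all numeric` captured from a real box; the config check tells you whether the disables are present, the socket check confirms what the router is actually listening on, which is the verification step the message above recommends regardless of what the config suggests.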