[cisco-voip] SIP port open on CCME by default?

Kelemen Zoltan keli at carocomp.ro
Wed Jan 16 06:34:23 EST 2008


My tests so far show that
- by default SIP ports are open, even though nothing related shows up in 
the configuration.
- the CCME will obediently route all incoming SIP calls, without any 
authentication whatsoever (again, this is a default config, where you 
might have been under the illusion that you had not configured anything 
SIP-related)

SIP port /can be disabled/ explicitly, using:
(config)#sip-ua
(config-sip-ua)#no transport tcp
(config-sip-ua)#no transport udp

- Similarly, H.323 is also running and wide open by default. To disable 
it (if you don't need it, of course):
(config)#voice service voip
(conf-voi-serv)#h323
(conf-serv-h323)#call service stop

I'm well aware that there were a bunch of things we should have been 
aware of and a bunch of things we should have done differently right 
from the beginning, *but I still cannot believe that this can be an 
acceptable default behavior on a CCME*.

In short, be /very/ aware of what you are running with a public IP, and 
verify it, no matter what reason says.

regards,
Zoltan

PS. And a new (for me) Cisco command I've learned today :)
sh tcp brief all numeric
(netstat-like output)


Kelemen Zoltan wrote:
> Hi,
>
> We have a few CCME installations
>
> (Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 
> 12.4(11)T1, RELEASE SOFTWARE (fc5))
>
> and we had an unpleasant surprise when we found one of them was 
> routing unknown calls like mad.
>
> It *seems* calls were entering through SIP, since the routers have 
> public IPs.
>
> However, the router has no SIP-related configuration whatsoever and SIP 
> wasn't ever intended to be used on it. To our surprise, however, 
> 5060/tcp, the SIP port, was open on the router, and another CCME I have 
> verified has it open as well (again, not configured for SIP).
>
> Is this normal to have the SIP port open?
>
> If so, is it possible to have unauthenticated calls injected into the 
> CCME this way?
>
> And last but not least, how can it be turned off? (ACLs and/or 
> firewalls can be used of course -- and we killed off the port like that 
> -- but I was thinking of killing the service itself that keeps the port open)
>
> I have tried using the "no" form of a few SIP commands, but it doesn't help 
> and it doesn't appear in the config (thus I suppose they were off by 
> default anyway)
>
> thanks,
>   Zoltan
> _______________________________________________
> cisco-voip mailing list
> cisco-voip at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-voip
>   
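
The thread's advice is to verify from the outside what a router with a 
public IP is really running. A TCP connect (or nmap) only shows that 
5060 is open; sending a SIP OPTIONS request shows whether a SIP user 
agent is actually processing messages on that port, over UDP as well as 
TCP, and whether it challenges the sender for credentials. The following 
Python probe is an added example for that check; it is not code from 
the thread and not a Cisco tool. It assumes a fictional target 
203.0.113.5 and a fictional local address 192.0.2.10 (both documentation 
ranges), and the sample replies in the comments and test are constructed, 
not captured from a CCME.

```python
"""Probe a host for a SIP user agent with an OPTIONS request (RFC 3261).

Added example, not from the mailing-list thread. Target and local
addresses below are placeholders; replace them with your own.
"""
from __future__ import annotations

import random
import socket
import string

LOCAL_IP = "192.0.2.10"      # assumption: the probing host's address
LOCAL_PORT = 5060


def _token(n: int = 12) -> str:
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=n))


def build_options(target_ip: str, target_port: int = 5060,
                  transport: str = "UDP") -> bytes:
    """Build a minimal but well-formed SIP OPTIONS request."""
    branch = "z9hG4bK" + _token()   # RFC 3261 magic cookie + unique branch
    lines = [
        f"OPTIONS sip:{target_ip}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/{transport} {LOCAL_IP}:{LOCAL_PORT};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{LOCAL_IP}>;tag={_token(8)}",
        f"To: <sip:{target_ip}:{target_port}>",
        f"Call-ID: {_token(16)}@{LOCAL_IP}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{LOCAL_IP}:{LOCAL_PORT}>",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status(reply: bytes) -> tuple[int, str, dict[str, str]]:
    """Return (status code, reason phrase, headers) from a SIP response."""
    head, _, _ = reply.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0":
        raise ValueError(f"not a SIP/2.0 status line: {lines[0]!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def classify(reply: bytes | None) -> str:
    """Turn a raw reply (or None for no reply) into a one-line verdict."""
    if reply is None:
        return "no reply (closed, filtered, or UDP silently dropped)"
    code, reason, headers = parse_status(reply)
    server = headers.get("server", headers.get("user-agent", "unknown"))
    if 200 <= code < 300:
        # Answered without a challenge: the UA is up and talking to strangers.
        return f"listening, answered without challenge ({server})"
    if code in (401, 407):
        return f"listening, authentication required ({server})"
    return f"listening, replied {code} {reason} ({server})"


def probe(target_ip: str, port: int = 5060, transport: str = "udp",
          timeout: float = 2.0) -> str:
    """Send the OPTIONS request on the wire and classify the answer.

    Sends real packets; only run against hosts you are allowed to test.
    """
    req = build_options(target_ip, port, transport.upper())
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(req, (target_ip, port))
            try:
                data, _ = s.recvfrom(65535)
            except socket.timeout:
                return classify(None)
    else:
        with socket.create_connection((target_ip, port), timeout=timeout) as s:
            s.sendall(req)
            data = s.recv(65535)
            if not data:          # port open but no SIP answer
                return classify(None)
    return classify(data)


if __name__ == "__main__":
    # Placeholder target; both transports, because the thread's fix
    # has to disable each of them separately ("no transport udp/tcp").
    for t in ("udp", "tcp"):
        print(f"203.0.113.5:5060/{t}: {probe('203.0.113.5', transport=t)}")
```

A 200 OK to OPTIONS without a challenge matches what the thread observed 
(a SIP stack that answers anyone), but it does not by itself prove that 
INVITEs are routed to the PSTN; it tells you the service is exposed and 
worth shutting down or filtering. Run the probe again after `no transport 
udp` / `no transport tcp` under `sip-ua`, and once more after adding the 
ACL, to confirm both transports really went away.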
