<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Kelemen,<br>
<br>
I only work with IOS occasionally but do know that SIP ports are open
by default. Some more information on the SIP service and disabling is
available in the announcement here:<br>
<a class="moz-txt-link-freetext" href="http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml#@ID">http://www.cisco.com/warp/public/707/cisco-sa-20070131-sip.shtml#@ID</a><br>
<br>
It's in the workaround section, in case it doesn't come through in the link.<br>
<br>
/Wes<br>
<br>
Kelemen Zoltan wrote:
<blockquote cite="mid:478DEBBF.5050607@carocomp.ro" type="cite">
<pre wrap="">My tests so far show that
- by default SIP ports are open, even though nothing related shows up in
the configuration.
- the CCME will obediently route all incoming SIP calls, without any
authentication whatsoever (again, this is a default config, where you
might have been in the illusion, that you had not configured anything
SIP related)
The SIP port /can be disabled/ explicitly, using:
(config)#sip-ua
(config-sip-ua)#no transport tcp
(config-sip-ua)#no transport udp
- similarly, H.323 is also running and wide open by default. To disable
it (if you don't need it, of course):
(config)#voice service voip
(conf-voi-serv)#h323
(conf-serv-h323)#call service stop
I'm well aware that there were a bunch of things we should have been
aware of and a bunch of things we should have done differently right
from the beginning, *but I still cannot believe that this can be an
acceptable default behavior on a CCME*.
In short, be /very/ aware of what you are running with a public IP, and
verify it, no matter what reason says.
regards,
Zoltan
PS. And a new (for me) Cisco command I've learned today :)
sh tcp brief all numeric
(netstat like output)
Kelemen Zoltan wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
We have a few CCME installations
(Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version
12.4(11)T1, RELEASE SOFTWARE (fc5))
and we had an unpleasant surprise when we found one of them was
routing unknown calls like mad.
It *seems* calls were entering through SIP, since the routers have
public IPs.
However, the router has no SIP related configuration whatsoever and SIP
wasn't ever intended to be used on it. To our surprise, however,
5060/tcp, the SIP port was open on the router, and another CCME I have
verified has it open as well (again, not configured for SIP).
Is this normal to have the SIP port open?
If so, is it possible to have unauthenticated calls injected into the
CCME this way?
And last but not least, how can it be turned off? (ACLs and/or
firewalls can be used of course -- and we killed off the port like that
-- but I was thinking killing the service itself that keeps the port open)
I have tried using the "no" form of a few SIP commands, but it doesn't help,
and it doesn't appear in the config (thus I suppose they were off by
default, anyway).
thanks,
Zoltan
_______________________________________________
cisco-voip mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a>
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
cisco-voip mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a>
<a class="moz-txt-link-freetext" href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a>
</pre>
</blockquote>
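As an added example (not part of this thread, and not Cisco's own tooling), the two checks Zoltan describes, in Python: an audit of a saved running-config for the explicit sip-ua / h323 disable commands, and a parse of `sh tcp brief all numeric` output for wildcard listeners on the SIP port. The config samples, the show output and its TCB handles are constructed; port 1720 (H.225 call signalling for H.323) is not mentioned in the thread and is an addition here.

```python
# Constructed hardened running-config fragment containing exactly the commands
# from the thread (not taken from any real device).
HARDENED_CONFIG = "\n".join([
    "voice service voip", " h323", "  call service stop", "!",
    "sip-ua", " no transport udp", " no transport tcp", "!"])
# Constructed untouched default: nothing SIP/H.323 related shows up at all, yet
# both services are still listening, which is the surprise the thread describes.
DEFAULT_CONFIG = "hostname ccme-branch\n!\n"
# Constructed `sh tcp brief all numeric` output in its netstat-like layout
# (TCB handles and addresses are made up).
SHOW_TCP_BRIEF = "\n".join([
    "TCB       Local Address      Foreign Address      (state)",
    "6523A4FC  *.5060             *.*                  LISTEN",
    "65A1B2C3  *.1720             *.*                  LISTEN",
    "64F0E1D2  192.0.2.10.23      198.51.100.7.51234   ESTAB"])
# 5060 is the SIP port from the thread; 1720 is H.225 call signalling for H.323.
VOIP_SIGNALING_PORTS = {5060: "SIP", 1720: "H.323"}

def _block(lines, header):
    """Lines nested (more deeply indented) under `header`, or [] if it is absent."""
    for i, line in enumerate(lines):
        if line.strip() == header:
            depth = len(line) - len(line.lstrip())
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= depth:
                    break
                body.append(nxt)
            return body
    return []

def audit_voip_defaults(config):
    """True per service only when the config disables it explicitly, as in the thread."""
    lines = config.splitlines()
    sip = [x.strip() for x in _block(lines, "sip-ua")]
    h323 = [x.strip() for x in _block(_block(lines, "voice service voip"), "h323")]
    return {"sip_tcp_disabled": "no transport tcp" in sip,
            "sip_udp_disabled": "no transport udp" in sip,
            "h323_disabled": "call service stop" in h323}

def exposed_voip_listeners(show_tcp_output):
    """Map port -> protocol for each wildcard LISTEN socket on a known signalling port."""
    found = {}
    for line in show_tcp_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 4 and fields[3] == "LISTEN":
            port = int(fields[1].rsplit(".", 1)[1])
            if port in VOIP_SIGNALING_PORTS:
                found[port] = VOIP_SIGNALING_PORTS[port]
    return found
```

Run the audit against a saved `show running-config` and the listener check against saved `sh tcp brief all numeric` output; a device that passes the first but fails the second is the situation the thread describes.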
</body>
</html>