Callback FAQ: Difference between revisions

From voipsupport
(Created page with "===Q. What are the prerequisites for using the callback script?=== There are no additional prerequisites beyond those needed for Asterisk and FreePBX. If you use the CALLBACK...")
 
No edit summary
Line 5: Line 5:
===Q. Are there security implications in using the callback script?===
===Q. Are there security implications in using the callback script?===


The use of callback potentially opens up functions of your system which are normally reserved to internal users, it is important to thoroughly test your callback configuration.


The CALLBACK_ALLOWED configuration can help to increase security by restricting the numbers which will be called back.


The script is provided "as-is" without any kind of warranty. I'm happy to receive feedback and correct issues that are found in the script. Because the use of callback potentially opens up functions of your system which are normally reserved to internal users, it is important to thoroughly test your callback configuration. If you use the mysql lookup available from version 0.4 please be aware that the this means the db has to be available for the callback to succeed and therefore adds an additional point of failure/availability requirement. Also, use of a mysql database to read allowable callback numbers has security implications, since you open callback up to whoever is able to write into the sql table you are using. You should test the query thoroughly to ensure that it does not return rows in the case of unknown numbers or unauthorized numbers. The use of the CALLBACK_ALLOWED parameter is only secure if the callerid you receive comes from a trusted source. If your provider that does not guard against spoofing of callerids on incoming calls then CALLBACK_ALLOWED will not protect you fully. As a further precaution, where the callback destination is DISA, consider using a further level of protection via a PIN code which can be set up in Freepbx GUI.
If you use the MySQL database to store allowed callback numbers then you open callback up to whoever is able to write into the sql table you are using. You should test the query thoroughly to ensure that it does not return rows in the case of unknown numbers or unauthorized numbers.  
 
The use of the CALLBACK_ALLOWED parameter is only secure if the callerid you receive comes from a trusted source. If your provider that does not guard against spoofing of callerids on incoming calls then CALLBACK_ALLOWED will not protect you fully.  
 
As a further precaution, where the callback destination is DISA, consider using a further level of protection via a PIN code which can be set up in FreePBX GUI.
 
===When reporting a problem what information should I provide?===
 
Please see [[Callback Support|here]]
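Review bot: the new CALLBACK_ALLOWED paragraph keeps the broken sentence "If your provider that does not guard against spoofing of callerids", which should read "If your provider does not guard against spoofing". Splitting the old single paragraph also drops its statement that the MySQL lookup is available from version 0.4 and the sentence that the script is provided "as-is" without warranty. If both still apply, restore them in the relevant answer. The added heading "When reporting a problem what information should I provide?" also lacks the "Q." prefix used by the other question headings.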

Revision as of 15:07, 13 June 2016

Q. What are the prerequisites for using the callback script?

There are no additional prerequisites beyond those needed for Asterisk and FreePBX. If you use the CALLBACK_ALLOWED configuration to point to a database, that introduces an additional requirement for call processing: the database must be available.

Q. Are there security implications in using the callback script?

Callback potentially opens up functions of your system that are normally reserved for internal users, so it is important to test your callback configuration thoroughly.

The CALLBACK_ALLOWED configuration can help to increase security by restricting the numbers which will be called back.

If you use a MySQL database to store allowed callback numbers, you open callback up to whoever is able to write to the SQL table you are using. You should test the query thoroughly to ensure that it does not return rows for unknown or unauthorized numbers.
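One way to run that test offline, as an added example that is not part of the callback script: it audits two candidate lookup queries against caller IDs that must never match. The table name, columns, sample numbers and both queries are assumptions, and Python's built-in sqlite3 stands in for MySQL, so the query syntax is SQLite's.

```python
import sqlite3

# Hypothetical allow-list table; the script's real schema is not shown on this page.
SCHEMA = "CREATE TABLE callback_allowed (callerid TEXT, enabled INTEGER)"
# Constructed sample rows, including bad data that tends to creep into such tables:
# a disabled number, an empty string and a NULL.
ROWS = [("441632960001", 1), ("441632960002", 0), ("", 1), (None, 1)]

# Loose query (assumed, for contrast): substring match that ignores the enabled flag.
LOOSE = "SELECT callerid FROM callback_allowed WHERE callerid LIKE '%' || ? || '%'"
# Strict query (assumed): exact match on a non-empty, enabled number.
STRICT = ("SELECT callerid FROM callback_allowed "
          "WHERE callerid = ? AND callerid <> '' AND enabled = 1")

# Constructed caller IDs that must never return a row: empty, withheld, a fragment
# of an allowed number, a disabled number, an over-long number, LIKE wildcards.
MUST_REJECT = ["", "anonymous", "1632", "441632960002", "4416329600019", "%", "_" * 12]
# Constructed caller ID that must return a row.
MUST_ALLOW = ["441632960001"]


def make_db():
    """Build an in-memory database holding the constructed allow-list."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO callback_allowed VALUES (?, ?)", ROWS)
    return db


def audit(db, query):
    """Return (wrongly_allowed, wrongly_rejected) caller IDs for a lookup query."""
    def hits(cid):
        return db.execute(query, (cid,)).fetchall()
    wrongly_allowed = [c for c in MUST_REJECT if hits(c)]
    wrongly_rejected = [c for c in MUST_ALLOW if not hits(c)]
    return wrongly_allowed, wrongly_rejected


if __name__ == "__main__":
    db = make_db()
    for name, query in (("loose", LOOSE), ("strict", STRICT)):
        bad, missing = audit(db, query)
        print(f"{name}: wrongly allowed={bad!r} wrongly rejected={missing!r}")
```

Swap in the query you actually configured and extend both lists with the number formats your provider delivers. Any entry reported as wrongly allowed is a caller ID that would trigger a callback.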

The CALLBACK_ALLOWED parameter is only secure if the caller ID you receive comes from a trusted source. If your provider does not guard against spoofing of caller IDs on incoming calls, then CALLBACK_ALLOWED will not protect you fully.

As a further precaution, where the callback destination is DISA, consider adding another level of protection with a PIN code, which can be set up in the FreePBX GUI.

When reporting a problem, what information should I provide?

Please see the Callback Support page.