Am 13.04.2010 10:47, schrieb Gordon Henderson: > I'd strongly disagree with this. (And I was the OP of this thread and had > my home/office network connection taken down due to it) > > But then, I'm an old worldy Unix sysadmin and the philosophy of having a > program do one thing well is still etched into my core... > > http://en.wikipedia.org/wiki/Unix_philosophy > > So get asterisk to do what it does well, then get something else that does > what you need to do just as well - built-in to Linux are the iptables > firewall rules. Use them! They are very effective and do work. (And you > have a choice!) > > The biggest issue I see is that people are installing Asterisk and other > high-level applications on top of Linux (and other *nix'es) without the > experience of "sysadmin" - then when something goes wrong they want the > application to fix it rather than apply some basic and pretty fundamental > sysadmin techniques to solve the issue. > > And that means that even having permit= and deny= in sip.conf and > iax.conf, etc. is too much. With proper OS level firewalling they're > simply not needed and do nothing more than add another potential point of > failure and add yet more code to maintain. > > Gordon > > I definitely do to agree with Gordon!
"If you have to get your car over a river, try to find a bridge or ferry instead of trying to teach the car swimming" O.k., maybe this was a bit polemic. But in some way, it reminds me of Linux. What I really love ist the very high flexibility. And I definitely can see Gordon's point, not adding functionality to programs which somehow "doesn't belong there". My thought is: It's very easy to write a program/script which connects to any random IP:port adress and sends packets there. Regardless if the remote side is responding or not. This way you can easily eat up the remote side's bandwith and/or data volume limit. And there's nothing the remote side can do against it except pulling the plug. If someone is sending millions of registers triyng to find an entry into a phone server, the problem is related to asterisk. But as soon as a firewall can block that, (or even as long as asterisk's security is strong enough to not let them in), the issue is NOT related to asterisk any more. From that moment on it is reduced to a "bandwith eat-up problem" and "belongs" to the area of network administration. This moves into the direction of an academic discussion titled "what can I do if someone else eats up my bandwith/data-volume-limit? " My 2 cents.. BTW, the good news: had no attack here within the last 48 hours. I implemented the iptables rules to drop packets from various adress ranges. But log them first. I'd like to see if the bot is continuing if it doen't get any reponses or if it gives up. But no attack so far.... Norbert -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
