Re: [asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
On Wed, 15 Jan 2014, Patrick Lists wrote: Would you mind sharing where you get the per country IP ranges from? I confess I 'brute forced' it by entering '/8s' into ARIN's web page and noting if the block had been assigned to a 'foreign' NIC -- not really a reliable and robust methodology, but it worked for me. A great way to kill time while on hold for customer dis-service. -- Thanks in advance, - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000 -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
Hi Steve, On 15-01-14 18:53, Steve Edwards wrote: On Wed, 15 Jan 2014, Patrick Lists wrote: Would you mind sharing where you get the per country IP ranges from? I confess I 'brute forced' it by entering '/8s' into ARIN's web page and noting if the block had been assigned to a 'foreign' NIC -- not really a reliable and robust methodology, but it worked for me. If it works... :-) A great way to kill time while on hold for customer dis-service. Definitely. If any of the calls lasted more than entering 20 /8s I hope it was to cancel the service. I found another solution: install the geoip kernel module from xtables-addons, install the MaxMind GeoIP country database and add some rules to the iptables config to block a country. Regards, Patrick -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
On 14 Jan 2014, at 02:19, Patrick Lists asterisk-l...@puzzled.xs4all.nl wrote: Thanks for your feedback Paul. The not having outbound trunks is going to be a challenge. Why? it’s what contexts were invented for. Steve -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
Hi Steve, On 14-01-14 10:39, Steven Howes wrote: On 14 Jan 2014, at 02:19, Patrick Lists asterisk-l...@puzzled.xs4all.nl wrote: Thanks for your feedback Paul. The not having outbound trunks is going to be a challenge. Why? it’s what contexts were invented for. Yes that is indeed what they are for but in the case they find a loophole or exploit a bug then not having outbound trunks is much safer. Regards, Patrick -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
On Tue, 14 Jan 2014, Patrick Lists wrote: ...I guess I'll cook up some dialplan logic that records IP addresses, keeps track of the amount of failed password attempts etc. and block the offending IP addresses... A few iptables rules can protect you from access from China, North Korea, Iran, Iraq, xxxistan, Russia, Nigeria, and any other country you're not expecting calls from. Eliminate 90% of the problem at the front door and you can focus more clearly on the remaining 10%. -- Thanks in advance, - Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000 -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
Hi Steve, On 15-01-14 02:44, Steve Edwards wrote: On Tue, 14 Jan 2014, Patrick Lists wrote: ...I guess I'll cook up some dialplan logic that records IP addresses, keeps track of the amount of failed password attempts etc. and block the offending IP addresses... A few iptables rules can protect you from access from China, North Korea, Iran, Iraq, xxxistan, Russia, Nigeria, and any other country you're not expecting calls from. Eliminate 90% of the problem at the front door and you can focus more clearly on the remaining 10%. Yes that's one of the tricks in my bag. Unfortunately it seems that the IP ranges from ip-deny.com are no longer available and even their website has disappeared. Would you mind sharing where you get the per country IP ranges from? Regards, Patrick -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
Hi all, I'm looking into adding the ability to call me at m...@mydomain.org on my Asterisk 11 box. Does anyone have any tips or dialplan snippets to allow this kind of access as securely as possible? Thanks, Patrick -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
On Mon, Jan 13, 2014 at 9:24 AM, Patrick Lists asterisk-l...@puzzled.xs4all.nl wrote: Hi all, I'm looking into adding the ability to call me at m...@mydomain.org on my Asterisk 11 box. Does anyone have any tips or dialplan snippets to allow this kind of access as securely as possible? Well, if you want anybody to call you, you need to leave it open to the public. Meaning, you can't really secure it. Obviously, don't have any outbound trunks configured on the box so that the only location some could dial would be your extension. -- Paul Belanger | PolyBeacon, Inc. Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode) Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Allowing calls to m...@mydomain.org securely on Asterisk 11 box?
On 14-01-14 02:36, Paul Belanger wrote: On Mon, Jan 13, 2014 at 9:24 AM, Patrick Lists asterisk-l...@puzzled.xs4all.nl wrote: Hi all, I'm looking into adding the ability to call me at m...@mydomain.org on my Asterisk 11 box. Does anyone have any tips or dialplan snippets to allow this kind of access as securely as possible? Well, if you want anybody to call you, you need to leave it open to the public. Meaning, you can't really secure it. Obviously, don't have any outbound trunks configured on the box so that the only location some could dial would be your extension. Thanks for your feedback Paul. The not having outbound trunks is going to be a challenge. So next to fail2ban I guess I'll cook up some dialplan logic that records IP addresses, keeps track of the amount of failed password attempts etc. and block the offending IP addresses together with max simultaneous outband calls and anything else I can think of to beef up security and limit potential damage. Thanks, Patrick -- _ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users