Hi All

For the scenario of a single asterisk server that needs to serve clients on the net, as well as local office clients, I would be very interested in people's views of the best method to handle security to prevent net based attacks while still allowing the client access.

Some of the challenges I see are:
- preventing brute force and bot type attacks
- monitoring for unusual events and notifying and acting appropriately
- limiting damage if someone does get in
- avoiding a Denial or degradation of service on your asterisk platform
- making it easy for staff to use

Some of this can be done with
- firewall control - but it's hard to limit where your clients will come from, besides restricting ports
- scripts monitoring logs, I saw a recipe for checking password failures then blocking that ip after x failures, I imagine this could get quite sophisticated
- using separate restrictions for offnet users but this kind of makes it harder for the staff members.
- using a proxy in front of asterisk for SIP, to limit the available extensions and minimise the scanning impact on the asterisk box. I am hoping this could detect and prevent illegitimate or poorly formed requests or unknown user agents. Staff should be using a standard set.
- using iax softclients to shift the attack requirements - I don't know much about how well these work
- running all clients over a vpn e.g. open vpn, but this is not so good for wireless handsets or other devices that can't do a vpn

I am interested in all views and recommendations

Thanks very much

Cheers
Duncan
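The log-monitoring idea in the message above (block an IP after x password failures), sketched as an added example that is not part of the original post or of Asterisk itself. It assumes chan_sip "Registration ... failed" NOTICE lines, `dateformat=%F %T` in logger.conf, and an office subnet of 192.168.0.0/16; the function name `offenders`, the thresholds and the sample log are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges), in chronological order.
# Assumption: timestamps use logger.conf dateformat=%F %T.
SAMPLE_LOG = """\
[2010-06-01 11:00:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.33' - Wrong password
[2010-06-01 11:30:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.33' - Wrong password
[2010-06-01 12:00:01] NOTICE[2345] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[2010-06-01 12:00:03] NOTICE[2345] chan_sip.c: Registration from '"105" <sip:105@203.0.113.10>' failed for '192.168.1.20' - Wrong password
[2010-06-01 12:00:04] NOTICE[2345] chan_sip.c: Registration from '"105" <sip:105@203.0.113.10>' failed for '192.168.1.20' - Wrong password
[2010-06-01 12:00:05] NOTICE[2345] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[2010-06-01 12:00:06] NOTICE[2345] chan_sip.c: Registration from '"105" <sip:105@203.0.113.10>' failed for '192.168.1.20' - Wrong password
[2010-06-01 12:00:07] NOTICE[2345] chan_sip.c: Registration from '"900" <sip:900@203.0.113.10>' failed for '203.0.113.50:5060' - No matching peer found
[2010-06-01 12:00:09] NOTICE[2345] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[2010-06-01 12:30:00] NOTICE[2345] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.33' - Wrong password
"""

# The From field is client-controlled. The greedy '.*' makes the LAST
# "failed for" on the line (the one Asterisk wrote) supply the IP, so text
# planted in a From header cannot get some other address blocked.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\].*?: Registration from '.*' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$")

def offenders(log_text, max_failures=3, window=timedelta(minutes=5),
              trusted=("192.168.0.0/16",)):
    """Return {ip: time threshold was hit} for IPs to hand to the firewall."""
    trusted_nets = [ipaddress.ip_network(n) for n in trusted]
    recent = defaultdict(deque)   # ip -> failure times inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:        # matched the pattern but is not a valid IP
            continue
        if any(ip in net for net in trusted_nets):
            continue              # never lock out the office LAN
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop failures older than the window
            hits.popleft()
        if len(hits) >= max_failures:
            flagged.setdefault(str(ip), ts)
    return flagged
```

The returned addresses are candidates for a firewall drop rule; the sliding window keeps a staff member who mistypes a password a few times over a day from being blocked.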