Dear Brett
Many thanks for your comment. Any method that reads logs to detect a failed auth may be suitable; fail2ban does this, or just reading files from the logs directory (register and messages files) to know if there were any refused attempts and then block the src IP. With any script that works on this, the IP the attempts come from could be found:

    cat /etc/asterisk/messages | grep Reg | grep @my.domain

or

    cat /etc/asterisk/messages | grep Reg | grep my.ip.add.res

Processing it, the IP could be added to the iptables rules to block it...

In this process, as always, first we must choose the path to follow, from two possible ones to implement.

1) Closed networks: deny all, enable some hosts to connect. Simple, not flexible, not suitable for continuously changing networks.

2) Open networks: accept all; we must detect intrusions + attacks and deny every IP for any attack detected or not trusted. It needs much intelligence, resources and effort to identify and block anything that seems dangerous.

This brief comment was aimed at helping some guys who were trying to get some iptables conf working to avoid undesired connections.

In short: YES... public DDNS services have some delay in refreshing the cache. There is no doubt about that.

> From my own experience: I have a DNS server of my own on a fixed IP, but some
> PBXs from some customers are pointed through DDNS servers to my switch,
> using no-ip, and they are connected by cable modem with DHCP. When the IP
> changes it takes a few minutes; yes, it's quite slow. But it's so SIMPLE,
> SO CHEAP and does not require advanced knowledge; I think that it is a
> suitable way to connect some SIP users that don't have a fixed IP, but this
> has some delay to update changes.

A surely better solution, more effective and fast, could be to make a kind of simple DDNS service running on your own server; any TCP client just needs to open a TCP connection to your server reporting user and pass, and the server then catches the source IP, ...

It will be an automated version, so fast and reliable, but it needs more expertise, like programming, beyond those who were asking about basic iptables options to avoid calls from undesired IPs.

Without going so far, you ALSO CAN USE A FORM OVER AN HTTPS SERVER CONNECTION for something like a login, THAT WILL START THE SCRIPT FOR RENEWING after the form is sent; the action started by the CGI just must include the same, the action to reload modules after renewing the IPs.

Yes, it's not automatic, but it really works too. It is fast and gives a cheap way to get closer TO a "closed network", but in an open environment, because any user authenticates using a secure tunnel to send the usr and pss and with that updates the IP for the peer, but it will require user action, like I said earlier.

All this is a mix, branded with less expensive options, to bring up something to get better..

Marcos
Thanks again

> From: [email protected]
> To: [email protected]
> Subject: Re: [asterisk-biz] 87.230.80.186
> Date: Sun, 27 Jun 2010 21:15:02 -0500
> CC: [email protected]; [email protected];
> [email protected]
>
> Yow,
> Sorry list for the trigger happy reply...
>
> What I was saying is that it's an interesting idea but I think DNS
> caching will make it not really feasible.
>
> For me fail2ban + good passwords works as a really good system where a
> VPN can't be used.
>
>
> -Brett
>
> On Jun 27, 2010, at 9:10 PM, Brett Nemeroff
> <[email protected]> wrote:
>
> > Interesting idea, but I think DNS caching will make this not really
> > usable.
> >
> >
> > For me, fail2
> >
> >
> >
> > On Jun 27, 2010, at 8:54 PM, Calleasy BsAS <[email protected]>
> > wrote:
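The log-reading approach described in the message above, as an added example that is not part of the original post or anyone's code in the thread: it counts failed SIP registrations per source address and prints, without running them, the iptables rules that would block repeat offenders while skipping trusted peers. The log line format, the threshold of 3, the trusted-address argument and every address (RFC 5737 documentation ranges) are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample lines in the chan_sip "Registration ... failed" style
# (assumed format); all addresses are RFC 5737 documentation addresses.
sample_log() {
cat <<'EOF'
[Jun 27 20:50:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@my.domain>' failed for '203.0.113.5' - Wrong password
[Jun 27 20:50:02] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@my.domain>' failed for '203.0.113.5' - No matching peer found
[Jun 27 20:50:03] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@my.domain>' failed for '203.0.113.5' - Wrong password
[Jun 27 20:51:10] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@my.domain>' failed for '198.51.100.7' - Wrong password
[Jun 27 20:51:15] VERBOSE[2101] chan_sip.c: Registered SIP '200' at 198.51.100.7 port 5060
[Jun 27 20:52:00] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@my.domain>' failed for '192.0.2.10' - Wrong password
[Jun 27 20:52:01] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@my.domain>' failed for '192.0.2.10' - Wrong password
[Jun 27 20:52:02] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@my.domain>' failed for '192.0.2.10' - Wrong password
EOF
}

# usage: failed_reg_ips MIN "TRUSTED_IP ..." < logfile
# Prints "count ip" for every untrusted source with at least MIN failures.
failed_reg_ips() {
  awk -v min="$1" -v trusted="$2" '
    BEGIN { k = split(trusted, t, " "); for (i = 1; i <= k; i++) skip[t[i]] = 1 }
    # "failed for " plus the opening quote is 12 characters; the IP follows it
    /Registration from/ && match($0, /failed for .[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
      ip = substr($0, RSTART + 12, RLENGTH - 12)
      if (!(ip in skip)) n[ip]++
    }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' | sort -k2,2
}

# Turn "count ip" lines into iptables commands; printed for review, not run.
block_rules() {
  while read -r count ip; do
    echo "iptables -I INPUT -s $ip -j DROP"
  done
}

# One mistyped password (198.51.100.7) stays below the threshold and the
# trusted peer (192.0.2.10) is never listed, whatever its failure count.
sample_log | failed_reg_ips 3 "192.0.2.10" | block_rules
```

The trusted list is what keeps this "open network" filter from locking out a known customer PBX that retries with a stale password.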
