Then I would think IPtables should work just fine for you. You have local access to the * box? Even a simple NAT should probably work OK with a little config tweaking.
Have a look here http://swik.net/iptables+sip

Thanks,
Steve

On Thu, Jun 12, 2008 at 7:03 AM, Mark Adams <[EMAIL PROTECTED]> wrote:
> Thanks for the response.
>
> I have a Tellabs 8813 switch provided by Time Warner. No, I currently do not have access to the switch. I am in the process of converting from analog-based dialers using Dialogic hardware to Asterisk/Vicidial systems.
>
> I am strictly placing SIP calls to my termination provider. I do not use the Linux box for anything else. This fiber connection is dedicated to SIP G.729 calls entirely.
>
> Yes, the fiber terminates directly to the switch.
>
> There are 6 analog-to-VoIP gateways (AudioCodes and Mediatrix) and 1 Asterisk server. The gateways and 1 Asterisk server are connected to the Tellabs switch; security was never an issue because for the last 2 years we only connected analog-to-VoIP gateways to the open fiber connection.
>
> Now we want to get out of the Dialogic junk and replace those systems with Asterisk servers. Security has become troublesome while testing the first 50-80 channel server we have.
>
> Our Asterisk server has Fedora 8, X Windows, Asterisk 1.4 I believe.
>
>
> Mark
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Totaro
> Sent: Thursday, June 12, 2008 6:40 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] aSTERISK / Vicidial systems over 4MB fiber
>
> What services do you need exposed to the internet and on what machines?
>
> Does the fiber just terminate into your "switch" then? What type of switch? Can you get access to the switch? If so you can probably create access control lists.
>
> You could put your own router in front to act as a firewall and/or NAT and add your own ACLs.
>
> As already suggested, turn off all unused services. Do not use some all-in-one rolled-up ISO such as Trixbox. Change your ssh port.
>
> If at all possible, use OpenVPN (or whatever VPN) to connect all the machines together, as well as trusted clients, then block all traffic in your ACLs (or firewall) except VPN, NTP, DNS, HTTP, and whatever I am missing.
>
> BTW I am no security expert. I had a box compromised exactly as you described but the IRC junk was pegging the CPU, not Asterisk.
>
> Thanks,
> Steve
>
> On Thu, Jun 12, 2008 at 4:23 AM, Mark Adams <[EMAIL PROTECTED]> wrote:
>> I appreciate the responses thus far but I am looking to find out what type of security I should implement for the future. Being new to Linux, not to mention Asterisk, I didn't realize that someone could brute force into the box and upload crap. With that in mind it seems that I would want to get a hardware firewall such as a HotBrick or a SonicWall firewall.
>>
>> My situation seems unique because I am not using a router even at this point. I was given a sheet of IP addresses and was told just to provision by devices with the given IPs and they would handle the rest. My devices are hooked directly to their switch in my location.
>>
>> This hasn't been an issue up until now because I only had analog (Mediatrix and AudioCodes 24-port gateways x 4) connected to the switch. Now I am going to a software-based dialer (i.e. Asterisk/Vicidial) and have run into these problems.
>>
>> Thanks again,
>>
>> Mark
>>
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Steve Edwards
>> Sent: Wednesday, June 11, 2008 11:25 PM
>> To: Asterisk Users Mailing List - Non-Commercial Discussion
>> Subject: Re: [asterisk-users] aSTERISK / Vicidial systems over 4MB fiber
>>
>> On Wed, 11 Jun 2008, Mark Adams wrote:
>>
>>> (I know there are security issues as there have been additional users created on my server and IRC junk was put in the home folder)
>>
>> If the box has been compromised, the only recourse is to erase the drives and start over. You can't trust anything on the box.
>>
>> Off the top of my head, this is how I would approach the problem.
>>
>> 1) Identify how the box was compromised. (A client box was recently (last 30 days) hacked. It was an old AAH installed by the client. The hacker used the default password on the admin account to exploit a buffer overflow in crond to gain root.)
>>
>> 2) Save any essential data -- and only the data, no executables.
>>
>> 3) Take the box off the Internet.
>>
>> 4) Boot DBAN and let it do its thing.
>>
>> 5) Install a minimal OS from CD/DVD.
>>
>> 6) Clean up after the install -- turn off services, delete users, delete packages, add packages, etc.
>>
>> 7) Bring up to current patch level from your private repository.
>>
>> 8) Expose the box to the Internet.
>>
>> 9) Cross your fingers and actively monitor the box.
>>
>> Thanks in advance,
>> ------------------------------------------------------------------------
>> Steve Edwards       [EMAIL PROTECTED]       Voice: +1-760-468-3867 PST
>> Newline                                       Fax: +1-760-731-3000
>>
>> _______________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>> http://lists.digium.com/mailman/listinfo/asterisk-users
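A concrete version of the iptables approach Steve Totaro recommends in this thread (default deny, SIP/RTP only from the termination provider, everything else over the VPN), written as an added example rather than code from the thread; the provider address, VPN subnet, ssh port, RTP range and interface names are placeholder assumptions to be set per site.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables policy for an
# Asterisk/Vicidial box plugged straight into the ISP switch, along the lines
# Steve Totaro suggests. Inbound is closed except SIP/RTP from the termination
# provider, the OpenVPN port, and SSH/HTTP from inside the VPN. Outbound stays
# open, so NTP, DNS and SIP registration the box initiates keep working.
# Every address and port below is a placeholder assumption; set them per site.

PROVIDER_IP="${PROVIDER_IP:-203.0.113.10}"  # constructed: provider's SIP proxy
VPN_NET="${VPN_NET:-10.8.0.0/24}"            # constructed: OpenVPN tunnel subnet
VPN_PORT="${VPN_PORT:-1194}"                 # OpenVPN default port
SSH_PORT="${SSH_PORT:-2222}"                 # constructed non-default ssh port
RTP_RANGE="${RTP_RANGE:-10000:20000}"        # Asterisk's default rtp.conf range
WAN_IF="${WAN_IF:-eth0}"                     # interface facing the ISP switch
VPN_IF="${VPN_IF:-tun0}"                     # OpenVPN tunnel interface

# Emit the rule set as one iptables command per line (nothing is applied here).
build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp -s $PROVIDER_IP --dport 5060 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp -s $PROVIDER_IP --dport $RTP_RANGE -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
iptables -A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -i $VPN_IF -s $VPN_NET -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "DROP-IN: "
EOF
}
# Note: if the provider sends media from hosts other than its SIP proxy, add
# those addresses to the RTP rule; otherwise calls will set up but carry no audio.

# Number of rules the policy contains, handy for a sanity check before applying.
rule_count() {
    build_rules | grep -c '^iptables'
}

# Dry run by default; pass --apply (as root) to load the rules.
if [ "${1:-}" = "--apply" ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Run it without arguments first and read the generated rules; the final LOG rule is what lets you see what the default-deny policy is dropping on the ISP-facing interface.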
