On Apr 13, 2010, at 8:04 AM, Hans Witvliet wrote:

> On Tue, 2010-04-13 at 09:47 +0100, Gordon Henderson wrote:
>> On Tue, 13 Apr 2010, Alyed wrote:
>>
>>> Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
>>> something that looks nice using iptables, some others have pointed out using
>>> RBL or fail2ban, but the best would be to have some generic solution not
>>> dependent on third party programs.
>>
>> I'd strongly disagree with this. (And I was the OP of this thread and had
>> my home/office network connection taken down due to it)
>>
>> But then, I'm an old worldy Unix sysadmin and the philosophy of having a
>> program do one thing well is still etched into my core...
>>
>> http://en.wikipedia.org/wiki/Unix_philosophy
>>
>> So get asterisk to do what it does well, then get something else that does
>> what you need to do just as well - built-in to Linux are the iptables
>> firewall rules. Use them! They are very effective and do work. (And you
>> have a choice!)
>
> I'll agree with you here.
> Any additional security within * is fine, but if someone is simply
> drowning your bandwidth, action must be taken at a lower level.
> Otherwise you end up re-inventing the wheel for D.o.s. attacks for voip,
> mail, ssh, ldap, http, rsync, (or any other service you might be
> running)
>
> So a proper job for ip(6)tables, imho

+1 for outside of asterisk. I want something that blocks it before it gets to
the Asterisk processes.

I've posted a little script on Team Forrest for how I'm blocking the traffic
(using a quick perl script, iptables, and cron). The script is at
http://bit.ly/cDHlLq

---fred
http://qxork.com
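
The log-to-iptables approach discussed in this thread, sketched as an added example; it is not fred's script or anything posted to the list. It assumes the chan_sip "Registration from ... failed for '<addr>'" NOTICE line; the sample lines, the threshold and the allow-listed network are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed chan_sip NOTICE shape. The From field is sender-supplied, so the
# pattern anchors on the address Asterisk itself writes at the end of the line.
FAILED = re.compile(r"Registration from '.*' failed for '([^']+)' - [^']*$")

def _line(src, reason="Wrong password"):
    # Builds one constructed sample log line (not real traffic).
    return ("[2010-04-13 08:00:01] NOTICE[2578] chan_sip.c: Registration from "
            f"'\"100\" <sip:100@198.51.100.1>' failed for '{src}' - {reason}")

SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7")] * 2 + [_line("203.0.113.7:5060")]
    + [_line("192.0.2.50")] * 4
    + [_line("2001:db8::5", "No matching peer found")] * 3
    + [_line("198.51.100.9"), _line("not-an-ip")])

def parse_addr(raw):
    """Return an ip_address, or None if the logged text is not an address."""
    for candidate in (raw, raw.rpartition(":")[0].strip("[]")):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue
    return None

def offenders(log_text, threshold=3, allow=("192.0.2.0/24",)):
    """Addresses with at least `threshold` failures, skipping allow-listed nets."""
    nets = [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        addr = parse_addr(m.group(1)) if m else None
        if addr is None:
            continue
        if any(addr.version == n.version and addr in n for n in nets):
            continue  # never lock out your own phones or trunks
        hits[addr] += 1
    return sorted((a for a, c in hits.items() if c >= threshold), key=str)

def block_commands(addrs):
    """argv lists rather than shell strings, so log text never reaches a shell."""
    return [["ip6tables" if a.version == 6 else "iptables",
             "-I", "INPUT", "-s", str(a), "-j", "DROP"] for a in addrs]

if __name__ == "__main__":
    for argv in block_commands(offenders(SAMPLE_LOG)):
        print(" ".join(argv))  # a cron job would pass argv to subprocess.run
```

When run from cron, check each rule with `iptables -C` before inserting it so repeated runs do not stack duplicate DROP rules.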
