Thanks, guy. I was looking for a better pf tutorial. Hopefully there
is something advanced on reserving SIP channel bandwidth because I just
don't seem to be able to get that to work somehow. There must also be a
decent web admin interface for pf around by now. I don't seem to mind
working from the CLI but it would be nice to see something more advanced.
Peter M.
Ian Darwin wrote:
None of this surprises me somehow.
Peter MacFarlane wrote:
You should really have a firewall that filters out most of these
going to the Internet. As a general rule, only open to the outside
what is required for access. That is the best default for security.
There is an application or option you can add to your Linux server
that cuts off ssh login attempts from an IP after so many attempts.
I don't know what it is at the moment but I saw it used. Works well.
I use OpenBSD and the pf firewall allows traffic to be directed to
specific servers. Hopefully the cracker robots can be cut off there
as well. I'll have to check that out. Strong passwords are one of
your best assets. I hear that OpenBSD runs Asterisk well also, if you
don't need card drivers. That might be a nice two-in-one box.
Yes, pf has an option
max-src-conn-rate <number> / <seconds>
Limit the rate of new connections over a time interval. The connection rate is an approximation calculated as a moving average.
See Peter Hansteen's excellent pf tutorial. Start at the page
http://www.bgnett.no/~peter/pf/en/bruteforce.html
for details on this option in particular, or go to that directory and
read the whole thing.
And yes, I run my "production" (but low volume) Asterisk server on
OpenBSD, using hard phones, the odd ATA, and DID service from Unlimitel.
Ian
--
Peter L. MacFarlane, ACP
C & P Consulting 2000
Charlottetown PEI
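The max-src-conn-rate option Ian quotes is only half of the mechanism: on its own it just limits the rate, and the useful part is pairing it with an overload table so that an address which exceeds the rate is added to a table that a block rule consults. The ruleset below is an added illustration for this thread, not code from the message or from Hansteen's tutorial; the interface name em0, the table name bruteforce and the thresholds (10 concurrent connections, 3 new connections per 30 seconds) are assumptions chosen for the example and should be tuned to the site.

```pf
# Added example pf.conf fragment (not from the original thread).
# Assumptions: external interface em0, sshd listening on port 22.
ext_if = "em0"

# Table that pf fills automatically with offending source addresses.
# "persist" keeps the table even when no rule currently references it.
table <bruteforce> persist

# Drop everything from addresses already in the table. "quick" means no
# later pass rule can re-admit them.
block in quick on $ext_if from <bruteforce>

# Allow SSH, but keep per-source state limits:
#   max-src-conn 10        at most 10 simultaneous connections per source
#   max-src-conn-rate 3/30 no more than 3 new connections per 30 seconds
#   overload <bruteforce>  add a source that exceeds either limit to the table
#   flush global           tear down all existing states from that source
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)
```

Two practical notes. The counters track TCP connection attempts, not failed logins, so a legitimate user who opens many sessions from one address (or many users behind one NAT) can trip the limit; pick thresholds with that in mind. Entries stay in the table until removed, so expire them periodically, for example from cron with `pfctl -t bruteforce -T expire 86400`, and inspect the current contents with `pfctl -t bruteforce -T show`.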