So it's that simple? I really like simple. Adaptive-ban has been very effective. However, since I only have the one outside user, I'd also like to block the ports at the firewall.

Thanks as always for your insight.

Dan

On 10/13/2010 10:44 AM, Lonnie Abelbeck wrote:
> On Oct 13, 2010, at 9:15 AM, Dan Ryson wrote:
>
>> All,
>>
>> I wonder if I may, once again, ask for your help.
>>
>> Using the GUI to configure the firewall, my intent was to open only one
>> "Source IP" to port 5060, for an off-site IP phone. I'm depending on
>> frequent & regular registration traffic to keep port 5060 open to
>> providers. Despite this, I see the occasional registration attempt from
>> elsewhere, as shown below.
>>
>> Oct 13 04:23:36 sip local0.notice asterisk[2776]: NOTICE[2776]:
>> chan_sip.c:16474 in handle_request_register: Registration from
>> '"1010161682"<sip:1010161...@169.25.161.29>' failed for '140.117.176.226' -
>> No matching peer found
>>
>> So, with all other source IPs closed to port 5060, how might a
>> registration request from '140.117.176.226' be reaching Asterisk?
>>
>> The only thing that looked a bit suspicious in iptables, is this:
>>
>> Chain EXT_INPUT_CHAIN (2 references)
>> target     prot opt source               destination
>> ACCEPT     udp  --  anywhere             anywhere             udp dpts:5060:5080
>>
>> However, it looks like the above is merely the result of settings in the
>> SIP-VOIP plugin, which specifies ports 5060:5080. When disabling
>> SIP-VOIP, the above entry goes away.
>>
>> Your thoughts?
>>
>> Thanks for considering my question.
>>
>> Dan
>
> Don't enable the sip-voip plugin. :-)
>
> The sip-voip plugin may have its place, (it basically automatically opens
> the RTP voice ports) but I personally don't enable it.
>
> So, if you disable the sip-voip plugin you will need to allow a UDP range
> matching your asterisk rtp.conf range. (make it smaller than the default)
>
> Or, keep the sip-voip plugin enabled and also enable the adaptive-ban plugin
> to ban the attack probes.
>
> Lonnie
>
> PS: A better long term solution would be to add a SIP_VOIP_SOURCE="0/0"
> variable to the sip-voip plugin, so you can limit by the source address...
> I'll try to get that in the next version of AIF.
>
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
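The adaptive-ban approach Lonnie suggests works by watching exactly the chan_sip notice Dan quoted. The following is an added example, not the AstLinux or adaptive-ban plugin's own code: it parses those "Registration from ... failed for ..." notices, counts failures per source address, and reports any source that is not the one trusted off-site phone. The allowlist CIDR 192.0.2.10/32, the failure threshold, and every sample log line except the first (which is the one from the thread) are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Matches the chan_sip NOTICE as it appears via syslog (format taken from the
# thread); the source address is the host that actually sent the REGISTER.
REGISTER_FAIL = re.compile(
    r"handle_request_register: Registration from '(?P<user>[^']*)' "
    r"failed for '(?P<src>[^']+)' - (?P<reason>.*)$"
)

# Constructed sample log. Line 1 is the notice quoted in the thread; the rest
# are made up: two more probes from the same host, one failure from the
# trusted phone (192.0.2.10, a documentation address) and one unrelated line.
SAMPLE_LOG = """\
Oct 13 04:23:36 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161682"<sip:1010161...@169.25.161.29>' failed for '140.117.176.226' - No matching peer found
Oct 13 04:23:37 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161683"<sip:x@169.25.161.29>' failed for '140.117.176.226' - No matching peer found
Oct 13 04:23:39 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"1010161684"<sip:x@169.25.161.29>' failed for '140.117.176.226' - No matching peer found
Oct 13 04:25:01 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"2001"<sip:2001@192.0.2.10>' failed for '192.0.2.10' - Wrong password
Oct 13 04:30:00 sip local0.info asterisk[2776]: VERBOSE[2776]: Registered SIP '2001' at 192.0.2.10:5060
"""


def failed_registrations(log_text):
    """Return {source_ip: number_of_failed_REGISTER_attempts} for the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REGISTER_FAIL.search(line)
        if m:
            counts[m.group("src")] += 1
    return dict(counts)


def sources_to_ban(log_text, trusted, threshold=3):
    """Sources with at least `threshold` failures that are outside `trusted`.

    `trusted` is a list of CIDR strings; with one off-site phone this is a
    single /32, so its own typos never get it locked out. Everything else that
    reaches port 5060 and fails repeatedly is a probe and is reported.
    """
    nets = [ip_network(t) for t in trusted]
    banned = []
    for src, n in failed_registrations(log_text).items():
        addr = ip_address(src)
        if n >= threshold and not any(addr in net for net in nets):
            banned.append(src)
    return sorted(banned)
```

The returned addresses are what a ban mechanism would then block on UDP 5060:5080 at the firewall; the trusted /32 is the only source that should have been allowed in by the GUI rule in the first place.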