That's fantastic, Lonnie. Thank you for bringing this up with AIF. Hopefully, this will come to fruition!
Dan

On 10/13/2010 1:33 PM, Lonnie Abelbeck wrote:
> Dan,
>
> A new config variable, SIP_VOIP_REMOTE_HOSTS has been added to the sip-voip
> plugin in the next AIF.
>
> https://rocky.eld.leidenuniv.nl/trac/aif/changeset/434/
>
> Thanks for the suggestion.
>
> Lonnie
>
>
> On Oct 13, 2010, at 10:26 AM, Dan Ryson wrote:
>
>> So it's that simple? I really like simple.
>>
>> Adaptive-ban has been very effective. However, since I only have the
>> one outside user, I'd also like to block the ports at the firewall.
>>
>> Thanks as always for your insight.
>>
>> Dan
>>
>> On 10/13/2010 10:44 AM, Lonnie Abelbeck wrote:
>>> On Oct 13, 2010, at 9:15 AM, Dan Ryson wrote:
>>>
>>>> All,
>>>>
>>>> I wonder if I may, once again, ask for your help.
>>>>
>>>> Using the GUI to configure the firewall, my intent was to open only one
>>>> "Source IP" to port 5060, for an off-site IP phone. I'm depending on
>>>> frequent & regular registration traffic to keep port 5060 open to
>>>> providers. Despite this, I see the occasional registration attempt from
>>>> elsewhere, as shown below.
>>>>
>>>> Oct 13 04:23:36 sip local0.notice asterisk[2776]: NOTICE[2776]:
>>>> chan_sip.c:16474 in handle_request_register: Registration from
>>>> '"1010161682"<sip:1010161...@169.25.161.29>' failed for '140.117.176.226'
>>>> - No matching peer found
>>>>
>>>>
>>>> So, with all other source IPs closed to port 5060, how might a
>>>> registration request from '140.117.176.226' be reaching Asterisk?
>>>>
>>>> The only thing that looked a bit suspicious in iptables, is this:
>>>>
>>>> Chain EXT_INPUT_CHAIN (2 references)
>>>> target prot opt source destination
>>>> ACCEPT udp -- anywhere anywhere udp
>>>> dpts:5060:5080
>>>>
>>>>
>>>> However, it looks like the above is merely the result of settings in the
>>>> SIP-VOIP plugin, which specifies ports 5060:5080. When disabling
>>>> SIP-VOIP, the above entry goes away.
>>>>
>>>> Your thoughts?
>>>>
>>>> Thanks for considering my question.
>>>>
>>>> Dan
>>> Don't enable the sip-voip plugin. :-)
>>>
>>> The sip-voip plugin may have its place, (it basically automatically opens
>>> the RTP voice ports) but I personally don't enable it.
>>>
>>> So, if you disable the sip-voip plugin you will need to allow a UDP range
>>> matching your asterisk rtp.conf range. (make it smaller than the default)
>>>
>>> Or, keep the sip-voip plugin enabled and also enable the adaptive-ban
>>> plugin to ban the attack probes.
>>>
>>> Lonnie
>>>
>>> PS: A better long term solution would be to add a SIP_VOIP_SOURCE="0/0"
>>> variable to the sip-voip plugin, so you can limit by the source address...
>>> I'll try to get that in the next version of AIF.
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Beautiful is writing same markup. Internet Explorer 9 supports
>>> standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3.
>>> Spend less time writing and rewriting code and more time creating great
>>> experiences on the web. Be a part of the beta today.
>>> http://p.sf.net/sfu/beautyoftheweb
>>> _______________________________________________
>>> Astlinux-users mailing list
>>> Astlinux-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>>
>>> Donations to support AstLinux are graciously accepted via PayPal to
>>> pay...@krisk.org.
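
An added example, not part of the original thread: once the SIP ports are limited by source address as discussed above, this shell function summarizes failed REGISTER attempts in the Asterisk log that still arrive from addresses outside an allow-list. The log lines and all IP addresses are constructed samples in the chan_sip format quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample log. 198.51.100.10 plays the one off-site phone;
# the other sources are probes. The last line carries a crafted From value.
sample_log() {
    cat <<'EOF'
Oct 13 04:23:36 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"100"<sip:100@198.51.100.1>' failed for '203.0.113.7' - No matching peer found
Oct 13 04:23:37 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"101"<sip:101@198.51.100.1>' failed for '203.0.113.7' - No matching peer found
Oct 13 04:25:00 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"200"<sip:200@198.51.100.1>' failed for '198.51.100.10' - Wrong password
Oct 13 04:26:00 sip local0.notice asterisk[2776]: NOTICE[2776]: chan_sip.c:16474 in handle_request_register: Registration from '"x' failed for '198.51.100.10' - y"<sip:x@198.51.100.1>' failed for '192.0.2.99:5071' - No matching peer found
EOF
}

# unexpected_register_sources "ip1 ip2 ..." < logfile
# Prints "count ip" for every source whose REGISTER failed and that is not
# in the space-separated allow-list, most frequent first.
unexpected_register_sources() {
    awk -v allowed="$1" -v q="'" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /Registration from/ && /failed for/ {
            line = $0
            # The From value is sender-controlled and may itself contain
            # "failed for"; the greedy match keeps only the LAST occurrence,
            # which is the address Asterisk wrote.
            sub(".*failed for " q, "", line)
            sub(q ".*", "", line)
            # Some Asterisk versions log ip:port; strip the port for IPv4.
            if (line ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", line)
            if (!(line in ok)) hits[line]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Demo run: report everything except the known off-site phone.
sample_log | unexpected_register_sources "198.51.100.10"
```

Any address this prints while the firewall is supposed to admit only the off-site phone means a rule such as the `ACCEPT udp ... dpts:5060:5080` entry above is still open to other sources.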