Re: [asterisk-users] Access PBX from internet - best practice

2013-10-17 Thread jg

> If remote users *only* need to call contacts *within the office*, then whatever
> other precautions you take, make sure they land in a context which does not
> allow outside calls.

Yes, but this is not sufficient. When transfers are allowed, the outside channel will operate in
the local context (typically from-internal). You also need to set the transfer options properly,
or this could be abused.


jg

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
  http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Access PBX from internet - best practice

2013-10-17 Thread A J Stiles
On Thursday 17 October 2013, richard.seg...@marisec.ca wrote:
> The endpoints do not have a fixed IP, and a VPN tunnel wouldn't work under
> this scenario.  Basically this setup is for people who are traveling, and
> may be using a smart phone at an airport (or something similar).  The idea
> is that our system can be used to reduce toll costs, and provide access to
> internal resources.

If remote users *only* need to call contacts *within the office*, then whatever 
other precautions you take, make sure they land in a context which does not 
allow outside calls.

If you're feeling sufficiently evil, use Audacity to create a file with a few 
seconds of ringing-out tone followed by a deathly silence; and play this to 
remote users calling numbers they shouldn't, before doing a Hangup().  

-- 
AJS

Answers come *after* questions.
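
The restricted landing context suggested above, together with the transfer settings jg's reply warns about, as an added example that is not from any poster in this thread. The peer, context, `desk-` prefix, extension range and sound-file names are assumptions; `allowtransfer`, `TRANSFER_CONTEXT` and the Dial `t`/`T` options are standard Asterisk (chan_sip) settings.

```ini
; ---- sip.conf (chan_sip) ---- constructed example, all names are placeholders
[rw-7Qx-alice]            ; hypothetical roaming device, name unrelated to its extension
type=friend
host=dynamic              ; traveller, no fixed IP
secret=REPLACE_WITH_LONG_RANDOM_SECRET
context=from-remote       ; calls from this device start here, not in from-internal
allowtransfer=no          ; refuse SIP REFER transfers from this device

; ---- extensions.conf ----
[from-remote]
; Weak form, left commented out: including the office context gives remote
; users every outbound route that context can reach.
;include => from-internal

; Internal extensions only (assumed here to be 100-199, with office phones
; defined as SIP/desk-<extension>).
; The double underscore makes TRANSFER_CONTEXT inherited by the channel that
; Dial() creates, so a transfer started on either leg is resolved in
; from-remote instead of the office context.
exten => _1XX,1,Set(__TRANSFER_CONTEXT=from-remote)
 same => n,Dial(SIP/desk-${EXTEN},20)  ; no t/T option, so no DTMF transfer for either party
 same => n,Hangup()

; Any other number: play the ringing-then-silence recording and hang up.
; "fake-ring" is a hypothetical sound file name.
exten => _X.,1,Answer()
 same => n,Playback(fake-ring)
 same => n,Hangup()
```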



Re: [asterisk-users] Access PBX from internet - best practice

2013-10-17 Thread Mike
On 13-10-17 08:13 AM, richard.seg...@marisec.ca wrote:
> The endpoints do not have a fixed IP, and a VPN tunnel wouldn't work under 
> this scenario.  Basically this setup is for people who are traveling, and may 
> be using a smart phone at an airport (or something similar).  The idea is 
> that our system can be used to reduce toll costs, and provide access to 
> internal resources. 
>

A VPN would be perfect for this situation - you certainly don't need
fixed IPs on the endpoints. I quite happily pass calls over my VPN from
my smartphone.

-- 
Looking for (employment|contract) work in the
Internet industry, preferably working remotely. 
Building / Supporting the net since 2400 baud was
the hot thing. Ask for a resume! ispbuil...@gmail.com




Re: [asterisk-users] Access PBX from internet - best practice

2013-10-17 Thread richard . seguin
The endpoints do not have a fixed IP, and a VPN tunnel wouldn't work under this 
scenario.  Basically this setup is for people who are traveling, and may be 
using a smart phone at an airport (or something similar).  The idea is that our 
system can be used to reduce toll costs, and provide access to internal 
resources. 

Thank you for the recommendations on fail2ban, IPtables, and the device naming
scheme... I am not overly fond of having a device name (ex: 101) that
corresponds to the extension being used, so I will be using user and devices
under FreePBX to name them differently.


-Original Message-
From: "Administrator TOOTAI" 
Sent: Thursday, October 17, 2013 6:56am
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] Access PBX from internet - best practice

On 17/10/2013 12:30, richard.seg...@marisec.ca wrote:
> Hello,

Hello

>
> I have a question about best practice (or recommended practice) for allowing 
> SIP registrations from the Internet.

Registrations from Internet is vague:

- are EP with fixed IP: define the extension in SIP.conf with host = . You can even add an iptables rule to allow the  to connect 
to port 5060 in udp (if your setup is this one)
- are EP travellers => fail2ban or through VPN. OpenVPN is a good solution.

> This is what I was thinking of implementing:
> 1. Use OpenSips for the SBC,  enable SRTP and TLS

All clients don't support SRTP

> 2. Allow limited access to the actual Asterisk PBX (behind firewall) via 
> OpenSips
>
> Is there anything that I am missing that probably should be implemented?

In all cases I would recommend:

- a strong extension definition eg [MyFav0Rite-prefiX_123] instead of [123]
- always use fail2ban

  [...]

-- 
Daniel


Re: [asterisk-users] Access PBX from internet - best practice

2013-10-17 Thread Administrator TOOTAI

On 17/10/2013 12:30, richard.seg...@marisec.ca wrote:
> Hello,

Hello

> I have a question about best practice (or recommended practice) for allowing
> SIP registrations from the Internet.

Registrations from Internet is vague:

- are EP with fixed IP: define the extension in SIP.conf with host = IP>. You can even add an iptables rule to allow the  to connect
to port 5060 in udp (if your setup is this one)
- are EP travellers => fail2ban or through VPN. OpenVPN is a good solution.

> This is what I was thinking of implementing:
> 1. Use OpenSips for the SBC, enable SRTP and TLS

All clients don't support SRTP

> 2. Allow limited access to the actual Asterisk PBX (behind firewall) via
> OpenSips
>
> Is there anything that I am missing that probably should be implemented?

In all cases I would recommend:

- a strong extension definition eg [MyFav0Rite-prefiX_123] instead of [123]
- always use fail2ban

 [...]

--
Daniel



[asterisk-users] Access PBX from internet - best practice

2013-10-17 Thread richard . seguin
Hello,

I have a question about best practice (or recommended practice) for allowing 
SIP registrations from the Internet.   

This is what I was thinking of implementing:
1. Use OpenSips for the SBC,  enable SRTP and TLS
2. Allow limited access to the actual Asterisk PBX (behind firewall) via 
OpenSips

Is there anything that I am missing that probably should be implemented?

Thanks,

Richard

