<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Dear Brett<BR>
<BR>
Many thanks for your comment.<BR>
<BR>
Any method that reads logs to detect a failed auth may be suitable; fail2ban does this, <BR>
or just reading files from the logs directory (register and messages files) to know if there were any refused attempts and then block the src IP.<BR>
<BR>
With any script that works on this, the IP the attempts come from can be found. <BR>
<BR>
<BR>
cat /etc/asterisk/messages | grep Reg | grep @my.domain <BR>
<BR>
or <BR>
<BR>
cat /etc/asterisk/messages | grep Reg | grep my.ip.add.res<BR>
<BR>
Processing it, the IP could be added to the iptables rules to block it...<BR>
<BR>
<BR>
<BR>
In this process, as always, we must first choose the path to follow, from two possible ones to implement.<BR>
<BR>
1) Closed networks: deny all, enable some hosts to connect. Simple, not flexible, not suitable for continuously changing networks. <BR>
<BR>
2) Open networks: accept all; we must detect intrusions and attacks and deny every IP for any attack detected or not trusted. This needs much intelligence, resources and effort to identify and block anything that seems dangerous. <BR>
<BR>
<BR>
<BR>
This brief comment was aimed at helping some guys who were trying to get some iptables conf working to avoid undesired connections.<BR>
<BR>
In short:<BR>
<BR>
YES... public DDNS services have some delay in refreshing the cache. There is no doubt about that.<BR>
<BR>
<BR>
From my own experience: I have my own DNS server on a fixed IP, but some PBXs of some customers are pointed through DDNS servers to my switch, using no-ip, and they are connected by cable modem with DHCP. When the IP changes it takes a few minutes; yes, it's quite slow. But it's so SIMPLE, SO CHEAP and does not require advanced knowledge. I think it is a suitable way to connect some SIP users that don't have a fixed IP, but it has some delay in updating changes, that is for sure. <BR>
<BR>
A better solution, more effective and faster, could be to make a kind of simple DDNS service running on your own server: any TCP client just needs to open a TCP connection to your server reporting user and pass, and the server then catches the source IP... It would be an automated version, fast and reliable, but it needs more expertise, like programming, beyond what they were asking about: basic iptables options to avoid calls from undesired IPs.<BR>
<BR>
Without going so far, you ALSO CAN USE A FORM OVER AN HTTPS SERVER CONNECTION for something like a login, THAT WILL START THE SCRIPT FOR RENEWING after the form is sent; the action started by the CGI just must include the same, the action to reload modules after the IPs are renewed. <BR>
<BR>
Yes, it's not automatic, but it really works too. It is fast and gives a cheap way to get closer TO a "closed network" but in an open environment, because any user authenticates using a secure tunnel to send the usr and pss and with that updates the IP for the peer, but it will require user action. <BR>
<BR>
Like I said earlier, <BR>
all this is a mix, branded with less expensive options to bring up something better. <BR>
<BR>
Marcos<BR>
Thanks again <BR>
<BR>
<BR>
<BR>
<BR>
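<BR>
Added example, not part of the original message or of any project it mentions: the log-reading approach described above, taken one step past the two greps by counting failed registrations per source and printing iptables rules for review. It assumes the "Registration from ... failed for" NOTICE line that chan_sip writes and SIP on UDP port 5060; the function names, the trusted-IP argument and the sample log are constructed for illustration.<BR>
<BR>
```shell
#!/bin/sh
# Constructed sample in the chan_sip "Registration ... failed for" format;
# every address is from a documentation range, none comes from the thread.
SAMPLE_LOG="[2010-06-27 20:50:01] NOTICE[2411] chan_sip.c: Registration from 'sip:100@pbx.example.net' failed for '203.0.113.7' - Wrong password
[2010-06-27 20:50:02] NOTICE[2411] chan_sip.c: Registration from 'sip:101@pbx.example.net' failed for '203.0.113.7' - No matching peer found
[2010-06-27 20:50:03] NOTICE[2411] chan_sip.c: Registration from 'sip:102@pbx.example.net' failed for '203.0.113.7' - No matching peer found
[2010-06-27 20:51:10] NOTICE[2411] chan_sip.c: Registration from 'sip:200@pbx.example.net' failed for '198.51.100.20' - Wrong password
[2010-06-27 20:51:40] NOTICE[2411] chan_sip.c: Registration from 'sip:200@pbx.example.net' failed for '198.51.100.20' - Wrong password
[2010-06-27 20:52:05] NOTICE[2411] chan_sip.c: Registration from 'sip:300@pbx.example.net' failed for '203.0.113.9:5060' - Wrong password
[2010-06-27 20:52:06] NOTICE[2411] chan_sip.c: Registration from 'sip:300@pbx.example.net' failed for '203.0.113.9:5060' - Wrong password
[2010-06-27 20:53:00] NOTICE[2411] chan_sip.c: Registration from 'sip:400@pbx.example.net' failed for '192.0.2.44' - Wrong password"

# offenders THRESHOLD [TRUSTED_IP ...]
# Reads an Asterisk log on stdin and prints "count ip", highest count first,
# for each untrusted source with at least THRESHOLD failed registrations.
offenders() {
    threshold=$1
    shift
    awk -v threshold="$threshold" -v trusted=" $* " -v q="'" '
        /Registration from .* failed for / {
            ip = $0
            # Greedy match: keep what follows the LAST "failed for", which
            # Asterisk writes itself, not text copied from the SIP header.
            sub(".*failed for " q, "", ip)
            sub("[" q ":].*", "", ip)          # drop closing quote or :port
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (index(trusted, " " ip " ")) next   # never ban known peers
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= threshold) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# block_rules: turn "count ip" lines into iptables commands. They are only
# printed, so they can be reviewed before anything is loaded.
block_rules() {
    while read -r _count ip; do
        printf 'iptables -I INPUT -s %s -p udp --dport 5060 -j DROP\n' "$ip"
    done
}

# Two failures are enough here; 198.51.100.20 plays a customer PBX to keep.
printf '%s\n' "$SAMPLE_LOG" | offenders 2 198.51.100.20 | block_rules
```
<BR>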
<BR> <BR>
> From: brett@voicefoxtelephony.com<BR>
> To: brett@voicefoxtelephony.com<BR>
> Subject: Re: [asterisk-biz] 87.230.80.186<BR>
> Date: Sun, 27 Jun 2010 21:15:02 -0500<BR>
> CC: asterisk-biz@lists.digium.com; asterisk-biz@lists.digium.com; sisint2005@hotmail.com<BR>
> <BR>
> Yow,<BR>
> Sorry list for the trigger happy reply...<BR>
> <BR>
> What I was saying is that it's an interesting idea but I think DNS <BR>
> caching will make it not really feasible.<BR>
> <BR>
> For me fail2ban + good passwords works as a really good system where a <BR>
> VPN can't be used.<BR>
> <BR>
> <BR>
> -Brett<BR>
> <BR>
> On Jun 27, 2010, at 9:10 PM, Brett Nemeroff <BR>
> &lt;brett@voicefoxtelephony.com&gt; wrote:<BR>
> <BR>
> > Interesting idea, but I think DNS caching will make this not really <BR>
> > usable.<BR>
> ><BR>
> ><BR>
> > For me, fail2<BR>
> ><BR>
> ><BR>
> ><BR>
> > On Jun 27, 2010, at 8:54 PM, Calleasy BsAS &lt;sisint2005@hotmail.com&gt; <BR>
> > wrote:<BR>
> ><BR>
> >><BR>
</body>
</html>