[asterisk-users] Security issue

Eric Fort eric.fort at gmail.com
Sat Feb 7 20:32:10 CST 2009


Use iptables and start with deny all.  Follow this by allowing only
the protocols/ports you want and only the source/destination IPs you
wish to allow.  These can be combined to, say, allow ssh from anywhere
but only allow SIP (and its range of ports) to/from a very limited
set of IPs belonging to, say, your ITSP.  Users that move about a
bunch can use a VPN to an allowed subnet.

Eric

On Sat, Feb 7, 2009 at 5:47 PM, oumar ndiaye <ondiaye at antg.com> wrote:
> David,
> Thanks in advance. Where do I change the user/peers definition? Is it in the
> firewall of the OS? In that case that won't work because the server hosts
> other services such as ssh and http that are open to any IP as long as the user
> has the correct credentials. Doesn't Asterisk itself have built-in security
> filters?
>
> If the only choice is to do it in the OS's firewall, then I will need to
> include the port numbers of SIP, IAX in my firewall rules. In this case,
> which ports should I block to keep unwanted SIP/IAX connections from
> specific IPs?
> Thanks.
>
> On Sat, Feb 7, 2009 at 9:29 AM, David fire <ddfire at gmail.com> wrote:
>>
>> You have many options, but you should use them together.
>> firewall
>>
>> in the user/peers definitions add host=<ip>
>> and/or
>> deny=0.0.0.0/0.0.0.0
>> permit=<ip>/<mask>
>>
>> Change the IP of your server.
>>
>> Use something like ossec to avoid brute force.
>>
>> David
>>
>> 2009/2/6 oumar ndiaye <ond4444 at gmail.com>
>>>
>>> Is there a way to restrict connections to my Asterisk server to users
>>> based on their IP addresses, and not just password? I have some hackers who
>>> connect to my server to make illegitimate solicitation calls to people. I
>>> had to shut down the server for now until I find a solution. ANY HELP?
>>> Thanks.
>>> ond
>>> _______________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>>
>>
>> --
>> (\__/)
>> (='.'=)This is Bunny. Copy and paste bunny into your
>> (")_(")signature to help him gain world domination.
>>
>>
>
>
>
> --
> Oumar Ndiaye
> CTO
> ANTG Telecom
> www.antg.com
> ondiaye at antg.com
> ondiaye at alum.mit.edu
> ond4444 at gmail.com
> Tel: +1-919-291-8742
>
>
>
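
The firewall policy described in this thread (deny by default, ssh and http open to anyone, SIP/IAX only from the ITSP), written out as an added example that is not part of any poster's message. The function names, the placeholder ITSP addresses (203.0.113.0/24, 198.51.100.10) and the ports (SIP 5060/udp, IAX2 4569/udp, RTP 10000-20000/udp) are assumptions to adapt to your own setup.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; it applies nothing itself.
# Assumed ports: SIP 5060/udp, IAX2 4569/udp, RTP 10000-20000/udp (see rtp.conf).

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_cidr() {
    addr=${1%%/*}
    case $1 in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "${#pfx}" -le 2 ] && [ "$pfx" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the ruleset: default-deny input, ssh/http open to anyone,
# VoIP signalling and media only from the sources given as arguments.
build_rules() {
    for src in "$@"; do
        valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT'
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -p udp -m multiport --dports 5060,4569,10000:20000 -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Check the syntax without loading anything (run as root):
#   build_rules 203.0.113.0/24 198.51.100.10 | iptables-restore --test
```

Keep a console or second ssh session open when loading a default-deny ruleset on a remote machine, and pair it with the per-peer `deny=`/`permit=` lines quoted above so that either layer alone still blocks unknown sources.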


