[asterisk-users] Being attacked by an Amazon EC2 ...
Gordon Henderson
gordon+asterisk at drogon.net
Tue Apr 13 03:47:23 CDT 2010
On Tue, 13 Apr 2010, Alyed wrote:

> Think we need some solution WITHIN the Asterisk core. Roderick A. suggested
> something that looks nice using iptables, some others have pointed out using
> RBL or fail2ban, but the best would be to have some generic solution not
> dependent on third party programs.

I'd strongly disagree with this. (And I was the OP of this thread and had
my home/office network connection taken down due to it.)

But then, I'm an old worldy Unix sysadmin and the philosophy of having a
program do one thing well is still etched into my core...

http://en.wikipedia.org/wiki/Unix_philosophy

So get asterisk to do what it does well, then get something else that does
what you need to do just as well - built-in to Linux are the iptables
firewall rules. Use them! They are very effective and do work. (And you
have a choice!)

The biggest issue I see is that people are installing Asterisk and other
high-level applications on top of Linux (and other *nix'es) without the
experience of "sysadmin" - then when something goes wrong they want the
application to fix it rather than apply some basic and pretty fundamental
sysadmin techniques to solve the issue.

And that means that even having permit= and deny= in sip.conf and
iax.conf, etc. is too much. With proper OS level firewalling they're
simply not needed and do nothing more than add another potential point of
failure and add yet more code to maintain.

Gordon
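
An added illustration of the OS-level firewalling argued for above (not part of the original post, and not the poster's own rules): a script that prints iptables commands restricting the SIP and IAX2 ports to a list of trusted peers, the job permit=/deny= would otherwise do inside Asterisk. The VOIP chain name, the default UDP ports 5060 and 4569, and the documentation-range networks are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. It only prints iptables commands;
# nothing is applied, so it can be run and reviewed without root.
# Assumptions: default UDP ports (SIP 5060, IAX2 4569), a chain named VOIP,
# and constructed documentation networks standing in for real peers.

TRUSTED_NETS="192.0.2.0/24 198.51.100.17/32"   # constructed sample values
VOIP_PORTS="5060 4569"

# Shape check only: dotted quad plus a /0-/32 prefix (octet range is not checked).
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# gen_voip_rules "<cidr> ..." "<udp port> ..."
gen_voip_rules() {
    # Validate everything first so a typo never yields a half-written ruleset.
    [ -n "$1" ] || { echo "no trusted networks given" >&2; return 1; }
    for net in $1; do
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
    done
    echo "iptables -N VOIP"
    # Order matters: the ACCEPT lines must come before the final DROP.
    for net in $1; do
        echo "iptables -A VOIP -s $net -j ACCEPT"
    done
    echo "iptables -A VOIP -j DROP"
    # Send only the VoIP signalling ports through the chain.
    for port in $2; do
        echo "iptables -A INPUT -p udp --dport $port -j VOIP"
    done
}

gen_voip_rules "$TRUSTED_NETS" "$VOIP_PORTS"
```

Packets from unlisted sources are dropped before Asterisk ever sees them, which is the behaviour a deny-all plus permit= pair would otherwise implement inside sip.conf or iax.conf.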