[asterisk-users] Securing Asterisk
CDR
venefax at gmail.com
Wed Jul 27 11:11:23 CDT 2011
This is turning into a political issue such as the one in Washington
and the impending default on US debt. The point is that a minor change
in the code would have a dramatic effect on security, and carry a
lower impact on CPU than using iptables. The simplicity of the change
cannot be understated. The hackers do not continue sending packets with
new REGISTER attempts unless they see a response. They would move on.
Digium is being monarchical about this. It looks like a loss of
contact with reality. The vast ecosystem of Digium is made of hundreds
of people like me. I am being forced now to place OpenSIPS in front of
Asterisk, on port 5060, set Asterisk to listen on port 5061, and block
access to 5061 from outside. Instead of a minor change, I have to
bring a second application into the picture.
The reason why I find it useless to use iptables with a rule that bans an
IP address if it communicates more than a threshold of times is
simple. I have customers that hit me 10+ times per second from the
same IP. It would look like a hacker, and it is not. I use a cluster
of Asterisk instances in the same box, a big server, and each Asterisk listens
on its own network interface, and responds from it. It does work. But
iptables or fail2ban would not work in a wholesale scenario.
Anyway, thanks for your attention.
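As an added illustration (not from the post, and not Asterisk or Digium code), the following Python runs two banning rules over constructed log lines modelled on Asterisk 1.8 chan_sip messages: a per-source rate rule, which is what an iptables rate limit sees, flags a customer PBX that re-registers a dozen extensions within one second, while a rule that counts only failed REGISTERs and honours an allowlist of known customer addresses flags only the scanning host. The IP addresses, extensions and log lines are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines (not from the post) in the style of Asterisk 1.8
# chan_sip log output: a customer PBX at 203.0.113.5 re-registering twelve
# extensions in one second, and a scanner at 198.51.100.7 guessing accounts.
def build_sample_log():
    lines = []
    for ext in range(100, 112):
        lines.append(f"[Jul 27 11:10:01] VERBOSE[2410] chan_sip.c:     "
                     f"-- Registered SIP '{ext}' at 203.0.113.5:5060")
    for ext in range(1000, 1006):
        lines.append(f"[Jul 27 11:10:02] NOTICE[2410] chan_sip.c: Registration from "
                     f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for "
                     f"'198.51.100.7:5060' - No matching peer found")
    return lines

# Successful registration notice and failed-registration notice, respectively.
REGISTERED = re.compile(r"Registered SIP '[^']*' at (?P<ip>[\d.]+):\d+")
FAILED = re.compile(r"Registration from '[^']*' failed for '(?P<ip>[\d.]+):\d+' "
                    r"- (?P<reason>.+)$")

def count_events(lines):
    """Return (all REGISTER events, failed REGISTER events) per source IP."""
    total, failed = Counter(), Counter()
    for line in lines:
        m = REGISTERED.search(line) or FAILED.search(line)
        if m is None:
            continue
        total[m.group("ip")] += 1
        if "reason" in m.groupdict():   # only the FAILED pattern has this group
            failed[m.group("ip")] += 1
    return total, failed

def rate_ban(lines, threshold):
    """Pure per-IP rate rule: bans any source that sends at least `threshold`
    REGISTER events in the window, whether they authenticate or not."""
    total, _ = count_events(lines)
    return {ip for ip, n in total.items() if n >= threshold}

def failure_ban(lines, threshold, trusted=frozenset()):
    """Failure-based rule with an allowlist of trusted customer sources."""
    _, failed = count_events(lines)
    return {ip for ip, n in failed.items() if n >= threshold and ip not in trusted}

if __name__ == "__main__":
    log = build_sample_log()
    print("rate rule bans:", rate_ban(log, 10))        # catches the customer PBX
    print("failure rule bans:", failure_ban(log, 5))   # catches only the scanner
```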