Use iptables and start with deny all. Follow this by allowing only the protocols/ports you want and only the source/destination IPs you wish to allow. These can be combined to say allow ssh from anywhere but only allow SIP (and its range of ports) to/from a very limited set of IPs belonging to, say, your ITSP. Users that move about a bunch can use a VPN to an allowed subnet.
Eric

On Sat, Feb 7, 2009 at 5:47 PM, oumar ndiaye <ondi...@antg.com> wrote:
> David,
> Thanks in advance. Where do I change the user/peers definition? Is it in the
> firewall of the OS? In that case that won't work because the server hosts
> other services such as ssh and http that are open to any IP as long as the user
> has the correct credentials. Doesn't asterisk itself have built-in security
> filters?
>
> If the only choice is to do it in the OS's firewall, then I will need to
> include the port numbers of SIP, IAX in my firewall rules. In this case,
> which ports should I block to keep unwanted SIP/IAX connections from
> specific IPs?
> Thanks.
>
> On Sat, Feb 7, 2009 at 9:29 AM, David fire <ddf...@gmail.com> wrote:
>>
>> you have many options but you should use them together.
>> firewall
>>
>> in the user/peers definitions add host=<ip>
>> and/or
>> deny=0.0.0.0/0.0.0.0
>> permit=<ip>/<mask>
>>
>> change the ip of your server.
>>
>> use something like ossec to avoid brute force.
>>
>> David
>>
>> 2009/2/6 oumar ndiaye <ond4...@gmail.com>
>>>
>>> Is there a way to restrict connection to my asterisk server to users
>>> based on their IP addresses, and not just password? I have some hackers who
>>> connect to my server to make illegitimate solicitation calls to people. I
>>> had to shut down the server for now until I find a solution. ANY HELP?
>>> Thanks.
>>> ond
>>> _______________________________________________
>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>
>>> asterisk-users mailing list
>>> To UNSUBSCRIBE or update options visit:
>>> http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>> --
>> (\__/)
>> (='.'=)This is Bunny. Copy and paste bunny into your
>> (")_(")signature to help him gain world domination.
>
> --
> Oumar Ndiaye
> CTO
> ANTG Telecom
> www.antg.com
> ondi...@antg.com
> ondi...@alum.mit.edu
> ond4...@gmail.com
> Tel: +1-919-291-8742
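
The default-deny approach described in this thread, written out as an added example (not code from any poster): a shell function that emits an iptables-restore ruleset with ssh and http open to anyone and the VoIP ports open only to listed sources. It assumes Asterisk's default ports (SIP 5060/udp, IAX2 4569/udp, RTP 10000-20000/udp); the ITSP and VPN addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit a default-deny iptables-restore ruleset for an Asterisk host.
# Assumed Asterisk defaults: SIP 5060/udp, IAX2 4569/udp, RTP 10000-20000/udp.
ITSP_SOURCES="203.0.113.10 198.51.100.0/28"  # constructed placeholder addresses
VPN_SUBNET="10.8.0.0/24"                     # constructed placeholder subnet

# Accept only dotted-quad IPv4 with an optional /0-32 prefix, so nothing
# unexpected can end up inside a firewall rule.
valid_cidr() {
    addr=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

gen_rules() {
    for src in $ITSP_SOURCES $VPN_SUBNET; do
        valid_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    # Default policy DROP ("deny all"), then the explicit allows.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
EOF
    # VoIP ports are reachable only from the ITSP and the VPN subnet.
    for src in $ITSP_SOURCES $VPN_SUBNET; do
        echo "-A INPUT -s $src -p udp --dport 5060 -j ACCEPT"
        echo "-A INPUT -s $src -p udp --dport 4569 -j ACCEPT"
        echo "-A INPUT -s $src -p udp --dport 10000:20000 -j ACCEPT"
    done
    echo COMMIT
}

# Print the ruleset; check it with `iptables-restore --test` before loading.
gen_rules
```

An ITSP may send media (RTP) from addresses other than its signalling address, so those need to be in the source list as well. The `deny=`/`permit=` lines in the peer definitions quoted above complement these rules at the Asterisk level.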