Many thanks to all who have contributed to this thread. Some interesting comments to think about.
Mart

Philip Prindeville wrote:
> Gah.  Meant to say "behind a router"...
>
> Philip Prindeville wrote:
>> Encryption shouldn't add more than 2ms.  I have it on my Sipura SPA-94x
>> phones.
>>
>> Or, if your phones are being a router, the router can do the encryption
>> for you.
>>
>> Encryption is a bounded delay, and it's very constant, so jitter (which
>> is as important as delay, and the delay is negligible in this case)
>> isn't a problem.
>>
>> I suspect that in your ADSL scenario, the real culprit was lack of QoS,
>> not encryption latency.
>>
>> -Philip
>>
>> Martin Rogers wrote:
>>> Darrick,
>>>
>>> interesting point about the VPN.  I have to have three classes of port
>>> opened up for my AstLinux to work on the internet.  A VPN solution would
>>> certainly simplify things in this respect.
>>>
>>> However, in reality, how ubiquitous is VPN support on VOIP phones?  I use
>>> three types of phone (two PolyCom models and a Snom model) and none of
>>> them seem to offer any VPN client support.
>>>
>>> The other point is that stream encryption is going to slow down
>>> transmission of the media stream (to some extent anyway).  I have
>>> experienced some bad degradation running a couple of phones with
>>> Asterisk through a PIX hardware VPN over a residential ADSL line.
>>> Stuttery MOH is not nice.
>>>
>>> How practical is the VPN suggestion, does anyone actually use this?
>>> What steps are others taking to secure AstLinux/Asterisk on public
>>> networks?  It would be useful if we could get a list of ideas together.
>>>
>>> My very short and inadequate list so far is as follows:
>>>
>>> -Limit the number of ports available
>>> -Use UnionFS and change the root password
>>> -Use hashed secrets
>>> -Disable allowguest if using SIP
>>>
>>> Thoughts anyone?
>>> Thanks,
>>> Mart
>>>
>>> Darrick Hartman wrote:
>>>> David,
>>>>
>>>> You could use openvpn to secure the connection.  MAC address
>>>> restrictions are pretty weak and easy to spoof.
>>>>
>>>> Darrick
>>>>
>>>> David Kerr wrote:
>>>>> I would like to permit a softphone on my laptop to connect to my
>>>>> astlinux box from anywhere in the world.  This would mean keeping port
>>>>> 5060 open, which is a potential security risk?  Is there a way to
>>>>> restrict access by mac address? so that my softphone on *my* laptop can
>>>>> connect, but no one else's can (even if they know the extension/password).
>>>>>
>>>>> Thanks.
>>>>> David
>>>>>
>>>>> On Mon, Nov 10, 2008 at 2:40 PM, Daniel Aeberli <[EMAIL PROTECTED]>
>>>>> wrote:
>>>>>
>>>>>     Hi Darrick,
>>>>>
>>>>>     You're right, I had misconfigured my Firewall: I opened the voip
>>>>>     ports when I was initially trying to get my Asterisk trunk working.
>>>>>     As I now know, the trunk goes through a tunnel so I closed them just
>>>>>     after my last post and everything still works (no duh).
>>>>>
>>>>>     I still need to dig into my config (Firewall and Asterisk), I'm sure I
>>>>>     have other doors wide open while I tried to get things working.
>>>>>
>>>>>     Many thanks for the reply though.
>>>>>
>>>>>     Daniel
>>>>>
>>>>>     Darrick Hartman wrote:
>>>>>     > Daniel,
>>>>>     >
>>>>>     > Not necessarily.  It sounds like you have the firewall misconfigured.
>>>>>     > What ports are you opening?  You should really only have your ssh port
>>>>>     > and vpn port open.  All others should be closed.  How are these people
>>>>>     > getting in?
>>>>>     >
>>>>>     > Darrick
>>>>>     >
>>>>>     > Daniel Aeberli wrote:
>>>>>     >> Sorry, just realised this is more an Asterisk general question than
>>>>>     >> an ASTLinux one ... off to search other forums...
>>>>>     >>
>>>>>     >> Daniel Aeberli wrote:
>>>>>     >>> Well after the brute force attack ssh login attempts, last month, I have
>>>>>     >>> an undesirable outsider that successfully made calls from my ASTlinux
>>>>>     >>> box.  I locked out the brute force, by disabling WAN requests, turning off
>>>>>     >>> WAN ping response and turning off ssh access, but obviously my box is
>>>>>     >>> not secure.
>>>>>     >>>
>>>>>     >>> I'm not savvy enough to know how to secure my AstLinux box from outside
>>>>>     >>> callers (hackers).  I only use AstLinux to call my parents' AstLinux box
>>>>>     >>> via a VPN trunk over our ADSL lines.  All my local calls go via ISDN line
>>>>>     >>> (since I have to have it for the ADSL link and local calls are free).
>>>>>     >>>
>>>>>     >>> Could someone tell me how to lock outside calls (internet / ADSL) from
>>>>>     >>> using my ISDN lines?
>>>>>     >>>
>>>>>     >>> Thanks
>>>>>     >>>
>>>>>     >>> Daniel
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to [EMAIL PROTECTED]
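
A small auditor for two items on the list quoted above (disable allowguest, use hashed secrets), as an added example that is not part of the original thread. The sample sip.conf is constructed, and the code assumes chan_sip's md5secret convention (MD5 of user:realm:secret, with the section name as the auth user and `asterisk` as the default realm).

```python
import hashlib

# Constructed sample sip.conf for illustration; not taken from the thread.
SAMPLE_SIP_CONF = """\
[general]
bindport=5060
realm=asterisk          ; digest realm used when hashing secrets
;allowguest=no          ; commented out, so the default (yes) applies

[laptop]
type=friend
secret=hunter2          ; plaintext password
context=internal

[deskphone]
type=friend
md5secret=0123456789abcdef0123456789abcdef ; constructed placeholder hash
context=internal
"""

def md5secret(user, secret, realm="asterisk"):
    """Value for sip.conf md5secret: MD5 hex digest of user:realm:secret."""
    return hashlib.md5(f"{user}:{realm}:{secret}".encode()).hexdigest()

def parse_conf(text):
    """Parse Asterisk-style config into {section: {key: value}}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # also accepts "key => value"
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(text):
    """Return findings for guest access and plaintext SIP secrets."""
    conf = parse_conf(text)
    general = conf.get("general", {})
    findings = []
    # chan_sip treats a missing allowguest as yes, so absence is a finding too.
    if general.get("allowguest", "yes").lower() != "no":
        findings.append("general: allowguest is not 'no'")
    realm = general.get("realm", "asterisk")
    for name, opts in conf.items():
        if name != "general" and "secret" in opts:
            hashed = md5secret(name, opts["secret"], realm)
            findings.append(f"{name}: plaintext secret, use md5secret={hashed}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SIP_CONF)) or "no findings")
```

The hash only keeps the password out of the config file; it does not replace the firewall and VPN measures discussed in the thread.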