Hi Cody,

>From John's post your CNET (Collector's Network) is IAX2 based, and he 
>explained things well.  Enabling the Adaptive Ban plugin is still useful for 
>IAX2.

You ask a good general question. For most all other situations SIP is used; 
here are some security measures that can be used:

1) Using the Adaptive Ban plugin is a great first step.

2) If you had a known list of static IPv4 addresses that need remote SIP access, 
use the Firewall sub-tab to "Pass EXT->Local" UDP 5060 for only those IPs.  
Don't use Source: 0/0 in this case.

3) If you had a known list of dynamic hostnames that need remote SIP access, use 
the Firewall DynDNS Host Open plugin to set 
DYNDNS_HOST_OPEN_UDP="sip1.example.com~5060 sip2.example.com~5060" etc.

4) You can either blacklist or whitelist access by SIP User-Agent strings by 
using the Firewall SIP User-Agent plugin.

Keep in mind if your AstLinux box is at the edge (public IPv4 address) and it 
is only accessing a SIP trunk upstream by registering (i.e. no remote SIP 
clients), then the stateful firewall will automatically track the upstream SIP 
server connections and *no* SIP related firewall rules need to be added.  If 
this is the case, none of the security measures 1-4 above are needed for 
Asterisk.

Security by obscurity, use SIP TCP/TLS for remote SIP clients, and don't expose 
UDP 5060 externally.  If your ISP offers native IPv6, only expose IPv6 SIP 
(assuming all SIP clients have native IPv6 access).


Finally, and this applies to most every situation, make use of the *.netset 
Blocklists; at least firehol_level1 and voipbl are good basic choices which 
should not usually cause false-positive blocking.  More info ...

Firewall External Block List
https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list

Lonnie


On Sep 1, 2017, at 10:38 AM, Cody Alderson <aldersona...@gmail.com> wrote:

> Hi,
> 
> I am connected to CNET (Collector's Network) and have one incoming VoIP line 
> running in Astlinux. Outgoing calls over the VoIP number have been 
> redundantly disabled in Asterisk and at the VoIP service provider's setup 
> options. My Astlinux is constantly bombarded with attempts to get in by 
> unauthorized users. I currently have Adaptive Ban enabled, and, with help 
> already received here, have set the system to keep a record of the IP 
> addresses for the bans to persist after a reboot.
> 
> I was wondering what other security I should implement. Keep in mind that the 
> box is an older HP thin client, but the traffic is very minimal. I get a lot 
> more traffic trying to break in than the box needs to handle for legitimate 
> use. :)
> 
> If you suggest enabling another security feature, would you be so kind as to 
> point me to some instructions on configuring it?
> 
> Thank you in advance,
> 
> -Cody
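
Added example (not part of the original messages and not AstLinux project code): a shell check for the false-positive case mentioned with the *.netset blocklists, testing whether a known-good remote SIP client address falls inside any entry of a list before that list is enabled. It assumes a .netset file is plain text with one IPv4 address or CIDR per line and '#' comments; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not AstLinux code. Assumes a *.netset file is plain text with
# one IPv4 address or CIDR per line and '#' comments.

# netset_match IP FILE
# Prints the first entry covering IP and returns 0; returns 1 when no entry
# covers it, 2 when IP is not a dotted-quad IPv4 address.
netset_match() {
  awk -v ip="$1" '
    function ip2int(s,   o, i) {
      if (split(s, o, ".") != 4) return -1
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { rc = 1; target = ip2int(ip); if (target < 0) { rc = 2; exit } }
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }      # drop comments and whitespace
    $0 == "" { next }
    {
      n = split($0, part, "/")
      bits = (n == 2) ? part[2] + 0 : 32         # bare address means /32
      base = ip2int(part[1])
      if (base < 0 || bits < 0 || bits > 32) next  # skip malformed entries
      size = 2 ^ (32 - bits)                     # addresses in the block
      if (int(target / size) == int(base / size)) { print; rc = 0; exit }
    }
    END { exit rc }
  ' "$2"
}

# check_clients FILE IP...  -> one line per address: "BLOCKED ip entry" or "clear ip"
check_clients() {
  list=$1; shift
  for addr in "$@"; do
    if hit=$(netset_match "$addr" "$list"); then
      echo "BLOCKED $addr $hit"
    else
      echo "clear $addr"
    fi
  done
}

# Constructed sample list (documentation address ranges), not real blocklist data.
sample=$(mktemp)
printf '%s\n' '# constructed sample' '192.0.2.0/24' '198.51.100.17' \
  '203.0.113.128/25' > "$sample"
check_clients "$sample" 192.0.2.55 198.51.100.18 203.0.113.200
rm -f "$sample"
```

An address reported as BLOCKED would be dropped once that list is active, so it is worth running the known remote client addresses through each downloaded list first.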



_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
