Steve Edwards wrote:
On Tue, 29 Jun 2010, James Sharp wrote:
Or make your changes to the iptables config file, then run:
/etc/init.d/iptables restart; sleep 15; /etc/init.d/iptables stop
The crontab trick is neat, but you can set yourself up with some
possible race conditions.
Ahh, Unix -- always more than 1
Thanks for that Steve. This works. However, what if I do this (would I block
myself from SSH 22):
--
sudo iptables \
--append INPUT \
--match tcp \
--protocol tcp \
--dport 22 \
On Tue, 29 Jun 2010, bruce bruce wrote:
Thanks for that Steve. This works. However, what if I do this (would I
block myself from SSH 22):
--
sudo iptables \
--append INPUT \
--match tcp \
Thanks for the amazing cronjob advice.
On Tue, Jun 29, 2010 at 4:26 PM, Steve Edwards asterisk@sedwards.com wrote:
On Tue, 29 Jun 2010, bruce bruce wrote:
Thanks for that Steve. This works. However, what if I do this (would I
block myself from SSH 22):
Any time you are fiddling with iptables, it would be prudent to add
something like this to root's crontab:
# Min hour DOM month DOW command
*/05 * * * * /etc/init.d/iptables stop
In case you blow it, you can get
How can you set up a firewall if you have some users on dynamic IP addresses?
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-biz mailing list
To UNSUBSCRIBE or update options visit:
It's called a VPN. Other solutions include TLS, IPSEC, or even private line
~
Andrew lathama Latham
lath...@gmail.com
* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux
If you're running an ITSP with a bunch of end users out there, are you
seriously going to want to create a firewall rule for everyone's dynamic
IP?
vs.
Yes. Just because it takes more time / resources to manage a network,
it's no reason to be lazy and let security lapse.
I think for most
-Original Message-
From: asterisk-biz-boun...@lists.digium.com [mailto:asterisk-biz-
boun...@lists.digium.com] On Behalf Of Andrew Latham
Sent: Sunday, June 27, 2010 3:31 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] 87.230.80.186
It's
Of Andrew Latham
Sent: Sunday, June 27, 2010 3:31 PM
To: Commercial and Business-Oriented Asterisk Discussion
Subject: Re: [asterisk-biz] 87.230.80.186
It's called a VPN. Other solutions include TLS, IPSEC, or even private
line
So you give every customer with 1 SIP account and 1 DID a VPN
From an intra-industrial perspective, unless you're providing
end-to-end managed connections and hardware or software packaging,
you're obviously not going to limit SIP to particular IP addresses,
though you will most certainly, most emphatically restrict SSH and
other services that way.
As
Andrew Latham wrote:
SIP TLS or a nice SNOM phone with VPN will do the trick...
No it won't. Transport layer encryption won't solve the problem of
brute forcing weak passwords, which is what I believe this whole
discussion started with.
The SNOM phone is a little stronger, but only through
On Sun, 2010-06-27 at 15:53 -0400, James Sharp wrote:
Andrew Latham wrote:
SIP TLS or a nice SNOM phone with VPN will do the trick...
No it won't. Transport layer encryption won't solve the problem of
brute forcing weak passwords, which is what I believe this whole
discussion started
Dear friends, like someone said before me on the list: neither of both extremes
could be pretty good!!
One for being dangerous, the other for heavy duty requirements in maintenance for
user changes...
Thus, leaving the system open without a Firewall + IDS system will be
dangerous
,
options for bring up
something to get better..
Marcos
Thanks again
From: br...@voicefoxtelephony.com
To: br...@voicefoxtelephony.com
Subject: Re: [asterisk-biz] 87.230.80.186
Date: Sun, 27 Jun 2010 21:15:02 -0500
CC: asterisk-biz@lists.digium.com; asterisk-biz
On Fri, Jun 25, 2010 at 10:41 PM, James Sharp jsh...@psychoses.org wrote:
If you're running an ITSP with a bunch of end users out there, are you
seriously going to want to create a firewall rule for everyone's dynamic IP?
Yes. Just because it takes more time / resources to manage a network
Since my last posting didn't seem to make it?
That IP did succeed in gaining access to our Asterisk Server.
Call center type traffic started. I caught it after about $20 in calls
generated. So not too bad...
I stopped letting users pick their passwords after that.
Kevin
--
On 06/25/2010 06:46 PM, Paul Belanger wrote:
On Fri, Jun 25, 2010 at 5:47 PM, Muugm...@lighteningsys.ca wrote:
That IP did succeed in gaining access to our Asterisk Server.
I don't understand why people put unprotected Asterisk servers on a
public interface with no ACLs or firewall.
On 6/25/10 6:46 PM, Paul Belanger wrote:
On Fri, Jun 25, 2010 at 5:47 PM, Muugm...@lighteningsys.ca wrote:
That IP did succeed in gaining access to our Asterisk Server.
I don't understand why people put unprotected Asterisk servers on a
public interface with no ACLs or
Alex Balashov wrote:
On 06/25/2010 06:46 PM, Paul Belanger wrote:
On Fri, Jun 25, 2010 at 5:47 PM, Muugm...@lighteningsys.ca wrote:
That IP did succeed in gaining access to our Asterisk Server.
I don't understand why people put unprotected Asterisk servers on a
public interface with no
On 06/24/2010 07:52 AM, Dovid Bender wrote:
Hi all,
Just as a heads up to the list, the IP above was trying to register with
random names to some of our servers and was flooding them with
registration requests.
Perhaps you should install fail2ban on your Asterisk box. PBXinaFlash
has the
7:52 AM
Subject: [asterisk-biz] 87.230.80.186 - Trying to register
Hi all,
Just as a heads up to the list, the IP above was trying to register with random
names to some of our servers and was flooding them with registration requests.
Dovid
@lists.digium.com
Sent: Thursday, June 24, 2010 7:52 AM
Subject: [asterisk-biz] 87.230.80.186 - Trying to register
Hi all,
Just as a heads up to the list, the IP above was trying to register with random
names to some of our servers and was flooding them with registration requests.
Dovid
On Friday 25 June 2010 07:24:57 Josef Grand wrote:
re:
Only for your information, this IP (87.230.80.186) is located in Germany,
ISP: hosteurop, and is using Suse Linux
with plex installed
thanks
ISTR some discussion on the list about setting up an equivalent of Team
Cymru's bogon feed
This is just one of the many IPs. On my server it'll automatically be blocked
by Fail2ban. We should have a central location where we could publish all
such IPs for everyone's benefit.
Zeeshan A Zakaria
--
www.ilovetovoip.com
On 2010-06-24 5:43 AM, Alexander Harrowell
On 06/24/2010 06:44 AM, Zeeshan Zakaria wrote:
This is just one of the many IPs. On my server it'll automatically be
blocked by Fail2ban. We should have a central location where we could
publish all such IPs for everyone's benefit.
Easiest way to do this might be to have a special ENUM zone for
What would be the other workaround other than fail2ban? What commands should
be run for IPTABLES to ban this IP from trying to register to SIP?
On Thu, Jun 24, 2010 at 2:24 AM, Patrick Lists
asterisk-l...@puzzled.xs4all.nl wrote:
On 06/24/2010 07:52 AM, Dovid Bender wrote:
Hi all,
Just as
iptables -A INPUT -p TCP -s 87.230.90.5 --dport 5060 REJECT
Zeeshan A Zakaria
--
www.ilovetovoip.com
On 2010-06-24 1:03 PM, bruce bruce bruceb...@gmail.com wrote:
What would be the other workaround other than fail2ban? What commands should
be run for IPTABLES to ban this IP from trying to
Un-top-posting...
On 2010-06-24 1:03 PM, bruce bruce bruceb...@gmail.com wrote:
What would be the other workaround other than fail2ban? What commands
should be run for IPTABLES to ban this IP from trying to register to
SIP?
On Thu, 24 Jun 2010, Zeeshan Zakaria wrote:
iptables -A INPUT
Despite doing that, if you still see many registration attempts coming onto
the box what could be the problem?
I have also done iptables-save and service iptables restart.
Should the server be restarted?
Thanks
On Thu, Jun 24, 2010 at 1:07 PM, Zeeshan Zakaria zisha...@gmail.com wrote:
On Thu, 24 Jun 2010, bruce bruce wrote:
Despite doing that, if you still see many registration attempts coming onto the
box what could be the problem?
I have also done iptables-save and service iptables restart.
Should the server be restarted?
No.
--
Thanks in advance,
On Thu, 24 Jun 2010, bruce bruce wrote:
Despite doing that, if you still see many registration attempts coming
onto the box what could be the problem? I have also done iptables-save
and service iptables restart.
Did your save save or overwrite your new rules?
(BTW, I don't like
Please don't mention about restarting the server, you are not dealing with
MS Windows.
For further investigation,
Zeeshan A Zakaria
--
www.ilovetovoip.com
On 2010-06-24 2:34 PM, Steve Edwards asterisk@sedwards.com wrote:
On Thu, 24 Jun 2010, bruce bruce wrote:
Despite doing that, if you
For further investigation, I guess you'll have to do some network sniffing
to see what is going on with the registrations. Why not simply set up
fail2ban? It's easy, all instructions are there on voip-info.org.
Zeeshan A Zakaria
--
www.ilovetovoip.com
On 2010-06-24 2:34 PM, Steve Edwards
Perhaps you forgot to write the output from iptables-save back to the
iptables config file? Do man iptables-save for more info.
On 06/24/2010 01:56 PM, bruce bruce wrote:
Despite doing that, if you still see many registration attempts coming
onto the box what could be the problem?
I have also done
On Thu, Jun 24, 2010 at 12:56 PM, bruce bruce bruceb...@gmail.com wrote:
What would be the other workaround other than fail2ban? What commands should
be run for IPTABLES to ban this IP from trying to register to SIP?
A workaround / solution would be to move your equipment off the
Internet and
I think that you need to add some changes in the RULE sentence or add some other:
iptables -I INPUT -p TCP -s 87.230.90.5 --dport 5060 -j REJECT
(yes, it needs the -j)
The former needs the -j; in any rule this tells iptables modules which target
to JUMP to when the condition was matched or
On Thu, Jun 24, 2010 at 5:01 PM, Calleasy BsAS sisint2...@hotmail.com wrote:
[snipped, hugely]
I apologize for the extension :-), but if it could help.
Marcos
I posted an example on using this with perl... the idea was to make a
chain called asterisk:
iptables -N asterisk
iptables -A
On Thu, 24 Jun 2010, Fred Posner wrote:
I posted an example on using this with perl... the idea was to make a
chain called asterisk:
[snip]
this way you have some idea of reason for dropping, etc.
I like the idea of having some idea why I'm dropping someone, but I prefer
to do it in-line
On Thu, 24 Jun 2010, Calleasy BsAS wrote:
[snip]
Then, to execute this any time that you restart the computer, you must
include in rc.local (placed in the /etc/rc.d folder) THIS SENTENCE:
iptables-restore < /folder-where-you-has-save/my-config
OR you may also include the original command
On Thu, Jun 24, 2010 at 5:50 PM, Steve Edwards
asterisk@sedwards.com wrote:
On Thu, 24 Jun 2010, Fred Posner wrote:
I posted an example on using this with perl... the idea was to make a
chain called asterisk:
[snip]
this way you have some idea of reason for dropping, etc.
I like the
Hi all,
Just as a heads up to the list, the IP above was trying to register with random
names to some of our servers and was flooding them with registration requests.
Dovid