Thanks again for the depth of knowledge you are offering. So, I am taking a pass on the firewall since it won't do what I need but I understand that it can do country block etc... though not foolproof still.
I am really not worried about DoS or more importantly DDoS as I have no hope those can be prevented anyhow.... been hit by one on a pfSense router and it was just absorb as much as you can. I like the different port idea, though with the current scattered ATAs and SIP phones it's impractical for me to ask them all to change to a random port.

Quote: "How do the users register to begin with, if their REGISTER requests won't be processed unless their IP is already known to be a registrant? :-)"

Well, unfortunately I don't have the luxury of knowing their IP and the closest I know is their IP range. But I guess this is what it is, as I have seen big providers also return back DECLINED from their gateways if one is not on their authorized list.

So, my final questions:

1- So, you are saying that either of OpenSER/Kamailio/OpenSIPS actually give me the full capability to the SIP stack to do the sort of thing I was asking for? And this can run on the same server as Asterisk is running?

Thanks a bunch

On Fri, Jul 22, 2011 at 10:18 PM, Alex Balashov <[email protected]> wrote:

> On 07/22/2011 10:11 PM, Bruce B wrote:
>
>> Vast number of scattered users all over the globe. I hate to think
>> there is no way to not announce ourselves as a SIP server to
>> un-trusted users.
>
> Not easily. This is a problem all service providers have to deal with, and
> so do you. You have to have your SIP services open to the world, but they
> don't necessarily need to be easy to DoS or dictionary scan.
>
> Intra-industrially, the solution is usually some form of SBC or other
> administrative border/edge security element. In the open-source world, a
> lot of the steeling, rate-limiting, etc. can be done with
> OpenSER/Kamailio/OpenSIPS.
>
> (Shameless plug: That's what we do all day commercially.)
>
> A common strategy is to use a non-standard SIP port ('bindport' in
> sip.conf). No, it doesn't stop all scans, but in our experience, it will
> stop a good 95%+ of them. When almost everyone does use the standard SIP
> port, and thus there are so many low-hanging targets, it's not worth
> bothering with a full ~65k UDP port scan. Certainly, the average SIPvicious
> scanner won't bother with anything but 5060.
>
>> Or is there something else that can be done with the firewall to all
>> "dynamic" trust IPs and drop packets from unregistered sources?
>
> That raises an interesting question:
>
> How do the users register to begin with, if their REGISTER requests won't
> be processed unless their IP is already known to be a registrant? :-)
>
> --
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
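The thread's practical middle ground between "open to the world" and "only known IPs" is rate limiting: let anyone send REGISTER, but notice sources that fail authentication in bursts. The following is an added example, not code from either poster, Asterisk, or Kamailio. It scans Asterisk chan_sip registration-failure log lines (the sample lines, the thresholds, and the allowlisted customer range 203.0.113.0/24 are all constructed for the example) and reports which source IPs crossed a failures-per-minute threshold, separating out sources that fall inside a range the operator knows belongs to real customers, since a mistyped ATA password should not get a whole branch office dropped.

```python
"""Flag source IPs that generate a burst of failed SIP REGISTER attempts.

Added example for the thread above; the log lines, thresholds and the
allowlisted customer range are constructed, not taken from the thread.
The flagged list is the kind of signal a firewall drop rule or a
fail2ban-style jail would act on; the exempted list is for sources in
ranges you know belong to real customers and would rather alert on.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, modelled on chan_sip's NOTICE lines for failed registrations.
# 198.51.100.23 walks extensions 100..104 in three seconds (dictionary-scan shape),
# 192.0.2.77 fails twice in two minutes (looks like a typo), and 203.0.113.200
# fails five times but sits inside a range we know belongs to customers.
SAMPLE_LOG = """\
[Jul 22 22:10:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[Jul 22 22:10:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23:5061' - No matching peer found
[Jul 22 22:10:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.23:5062' - No matching peer found
[Jul 22 22:10:02] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.23:5063' - No matching peer found
[Jul 22 22:10:03] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@203.0.113.10>' failed for '198.51.100.23:5064' - No matching peer found
[Jul 22 22:10:30] NOTICE[1234] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '192.0.2.77:5060' - Wrong password
[Jul 22 22:11:45] NOTICE[1234] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '192.0.2.77:5060' - Wrong password
[Jul 22 22:12:00] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '203.0.113.200:5060' - Wrong password
[Jul 22 22:12:05] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '203.0.113.200:5060' - Wrong password
[Jul 22 22:12:10] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '203.0.113.200:5060' - Wrong password
[Jul 22 22:12:15] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '203.0.113.200:5060' - Wrong password
[Jul 22 22:12:20] NOTICE[1234] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10>' failed for '203.0.113.200:5060' - Wrong password
"""

# Constructed: the range(s) the operator knows their ATAs and phones come from.
ALLOWLISTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

FAIL_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for each failed-REGISTER line.

    Asterisk's default timestamp carries no year, so strptime fills in 1900;
    that is fine for measuring gaps inside one log, not across a year boundary.
    """
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")


def detect_register_floods(log_text, threshold=5, window_seconds=60,
                           allowlist=ALLOWLISTED_RANGES):
    """Return (flagged, exempted): source IP -> peak failures seen inside one window.

    A source is flagged once it accumulates `threshold` failures within
    `window_seconds`; sources inside an allowlisted range go to `exempted`
    instead so a customer with a bad password is alerted on, not blocked.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged, exempted = {}, {}
    for ts, ip, _reason in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            addr = ipaddress.ip_address(ip)
            bucket = exempted if any(addr in net for net in allowlist) else flagged
            bucket[ip] = max(bucket.get(ip, 0), len(q))
    return flagged, exempted


if __name__ == "__main__":
    blocked, watched = detect_register_floods(SAMPLE_LOG)
    for ip, n in blocked.items():
        print(f"drop candidate: {ip} ({n} failed REGISTERs within 60s)")
    for ip, n in watched.items():
        print(f"customer range, alert only: {ip} ({n} failed REGISTERs within 60s)")
```

Run against a real `/var/log/asterisk/messages` the flagged addresses are what you would hand to a firewall drop rule or a fail2ban jail, and the window and threshold are the knobs to tune so that a phone retrying a wrong password every 30 seconds never reaches the threshold while an extension-walking scan does within seconds. Moving `bindport` off 5060, as Alex suggests, cuts the volume this has to look at; it does not replace it.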
