Security – Using Linksys PAP2T from outside with a dynamic IP is there anyway to block all other traffic but those of the PAP2T?


Hi Everyone

I think the PAP2T supports DynDNS and other dynamic DNS providers. I have a box
that needs to be secured at all times. Currently it’s not connected to the
internet. If it were connected, I would have iptables block any and all
traffic from outside, but I want a single device – a Linksys PAP2T – to be able
to connect back to the server. That is a stand-alone device and doesn’t
support VPN, and I don’t have the luxury of putting a VPN client on the PAP2T
side to connect back to the server. Is there any way I can use DynDNS on the
PAP2T to somehow notify the Asterisk server that it’s a safe device coming
in?

I do use fail2ban, but that is not what I am looking for at this moment. And
since the IP is dynamic on the PAP2T, I can’t just use iptables to let
it in, as it might change all of a sudden.

Thanks


  • do the dyndns on whatever router is in front of the pap2t
    or
    get some other box that supports it.

    other than that you are looking for some sort of magic bullet

  • Hi,

    Can you please explain the DynDNS part. How would I put that in my Asterisk
    server as an identified party? Usually it comes to me with an IP address
    (dynamic). Or do I add something like this in sip_nat.conf:

    externip=mybox.dyndns.org
    localnet=192.168.0.0/255.255.255.0

    ???

    Thanks again,

  • every time the address changes you have to have some script to make the
    change in your firewall.

    I was confusing the Asterisk server side of sip_nat with the PAP2T. So,
    the PAP2T can only register to DynDNS and that’s all.

    What sort of a script would I be looking for? Something to query DynDNS for
    the new IP of the device to add to the firewall? This might, however, cause
    downtime if the inquiry is not successful.

    Or can I setup my own Dyndns server on the Asterisk server and have those
    PAP2T units registered to it and then work it from there when their IPs
    change?

    Thanks

    Can’t I, in my iptables, just accept pap2t.dyndns.org if that is bound to
    the PAP2T? Do you think the device comes in with its external IP rather
    than the DynDNS domain?

    Thanks

  • Yes. An IP datagram carries only the source and destination IP
    addresses, not the DNS names associated with them. Your firewall _may_
    be able to accept a DNS name to block or allow rather than an IP
    address, but most don’t, and doing so makes you vulnerable to DNS
    spoofing attacks.

    To go further would be thoroughly off-topic for this list.

    Roger

  • I’m puzzled. Do you want the pap2t to connect directly to the internet?
    If so, then what does this have to do with asterisk or your box?

    If you want the pap2t to be connected to asterisk on your box, then the
    box has two interfaces. One is internal and open to a static address on
    pap2t, the other on the internet and subject to iptables. You can port
    forward to the pap2t.

    Or am I missing something?

    sean

  • Thanks Roger.

    I will be trying this box to see what I can do. Otherwise, I’d probably have
    to find a list of all of the IPs of Rogers (the ISP providing internet to these
    boxes) to at least limit the attacks to the Rogers ISP.

    hmmm….

    Or maybe what’s secure is using a DNS name like this:
    sdlfjdsfJ#@$523k4j98sd7fkjh324#@$832.dyndns.org

    ^^^^^^^^^^^^^^^^^^^^isn’t that a security feature in itself?

    Thanks

    You’re not going to be able to put a DNS hostname in iptables, but you
    could have a script that runs periodically, gets the IP address for your
    dynamic hostname and allows that.

  • On Sat, 2 Oct 2010 14:56:11 -0400, bruce bruce wrote

    The PAP2T does not include DynDNS (or any other dynamic DNS client) support. Mostly because it really does not need to. Asterisk gets the IP address of the PAP2T when it registers, so it does not need anything else to find it. If you are unwilling or unable to open/expose the necessary ports to the Internet, then there is no way for the PAP2T to communicate with your Asterisk server.

    Maybe you could have a SIP proxy on the outside on a static IP and then allow that proxy to relay the PAP2T into your network?

  • Almost.

    You can put a hostname in iptables, but it is resolved when the rules are loaded.

    You could reload iptables when your dynamic hostname changes, and it will
    be resolved correctly with the new IP address.
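The periodic resolve-and-update script that the last two replies describe, written out as an added example; it is not code from the original thread or from any of its posters. It assumes, hypothetically, one DynDNS name per adapter (pap2t-01.dyndns.org and so on, passed as arguments), a dedicated chain PAP2T_ALLOW that INPUT jumps to, SIP on udp/5060 and RTP on udp/10000-20000; the chain name, ports and state directory are illustrative. Instead of reloading the whole ruleset, it deletes and re-adds only the rules for a name whose address actually changed, and it refuses anything the resolver returns that is not a plain dotted quad, so a bad or poisoned answer cannot turn into a malformed rule.

```shell
#!/bin/sh
# pap2t-allow.sh: keep per-adapter iptables ACCEPT rules in sync with dynamic DNS names.
# Added example for the thread above; chain, ports and paths are hypothetical.
# Usage: pap2t-allow.sh pap2t-01.dyndns.org pap2t-02.dyndns.org ...   (from cron)

STATE_DIR="${STATE_DIR:-/var/lib/pap2t-allow}"   # one file per name holding the last IP
IPT="${IPT:-iptables}"                            # set IPT=echo for a dry run
CHAIN="PAP2T_ALLOW"                               # created once: iptables -N PAP2T_ALLOW

# Strict dotted-quad check: exactly four fields, each 1-3 digits and <= 255.
# Returns 0 for a valid IPv4 address, 1 for anything else (including shell metacharacters).
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1 }
    { exit 0 }'
}

# First IPv4 address the system resolver returns for a name; empty if resolution fails.
resolve_ipv4() {
  getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Print (do not run) the iptables commands that move the rules for NAME from OLD to NEW.
# OLD may be empty on the first run; the -m comment tags let you spot each adapter in -L.
rule_commands() {
  name=$1; old=$2; new=$3
  if [ -n "$old" ]; then
    echo "$IPT -D $CHAIN -s $old -p udp --dport 5060 -m comment --comment $name -j ACCEPT"
    echo "$IPT -D $CHAIN -s $old -p udp --dport 10000:20000 -m comment --comment $name -j ACCEPT"
  fi
  echo "$IPT -A $CHAIN -s $new -p udp --dport 5060 -m comment --comment $name -j ACCEPT"
  echo "$IPT -A $CHAIN -s $new -p udp --dport 10000:20000 -m comment --comment $name -j ACCEPT"
}

# Sync one name: validate the resolved IP, compare with the recorded one, update on change.
# $1 = DNS name, $2 = IP the caller resolved for it.
# Returns 0 if unchanged or updated, 1 if the IP was rejected (rules left untouched).
sync_name() {
  name=$1; new=$2
  state="$STATE_DIR/$name"
  is_ipv4 "$new" || { echo "refusing bad address '$new' for $name" >&2; return 1; }
  old=""
  [ -f "$state" ] && old=$(cat "$state")
  [ "$old" = "$new" ] && return 0
  # Both the name (from argv) and the IP (validated above) are safe to word-split here.
  rule_commands "$name" "$old" "$new" | while read -r cmd; do $cmd; done
  echo "$new" > "$state"
  return 0
}

main() {
  mkdir -p "$STATE_DIR"
  for name in "$@"; do
    ip=$(resolve_ipv4 "$name")
    sync_name "$name" "$ip"
  done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Create the chain once with `iptables -N PAP2T_ALLOW` and `iptables -I INPUT -j PAP2T_ALLOW`, then run the script from cron every minute with the adapter names as arguments; with forty names that is forty resolver queries per minute, which your local caching resolver will mostly answer from cache. The script deliberately leaves the old rule in place when resolution fails or returns garbage, so a DynDNS outage does not lock the adapter out. What it cannot fix is Roger's point: it trusts whatever the resolver returns, so it narrows the exposure to a handful of source addresses rather than proving who is on the other end; SIP registration passwords and fail2ban still do that job. On systems with ipset, keeping the addresses in a hash:ip set referenced by a single ACCEPT rule avoids the delete-and-re-add dance entirely.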

  • Thanks for the input guys.

    So, the IP is resolved only when iptables is loaded or reloaded. Therefore,
    the best approach would be to ping the hostname every, let’s say, 3 seconds
    and see if the IP is still the same; if it is, then move on, otherwise
    update iptables with the new IP address. This sounds like it would work, but I
    am not sure how fast DynDNS can resolve the IP for me (delay), and I am
    looking to connect 40 PAP2Ts to this system. So, all in all, that is 40
    queries to DynDNS every 3 seconds.

    As I mentioned earlier, wouldn’t it be more solid if I ran my own dynamic
    DNS server on the same box as Asterisk (is that even possible?), and what
    sort of other security holes would I be exposing by doing that?

    Thanks again for all the great input.

    -Bruce

    sedwards@sedwards.com  Voice: +1-760-468-3867 PST