I’m looking into adding the ability to call me at email@example.com on my Asterisk 11 box. Does anyone have any tips or dialplan snippets to allow this kind of access as securely as possible?
Well, if you want anybody to call you, you need to leave it open to the public. Meaning, you can’t really secure it. Obviously, don’t have any outbound trunks configured on the box so that the only location some could dial would be your extension.
Thanks for your feedback Paul. The not having outbound trunks is going to be a challenge. So next to fail2ban I guess I’ll cook up some dialplan logic that records IP addresses, keeps track of the amount of failed password attempts etc. and block the offending IP addresses together with max simultaneous outband calls and anything else I can think of to beef up security and limit potential damage.
Yes that is indeed what they are for but in the case “they” find a loophole or exploit a bug then not having outbound trunks is much safer.
A few iptables rules can protect you from access from China, North Korea, Iran, Iraq, xxxistan, Russia, Nigeria, and any other country you’re not expecting calls from.
Eliminate 90% of the problem at the front door and you can focus more clearly on the remaining 10%.
Yes that’s one of the tricks in my bag. Unfortunately it seems that the IP ranges from ip-deny.com are no longer available and even their website has disappeared.
Would you mind sharing where you get the per country IP ranges from?
I confess I ‘brute forced’ it by entering ‘/8s’ into ARIN’s web page and noting if the block had been assigned to a ‘foreign’ NIC — not really a reliable and robust methodology, but it worked for me.
A great way to kill time while on hold for customer dis-service.
If it works… 🙂
Definitely. If any of the calls lasted more than entering 20 /8s I hope it was to cancel the service.
I found another solution: install the geoip kernel module from xtables-addons, install the MaxMind GeoIP country database and add some rules to the iptables config to block a country.