00:01.12 | *** join/#asterisk Janos (~textual@201.204.94.76) |
02:14.09 | *** join/#asterisk paulgrmn (~paulgrmn@c-98-250-183-21.hsd1.mi.comcast.net) |
02:36.59 | *** join/#asterisk TulaZula (TulaZula@gateway/vpn/privateinternetaccess/tulazula) |
02:57.28 | *** join/#asterisk tsal (~tsal@i59F4D4F9.versanet.de) |
03:37.24 | *** join/#asterisk akp55 (~akp55@c-73-148-15-31.hsd1.va.comcast.net) |
03:42.37 | *** join/#asterisk electronic_eel (~quassel@213.240.182.147) |
03:53.05 | *** join/#asterisk pchero (~pchero@211.178.226.108) |
04:03.55 | *** join/#asterisk electronic_eel (~quassel@213.240.182.138) |
04:19.27 | *** join/#asterisk electronic_eel (~quassel@213.240.182.164) |
04:54.31 | *** join/#asterisk pchero (~pchero@211.178.226.108) |
05:20.42 | *** join/#asterisk FH_thecat (~FH_thecat@75.11.25.212.ftth.as8758.net) |
05:27.18 | *** join/#asterisk akp55_ (~akp55@c-73-148-15-31.hsd1.va.comcast.net) |
05:27.27 | *** join/#asterisk gerhard7_ (~gerhard7@86.87.238.48) |
05:28.06 | *** join/#asterisk saint__ (~saint_@unaffiliated/saint-/x-0540772) |
05:28.50 | *** join/#asterisk pchero (~pchero@211.178.226.108) |
05:57.14 | *** join/#asterisk pchero (~pchero@211.178.226.108) |
06:08.52 | *** join/#asterisk saint_ (~saint_@unaffiliated/saint-/x-0540772) |
06:10.56 | *** join/#asterisk pchero (~pchero@211.178.226.108) |
06:50.33 | *** join/#asterisk jkroon (~jkroon@165.16.203.101) |
08:02.03 | *** join/#asterisk pchero (~pchero@211.178.226.108) |
08:33.19 | *** join/#asterisk GoldenBear (~gb@titan.pathogen.is) |
09:12.46 | *** join/#asterisk Cory (~Cory@unaffiliated/cory) |
09:58.07 | *** join/#asterisk rpifan (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de) |
11:48.04 | *** join/#asterisk rpifan (~rpifan@p4fca2adc.dip0.t-ipconnect.de) |
12:23.00 | *** join/#asterisk pvoigt (~Linux@unaffiliated/pvoigt) |
12:37.06 | *** join/#asterisk drathir_tor (~drathir@gateway/tor-sasl/drathir) |
12:51.06 | *** join/#asterisk rpifan_ (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de) |
12:52.49 | *** join/#asterisk jayjo- (jayjo@gateway/vpn/privateinternetaccess/jayjo) |
12:53.59 | *** join/#asterisk pchero (~pchero@211.178.226.108) |
12:54.00 | *** join/#asterisk Posterdati (~posterdat@host-79-37-129-8.retail.telecomitalia.it) |
12:59.38 | *** join/#asterisk Pasha (~Cory@unaffiliated/cory) |
13:16.39 | *** join/#asterisk segnior (segnior@gateway/shell/xshellz/x-cltybdmhdxtxfita) |
14:36.01 | *** join/#asterisk drathir_tor (~drathir@gateway/tor-sasl/drathir) |
15:12.13 | *** join/#asterisk rpifan_ (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de) |
16:40.06 | *** join/#asterisk electronic_eel (~quassel@dslb-088-066-013-004.088.066.pools.vodafone-ip.de) |
17:05.20 | igcewieling | Verizon is so awesome. A dozen trouble tickets on a circuit down since 2020-12-28 and service was finally restored today. |
17:06.59 | igcewieling | According to VZ the circuit is fine or has a loopback on it or the CPE is down or the smartjack has a problem or the DS3 the circuit rides on is down. |
17:20.29 | *** join/#asterisk tsal_ (~tsal@i59F4D4F9.versanet.de) |
17:21.18 | *** join/#asterisk pchero (~pchero@211.178.226.108) |
17:35.29 | *** join/#asterisk akp55 (~akp55@c-73-148-15-31.hsd1.va.comcast.net) |
17:42.55 | *** join/#asterisk electronic_eel_ (~quassel@213.240.182.193) |
17:45.49 | *** join/#asterisk electronic_eel (~quassel@213.240.182.193) |
18:00.22 | *** join/#asterisk rpifan (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de) |
18:07.48 | *** join/#asterisk drathir_tor (~drathir@gateway/tor-sasl/drathir) |
18:15.27 | *** join/#asterisk akp55_ (~akp55@c-73-148-15-31.hsd1.va.comcast.net) |
18:17.10 | *** join/#asterisk akp55 (~akp55@c-73-148-15-31.hsd1.va.comcast.net) |
18:26.20 | *** join/#asterisk Posterdati (~posterdat@host-79-37-129-8.retail.telecomitalia.it) |
19:03.17 | *** join/#asterisk joako (~joako@opensuse/member/joak0) |
19:14.08 | *** join/#asterisk cloud9 (~cloud9@c-24-21-228-102.hsd1.or.comcast.net) |
19:21.48 | cloud9 | hey everyone, looking for your thoughts regarding having asterisk ports open to the world. I've always kept mine locked down and only allowed certain IPs through. I have a new project where managing all the changing IPs would become a nightmare. I know that there's plenty of hardening tutorials out there but just asking for some real input. Are my greatest concerns someone hacking a |
19:21.48 | cloud9 | registration or DDoS? Is fail2ban what everyone is using to mitigate people scanning for weak passwords? |
19:23.27 | *** join/#asterisk cybrNaut (~cybrNaut@unaffiliated/cybrnaut) |
19:29.21 | igcewieling | cloud9: I use fail2ban and sometimes add a static ban to a /8 or /16 for persistent network blocks I know I'll never need to accept connections from. |
19:32.07 | cloud9 | igcewieling: thanks for the input. so assuming I'm on the current version and have fail2ban actively blocking scanners, should I be ok public facing? I understand there's always some level of potential for a breach. sounds like it's mostly a non-issue |
19:36.19 | igcewieling | "OK" is a strong term when talking about attacks, but it is the best you will get without getting more complicated. You could look at the FreePBX firewall iptables and see how they create whitelists of successfully registered IPs if you want to add some more security. |
19:37.11 | cloud9 | Understood. Thanks for the tip |
19:39.14 | igcewieling | Here is an iptables ruleset to block the most common attacking user agents. https://pastebin.com/03FCGW3a |
19:42.09 | Samot | You should never rely on fail2ban as your security measure. |
19:43.09 | cloud9 | Thanks igcewieling |
19:43.55 | cloud9 | Samot: yes obviously there's layers. what's at the top of your list? |
19:44.12 | Samot | Well.. |
19:44.31 | Samot | I don't have any need for anyone outside of the ARIN space to have access to my network. |
19:44.38 | Samot | So they don't. |
19:45.18 | cloud9 | ya makes sense |
19:45.33 | Samot | Even then most of my end users are static IPs so that helps. |
19:45.47 | Samot | However, I have those that are not and those that use mobile devices. |
19:45.54 | cloud9 | for sure, exactly |
19:45.58 | Samot | So proper rate limiting, monitoring.. |
19:46.27 | Samot | I also use Kamailio in front of everything to have more control. |
19:46.43 | cloud9 | got it. but with the measures you have in place, you are comfortable having the required ports "open" |
19:47.01 | cloud9 | oh ok Kamailio, I'll check it out |
19:47.31 | Samot | Yes, I'm comfortable with it. |
19:49.15 | cloud9 | using calls_per_sec for rate limiting? is there a number there that's considered best practice? |
19:51.08 | igcewieling | The most important thing to do is not block ports, it is making sure nobody makes international calls that should not be able to and if that fails, make sure to limit the damage. |
19:53.05 | Samot | Well and watch high cost US destination. |
19:53.23 | Samot | Which is happening more than International, if you're in the US. |
19:53.25 | cloud9 | I see. I've read that a lot. So I don't have the ability to call internationally in my dialplan at the current moment. Is there some way a successfully registered SIP endpoint can place an international call without it being in the dialplan? |
19:53.41 | Samot | No. |
19:53.50 | cloud9 | got it |
19:54.14 | cloud9 | thanks for all the info, really appreciate the direction |
20:04.39 | igcewieling | cloud9: can users dial 1-809-xxx-xxxx? If so, that is an international call. |
20:13.01 | cloud9 | nope |
20:30.18 | *** join/#asterisk TulaZula (TulaZula@gateway/vpn/privateinternetaccess/tulazula) |
20:32.20 | *** join/#asterisk Jesterboxboy (~Thunderbi@84-115-150-8.cable.dynamic.surfer.at) |
20:37.37 | *** join/#asterisk rpifan (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de) |
20:41.51 | *** join/#asterisk scampbell (~scampbell@mail.scampbell.net) |
21:41.07 | *** join/#asterisk catphish_ (~charlie@unaffiliated/catphish) |
21:42.20 | catphish_ | is it possible to "qualify" realtime peers straight from the database these days with pjsip? |
21:57.04 | igcewieling | cation21: you mean before they register? |
21:57.16 | igcewieling | well, re-register |
22:04.59 | catphish_ | igcewieling: yes |
22:05.47 | catphish_ | the reason for my question is that i'm trying to set up a redundant pair of asterisks, and wondering if i need to use a proxy in front of them for registration, or whether i can do all this with asterisk |
22:07.05 | catphish_ | (similarly, wondering if i can do what i want to do with billing, probably using AGI, or whether i need a proxy for that too), but today's question is about registrations of roaming UAs |
22:07.14 | *** join/#asterisk jkroon (~jkroon@165.16.203.101) |
22:18.17 | Samot | catphish_: When do you want to qualify the peers? |
22:21.30 | catphish_ | Samot: ideally, all the time, including as soon as contacts are added or updated unexpectedly in the database, however since this is for an active-passive failover scenario, i'd also potentially be happy with loading a list from the database at startup |
22:22.58 | igcewieling | catphish_: many people generate .conf files from databases rather than use realtime. |
22:23.04 | catphish_ | qualifying from the "inactive" server is pointless, as it won't be able to bind to the necessary virtual IP, so i guess loading them at startup is sufficient |
22:23.43 | catphish_ | igcewieling: actually in my previous deployment i abandoned realtime precisely because qualify didn't work well with it |
22:24.06 | catphish_ | but i also didn't have a good failover mechanism then |
22:24.23 | Samot | Do you have one now? |
22:24.39 | igcewieling | I suspect, if you want good failover you'll need to use Kamailio |
22:24.46 | catphish_ | i don't have anything right now, i'm trying to design correctly from day one |
22:25.01 | catphish_ | my suspicion is that i'll want to use kamailio for registrations |
22:25.23 | catphish_ | but anything i can do in asterisk is preferred, because it's dramatically simpler in most cases |
22:26.31 | Samot | Well the client is what is going to have to do this. |
22:26.49 | catphish_ | the client? |
22:26.51 | Samot | The device is what is going to try to send a request to the host it has. |
22:27.04 | Samot | If there isn't a response, what does the device do? |
22:27.12 | Samot | Outside of return a "408 Timeout" |
22:27.50 | catphish_ | there's no reason anything would fail to get a response |
22:28.00 | Samot | You have failover |
22:28.03 | Samot | For this reason. |
22:28.25 | Samot | If the host is set to Asterisk A, how will it know to use Asterisk B when Asterisk A is down? |
22:28.42 | catphish_ | VRRP |
22:28.54 | catphish_ | i would assume both asterisks would bind to the same address |
22:29.07 | Samot | So you're going to float the IP |
22:29.10 | catphish_ | yes |
22:29.19 | catphish_ | which does preclude both running at the same time |
22:29.26 | catphish_ | making the realtime question slightly simpler |
22:29.55 | Samot | You set the qualify_frequency in the aor section |
22:30.21 | catphish_ | that's fine, but then the question though is whether it will load realtime peers at startup |
22:32.15 | Samot | I'm not sure. I don't use realtime |
22:32.22 | catphish_ | much of the reason i stopped using realtime previously is that there was no "SELECT *" at startup, so a server taking over in a floating IP scenario was not aware of any peers until they next registered |
22:33.01 | catphish_ | i suspect i'm answering my own question here, i need to look at kamailio for this, and keep the asterisk config and peers static |
22:33.15 | Samot | Oh so you want the backup to start up and write out existing contacts? |
22:33.17 | igcewieling | Not even Sangoma FreePBX nor Bicom PBXware use realtime. |
22:33.35 | catphish_ | Samot: not write out, read in |
22:33.52 | catphish_ | i.e. read all contacts from mysql and start sending OPTIONS to them immediately |
22:33.54 | *** join/#asterisk CatCow97 (~mine9@c-73-96-109-206.hsd1.or.comcast.net) |
22:35.21 | catphish_ | if everyone else also abandoned realtime i suspect i won't risk using it for now :) |
22:35.36 | catphish_ | will look at using kamailio for billing and registrations |
23:57.24 | *** join/#asterisk paulgrmn (~paulgrmn@c-98-250-183-21.hsd1.mi.comcast.net) |