IRC log for #asterisk on 20210206

00:01.12 *** join/#asterisk Janos (~textual@201.204.94.76)
02:14.09 *** join/#asterisk paulgrmn (~paulgrmn@c-98-250-183-21.hsd1.mi.comcast.net)
02:36.59 *** join/#asterisk TulaZula (TulaZula@gateway/vpn/privateinternetaccess/tulazula)
02:57.28 *** join/#asterisk tsal (~tsal@i59F4D4F9.versanet.de)
03:37.24 *** join/#asterisk akp55 (~akp55@c-73-148-15-31.hsd1.va.comcast.net)
03:42.37 *** join/#asterisk electronic_eel (~quassel@213.240.182.147)
03:53.05 *** join/#asterisk pchero (~pchero@211.178.226.108)
04:03.55 *** join/#asterisk electronic_eel (~quassel@213.240.182.138)
04:19.27 *** join/#asterisk electronic_eel (~quassel@213.240.182.164)
04:54.31 *** join/#asterisk pchero (~pchero@211.178.226.108)
05:20.42 *** join/#asterisk FH_thecat (~FH_thecat@75.11.25.212.ftth.as8758.net)
05:27.18 *** join/#asterisk akp55_ (~akp55@c-73-148-15-31.hsd1.va.comcast.net)
05:27.27 *** join/#asterisk gerhard7_ (~gerhard7@86.87.238.48)
05:28.06 *** join/#asterisk saint__ (~saint_@unaffiliated/saint-/x-0540772)
05:28.50 *** join/#asterisk pchero (~pchero@211.178.226.108)
05:57.14 *** join/#asterisk pchero (~pchero@211.178.226.108)
06:08.52 *** join/#asterisk saint_ (~saint_@unaffiliated/saint-/x-0540772)
06:10.56 *** join/#asterisk pchero (~pchero@211.178.226.108)
06:50.33 *** join/#asterisk jkroon (~jkroon@165.16.203.101)
08:02.03 *** join/#asterisk pchero (~pchero@211.178.226.108)
08:33.19 *** join/#asterisk GoldenBear (~gb@titan.pathogen.is)
09:12.46 *** join/#asterisk Cory (~Cory@unaffiliated/cory)
09:58.07 *** join/#asterisk rpifan (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de)
11:48.04 *** join/#asterisk rpifan (~rpifan@p4fca2adc.dip0.t-ipconnect.de)
12:23.00 *** join/#asterisk pvoigt (~Linux@unaffiliated/pvoigt)
12:37.06 *** join/#asterisk drathir_tor (~drathir@gateway/tor-sasl/drathir)
12:51.06 *** join/#asterisk rpifan_ (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de)
12:52.49 *** join/#asterisk jayjo- (jayjo@gateway/vpn/privateinternetaccess/jayjo)
12:53.59 *** join/#asterisk pchero (~pchero@211.178.226.108)
12:54.00 *** join/#asterisk Posterdati (~posterdat@host-79-37-129-8.retail.telecomitalia.it)
12:59.38 *** join/#asterisk Pasha (~Cory@unaffiliated/cory)
13:16.39 *** join/#asterisk segnior (segnior@gateway/shell/xshellz/x-cltybdmhdxtxfita)
14:36.01 *** join/#asterisk drathir_tor (~drathir@gateway/tor-sasl/drathir)
15:12.13 *** join/#asterisk rpifan_ (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de)
16:40.06 *** join/#asterisk electronic_eel (~quassel@dslb-088-066-013-004.088.066.pools.vodafone-ip.de)
17:05.20 <igcewieling> Verizon is so awesome. A dozen trouble tickets on a circuit down since 2020-12-28 and service was finally restored today.
17:06.59 <igcewieling> According to VZ the circuit is fine, or has a loopback on it, or the CPE is down, or the smartjack has a problem, or the DS3 the circuit rides on is down.
17:20.29 *** join/#asterisk tsal_ (~tsal@i59F4D4F9.versanet.de)
17:21.18 *** join/#asterisk pchero (~pchero@211.178.226.108)
17:35.29 *** join/#asterisk akp55 (~akp55@c-73-148-15-31.hsd1.va.comcast.net)
17:42.55 *** join/#asterisk electronic_eel_ (~quassel@213.240.182.193)
17:45.49 *** join/#asterisk electronic_eel (~quassel@213.240.182.193)
18:00.22 *** join/#asterisk rpifan (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de)
18:07.48 *** join/#asterisk drathir_tor (~drathir@gateway/tor-sasl/drathir)
18:15.27 *** join/#asterisk akp55_ (~akp55@c-73-148-15-31.hsd1.va.comcast.net)
18:17.10 *** join/#asterisk akp55 (~akp55@c-73-148-15-31.hsd1.va.comcast.net)
18:26.20 *** join/#asterisk Posterdati (~posterdat@host-79-37-129-8.retail.telecomitalia.it)
19:03.17 *** join/#asterisk joako (~joako@opensuse/member/joak0)
19:14.08 *** join/#asterisk cloud9 (~cloud9@c-24-21-228-102.hsd1.or.comcast.net)
19:21.48 <cloud9> hey everyone, looking for your thoughts regarding having asterisk ports open to the world. I've always kept mine locked down and only allowed certain IPs through. I have a new project where managing all the changing IPs would become a nightmare. I know that there's plenty of hardening tutorials out there but just asking for some real input. Are my greatest concerns someone hacking a registration or DDoS? Is fail2ban what everyone is using to mitigate people scanning for weak passwords?
19:23.27 *** join/#asterisk cybrNaut (~cybrNaut@unaffiliated/cybrnaut)
19:29.21 <igcewieling> cloud9: I use fail2ban and sometimes add a static ban to a /8 or /16 for persistent network blocks I know I'll never need to accept connections from.
19:32.07 <cloud9> igcewieling: thanks for the input. so assuming I'm on the current version and have fail2ban actively blocking scanners, should I be ok public facing? I understand there's always some level of potential for a breach. sounds like it's mostly a non-issue
19:36.19 <igcewieling> "OK" is a strong term when talking about attacks, but it is the best you will get without getting more complicated. You could look at the FreePBX firewall iptables and see how they create whitelists of successfully registered IPs if you want to add some more security.
19:37.11 <cloud9> Understood. Thanks for the tip
19:39.14 <igcewieling> Here is an iptables ruleset to block the most common attacking user agents. https://pastebin.com/03FCGW3a
19:42.09 <Samot> You should never rely on fail2ban as your security measure.
19:43.09 <cloud9> Thanks igcewieling
19:43.55 <cloud9> Samot: yes obviously there's layers. what's at the top of your list?
19:44.12 <Samot> Well..
19:44.31 <Samot> I don't have any need for anyone outside of the ARIN space to have access to my network.
19:44.38 <Samot> So they don't.
19:45.18 <cloud9> ya makes sense
19:45.33 <Samot> Even then most of my end users are static IPs so that helps.
19:45.47 <Samot> However, I have those that are not and those that use mobile devices.
19:45.54 <cloud9> for sure, exactly
19:45.58 <Samot> So proper rate limiting, monitoring..
19:46.27 <Samot> I also use Kamailio in front of everything to have more control.
19:46.43 <cloud9> got it. but with the measures you have in place, you are comfortable having the required ports "open"
19:47.01 <cloud9> oh ok Kamailio, I'll check it out
19:47.31 <Samot> Yes, I'm comfortable with it.
19:49.15 <cloud9> using calls_per_sec for rate limiting? is there a number there that's considered best practice?
19:51.08 <igcewieling> The most important thing to do is not block ports, it is making sure nobody makes international calls that should not be able to, and if that fails, make sure to limit the damage.
19:53.05 <Samot> Well, and watch high cost US destinations.
19:53.23 <Samot> Which is happening more than International, if you're in the US.
19:53.25 <cloud9> I see. I've read that a lot. So I don't have the ability to call internationally in my dialplan at the current moment. Is there some way a successfully registered SIP endpoint can place an international call without it being in the dialplan?
19:53.41 <Samot> No.
19:53.50 <cloud9> got it
19:54.14 <cloud9> thanks for all the info, really appreciate the direction
20:04.39 <igcewieling> cloud9: can users dial 1-809-xxx-xxxx? If so, that is an international call.
20:13.01 <cloud9> nope
20:30.18 *** join/#asterisk TulaZula (TulaZula@gateway/vpn/privateinternetaccess/tulazula)
20:32.20 *** join/#asterisk Jesterboxboy (~Thunderbi@84-115-150-8.cable.dynamic.surfer.at)
20:37.37 *** join/#asterisk rpifan (~rpifan@p200300d2671bda003836ac30b39637fa.dip0.t-ipconnect.de)
20:41.51 *** join/#asterisk scampbell (~scampbell@mail.scampbell.net)
21:41.07 *** join/#asterisk catphish_ (~charlie@unaffiliated/catphish)
21:42.20 <catphish_> is it possible to "qualify" realtime peers straight from the database these days with pjsip?
21:57.04 <igcewieling> cation21: you mean before they register?
21:57.16 <igcewieling> well, re-register
22:04.59 <catphish_> igcewieling: yes
22:05.47 <catphish_> the reason for my question is that i'm trying to set up a redundant pair of asterisks, and wondering if i need to use a proxy in front of them for registration, or whether i can do all this with asterisk
22:07.05 <catphish_> (similarly, wondering if i can do what i want to do with billing, probably using AGI, or whether i need a proxy for that too), but today's question is about registrations of roaming UAs
22:07.14 *** join/#asterisk jkroon (~jkroon@165.16.203.101)
22:18.17 <Samot> catphish_: When do you want to qualify the peers?
22:21.30 <catphish_> Samot: ideally, all the time, including as soon as contacts are added or updated unexpectedly in the database, however since this is for an active-passive failover scenario, i'd also potentially be happy with loading a list from the database at startup
22:22.58 <igcewieling> catphish_: many people generate .conf files from databases rather than use realtime.
22:23.04 <catphish_> qualifying from the "inactive" server is pointless, as it won't be able to bind to the necessary virtual IP, so i guess loading them at startup is sufficient
22:23.43 <catphish_> igcewieling: actually in my previous deployment i abandoned realtime precisely because qualify didn't work well with it
22:24.06 <catphish_> but i also didn't have a good failover mechanism then
22:24.23 <Samot> Do you have one now?
22:24.30 <igcewieling> I suspect, if you want food failover you'll need to use Kamailio
22:24.39 <igcewieling> I suspect, if you want good failover you'll need to use Kamailio
22:24.46 <catphish_> i don't have anything right now, i'm trying to design correctly from day one
22:25.01 <catphish_> my suspicion is that i'll want to use kamailio for registrations
22:25.23 <catphish_> but anything i can do in asterisk is preferred, because it's dramatically simpler in most cases
22:26.31 <Samot> Well the client is what is going to have to do this.
22:26.49 <catphish_> the client?
22:26.51 <Samot> The device is what is going to try to send a request to the host it has.
22:27.04 <Samot> If there isn't a response, what does the device do?
22:27.12 <Samot> Outside of return a "408 Timeout"
22:27.50 <catphish_> there's no reason anything would fail to get a response
22:28.00 <Samot> You have failover
22:28.03 <Samot> For this reason.
22:28.25 <Samot> If the host is set to Asterisk A, how will it know to use Asterisk B when Asterisk A is down?
22:28.42 <catphish_> VRRP
22:28.54 <catphish_> i would assume both asterisks would bind to the same address
22:29.07 <Samot> So you're going to float the IP
22:29.10 <catphish_> yes
22:29.19 <catphish_> which does preclude both running at the same time
22:29.26 <catphish_> making the realtime question slightly simpler
22:29.55 <Samot> You set the qualify_frequency in the aor section
22:30.21 <catphish_> that's fine, but then the question is whether it will load realtime peers at startup
22:32.15 <Samot> I'm not sure. I don't use realtime
22:32.22 <catphish_> much of the reason i stopped using realtime previously is that there was no "SELECT *" at startup, so a server taking over in a floating IP scenario was not aware of any peers until they next registered
22:33.01 <catphish_> i suspect i'm answering my own question here, i need to look at kamailio for this, and keep the asterisk config and peers static
22:33.15 <Samot> Oh so you want the backup to start up and write out existing contacts?
22:33.17 <igcewieling> Not even Sangoma FreePBX nor Bicom PBXware use realtime.
22:33.35 <catphish_> Samot: not write out, read in
22:33.52 <catphish_> i.e. read all contacts from mysql and start sending OPTIONS to them immediately
22:33.54 *** join/#asterisk CatCow97 (~mine9@c-73-96-109-206.hsd1.or.comcast.net)
22:35.21 <catphish_> if everyone else also abandoned realtime i suspect i won't risk using it for now :)
22:35.36 <catphish_> will look at using kamailio for billing and registrations
23:57.24 *** join/#asterisk paulgrmn (~paulgrmn@c-98-250-183-21.hsd1.mi.comcast.net)