[kwlug-disc] Blocking SIP registrations

L.D. Paniak ldpaniak at fourpisolutions.com
Tue Jan 13 20:58:46 EST 2015


In the past I was able to overcome the dynamic remote client problem by
using dyndns.
Just reference the remote client in the firewall by dyndns fqdn (usually
a no-no) and periodically check to see if the associated IP address has
changed.  If it has, restart the firewall.  The script I used to do this
with shorewall is/was:

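#!/bin/bash
# Restart shorewall when the dyndns name resolves to a new address.

checkfile="/tmp/fourpi-mobile.current"
host="fourpi-mobile.dyndns.org"

# Take only the first A record; empty if the lookup fails.
current=$(host -t A "$host" | awk '/has address/ { print $NF; exit }')

# Do nothing on a failed lookup rather than restart on an error string.
[ -n "$current" ] || exit 1

if [ ! -e "$checkfile" ]
then
  echo "$current" > "$checkfile"
elif [ "$current" != "$(cat "$checkfile")" ]
then
  /sbin/shorewall restart &> /dev/null
  echo "$current" > "$checkfile"
fi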

Typically dynamic IPs come from a fixed range of addresses.  Even being
able to restrict access up to a /16 will greatly improve the security of
your server.


On 01/13/2015 08:29 PM, Herman Gruetzmacher wrote:
> I like voip.ms and use them too along with Unlimitel. But I am using 8
> sip phones as extensions off of my FreePBX including remote extensions
> (outside of my home). The ip address of the remote extension changes
> as the ip address is dynamic so I need to open up my firewall to allow
> remote sip registration. fail2ban will block external ip addresses
> after 3 unsuccessful attempts but there are many more registration
> attempts which appear to be coming directly from my own wan, ie my
> external Rogers IP address. I was thinking of using non standard sip
> udp ports as a starting point and port forwarding them, is that
> enough? I saw this SecAst product but it appears quite involved to
> set-up and was wondering if anyone else has used it.
>
> Thanks
>
> Herman
>
> -----Original Message----- From: William Park
> Sent: Tuesday, January 13, 2015 7:01 PM
> To: kwlug-disc at kwlug.org
> Subject: Re: [kwlug-disc] Blocking SIP registrations
>
> Off topic question...
>
> Why do you need to be your own telephone company?  Can't you get away
> with using voip.ms or others?  I've attended a voip.ms demo, and it
> seems like you're running your own telephone company through voip.ms,
> because they allow you to resell.
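
The point in the message above, that dynamic IPs usually come from a fixed range, can be applied by logging the addresses the remote client has used and computing the smallest block that covers them for the firewall's source restriction. This is an added example, not part of the original post; the function names are hypothetical and the addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example: smallest CIDR block covering a set of observed IPv4
# addresses, e.g. the values a dyndns check script has recorded over time.
# Usage (constructed addresses): ./cover.sh 198.18.4.17 198.18.201.5

# Dotted quad -> 32-bit integer. Rejects anything that is not four
# decimal octets 0-255 (leading zeros refused: the shell reads them as octal).
ip_to_int() (
  case $1 in
    *[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) exit 1 ;;
  esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || exit 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# covering_cidr ADDR... -> prints network/prefix; fails on a bad address.
covering_cidr() (
  first=$(ip_to_int "$1") || exit 1
  diff=0
  for ip in "$@"; do
    n=$(ip_to_int "$ip") || exit 1
    # Collect every bit position in which any address differs from the first.
    diff=$(( diff | (first ^ n) ))
  done
  # Shorten the prefix until all differing bits fall in the host part.
  len=32
  while [ "$len" -gt 0 ] && [ $(( diff >> (32 - len) )) -ne 0 ]; do
    len=$(( len - 1 ))
  done
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  echo "$(int_to_ip $(( first & mask )))/$len"
)

if [ $# -gt 0 ]; then covering_cidr "$@"; fi
```

The result is only as good as the address history behind it: a prefix computed from a few days of observations can be narrower than the provider's real pool, so the client may later land outside it.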

