addressalign-toparrow-leftarrow-rightbackbellblockcalendarcameraccwcheckchevron-downchevron-leftchevron-rightchevron-small-downchevron-small-leftchevron-small-rightchevron-small-upchevron-upcircle-with-checkcircle-with-crosscircle-with-pluscrossdots-three-verticaleditemptyheartexporteye-with-lineeyefacebookfolderfullheartglobegmailgooglegroupsimageimagesinstagramlinklocation-pinm-swarmSearchmailmessagesminusmoremuplabelShape 3 + Rectangle 1outlookpersonJoin Group on CardStartprice-ribbonImported LayersImported LayersImported Layersshieldstartickettrashtriangle-downtriangle-uptwitteruseryahoo

Re: [atlaug] iax2 termination etc.

From: Jeff O.
Sent on: Tuesday, April 24, 2012 5:30 PM

too many registration attempts used up too many resources -- denial of service, essentially...

I'm not completely opposed to sip, I suppose fail2ban could work.  iax2 has been *so easy*, though...


On Tue, Apr 24, 2012 at 4:53 PM, John Knight <[address removed]> wrote:
Or perhaps offer me a reason why I should consider SIP?  (Every time I open port 5060 up my * gets attacked.)

You're pretty clear in your bias against iax2 so I'm not going to argue there.  :D  If you want to continue using iax, that's your business and none of us can tell you which method of trunking is a one-true-way best practice. 

But I am genuinely curious:  in opening port 5060 were you actually hacked or did you get ddos-ed?  If you were hacked, what method was used?

I've deployed a large number of hosted Asterisk systems and beyond someone using a poor peer password I've never seen sip get hacked merely for being open and we're pretty much constantly getting new scans sent our way from RIPE. 

A strict regiment of security practices (no all-numerical passwords, not allowing anonymous sip connections, etc) has never failed me in the past. 

ddos attacks are another matter (though not inherent to sip, this can certainly happen with other services) and I find this problem is best handled externally from the actual pbx via the use of a firewall.  Some people swear by fail2ban but that doesn't actually help much for thousands of attempted registrations clogging up the systems. 


John Knight
Classic City Telco LLC
Email: [address removed] | Main: (706)[masked]
Direct: (706)[masked] | Mobile: (678) [masked]

CCT Enterprise Linux[masked] is released! Click here to learn more

On 4/24/2012 4:27 PM, Jeff Otterson wrote:
It looks like Junction Networks is jacking their monthly rates beyond the pain point for a poor home pbx operator.

They've been good, and quite inexpensive, for years, but it seems I must part ways with them now.

Can anybody recommend a reasonably affordable source for iax termination/origination?

Or perhaps offer me a reason why I should consider SIP?  (Every time I open port 5060 up my * gets attacked.)



Please Note: If you hit "REPLY", your message will be sent to everyone on this mailing list ([address removed])
This message was sent by Jeff Otterson ([address removed]) from The Atlanta Asterisk Users Group.
To learn more about Jeff Otterson, visit his/her member profile
Set my mailing list to email me As they are sent | In one daily email | Don't send me mailing list messages

Meetup, PO Box 4668 #37895 New York, New York[masked] | [address removed]

Our Sponsors

People in this
Meetup are also in:

Sign up

Meetup members, Log in

By clicking "Sign up" or "Sign up using Facebook", you confirm that you accept our Terms of Service & Privacy Policy