Good day all,
I'm going to put an Asterisk server running SIP in at a client. The server is going to have a public IP so that it can talk to another server.
My question is how do I secure Asterisk/SIP.
I've got a firewall only allowing TCP/UDP 5060?
I got SIP to work with MD5.
What more?
Please advise.
Thanks a million
I assume it has iptables? If it is only talking to that one other machine you could just use a

    -d your.machine.ip ! -s your.other.machine -p udp --dport 5060 -j DROP

in your statement. This would allow only your other * machine to talk to the new one; all others would get dead air.

On Wed, 2004-09-29 at 07:17, Altus Syman wrote:
> Good day all
> I'm going to put an Asterisk server running SIP in at a client. The server
> is going to have a public IP so that it can talk to another server.
> My question is how do I secure Asterisk/SIP.
> I've got a firewall only allowing TCP/UDP 5060?
> I got SIP to work with MD5.
> What more?
> Please advise.
> Thanks a million
On Wed, 29 Sep 2004 14:17:10 +0200, Altus Syman <altus@stormcorp.co.za> wrote:
> My question is how do I secure Asterisk/SIP.
> I've got a firewall only allowing TCP/UDP 5060?

In that case you are blocking the voice traffic. Although SIP is advertised as a VoIP protocol, it doesn't handle any voice at all. It only handles signalling. Voice is handled by another protocol, RTP, and by default the ports RTP uses for the voice traffic are determined at random. Therefore, you will need to either customise your setup and fix the RTP ports at both ends, or you will have to open up all ports that RTP could possibly be using (typically 10000-20000, sometimes 5000-8000).

Personally, if you are concerned about security, I would recommend you don't use SIP over the WAN. Use IAX between the servers. Alternatively, use IPsec and build a tunnel between the two servers.

See also my other post in another thread called "NAT Traversal" or something like that.

rgds
benjk

--
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya, Tokyo, Japan.
NB: Spam filters in place. Messages unrelated to the * mailing lists may get trashed.
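Putting the two replies above together (peer-only SIP on 5060, plus the RTP media range that the 5060-only firewall was silently blocking), here is an added example script that is not from the thread or from the Asterisk project. It assumes the box runs iptables, that rtp.conf keeps the default 10000-20000 range, and it uses made-up documentation addresses for the local and peer servers; set IPTABLES=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Restrict SIP signalling and RTP media on an Asterisk host to one peer server.
# Assumed values (not from the thread): RFC 5737 documentation addresses, and the
# RTP range must match rtpstart/rtpend in rtp.conf on BOTH servers.
LOCAL_IP="${LOCAL_IP:-198.51.100.2}"   # this Asterisk box (constructed)
PEER_IP="${PEER_IP:-203.0.113.5}"      # the other Asterisk server (constructed)
RTP_START="${RTP_START:-10000}"
RTP_END="${RTP_END:-20000}"

# Emit (or apply) the rules. Order matters: the peer ACCEPT rules are appended
# before the catch-all DROP rules, so the peer is matched first.
sip_peer_rules() {
    local_ip="$1"; peer_ip="$2"; rtp_start="$3"; rtp_end="$4"
    ipt="${IPTABLES:-iptables}"         # IPTABLES=echo gives a dry run
    # SIP signalling: 5060 over UDP and TCP, only from the peer.
    for proto in udp tcp; do
        "$ipt" -A INPUT -p "$proto" -d "$local_ip" -s "$peer_ip" --dport 5060 -j ACCEPT
    done
    # RTP media: the whole negotiated port range (UDP), only from the peer.
    "$ipt" -A INPUT -p udp -d "$local_ip" -s "$peer_ip" --dport "$rtp_start:$rtp_end" -j ACCEPT
    # Everyone else gets dead air on both the signalling and the media ports.
    for proto in udp tcp; do
        "$ipt" -A INPUT -p "$proto" -d "$local_ip" --dport 5060 -j DROP
    done
    "$ipt" -A INPUT -p udp -d "$local_ip" --dport "$rtp_start:$rtp_end" -j DROP
}

# Only apply when explicitly asked: ./sip-peer-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    sip_peer_rules "$LOCAL_IP" "$PEER_IP" "$RTP_START" "$RTP_END"
fi
```

If you later fix the RTP ports to a narrower range in rtp.conf, change RTP_START/RTP_END here as well, otherwise calls will set up but carry no audio.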