Geekzone: technology news, blogs, forums
5 posts

Wannabe Geek


  Reply # 863021 21-Jul-2013 14:33

Cheers.
Have put qualify=no in peer setting for trunk & it stopped the useless traffic.
I only presume that was the correct thing to do.

Barry

26927 posts

Uber Geek
+1 received by user: 6360

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 863027 21-Jul-2013 14:46

BarryP: Cheers.
Have put qualify=no in peer setting for trunk & it stopped the useless traffic.
I only presume that was the correct thing to do.

Barry


You obviously just need to be aware of the implications of this. Based on that comment I'm not sure if you fully are.

Your PBX should be behind a secure firewall and should not have port 5060 exposed to the internet. Qualify sends a SIP OPTIONS query which not only lets Asterisk know if the peer is available, but also performs a major role in allowing your PBX to work behind a NAT firewall by keeping a NAT pinhole open. If this IP doesn't exist in the NAT table then uninitiated inbound UDP traffic (i.e. an inbound VoIP call) will potentially be blocked.


5 posts

Wannabe Geek


  Reply # 863035 21-Jul-2013 15:04

Hi,
I am behind DD-WRT & I am forwarding 5060 & 12000..20000 to FREEPBX.
I also have some other ports being redirected to 5060.
If I don't open 5060 to the big wide world, my mobile won't be able to register when outside my network.


3594 posts

Uber Geek
+1 received by user: 79

Trusted
WorldxChange

  Reply # 863041 21-Jul-2013 15:11

but unless you know what you're doing with restrictions from external IPs and SIP you leave yourself wide open to being hacked, the amount of people we have seen getting hacked because their system was hacked from the external big bad world is scary, and basically it's because unfortunately people do not properly know how to secure their freeware PABX systems.




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well Wink

             

https://www.facebook.com/wxccommunications

26927 posts

Uber Geek
+1 received by user: 6360

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 863043 21-Jul-2013 15:13

I'm not going to lecture you on security other than to say you should never have port 5060 open unless you fully understand the risks. Without appropriate security in place it's not a matter of if you'll have your system compromised, but when.


5 posts

Wannabe Geek


  Reply # 863055 21-Jul-2013 15:33

eek .. Dual warnings in a matter of minutes.
I obviously want to keep the versatility of what I have.
IP based restrictions can't work for me.
I have just done a search & found this.
http://highsecurity.blogspot.co.nz/2012/05/freepbx-and-asterisk-basic-security.html
Will have a look thru it & see how I stack up.
If there is another recommended document .. please share the link
 

5 posts

Wannabe Geek


  Reply # 863126 21-Jul-2013 17:45

Well...
Thanks again for the heads up ..
I went thru the security stuff & didn't score very well!
I've remedied a number of basic security things like passwords.

Also got Fail2Ban running.
Half an hour later .. got an email of the first banned IP 176.31.103.97 (France)



26927 posts

Uber Geek
+1 received by user: 6360

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 863141 21-Jul-2013 18:13

If you're wanting remote access use a VPN. My other suggestion of an SBC will clearly be beyond your budget!


26927 posts

Uber Geek
+1 received by user: 6360

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 863144 21-Jul-2013 18:16

BarryP: Well...
Thanks again for the heads up ..
I went thru the security stuff & didn't score very well!
I've remedied a number of basic security things like passwords.

Also got Fail2Ban running.
Half an hour later .. got an email of the first banned IP 176.31.103.97 (France)




If you didn't have something basic like fail2ban already in place you could easily expect to see a few hundred IPs blocked per week until the bots stop attacking your system.


6 posts

Wannabe Geek


  Reply # 863330 22-Jul-2013 07:13

Damn, shame I didn't see this thread several days ago.

I got this E-mail back from Slingshot last night:

Other customers using Asterisk have had similar problems recently that have been fixed by updating the following setting:
 
fromdomain=hlz.italk.co.nz
 
So see if updating this fixes your issue, and if it doesn't then please email again to let me know and further troubleshooting will need to be carried out.


So at least they are giving out good advice.  Just a shame there wasn't any warning/notification, I spent hours trying to get it working.  I did an update on RasPBX around the same time as this issue appeared, so (incorrectly) assumed that was at fault, even though I didn't see any notes mentioning this fault.

3594 posts

Uber Geek
+1 received by user: 79

Trusted
WorldxChange

  Reply # 863336 22-Jul-2013 07:35

lol good advice... so it looks like italk need to come to Geekzone to find the solution to the problem they don't know they have .... seems something quite funny and wrong with that




Yes I am an employee of WxC (My Profile) ... but I do have my own opinions as well Wink

             

https://www.facebook.com/wxccommunications



19 posts

Geek


  Reply # 863351 22-Jul-2013 08:59

Thanks everybody, especially Maverick and Rabsoft. I came in the morning, made the change to the host and bingo - we are back in action.

I only changed the host as per Rabsoft's suggestion to the IP, should I put in the "fromdomain=akl.italk.co.nz" as well?

Now would be a good time to get the perfect peer details for future use - this is what I have:

type=friend
secret={secret}
username=649974xxxx
fromuser=649974xxxx
host=203.184.16.2
dtmfmode=rfc2833
insecure=very
nat=yes
canreinvite=no
disallow=all
allow=ulaw&alaw
qualify=yes

649974xxxx:{secret}@203.184.16.2


Once again if I had listened to the Italk CSR , my system would be in pieces and a complete rebuild needed, only apathy saved me.

PDE 



176 posts

Master Geek
+1 received by user: 11


  Reply # 863364 22-Jul-2013 09:38

I only changed the host as per Rabsofts suggestion to the IP , should I put in the "fromdomain=akl.italk.co.nz" as well? 


You should not use the IP address, because you are then vulnerable to potential sudden failure if Slingshot make another change.
Put in the fromdomain, and set host back to akl.italk.co.nz, and you'll be right as rain.
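A small audit of the peer block posted above against the points raised in this thread (qualify and the NAT pinhole, an IP literal in `host`), as an added example that is not code from any poster. The `insecure` check goes beyond what the thread discusses and rests on documented chan_sip behaviour, where `very` is the legacy spelling of `port,invite`; the function names are hypothetical.

```python
import ipaddress

# The peer block as posted in the thread, account number and secret still masked.
PEER = """\
type=friend
secret={secret}
username=649974xxxx
fromuser=649974xxxx
host=203.184.16.2
dtmfmode=rfc2833
insecure=very
nat=yes
canreinvite=no
disallow=all
allow=ulaw&alaw
qualify=yes
"""


def parse_peer(text):
    """Parse key=value lines; ';' starts a comment in Asterisk config files."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts


def audit_peer(opts):
    """Return (option, reason) pairs for settings worth a second look."""
    findings = []
    insecure = {v.strip() for v in opts.get("insecure", "no").split(",")}
    if insecure & {"very", "invite"}:
        findings.append(("insecure", "inbound INVITEs matched to this peer are not authenticated"))
    nat_on = opts.get("nat", "no") not in ("no", "never")
    if nat_on and opts.get("qualify", "no") == "no":   # qualify defaults to off
        findings.append(("qualify", "no OPTIONS keep-alive, so the NAT pinhole can close"))
    try:
        ipaddress.ip_address(opts.get("host", ""))
        findings.append(("host", "IP literal, breaks if the provider changes address"))
    except ValueError:
        pass   # a hostname (or dynamic) is not an IP literal
    return findings


if __name__ == "__main__":
    for key, why in audit_peer(parse_peer(PEER)):
        print(f"{key}: {why}")
```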


176 posts

Master Geek
+1 received by user: 11


  Reply # 863366 22-Jul-2013 09:39

maverick: lol good advice... so it looks like italk need to come to Geekzone to find the solution to the problem they don't know they have .... seems something quite funny and wrong with that


They should give me a month free, for all my efforts.   And they should also give a month free to all their customers I've ended up retaining for them by finding the solution for them.



19 posts

Geek


  Reply # 863454 22-Jul-2013 11:39

Correction...

If I use fromdomain=akl.italk.co.nz and change the host and register string to match, I can only make outgoing calls, incoming goes to busy.

So I have changed my host to host=203.184.16.2 (as per Rabsoft's original), remarked fromdomain out and put the IP address in the register string. This works both ways, but the delay into my trunks is noticeable. It works fine, my main line goes to an IVR - I am not sure if this is creating the delay or not.

Anyone have any ideas? (I can live with it, but it would be nice to get rid of the delay)

PDE 
