You might know I'm a bit of a security freak
@VoIPTek wrote: Excellent work Rob! I think this is great for certain people, @bgroper mentioned he keeps his equipment behind a firewall, which of course is my favorite way to do things, however we...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@xrobau wrote: editor: I hope you'll be able to add dynamic DNS addresses 100% confirmed that will be a feature. Read full topic
View ArticleYou might know I'm a bit of a security freak
@bgroper wrote: I remain interested in Rob's FreePBX firewall developments too.FWIW, in another firewall we're starting to experiment with geo blocking using ipset, and ipdeny tables.See...
View ArticleYou might know I'm a bit of a security freak
@dicko wrote: Any ipset needs to be trustworthy and useful, if you have one you trust it is trivial to set up, As I keep on saying the threat is no longer geolocated they are on the same cloud servers...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@xrobau wrote: dicko: the threat is no longer geolocated they are on the same cloud servers that you use. M7i0H2W.png831x296 44.7 KB Exactly! Read full topic
View ArticleYou might know I'm a bit of a security freak
@dicko wrote: There is a nice blossoming of Fail2ban with a cluster concept if you have a few servers, you will benefit all on your own , if you trust buanzo then this could go far . . . . Start here...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@xrobau wrote: xrobau: I just need to do some back end programming now. There's been some discussions in IRC about DoS attacks on Cloud-based FreePBX machines, and @drmessano mentioned that he uses...
View ArticleYou might know I'm a bit of a security freak
@dicko wrote: I am sure you are aware but just pointing out that there is more than just asterisk/SIP running on your boxen, likely all sorts of java not to mention the various other "applications"...
View ArticleYou might know I'm a bit of a security freak
@dicko wrote: Another prophylaxis I would deem essential is port scanning detection and immediate blocking of the culprit, such behavior is often a precursor to "directed" attacks, and should never be...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@dicko wrote: Perhaps to preempt any reply I take a more holistic approach, pretty well every "application"/service returned by:- netstat -nplut|grep -v 127.0.0.1 needs individual attention at the...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@el_es wrote: @xrobau : maybe set the max allowed packet rate to (max number of packets the register process needs to succeed, including possible retransmits) * (min(how often the peer(s) needs to...
View ArticleYou might know I'm a bit of a security freak
@VoIPTek wrote: I do this with mail servers and I think this is also an important feature. Read full topic
View ArticleClik here to view.
You might know I'm a bit of a security freak
@xrobau wrote: el_es: maybe set the max allowed packet rate to (max number of packets the register process needs to succeed, including possible retransmits) * (min(how often the peer(s) needs to...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@el_es wrote: xrobau: Once a device has registered successfully, it's not going to be rate limited at all. This is only going to be for unknown devices. I don't want to just block it straight away,...
View ArticleYou might know I'm a bit of a security freak
@el_es wrote: (the opposite is also true and more important, I think: if you DON'T set the default to accommodate for values calculated from SIP settings (the general SIP settings and/or the SIP...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@bgroper wrote: dicko: As I keep on saying the threat is no longer geolocated they are on the same cloud servers that you use. True of course, but simple examination of our logs reveals that most (not...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@dicko wrote: So allow only US addresses with ipset (it's too big for traditional iptables) wait till tomorrow, then revise your current plan as being ineffective and pissing of your clients who go...
View ArticleYou might know I'm a bit of a security freak
@jfinstrom wrote: Bugs are inevitable and security is never perfect.~Linus Torvalds Read full topic
View ArticleClik here to view.
You might know I'm a bit of a security freak
@xrobau wrote: I actually thought we discussed IPv6 here, but I'm guessing it was on IRC. My original statement was 'It probably won't work with IPv6 on its first release', but then I looked at IPv6...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@el_es wrote: Symbolic/object names for the networks/hosts ? so it's possible to use a network by object name in other rules (including networks assigned dynamically) Read full topic
View ArticleClik here to view.
You might know I'm a bit of a security freak
@xrobau wrote: el_es: Symbolic/object names for the networks/hosts ? The ability to do reverse DNS lookups will happen. I realise it's something people want. Read full topic
View ArticleClik here to view.
You might know I'm a bit of a security freak
@el_es wrote: That too, but I mean an ability to assign an 'object label' to an address or multiple addresses / address group / address list (be it a single address, a subnet, interface address or...
View ArticleClik here to view.
You might know I'm a bit of a security freak
@xrobau wrote: el_es: That too, but I mean an ability to assign an 'object label' to an address or multiple addresses / address group / address list That's what that screenshot I just posted above...
View ArticleYou might know I'm a bit of a security freak
@xrobau wrote: Ahha! It's Labor Day in the US tomorrow! This means I get TWO DAYS to Finish off Firewall. For those that aren't watching this on IRC, this is how the evolution of FreePBX Firewall has...
View ArticleYou might know I'm a bit of a security freak
@el_es wrote: +1 for iptables l) (and the rest of this post is just to pass 20char limit, ignore) Read full topic
View Article
