HOWTO: Thwarting SIP Scanners during Set-up

<< < (5/20) > >>

Jackson:
I have Anveo for a backup + e911.    Took me a bit to figure out what those pesky rings were.

Simply followed this advice:

Quote

I presume Anveo uses anycast IP addresses, because they seem to only use one IP address for each server location.

So with Anveo, set the corresponding X_AccessList to 72.9.149.69,67.212.84.21,176.9.39.206


Just like to say thanks.  Seems like the problem has gone away.

ontwowheels:
Question...can't this issue of SIP Scanners be addressed on the router/firewall that the Obi is behind?  I run DD-WRT and it has a kazillion options.

Shale:
Quote from: ontwowheels on June 14, 2013, 05:42:27 am

Question...can't this issue of SIP Scanners be addressed on the router/firewall that the Obi is behind?  I run DD-WRT and it has a kazillion options.


I think that it probably can, but I am not quite sure. It seems that a "full cone" router can protect its ports from being accessed by an IP other than the one  which the port was opened for. Since most routers don't have that, and trying to understand that, is daunting, I decided to not put that into the initial posting at this point. Your experiences could change that. See  Reply #13 and #14  on this thread.

ontwowheels:
Quote from: Shale on June 14, 2013, 07:14:28 am

Quote from: ontwowheels on June 14, 2013, 05:42:27 am

Question...can't this issue of SIP Scanners be addressed on the router/firewall that the Obi is behind?  I run DD-WRT and it has a kazillion options.


I think that it probably can, but I am not quite sure. It seems that a "full cone" router can protect its ports from being accessed by an IP other than the one  which the port was opened for. Since most routers don't have that, and trying to understand that, is daunting, I decided to not put that into the initial posting at this point. Your experiences could change that. See  Reply #13 and #14  on this thread.


Interesting.  I have been using Tomato and DD-WRT for years, configuring them as repeaters range extenders, client bridges etc.  I have never heard the term cone router.  Unless you have the Obi in your DMZ, or have setup wide open port forwards to the Obi I can't see having this issue.

Scan away, not going to find my Obi behind my DD-WRT router.   ;)

Felix:
Quote from: ontwowheels on June 15, 2013, 05:43:36 pm

Scan away, not going to find my Obi behind my DD-WRT router.   ;)

You may be right; however, you don't explain why you think this way... When your ATA accepts calls, it essentially opens a port for incoming traffic (say, on port 5060, but it could be some other port, of course). So, if you don't do anything, SIP scanners will find your OBi.

This whole thread and several others are discussing how to protect against it (although with Oleg's embarrassingly simple solution, - unless you want to accept direct IP calls - the conversation is pretty much over). DD-WRT is a very smart OS (I personally prefer OpenWRT, but it's a matter of taste) - and you can configure firewall there to blacklist VSP's IP address. But it seems much more straightforward to do it on OBi

Navigation

[0] Message Index

[#] Next page

[*] Previous page