[arm-allstar] Restrict Inbound Connections by Node Number?
Joel
x-rad at frontier.com
Thu Mar 3 14:27:22 EST 2016
Doug Crompton via arm-allstar wrote:
> Think twice about blocking people. I can see Echolink where it is the
> wild west but Allstar is a different community.
Doug,
I understand your point - and what I've done is not really to stop Allstar nodes from connecting in. We have rarely had a need to do that - and when we did - we just dropped in a single REJECT rule for that - with an "at" job to remove it in a couple of days.
But if you spend any time sniffing border routers for UDP/4569 (or other ports close to 4569), you will see a fair amount of traffic poking/probing, looking for Asterisk boxes. It's even worse on port 5060 (SIP). Most often (90% of the time) the sources are networks either in Asia or Russia. These are not hams trying to connect - but sleazebags looking for vulnerable Asterisk boxes to abuse. Since Allstar is based on a pretty old version of Asterisk, I'm a bit paranoid about letting them just poke away and hoping there are no buffer overflows or other issues hiding somewhere they could avail themselves of. I realize that if they did get in - there are no PSTN circuits behind it - which is what they are after. Either way, my thinking was to at least ban everything outside of North America and keep that garbage traffic that even touches Asterisk to a minimum.
I personally had a PBX hacked once - and it wasn't even over the IP network - but via DTMF on the PSTN side. That was due to an undocumented back door the vendor left in the voicemail system and never told anyone about. They managed to use that to re-route international calls for themselves - up to 8 at one time. I've also had other boxes compromised in the past on the IP side because of unpatched buffer overflows. Once I was too busy planning my Dad's funeral to get a daemon patched the same day a vulnerability was announced. A couple of days later I had a server distributing porn via the hole they used to get in! The old saying "there are only two types of system administrators - the paranoid and the incompetent" comes to mind. Just trying to stay more on the paranoid side myself!
73's
Joel/N7GLV
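The mechanism the post describes (a single REJECT rule for one source, with an "at" job that removes it after a couple of days) as an added shell example; it is not code from the list or from the Allstar project. The INPUT chain, the multiport match, the input validation and the RUN preview variable are assumptions; the ports and the two-day lifetime come from the post.

```shell
#!/bin/sh
# Temporary REJECT rule for one source, removed later by an at(1) job.
# Added example, not from the list post or the Allstar project. Assumes
# iptables and atd are present; the INPUT chain and multiport match are
# assumptions, the two-day lifetime and the ports come from the post.

ASTERISK_PORTS="4569,5060"   # IAX2 and SIP, the UDP ports being probed
RUN=${RUN:-sh -c}            # set RUN=echo to preview commands instead of applying

# Accept only a dotted-quad IPv4 address with an optional /prefix. The
# source is later spliced into a command string, so reject anything else.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the rule that rejects UDP from $1 to the Asterisk ports.
reject_rule() {
    printf 'iptables -I INPUT -s %s -p udp -m multiport --dports %s -j REJECT' \
        "$1" "$ASTERISK_PORTS"
}

# Print the matching delete, which the scheduled clean-up job runs.
unreject_rule() {
    printf 'iptables -D INPUT -s %s -p udp -m multiport --dports %s -j REJECT' \
        "$1" "$ASTERISK_PORTS"
}

# Block $1 now and queue its removal in $2 days (default 2, as in the post).
temp_block() {
    src=$1
    days=${2:-2}
    valid_ipv4 "$src" || { echo "temp_block: bad address '$src'" >&2; return 1; }
    case $days in ''|*[!0-9]*) echo "temp_block: bad day count '$days'" >&2; return 1;; esac
    $RUN "$(reject_rule "$src")" || return 1
    $RUN "echo \"$(unreject_rule "$src")\" | at now + $days days"
}
```

Run `RUN=echo sh -c '. ./tempblock.sh; temp_block 192.0.2.10'` to preview the two commands before applying them as root.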