Securing asterisk - whilst having a remote extension - asterisk

I'd like to install asterisk on a friend's computer but wish to do so without the computer being permanently bombarded with scammers. Locking down all the ports would be the obvious answer but this would mean that the remote client installed on a Android phone would then no longer work.
I do not want to have to use something like OpenVPN I would rather the remote extension reaches the asterisk box without the need for a VPN. Apopse from anything else not having to use a VPN would mean I could continue to benefit from push notification.
Security iptables particularly using something like m string matching - matching on keywords which may include the name of the client I am currently using on my Android and accepting incoming connections on detection of that word maybe one way of doing things blocking all IP addresses outside of the UK maybe another but of course nothing beats a VPN connection...
For an asterisk installation which will only serve one person, what is the ideal way of securing the installation whilst allowing reliable access from a remote extension which will not have a fixed IP but rather a dynamic one issued by the 3G connection it is running from.

You can do via versa:
1) setup iptables open port to provider
2) allow from other ips REGISTER only when UserAgent match your selected android app.

Related

Nested port forwarding

This is first time I setup ftp server and I'm not really clever at network thing.
How do i want my connection to look like.
HOME > INTERNET > OFFICE_ROUTER > OFFICE_WORKSTATION > FTP_SERVER
OFFICE_WORKSTATION has 2 NIC: connection to FTP_SERVER and internet connection by OFFICE_ROUTER, FTP_SERVER has only connetion to OFFICE_WORKSTATION (localNetwork)
What I already did is vsftpd on FTP_SERVER with tls and it's already accesible from localNetwork - OFFICE_WORKSTATION (e.g by using totalCommander > 10.10.10.10:21)
I did port and ip forwarding on OFFICE_ROUTER (let's say its public ip is 192.192.192.1 and local 192.168.10.1)
So when I connect from HOME to OFFICE_ROUTER it sends me further to OFFICE_WORKSTATION.
Then i setup netsh on OFFICE_WORKSTATION ( localNetwork ip 10.10.10.50, inernetNetwork ip 192.168.10.10) to get 192.168.10.10:21 from internet and send it to 10.10.10.10:21 which is my FTP_SERVER. But such setup gives me "500 illegal PORT command"
Maybe it's because FTP_SERVER don't know how to send data back ? Because now it should respond from 10.10.10.10:21 (FTP_SERVER) to 10.10.10:50 OFFICE_WORKSTATION) and here netsh should take care of it and output it to OFFICE_ROUTER
I already know that ftp uses two ports data and command. Maybe i shoud forward both ports ?
I did test where my OFFICE_WORKSTATION serve FTP and I was able to connect it by HOME station by using single portForwarding on OFFICE_ROUTER.
With totalCommander from OFFICE_WORKSTATION i connect to 10.10.10.10:21 and it works, but if i try (also from OFFICE_WORKSTATION) in totalCommander to use those configured ports ( 192.168.10.10:21 > 10.10.10.10:21 ) I've got same error "500 illegal PORT command"
I want my OFFICE_WORKSTATION to serve as portForwarding (i don't even know how to call it). So at the end I think problem lies in error/problem in portForwarding configuration.
I would be very pleased if someone could give me some hints.
This is first time I setup ftp server
Don't.
Please, do not use FTP. You really, really do not want to use FTP. We do not want you to use FTP. Vint Cerf does not want you to use FTP. Bill Gates does not want you to use FTP. Even FTPS (which I'm guessing is what you are trying to say).
There are few things worse than FTP. FTPS is one of them. Setting up FTPS with any sort of NAT is really difficult for an expert systems admin.
There are lots of better solutions - SFTP (note order of letters - it's completely different) for one.

How to suppress the Windows Security Alert for Windows Firewall?

When I create the Hello World example in C++ from The Guide on ZeroMQ found here:
http://zguide.zeromq.org/page:all#Ask-and-Ye-Shall-Receive
and run the application, I get a Windows Security Alert that asks if I would like to allow the application to communicate on public or private networks.
It looks like this:
Here is where things get interesting.
I only need my program to listen on port 5555 for connections from localhost and I do NOT need to allow incoming connections on port 5555. This is because I only want to communicate between applications on the localhost.
Client and server are both running on the same machine.
Here is my current process. I start the server, the Windows Security Alert comes up, since I am running the application as a non-administrator account, I only have standard permissions. Then I click Cancel on the Alert.
Clicking cancel on the alert puts an explicit deny inbound rule on all ports for HelloWorldServer.exe. This is totally fine.
Then I start the client. Since the client is connecting to the localhost. I actually does not need to send messages outside of the local machine, and all of its messages arrive at the server just fine.
Given an explicit deny rule on incoming connections to HelloWorldServer.exe, the messages can still arrive from the client on the local host. This is a desirable result.
Now the question becomes is there anyway to automatically respond to the Windows Security Alert to click cancel? Is there any way to suppress it from popping up since the allow is not needed?
The prompt is undesirable because it implies that the application needs to create a vulnerability when it does not.
Please assume that Named Pipes are not a valid alternative to tcp as a means of inter-process communication.
When binding the socket the caller may specify the IP address the socket is bound to. The coding samples provided by ZeroMQ specify
socket.bind ("tcp://*:5555");
where * appears to be specify all possible addresses (INADDR_ANY in BSD socket-derived parlance) which will trigger the Windows firewall as it allows remote and local addresses.
Calling socket.bind with the localhost address 127.0.0.1
socket.bind ("tcp://127.0.0.1:5555");
limits the sockets allowed to connect to the local machine and should silence the firewall warning for most Windows firewall configurations.

How to make My PC work as Host Server?

I have an ASP.NET web application that has been hosted in IIS local Machine.
My Question is :
Is there any free or paid method that allows browsing this web
application from the internet as Host Server ?
Thanks
The easiest way to to publish it directly onto the internet. You do run the risk of attackers then being able to attach your machine, so you will need to brush up on your security skills. It might be worth looking into one of the free hosting options from AWS, Azure or Google Cloud.
To use your local machine as a web server, first, configure it to use a static IP. Its been a while since I've done it on windows, but this looks about right http://www.howtogeek.com/howto/19249/how-to-assign-a-static-ip-address-in-xp-vista-or-windows-7/.
Next you will need to configure port forwarding on your model. You want to send all traffic on port 80 to your machine, using its new fixed IP address. If your using HTTPS as well, configure port 443 to go to your machine. There are too many different modem brands, all of which handle this slightly differently, to consider offering any more help on this. You will need to do some reading up on your particular modem for step-by-step instructions.
If your internet connection is using a fixed IP, then you can stop here.
If not, or if you just want a domain name, then its worth signing up for a dynamic dns service. I use No-ip, its free, it integrates with my modem and I haven't had any problems with it in the last few years. Once this is in place, you will be able to hit your webserver just like a real one. Using something like "http://mypc.no-ip.biz/mydemoapp/
But again, be warned about exposing your machine on the internet. There are nasty people out there who love to hijack other peoples computers.
Update:
This should give you some guidance on port forwarding
http://www.howtogeek.com/66214/how-to-forward-ports-on-your-router/
Try http://www.noip.com I just logged in and it seemed happy. Otherwise, have a click through all the settings in your modem looking for ddns or dynamic DNS. There is usually a drop down of all the providers that it will talk to. And some providers have apps that you run on your PC , which is easier that working with the modem for some. (Or for models that don't support ddns.)

Is there a network communication protocol whose use won't require an app's user to grant permissions in Windows Firewall?

I want my client program to communicate with a server without making the user add an exception to Windows Firewall in elevated mode. Is there a way to do this? HTTP? For instance, uTorrent and Google Chrome can both be installed by a regular (non-admin) user, and both programs network quite extensively - how do they do this? Am I missing something about how the firewall and/or ports works?
Yes there is a way. Assuming that your client program is the one running on the users machine and that your client program is the one initiating communication with the server then your client program generally would not need to require end user to open any exceptions in the windows firewall as long as you stick to using http over port 80. Http on port 80 is generally open for outbound traffic (initiated by the client) and therefor you could build your communication (and if needed your own protocol) on top of the http protocol. This is the typical scenario for webserver and webbrowsers (clients).
If you need the server to initiate the communication it becomes more complex and a lot of different approaches could be used. Choice of communication channels and structure should depend on factors like whether you would want to communicate to one client at a time or many (broadcast/multicast), do you need encryption, what are your needs for speed (throughput and latency), what kind of system are you trying to build and so on.
Many webapplications achieve an effect of a server initiated communication by using special techniques called polling, long polls, comet, websockets and so on. these work through http on top of tcp/ip on port 80. Other systems employs subscription mechanisms to be able to get notified through a third part if something new has happened. If you need server initiated communications please let me now and i will try to give a better explanation on the options.

How to connect to localhost with DSL IP forward

I'm trying to connect to wamp from other computer.
I have a tp-link TD-8811. Is there any way to open my localhost from out
also i dont have a static IP.
A quick look at the specs for your TP-link device show that it is capable of DMZ and Virtual Server configurations. Please see here for a Step-by-Step: http://www.tp-link.com/en/article/?faqid=205 I input your model number in the search and came up with this article. I hope this helps.
There are many options for accessing a dynamic IP from outside.
Almost all services that do CNAME aliases for dynamic IPs offer both free and paid services. I never felt the need to pay for a service that i only used occasionally... The paid packages are usually geared to make your life easier.
Look at: no-ip.com -or- dyndns.com -or- google: "connect to dynamic ip address" and take your pick from the results.
After all of this is done, I'd seriously consider setting up (as an absolute minimum) a quick and dirty encrypted channel for your security. Your Router does not support IPsec/VPN, but that doesn't mean that you cannot ssh to your computer (regardless of host/client OS). There are also port-knocking methods to "speak" to your PC's firewall and instruct it to open your desired data port. You'll need to forward a few more ports from your router to get this set up, but if you'll achieve a closed system that you can open and close again on demand.
Apologies for the non-howto style of this answer, I hope it helps.

Resources