Install Information:
Standalone
Vicibox redux 32bit preload 3.1.15
VERSION: 2.6-372a
BUILD: 120713-2123
Sangoma CPD
All sip g729
Issue:
We have been happily using Vicidial behind the latest pfSense firewall without issue for years.
Because we have agents that log in from home, we have a fair number of users that do not have a static IP address.
For this reason, our firewall approach has been to keep a watchful eye and blacklist offending IPs, with pfBlocker to aid in the task.
Recently, however, we have been crushed with attacks attempting to log into our Asterisk servers...
Ideally we want to whitelist, but need an automated way to allow at-home agents to log in when their IP changes.
In pfSense there is a way to create an Alias that contains whitelisted IPs; however, it only updates once a day.
I built a solution that would require the at-home agent to authenticate to a website, which would SSH into the pfSense box and update the Alias whitelist with the new IP address, but it does not constantly allow the traffic after the update... so the solution is not effective.
I have also considered using Fail2ban, but know the pitfalls and potential to have legitimate traffic get blocked by a stupid user... Whitelisting is what I am after...
What is the best way to accomplish this task?
VPN adds a level of complexity for the agents, as well as processing overhead, and requires updating as agents come and go.
ANY suggestions are greatly appreciated.
Thanks!!