How many connections should be made per minute on port 5060 by a legitimate client? For example, If I fire up Linphone and connect to my server I would expect that 5060 is used only once to authenticate me, and then I am handed off to another port and my TCP state becomes established. Is this correct? I am writing an iptables rule to block connections from an IP if it exceeds what would be considered a normal number of connections. For example, on all of my Linux systems (including this Gentoo laptop) I limit SSH connections to 3 per minute. This is in the NEW state. It ignores related and established connections since those already passed the login. This works well and is only two lines of code. I intend to do this for Asterisk also, only specifying port 5060 instead of 22.
So what is a reasonable number of connections per minute for any single device/app to Asterisk?
EDIT
Here is what I intend to do.
iptables -A INPUT -p tcp -m multiport --dports 22,5060 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp -m multiport --dports 22,5060 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
This would drop connections from any single IP which tried to connect to SSH or Asterisk more than three times every minute.
By default UDP, not TCP is used, so there are only dialogues, not connections. As such, the normal number of connections per minute is 0.00000.
I’m not sure it is strictly correct, but some initial servers will set up a separate connection when they take on the role of client (SIP entities can take both roles during one call - this is normal).
If you do configure for TCP, the TCP connection to port 5060 will normally be held for the whole call. For UDP, assuming the server doesn’t redirect it in a Contact header, which is not something that Asterisk would do, as far as the port number is concerned, all call control will take place on 5060 for the duration of the call. That includes, DTMF sent with INFO, re-invites for direct media, re-invites for connected line updates, re-invites for holds from the phone, and re-invites for session timers.
The only situation in which Asterisk may be involved in a hand off, is if the original transaction arrived via an inbound proxy. However that will not change the port number used at the Asterisk end, but just result in a new connection (if TCP) from the real address of the caller.
Yes I read that once two clients (assume two Linphone users) are on the line, they communicate directly with each other. My experience is with TCP and you are correct, TCP is not used by default and it is not enabled on my system. This puts me back into the dark at how the heck I can keep people out.
You did raise another question with your answer though. Assume my two clients cannot make a direct connection and instead go through my server on 5060. What happens when a second call on that trunk comes in? Does it simply go to 5061?