1) You can configure FreeSWITCH to only allow inbound calling; there is no risk
of toll fraud if outbound is not enabled. Also set 5060 to only
accept packets from the IP address of the ITSP.
2) Your dialplan controls what calls complete. In my configs the only
conferences that can be set up by inbound DIDs are active BBB sessions
that already exist, controlled by PIN (custom dialplan script). You
can't create ad hoc conferences, period.
3) The BBB client is talking to red5, which talks to FreeSWITCH on a
separate port (profile). If you have no demo pages on the server, you need
to authenticate with the BBB API with a valid checksum, so the salt is needed
to create a rogue session, and the checksum is unique for every
attempt when the params are changed.
You should change the ESL and SIP username/password to something
other than the defaults.
Lastly, if your business or application needs security compliance,
secure the network with a VPN.
Regards,
Stephen
http://hostbbb.com
On May 17, 11:44 pm, Daniel Zhou <daniel.yanjun.z...@gmail.com> wrote:
> That's a lot of great info. Thank you very much, Walter, Stephen and Fred.
> Definitely I will look into it. As you know, I am new to this field, lots
> for me to learn....
>
> Regarding
> "If you allow people to dial in by phone then yes the security is suddenly
> much less, limited to 100.000 combinations. You can disable calling in,
> most people can/could/would use BBB as a web-only conference system. "
>
> No, I am not talking about allowing people to call in. If you have a
> connection to bbb-voice, you can then do a remote procedure call to call
> into FreeSWITCH. The bbb-voice application has a SIP call agent; through an
> RPC call (remoting) a client can make a SIP call to FreeSWITCH. So in this
> scenario, the rate-limiting commands with iptables won't be able to fend
> off the attack. All the client needs is one connection to bbb-voice; from
> there it can launch many SIP calls to FreeSWITCH, which are all internal to
> the server. Clients may even be able to establish parasite conferences
> without bbb-web knowing it. This will steal resources from the server and
> interfere with ongoing conferences.
>
> Daniel
>
> On Fri, May 17, 2013 at 6:24 AM, Fred Dixon <ffdi...@gmail.com> wrote:
> > Excellent discussion.
> >
> > Regards,... Fred
> > --
> > BigBlueButton Developer
> > http://bigbluebutton.org/
> > http://code.google.com/p/bigbluebutton
> > BigBlueButton on twitter: @bigbluebutton
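Stephen's point 3 rests on the BigBlueButton API checksum: every API call carries a checksum that is SHA-1 over the API call name, the query string (without the checksum parameter) and the server's security salt, so without the salt a caller cannot mint a valid `create` or `join` request, and any change to the parameters invalidates the checksum. The block below is an added, constructed illustration of that rule and is not code from the thread or from the BigBlueButton project; the salt value, meeting parameters and the function names `sign_call` / `verify_call` are assumptions made for the example.

```python
"""Constructed example of the BigBlueButton API checksum rule:
checksum = SHA-1(apiCallName + queryString + securitySalt).
Not BBB's own code; the salt and parameters below are made up."""
import hashlib
import hmac
from urllib.parse import urlencode

# Assumption: stand-in for the securitySalt in bigbluebutton.properties.
SECURITY_SALT = "constructed-example-salt"


def bbb_checksum(call_name: str, query_string: str, salt: str) -> str:
    """SHA-1 over call name + query string (checksum param removed) + salt."""
    data = (call_name + query_string + salt).encode("utf-8")
    return hashlib.sha1(data).hexdigest()


def sign_call(call_name: str, params: dict, salt: str) -> str:
    """Client side: build 'callName?query&checksum=...' as a front end would."""
    query = urlencode(params)
    return f"{call_name}?{query}&checksum={bbb_checksum(call_name, query, salt)}"


def verify_call(request: str, salt: str) -> bool:
    """Server side: strip the checksum parameter, recompute over what is left,
    and compare in constant time. Exactly one checksum must be present."""
    call_name, _, query = request.partition("?")
    parts = query.split("&") if query else []
    supplied = [p[len("checksum="):] for p in parts if p.startswith("checksum=")]
    if len(supplied) != 1:
        return False
    unsigned = "&".join(p for p in parts if not p.startswith("checksum="))
    expected = bbb_checksum(call_name, unsigned, salt)
    return hmac.compare_digest(expected, supplied[0])


def demo() -> dict:
    """Show the three cases that matter: a correctly signed request, the same
    request with one parameter edited, and a request signed with a guessed salt."""
    params = {
        "name": "Weekly sync",
        "meetingID": "abc-123",
        "attendeePW": "ap",
        "moderatorPW": "mp",
    }
    good = sign_call("create", params, SECURITY_SALT)
    # Attacker edits a parameter in transit but cannot recompute the checksum.
    tampered = good.replace("meetingID=abc-123", "meetingID=rogue-1")
    # Attacker without the real salt signs with a guess.
    forged = sign_call("create", params, "guessed-salt")
    query = urlencode(params)
    return {
        "good": verify_call(good, SECURITY_SALT),
        "tampered": verify_call(tampered, SECURITY_SALT),
        "forged": verify_call(forged, SECURITY_SALT),
        # Call name is part of the hash: a 'create' checksum cannot be replayed as 'join'.
        "call_name_bound": bbb_checksum("create", query, SECURITY_SALT)
        != bbb_checksum("join", query, SECURITY_SALT),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the thread only states: the checksum binds the call name as well as the parameters, so a captured `create` URL is useless for a `join`, and the server must remove the `checksum` parameter before recomputing (and should reject a request that carries none, or more than one) rather than trusting any parameter order the client chose.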