1 Patron privacy and the SIP protocol
2 -----------------------------------
4 SIP traffic includes a lot of patron information, and is not
5 encrypted by default. It is strongly recommended that you
6 encrypt any SIP traffic.
8 SIP server configuration
9 ~~~~~~~~~~~~~~~~~~~~~~~~
11 On the SIP server, use `iptables` or `etc/hosts` to allow SSH connections on port 22 from the SIP client machine. You will probably want to have very restrictive rules
12 on which IP addresses can connect to this server.
15 SSH tunnels on SIP clients
16 ~~~~~~~~~~~~~~~~~~~~~~~~~~
18 SSH tunnels are a good fit for use cases like self-check machines, because it is relatively easy to automatically open the connection. Using a VPN is another option,
19 but many VPN clients require manual steps to open the VPN connection.
21 . If the SIP client will be on a Windows machine, install cygwin on the SIP client.
22 . On the SIP client, use `ssh-keygen` to generate an SSH key.
23 . Add the public key to /home/my_sip_user/.ssh/authorized_keys on your SIP server to enable logins without using the UNIX password.
24 . Configure an SSH tunnel to open before every connection. You can do this in several ways:
25 .. If the SIP client software allows you to run an arbitrary command before
26 each SIP connection, use something like this:
30 ssh -f -L 6001:localhost:6001 my_sip_user@my_sip_server.com sleep 10
33 .. If you feel confident that the connection won't get interrupted, you can have something like this run at startup:
37 ssh -f -N -L 6001:localhost:6001 my_sip_user@my_sip_server.com
40 .. If you want to constantly poll to make sure that the connection is still running, you can do something like this as a cron job or scheduled task on the SIP client machine:
44 instances=`/bin/ps -ef | /bin/grep ssh | /bin/grep -v grep | /bin/wc -l`
45 if [ $instances -eq 0 ]; then
46 echo "Restarting ssh tunnel"
47 /usr/bin/ssh -L 6001:localhost:6001 my_sip_user@my_sip_server.com -f -N
projects / Evergreen.git / blob