[asterisk-biz] PBX Hacker IP List
John Todd
jtodd at digium.com
Mon Mar 16 19:18:18 CDT 2009
[cc'ed Phil Schwartz of DenyHosts and Cyril Jaquier of Fail2Ban]
On Mar 16, 2009, at 12:05 PM, JR Richardson wrote:
>> No matter how the system is set up there should be a way to easily add
>> known-good IP as they relate to a particular installation.
>>
> The Project Honey Pot looks great.
>
> I'm not too keen on white listing though. It would be hard to verify
> an attacker's IPs that haven't been identified as bad yet. I'm sure
> some hackers would troll the black list and try to add their IPs as
> known good. I don't think this would be some automated mechanism for
> PBX server subscription, at least not yet.
>
> I'm thinking more along the lines of a central list, updated by
> community participants, to add IPs that have attacked them, with
> date/time of the attack. It would be up to the PBX admin to employ a
> filter with those blacklisted IPs or disregard the list
> altogether.
>
> Thanks
>
> JR
> --
> JR Richardson
> Engineering for the Masses
[Phil and Cyril - the quick synopsis here is that Asterisk systems are
being hit with some frequency with brute-force SIP password or
extension guessing attacks. Asterisk can output logfiles
(non-customizable) of failures.]
JR and I had been having parts of this conversation off-line, but it's
probably worth bringing it up here.
I am of the opinion that a "blacklist" is probably useful for some
people, as an optional method to automatically configure certain
firewall filters or other ACLs which would deny certain IP addresses
from reaching the SIP stack. This could be triggered by quantity of
requests within a certain time period, or number of failures, or
whatever. In fact, there are people who have configured Fail2Ban
already to serve locally as a prophylactic for their own machines.
JR's point is that there would optimally be some distributed mechanism
which would serve to collect the IP addresses as reported by a wide
variety of endpoints, such that badly acting IP addresses would be
denied even the first step in blocking.
The Honey Pot Project seems interesting, but it's not quite the right
collection method - they seem to be fairly mail-focused, and their
input comes from dormant accounts that they run themselves. Or am I
missing how they could be easily used for SIP?
It seems that the combination of Fail2Ban and DenyHosts would provide
a fairly strong method of both detecting and then centrally storing
"bad" IP addresses. I don't know enough about either to say if one
duplicates the other as far as functionality, so I'm hoping the
authors/members of those packages might chime in here. If I can get
some good comments, I'll make this a blog post and maybe we can have a
session or two on this at Astricon (hint, hint - JR, you're on the
hook!)
Lastly, this again doesn't seem to be specific to Asterisk except for
inputs of logfile data which would be standardized and reported back
up the reporting path to the repository. This is an opportunity for
anyone with SIP devices to start contributing to a new database. If
we can get some interest and a beta platform in place using Asterisk
logfiles and something like iptables, then I'd hope to start bringing
in people from other SIP platforms such as Kamailio/SER/OpenSER,
FreeSwitch, Cisco, SIPxchange, and others so we could all benefit from
this effort.
I'm hesitant to create any sort of human-regulated system such as a
mailing list or even a wiki as the repository for IP address data of
elements, because I think that data will be difficult to collect,
difficult to integrate into existing systems, and impossible to update
in a way that is fair to people who may be incorrectly added (or who
inherit "bad" IP addresses via DHCP or whatever). Automation seems
the only reasonable solution. I could be convinced otherwise, and of
course anyone can start such a manual process if they think it would
lead to rapid problem resolution. However, I don't think it is a
long-term viable method of IP address tagging and I hope that some method
might arise with tools that mostly already exist.
Resources:
http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk
http://denyhosts.sourceforge.net/index.html
JT
---
John Todd email: jtodd at digium.com
Digium, Inc. | Asterisk Open Source Community Director
445 Jan Davis Drive NW - Huntsville AL 35806 - USA
direct: +1-256-428-6083 http://www.digium.com/
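The detection step John describes, as an added example that is not from the thread, from Fail2Ban or from DenyHosts: a small Python script that reads Asterisk chan_sip "Registration from ... failed for" NOTICE lines, counts failures per source address inside a sliding window using Fail2Ban's `maxretry`/`findtime` semantics, skips a known-good list (the whitelist JR and the earlier poster argue about), and emits both the per-IP record a central list would want (address plus first/last date/time) and an iptables rule for local blocking. The log lines are constructed for the example (documentation-range addresses, format modelled on the chan_sip message of that era); the year is assumed because Asterisk's default timestamp omits it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the chan_sip NOTICE written on a failed REGISTER. It tolerates the
# "chan_sip.c:NNNN register_verify:" prefix and a ":port" suffix that other
# Asterisk releases add; only the time, source IP and reason are kept.
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]:? chan_sip\.c:?(?:\d+ \w+:)? "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>\d+(?:\.\d+){3})(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample log: one noisy guesser, one slow guesser, one user with a
# typo, one misconfigured phone on the trusted LAN, and an unrelated VERBOSE line.
SAMPLE_LOG = """\
[Mar 16 18:00:00] NOTICE[2233] chan_sip.c: Registration from '"300" <sip:300@203.0.113.5>' failed for '192.0.2.20' - Wrong password
[Mar 16 18:04:00] NOTICE[2233] chan_sip.c: Registration from '"300" <sip:300@203.0.113.5>' failed for '192.0.2.20' - Wrong password
[Mar 16 18:08:00] NOTICE[2233] chan_sip.c: Registration from '"300" <sip:300@203.0.113.5>' failed for '192.0.2.20' - Wrong password
[Mar 16 18:12:00] NOTICE[2233] chan_sip.c: Registration from '"300" <sip:300@203.0.113.5>' failed for '192.0.2.20' - Wrong password
[Mar 16 18:16:00] NOTICE[2233] chan_sip.c: Registration from '"300" <sip:300@203.0.113.5>' failed for '192.0.2.20' - Wrong password
[Mar 16 19:00:01] NOTICE[2233] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Mar 16 19:00:02] NOTICE[2233] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Mar 16 19:00:03] NOTICE[2233] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Mar 16 19:00:04] NOTICE[2233] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Mar 16 19:00:05] NOTICE[2233] chan_sip.c: Registration from '"104" <sip:104@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Mar 16 19:00:06] NOTICE[2233] chan_sip.c: Registration from '"105" <sip:105@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Mar 16 19:00:07] VERBOSE[2233] chan_sip.c:     -- Registered SIP '200' at 203.0.113.40:5060
[Mar 16 19:02:00] NOTICE[2233] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '203.0.113.9' - Wrong password
[Mar 16 19:02:30] NOTICE[2233] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '203.0.113.9' - Wrong password
[Mar 16 19:10:00] NOTICE[2233] chan_sip.c: Registration from '"400" <sip:400@10.0.0.1>' failed for '10.0.0.5' - Wrong password
[Mar 16 19:10:01] NOTICE[2233] chan_sip.c: Registration from '"400" <sip:400@10.0.0.1>' failed for '10.0.0.5' - Wrong password
[Mar 16 19:10:02] NOTICE[2233] chan_sip.c: Registration from '"400" <sip:400@10.0.0.1>' failed for '10.0.0.5' - Wrong password
[Mar 16 19:10:03] NOTICE[2233] chan_sip.c: Registration from '"400" <sip:400@10.0.0.1>' failed for '10.0.0.5' - Wrong password
[Mar 16 19:10:04] NOTICE[2233] chan_sip.c: Registration from '"400" <sip:400@10.0.0.1>' failed for '10.0.0.5' - Wrong password
"""


def parse_failures(log_text, year=2009):
    """Return (timestamp, ip, reason) for every failed-registration line; other lines are ignored.
    The year is an assumption: Asterisk's default "%b %e %T" timestamp does not carry one."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["ip"], m["reason"]))
    return events


def find_offenders(events, maxretry=5, findtime=600, whitelist=()):
    """Sliding-window count per source IP with Fail2Ban's maxretry/findtime meaning:
    an IP is flagged once it has maxretry failures inside any findtime-second window.
    Addresses inside a whitelisted network are never flagged, so a known-good phone
    with a bad password does not end up on the list. Returns {ip: record}."""
    trusted = [ip_network(n) for n in whitelist]
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)   # ip -> timestamps still inside the window
    offenders = {}
    for ts, ip, _reason in sorted(events):
        if any(ip_address(ip) in net for net in trusted):
            continue
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:   # expire attempts older than findtime
            hits.pop(0)
        if ip in offenders:
            offenders[ip]["count"] += 1
            offenders[ip]["last_seen"] = ts
        elif len(hits) >= maxretry:
            offenders[ip] = {"count": len(hits), "first_seen": hits[0], "last_seen": ts}
    return offenders


def report_lines(offenders):
    """One line per flagged IP with date/time of the attack, the record a shared list would carry."""
    return [
        f"{ip} first={r['first_seen'].isoformat()} last={r['last_seen'].isoformat()} failures={r['count']}"
        for ip, r in sorted(offenders.items())
    ]


def iptables_rules(offenders):
    """Local enforcement: drop SIP/UDP from each flagged address (rule shape is an assumption)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    flagged = find_offenders(parse_failures(SAMPLE_LOG), whitelist=["10.0.0.0/8"])
    print("\n".join(report_lines(flagged) + iptables_rules(flagged)))
```

With the defaults, only 198.51.100.7 is flagged: 192.0.2.20 makes five attempts but never five inside ten minutes, 203.0.113.9 stops at two, and 10.0.0.5 is excluded by the whitelist even though it would otherwise qualify. Widening `findtime` to an hour catches the slow guesser too, which is the trade-off an admin tunes per site.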