[asterisk-security] Honeypot Project

Chris Miller asterisk-security at scratchspace.com
Wed Oct 12 14:10:15 CDT 2011


On 10/12/2011 11:40 AM, Tim Nelson wrote:
> While ambitious, there have always been questions surrounding projects of this type. Namely:
>
> -What is to stop your 'harvesters' from supplying IPs of known good hosts (for whatever reason)?
> -What process is in place to get an IP/subnet removed from your list if it does not belong there?
> -Is this a personal project, or is there a commercial entity 'behind the scenes'?

All good points. RBLs are generally administered by someone. All of
our Asterisk boxes get hit with these scans. I'm thinking one
iteration of this (use at your own risk) could be

1. Use fail2ban as an agent that reports unauthorized IP addresses
to the central database which is updated in real time
2. Use a script via cron to download the database to your server
3. Configure a separate filter in fail2ban (call it honeypot) to
watch this file and block these IP addresses

Fail2ban already allows a whitelist which will prevent you from
getting locked out of your own servers. Each user could configure a
download interval and block time to their comfort level. The
honeypot database should purge offending IP addresses at a
reasonable interval beyond the last report. If a particular IP
address continues to hammer on any of these servers, the IP address
will remain persistent automatically. This seems like a fairly
decent start for a fully autonomous realtime blacklist.

I'm willing to do the fail2ban work, possibly even the server side
submission component. I'll contact Jack privately...

Regards,
	Chris

Chris Miller
President - Rocket Scientist
ScratchSpace Inc.
(831) 621-7928
http://www.scratchspace.com
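The three-step scheme above (agents report to a central database, clients download it, a separate fail2ban filter watches the downloaded file) leaves one piece unspecified: how the database is consolidated into a file with the purge window and whitelist applied. The following Python script is an added example, not code from Chris Miller or the asterisk-security list. It assumes a constructed report format of `<ISO-8601 timestamp> <reporting host> <offending IP>`, one record per line; the sample records, the whitelist networks, the purge window of seven days and the reference time are all constructed for the example. Malformed records are dropped rather than trusted, which is the first line of defence against a harvester pushing junk or a known-good address into the list.

```python
"""Consolidate honeypot reports into a one-IP-per-line blocklist file.

Added example for the list discussion above; not part of any project.
The output is shaped so a fail2ban filter can watch it (a filter whose
failregex is ^<HOST>$ matches one bare address per line).
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample dump of the central report database:
# "<timestamp> <reporting-host> <offending-ip>"
SAMPLE_REPORTS = """\
2011-10-12T10:00:00Z pbx1 203.0.113.10
2011-10-12T11:30:00Z pbx2 203.0.113.10
2011-10-01T08:00:00Z pbx1 198.51.100.7
2011-10-12T12:00:00Z pbx3 not-an-ip
2011-10-12T12:05:00Z pbx3 192.0.2.44
2011-10-12T12:06:00Z pbx2 10.0.0.5
"""

# Constructed reference time and purge window used by the sample run.
SAMPLE_NOW = datetime(2011, 10, 12, 14, 0, tzinfo=timezone.utc)
SAMPLE_PURGE = timedelta(days=7)

# Networks that must never be blocked (hypothetical values). fail2ban's own
# ignoreip setting gives each client a second whitelist on its side.
WHITELIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_reports(text):
    """Return a list of (timestamp, ip_address), silently dropping malformed lines."""
    reports = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        stamp, _reporter, raw_ip = parts
        try:
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
            when = when.replace(tzinfo=timezone.utc)
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            # A bad or crafted record never reaches the blocklist.
            continue
        reports.append((when, ip))
    return reports


def build_blocklist(reports, now, purge_after, whitelist=WHITELIST):
    """Collapse reports into {ip: (last_seen, report_count)}.

    Whitelisted addresses are skipped. An address stays listed as long as
    it keeps being reported; it ages out once its most recent report is
    older than purge_after, which is the "persistent while hammering,
    purged when quiet" behaviour described in the thread.
    """
    seen = {}
    for when, ip in reports:
        if any(ip in net for net in whitelist):
            continue
        last, count = seen.get(ip, (None, 0))
        latest = when if last is None or when > last else last
        seen[ip] = (latest, count + 1)
    cutoff = now - purge_after
    return {ip: entry for ip, entry in seen.items() if entry[0] >= cutoff}


def report_counts(blocklist):
    """Return {ip_string: report_count} for inspection or logging."""
    return {str(ip): entry[1] for ip, entry in blocklist.items()}


def render_blocklist(blocklist):
    """One address per line, sorted numerically, IPv4 before IPv6."""
    ordered = sorted(blocklist, key=lambda ip: (ip.version, int(ip)))
    return "".join(f"{ip}\n" for ip in ordered)


def sample_run():
    """Consolidate the constructed sample with the constructed settings."""
    reports = parse_reports(SAMPLE_REPORTS)
    return render_blocklist(build_blocklist(reports, SAMPLE_NOW, SAMPLE_PURGE))


if __name__ == "__main__":
    # Write the result to wherever the fail2ban jail's logpath points.
    print(sample_run(), end="")
```

On the sample data the run keeps 203.0.113.10 (reported twice, most recently today) and 192.0.2.44, drops 198.51.100.7 because its last report is eleven days old, ignores the `not-an-ip` record, and never lists 10.0.0.5 because it falls inside a whitelisted network. In a real deployment the cron job from step 2 would fetch the database dump, run this consolidation, and write the result to the file the honeypot filter watches.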
