[asterisk-security] Honeypot Project

Chad ccolumbu at hotmail.com
Wed Oct 12 14:09:41 CDT 2011


I think we should create a honeypot type, instead of a global blacklist.
The idea is that you create a fake common extension to catch bad guys and let them think they did something, but then block them from doing anything really.

Here is what I propose: create a new honeypot type, and add an entry in the sip.conf like this:
[Honeypot]
type=honeypot
username=1001
port=5060
attempt_count=5

The honeypot type creates a random "password attempt allow" per IP that tries to log in using the honeypot extension/username.
What this means is that it selects a random number between 1 and attempt_count for each IP that tries to access the username.
When the bad guy reaches the "password attempt allow", it lets them in by passing them a valid registration message.
Then the bad guy can dial all the numbers they want, but all it does is ring forever, or is directed to a context of your choosing.
It also adds the bad guy's IP to the blacklist, so if that IP tries to log in with any other username it blocks it, even if they get the password correct.

This reduces the need for a global blacklist; the bad guys will build the blacklist for you, simply by behaving badly.

^C
Chad

On 10/12/2011 11:52 AM, Jack Honey Pot wrote:
>
>     -What is to stop your 'harvesters' from supplying IPs of known good hosts (for whatever reason)?
>
> Have not figured out how to find good harvesters and nice people, do provide some suggestions?
>
>     -What process is in place to get an IP/subnet removed from your list if it does not belong there?
>
> To be honest, I have not figured it out yet. Have just been working on it for the past 5 hours but open to ideas and policy suggestions.
>
>     -Is this a personal project, or is there a commercial entity 'behind the scenes'?
>
> Community project, I myself am a victim of it. Do not intend to make it commercial at all. Looking to work with experienced Asterisk security developers who are
> active here and open to ideas and suggestions.
>
>
>     --Tim
>
>     --
>     _____________________________________________________________________
>     -- Bandwidth and Colocation Provided by http://www.api-digital.com <http://www.api-digital.com/> --
>
>     asterisk-security mailing list
>     To UNSUBSCRIBE or update options visit:
>     http://lists.digium.com/mailman/listinfo/asterisk-security

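The per-IP logic proposed in the message above, modelled as an added example (not part of the original post and not Asterisk code). The class, the context names "from-sip" and "honeypot-sink", and the choice to blacklist at the moment of the fake success are assumptions; the IP addresses are constructed sample values.

```python
import random

class HoneypotPeer:
    """Added model of the proposed type=honeypot behaviour (not Asterisk code)."""

    def __init__(self, username="1001", attempt_count=5, rng=None):
        self.username = username
        self.attempt_count = attempt_count
        self.rng = rng or random.SystemRandom()
        self.allow_at = {}    # ip -> random "password attempt allow" for that IP
        self.attempts = {}    # ip -> attempts seen against the honeypot username
        self.blacklist = set()

    def register(self, ip, username, password_ok=False):
        """Return 'ok', 'reject' or 'fake_ok' for one registration attempt."""
        if username != self.username:
            # Real peer: a blacklisted IP is refused even with the right password.
            if ip in self.blacklist:
                return "reject"
            return "ok" if password_ok else "reject"
        # Honeypot username: the supplied password is never checked.
        if ip in self.blacklist:
            return "fake_ok"          # keep up the illusion on re-registration
        if ip not in self.allow_at:
            self.allow_at[ip] = self.rng.randint(1, self.attempt_count)
        self.attempts[ip] = self.attempts.get(ip, 0) + 1
        if self.attempts[ip] < self.allow_at[ip]:
            return "reject"
        self.blacklist.add(ip)        # assumption: blacklisted at the fake success
        return "fake_ok"

    def context_for(self, ip, normal_context="from-sip"):
        """Calls from a trapped IP go to a sink context, not the real dialplan."""
        return "honeypot-sink" if ip in self.blacklist else normal_context


def replay(peer, events):
    """Feed (ip, username, password_ok) tuples through the model; return outcomes."""
    return [peer.register(ip, user, ok) for ip, user, ok in events]


if __name__ == "__main__":
    # Constructed sample: one scanner guessing at 1001, one legitimate phone.
    hp = HoneypotPeer()
    scanner, phone = "203.0.113.7", "198.51.100.20"
    events = [(scanner, "1001", False)] * 5 + [(scanner, "2000", True), (phone, "2000", True)]
    print(replay(hp, events))
    print(hp.context_for(scanner), hp.context_for(phone))
```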

