[asterisk-security] Honeypot Project

Kevin P. Fleming kpfleming at digium.com
Wed Oct 12 14:44:30 CDT 2011 

On 10/12/2011 02:10 PM, Chris Miller wrote:
> On 10/12/2011 11:40 AM, Tim Nelson wrote:
>> While ambitious, there have always been questions surrounding projects of this type. Namely:
>>
>> -What is to stop your 'harvesters' from supplying IPs of known good hosts (for whatever reason)?
>> -What process is in place to get an IP/subnet removed from your list if it does not belong there?
>> -Is this a personal project, or is there a commercial entity 'behind the scenes'?
>
> All good points. RBLs are generally administered by someone. All of
> our Asterisk boxes get hit with these scans. I'm thinking one
> iteration of this (use at your own risk) could be
>
> 1. Use fail2ban as an agent that reports unauthorized IP addresses
> to the central database which is updated in real time
> 2. Use a script via cron to download the database to your server
> 3. Configure a separate filter in fail2ban (call it honeypot) to
> watch this file and block these IP addresses
>
> Fail2ban already allows a whitelist which will prevent you from
> getting locked out of your own servers. Each user could configure a
> download interval and block time to their comfort level. The
> honeypot database should purge offending IP addresses at a
> reasonable interval beyond the last report. If a particular IP
> address continues to hammer on any of these servers, the IP address
> will remain persistent automatically. This seems like a fairly
> decent start for a fully autonomous realtime blacklist.
>
> I'm willing to do the fail2ban work, possibly even the server side
> submission component. I'll contact Jack privately...

I'm surprised nobody has mentioned the existing efforts in this area 
that are up and running. Two I am aware of are the ones run by Humbug 
Labs and J Oquendo, respectively.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org

More information about the asterisk-security mailing list