[asterisk-security] Honeypot Project

Chad ccolumbu at hotmail.com
Wed Oct 12 22:23:28 CDT 2011


Jack,
You need to think of this problem in the same way we think of spam.
Multiple approaches are needed, and different solutions are needed for different server systems.
Global blacklists are only part of the solution. I agree that they are a needed part.

#1, Yes, you can block them at the firewall once they are detected; that is a simple script and can be part of the block trigger or an AGI script in the context they are redirected to. If you are going to block them I would block them from all ports so they can't switch their attack to another type (like e-mail or ssh).
#2, There are a lot of ISPs in the world; if it were simple to get everyone coordinated there would be no spam. So expect to have to protect yourself and not to rely on ISPs to do it for you.
#3, While you are correct that it is "Fastest & Safest" to block a blacklist, it is only effective against known IPs, not new ones. Global blacklists should not be the only way to protect the box. We still need a way to identify and protect from new threats. What I propose will give systems ongoing protection and does not require an administrator to trust a 3rd party to provide a blacklist (if they don't want). They will have their own list generated and controlled by them, which they can then choose to share with your global blacklist or not. Just like grey listing or spamassassin's RBL lists.

^C


On 10/12/2011 12:54 PM, Jack Honey Pot wrote:
> 1) Bandwidth  ? Perhaps that IP should be blocked at firewall
> 2) Would also need to put some pressure on ISPs so that they will take it seriously when they are blacklisted
> 3) Simple way for network guys to manage is to download a trusted list of blacklisted IPs and block them. Fastest & Safest
>
> On Thu, Oct 13, 2011 at 3:09 AM, Chad <ccolumbu at hotmail.com> wrote:
>
>     I think we should create a honeypot type, instead of a global blacklist.
>     The idea is that you create a fake common extension to catch bad guys and let them think they did something, but then block them from doing anything really.
>
>     Here is what I propose, create a new honeypot type, and add an entry in the sip.conf like this:
>     [Honeypot]
>     type=honeypot
>     username=1001
>     port=5060
>     attempt_count=5
>
>     The honeypot type creates a random "password attempt allow" per IP that tries to login using the honeypot extension/username.
>     What this means is that it selects a random number between 1 and attempt_count for each IP that tries to access the username.
>     When the bad guy reaches the "password attempt allow" it lets them in by passing them a valid registration message.
>     Then the bad guy can dial all the numbers they want, but all it does is ring forever, or is directed to a context of your choosing.
>     It also adds the bad guy's IP to the blacklist, so if that IP tries to login with any other username it blocks it, even if they get the password correct.
>
>     This reduces the need for a global blacklist; the bad guys will build the blacklist for you, simply by behaving badly.
>
>     ^C
>     Chad
>
>
>     On 10/12/2011 11:52 AM, Jack Honey Pot wrote:
>
>
>             -What is to stop your 'harvesters' from supplying IPs of known good hosts (for whatever reason)?
>
>         Have not figured out how to find good harvesters and nice people; do provide some suggestions.
>
>             -What process is in place to get an IP/subnet removed from your list if it does not belong there?
>
>         To be honest, I have not figured it out yet. Have just been working on it for the past 5 hours but am open to ideas and policy suggestions.
>
>             -Is this a personal project, or is there a commercial entity 'behind the scenes'?
>
>         Community project; I myself am a victim of it. Do not intend to make it commercial at all. Looking to work with experienced Asterisk security developers who are active here and open to ideas and suggestions.
>
>
>             --Tim
>
>             --
>             _________________________________________________________________________
>             -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
>
>             asterisk-security mailing list
>             To UNSUBSCRIBE or update options visit:
>             http://lists.digium.com/mailman/listinfo/asterisk-security
>
>
>
>
>
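The honeypot mechanism Chad describes in the quoted message (a random per-IP "password attempt allow" between 1 and attempt_count, a fake successful registration once the attacker reaches it, and a blacklist that then rejects that IP for every username even with a correct password), together with the "block all ports at the firewall" step from the reply, as an added simulation that is not Asterisk code and not part of the original thread. The Honeypot class, the simulate_attack helper, the SIP-style response strings and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration; only the username=1001 and attempt_count=5 values come from the proposed sip.conf entry.

```python
"""Simulation of the per-IP honeypot logic proposed on the list.

Added example (not Asterisk's code): models an attacker probing the
honeypot username, the random per-IP threshold, the fake registration
and the blacklist that follows.  Sample IPs below are constructed.
"""
import random
from dataclasses import dataclass, field


@dataclass
class Honeypot:
    username: str = "1001"          # username= from the proposed sip.conf entry
    attempt_count: int = 5          # attempt_count= from the proposed entry
    rng: random.Random = field(default_factory=random.Random)
    thresholds: dict = field(default_factory=dict)  # ip -> attempt number that "succeeds"
    attempts: dict = field(default_factory=dict)    # ip -> attempts seen so far
    blacklist: set = field(default_factory=set)     # IPs that fell for the honeypot

    def threshold_for(self, ip: str) -> int:
        """Pick the random 'password attempt allow' once per IP (1..attempt_count)."""
        if ip not in self.thresholds:
            self.thresholds[ip] = self.rng.randint(1, self.attempt_count)
        return self.thresholds[ip]

    def register(self, ip: str, username: str, password_ok: bool) -> str:
        """Return the SIP-style reply the honeypot would send (constructed strings)."""
        if ip in self.blacklist:
            # Once blacklisted, every username is refused, even with the right password.
            return "403 Forbidden"
        if username != self.username:
            # Ordinary peer: normal authentication outcome.
            return "200 OK" if password_ok else "401 Unauthorized"
        n = self.attempts.get(ip, 0) + 1
        self.attempts[ip] = n
        if n >= self.threshold_for(ip):
            # Attacker "reaches" the allowed attempt: fake success, then blacklist.
            self.blacklist.add(ip)
            return "200 OK (honeypot)"
        return "401 Unauthorized"


def firewall_rule(ip: str) -> str:
    """Drop rule for all ports, so the attacker can't switch to ssh or e-mail."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def simulate_attack(hp: Honeypot, ip: str, tries: int) -> list:
    """Replay `tries` guesses against the honeypot username from one IP."""
    return [hp.register(ip, hp.username, password_ok=False) for _ in range(tries)]


if __name__ == "__main__":
    hp = Honeypot()
    attacker, legit = "203.0.113.9", "198.51.100.4"      # constructed addresses
    for reply in simulate_attack(hp, attacker, hp.attempt_count):
        print(attacker, "->", reply)
    print("attacker with correct password on 1002:", hp.register(attacker, "1002", True))
    print("legit user on 1002:", hp.register(legit, "1002", True))
    for ip in sorted(hp.blacklist):
        print(firewall_rule(ip))
```

Because the threshold never exceeds attempt_count, an attacker who keeps guessing is guaranteed to trip the honeypot within attempt_count tries, and the block list grows only from IPs that actually attacked the decoy, which is the "bad guys build the blacklist for you" property from the proposal.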