[asterisk-security] Honeypot Project

Jack Honey Pot jack at asteriskhoneypot.com
Wed Oct 12 14:54:30 CDT 2011


1) Bandwidth? Perhaps that IP should be blocked at the firewall
2) Would also need to put some pressure on ISPs so that they will take it
seriously when they are blacklisted
3) Simple way for network guys to manage is to download a trusted list of
blacklisted IPs and block them. Fastest & Safest

On Thu, Oct 13, 2011 at 3:09 AM, Chad <ccolumbu at hotmail.com> wrote:

> I think we should create a honeypot type, instead of a global blacklist.
> The idea is that you create a fake common extension to catch bad guys and
> let them think they did something, but then block them from doing anything
> really.
>
> Here is what I propose, create a new honeypot type, and add an entry in the
> sip.conf like this:
> [Honeypot]
> type=honeypot
> username=1001
> port=5060
> attempt_count=5
>
> The honeypot type creates a random "password attempt allow" per IP that
> tries to login using the honeypot extension/username.
> What this means is that it selects a random number between 1 and
> attempt_count for each IP that tries to access the username.
> When the bad guy reaches the "password attempt allow" it lets them in by
> passing them a valid registration message.
> Then the bad guy can dial all the numbers they want, but all it does is
> ring forever, or is directed to a context of your choosing.
> It also adds the bad guy's IP to the blacklist, so if that IP tries to
> login with any other username it blocks it, even if they get the password
> correct.
>
> This reduces the need for a global blacklist, the bad guys will build the
> blacklist for you, simply by behaving badly.
>
> ^C
> Chad
>
>
> On 10/12/2011 11:52 AM, Jack Honey Pot wrote:
>
>>
>>    -What is to stop your 'harvesters' from supplying IPs of known good
>> hosts (for whatever reason)?
>>
>> Have not figured out how to find good harvesters and nice people, do
>> provide some suggestions.
>>
>>    -What process is in place to get an IP/subnet removed from your list if
>> it does not belong there?
>>
>> To be honest, I have not figured it out yet. Have just been working on it
>> for the past 5 hours but open to ideas and policy suggestions.
>>
>>    -Is this a personal project, or is there a commercial entity 'behind
>> the scenes'?
>>
>> Community project; I myself am a victim of it. Do not intend to make it
>> commercial at all. Looking to work with experienced Asterisk security
>> developers who are active here and open to ideas and suggestions.
>>
>>
>>    --Tim
>>
>>    --
>>    _______________________________________________________________________
>>    -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>>
>>    asterisk-security mailing list
>>    To UNSUBSCRIBE or update options visit:
>>    http://lists.digium.com/mailman/listinfo/asterisk-security
>>
>>
>
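
Added example, not part of the original thread and not Asterisk code: a small Python model of the honeypot logic Chad proposes in the quoted message (a random per-IP "password attempt allow", a fake registration success, and a blacklist the scanner builds itself). `type=honeypot` exists only as a proposal in this thread, so the class, method and context names are hypothetical, and the addresses and credentials are constructed sample data.

```python
import random

class HoneypotModel:
    """Toy model of the proposed honeypot peer; all names are hypothetical."""

    def __init__(self, honeypot_user="1001", attempt_count=5, real_users=None, rng=None):
        self.honeypot_user = honeypot_user
        self.attempt_count = attempt_count
        self.real_users = real_users or {}   # username -> password
        self.rng = rng or random.Random()
        self.allow_at = {}                   # ip -> random "password attempt allow"
        self.attempts = {}                   # ip -> honeypot attempts so far
        self.blacklist = set()

    def register(self, ip, username, password):
        if ip in self.blacklist:
            # Assumption: a trapped IP keeps seeing fake success on the honeypot
            # user; any other username is refused even with the right password.
            return "FAKE_OK" if username == self.honeypot_user else "BLOCKED"
        if username == self.honeypot_user:
            if ip not in self.allow_at:
                # Drawn once per IP, between 1 and attempt_count.
                self.allow_at[ip] = self.rng.randint(1, self.attempt_count)
            self.attempts[ip] = self.attempts.get(ip, 0) + 1
            if self.attempts[ip] >= self.allow_at[ip]:
                self.blacklist.add(ip)       # the scanner blacklists itself
                return "FAKE_OK"
            return "REJECTED"
        ok = username in self.real_users and self.real_users[username] == password
        return "OK" if ok else "REJECTED"

    def route_call(self, ip):
        # Calls from a trapped IP land in a dead-end context, never on a trunk.
        return "honeypot-context" if ip in self.blacklist else "default"

def run_demo(seed=1):
    # Constructed sample traffic using documentation-range addresses.
    pbx = HoneypotModel(real_users={"2001": "s3cret"}, rng=random.Random(seed))
    scanner, phone = "203.0.113.7", "198.51.100.20"
    guesses = [pbx.register(scanner, "1001", f"guess{i}") for i in range(5)]
    return {
        "guesses": guesses,
        "allow_at": pbx.allow_at[scanner],
        "scanner_real_login": pbx.register(scanner, "2001", "s3cret"),
        "phone_login": pbx.register(phone, "2001", "s3cret"),
        "scanner_call": pbx.route_call(scanner),
    }

if __name__ == "__main__":
    print(run_demo())
```

Because the block is keyed on source IP alone, a legitimate phone behind the same NAT address as a trapped scanner is refused along with it, which bears on the list-removal question raised earlier in the thread.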