[asterisk-security] Honeypot Project

Kevin P. Fleming kpfleming at digium.com
Fri Oct 14 14:21:41 CDT 2011


On 10/14/2011 02:13 PM, Roger Marquis wrote:
> Victor Villarreal wrote:
>> What if I modify at source code in channels/chan_sip.c the function
>> handle_request_register() in 1.4 branch to save in DB the IPs that
>> produce a registration failed, or fire a .sh that updates the IPTables
>> rules of the machine....
>
> I'd prefer simply writing the failure message to a user-definable syslog
> facility then let the sysadmin take it from there. I doubt most
> sysadmins want yet another DB when a standard log file is more KIS and
> more than sufficient. As long as the log message format doesn't change
> this would also be easier to integrate with IDS like fail2ban and Splunk
> (though we get better mileage out of locally-authored python scripts).

In Asterisk 10 there is a 'security event' reporting framework in place, 
which has the ability to report AMI events and various chan_sip events 
(and of course could be extended to report many others). It was designed 
for just this purpose; the events can be emitted to a simple text log 
file, or a custom module could be written to send them to databases, 
monitoring systems, or anywhere else that would be useful.

-- 
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
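
An added example, not part of the original message or of Asterisk itself: a log-side consumer of the kind discussed in this thread, which reads security event lines from a text log and reports source addresses with repeated authentication failures. The line layout (comma-separated key="value" pairs), the field names `SecurityEvent` and `RemoteAddress`, and the event names are assumptions about the log format, which the thread does not show; the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed layout (not shown in the thread): comma-separated key="value" pairs,
# with RemoteAddress given as family/transport/host/port.
PAIR = re.compile(r'(\w+)="([^"]*)"')
# Assumed names of the failure events worth counting.
FAILURES = {"InvalidPassword", "InvalidAccountID",
            "ChallengeResponseFailed", "FailedACL"}

PREFIX = "[Oct 14 14:20:01] SECURITY[2101] res_security_log.c: "
# Constructed sample lines; addresses are from documentation ranges.
SAMPLE = [
    PREFIX + 'SecurityEvent="InvalidPassword",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/198.51.100.7/5060"',
    PREFIX + 'SecurityEvent="InvalidAccountID",Service="SIP",AccountID="admin",RemoteAddress="IPV4/UDP/198.51.100.7/5060"',
    PREFIX + 'SecurityEvent="InvalidPassword",Service="SIP",AccountID="101",RemoteAddress="IPV4/UDP/198.51.100.7/5061"',
    PREFIX + 'SecurityEvent="InvalidPassword",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/203.0.113.9/5060"',
    PREFIX + 'SecurityEvent="SuccessfulAuth",Service="SIP",AccountID="300",RemoteAddress="IPV4/UDP/192.0.2.10/5060"',
    "[Oct 14 14:20:02] NOTICE[2101] chan_sip.c: unrelated message",
]

def parse_event(line):
    """Return the key/value fields of one security event line, or None."""
    fields = dict(PAIR.findall(line))
    return fields if "SecurityEvent" in fields else None

def remote_ip(fields):
    """Return the host part of RemoteAddress, or None if it is malformed."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 and parts[2] else None

def offenders(lines, threshold=3):
    """Map source IP -> failure count for IPs at or above the threshold."""
    counts = Counter()
    for line in lines:
        fields = parse_event(line)
        if not fields or fields["SecurityEvent"] not in FAILURES:
            continue  # not a security event, or not a failure
        ip = remote_ip(fields)
        if ip:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE).items()):
        print(f"{ip} {n}")
```

The output is one address and count per line, which a sysadmin can feed to whatever blocking or alerting mechanism is already in place.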


