1) Bandwidth? Perhaps that IP should be blocked at the firewall<br>2) Would also need to put some pressure on ISPs so that they will take it seriously when they are blacklisted<br>3) A simple way for network guys to manage is to download a trusted list of blacklisted IPs and block them. Fastest & Safest<br>
<br><div class="gmail_quote">On Thu, Oct 13, 2011 at 3:09 AM, Chad <span dir="ltr"><<a href="mailto:ccolumbu@hotmail.com">ccolumbu@hotmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I think we should create a honeypot type, instead of a global blacklist.<br>
The idea is that you create a fake common extension to catch bad guys and let them think they did something, but then block them from doing anything really.<br>
<br>
Here is what I propose, create a new honeypot type, and add an entry in the sip.conf like this:<br>
[Honeypot]<br>
type=honeypot<br>
username=1001<br>
port=5060<br>
attempt_count=5<br>
<br>
The honeypot type creates a random "password attempt allow" per IP that tries to login using the honeypot extension/username.<br>
What this means is that it selects a random number between 1 and attempt_count for each IP that tries to access the username.<br>
When the bad guy reaches the "password attempt allow" it lets them in by passing them a valid registration message.<br>
Then the bad guy can dial all the numbers they want, but all it does is ring forever, or is directed to a context of your choosing.<br>
It also adds the bad guy's IP to the blacklist, so if that IP tries to login with any other username it blocks it, even if they get the password correct.<br>
<br>
This reduces the need for a global blacklist; the bad guys will build the blacklist for you, simply by behaving badly.<br>
<br>
^C<br>
Chad<div class="im"><br>
<br>
On 10/12/2011 11:52 AM, Jack Honey Pot wrote:<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
-What is to stop your 'harvesters' from supplying IPs of known good hosts (for whatever reason)?<br>
<br>
Have not figured out how to find good harvesters and nice people, do provide some suggestions?<br>
<br>
-What process is in place to get an IP/subnet removed from your list if it does not belong there?<br>
<br>
To be honest, I have not figured it out yet. Have just been working on it for the past 5 hours but open to ideas and policy suggestions.<br>
<br>
-Is this a personal project, or is there a commercial entity 'behind the scenes'?<br>
<br>
Community project; I myself am a victim of it. Do not intend to make it commercial at all. Looking to work with experienced Asterisk security developers who are<br>
active here and open to ideas and suggestions.<br>
<br>
<br>
--Tim<br>
<br>
--<br>
______________________________<u></u>______________________________<u></u>_________<br></div>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> <<a href="http://www.api-digital.com/" target="_blank">http://www.api-digital.com/</a>> --<div class="im">
<br>
<br>
asterisk-security mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-security" target="_blank">http://lists.digium.com/<u></u>mailman/listinfo/asterisk-<u></u>security</a><br>
</div></blockquote>
</blockquote></div><br>
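The honeypot logic Chad proposes in the quoted message above, modelled as an added Python sketch that is not from the thread and is not Asterisk code (type=honeypot is a proposal, not an existing sip.conf option). The class and function names, the result strings and the sample credentials are hypothetical, and blacklisting at the moment of the decoy acceptance is one reading of the proposal.

```python
import hmac
import random


class HoneypotRegistrar:
    """Toy model of the proposed type=honeypot peer; not Asterisk code."""

    def __init__(self, honeypot_user, attempt_count, real_users, rng=None):
        self.honeypot_user = honeypot_user
        self.attempt_count = attempt_count
        self.real_users = real_users      # username -> password (constructed)
        # Unpredictable by default so a scanner cannot guess its threshold.
        self.rng = rng or random.SystemRandom()
        self.allow_after = {}             # ip -> random "password attempt allow"
        self.attempts = {}                # ip -> honeypot attempts seen so far
        self.blacklist = set()

    def register(self, ip, username, password):
        """Return 'ok', 'rejected', 'blocked' or 'fake-ok' for one attempt."""
        if username == self.honeypot_user:
            return self._honeypot_attempt(ip)
        if ip in self.blacklist:
            # Blocked even when the password is correct, as the proposal states.
            return "blocked"
        expected = self.real_users.get(username)
        if expected is not None and hmac.compare_digest(
                expected.encode(), password.encode()):
            return "ok"
        return "rejected"

    def _honeypot_attempt(self, ip):
        if ip in self.blacklist:
            return "fake-ok"              # assumption: keep the decoy session up
        if ip not in self.allow_after:
            # Random number between 1 and attempt_count, chosen once per IP.
            self.allow_after[ip] = self.rng.randint(1, self.attempt_count)
        self.attempts[ip] = self.attempts.get(ip, 0) + 1
        if self.attempts[ip] >= self.allow_after[ip]:
            self.blacklist.add(ip)        # the offender builds the blacklist
            return "fake-ok"              # decoy "valid registration"
        return "rejected"


def simulate(ip, registrar, guesses):
    """Feed honeypot password guesses from one IP; return the result list."""
    return [registrar.register(ip, registrar.honeypot_user, g) for g in guesses]
```

A legitimate user sharing a NAT address with a blacklisted scanner is blocked too, which is the removal-process question raised earlier in the thread.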