I think we should create a honeypot type, instead of a global blacklist.
The idea is that you create a fake common extension to catch bad guys and let 
them think they did something, but then block them from doing anything really.

Here is what I propose: create a new honeypot type, and add an entry in 
sip.conf like this:
[Honeypot]
type=honeypot
username=1001
port=5060
attempt_count=5

The honeypot type creates a random "password attempt allow" per IP that tries 
to login using the honeypot extension/username.
What this means is that it selects a random number between 1 and attempt_count 
for each IP that tries to access the username.
When the bad guy reaches the "password attempt allow" it lets them in by 
passing them a valid registration message.
Then the bad guy can dial all the numbers they want, but all it does is ring 
forever, or is directed to a context of your choosing.
It also adds the bad guy's IP to the blacklist, so if that IP tries to login 
with any other username it blocks it, even if they get the password correct.

This reduces the need for a global blacklist; the bad guys will build the 
blacklist for you, simply by behaving badly.

Chad
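The per-IP logic in Chad's proposal (random "password attempt allow" between 1 and attempt_count, fake registration once it is reached, then a blacklist that refuses the IP for every username regardless of password), as an added stand-alone simulation. This is not Asterisk code and not Chad's own; the sip.conf fragment is the one from the thread, while the REAL_PEERS table, the SIP response strings and the "honeypot-context" name are constructed for the demo.

```python
import configparser
import random
from dataclasses import dataclass, field

# The sip.conf entry proposed in the thread, embedded here as a string.
HONEYPOT_CONF = """
[Honeypot]
type=honeypot
username=1001
port=5060
attempt_count=5
"""

# Constructed table of legitimate peers (hypothetical credentials, demo only).
REAL_PEERS = {"1002": "correct-horse", "1003": "battery-staple"}


@dataclass
class HoneypotConfig:
    username: str
    port: int
    attempt_count: int


def load_honeypot_config(text: str) -> HoneypotConfig:
    """Parse an ini-style sip.conf fragment and return the first type=honeypot section."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    for section in parser.sections():
        if parser.get(section, "type", fallback="") == "honeypot":
            count = parser.getint(section, "attempt_count", fallback=5)
            if count < 1:
                raise ValueError("attempt_count must be at least 1")
            return HoneypotConfig(
                username=parser.get(section, "username"),
                port=parser.getint(section, "port", fallback=5060),
                attempt_count=count,
            )
    raise ValueError("no type=honeypot section found")


@dataclass
class Honeypot:
    cfg: HoneypotConfig
    rng: random.Random = field(default_factory=random.Random)
    real_peers: dict = field(default_factory=lambda: dict(REAL_PEERS))
    allow_at: dict = field(default_factory=dict)   # ip -> random "password attempt allow"
    attempts: dict = field(default_factory=dict)   # ip -> REGISTER attempts on the honeypot user
    blacklist: set = field(default_factory=set)    # IPs that took the bait

    def handle_register(self, ip: str, username: str, password: str) -> str:
        """Decide the response to a REGISTER from `ip` for `username`/`password`."""
        # A blacklisted IP is refused for every username, even with the right password.
        if ip in self.blacklist:
            return "403 Forbidden"
        if username == self.cfg.username:
            # First contact from this IP picks its threshold: 1..attempt_count inclusive.
            threshold = self.allow_at.setdefault(
                ip, self.rng.randint(1, self.cfg.attempt_count))
            self.attempts[ip] = self.attempts.get(ip, 0) + 1
            if self.attempts[ip] >= threshold:
                # Hand back a "valid" registration and add the source to the blacklist.
                self.blacklist.add(ip)
                return "200 OK"
            return "401 Unauthorized"
        # Ordinary peer: normal credential check (plaintext compare is demo-only).
        if self.real_peers.get(username) == password:
            return "200 OK"
        return "401 Unauthorized"

    def route_call(self, ip: str, dialed: str) -> str:
        """Calls from a trapped IP land in the honeypot context, never the real dialplan."""
        if ip in self.blacklist:
            return "honeypot-context"
        return "default"


if __name__ == "__main__":
    hp = Honeypot(load_honeypot_config(HONEYPOT_CONF))
    attacker = "203.0.113.9"   # constructed documentation-range address
    for guess in ("1234", "admin", "1001", "pass", "letmein"):
        print(attacker, "REGISTER 1001 /", guess, "->", hp.handle_register(attacker, "1001", guess))
        if attacker in hp.blacklist:
            break
    print("threshold chosen for", attacker, "was", hp.allow_at[attacker])
    print("call from trapped IP routed to:", hp.route_call(attacker, "18005551212"))
    print("correct password after trap:", hp.handle_register(attacker, "1002", "correct-horse"))
```

Because the threshold is drawn per source address, a scanner that tries the same username from several addresses is caught at a different attempt count on each, which is what makes the fake "200 OK" look like a real weak password rather than a fixed trap.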

On 10/12/2011 11:52 AM, Jack Honey Pot wrote:

    -What is to stop your 'harvesters' from supplying IPs of known good hosts (for whatever reason)?

Have not figured out how to find good harvesters and nice people. Do provide 
some suggestions.

    -What process is in place to get an IP/subnet removed from your list if it does not belong there?

To be honest, I have not figured it out yet. Have just been working on it for 
the past 5 hours but open to ideas and policy suggestions.

    -Is this a personal project, or is there a commercial entity 'behind the scenes'?

Community project; I myself am a victim of it. Do not intend to make it 
commercial at all. Looking to work with experienced Asterisk security 
developers who are active here and open to ideas and suggestions.


    --Tim

    --
    _____________________________________________________________________
    -- Bandwidth and Colocation Provided by http://www.api-digital.com 
<http://www.api-digital.com/> --

    asterisk-security mailing list
    To UNSUBSCRIBE or update options visit:
    http://lists.digium.com/mailman/listinfo/asterisk-security
