On 10/12/2011 02:10 PM, Chris Miller wrote:
On 10/12/2011 11:40 AM, Tim Nelson wrote:
While ambitious, there have always been questions surrounding projects of this 
type. Namely:

-What is to stop your 'harvesters' from supplying IPs of known good hosts (for 
whatever reason)?
-What process is in place to get an IP/subnet removed from your list if it does 
not belong there?
-Is this a personal project, or is there a commercial entity 'behind the 
scenes'?

All good points. RBLs are generally administered by someone. All of
our Asterisk boxes get hit with these scans. I'm thinking one
iteration of this (use at your own risk) could be

1. Use fail2ban as an agent that reports unauthorized IP addresses
to the central database which is updated in real time
2. Use a script via cron to download the database to your server
3. Configure a separate filter in fail2ban (call it honeypot) to
watch this file and block these IP addresses

Fail2ban already allows a whitelist which will prevent you from
getting locked out of your own servers. Each user could configure a
download interval and block time to their comfort level. The
honeypot database should purge offending IP addresses at a
reasonable interval beyond the last report. If a particular IP
address continues to hammer on any of these servers, the IP address
will remain persistent automatically. This seems like a fairly
decent start for a fully autonomous realtime blacklist.

I'm willing to do the fail2ban work, possibly even the server side
submission component. I'll contact Jack privately...

I'm surprised nobody has mentioned the existing efforts in this area that are up and running. Two I am aware of are the ones run by Humbug Labs and J Oquendo, respectively.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com & www.asterisk.org
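The client side of the three-step loop described in the quoted proposal (a feed of reported IPs is downloaded by cron, then a separate fail2ban filter watches a local file and bans what it finds) can be sketched as a small POSIX shell script. This is an added example, not code from anyone on the thread or from the fail2ban project: the feed URL, file paths, log-line format, and whitelist are assumptions, and the sample feed below is constructed data (documentation-range addresses), not a real blocklist. The script validates every entry as an IPv4 address, removes duplicates, drops your own whitelisted hosts before anything reaches fail2ban, and writes timestamped lines in a shape a fail2ban failregex can match.

```shell
#!/bin/sh
# Added example (not from the thread): turn a downloaded honeypot feed into a
# log file that a fail2ban "honeypot" jail can watch. All names below are
# assumptions: FEED_URL, the log path, and the whitelist contents.

FEED_URL="https://example.invalid/honeypot-feed.txt"   # placeholder, not a real feed
BAN_LOG="/var/log/honeypot-bans.log"                    # assumed path watched by fail2ban

# Constructed sample of what a downloaded feed might look like (not real data).
SAMPLE_FEED='# honeypot feed, one IP per line
203.0.113.10
198.51.100.7   # trailing comment
not-an-ip
192.0.2.1
203.0.113.10
10.0.0.5'

# Your own hosts (assumed). Anything listed here is never written to the ban log,
# in addition to whatever ignoreip you configure in fail2ban itself.
WHITELIST='10.0.0.5
192.0.2.1'

# validate_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
validate_ipv4() {
  # Reject non-digit/non-dot characters, leading/trailing dots and empty fields.
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split the address into its fields
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# filter_feed WHITELIST: read the raw feed on stdin; print one clean, unique,
# non-whitelisted IPv4 address per line. Comments, blanks and junk are dropped.
filter_feed() {
  whitelist=$1
  while IFS= read -r line; do
    line=${line%%#*}                                  # strip comments
    line=$(printf '%s' "$line" | tr -d ' \t\r')       # strip whitespace / CR
    [ -n "$line" ] || continue
    validate_ipv4 "$line" || continue
    # -F: fixed-string match, so dots in the address are not regex wildcards.
    printf '%s\n' "$whitelist" | grep -qxF -- "$line" && continue
    printf '%s\n' "$line"
  done | awk '!seen[$0]++'                            # de-duplicate, keep order
}

# write_banlog TIMESTAMP: prefix each clean IP with a timestamp so the fail2ban
# filter (assumed)   failregex = ^.* honeypot ban <HOST>$   can parse it.
write_banlog() {
  while IFS= read -r ip; do
    printf '%s honeypot ban %s\n' "$1" "$ip"
  done
}

# Production use from cron would be (network call left commented out here):
#   curl -fsS "$FEED_URL" | filter_feed "$WHITELIST" \
#     | write_banlog "$(date '+%Y-%m-%d %H:%M:%S')" >> "$BAN_LOG"

# Offline demonstration on the constructed sample feed:
printf '%s\n' "$SAMPLE_FEED" | filter_feed "$WHITELIST" | write_banlog "2011-10-12 14:10:00"
```

Whitelisting locally, before the file is handed to fail2ban, is the part that addresses the lock-out concern raised earlier in the thread: a feed entry naming one of your own hosts never becomes a ban line at all, independent of the jail's ignoreip setting. Purging stale entries, as the proposal suggests, can then be done by the feed server, and the local jail's bantime bounds how long a block survives after an address stops appearing.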

asterisk-security mailing list