[VoiceOps] SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot

Fred Posner fred at palner.com
Mon Jan 3 10:14:13 EST 2022


Hi All,

Re APIBAN...

APIBAN has two main ways that it's used... with a simple block of IP
addresses through firewall or iptables being the most used aspect.

Briefly, through honeypots (global) IP addresses sending SIP or non-SIP
(like DNS, fuzz, or malformed SIP) are identified. We capture the
commonly used SIP listener ports with UDP, TCP, and TLS.

Most users utilize the apiban client to automatically block these IPs in
iptables. There are also methods to check individual IPs by API as well
as grabbing all active IPs, etc.

We looked into a community submission, but decided against it as it was
too easily poisoned. The main goal here is quality of the data and
making sure that we're not distributing any valid IP as something that
should be blocked.

I like the idea of community submission, but the poisoning was
determined to be too big of a risk for us.

I also like the idea of sharing some data of numbers being called,
etc... but like that for analysis and approaching hardening in a
non-realtime scenario.

With best regards,

Fred Posner | palner.com
Matrix: @fred:matrix.lod.com
o: +1 (212) 937-7844

On 1/3/22 4:34 AM, Gavin Henry wrote:
> On Mon, 3 Jan 2022, 03:22 Jim O'Brien, <jimdoesvoip at gmail.com> wrote:
> 
>     Hi Gavin,
>       Thanks for sharing.  In many ways your project reminds me of Fred
>     Posner’s APIBAN.  I like your approach here with SentryPeer allowing
>     an operator to run their own systems and choose to share with and
>     receive IPs from others!  These pieces are fantastic!  Once the crush
>     of coming back from holidays is over I cannot wait to give this a try.
> 
>     Best,
> 
>     Jim
> 
> 
> Thanks Jim. APIBAN, for now, doesn't publish B numbers. I just added
> responsive mode (replying to probes so they then try proper INVITEs),
> but haven't committed it yet and the numbers API so you can check
> customer calling attempts. 
> 
> I'm also adding a SIP agent mode too for SIP redirects. The plan is you
> just run in agent mode with replication on (replication coming soon) as
> a mini SIP proxy etc.
> 
> https://www.linkedin.com/posts/surevoip_sip-sip-fraudprevention-activity-6882708550662070272-9HDL
> 
> I've also done an RPM and Dockerfile / Dockerhub container and my first
> ever proper debian package! That was a long time dream of mine as I
> thought debs were so hard compared to an RPM spec. 
> 
> https://github.com/SentryPeer/SentryPeer/releases/tag/v0.0.4
> 
> Just got Debian salsa git repo access this morning too so I can start to
> get it into Debian proper, hopefully. 
> 
> Gavin. 
> 
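
Added example (not part of the original message, and not the apiban client's
own code): one way a consumer of a honeypot-derived IP list can avoid blocking
a valid address before loading the list into an ipset matched from iptables.
The one-IP-per-line feed format, the allowlisted network and the set name
sip_blocklist are assumptions; the sample feed is constructed from
documentation addresses.

```python
import ipaddress

# Constructed sample feed (documentation addresses); not real blocklist data.
SAMPLE_FEED = ("203.0.113.7\n198.51.100.23\n198.51.100.23\n10.0.0.5\n"
               "192.0.2.10\nnot-an-ip\n203.0.113.999\n")

# Assumption: networks you must never block (your own trunks and carriers).
ALLOWLIST = ["192.0.2.0/24"]
# Ranges that should never appear in a public blocklist.
NON_ROUTABLE = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]


def vet_feed(feed_text, allowlist=ALLOWLIST):
    """Return (accepted, rejected): sorted unique IPv4 strings, {entry: reason}."""
    allow = [ipaddress.ip_network(n) for n in allowlist]
    bogons = [ipaddress.ip_network(n) for n in NON_ROUTABLE]
    accepted, rejected = set(), {}
    for line in (raw.strip() for raw in feed_text.splitlines()):
        if not line:
            continue
        try:
            ip = ipaddress.IPv4Address(line)  # IPv4 only in this sketch
        except ValueError:
            rejected[line] = "invalid"
            continue
        if any(ip in net for net in allow):
            rejected[line] = "allowlisted"    # a poisoned or mistaken entry
        elif any(ip in net for net in bogons):
            rejected[line] = "non-routable"
        else:
            accepted.add(ip)
    return [str(ip) for ip in sorted(accepted)], rejected


def ipset_restore(ips, set_name="sip_blocklist"):
    """Build input for `ipset -exist restore`; set_name is a hypothetical name."""
    lines = [f"create {set_name} hash:ip family inet"]
    lines += [f"add {set_name} {ip}" for ip in ips]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ok, bad = vet_feed(SAMPLE_FEED)
    print(ipset_restore(ok), end="")
    for entry, reason in bad.items():
        print(f"# skipped {entry}: {reason}")
```

Logging the skipped entries matters as much as the filter: an allowlisted
address showing up in a feed is a signal that the feed's data quality needs
checking.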

