[VoiceOps] SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot

Mike Hammett voiceops at ics-il.net
Mon Jan 3 10:39:27 EST 2022


*nods* being UDP, it could be easy to spoof someone else to get them blocked. When I automated honeypot -> ACL, I shut myself out of Google's authoritative DNS servers, assuming because of spoofing. There could have been more that I didn't even realize.


Gotta protect against that kind of stuff. 

----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest Internet Exchange 
http://www.midwest-ix.com 

----- Original Message -----

From: "Fred Posner" <fred at palner.com> 
To: voiceops at voiceops.org 
Sent: Monday, January 3, 2022 9:14:13 AM 
Subject: Re: [VoiceOps] SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot 

Hi All, 

Re APIBAN... 

APIBAN has two main ways that it's used... with a simple block of IP 
addresses through firewall or iptables being the most used aspect. 

Briefly, through honeypots (global) IP addresses sending SIP or non-SIP 
(like DNS, fuzz, or malformed SIP) are identified. We capture the 
commonly used SIP listener ports with UDP, TCP, and TLS. 

Most users utilize the apiban client to automatically block these IPs in 
iptables. There are also methods to check individual IPs by API as well 
as grabbing all active IPs, etc. 

We looked into a community submission, but decided against it as it was 
too easily poisoned. The main goal here is quality of the data and 
making sure that we're not distributing any valid IP as something that 
should be blocked. 

I like the idea of community submission, but the poisoning was 
determined to be too big of a risk for us. 

I also like the idea of sharing some data of numbers being called, 
etc... but like that for analysis and approaching hardening in a 
non-realtime scenario. 

With best regards, 

Fred Posner | palner.com 
Matrix: @fred:matrix.lod.com 
o: +1 (212) 937-7844 

On 1/3/22 4:34 AM, Gavin Henry wrote: 
> On Mon, 3 Jan 2022, 03:22 Jim O'Brien, <jimdoesvoip at gmail.com> wrote: 
> 
> Hi Gavin, 
> Thanks for sharing. In many ways your project reminds me of Fred 
> Posner’s APIBAN. I like your approach here with SentryPeer allowing 
> an operator to run their own systems and choose to share with and 
> receive IPs from others! These pieces are fantastic! Once the crush 
> of coming back from holidays is over I cannot wait to give this a try. 
> 
> Best, 
> 
> Jim 
> 
> 
> Thanks Jim. APIBAN, for now, doesn't publish B numbers. I just added 
> responsive mode (replying to probes so they then try proper INVITEs), 
> but haven't committed it yet and the numbers API so you can check 
> customer calling attempts. 
> 
> I'm also adding a SIP agent mode too for SIP redirects. The plan is you 
> just run in agent mode with replication on (replication coming soon) as 
> a mini SIP proxy etc. 
> 
> https://www.linkedin.com/posts/surevoip_sip-sip-fraudprevention-activity-6882708550662070272-9HDL 
> 
> I've also done an RPM and Dockerfile / Dockerhub container and my first 
> ever proper debian package! That was a long time dream of mine as I 
> thought debs were so hard compared to an RPM spec. 
> 
> https://github.com/SentryPeer/SentryPeer/releases/tag/v0.0.4 
> 
> Just got Debian salsa git repo access this morning too so I can start to 
> get it into Debian proper, hopefully. 
> 
> Gavin. 
> 
> _______________________________________________ 
> VoiceOps mailing list 
> VoiceOps at voiceops.org 
> https://puck.nether.net/mailman/listinfo/voiceops 
> 
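An added example, not from this thread nor from SentryPeer or APIBAN, of the protection Mike describes, with the kind of evidence Gavin's responsive mode produces: an allowlist of infrastructure that must never be auto-blocked, and a rule that an unanswered UDP packet is not enough on its own to generate an ACL entry. The addresses, the allowlist and the event log are constructed, and the `completed` flag is an assumption standing in for a honeypot that records whether the source kept talking after its reply.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class HoneypotEvent:
    src_ip: str
    transport: str   # "udp", "tcp" or "tls"
    completed: bool  # True if the source answered our reply (full SIP transaction)

# Hypothetical allowlist of infrastructure we depend on (resolvers, upstream
# trunks); 192.0.2.0/24 is a constructed stand-in for those addresses.
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

def is_protected(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)

def is_unconfirmed(ev: HoneypotEvent) -> bool:
    # A lone UDP datagram carries a source address anyone can forge. TCP/TLS
    # need a handshake, and a UDP peer that answered our reply is reachable
    # at that address, so only an unanswered UDP packet is treated as suspect.
    return ev.transport == "udp" and not ev.completed

def decide_blocks(events, threshold=3):
    """Return (blocked, skipped): blocked maps IP -> confirmed-event count,
    skipped maps IP -> why the automation wrote no ACL entry for it."""
    confirmed, skipped = Counter(), {}
    for ev in events:
        if is_protected(ev.src_ip):
            skipped[ev.src_ip] = "allowlisted infrastructure"
        elif is_unconfirmed(ev):
            skipped.setdefault(ev.src_ip, "unconfirmed UDP source, possibly spoofed")
        else:
            confirmed[ev.src_ip] += 1
    blocked = {ip: n for ip, n in confirmed.items() if n >= threshold}
    for ip in confirmed:
        if ip in blocked:
            skipped.pop(ip, None)
        else:
            skipped.setdefault(ip, "below threshold")
    return blocked, skipped

SAMPLE_EVENTS = (  # constructed honeypot log
    [HoneypotEvent("198.51.100.7", "udp", True)] * 3     # kept answering our replies
    + [HoneypotEvent("203.0.113.9", "udp", False)] * 3   # lone probes, source unverified
    + [HoneypotEvent("192.0.2.53", "udp", False),        # our resolver, as a spoofed source
       HoneypotEvent("198.51.100.20", "tcp", True)]      # one real TCP connect, below threshold
)
```

Running `decide_blocks(SAMPLE_EVENTS)` blocks only the source that completed three transactions; the spoofable probes, the allowlisted resolver and the single TCP connect are all reported with the reason they were left alone.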
