SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot
Hi all,

I hope you don't mind the post, but thought this might be of use and in the spirit of release early, release often I've done an alpha release:

https://github.com/SentryPeer/SentryPeer

There's a presentation too if you'd like to watch/read where I hope to go with this:

https://blog.tadsummit.com/2021/11/17/sentrypeer/

Working on the API and web UI next, then the p2p part of it. Feel free to submit any feature requests or have a play :-)

Thanks for reading and any feedback is welcome!

-- Kind Regards, Gavin Henry.
Anecdotally, anyone that's had reason to manually go through logs for port 5060 SIP for any public facing ipv4 /32 will see the vast amounts of random "things" out there on the internet trying common extension password combos to register.

It's been a large amount of background noise on the internet for a very long time now.

On Wed, Nov 24, 2021 at 5:20 PM Gavin Henry <ghenry@suretec.co.uk> wrote:
On Thu, 25 Nov 2021 at 00:53, Eric Kuhnke <eric.kuhnke@gmail.com> wrote:
Anecdotally, anyone that's had reason to manually go through logs for port 5060 SIP for any public facing ipv4 /32 will see the vast amounts of random "things" out there on the internet trying common extension password combos to register.
It's been a large amount of background noise on the internet for a very long time now.
Hi Eric,

Have you done anything with this data before?

Thanks.
Hi Gavin,

I thought to do something similar ;)

As I can see in the code, you count somebody as a bad actor just because one UDP packet is received. It is a bad idea, because it is easy to spoof that packet and make a DoS against some good actor.

Right way: you have to simulate a SIP dialog with this actor, i.e. reply to them with something and wait for the reaction. If the reaction is like that of normal SIP call processing - congratulations, you found a hacker! If not, like you sent them a packet they do not expect - it is a DoS and a spoofed packet.

On 24.11.21 23:19, Gavin Henry wrote:
On Fri, 26 Nov 2021, 18:59 Max Tulyev, <maxtul@netassist.ua> wrote:
Hi Gavin,
Hi Max,
I thought to do something similar ;)
What stopped you creating something? Or did you? Interested :)
As I can see in the code, you count somebody as a bad actor just because one UDP packet is received. It is a bad idea, because it is easy to spoof that packet and make a DoS against some good actor.
The next stage is to tag these probes as passive, then reply in SIP, like you say, and allow registrations, calls etc., then mark them as aggressive. I'm not actually replying to the packets, so no reflection attacks.
Right way: you have to simulate a SIP dialog with this actor, i.e. reply to them with something and wait for the reaction. If the reaction is like that of normal SIP call processing - congratulations, you found a hacker! If not, like you sent them a packet they do not expect - it is a DoS and a spoofed packet.
Agreed! Thank you for reading and your reply.
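Max's objection (one spoofable UDP packet is not evidence of anything) and Gavin's plan to stage sources as passive first and aggressive only after a real SIP exchange can be shown in a few dozen lines. The Python below is an added example written for this thread, not SentryPeer's own code: a toy per-source state machine that answers every REGISTER with a 401 challenge and promotes a source to "aggressive" only when a later packet from the same address echoes the nonce we issued, which a host whose address was forged onto a packet can never do, because the 401 went to the victim, not to the sender. The `Honeypot` class, the `REGISTER` template and the three RFC 5737 documentation addresses are all constructed for the example; the honeypot never verifies the digest response itself, since it holds no real credentials and the nonce echo is the only proof it needs.

```python
"""Toy SIP honeypot classifier (constructed example, not SentryPeer code).

One inbound packet => the source is tagged 'passive' (its address may be spoofed).
A later packet that echoes the nonce from our 401 challenge => 'aggressive',
because only a host that actually received our reply can know that nonce.
"""
import secrets
from dataclasses import dataclass


@dataclass
class SourceState:
    """What the honeypot knows about one source address."""
    nonce: str            # the challenge nonce we issued to this address
    packets: int = 0
    tag: str = "passive"  # stays 'passive' until the source proves it receives our replies


def parse_sip(raw: str) -> tuple[str, dict[str, str]]:
    """Split a SIP message into its start line and a dict of headers (names lower-cased)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def digest_params(value: str) -> dict[str, str]:
    """Parse 'Digest k="v", k2=v2' into a dict (simplified: no commas inside quoted values)."""
    params: dict[str, str] = {}
    if not value.lower().startswith("digest "):
        return params
    for part in value[len("digest "):].split(","):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            params[k.strip()] = v.strip().strip('"')
    return params


class Honeypot:
    """Per-source state machine: one packet => passive; valid nonce echo => aggressive."""

    def __init__(self) -> None:
        self.sources: dict[str, SourceState] = {}

    def handle(self, src_ip: str, raw: str) -> str:
        """Record one inbound packet from src_ip and return the reply we would send to it."""
        _, headers = parse_sip(raw)
        state = self.sources.get(src_ip)
        if state is None:
            state = SourceState(nonce=secrets.token_hex(16))
            self.sources[src_ip] = state
        state.packets += 1
        auth = headers.get("authorization") or headers.get("proxy-authorization")
        if auth and digest_params(auth).get("nonce") == state.nonce:
            # Only a host that really received our 401 at this address can echo this nonce,
            # so the address is not spoofed. The digest itself is never checked: the honeypot
            # has no real credentials, and the echoed nonce is all the proof we need.
            state.tag = "aggressive"
            return "SIP/2.0 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
        # First contact, or an Authorization header carrying a nonce we never issued to this
        # address (replayed or forged): challenge it, but do not list the source yet.
        return ("SIP/2.0 401 Unauthorized\r\n"
                f'WWW-Authenticate: Digest realm="honeypot", nonce="{state.nonce}"\r\n'
                "Content-Length: 0\r\n\r\n")

    def tag_of(self, src_ip: str) -> str:
        return self.sources[src_ip].tag if src_ip in self.sources else "unknown"


# Constructed REGISTER template; {auth} is either empty or one Authorization header line.
REGISTER = ("REGISTER sip:honeypot.example SIP/2.0\r\n"
            "Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK1\r\n"
            "From: <sip:1001@honeypot.example>;tag=abc\r\n"
            "To: <sip:1001@honeypot.example>\r\n"
            "Call-ID: 1@{ip}\r\n"
            "CSeq: 1 REGISTER\r\n"
            "{auth}"
            "Content-Length: 0\r\n\r\n")


def run_scenarios() -> dict[str, str]:
    """Three constructed sources (documentation addresses); returns each one's final tag."""
    hp = Honeypot()
    # 1. One lone REGISTER. The source could be spoofed, so it stays passive.
    hp.handle("198.51.100.7", REGISTER.format(ip="198.51.100.7", auth=""))
    # 2. A source that completes the exchange: it receives our 401 and echoes its nonce.
    challenge = hp.handle("203.0.113.9", REGISTER.format(ip="203.0.113.9", auth=""))
    _, reply_headers = parse_sip(challenge)
    nonce = digest_params(reply_headers["www-authenticate"])["nonce"]
    echo = (f'Authorization: Digest username="1001", realm="honeypot", nonce="{nonce}", '
            'uri="sip:honeypot.example", response="0123456789abcdef"\r\n')
    hp.handle("203.0.113.9", REGISTER.format(ip="203.0.113.9", auth=echo))
    # 3. A forged packet that already carries an Authorization header with a nonce we never
    #    issued to that address. Without the echo it is just another passive probe.
    forged = 'Authorization: Digest username="1001", realm="honeypot", nonce="00", response="00"\r\n'
    hp.handle("192.0.2.44", REGISTER.format(ip="192.0.2.44", auth=forged))
    return {ip: hp.tag_of(ip) for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.44")}


if __name__ == "__main__":
    for ip, tag in run_scenarios().items():
        print(f"{ip:>14}  {tag}")
```

The passive tier is what a single-packet listener can honestly claim: "this address appeared in a probe", nothing more, and it should not be fed into anyone's block list on its own. Once the honeypot does reply, as in this example, it is itself a potential reflector, so the 401 should stay body-less (roughly the size of the request it answers) and be rate-limited per source address.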
Hi all,

Come a long way since Nov:

https://github.com/SentryPeer/SentryPeer/releases/tag/v1.4.0

Peer to peer bad_actor replication is now released. Deutsche Telekom "T-Pot - The All In One Honeypot Platform" included SentryPeer (https://github.com/telekom-security/tpotce/tree/22.x) and Kali Linux is coming - https://bugs.kali.org/view.php?id=7523#c15939

Would love to have some testers onboard!

Thanks, Gavin.
Hi,

I've just released https://sentrypeer.com

About SentryPeerHQ -> https://sentrypeer.com/about

Fully Open Source -> https://github.com/SentryPeer/SentryPeerHQ

Always free -> https://sentrypeer.com/pricing (for those that contribute data by running an official SentryPeer node or their own honeypot)

Thanks, Gavin.

On Tue, 29 Mar 2022 at 20:39, Gavin Henry <ghenry@suretec.co.uk> wrote:
-- Kind Regards, Gavin Henry.