OpenBSD as VOIP-RBL/BL


Below is a small Python script (written for Python 2 and Twisted) that allows you to host a VOIP RBL on your own system.

#!/usr/bin/python
# Created by: anexit @ 9/17/2019:1047

import binascii
import sys
import time
import struct
import socket
import random
import thread
import unicodedata
import logging
from logging.handlers import TimedRotatingFileHandler

from twisted.internet.protocol import Protocol, Factory, DatagramProtocol
from twisted.internet import reactor

# Settings to edit before running the listener.

# Local IPv4 address the UDP listener binds to. Replace this example value
# with the address of the interface that should receive the SIP probes.
interface = "1.1.1.1"
# Name id for this instance (not referenced by the code shown on this page).
myid = "sip"

# Source address of the most recent datagram; updated by uFakeSIP.
lastSIPPER = ""

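def logprint(x):
    """Write *x* to the rotating log, prefixed with a local timestamp.

    The prefix has the form ``YYYY-MM-DD HH:MM:SS.ffff: `` (four fractional
    digits), which is the layout any parser of the log file has to match.

    x: message text; it is concatenated to the prefix, so it must be a string.
    """
    now = time.time()
    whole = int(now)
    # Date, seconds and fraction all come from the same clock reading, so the
    # fraction can never be paired with a second taken from a later read.
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(whole))
    # Truncate instead of rounding: a fraction such as 0.99996 would otherwise
    # round up to 1.0000 and be printed as ".0000" next to the old second.
    fraction = int((now - whole) * 10000)
    prefix = "%s.%04d: " % (stamp, fraction)
    logger.info(prefix + x)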

def logprint2(x):
    """Pass *x* straight to the rotating log, with no timestamp prefix.

    A ``TypeError`` raised by the logging call is swallowed, so a message
    that cannot be logged is dropped silently instead of stopping the caller.
    """
    try:
        logger.info(x)
    except TypeError:
        # Best effort: the message is discarded.
        return None

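class uFakeSIP(DatagramProtocol):
    """UDP listener that logs the source of every datagram it receives.

    Nothing is parsed and nothing is sent back; the only output is one log
    line per datagram.
    """

    def datagramReceived(self, data, addr):
        """Log the sender of one datagram and remember its address.

        data: raw datagram payload; sender-controlled and not used here.
        addr: ``(host, port)`` source address as passed in by Twisted.
        """
        global lastSIPPER
        # Unpack in the body: a tuple parameter in the signature is a
        # SyntaxError on Python 3 (PEP 3113); this form runs on Python 2 too.
        host, port = addr
        # No handshake verifies a UDP source address, so this records the
        # address the packet claimed, which the sender may have forged.
        logprint('The attacking host at %s (%d/UDP) is trying to initiate a SIP connection...' % (host, port))
        lastSIPPER = host
        # NOTE: one line is written per datagram, so a single noisy source can
        # grow the log quickly; lastSIPPER is stored but not used to skip repeats.
        # To log the payload too, log its repr (%r) rather than the raw text:
        # the payload is sender-controlled and can carry newlines and IP-like
        # strings that would otherwise look like genuine log entries.
        #logprint('SIP Data from: %s (%d/UDP): %r' % (host, port, data))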

# Seeds the random module; nothing on this page draws random numbers afterwards.
random.seed()

# Log sink: anexitsip.log in the working directory, rolled over at midnight.
# No backupCount is passed, so rotated files are kept until removed by hand.
logger = logging.getLogger('Rotating Log')
logger.setLevel(logging.INFO)
handler = TimedRotatingFileHandler(
    'anexitsip.log',
    when='midnight',
    interval=1,
)
logger.addHandler(handler)

logprint('Starting up...')
# 5060/UDP is the standard SIP port. It is above 1023, so binding it does not
# need root; the listener can run under an unprivileged account.
reactor.listenUDP(5060, uFakeSIP(), interface=interface)
# Blocks here until the reactor is stopped.
reactor.run()
logprint('Shutting down...')

It will create a log file called anexitsip.log, which will show you something like the following:

2019-09-17 13:27:47.1120: The attacking host at 80.211.251.174 (5075/UDP) is trying to initiate a SIP connection...
2019-09-17 13:34:20.1345: The attacking host at 77.247.110.99 (5088/UDP) is trying to initiate a SIP connection...
2019-09-17 13:43:12.0315: The attacking host at 77.247.108.218 (5076/UDP) is trying to initiate a SIP connection...
2019-09-17 13:52:26.3259: The attacking host at 183.2.202.41 (5071/UDP) is trying to initiate a SIP connection...
2019-09-17 14:05:31.0667: The attacking host at 77.247.108.204 (5356/UDP) is trying to initiate a SIP connection...
2019-09-17 14:34:48.1639: The attacking host at 77.247.110.214 (5062/UDP) is trying to initiate a SIP connection...

Since I use OpenBSD, all I needed was the Twisted Python package (pkg_add py-twisted). From there you can parse the file and load it into PF.

Something like

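 # Take the address only from the script's own "<timestamp>: The attacking host at A.B.C.D (PORT/UDP) ..." lines.
 # An unanchored IP pattern would also pick up any IP-looking text elsewhere in the log (for example logged SIP payloads).
 sed -n -E 's/^[0-9-]+ [0-9:.]+: The attacking host at (([0-9]{1,3}\.){3}[0-9]{1,3}) \([0-9]+\/UDP\) .*/\1/p' anexitsip.log | sort -u >> someipfile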

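should do the trick! If you want, you can also let fail2ban digest the log with a simple regex, which might be more feasible as it also supports an ignore list. An ignore list is worth having: UDP source addresses are not verified, so an address can show up in this log without that host ever having sent a packet, and addresses you depend on (your SIP provider, your own networks) should never end up blocked automatically.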

TCP SIP TRAP SIMPLE

from twisted.internet import reactor, protocol
from twisted.python import log
from twisted.python.logfile import DailyLogFile

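class Echo(protocol.Protocol):
    """Trap connection handler: log what the peer sends, then echo it back."""

    # Upper bound on payload bytes copied into one log entry, so a peer that
    # streams data cannot inflate the log file with a single connection chunk.
    MAX_LOGGED_BYTES = 512

    def dataReceived(self, data):
        """Log one chunk of peer data with the peer address, then echo it.

        data: bytes received from the remote peer; entirely peer-controlled.
        """
        # Record who sent the data; without the address the log entry cannot
        # be tied to a host or fed into a block list.
        peer = self.transport.getPeer()
        # repr() escapes CR/LF and other control bytes, so the peer cannot
        # break out of its own entry and forge additional log lines.
        log.msg("Received data from hacker {}:{}: {!r}".format(
            peer.host, peer.port, data[:self.MAX_LOGGED_BYTES]))
        # The full chunk is still echoed unchanged; only the logged copy is capped.
        self.transport.write(data)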

class EchoFactory(protocol.Factory):
    """Factory that gives every incoming connection its own Echo handler."""

    def buildProtocol(self, addr):
        """Return a new Echo instance; *addr* (the peer address) is not used."""
        trap = Echo()
        return trap

if __name__ == "__main__":
    # Daily-rotated log file tcp_server.log in the current directory.
    daily_log = DailyLogFile("tcp_server.log", ".")
    log.startLogging(daily_log)

    # Port 22 is a privileged port (below 1024), so binding it needs root or
    # an equivalent privilege, and no interface is given, so the trap listens
    # on every local address. A real sshd cannot share the port.
    # NOTE(review): the section title says SIP, but 22 is the SSH port; SIP
    # over TCP normally uses 5060. Confirm which service this trap is meant
    # to imitate.
    trap_factory = EchoFactory()
    reactor.listenTCP(22, trap_factory)
    log.msg("Server started on port 22")
    # Blocks here until the reactor is stopped.
    reactor.run()