Difference between revisions of "OpenBSD as SIP trap"
Latest revision as of 13:40, 17 September 2019
Below is a small Python script that lets you host a VoIP RBL on your own system: it listens on the SIP port, never answers, and logs the source of every datagram it receives.
<pre>
#!/usr/bin/env python3
# Created by: anexit @ 9/17/2019:1047
# Reformatted from the page's one-line rendering. The Python 2 only parts
# (tuple parameter unpacking, "import thread") and the unused imports were
# updated so the script runs under Python 3 with Twisted.
import time
import random
import logging
from logging.handlers import TimedRotatingFileHandler
from twisted.internet.protocol import DatagramProtocol
from twisted.internet import reactor

# You need to specify your interface and name id.
interface = '1.1.1.1'
myid = 'sip'

lastSIPPER = ''


def logprint(x):
    # Timestamp with four fractional digits, e.g. "2019-09-17 13:27:47.1120: "
    now = time.time()
    t = time.strftime("%Y-%m-%d %H:%M:%S") + ("%1.4f" % (now - int(now)))[1:] + ": "
    logger.info(t + x)


def logprint2(x):
    try:
        logger.info(x)
    except TypeError:
        pass


class uFakeSIP(DatagramProtocol):
    # Every UDP datagram on the SIP port is logged with its source address and
    # port; nothing is ever sent back, so the trap never acts as a SIP server.
    def datagramReceived(self, data, addr):
        global lastSIPPER
        host, port = addr
        logprint('The attacking host at %s (%d/UDP) is trying to initiate a SIP connection...' % (host, port))
        if lastSIPPER != host:
            lastSIPPER = host
        # If you want to log SIP Data
        # logprint('SIP Data from: %s (%d/UDP):\n%s' % (host, port, data.decode('utf-8', 'replace')))


random.seed()
logger = logging.getLogger('Rotating Log')
logger.setLevel(logging.INFO)
# Write to anexitsip.log and rotate it at midnight
handler = TimedRotatingFileHandler('anexitsip.log', when='midnight', interval=1)
logger.addHandler(handler)

logprint('Starting up...')
reactor.listenUDP(5060, uFakeSIP(), interface=interface)
reactor.run()
logprint('Shutting down...')
</pre>
It will create a log file called anexitsip.log which will show you something like the following:
<pre>
2019-09-17 13:27:47.1120: The attacking host at 80.211.251.174 (5075/UDP) is trying to initiate a SIP connection...
2019-09-17 13:34:20.1345: The attacking host at 77.247.110.99 (5088/UDP) is trying to initiate a SIP connection...
2019-09-17 13:43:12.0315: The attacking host at 77.247.108.218 (5076/UDP) is trying to initiate a SIP connection...
2019-09-17 13:52:26.3259: The attacking host at 183.2.202.41 (5071/UDP) is trying to initiate a SIP connection...
2019-09-17 14:05:31.0667: The attacking host at 77.247.108.204 (5356/UDP) is trying to initiate a SIP connection...
2019-09-17 14:34:48.1639: The attacking host at 77.247.110.214 (5062/UDP) is trying to initiate a SIP connection...
</pre>
Since I use OpenBSD, all I needed was the Twisted Python package (pkg_add py-twisted). From there you can parse the file and load it into PF.
Something like
<pre>
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" anexitsip.log | sort -u >> someipfile
</pre>
should do the trick! If you want, you can also let fail2ban digest the log with a simple regex, which may be the more practical route since fail2ban also supports an ignore list.
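The grep-and-load step above, carried through to a PF table, as an added example that is not part of the original page or the author's script. It keeps the page's log file name and line format, restricts the address extraction to the "attacking host at" lines (so addresses inside any logged SIP payload are not swept up), adds an allowlist so the plain pipeline gets the same ignore-list behaviour the fail2ban route would give, and feeds the result to pfctl. The table name sipattackers and the files /etc/sipattackers and /etc/sipallow are assumed names chosen for the example; the sample log lines are constructed with RFC 5737 test addresses, and where pfctl is absent the script only prints the command it would run.

```shell
#!/bin/sh
# Added example, not from the original page: turn the SIP trap log into a PF
# table. Assumed names (not from the page): PF table "sipattackers",
# address file /etc/sipattackers, allowlist /etc/sipallow.
# The log file name anexitsip.log and the log line format come from the page.

LOG=${LOG:-anexitsip.log}
TABLE=${TABLE:-sipattackers}
ALLOW=${ALLOW:-/etc/sipallow}

# Constructed sample log so the example runs offline. The "SIP Data" lines
# mimic what the script's commented-out payload logging would produce.
write_sample_log() {
    cat > "$1" <<'EOF'
2019-09-17 13:27:47.1120: Starting up...
2019-09-17 13:34:20.1345: The attacking host at 203.0.113.10 (5075/UDP) is trying to initiate a SIP connection...
2019-09-17 13:34:20.1350: SIP Data from: 203.0.113.10 (5075/UDP):
Via: SIP/2.0/UDP 192.0.2.5:5060;branch=z9hG4bK-constructed
2019-09-17 13:43:12.0315: The attacking host at 198.51.100.7 (5088/UDP) is trying to initiate a SIP connection...
2019-09-17 13:52:26.3259: The attacking host at 203.0.113.10 (5076/UDP) is trying to initiate a SIP connection...
EOF
}

# Print the unique attacker addresses found in the log, one per line.
# Only the "attacking host at" lines are searched: a bare grep over the whole
# file would also match addresses in logged SIP headers (192.0.2.5 above),
# which belong to the payload, not to the peer that sent it.
# Optional second argument: allowlist file with one address per line to skip.
extract_ips() {
    log=$1
    allow=$2
    grep 'The attacking host at ' "$log" \
        | grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' \
        | sort -u \
        | if [ -n "$allow" ] && [ -s "$allow" ]; then
              grep -v -x -F -f "$allow"
          else
              cat
          fi
}

# Replace the PF table contents with exactly the addresses in the file.
# The matching pf.conf side (assumed names) would be:
#   table <sipattackers> persist file "/etc/sipattackers"
#   block in quick from <sipattackers>
load_into_pf() {
    table=$1
    file=$2
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$table" -T replace -f "$file"
    else
        echo "pfctl not found; would run: pfctl -t $table -T replace -f $file" >&2
    fi
}

main() {
    log=$LOG
    if [ ! -f "$log" ]; then
        # No real trap log here: fall back to the constructed sample
        log=$(mktemp)
        write_sample_log "$log"
    fi
    out=$(mktemp)
    extract_ips "$log" "$ALLOW" > "$out"
    echo "addresses to block:" >&2
    cat "$out" >&2
    load_into_pf "$TABLE" "$out"
}

main "$@"
```

Run it from cron after the trap has been up for a while, or point LOG at the rotated file; `pfctl -T replace` makes the table reflect the file, so an address removed from the file (or added to the allowlist) drops out of the table on the next run rather than lingering.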