OpenBSD as VOIP-RBL/BL
Jump to navigation
Jump to search
Below is a small python script that allows you to host a VOIP RBL on your own system.
#!/usr/bin/python
# Created by: anexit @ 9/17/2019:1047
import binascii
import sys
import time
import struct
import socket
import random
import thread
import unicodedata
import logging
from logging.handlers import TimedRotatingFileHandler
from twisted.internet.protocol import Protocol, Factory, DatagramProtocol
from twisted.internet import reactor
#You need to specify your interface and name id.
interface = '1.1.1.1'
myid = 'sip'
lastSIPPER = ''
def logprint(x):
now = time.time()
t = time.strftime("%Y-%m-%d %H:%M:%S") + ("%1.4f" % (now - int(now)))[1:] + ": "
logger.info(t + x)
def logprint2(x):
try:
logger.info(x)
except TypeError:
pass
class uFakeSIP(DatagramProtocol):
def datagramReceived(self, data, (host, port)):
global lastSIPPER
global gi
logprint('The attacking host at %s (%d/UDP) is trying to initiate a SIP connection...' % (host, port))
if(lastSIPPER != host):
lastSIPPER = host
#If you want to log SIP Data
#logprint('SIP Data from: %s (%d/UDP):\n%s' % (host, port, data))
random.seed()
logger = logging.getLogger('Rotating Log')
logger.setLevel(logging.INFO)
handler = TimedRotatingFileHandler('anexitsip.log', when='midnight', interval=1)
logger.addHandler(handler)
logprint('Starting up...')
reactor.listenUDP(5060, uFakeSIP(), interface = interface)
reactor.run()
logprint('Shutting down...')
It will create a log file called anexitsip.log which will show you something like the following;
2019-09-17 13:27:47.1120: The attacking host at 80.211.251.174 (5075/UDP) is trying to initiate a SIP connection... 2019-09-17 13:34:20.1345: The attacking host at 77.247.110.99 (5088/UDP) is trying to initiate a SIP connection... 2019-09-17 13:43:12.0315: The attacking host at 77.247.108.218 (5076/UDP) is trying to initiate a SIP connection... 2019-09-17 13:52:26.3259: The attacking host at 183.2.202.41 (5071/UDP) is trying to initiate a SIP connection... 2019-09-17 14:05:31.0667: The attacking host at 77.247.108.204 (5356/UDP) is trying to initiate a SIP connection... 2019-09-17 14:34:48.1639: The attacking host at 77.247.110.214 (5062/UDP) is trying to initiate a SIP connection...
Since I use OpenBSD all I needed was the twisted python package (pkg_add py-twisted) From there you can parse the file and load it into PF.
Something like
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" anexitsip.log | sort -u >> someipfile should do the trick! If you want you can also let fail2ban digest it and create a simple regex.. which might be more feasible as it can also have an ignore list.
TCP SIP TRAP SIMPLE
from twisted.internet import reactor, protocol
from twisted.python import log
from twisted.python.logfile import DailyLogFile
class Echo(protocol.Protocol):
def dataReceived(self, data):
log.msg("Received data from hacker: {}".format(data))
self.transport.write(data)
class EchoFactory(protocol.Factory):
def buildProtocol(self, addr):
return Echo()
if __name__ == "__main__":
# Set up logging
log.startLogging(DailyLogFile("tcp_server.log", "."))
# Start the server
reactor.listenTCP(22, EchoFactory())
log.msg("Server started on port 22")
reactor.run()