OpenBSD as VOIP-RBL/BL
Jump to navigation
Jump to search
Below is a small python script that allows you to host a VOIP RBL on your own system.
#!/usr/bin/python # Created by: anexit @ 9/17/2019:1047 import binascii import sys import time import struct import socket import random import thread import unicodedata import logging from logging.handlers import TimedRotatingFileHandler from twisted.internet.protocol import Protocol, Factory, DatagramProtocol from twisted.internet import reactor #You need to specify your interface and name id. interface = '1.1.1.1' myid = 'sip' lastSIPPER = '' def logprint(x): now = time.time() t = time.strftime("%Y-%m-%d %H:%M:%S") + ("%1.4f" % (now - int(now)))[1:] + ": " logger.info(t + x) def logprint2(x): try: logger.info(x) except TypeError: pass class uFakeSIP(DatagramProtocol): def datagramReceived(self, data, (host, port)): global lastSIPPER global gi logprint('The attacking host at %s (%d/UDP) is trying to initiate a SIP connection...' % (host, port)) if(lastSIPPER != host): lastSIPPER = host #If you want to log SIP Data #logprint('SIP Data from: %s (%d/UDP):\n%s' % (host, port, data)) random.seed() logger = logging.getLogger('Rotating Log') logger.setLevel(logging.INFO) handler = TimedRotatingFileHandler('anexitsip.log', when='midnight', interval=1) logger.addHandler(handler) logprint('Starting up...') reactor.listenUDP(5060, uFakeSIP(), interface = interface) reactor.run() logprint('Shutting down...')
It will create a log file called anexitsip.log which will show you something like the following;
2019-09-17 13:27:47.1120: The attacking host at 80.211.251.174 (5075/UDP) is trying to initiate a SIP connection... 2019-09-17 13:34:20.1345: The attacking host at 77.247.110.99 (5088/UDP) is trying to initiate a SIP connection... 2019-09-17 13:43:12.0315: The attacking host at 77.247.108.218 (5076/UDP) is trying to initiate a SIP connection... 2019-09-17 13:52:26.3259: The attacking host at 183.2.202.41 (5071/UDP) is trying to initiate a SIP connection... 2019-09-17 14:05:31.0667: The attacking host at 77.247.108.204 (5356/UDP) is trying to initiate a SIP connection... 2019-09-17 14:34:48.1639: The attacking host at 77.247.110.214 (5062/UDP) is trying to initiate a SIP connection...
Since I use OpenBSD all I needed was the twisted python package (pkg_add py-twisted) From there you can parse the file and load it into PF.
Something like
grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" anexitsip.log | sort -u >> someipfile
should do the trick! If you want you can also let fail2ban digest it and create a simple regex.. which might be more feasible as it can also have an ignore list.
TCP SIP TRAP SIMPLE from twisted.internet import reactor, protocol from twisted.python import log from twisted.python.logfile import DailyLogFile class Echo(protocol.Protocol): def dataReceived(self, data): log.msg("Received data from hacker: {}".format(data)) self.transport.write(data) class EchoFactory(protocol.Factory): def buildProtocol(self, addr): return Echo() if __name__ == "__main__": # Set up logging log.startLogging(DailyLogFile("tcp_server.log", ".")) # Start the server reactor.listenTCP(22, EchoFactory()) log.msg("Server started on port 22") reactor.run()