Sippot - The SIP Honeypot

Since we started building, installing and supporting Linux / Asterisk based PBX systems, there has been a very pressing need to effectively block SIP hacking while still providing our clients with a PBX system that is flexible and user friendly. To accomplish this task we decided to create a SIP honeypot application that attracts SIP scanners and brute-force password attempts. Since no one should ever be logging into our network of dedicated SIP honeypot servers for any reason, we know that any login attempt is malicious. Our application logs all login attempts and maintains a list of all attacking IP addresses.

We provide this list of IP addresses here as a service as well as downloads of our full Sippot application. To use our SIP blocklist with your Linux based Asterisk PBX follow the client install instructions below.
The Sippot RBL is currently blocking 1498 IP addresses which have been used to initiate SIP scanning or brute force attacks against Asterisk based PBX servers.
Install the Sippot RBL client on your Linux / Asterisk PBX server

Follow the steps outlined here to install and configure our Sippot RBL client application on your server or contact us to request assistance. Begin by downloading the latest Sippot client software from here.
You must become root to complete the installation and configuration, or enter all commands using sudo. All Sippot files must be owned by root, and they already are when extracted from the archive file.
Move the sippotclient.latest.tgz file to /opt and extract its contents.
mv sippotclient.latest.tgz /opt
cd /opt
tar -xvzf sippotclient.latest.tgz
crontab -e
Add a line that looks like this to restart the Sippot scripts at 1am nightly:
0 1 * * * /opt/sippotclient/scripts/sippotclient_start.sh >/dev/null 2>&1
Save the crontab file and quit the editor.
Add an entry to the server's rc.local to start Sippot automatically when the system is booted. (I use Ubuntu Linux for this example. You may need to add this command to an alternate file.)
vim /etc/rc.local
Add this line before the file exits:
Save and quit the editor.
Finally start the Sippot client.
/opt/sippotclient/scripts/sippotclient_start.sh
After a few moments (there are a lot of rules to load) you should now see the blocked IP addresses when you list your iptables configuration.
iptables -nL
That's it. The Sippot client will update its RBL list every two hours.
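A check to run once the rules have loaded, as an added example that is not part of the Sippot client: it parses `iptables -nL` output and reports any address you depend on (SIP trunk, management host) that a blocking rule now covers. That the Sippot rules use the DROP or REJECT target is an assumption; the sample listing and all addresses are constructed.

```python
import ipaddress
import sys

# Constructed sample of `iptables -nL` output (documentation addresses only).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.7          0.0.0.0/0
DROP       all  --  198.51.100.0/24      0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""

BLOCK_TARGETS = ("DROP", "REJECT")  # assumption: targets used by blocklist rules


def drop_sources(listing):
    """Return the source networks of blocking rules in an `iptables -nL` listing."""
    nets = []
    for line in listing.splitlines():
        fields = line.split()  # target prot opt source destination ...
        if len(fields) < 5 or fields[0] not in BLOCK_TARGETS:
            continue
        try:
            net = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue  # negated ("!1.2.3.4") or otherwise unparsable source
        if net.prefixlen == 0:
            continue  # port-wide rule from any source, not a blocklist entry
        nets.append(net)
    return nets


def blocked_trusted(listing, trusted):
    """Return (trusted_address, matching_rule_source) for every collision."""
    nets = drop_sources(listing)
    hits = []
    for addr in trusted:
        ip = ipaddress.ip_address(addr)
        hits.extend((addr, str(net)) for net in nets if ip in net)
    return hits


if __name__ == "__main__":
    # Listing on stdin, trusted addresses as arguments; exit 1 on any collision.
    found = blocked_trusted(sys.stdin.read(), sys.argv[1:])
    for addr, rule in found:
        print(f"trusted address {addr} is covered by blocking rule {rule}")
    sys.exit(1 if found else 0)
```

Run it as root with `iptables -nL | python3 check_blocked.py 192.0.2.10`, substituting your own trunk or management addresses; the script name is hypothetical.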