Sippot - The SIP Honeypot

Since we started building, installing and supporting Linux / Asterisk based PBX systems, there has been a very pressing need to effectively block SIP hacking while still providing our clients with a PBX system that is flexible and user friendly. To accomplish this task we decided to create a SIP honeypot application that attracts SIP scanners and brute force password attempts. Since no one should ever be logging into our network of dedicated SIP honeypot servers for any reason, we know that any login attempt is malicious. Our application logs all login attempts and maintains a list of all attacking IP addresses. We provide this list of IP addresses here as a service as well as downloads of our full Sippot application. To use our SIP blocklist with your Linux based Asterisk PBX follow the client install instructions below.

The Sippot RBL is currently blocking 1498 IP addresses which have been used to initiate SIP scanning or brute force attacks against Asterisk based PBX servers.

Install the Sippot RBL client on your Linux / Asterisk PBX server

Follow the steps outlined here to install and configure our Sippot RBL client application on your server or contact us to request assistance. Begin by downloading the latest Sippot client software from here.

You must become root to complete the installation and configuration or enter all commands using sudo. All Sippot files must be owned by root and are as such when extracted from the archive file.

Move the sippotclient.latest.tgz file to /opt and extract it's contents.

mv sippotclient.latest.tgz /opt
cd /opt
tar -xvzf sippotclient.latest.tgz

Add a crontab entry to restart the Sippot scripts daily.

crontab -e

Add a line that looks like this to restart the Sippot scripts at 1am nightly:
0 1 * * * /opt/sippotclient/scripts/sippotclient_start.sh >/dev/null 2>&1
Save the crontab file and quit the editor.

Add an entry to the servers rc.local (I use Ubuntu Linux for this example. You may need to add this command to an alternate file.) to start Sippot automatically when the system is booted.

vim /etc/rc.local

Add this line before the file exits:
/opt/sippotclient/scripts/sippotclient_start.sh
Save and quit the editor.

Finally start the Sippot client.

/opt/sippotclient/scripts/sippotclient_start.sh

After a few moments (there are a lot of rules to load) you should now see the blocked IP addresses when you list your iptables configuration.

iptables -nL

That's it. The Sippot client will update it's RBL list every two hours.

Create you own SIP honeypot using our Sippot server application

You can download our full Sippot server application from here to build your own SIP honeypots. This application running on your own Linux based Asterisk servers will turn them into SIP honeypots that will record and track SIP attacking IP addresses. Follow the setup instructions within the applications README file to get started or contact us if you'd like our assistance.

NOTE: The Sippot server application will turn your Linux based Asterisk server into a SIP honeypot meaning that you cannot continue to use it for SIP services. It will block ALL SIP REGISTRATION ATTEMPTS. To use Sippot on a production server please use the Sippot RBL client.

The Sippot RBL client and SIppot server applications are provided free of charge as a community service without any guarantee or warranty. Both are licensed under the GPL.