On 5/18/2011 3:55 PM, anorexicpoodle wrote:
its funny, I have used this approach on several personal servers that got an undeserved amount of attention from APNIC. Originally I followed similar methodology of simply blocking, but after a while I began having fun and using the script to have IP tables NAT all of the attackers back at one of them randomly. Admittedly these were mostly attacks against TCP based services.
It was a lot like having an ant farm full of scammers and software pirates.
Sorry for getting sorta off-topic....
-anorexicpoodle
There is the phorensix dialplan/context/honeypot slash Incident Response ;) (http://www.infiltrated.net/scripts/phorensix) I once swapped over a comprised account into that context and out of boreDumb did some interesting things: "In order to place this call please enter a callback" wish at the time I had that in Egyptian. Nevertheless you'd be surprised at how many "scamsters" dial their own numbers trying to test whether or not an account they compromised works. I also did some not so interesting and outright juvenile things - made a dialplan that had them conversate with Les Grossman (http://www.google.com/search?q=les+grossman) to play back the captured sound :D Hey I get bored!. Anyhow, I noticed while doing all of this, there was A LOT of potential to do some interesting things. The biggest gripe I have with Asterisk and other open source based PBXs, is the symmetry in logs. Its not fluid. One of the reasons I never built an "all out" honeypot. I have to modify so much across different versions. However, this is also the beauty of Asterisk and similar open source type PBXs, there is so much you can do but it almost always needs to be custom. I also have an insane expect to .bashrc script back to expect + ssh key script which runs on an SBC, parses some of the SBC logs, pushes the output to a Linux machine, gets re-parsed on the Linux box, triggers alert (right now to my SIP Blackberry client & Snom) based on predefined params (volume of calls, destination of calls) and has the capability of doing trigger based blocking (expect). Right now though, its only running on our nCite SBCs and once I become more comfortable with our Acme's logging capabilities, I may do the same type of scripting: From syslog based machine, parse elsewhere, sort out, pick out a trigger, create a rule, send it via expect to some defense mechanism. Depends on how REALLY bored I get and whether or not I actually even start looking at our Acmes. (Personally, I'd rather leave this to my colleague ;)) -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM "It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently." - Warren Buffett 42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF