The purpose of this application is to act as a "watchdog" for an Asterisk system: it detects attempted attacks and updates the firewall rules to prevent further attacks. When an attack is detected, the application reports the attacker to Sinologic.net, which adds it to a public list shared with the other users of this application; those users can then ban IP addresses that are repeatedly reported as attackers and so block them before they attack.
The operation is very simple: once configured, sipcheck parses the Asterisk 'messages' file for lines that show attack attempts:
[show some examples]
Once it has identified a number of attempts from the same IP address, the system activates its defenses:
- Activating the shields (adding the IP address to the firewall)
- Spreading the information (sending that IP address to Sinologic)
- Sending countermeasures (running specific code when it detects an attacker IP)
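The detection step described above, as an added illustration that is not sipcheck's own code: it scans constructed Asterisk 'messages' lines for failed SIP registrations, skips the networks listed under [ignore], applies the minticks threshold and builds (without executing) the iptables DROP rule for each attacker. The log line format and helper names are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Matches the chan_sip notice Asterisk writes for a failed registration, e.g.
# Registration from '"100" <sip:100@pbx>' failed for '203.0.113.5:5060' - Wrong password
FAILED_REG = re.compile(
    r"Registration from '.*' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def parse_ignore(own):
    """Parse the [ignore] own= value (comma-separated CIDRs) into networks."""
    return [ipaddress.ip_network(n.strip()) for n in own.split(",") if n.strip()]

def is_ignored(ip, networks):
    """True when the source address falls inside an ignored host or network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def count_attempts(lines, networks):
    """Count failed registrations per source IP, skipping ignored networks."""
    hits = Counter()
    for line in lines:
        m = FAILED_REG.search(line)
        if m and not is_ignored(m.group("ip"), networks):
            hits[m.group("ip")] += 1
    return hits

def attackers(lines, minticks, networks):
    """Return the IPs that reached the minticks threshold, most active first."""
    hits = count_attempts(lines, networks)
    return [ip for ip, n in hits.most_common() if n >= minticks]

def iptables_rule(ip):
    """The DROP rule that would be inserted for one attacker (built, not run)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]

# Constructed sample 'messages' lines (not real traffic): five failures from
# 203.0.113.5, one from 198.51.100.7 and one from an ignored private address.
_FMT = ("[Mar  1 10:00:{:02d}] NOTICE[2211] chan_sip.c: Registration from "
        "'\"100\" <sip:100@pbx>' failed for '{}:5060' - Wrong password")
SAMPLE = [_FMT.format(i, "203.0.113.5") for i in range(5)]
SAMPLE.append(_FMT.format(5, "198.51.100.7"))
SAMPLE.append(_FMT.format(6, "192.168.1.20"))

if __name__ == "__main__":
    nets = parse_ignore("127.0.0.1/32,192.168.0.0/16,10.0.0.0/12")
    for ip in attackers(SAMPLE, 5, nets):  # minticks=5 as in the sample config
        print(" ".join(iptables_rule(ip)))
```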
Downloading the application:
git clone https://github.com/sinologicnet/sipcheck
Installing the application:
cd sipcheck
python setup.py install
You can get a user account to use the shared lists.
When you use the shared list features, you will need a user "key", which you configure in the configuration file.
This "key" is used for ranking and for the reliability of the reported IPs.
During the beta period, you can get a "temporary key" on this page:
http://sipcheck.sinologic.net/getKey
Although you can set the "key" field to anonymous, we recommend that you register and use your own key.
[general]
messagefile=/var/log/asterisk/messages   ; Asterisk message file. Make sure you log errors
loglevel=debug                           ;
useiptables=True                         ; If you want to insert into iptables
minticks=5                               ; Number of tries before considering an attack
logfile=/tmp/sipcheck.log                ; Log file

[shared]
enable=True                              ; Enable this if you want to report attackers to a common list
key=494949                               ; Personal KEY

[database]
file=/tmp/sipcheck.db                    ; Local database where all information is stored

[ignore]
; List of hosts and networks to ignore if they are detected as attackers
own=178.60.201.227/32,127.0.0.1/32,192.168.0.0/16,10.0.0.0/12

[gui]
; Under construction...
enable=True
port=8081
user=admin
pass=sipcheck
listen=127.0.0.1
Executing the application:
./bin/sipcheck -c ./etc/sipcheck.conf
* Enable IPv6 support