For the past month or so, there has been a large discussion on the Toronto Asterisk Users Group mailing list about SIP security and the increase in “brute force” attacks against hosts running Asterisk. The generally accepted solution is to use something like fail2ban to monitor log files and block the offending hosts. This is a great way to add a layer of security to a server, but it’s reactive security, not proactive.
To help make things a bit more proactive, I’ve started a new project called CrowdSecure, which aims to take intrusion attempt reports from users, aggregate the data, and produce a “blacklist” of hosts to proactively block at the firewall level before they even get a chance to start an attack.
The other benefit of the system is that, unlike existing solutions (such as blockhosts), it is protocol-agnostic, allowing users to report and obtain firewall rules for any protocol (HTTP, SIP, IMAP, SSH, etc.). As an added benefit it supports real-time lookup of data about an IP via an easy-to-use REST interface, which will allow blog or other website owners to check a host submitting data (say, a blog comment) in real time. For non-real-time applications, the system supports downloading a list of hosts and their associated scores, allowing system administrators to build firewall rules based on their own criteria.
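As an added example (not code from CrowdSecure or this post), here is how an administrator could turn a downloaded host/score list into firewall rules using their own threshold. The `ip,score` line format, the `NEVER_BLOCK` allowlist of internal ranges and the ipset name are assumptions for this example.

```python
import ipaddress
# Constructed sample of a downloaded host/score list; the "ip,score" CSV
# layout is an assumption for this example, the post gives no format.
SAMPLE_LIST = """\
# ip,score
203.0.113.10,92
203.0.113.11,15
198.51.100.7,70
10.0.0.5,99
not-an-ip,88
2001:db8::1,80
"""

# Never block these from a crowdsourced list: one bogus report for an internal
# address would otherwise cut off LAN hosts or the VoIP peers behind a NAT.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_scores(text):
    """Return {"net/prefix": score}, dropping comments, malformed lines and NEVER_BLOCK hits."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr, score = line.split(",")          # ValueError if not exactly 2 fields
            net = ipaddress.ip_network(addr.strip(), strict=False)
            score = int(score)
        except ValueError:                          # garbage line: skip, never crash
            continue
        if any(net.version == a.version and net.subnet_of(a) for a in NEVER_BLOCK):
            continue
        entries[str(net)] = score
    return entries

def build_rules(entries, threshold, setname="crowdsecure"):
    """Emit ipset/iptables commands dropping inbound traffic from hosts scoring >= threshold."""
    rules = [f"ipset create {setname} hash:net -exist",
             f"ipset create {setname}6 hash:net family inet6 -exist"]
    nets = sorted((ipaddress.ip_network(n) for n in entries), key=lambda n: (n.version, n))
    for net in nets:
        if entries[str(net)] >= threshold:           # the admin chooses the cut-off
            suffix = "6" if net.version == 6 else ""
            rules.append(f"ipset add {setname}{suffix} {net} -exist")
    rules.append(f"iptables -I INPUT -m set --match-set {setname} src -j DROP")
    rules.append(f"ip6tables -I INPUT -m set --match-set {setname}6 src -j DROP")
    return rules
```

Running `build_rules(parse_scores(SAMPLE_LIST), threshold=60)` yields the ipset/iptables lines for the three hosts at or above 60; the private 10.0.0.5 entry is discarded regardless of its score.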
I’m really excited about this project, and I hope I can get some momentum behind it. I am currently looking for people to assist with development, web design, and other aspects of this project, so let me know if you are interested in helping out.