GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → SentryPeer → SentryPeer

SentryPeer / SentryPeer

Licence: other
A distributed peer to peer list of bad actor IP addresses and phone numbers collected via a SIP Honeypot.

Programming Languages

c
50402 projects - #5 most used programming language
javascript
184084 projects - #8 most used programming language
Vue
7211 projects
M4
1887 projects
perl
6916 projects
Makefile
30231 projects

Labels

securitymachine-learningsiphoneypotpeer-to-peerp2pcybersecuritysoftware-engineeringvoipfraud-preventionpeer-communicationsecurity-scannerphonenumbertelecommunicationsfraud-detectionsecurity-toolsfraudpeer-discoverytelecoms-intelligencesentrypeer

Projects that are alternatives of or similar to SentryPeer

xgboost-smote-detect-fraud
Can we predict accurately on the skewed data? What are the sampling techniques that can be used. Which models/techniques can be used in this scenario? Find the answers in this code pattern!
Stars: ✭ 59 (-45.37%)
Mutual labels:  fraud-prevention, fraud-detection, fraud
univoice
Voice chat/VoIP solution for unity. P2P implementation included.
Stars: ✭ 192 (+77.78%)
Mutual labels:  peer-to-peer, p2p, voip
awesome-rtc
📡 A curated list of awesome Real Time Communications resources
Stars: ✭ 196 (+81.48%)
Mutual labels:  sip, voip, telecommunications
Univoice
P2P VoIP in Unity
Stars: ✭ 128 (+18.52%)
Mutual labels:  peer-to-peer, p2p, voip
IDVerification
"Very simple but works well" Computer Vision based ID verification solution provided by LibraX.
Stars: ✭ 44 (-59.26%)
Mutual labels:  fraud-prevention, fraud-detection, fraud
sems-yeti
YETI application for SEMS core
Stars: ✭ 15 (-86.11%)
Mutual labels:  sip, voip, telecommunications
Misp
MISP (core software) - Open Source Threat Intelligence and Sharing Platform
Stars: ✭ 3,485 (+3126.85%)
Mutual labels:  cybersecurity, fraud-prevention, fraud-detection
Katari
Katari - Python Session Initiated Protocol Framework
Stars: ✭ 29 (-73.15%)
Mutual labels:  sip, voip, telecommunications
tordam
A library for peer discovery inside the Tor network
Stars: ✭ 13 (-87.96%)
Mutual labels:  peer-to-peer, p2p, peer-discovery
Stun
A Go implementation of STUN
Stars: ✭ 141 (+30.56%)
Mutual labels:  sip, peer-to-peer, voip
Kalbi
Kalbi - Golang Session Initiated Protocol Framework
Stars: ✭ 85 (-21.3%)
Mutual labels:  sip, voip, telecommunications
pop
Run a point-of-presence within Myel, the community powered content delivery network.
Stars: ✭ 28 (-74.07%)
Mutual labels:  peer-to-peer, p2p
CARE-GNN
Code for CIKM 2020 paper Enhancing Graph Neural Network-based Fraud Detectors against Camouflaged Fraudsters
Stars: ✭ 121 (+12.04%)
Mutual labels:  fraud-prevention, fraud-detection
husarnet
Husarnet is a Peer-to-Peer VPN to connect your laptops, servers and microcontrollers over the Internet with zero configuration.
Stars: ✭ 128 (+18.52%)
Mutual labels:  peer-to-peer, p2p
humble
A humble, and fast, security-oriented HTTP headers analyzer
Stars: ✭ 17 (-84.26%)
Mutual labels:  cybersecurity, security-scanner
bitcloutDAO
Decentralized Social Network Money Frauds/Scams including BitClout / DeSo, Twetch, Steemit, PeakD
Stars: ✭ 29 (-73.15%)
Mutual labels:  fraud-prevention, fraud
The-Kademlia-Protocol-Succinctly
This is the companion repo for The Kademlia Protocol Succinctly by Marc Clifton. Published by Syncfusion.
Stars: ✭ 28 (-74.07%)
Mutual labels:  peer-to-peer, p2p
ascii-chat
A terminal-based peer-to-peer (P2P) end-to-end-encrypted (E2EE) video chat application with text messaging, written in OCaml. Supports up to 4 clients. Supports connections over internet and LAN.
Stars: ✭ 20 (-81.48%)
Mutual labels:  peer-to-peer, p2p
deepAD
Detection of Accounting Anomalies in the Latent Space using Adversarial Autoencoder Neural Networks - A lab we prepared for the KDD'19 Workshop on Anomaly Detection in Finance that will walk you through the detection of interpretable accounting anomalies using adversarial autoencoder neural networks. The majority of the lab content is based on J…
Stars: ✭ 65 (-39.81%)
Mutual labels:  fraud-prevention, fraud-detection
libjuice
JUICE is a UDP Interactive Connectivity Establishment library
Stars: ✭ 197 (+82.41%)
Mutual labels:  sip, peer-to-peer
View All Similar Projects ➔

SentryPeer®

SentryPeer Logo

A distributed list of bad actor IP addresses and phone numbers collected via a SIP Honeypot.

Stability: Active GitHub release (latest SemVer) Docker Hub Copr build status Coverity Scan Build Status Build and Test CodeQL Clang Static Analysis Language grade: C Total alerts Language grade: JavaScript CII Best Practices

Introduction

SentryPeer is a fraud detection tool. It lets bad actors try to make phone calls and saves the IP address they came from and number they tried to call. Those details can then be used to raise notifications at the service providers network and the next time a user/customer tries to call a collected number, you can act anyway you see fit.

For example:

Let's say you are running your own VoIP PBX on site. What SentryPeer will allow you to do in this context, is dip into the list of phone numbers (using the RESTful API) when your users are making outbound calls. If you get a hit, you'll get a heads-up that potentially a device within your network is trying to call known probing phone numbers that have either been:

  1. Numbers collected by SentryPeer nodes you are running yourself
  2. Numbers seen by other SentryPeer nodes which have been replicated to your node via the peer to peer network

This would allow you to generate a notification from your monitoring systems before you rack up any expensive calls or something worse happens.

What would lead to this scenario?

  1. Potential voicemail fraud. This can happen if you allow calling an inbound number (your DID/DDI) to get to your voicemail system, then prompt for a PIN. This PIN is weak and the voicemail system allows you to press '*' to call back the Caller ID that left a voicemail. The attacker has left a voicemail, and they then guess your PIN and call it back. The CLI is a known number that SentryPeer has seen. You can alert on it.
  2. A device has been hijacked and/or a softphone or similar is using the credentials they stole off the phone's GUI and is trying to register to your system and make calls to a number seen by SentryPeer.
  3. An innocent user is calling a phishing number or known expensive number etc. that SentryPeer has seen before.

Traditionally this data is shipped to a central place, so you don't own the data you've collected. This project is all about Peer to Peer sharing of that data. The user owning the data and various Service Provider / Network Provider related feeds of the data is the key bit for me. I'm sick of all the services out there that keep it and sell it. If you've collected it, you should have the choice to keep it and/or opt in to share it with other SentryPeer community members via p2p methods.

Talks

Adoption

Matrix slack SentryPeer on Twitter

Design

I started this because I wanted to do C network programming as all the projects I use daily are in C like PostgreSQL, OpenLDAP, FreeSWITCH, OpenSIPS, Asterisk etc. See Episode 414: Jens Gustedt on Modern C for why C is a good choice. For those interested, see my full podcast show list (https://www.se-radio.net/team/gavin-henry/) for Software Engineering Radio

Screenshots

Here's a mockup of the web UI which is subject to change.

SentryPeer Web GUI mock up

Goals

  • All code Free/Libre and Open Source Software
  • FAST
  • User owns their data
  • User can submit their own data if they want to (you need to enable p2p mode - -p)
  • User gets other users' data ONLY IF they opt in to submit their data to the pool
  • Embedded Distributed Hash Table (DHT) node using OpenDHT (-p cli option)
  • Peer to Peer sharing of collected bad_actors using OpenDHT (default on)
  • Peer to Peer data replication to receive collected bad_actors using OpenDHT (default on)
  • Set your own DHT bootstrap node (-b cli option)
  • Multithreaded
  • UDP transport
  • TCP transport
  • TLS transport
  • JSON logging to a file
  • SIP mode can be disabled. This allows you to run SentryPeer in API mode or DHT mode only etc. i.e. not as a honeypot, but as a node in the SentryPeer community or to just serve replicated data
  • SIP responsive mode can be enabled to collect data - cli / env flag
  • Local data copy for fast access - cli / env db location flag
  • Local API for fast access - cli / env flag
  • Local Web GUI for fast access - cli / env flag
  • Query API for IP addresses of bad actors
  • Query API for IPSET of bad actors
  • Query API for a particular IP address of a bad actor
  • Query API for attempted phone numbers called by bad actors
  • Query API for an attempted phone number called by a bad actor
  • Fail2Ban support via syslog as per feature request
  • Local sqlite database - feature / cli flag
  • Analytics - opt in
  • SDKs/libs for external access - CGRateS to start with or our own firewall with nftables
  • Small binary size for IoT usage
  • Cross-platform
  • Firewall options to use distributed data in real time - DHT?
  • Container on Docker Hub for latest build
  • BGP agent to peer with for blackholing collected IP addresses (similar to Team Cymru Bogon Router Server Project)
  • SIP agent to return 404 or default destination for SIP redirects

Docker

You can run the latest version of SentryPeer with Docker. The latest version is available from Docker Hub. Or build yourself:

sudo docker build --no-cache -t sentrypeer .
sudo docker run -d -p 5060:5060/udp -p 8082:8082 -p 4222:4222/udp sentrypeer:latest

Then you can check at http://localhost:8082/ip-addresses and http://localhost:8082/health-check to see if it's running.

Environment Variables

ENV SENTRYPEER_DB_FILE=/my/location/sentrypeer.db
ENV SENTRYPEER_API=1
ENV SENTRYPEER_WEB_GUI=1
ENV SENTRYPEER_SIP_RESPONSIVE=1
ENV SENTRYPEER_SIP_DISABLE=1
ENV SENTRYPEER_SYSLOG=1
ENV SENTRYPEER_PEER_TO_PEER=1
ENV SENTRYPEER_BOOTSTRAP_NODE=mybootstrapnode.com
ENV SENTRYPEER_JSON_LOG=1
ENV SENTRYPEER_JSON_LOG_FILE=/my/location/sentrypeer_json.log
ENV SENTRYPEER_VERBOSE=1
ENV SENTRYPEER_DEBUG=1

Either set these in the Dockerfile or in your Dockerfile.env file or docker run command.

Installation

Debian or Fedora packages are always available from the release page for the current version of SentryPeer:

https://github.com/SentryPeer/SentryPeer/releases

Homebrew (macOS or Linux):

We have a Homebrew Tap for this project (until we get more popular):

brew tap sentrypeer/sentrypeer
brew install sentrypeer

Alpine Linux:

SentryPeer is in testing on Alpine Linux, so you can install it with the following command:

apk -U add --no-cache -X https://dl-cdn.alpinelinux.org/alpine/edge/testing sentrypeer

Ubuntu Package

You can install SentryPeer from our Ubuntu PPD which is currently for Ubuntu 20 LTS (Focal Fossa):

sudo apt install software-properties-common
sudo add-apt-repository ppa:gavinhenry/sentrypeer
sudo apt-get update

This PPA can be added to your system manually by copying the lines below and adding them to your system's software sources:

deb https://ppa.launchpadcontent.net/gavinhenry/sentrypeer/ubuntu focal main 
deb-src https://ppa.launchpadcontent.net/gavinhenry/sentrypeer/ubuntu focal main

Then you can install SentryPeer:

sudo apt-get install sentrypeer

Building from source

You have two options for installation from source. CMake or autotools. Autotools is recommended at the moment. A release is an autotools build.

If you are a Fedora user, you can install this via Fedora copr:

https://copr.fedorainfracloud.org/coprs/ghenry/SentryPeer/

If you are going to build from this repository, you will need to have the following installed:

  • git, autoconf, automake and autoconf-archive (Debian/Ubuntu)
  • libosip2-dev (Debian/Ubuntu) or libosip2-devel (Fedora)
  • libsqlite3-dev (Debian/Ubuntu) or sqlite-devel (Fedora)
  • uuid-dev (Debian/Ubuntu) or libuuid-devel (Fedora)
  • libmicrohttpd-dev (Debian/Ubuntu) or libmicrohttpd-devel (Fedora)
  • libjansson-dev (Debian/Ubuntu) or jansson-devel (Fedora)
  • libpcre2-dev (Debian/Ubuntu) or pcre2-devel (Fedora)
  • libcurl-dev (Debian/Ubuntu) or libcurl-devel (Fedora)
  • libcmocka-dev (Debian/Ubuntu) or libcmocka-devel (Fedora) - for unit tests

Debian/Ubuntu:

sudo apt-get install git build-essential autoconf-archive autoconf automake libosip2-dev libsqlite3-dev \
libcmocka-dev uuid-dev libcurl-dev libpcre2-dev libjansson-dev libmicrohttpd-dev

Fedora:

sudo dnf install git autoconf automake autoconf-archive libosip2-devel libsqlite3-devel libcmocka-devel \
libuuid-devel libmicrohttpd-devel jansson-devel libcurl-devel pcre2-devel

macOS:

brew install git autoconf automake autoconf-archive libosip cmocka libmicrohttpd jansson curl pcre2

then (make check is highly recommended):

./bootstrap.sh
./configure
make
make check
make install

Running SentryPeer

Once built, you can run like so to start in debug mode, respond to SIP probes, enable the RESTful API, enable the Web GUI SPA and enable syslog logging (use a package if you want systemd):

./sentrypeer -drawps
SentryPeer node id: e5ac3a88-3d52-4e84-b70c-b2ce83992d02
Starting sentrypeer...
API mode enabled, starting http daemon...
Web GUI mode enabled...
SIP mode enabled...
Peer to Peer DHT mode enabled...
Starting peer to peer DHT mode using OpenDHT-C lib version '2.4.0'...
Configuring local address...
Creating sockets...
Binding sockets to local address...
Listening for incoming UDP connections...
SIP responsive mode enabled. Will reply to SIP probes...
Listening for incoming TCP connections...
Peer to peer DHT mode started.
DHT InfoHash for key 'bad_actors' is: 14d30143330e2e0e922ed4028a60ff96a59800ad
Bootstrapping the DHT
Waiting 5 seconds for bootstrapping to bootstrap.sentrypeer.org...
Listening for changes to the bad_actors DHT key

when you get a probe request, you can see something like the following in the terminal:

Received (411 bytes): OPTIONS sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 91.223.3.152:5173;branch=z9hG4bK-515761064;rport
Content-Length: 0
From: "sipvicious"<sip:[email protected].1>;tag=6434396633623535313363340131363131333837383137
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:[email protected].1>
Contact: sip:[email protected]:5173
CSeq: 1 OPTIONS
Call-ID: 679894155883566215079442
Max-Forwards: 70


read_packet_buf size is: 1024: 
read_packet_buf length is: 468: 
bytes_received size is: 411: 

Bad Actor is:
Event Timestamp: 2021-11-23 20:13:36.427515810
Event UUID: fac3fa20-8c2c-445b-8661-50a70fa9e873
SIP Message: OPTIONS sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 91.223.3.152:5173;branch=z9hG4bK-515761064;rport
From: "sipvicious" <sip:[email protected].1>;tag=6434396633623535313363340131363131333837383137
To: "sipvicious" <sip:[email protected].1>
Call-ID: 679894155883566215079442
CSeq: 1 OPTIONS
Contact: <sip:[email protected]:5173>
Accept: application/sdp
User-agent: friendly-scanner
Max-forwards: 70
Content-Length: 0


Source IP: 193.107.216.27
Called Number: 100
SIP Method: OPTIONS
Transport Type: UDP
User Agent: friendly-scanner
Collected Method: responsive
Created by Node Id: fac3fa20-8c2c-445b-8661-50a70fa9e873
SentryPeer db file location is: sentrypeer.db
Destination IP address of UDP packet is: xx.xx.xx.xx

You can see the data in the sqlite3 database called sentrypeer.db using sqlitebrowser or sqlite3 command line tool.

Here's a screenshot of the database opened using sqlitebrowser (it's big, so I'll just link to the image):

sqlitebrowser exploring the sentrypeer.db

RESTful API

The RESTful API is almost complete and the web UI is coming soon. Please click the Watch button to be notified when they are ready and hit Like to follow the development :-)

Endpoint /health-check

Query the API to see if it's alive:

curl -v -H "Content-Type: application/json" http://localhost:8082/health-check

* Connected to localhost (127.0.0.1) port 8082 (#0)
> GET /health-check HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 24 Apr 2022 11:16:25 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< X-Powered-By: SentryPeer
< X-SentryPeer-Version: 1.4.0
< Content-Length: 81
< 
{
  "status": "OK",
  "message": "Hello from SentryPeer!",
  "version": "1.0.0"
}

Endpoint /ip-addresses

List all the IP addresses that have been seen by SentryPeer:

curl -v -H "Content-Type: application/json" http://localhost:8082/ip-addresses

* Connected to localhost (127.0.0.1) port 8082 (#0)
> GET /ip-addresses HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 24 Jan 2022 11:17:05 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< X-Powered-By: SentryPeer
< X-SentryPeer-Version: 1.0.0
< Content-Length: 50175
< 
{
  "ip_addresses_total": 396,
  "ip_addresses": [
    {
      "ip_address": "193.107.216.27",
      "seen_last": "2022-01-11 13:30:48.703603359",
      "seen_count":	"1263"
    },
    {
      "ip_address": "193.46.255.152"
      "seen_last": "2022-01-11 13:28:27.348926406",
      "seen_count": "3220"      
    }
    ...
  ]
}

Endpoint /ip-address/{ip-address}

Query a single IP address:

curl -v -H "Content-Type: application/json" http://localhost:8082/ip-address/8.8.8.8

* Connected to localhost (127.0.0.1) port 8082 (#0)
> GET /ip-addresses/8.8.8.8 HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Mon, 24 Jan 2022 11:17:57 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< X-Powered-By: SentryPeer
< X-SentryPeer-Version: 1.0.0
< Content-Length: 33
< 
* Connection #0 to host localhost left intact
{
  "message": "No bad actor found"
}

Endpoint /numbers/{phone-number}

Query a phone number a bad actor tried to call with optional + prefix:

curl -v -H "Content-Type: application/json" http://localhost:8082/numbers/8784946812410967

* Connected to localhost (127.0.0.1) port 8082 (#0)
> GET /numbers/8784946812410967 HTTP/1.1
> Host: localhost:8082
> User-Agent: curl/7.79.1
> Accept: */*
> Content-Type: application/json
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 24 Jan 2022 11:19:53 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< X-Powered-By: SentryPeer
< X-SentryPeer-Version: 1.0.0
< Content-Length: 46
< 
{
  "phone_number_found": "8784946812410967"
}

Syslog and Fail2ban

With sentrypeer -s, you parse syslog and use Fail2Ban to block the IP address of the bad actor:

Nov 30 21:32:16 localhost.localdomain sentrypeer[303741]: Source IP: 144.21.55.36, Method: OPTIONS, Agent: sipsak 0.9.7

JSON Log Format

With sentrypeer -j, you can produce a JSON log file of the bad actor's IP address and the phone number they tried to call plus other metadata (set a custom log file location with -l):

{
   "app_name":"sentrypeer",
   "app_version":"v1.4.0",
   "event_timestamp":"2022-02-22 11:19:15.848934346",
   "event_uuid":"4503cc92-26cb-4b3e-bb33-69a83fa09321",
   "created_by_node_id":"4503cc92-26cb-4b3e-bb33-69a83fa09321",
   "collected_method":"responsive",
   "transport_type":"UDP",
   "source_ip":"45.134.144.128",
   "destination_ip":"XX.XX.XX.XX",
   "called_number":"0046812118532",
   "sip_method":"OPTIONS",
   "sip_user_agent":"friendly-scanner",
   "sip_message":"full SIP message"
}

Command Line Options

./sentrypeer -h
Usage: sentrypeer [-h] [-V] [-w] [-j] [-p] [-b bootstrap.example.com] [-f fullpath for sentrypeer.db] [-l fullpath for sentrypeer_json.log] [-r] [-R] [-a] [-s] [-v] [-d]

Options:
  -h,      Print this help
  -V,      Print version
  -f,      Set 'sentrypeer.db' location or use SENTRYPEER_DB_FILE env
  -j,      Enable json logging or use SENTRYPEER_JSON_LOG env
  -p,      Enable Peer to Peer mode or use SENTRYPEER_PEER_TO_PEER env
  -b,      Set Peer to Peer bootstrap node or use SENTRYPEER_BOOTSTRAP_NODE env
  -a,      Enable RESTful API mode or use SENTRYPEER_API env
  -w,      Enable Web GUI mode or use SENTRYPEER_WEB_GUI env
  -r,      Enable SIP responsive mode or use SENTRYPEER_SIP_RESPONSIVE env
  -R,      Disable SIP mode completely or use SENTRYPEER_SIP_DISABLE env
  -l,      Set 'sentrypeer_json.log' location or use SENTRYPEER_JSON_LOG_FILE env
  -s,      Enable syslog logging or use SENTRYPEER_SYSLOG env
  -v,      Enable verbose logging or use SENTRYPEER_VERBOSE env
  -d,      Enable debug mode or use SENTRYPEER_DEBUG env

Report bugs to https://github.com/SentryPeer/SentryPeer/issues

See https://sentrypeer.org for more information.

IPv6 Multicast Address

The project has an IANA IPv6 multicast address for the purpose of sending messages between SentryPeer peers.

Addresses: FF0X:0:0:0:0:0:0:172
Description: SentryPeer
Contact: Gavin Henry <ghenry at sentrypeer.org>
Registration Date: 2022-01-26

Please see http://www.iana.org/assignments/ipv6-multicast-addresses

The assigned variable-scope address -- which can also be listed as "FF0X::172" for short -- the "X" denotes any possible scope.

License

Great reading - How to choose a license for your own work

This work is dual-licensed under GPL 2.0 and GPL 3.0.

SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only

Contributing

See CONTRIBUTING

Project Website

https://sentrypeer.org

Trademark

SENTRYPEER is a registered trademark of Gavin Henry

Questions, Bug reports, Feature Requests

New issues can be raised at:

https://github.com/SentryPeer/SentryPeer/issues

It's okay to raise an issue to ask a question.

Special Thanks

Special thanks to:

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].