Kali Linux

SentryPeer : A Distributed Peer To Peer List Of Bad Actor IP Addresses And Phone Numbers Collected

SentryPeer is basically a fraud detection tool. It lets bad actors try to make phone calls and saves the IP address they came from and number they tried to call. Those details are then used to block them at the service providers network and the next time a user/customer tries to call a collected number, it’s blocked.

Traditionally this data is shipped to a central place, so you don’t own the data you’ve collected. This project is all about Peer to Peer sharing of that data. The user owning the data and various Service Provider / Network Provider related feeds of the data is the key bit for me. I’m sick of all the services out there that keep it and sell it. If you’ve collected it, you should have the choice to keep it and/or opt in to share it with other SentryPeer community members via p2p methods.

The sharing part…you only get other users’ data if you share yours. That’s the key. It could be used (the sharing of data logic/feature) in many projects too if I get it right.

Screenshots

Here’s a mockup of the web UI which is subject to change.

Goals

  • All code Free/Libre and Open Source Software
  • FAST
  • User owns their data
  • User can submit their own data if they want to – opt out (default is to submit data)
  • User gets other users’ data (Tit for tat?) ONLY IF they opt in to submit their data to the pool (DHT? – need to do a PoC)
  • Embedded Distributed Hash Table (DHT) node using OpenDHT (-p cli option)
  • Peer to Peer sharing of collected bad_actors using OpenDHT (default on)
  • Peer to Peer data replication to receive collected bad_actors using OpenDHT (default on)
  • Multithreaded
  • UDP transport
  • TCP transport
  • TLS transport
  • JSON logging to a file
  • Data is max 7(?) days old as useless otherwise
  • SIP mode can be disabled. This allows you to run SentryPeer in API mode or DHT mode only etc. i.e. not as a honeypot, but as a node in the SentryPeer community or to just serve replicated data
  • SIP responsive mode can be enabled to collect data – cli / env flag
  • Local data copy for fast access – cli / env db location flag
  • Local API for fast access – cli / env flag
  • Local Web GUI for fast access – cli / env flag
  • Query API for IP addresses of bad actors
  • Query API for IPSET of bad actors
  • Query API for a particular IP address of a bad actor
  • Query API for attempted phone numbers called by bad actors
  • Query API for an attempted phone number called by a bad actor
  • Fail2Ban support via syslog as per feature request
  • Local sqlite database – feature / cli flag
  • Analytics – opt in
  • SDKs/libs for external access – CGRateS to start with or our own firewall with nftables
  • Small binary size for IoT usage
  • Cross-platform
  • Firewall options to use distributed data in real time – DHT?
  • Container on Docker Hub for latest build
  • BGP agent to peer with for blackholing collected IP addresses (similar to Team Cymru Bogon Router Server Project)
  • SIP agent to return 404 or default destination for SIP redirects

Design

TBD 🙂

I started this because I wanted to do C network programming as all the projects I use daily are in C like PostgreSQL, OpenLDAP, FreeSWITCH, OpenSIPS, Asterisk etc. See Episode 414: Jens Gustedt on Modern C for why C is a good choice. For those interested, see my full podcast show list (https://www.se-radio.net/team/gavin-henry/) for Software Engineering Radio

Talks

  • TADSummit 2021 – https://blog.tadsummit.com/2021/11/17/sentrypeer/
  • CommCon 2021 – https://2021.commcon.xyz/talks/sentrypeer-a-distributed-peer-to-peer-list-of-bad-ip-addresses-and-phone-numbers-collected-via-a-sip-honeypot

Docker

You can run the latest version of SentryPeer with Docker. The latest version is available from Docker Hub. Or build yourself:

sudo docker build -t sentrypeer .
sudo docker run -d -p 5060:5060 -p 8082:8082 sentrypeer:latest

Then you can check at http://localhost:8082/ip-addresses and http://localhost:5060/health-check to see if it’s running.

Environment Variables

ENV SENTRYPEER_DB_FILE=/my/location/sentrypeer.db
ENV SENTRYPEER_API=1
ENV SENTRYPEER_WEB_GUI=1
ENV SENTRYPEER_SIP_RESPONSIVE=1
ENV SENTRYPEER_SIP_DISABLE=1
ENV SENTRYPEER_SYSLOG=1
ENV SENTRYPEER_PEER_TO_PEER=1
ENV SENTRYPEER_JSON_LOG=1
ENV SENTRYPEER_JSON_LOG_FILE=/my/location/sentrypeer_json.log
ENV SENTRYPEER_VERBOSE=1
ENV SENTRYPEER_DEBUG=1

Either set these in the Dockerfile or in your Dockerfile.env file or docker run command.

Installation

Debian or Fedora packages are always available from the release page for the current version of SentryPeer:

https://github.com/SentryPeer/SentryPeer/releases

Ubuntu Package

You can install SentryPeer from our Ubuntu PPD which is currently for Ubuntu 20 LTS (Focal Fossa):

sudo add-apt-repository ppa:gavinhenry/sentrypeer
sudo apt-get update

This PPA can be added to your system manually by copying the lines below and adding them to your system’s software sources:

deb https://ppa.launchpadcontent.net/gavinhenry/sentrypeer/ubuntu focal main
deb-src https://ppa.launchpadcontent.net/gavinhenry/sentrypeer/ubuntu focal main

Building from source

You have two options for installation from source. CMake or autotools. Autotools is recommended at the moment. A release is an autotools build.

If you are a Fedora user, you can install this via Fedora copr:

https://copr.fedorainfracloud.org/coprs/ghenry/SentryPeer/

If you are going to build from this repository, you will need to have the following installed:

  • git, autoconf, automake and autoconf-archive (Debian/Ubuntu)
  • libosip2-dev (Debian/Ubuntu) or libosip2-devel (Fedora)
  • libsqlite3-dev (Debian/Ubuntu) or sqlite-devel (Fedora)
  • uuid-dev (Debian/Ubuntu) or libuuid-devel (Fedora)
  • libmicrohttpd-dev (Debian/Ubuntu) or libmicrohttpd-devel (Fedora)
  • libjansson-dev (Debian/Ubuntu) or jansson-devel (Fedora)
  • libpcre2-dev (Debian/Ubuntu) or pcre2-devel (Fedora)
  • libcurl-dev (Debian/Ubuntu) or libcurl-devel (Fedora)
  • libcmocka-dev (Debian/Ubuntu) or libcmocka-devel (Fedora) – for unit tests

Debian/Ubuntu:

sudo apt-get install git build-essential autoconf-archive autoconf automake libosip2-dev libsqlite3-dev \
libcmocka-dev uuid-dev libcurl-dev libpcre2-dev libjansson-dev libmicrohttpd-dev

Fedora:

sudo dnf install git autoconf automake autoconf-archive libosip2-devel libsqlite3-devel libcmocka-devel \
libuuid-devel libmicrohttpd-devel jansson-devel libcurl-devel pcre2-devel

Download
R K

Leave a Comment
Share
Published by
R K
Tags: IP AddressesPeer To PeerSentryPeer
3 years ago

Recent Posts

Bomber : Navigating Security Vulnerabilities In SBOMs

bomber is an application that scans SBOMs for security vulnerabilities. So you've asked a vendor…

10 hours ago

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In PNG Files

Embed a payload within a PNG file by splitting the payload across multiple IDAT sections.…

10 hours ago

Exploit Street – Navigating The New Terrain Of Windows LPEs

Exploit-Street, where we dive into the ever-evolving world of cybersecurity with a focus on Local…

2 days ago

ShadowDumper – Advanced Techniques For LSASS Memory Extraction

Shadow Dumper is a powerful tool used to dump LSASS (Local Security Authority Subsystem Service)…

3 days ago

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

2 weeks ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

3 weeks ago