{"id":13840304,"url":"https://github.com/SentryPeer/SentryPeer","last_synced_at":"2025-07-11T07:33:10.727Z","repository":{"id":37823883,"uuid":"334776528","full_name":"SentryPeer/SentryPeer","owner":"SentryPeer","description":"Protect your SIP Servers from bad actors at https://sentrypeer.org","archived":false,"fork":false,"pushed_at":"2024-11-20T20:42:02.000Z","size":2339,"stargazers_count":169,"open_issues_count":15,"forks_count":17,"subscribers_count":12,"default_branch":"main","last_synced_at":"2024-11-20T21:33:34.160Z","etag":null,"topics":["cybersecurity","fraud","fraud-detection","fraud-prevention","honeypot","machine-learning","p2p","peer-communication","peer-discovery","peer-to-peer","phonenumber","security","security-scanner","security-tools","sentrypeer","sip","software-engineering","telecommunications","telecoms-intelligence","voip"],"latest_commit_sha":null,"homepage":"https://sentrypeer.org","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SentryPeer.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"COPYING","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null},"funding":{"liberapay":"sentrypeer"}},"created_at":"2021-01-31T23:08:36.000Z","updated_at":"2024-11-20T20:40:22.000Z","dependencies_parsed_at":"2023-02-06T06:02:33.235Z","dependency_job_id":"e3ce2572-fbd0-493c-b4bb-75d631086fca","html_url":"https://github.com/SentryPeer/SentryPeer","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
SentryPeer%2FSentryPeer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SentryPeer%2FSentryPeer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SentryPeer%2FSentryPeer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SentryPeer%2FSentryPeer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SentryPeer","download_url":"https://codeload.github.com/SentryPeer/SentryPeer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225705345,"owners_count":17511272,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","fraud","fraud-detection","fraud-prevention","honeypot","machine-learning","p2p","peer-communication","peer-discovery","peer-to-peer","phonenumber","security","security-scanner","security-tools","sentrypeer","sip","software-engineering","telecommunications","telecoms-intelligence","voip"],"created_at":"2024-08-04T17:00:45.465Z","updated_at":"2025-07-11T07:33:10.720Z","avatar_url":"https://github.com/SentryPeer.png","language":"C","funding_links":["https://liberapay.com/sentrypeer"],"categories":["Security","C","Honeypots"],"sub_categories":["Security Exploitation/fuzzing Frameworks"],"readme":"## Protect your SIP Servers from bad actors\n\n\u003cimg alt=\"SentryPeer Logo\" src=\"https://raw.githubusercontent.com/SentryPeer/SentryPeer/main/web-gui-theme/src/assets/logo.svg\" width=\"100\" height=\"100\"\u003e\n\n[![Stability: 
Active](https://masterminds.github.io/stability/active.svg)](https://masterminds.github.io/stability/active.html)\n[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/sentrypeer/sentrypeer?sort=semver)](https://github.com/SentryPeer/SentryPeer/releases)\n[![Docker Hub](https://img.shields.io/badge/docker-hub-brightgreen.svg)](https://hub.docker.com/r/sentrypeer/sentrypeer)\n[![Coverity Scan Build Status](https://scan.coverity.com/projects/23969/badge.svg)](https://scan.coverity.com/projects/sentrypeer-sentrypeer)\n[![Build and Test](https://github.com/SentryPeer/SentryPeer/actions/workflows/main.yml/badge.svg)](https://github.com/SentryPeer/SentryPeer/actions/workflows/main.yml)\n[![CodeQL](https://github.com/SentryPeer/SentryPeer/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/SentryPeer/SentryPeer/actions/workflows/codeql-analysis.yml)\n[![Clang Static Analysis](https://github.com/SentryPeer/SentryPeer/actions/workflows/clang-analyzer.yml/badge.svg)](https://github.com/SentryPeer/SentryPeer/actions/workflows/clang-analyzer.yml)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5374/badge)](https://bestpractices.coreinfrastructure.org/projects/5374)\n[![gitleaks](https://github.com/SentryPeer/SentryPeer/actions/workflows/gitleaks.yml/badge.svg?branch=main)](https://github.com/SentryPeer/SentryPeer/actions/workflows/gitleaks.yml)\n\nSpecial thanks to [Deutsche Telekom Security GmbH](https://github.com/telekom-security) for sponsoring us! 
Very kind!\n\n_Why not give us a star and follow us on [Twitter](https://twitter.com/sentrypeer)!_  \n\n## Table of Contents\n* [Introduction](#introduction)\n* [Overview](#overview)\n* [Features](#features)\n* [Talks](#talks)\n* [Adoption](#adoption)\n* [Design](#design)\n* [Docker](#docker)\n  * [Environment Variables](#environment-variables)\n* [Installation](#installation)\n  * [Homebrew (macOS or Linux)](#homebrew-macos-or-linux)\n  * [Alpine Linux](#alpine-linux)\n  * [Ubuntu Package](#ubuntu-package)\n  * [Building from source](#building-from-source)\n* [Running SentryPeer](#running-sentrypeer)\n* [WebHook](#webhook)\n* [RESTful API](#restful-api)\n  * [Endpoint /health-check](#endpoint-health-check)\n  * [Endpoint /ip-addresses](#endpoint-ip-addresses)\n  * [Endpoint /ip-addresses/{ip-address}](#endpoint-ip-addressip-address)\n  * [Endpoint /numbers](#endpoint-numbers)\n  * [Endpoint /numbers/{phone-number}](#endpoint-numbersphone-number)\n* [Syslog and Fail2ban](#syslog-and-fail2ban)\n* [JSON Log Format](#json-log-format) \n* [Command Line Options](#command-line-options)\n* [IPv6 Multicast Address](#ipv6-multicast-address)\n* [License](#license)\n* [Contributing](#contributing)\n* [Project Website](#project-website)\n* [Trademark](#trademark)\n* [Questions, Bug reports, Feature Requests](#questions-bug-reports-feature-requests)\n* [Special Thanks](#special-thanks)\n* [Sponsorship](#sponsorship)\n\n### Introduction\n\nSentryPeer\u003csup\u003e\u0026reg;\u003c/sup\u003e is a fraud detection tool. It lets bad actors try to make phone calls and saves the IP address they came from and the \nnumber they tried to call. Those details can then be used to raise notifications at the service provider's network and the next \ntime a user/customer tries to call a collected number, you can act any way you see fit.\n\nFor example:\n\nLet's say you are running your own VoIP PBX on site. 
What SentryPeer will allow you to do in this context, \nis dip into the list of phone numbers (using the RESTful API) when your users are making outbound calls. If you get a hit, \nyou'll get a heads-up that potentially a device within your network is trying to call known probing phone numbers that \nhave either been:\n\n1. Numbers collected by SentryPeer nodes you are running yourself\n2. Numbers seen by other SentryPeer nodes which have been replicated to your node via the peer to peer network\n\nThis would allow you to generate a notification from your monitoring systems before you rack \nup any expensive calls or something worse happens.\n\nWhat would lead to this scenario?\n\n1. Potential voicemail fraud. This can happen if you allow calling an\n   inbound number (your DID/DDI) to get to your voicemail system, then\n   prompt for a PIN. This PIN is weak and the voicemail system allows you\n   to press '*' to call back the Caller ID that left a voicemail. The\n   attacker has left a voicemail, and they then guess your PIN and call it\n   back. The CLI is a known number that SentryPeer has seen. You can alert on it.\n2. A device has been hijacked and/or a softphone or similar is using\n   the credentials they stole off the phone's GUI and is trying to\n   register to your system and make calls to a number seen by SentryPeer.\n3. An innocent user is calling a phishing number or known expensive\n   number etc. that SentryPeer has seen before.\n\nTraditionally, this data is shipped to a central place, so you don't own the data you've collected. This project is all about Peer to Peer sharing of that data. The user owning the data and various Service Provider / Network Provider related feeds of the data is the key bit for me. I'm sick of all the services out there that keep it and sell it. 
If you've collected it, you should have the choice to keep it and/or opt in to share it with other SentryPeer community members via p2p methods.\n\n### Overview\n\n#### SentryPeer Node\n\nHere we are using [Mermaid Sequence diagrams](https://mermaid.js.org/syntax/sequenceDiagram.html) to show the flow of data from a SentryPeer node to SentryPeerHQ.\n\n```mermaid\nsequenceDiagram\n    actor A as Attacker\n    participant S as SentryPeer Node\n    participant DS as Data Store\n    participant W as WebHook \u003cbr/\u003eEndpoint\n    Note over DS: sqlite/json log/syslog \u003cbr/\u003e(if enabled)\n    Note over W: if enabled\n    A-\u003e\u003eS: SIP probe OPTIONS/REGISTER/etc\n    S-\u003e\u003eDS: Save event\n    S-\u003e\u003eW: Send event\n    W-\u003e\u003eS: 200 OK\n    S-\u003e\u003eA: 200 OK\n    A-\u003e\u003eS: INVITE sip:00046500729221@\n```\n\n#### SentryPeer Node to SentryPeerHQ\n\n```mermaid\nsequenceDiagram\n    actor A as Attacker\n    participant S as SentryPeer Node\n    participant DS as Data Store\n    participant HQ as SentryPeerHQ\n    Note over DS: sqlite/json log/syslog (if enabled)\n    Note over HQ: OAuth2 creds required.\u003cbr/\u003e if using https://sentrypeer.com\n    A-\u003e\u003eS: SIP probe OPTIONS/REGISTER/etc\n    S-\u003e\u003eDS: Save event\n    S-\u003e\u003eHQ: Send event\n    HQ-\u003e\u003eS: 201 Created\n    S-\u003e\u003eA: 200 OK\n    A-\u003e\u003eS: INVITE sip:00046500729221@\n```\n\n#### Using the SentryPeer Node and SentryPeerHQ API\n\n```mermaid\nsequenceDiagram\n    Actor U as User\n    participant S as SentryPeer Node/HQ API\n    Note over S: if enabled\n    U-\u003e\u003eS: GET /numbers\n    S-\u003e\u003eU: 200 OK Return all Phone numbers seen in database\n```\n\n#### Integrating with your own systems\n\n```mermaid\nsequenceDiagram\n    participant D as Device\n    participant P as PBX/ITSP/Carrier\n    participant HQ as SentryPeer Node/HQ API\n    participant N as NOC\n    Note over P: Integration with 
\u003cbr/\u003eSentryPeer needed\n    Note over N: Consumes alerts\n    Note over HQ: OAuth2 creds required\u003cbr/\u003e if using SentryPeerHQ\n    Note over P,HQ: API rate limiting if using SentryPeerHQ\n    D-\u003e\u003eP: SIP INVITE\n    P-\u003e\u003eHQ: Have you seen attackers call this number?\n    HQ-\u003e\u003eP: Yes, this has been seen on SentryPeer Nodes\n    HQ-\u003e\u003eN: WebHook/Email/Slack\n    Note over HQ,N: Only if using SentryPeerHQ\n    P-\u003e\u003eD: I'm blocking this call. Sorry\n```\n\n### :construction: Features\n\n- [x] All code [Free/Libre and Open Source Software](https://www.gnu.org/philosophy/floss-and-foss.en.html)\n- [x] FAST\n- [x] User _owns their_ data\n- [x] User can submit their own data if they want to (you need to enable p2p mode - `-p`) \n- [x] User gets other users' data **ONLY IF** they opt in to submit their data to the pool\n- [x] Embedded Distributed Hash Table (DHT) node using [OpenDHT](https://github.com/savoirfairelinux/opendht/wiki/Running-a-node-in-your-program) (`-p` cli option)\n- [x] Peer to Peer **sharing** of collected bad_actors using [OpenDHT](https://github.com/savoirfairelinux/opendht) (default off)\n- [x] Peer to Peer data replication to **receive** collected bad_actors using [OpenDHT](https://github.com/savoirfairelinux/opendht) (default off)\n- [x] Set your own DHT bootstrap node (`-b` cli option)\n- [x] Multithreaded\n- [x] UDP transport\n- [x] TCP transport\n- [x] TLS transport\n- [x] [JSON logging](#json-log-format) to a file\n- [x] SIP mode can be disabled. This allows you to run SentryPeer in API mode or DHT mode only etc. 
i.e.\n  not as a honeypot, but as a node in the SentryPeer community or to just serve replicated data\n- [x] SIP responsive mode can be enabled to collect data - cli / env flag   \n- [x] **Local** data copy for **fast access** - cli / env db location flag\n- [x] **Local** API for **fast access** - cli / env flag\n- [x] WebHook for POSTing bad actor json to a central location - cli / env flag\n- [x] Integration with [SentryPeerHQ](https://sentrypeer.com) via OAuth2 bearer token\n- [x] Query API for IP addresses of bad actors\n- [ ] Query API for IPSET of bad actors\n- [x] Query API for a particular IP address of a bad actor\n- [x] Query API for attempted phone numbers called by bad actors\n- [x] Query API for an attempted phone number called by a bad actor\n- [x] [Fail2Ban](https://www.fail2ban.org/wiki/index.php/Main_Page) support via `syslog` as per [feature request](https://github.com/SentryPeer/SentryPeer/issues/6)\n- [x] Local [sqlite](https://www.sqlite.org/index.html) database - feature / cli flag\n- [ ] Analytics - opt in\n- [ ] SDKs/libs for external access - [CGRateS](https://github.com/cgrates/cgrates) to start with or our own firewall with nftables\n- [x] Small binary size for IoT usage\n- [x] Cross-platform\n- [x] Firewall options to use distributed data in real time\n- [x] Container on [Docker Hub for latest build](https://hub.docker.com/r/sentrypeer/sentrypeer)\n- [ ] BGP agent to peer with for blackholing collected IP addresses (similar to [Team Cymru Bogon Router Server Project](https://team-cymru.com/community-services/bogon-reference/bogon-reference-bgp/))\n- [ ] SIP agent to return 404 or default destination for SIP redirects\n\n### Talks\n\n- ClueCon Weekly 2023 - https://www.youtube.com/watch?v=iuN_MtVfT6g\n- UKNOF49 2022 ([presentation slides](https://indico.uknof.org.uk/event/59/contributions/801/attachments/1033/1520/UKNOF-49-2022-SentryPeer.pdf)) - https://indico.uknof.org.uk/event/59/contributions/801/\n- ClueCon Weekly 2022 - 
https://youtu.be/DFxGHJI_0Wg\n- CommCon 2021 - https://2021.commcon.xyz/talks/sentrypeer-a-distributed-peer-to-peer-list-of-bad-ip-addresses-and-phone-numbers-collected-via-a-sip-honeypot\n- TADSummit 2021 - https://blog.tadsummit.com/2021/11/17/sentrypeer/\n\n### Adoption\n\n* [Kali Linux](https://pkg.kali.org/pkg/sentrypeer)\n* Deutsche Telekom [T-Pot - The All In One Honeypot Platform](https://github.com/telekom-security/tpotce) [v22](https://github.com/telekom-security/tpotce/releases/tag/22.04.0) onwards \n\n![Matrix](https://img.shields.io/matrix/sentrypeer:matrix.org?label=matrix\u0026logo=matrix)\n[![slack](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true\u0026logo=slack\u0026colorB=brightgreen)](https://join.slack.com/t/sentrypeer/shared_invite/zt-zxsmfdo7-iE0odNT2XyKLP9pt0lgbcw)\n[![SentryPeer on Twitter](https://img.shields.io/badge/follow-twitter-blue)](https://twitter.com/SentryPeer)\n\n### Design\n\nI started this because I wanted to do [C network programming](https://github.com/codeplea/Hands-On-Network-Programming-with-C) as all the projects I use daily are in C like [PostgreSQL](https://www.postgresql.org/), [OpenLDAP](https://www.openldap.org/), [FreeSWITCH](https://freeswitch.com/), [OpenSIPS](https://opensips.org/),\n[Asterisk](https://www.asterisk.org/) etc. See\n[Episode 414: Jens Gustedt on Modern C](https://www.se-radio.net/2020/06/episode-414-jens-gustedt-on-modern-c/) for why [C](https://en.wikipedia.org/wiki/C_(programming_language)) is a good choice.  For those interested, see my full podcast show list (https://www.se-radio.net/team/gavin-henry/) for [Software Engineering Radio](https://www.se-radio.net/)\n\n### Docker\n\nYou can run the latest version of SentryPeer with [Docker](https://www.docker.com/). 
The latest version is available from [Docker Hub](https://hub.docker.com/r/sentrypeer/sentrypeer/).\nOr build it yourself:\n\n    sudo docker build --no-cache -t sentrypeer .\n    sudo docker run -d -p 5060:5060/tcp -p 5061:5061/tcp -p 5060:5060/udp -p 8082:8082 -p 4222:4222/udp sentrypeer:latest\n\nThen you can check at `http://localhost:8082/ip-addresses` and `http://localhost:8082/health-check` to see if it's running.\n\n#### Environment Variables\n\n    ENV SENTRYPEER_CONFIG_FILE=/my/location/sentrypeer.toml\n    ENV SENTRYPEER_DB_FILE=/my/location/sentrypeer.db\n    ENV SENTRYPEER_API=1\n    ENV SENTRYPEER_WEBHOOK=1\n    ENV SENTRYPEER_WEBHOOK_URL=https://my.webhook.url/events\n    ENV SENTRYPEER_OAUTH2_CLIENT_ID=1234567890\n    ENV SENTRYPEER_OAUTH2_CLIENT_SECRET=1234567890\n    ENV SENTRYPEER_SIP_RESPONSIVE=1\n    ENV SENTRYPEER_SIP_DISABLE=1\n    ENV SENTRYPEER_SYSLOG=1\n    ENV SENTRYPEER_PEER_TO_PEER=1\n    ENV SENTRYPEER_BOOTSTRAP_NODE=mybootstrapnode.com\n    ENV SENTRYPEER_JSON_LOG=1\n    ENV SENTRYPEER_JSON_LOG_FILE=/my/location/sentrypeer_json.log\n    ENV SENTRYPEER_VERBOSE=1\n    ENV SENTRYPEER_DEBUG=1\n    ENV SENTRYPEER_CERT=/my/location/sentrypeer-crt.pem\n    ENV SENTRYPEER_KEY=/my/location/sentrypeer-key.pem\n    ENV SENTRYPEER_TLS_LISTEN_ADDRESS=0.0.0.0:5061\n\nEither set these in the Dockerfile or in your `Dockerfile.env` file or `docker run` command.\n\nSetting any of these to `0` will also _enable_ the feature. We _don't care_ what you set it to, just that it's set.\n\n#### Configuration File\n\nYou can also use a configuration file to set certain things. Mainly the TLS configuration\nbelow. The default location is `~/.config/sentrypeer/default-config.toml`, but you can \nchange this with the `SENTRYPEER_CONFIG_FILE` environment variable or `-g` cli option.\n\n#### TLS Configuration\n\nTo use your own certs, you can either set the appropriate ENV vars, cli arguments \nor use the configuration file. 
For example:\n\n```\ncat ~/.config/sentrypeer/default-config.toml \ncert = \"tests/unit_tests/127.0.0.1.pem\"\nkey = \"tests/unit_tests/127.0.0.1-key.pem\"\ntls_listen_address = \"0.0.0.0:5061\"\n```\n\nIf you don't set these, a certificate for localhost will be automatically \ngenerated in the directory that sentrypeer is run from, creating a `cert.pem` and\na `key.pem` file.\n\n### Installation\n\nDebian or Fedora packages are always available from the release page for the current version of SentryPeer:\n\n   https://github.com/SentryPeer/SentryPeer/releases\n\n#### Homebrew (macOS or Linux):\n\nWe have a [Homebrew Tap for this project](https://github.com/SentryPeer/homebrew-sentrypeer) (until we get more popular):\n\n    brew tap sentrypeer/sentrypeer\n    brew install sentrypeer\n\n#### Alpine Linux:\n\nSentryPeer is in [testing on Alpine Linux](https://gitlab.alpinelinux.org/alpine/aports/-/tree/master/testing/sentrypeer), so you can install it with the following command:\n\n    apk -U add --no-cache -X https://dl-cdn.alpinelinux.org/alpine/edge/testing sentrypeer\n\n#### Ubuntu Package\n\nYou can install SentryPeer from [our Ubuntu PPA](https://launchpad.net/~gavinhenry/+archive/ubuntu/sentrypeer) which\nis currently for Ubuntu 20 LTS (Focal Fossa):\n\n    sudo apt install software-properties-common\n    sudo add-apt-repository ppa:gavinhenry/sentrypeer\n    sudo apt-get update\n\nThis PPA can be added to your system manually by copying the lines below and adding them to your system's software \nsources:\n\n    deb https://ppa.launchpadcontent.net/gavinhenry/sentrypeer/ubuntu focal main \n    deb-src https://ppa.launchpadcontent.net/gavinhenry/sentrypeer/ubuntu focal main\n\nThen you can install SentryPeer:\n\n    sudo apt-get install sentrypeer\n\n#### Building from source\n\nYou have two options for installation from source: CMake or autotools. Autotools is recommended at the moment. 
A release is an autotools build.\n\nIf you are a Fedora user, you can install this via [Fedora copr](https://copr.fedorainfracloud.org/coprs/):\n\n[https://copr.fedorainfracloud.org/coprs/ghenry/SentryPeer/](https://copr.fedorainfracloud.org/coprs/ghenry/SentryPeer/)\n\nIf you are going to build from this repository, you will need to have the following installed:\n\n  - `git`, `autoconf`, `automake` and `autoconf-archive` (Debian/Ubuntu)\n  - `libtool`, `rustc` and `cargo` (Fedora)\n  - `libosip2-dev` (Debian/Ubuntu) or `libosip2-devel` (Fedora)\n  - `libsqlite3-dev` (Debian/Ubuntu) or `sqlite-devel` (Fedora)\n  - `uuid-dev` (Debian/Ubuntu) or `libuuid-devel` (Fedora)\n  - `libmicrohttpd-dev` (Debian/Ubuntu) or `libmicrohttpd-devel` (Fedora)\n  - `libjansson-dev` (Debian/Ubuntu) or `jansson-devel` (Fedora)\n  - `libpcre2-dev` (Debian/Ubuntu) or `pcre2-devel` (Fedora)\n  - `libcurl-dev` (Debian/Ubuntu) or `libcurl-devel` (Fedora)\n  - `libcmocka-dev` (Debian/Ubuntu) or `libcmocka-devel` (Fedora) - for unit tests\n\nDebian/Ubuntu:\n\n    sudo apt-get install git build-essential clang autoconf-archive autoconf \\\n    automake libtool cmake libosip2-dev libsqlite3-dev libcmocka-dev uuid-dev \\\n    libcurl4-openssl-dev libpcre2-dev libjansson-dev libmicrohttpd-dev libclang-dev\n\nFedora:\n\n    sudo dnf install git clang pkg-config autoconf automake autoconf-archive \\\n    libtool libosip2-devel sqlite-devel libcmocka-devel libuuid-devel \\\n    libmicrohttpd-devel jansson-devel libcurl-devel pcre2-devel cmake \\\n    clang-libs clang\n\nmacOS:\n\n    brew install git libtool autoconf automake autoconf-archive libosip cmocka \\\n    libmicrohttpd jansson curl pcre2 pkg-config opendht ossp-uuid cmake \n\nRust:\n\n    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n\nthen (make check is highly recommended):\n\n    ./bootstrap.sh\n    ./configure\n    make\n    make check\n    make install\n\nCMake:\n\n    cmake -S . 
-B build -DUNIT_TESTING=ON\n    cmake --build build\n    ctest --test-dir build\n    cmake --install build\n\n### Running SentryPeer\n\nOnce built, you can run like so to start in **debug mode**, **respond** to SIP probes, enable the **RESTful API**, \nenable WebHooks and enable syslog logging ([use a package](https://github.com/SentryPeer/SentryPeer/releases) if you want [systemd](https://www.freedesktop.org/wiki/Software/systemd/)):\n\n    ./sentrypeer -draps\n    SentryPeer node id: e5ac3a88-3d52-4e84-b70c-b2ce83992d02\n    Starting sentrypeer...\n    API mode enabled, starting http daemon...\n    SIP mode enabled...\n    Peer to Peer DHT mode enabled...\n    Starting peer to peer DHT mode using OpenDHT-C lib version '2.4.0'...\n    Configuring local address...\n    Creating sockets...\n    Binding sockets to local address...\n    Listening for incoming UDP connections...\n    SIP responsive mode enabled. Will reply to SIP probes...\n    Listening for incoming TCP connections...\n    Peer to peer DHT mode started.\n    DHT InfoHash for key 'bad_actors' is: 14d30143330e2e0e922ed4028a60ff96a59800ad\n    Bootstrapping the DHT\n    Waiting 5 seconds for bootstrapping to bootstrap.sentrypeer.org...\n    Listening for changes to the bad_actors DHT key\n\n\nwhen you get a probe request, you can see something like the following in the terminal:\n\n```bash\nReceived (411 bytes): OPTIONS sip:100@XXX.XXX.XXX.XXX SIP/2.0\nVia: SIP/2.0/UDP 91.223.3.152:5173;branch=z9hG4bK-515761064;rport\nContent-Length: 0\nFrom: \"sipvicious\"\u003csip:100@1.1.1.1\u003e;tag=6434396633623535313363340131363131333837383137\nAccept: application/sdp\nUser-Agent: friendly-scanner\nTo: \"sipvicious\"\u003csip:100@1.1.1.1\u003e\nContact: sip:100@91.223.3.152:5173\nCSeq: 1 OPTIONS\nCall-ID: 679894155883566215079442\nMax-Forwards: 70\n\n\nread_packet_buf size is: 1024: \nread_packet_buf length is: 468: \nbytes_received size is: 411: \n\nBad Actor is:\nEvent Timestamp: 2021-11-23 
20:13:36.427515810\nEvent UUID: fac3fa20-8c2c-445b-8661-50a70fa9e873\nSIP Message: OPTIONS sip:100@XXX.XXX.XXX.XXX SIP/2.0\nVia: SIP/2.0/UDP 91.223.3.152:5173;branch=z9hG4bK-515761064;rport\nFrom: \"sipvicious\" \u003csip:100@1.1.1.1\u003e;tag=6434396633623535313363340131363131333837383137\nTo: \"sipvicious\" \u003csip:100@1.1.1.1\u003e\nCall-ID: 679894155883566215079442\nCSeq: 1 OPTIONS\nContact: \u003csip:100@91.223.3.152:5173\u003e\nAccept: application/sdp\nUser-agent: friendly-scanner\nMax-forwards: 70\nContent-Length: 0\n\n\nSource IP: 193.107.216.27\nCalled Number: 100\nSIP Method: OPTIONS\nTransport Type: UDP\nUser Agent: friendly-scanner\nCollected Method: responsive\nCreated by Node Id: fac3fa20-8c2c-445b-8661-50a70fa9e873\nSentryPeer db file location is: sentrypeer.db\nDestination IP address of UDP packet is: xx.xx.xx.xx\n```\n\nYou can see the data in the sqlite3 database called `sentrypeer.db` using [sqlitebrowser](https://sqlitebrowser.org/) or sqlite3 command line tool.\n\nHere's a screenshot of the database opened using [sqlitebrowser](https://sqlitebrowser.org/) (it's big, so I'll just link to the image):\n\n[sqlitebrowser exploring the sentrypeer.db](./screenshots/SentryPeer-sqlitebrowser.png)\n\n### WebHook\n\nThere is a WebHook to POST a [JSON Log Format](#json-log-format) payload to [SentryPeerHQ](https://github.com/SentryPeer/SentryPeerHQ) or\nyour own WebHook endpoint.  The WebHook is **not** enabled by default. You can configure the WebHook URL via `-w` or set \nthe `SENTRYPEER_WEBHOOK_URL` env variable.\n\nIf using [SentryPeer SaaS](https://sentrypeer.com) you need to get your client id and client secret from the \nDashboard and set the `SENTRYPEER_OAUTH2_CLIENT_ID` and `SENTRYPEER_OAUTH2_CLIENT_SECRET` env variables or use the `-i` and `-c` flags.\n\n### RESTful API \n\nThe RESTful API is complete for the current use cases. 
Please click the Watch button to be notified when more things come out :-)\n\n#### Endpoint /health-check\n\nQuery the API to see if it's alive:\n\n```bash\ncurl -v -H \"Content-Type: application/json\" http://localhost:8082/health-check\n\n* Connected to localhost (127.0.0.1) port 8082 (#0)\n\u003e GET /health-check HTTP/1.1\n\u003e Host: localhost:8082\n\u003e User-Agent: curl/7.79.1\n\u003e Accept: */*\n\u003e Content-Type: application/json\n\u003e \n* Mark bundle as not supporting multiuse\n\u003c HTTP/1.1 200 OK\n\u003c Date: Mon, 24 Apr 2022 11:16:25 GMT\n\u003c Content-Type: application/json\n\u003c Access-Control-Allow-Origin: *\n\u003c X-Powered-By: SentryPeer\n\u003c X-SentryPeer-Version: 1.4.0\n\u003c Content-Length: 81\n\u003c \n{\n  \"status\": \"OK\",\n  \"message\": \"Hello from SentryPeer!\",\n  \"version\": \"1.0.0\"\n}\n```\n\n#### Endpoint /ip-addresses\n\nList all the IP addresses that have been seen by SentryPeer:\n\n```bash\ncurl -v -H \"Content-Type: application/json\" http://localhost:8082/ip-addresses\n\n* Connected to localhost (127.0.0.1) port 8082 (#0)\n\u003e GET /ip-addresses HTTP/1.1\n\u003e Host: localhost:8082\n\u003e User-Agent: curl/7.79.1\n\u003e Accept: */*\n\u003e Content-Type: application/json\n\u003e \n* Mark bundle as not supporting multiuse\n\u003c HTTP/1.1 200 OK\n\u003c Date: Mon, 24 Jan 2022 11:17:05 GMT\n\u003c Content-Type: application/json\n\u003c Access-Control-Allow-Origin: *\n\u003c X-Powered-By: SentryPeer\n\u003c X-SentryPeer-Version: 1.0.0\n\u003c Content-Length: 50175\n\u003c \n{\n  \"ip_addresses_total\": 396,\n  \"ip_addresses\": [\n    {\n      \"ip_address\": \"193.107.216.27\",\n      \"seen_last\": \"2022-01-11 13:30:48.703603359\",\n      \"seen_count\": \"1263\"\n    },\n    {\n      \"ip_address\": \"193.46.255.152\",\n      \"seen_last\": \"2022-01-11 13:28:27.348926406\",\n      \"seen_count\": \"3220\"\n    }\n    ...\n  ]\n}\n```\n\n#### Endpoint /ip-addresses/{ip-address}\n\nQuery a single 
IP address:\n\n```bash\ncurl -v -H \"Content-Type: application/json\" http://localhost:8082/ip-addresses/8.8.8.8\n\n* Connected to localhost (127.0.0.1) port 8082 (#0)\n\u003e GET /ip-addresses/8.8.8.8 HTTP/1.1\n\u003e Host: localhost:8082\n\u003e User-Agent: curl/7.79.1\n\u003e Accept: */*\n\u003e Content-Type: application/json\n\u003e \n* Mark bundle as not supporting multiuse\n\u003c HTTP/1.1 404 Not Found\n\u003c Date: Mon, 24 Jan 2022 11:17:57 GMT\n\u003c Content-Type: application/json\n\u003c Access-Control-Allow-Origin: *\n\u003c X-Powered-By: SentryPeer\n\u003c X-SentryPeer-Version: 1.0.0\n\u003c Content-Length: 33\n\u003c \n* Connection #0 to host localhost left intact\n{\n  \"message\": \"No bad actor found\"\n}\n```\n\n#### Endpoint /numbers \n\nList all the called numbers that have been seen by SentryPeer:\n\n```bash\ncurl -v -H \"Content-Type: application/json\" http://localhost:8082/numbers\n\n* Connected to localhost (127.0.0.1) port 8082 (#0)\n\u003e GET /numbers HTTP/1.1\n\u003e Host: localhost:8082\n\u003e User-Agent: curl/8.0.1\n\u003e Accept: */*\n\u003e Content-Type: application/json\n\u003c Date: Thu, 27 Jul 2023 11:10:35 GMT\n\u003c Content-Type: application/json\n\u003c Access-Control-Allow-Origin: *\n\u003c X-Powered-By: SentryPeer\n\u003c X-SentryPeer-Version: 4.0.0\n\u003c Content-Length: 31746258\n\n\n {\n  \"called_numbers_total\": 244850,\n  \"called_numbers\": [\n    {\n      \"called_number\": \"981046500729221\",\n      \"seen_last\": \"2023-07-27 12:06:59.388055505\",\n      \"seen_count\": \"451\"\n    },\n    {\n      \"called_number\": \"81046500729221\",\n      \"seen_last\": \"2023-07-27 12:05:19.206442003\",\n      \"seen_count\": \"453\"\n    },\n    {\n      \"called_number\": \"100\",\n      \"seen_last\": \"2023-07-27 11:59:57.679798597\",\n      \"seen_count\": \"17335\"\n    },\n    ....\n```\n\n#### Endpoint /numbers/{phone-number}\n\nQuery a phone number a bad actor tried to call with optional `+` 
prefix:\n\n```bash\ncurl -v -H \"Content-Type: application/json\" http://localhost:8082/numbers/8784946812410967\n\n* Connected to localhost (127.0.0.1) port 8082 (#0)\n\u003e GET /numbers/8784946812410967 HTTP/1.1\n\u003e Host: localhost:8082\n\u003e User-Agent: curl/7.79.1\n\u003e Accept: */*\n\u003e Content-Type: application/json\n\u003e \n\u003c HTTP/1.1 200 OK\n\u003c Date: Mon, 24 Jan 2022 11:19:53 GMT\n\u003c Content-Type: application/json\n\u003c Access-Control-Allow-Origin: *\n\u003c X-Powered-By: SentryPeer\n\u003c X-SentryPeer-Version: 1.0.0\n\u003c Content-Length: 46\n\u003c \n{\n  \"phone_number_found\": \"8784946812410967\"\n}\n```\n\n### Syslog and Fail2ban\n\nWith `sentrypeer -s`, you parse syslog and use Fail2Ban to block the IP address of the bad actor:\n\n```syslog\nNov 30 21:32:16 localhost.localdomain sentrypeer[303741]: Source IP: 144.21.55.36, Method: OPTIONS, Agent: sipsak 0.9.7\n```\n\n### JSON Log Format \n\nWith `sentrypeer -j`, you can produce a JSON log file of the bad actor's IP address and the phone number they tried to call \nplus other metadata (set a custom log file location with `-l`):\n\n```json\n{\n   \"app_name\":\"sentrypeer\",\n   \"app_version\":\"v1.4.0\",\n   \"event_timestamp\":\"2022-02-22 11:19:15.848934346\",\n   \"event_uuid\":\"4503cc92-26cb-4b3e-bb33-69a83fa09321\",\n   \"created_by_node_id\":\"4503cc92-26cb-4b3e-bb33-69a83fa09321\",\n   \"collected_method\":\"responsive\",\n   \"transport_type\":\"UDP\",\n   \"source_ip\":\"45.134.144.128\",\n   \"destination_ip\":\"XX.XX.XX.XX\",\n   \"called_number\":\"0046812118532\",\n   \"sip_method\":\"OPTIONS\",\n   \"sip_user_agent\":\"friendly-scanner\",\n   \"sip_message\":\"full SIP message\"\n}\n```\n\n### Command Line Options\n\n```bash\n./sentrypeer -h\nProtect your SIP Servers from bad actors at https://sentrypeer.com\n\nUsage: sentrypeer [OPTIONS]\n\nOptions:\n  -f \u003cDB_FILE\u003e                 Set 'sentrypeer.db' location or use SENTRYPEER_DB_FILE env\n  -j   
                        Enable json logging or use SENTRYPEER_JSON_LOG env\n  -p                           Enable Peer to Peer mode or use SENTRYPEER_PEER_TO_PEER env\n  -b \u003cBOOTSTRAP_NODE\u003e          Set Peer to Peer bootstrap node or use SENTRYPEER_BOOTSTRAP_NODE env\n  -i \u003cCLIENT_ID\u003e               Set OAuth 2 client ID or use SENTRYPEER_OAUTH2_CLIENT_ID env to get a Bearer token for WebHook\n  -c \u003cCLIENT_SECRET\u003e           Set OAuth 2 client secret or use SENTRYPEER_OAUTH2_CLIENT_SECRET env to get a Bearer token for WebHook\n  -a                           Enable RESTful API mode or use SENTRYPEER_API env\n  -w \u003cWEBHOOK_URL\u003e             Set WebHook URL for bad actor json POSTs or use SENTRYPEER_WEBHOOK_URL env\n  -r                           Enable SIP responsive mode or use SENTRYPEER_SIP_RESPONSIVE env\n  -R                           Disable SIP mode completely or use SENTRYPEER_SIP_DISABLE env\n  -l \u003cJSON_LOG_FILE\u003e           Set JSON logfile (default './sentrypeer_json.log') location or use SENTRYPEER_JSON_LOG_FILE env\n  -N                           Disable Rust powered TCP, UDP and TLS or use SENTRYPEER_TLS_DISABLE env\n  -t \u003cTLS_CERT_FILE\u003e           Set TLS cert location (default './cert.pem') or use SENTRYPEER_CERT env\n  -k \u003cTLS_KEY_FILE\u003e            Set TLS key location (default './key.pem') or use SENTRYPEER_KEY env\n  -z \u003cTLS_LISTEN_ADDRESS\u003e      Set TLS listen address (default '0.0.0.0:5061') or use SENTRYPEER_TLS_LISTEN_ADDRESS env\n  -g \u003cCONFIG_FILE\u003e             Set config file location or use SENTRYPEER_CONFIG_FILE env\n  -s                           Enable syslog logging or use SENTRYPEER_SYSLOG env\n  -v                           Enable verbose logging or use SENTRYPEER_VERBOSE env\n  -d                           Enable debug mode or use SENTRYPEER_DEBUG env\n  -h, --help                   Print help\n  -V, --version                Print version\n```\n\n### IPv6 
Multicast Address\n\nThe project has an IANA-assigned IPv6 multicast address for sending messages between SentryPeer peers.\n\n    Addresses: FF0X:0:0:0:0:0:0:172\n    Description: SentryPeer\n    Contact: Gavin Henry \u003cghenry at sentrypeer.org\u003e\n    Registration Date: 2022-01-26\n\nPlease see http://www.iana.org/assignments/ipv6-multicast-addresses\n\nIn the assigned variable-scope address, which can also be listed as \"FF0X::172\" for short, the \"X\" denotes any possible scope.\n\n### License\n\n[![AGPLv3](https://camo.githubusercontent.com/473b62766b498e4f2b008ada39f1d56fb3183649f24447866e25d958ac3fd79a/68747470733a2f2f7777772e676e752e6f72672f67726170686963732f6167706c76332d3135357835312e706e67)](https://www.gnu.org/licenses/why-affero-gpl.en.html)\n \nGreat reading - [How to choose a license for your own work](https://www.gnu.org/licenses/license-recommendations.en.html)\n\nThis work is dual-licensed under GPL 2.0 and GPL 3.0.\n\n`SPDX-License-Identifier: GPL-2.0-only OR GPL-3.0-only`\n\n### Contributing\n\nSee [CONTRIBUTING](./CONTRIBUTING.md)\n\n### Project Website\n\nhttps://sentrypeer.org\n\n### Trademark\n\n[**SENTRYPEER** is a registered trademark](https://trademarks.ipo.gov.uk/ipo-tmcase/page/Results/1/UK00003700947) of Gavin Henry\n\n### Questions, Bug reports, Feature Requests\n\nNew issues can be raised at:\n\nhttps://github.com/SentryPeer/SentryPeer/issues\n\nIt's okay to raise an issue to ask a question.\n\n### Special Thanks\n\nSpecial thanks to:\n  - [Deutsche Telekom Security GmbH](https://github.com/telekom-security) for sponsoring us!\n  - [psanders](https://github.com/psanders) from the [Routr](https://github.com/fonoster/routr) project for [tips on re-working this README.md](https://mobile.twitter.com/pedrosanders_/status/1554572884714070019) file.\n  - [Fly.io](https://fly.io) for crediting the SentryPeer account for hosting the [SentryPeer HQ web app](https://sentrypeer.com) on their infrastructure\n  - 
[AppSignal](https://www.appsignal.com/) for Application performance monitoring sponsorship in the [SentryPeer HQ web app](https://sentrypeer.com)\n  - [David Miller](http://davidmiller.io/) for the design of the SentryPeer [Web GUI theme](./web-gui-theme) and [logo](./web-gui-theme/src/assets/logo.svg). Very kind of you!\n  - [@garymiller](https://github.com/garyemiller) for the feature request of syslog and Fail2ban as per [ Fail2ban Integration via syslog #6](https://github.com/SentryPeer/SentryPeer/issues/6) \n  - [@joejag](https://github.com/joejag) for the [Pull Request](https://github.com/SentryPeer/SentryPeer/pull/19) for the start of [Terraform recipes to launch SentryPeer on different cloud providers #12](https://github.com/SentryPeer/SentryPeer/issues/12)\n\n### Sponsorship\n\nSpecial thanks to [Deutsche Telekom Security GmbH](https://github.com/telekom-security) for sponsoring us! Very kind!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSentryPeer%2FSentryPeer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSentryPeer%2FSentryPeer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSentryPeer%2FSentryPeer/lists"}