Thread: Project honeypot integration?

  1. #1
    Join Date
    Oct 2006
    Posts
    43

    Project honeypot integration?

    Botnets are constantly trying to brute force into this or that e-mail account in my server. The limits help, but they just keep trying slowly and with different IP addresses every time. It's annoying to receive notifications and to have to block them manually.

    It just so happens that I noticed many of these IPs are already known as malicious by project honeypot. CSF can retrieve the list of IPs from their RSS feed, but it only provides the 25 latest entries (likewise for the user interface; 50 if you're logged in). But they do seem to have an API with various example implementations.

    Has anyone been able to integrate their DA/dovecot install with PH in order to automatically check and block addresses that are blacklisted before they attempt to log in? Any ideas?

  2. #2
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,548
    It's annoying to receive notifications and to have to block them manually.
    I disabled those notifications and they are blocked automatically (tempban) at our servers, maybe that's an idea too.

    However, the way you mention it is also interesting, so I'm also interested in ideas about this.
    Greetings, Richard.

  3. #3
    Join Date
    Aug 2015
    Posts
    314
    Why not use it with CSF block lists?
    Kind regards, Fred

    Alentejo Webdesign
    Webdesign with Passion is what we do
    Web development, Hosting, Speed Optimizing & More......

  4. #4
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,548
    Because CSF uses iptables and blocks IPs in iptables, which will let your amount of lines grow very big.
    Which it already can become by blocking all kinds of hacking attempts.

    If you can already refuse on connection time this way, it might come in handy and no iptables block line is necessary.
    Greetings, Richard.

  5. #5
    Join Date
    Oct 2006
    Posts
    43
    Awd, do you have a way to do this with csf blocklists? If I block everyone who fails a bunch of times permanently I'm blocking innocent people who just entered their password wrong in outlook or something. If I block them temporarily, usually botnets have enough bots to cycle through individual IPs during the time a reasonable temporary block would last. If you mean block the addresses in project honeypot to begin with (not the ones hitting the brute force monitor), as far as I know, they don't make their full list available; only tests against specific addresses.
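
The per-address test mentioned in #1 and #5 is Project Honeypot's http:BL DNS lookup. The sketch below is an added example, not part of any post in this thread: it builds the query name and decodes the answer. The access key is a placeholder, the sample answers in the comments are constructed, and the age and threat thresholds are assumptions to tune.

```python
import ipaddress
import socket

HTTPBL_ZONE = "dnsbl.httpbl.org"
# Bit flags carried in the last octet of an http:BL answer.
TYPE_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment_spammer"}

def httpbl_query_name(access_key, ip):
    """Build <key>.<reversed IPv4 octets>.dnsbl.httpbl.org for one address."""
    addr = ipaddress.IPv4Address(ip)  # this example handles IPv4 only; raises on bad input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{access_key}.{reversed_octets}.{HTTPBL_ZONE}"

def parse_httpbl_answer(answer):
    """Decode an A record of the form 127.<days>.<threat>.<type>; None if malformed."""
    try:
        first, days, threat, visitor_type = (int(p) for p in answer.split("."))
    except ValueError:
        return None
    if first != 127:
        return None  # anything else means the query itself was not valid
    if visitor_type == 0:
        kinds = ["search_engine"]  # type 0: third octet is an engine id, not a score
    else:
        kinds = [name for bit, name in TYPE_FLAGS.items() if visitor_type & bit]
    return {"days_since_seen": days, "threat_score": threat, "kinds": kinds}

def should_block(verdict, max_age_days=30, min_threat=25):
    """Thresholds are assumptions: recent sightings with a non-trivial score only."""
    if verdict is None or verdict["kinds"] == ["search_engine"]:
        return False
    return (verdict["days_since_seen"] <= max_age_days
            and verdict["threat_score"] >= min_threat)

def check_ip(access_key, ip, resolve=socket.gethostbyname):
    """True if the address is listed and passes the thresholds."""
    try:
        answer = resolve(httpbl_query_name(access_key, ip))
    except socket.gaierror:
        # NXDOMAIN (not listed) or resolver trouble: fail open so a DNS
        # outage does not lock legitimate users out of their mailboxes.
        return False
    return should_block(parse_httpbl_answer(answer))

if __name__ == "__main__":
    # Constructed answer, no network needed: seen 3 days ago, score 40, type 5.
    print(check_ip("abcdefghijkl", "192.0.2.10", resolve=lambda name: "127.3.40.5"))
```

Because each lookup is a single DNS query, a local caching resolver keeps repeated checks of the same address cheap.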

  6. #6
    Join Date
    Aug 2015
    Posts
    314
    Kind regards, Fred

  7. #7
    Join Date
    Oct 2006
    Posts
    43
    Awd, thank you so much for the help, but like I said in #1 and #5, Project Honeypot merely makes available as a list the last 25 IP addresses they've seen. You can easily confirm this by visiting the source URL for the blocklist ( http://www.projecthoneypot.org/list_....php?t=d&rss=1 ) and also by checking your iptables rules after loading csf. This doesn't help with IP addresses that are on their list but weren't seen by their honeypots very recently.

  8. #8
    Join Date
    Aug 2015
    Posts
    314
    You are right, to be honest, never realized that only the last 25 IP addresses were in the RSS feed. Still learning every day.
    Maybe someone else has great ideas?
    Kind regards, Fred
