View Full Version : Project honeypot integration?

09-12-2018, 11:23 AM
Botnets are constantly trying to brute force into this or that e-mail account in my server. The limits help, but they just keep trying slowly and with different IP addresses every time. It's annoying to receive notifications and to have to block them manually.

It just so happens that I noticed many of these IPs are already known as malicious by project honeypot. CSF can retrieve the list of IPs from their RSS feed, but it only provides the 25 latest entries (likewise for the user interface; 50 if you're logged in). But they do seem to have an API with various example implementations.

Has anyone been able to integrate their DA/dovecot install with PH in order to automatically check and block addresses that are blacklisted before they attempt to log in? Any ideas?

Richard G
09-12-2018, 11:38 AM
It's annoying to receive notifications and to have to block them manually.
I disabled those notifications and they are blocked automatically (tempban) at our servers, maybe that's an idea too.

However, the way you mention it is also interesting, so I'm also interested in idea's about this.

09-13-2018, 04:02 AM
Why not use it with CSF block lists?

Richard G
09-13-2018, 04:59 AM
Because CSF uses iptables and blocks ip's in iptables which will let your amount of lines grow very big.
Which it already can become by blocking all kinds of hacking attempts.

If you can already refuse on connection time this way, it might come in handy and no iptables block line is necessary.

09-13-2018, 09:01 AM
Awd, do you have a way to do this with csf blocklists? If I block everyone who fails a bunch of times permanently I'm blocking innocent people who just entered their password wrong in outlook or something. If I block them temporarily, usually botnets have enough bots to cycle through individual IPs during the time a reasonable temporary block would last. If you mean block the addresses in project honeypot to begin with (not the ones hitting the brute force monitor), as far as I know, they don't make their full list available; only tests against specific addresses.

09-13-2018, 03:00 PM
Maybe this article is helpfull.

09-13-2018, 03:14 PM
Awd, thank you so much for the help, but like I said in #1 and #5, Project Honeypot merely makes available as a list the last 25 IP addresses they've seen. You can easily confirm this by visiting the source URL for the blocklist ( http://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1 ) and also by checking your iptables rules after loading csf. This doesn't help with IP addresses that are on their list but weren't seen by their honeypots very recently.

09-14-2018, 01:54 AM
You are right, to be honest, never realized that only the last 25 IP addresses where in the rss feed. Still learning every day :)
Maybe someone else has great ideas?