30

Set up my port honeypot today finally, including port 22, then wrote a custom dashboard for some data tracking. Feels great to have it open on my screen seeing the bans just roll in every 2 seconds of refresh. The highest hits are, as expected, from China, Russia and India. Also filed ~700 reports and already got 300 banned from their service (mainly Microsoft Azure for whatever reason).

I wanted to first automate that (or at least blacklist report to various IP lists via API), but then I was afraid that I'll be one day stupid enough to somehow get banned - don't want myself to get reported lol

Comments
  • 3
    What I switched to is haas.nic.cz, provides visualization and data goes to CSIRT team as well. So don't have to run my own (safer) and I contribute to general good :-)
  • 2
    What honeypot software are you using? I've been wanting to play around with one but I've never had the time.
  • 2
    @PerfectAsshole I think the most popular nowadays is cowrie. I think haas is also based on that. I played with kippo before it became cowrie.
  • 1
    @PerfectAsshole I couldn't yet wrap my head around a full-blown fake CLI and separate server setup to monitor, which I plan for the future maybe - but currently I have iptables with the recent module ban anyone who hits 22 or any other usual public ports, like 194 seems to be popular, 150 samba etc. Also I have anyone denied on 80/443 except Cloudflare ranges, though with a fake hittable "wordpress install", basically a theme that looks like a popular WordPress theme and has the typical vulnerabilities (also hittable admin panel) recreated manually - so as soon as somebody attempts to do anything he gets banned and put into my report list (not automated though, as said I am afraid one day somehow I will end up in that list myself). Also I didn't yet cover everything, so oftentimes I ban even if you hit some specific login point.
  • 1
    @misiman That actually looks pretty cool, will def. check it out!
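
The iptables `recent`-module port trap described in the thread, with an allowlist placed ahead of it so the operator's own address cannot land on the ban list. This is an added example, not the poster's actual rules; the admin address `203.0.113.10`, the list name `trap`, the 86400-second ban and the function name `trap_rules` are assumptions, and ports 22 and 194 are taken from the comment above.

```shell
#!/bin/sh
# Added example: prints iptables commands for a port trap; it does not run them.
# Constructed values: admin address 203.0.113.10 (documentation range),
# list name "trap", 86400-second ban. Ports 22 and 194 come from the thread.

trap_rules() {
    admin="$1"; ports="$2"; secs="${3:-86400}"

    # Refuse to emit anything without an allowlist entry: this is the
    # guard against banning yourself.
    [ -n "$admin" ] || { echo "admin address required" >&2; return 1; }
    case "$admin" in
        *[!0-9a-fA-F.:/]*) echo "bad admin address" >&2; return 1 ;;
    esac
    # Ports must be a comma-separated list of numbers (multiport syntax).
    case "$ports" in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "bad port list" >&2; return 1 ;;
    esac
    case "$secs" in
        ''|*[!0-9]*) echo "bad ban duration" >&2; return 1 ;;
    esac

    # 1. Allowlist first, so the admin source never reaches the trap rules.
    echo "iptables -A INPUT -s $admin -j ACCEPT"
    # 2. Sources already on the list are dropped on every port; --update
    #    also refreshes their timestamp, so the ban restarts on each retry.
    echo "iptables -A INPUT -m recent --name trap --update --seconds $secs -j DROP"
    # 3. First touch of a trap port puts the source on the list.
    echo "iptables -A INPUT -p tcp -m multiport --dports $ports -m recent --name trap --set -j DROP"
}

# Dry run: review the output, then pipe it to "sh" as root to apply.
trap_rules 203.0.113.10 22,194
```

Rule order is the point: iptables evaluates top to bottom, so the `ACCEPT` for the admin source has to come before both `recent` rules, and a real SSH daemon has to listen on a port that is not in the trap list.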