This repository offers an integrated solution featuring a probe and client. Our blocklists, sourced from our honeypot network, are freely available. We provide a sync client for up-to-date protection and a probe tool for contributing new data. The blocklist contains IP addresses that have attempted unauthorized access on a honeypot probe, serving as a valuable resource for enhancing network security.
- Regularly updated list of malicious IP addresses.
- Easy integration with various firewalls and security systems.
- Helps prevent unauthorized access and potential security breaches.
This repository offers two separate products:
- Honeypot Probe: Collects IPs from Fail2ban and uploads them to GitHub.
- Honeypot Client: Syncs IPs from GitHub and applies them to Firewalld or ufw.
Ensure you have the following dependencies installed:
- gcc
- systemd
- sqlite-devel
- fail2ban (for the probe)
- firewalld or ufw (for the client)
- logrotate
- Download the RPM files: download the latest RPMs for the probe and client from the releases page.
- Install the Probe (pick the package matching your EL release):
  `sudo yum install honeypot-blocklist-probe-<version>.el9.x86_64.rpm` or `sudo yum install honeypot-blocklist-probe-<version>.el8.x86_64.rpm`
- Install the Client:
  `sudo yum install honeypot-blocklist-client-<version>.el9.x86_64.rpm` or `sudo yum install honeypot-blocklist-client-<version>.el8.x86_64.rpm`
Upgrade an installed probe with:
```sh
/usr/local/bin/honeypot-probe --upgrade
```
Optionally, start the services manually:
```sh
systemctl start honeypot-probe
systemctl start honeypot-client
```
Clone the repository:
```sh
git clone https://github.com/sequoiaheightsms/honeypot-blocklist.git
```
The probe syncs with Fail2ban and adds newly banned IPs to an SQLite DB in GitHub.

A helper script, setup.sh, handles probe setup:
```sh
./setup.sh --probe
```
It generates an SSH key pair (if one does not already exist) for secure communication with GitHub; the key is labeled id_rsa_probe. If the key already exists, a new one is not generated. It also installs and configures Fail2ban by creating /etc/fail2ban/jail.local:
```ini
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 2
bantime = 6h
```
Finally, it installs the RPMs and starts and enables the services.
The client syncs the blocklist from GitHub and applies the IPs to Firewalld/UFW. The helper script can be used for installation and setup:
```sh
./setup.sh --client
```
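As an added example (not code from this repository), this is the sanity filtering a client should apply before handing a synced blocklist to firewalld or ufw: drop malformed lines, duplicates and private/loopback/link-local addresses, honour an operator allowlist for your own management IPs, then emit the backend commands. The sample entries and the `filter_blocklist`/`firewall_commands` names are constructed for illustration; documentation-range IPs stand in for real honeypot hits.

```python
import ipaddress

# Constructed sample blocklist (not real honeypot data): documentation-range
# addresses stand in for attackers, plus a duplicate, private, loopback and
# malformed entries to exercise the filter.
SAMPLE_BLOCKLIST = """\
# synced from the honeypot-blocklist repo (constructed sample)
203.0.113.45
198.51.100.7
203.0.113.45
10.0.0.5
127.0.0.1
not-an-ip
2001:db8::1
"""

# Ranges that must never be pushed to the firewall from an external list:
# blocking them could cut off local management traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def filter_blocklist(text, allowlist=()):
    """Return sorted, de-duplicated IPs that are safe to block from a blocklist dump."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    keep = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue  # malformed entry: skip it rather than feed it to the firewall
        if ip in allowed or any(ip in net for net in LOCAL_NETS):
            continue
        keep.add(ip)
    return [str(ip) for ip in sorted(keep, key=lambda a: (a.version, int(a)))]

def firewall_commands(ips, backend="firewalld"):
    """Translate filtered IPs into the commands for the chosen backend."""
    if backend == "firewalld":
        cmds = [f"firewall-cmd --permanent --zone=drop --add-source={ip}" for ip in ips]
        if cmds:
            cmds.append("firewall-cmd --reload")  # apply the permanent rules once
        return cmds
    if backend == "ufw":
        return [f"ufw insert 1 deny from {ip} to any" for ip in ips]
    raise ValueError(f"unknown backend: {backend}")
```

Run `firewall_commands(filter_blocklist(SAMPLE_BLOCKLIST), "ufw")` to see the rules that would be applied; only the two public IPv4 hits and the IPv6 hit survive the filter.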
Both the probe and client log their activities to:
- Probe: /var/log/honeypot-probe.log
- Client: /var/log/honeypot-client.log

Log rotation is handled by logrotate with the following configurations:
- Probe: /etc/logrotate.d/honeypot-probe
- Client: /etc/logrotate.d/honeypot-client
We welcome contributions from the community. Here's how you can contribute without using the honeypot probe:
- Fork the Repository: click the "Fork" button at the top right of this page.
- Clone Your Fork: clone your forked repository to your local machine.
  `git clone https://github.com/yourusername/honeypot-blocklist.git`
- Create a Branch: create a new branch for your feature or bug fix.
  `git checkout -b feature-name`
- Make Your Changes: make your changes to the code.
- Commit Your Changes: commit your changes with a descriptive commit message.
  `git commit -m "Description of changes"`
- Push Your Changes: push your changes to your fork.
  `git push origin feature-name`
- Create a Pull Request: open a pull request from your forked repository on GitHub.
This project is licensed under the MIT License. See the LICENSE file for details.
Please contact Robert Romero.
We want to thank all contributors and the community for their support and contributions.