[TOOL] IP BlackHole
Just a new project. Nothing big.
IP.blackhole.monster is an IP blacklist that uses multiple sensors to identify network attacks (e.g. SSH brute force) and spam incidents. All reports are evaluated and, in case of too many incidents, the responsible IP holder is informed to solve the problem.
P.S.: If you have some idle servers or can sponsor us a server, please mail us at [email protected]
https://github.com/BlackHoleMonster/IP-BlackHole
🚫 ALL IPs:
https://ip.blackhole.monster/blackhole
🚫 TODAY IPs:
https://ip.blackhole.monster/blackhole-today
How to use?
To get a fresh and ready-to-deploy auto-ban list of "bad IPs" you can run:
sudo su
apt-get -qq install iptables ipset
# create the set if it does not exist yet, then empty it before refilling
ipset create blackhole hash:net -exist
ipset flush blackhole
# the list has one "<ip><TAB><count>" entry per line (as the cut/grep pipeline assumes);
# skip comment lines and entries whose count is 1 or 2
for ip in $(curl -s --compressed https://ip.blackhole.monster/blackhole-today | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add blackhole "$ip" -exist; done
# remove any existing DROP rule for the set, then insert a fresh one at the top of INPUT
iptables -D INPUT -m set --match-set blackhole src -j DROP 2>/dev/null
iptables -I INPUT -m set --match-set blackhole src -j DROP
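As an added example (not code from the original post or from the BlackHole project), here is the same ipset/iptables deployment as a re-runnable script: the threshold filter is a function that can be checked on its own, and the set is refilled in a staging set and swapped in so the live set is never empty mid-update. It assumes the list format the post's pipeline implies (one IP or CIDR, a tab, then a report count per line, with "#" comment lines); the sample entries are constructed, not real list contents.

```shell
# Added example, not the project's own code. Assumes the list format implied by the
# post's pipeline: one "<ip-or-cidr><TAB><count>" entry per line, '#' comment lines.
set -eu

LIST_URL="https://ip.blackhole.monster/blackhole-today"
SET_NAME="blackhole"
MIN_COUNT=3   # the post drops entries whose trailing count is 1 or 2

# Constructed sample in the assumed format (not real list contents).
SAMPLE_LIST="$(printf '# constructed sample\n198.51.100.7\t5\n203.0.113.9\t1\n192.0.2.0/24\t12\n203.0.113.20\t2\n')"

# Reads the raw list on stdin and prints one IP/CIDR per line,
# skipping comment lines and entries seen fewer than MIN_COUNT times.
filter_blackhole() {
    awk -F '\t' -v min="$MIN_COUNT" '
        /^#/ || NF < 1 { next }              # comment or blank line
        NF >= 2 && ($2 + 0) < min { next }   # below the report threshold
        { print $1 }
    '
}

# Replaces the live set with the freshly downloaded list. Needs root.
apply_blackhole() {
    # Download first: with set -e a failed download aborts before any set is touched.
    list="$(curl -fsS --compressed "$LIST_URL")"
    ipset create "$SET_NAME" hash:net -exist         # live set, created once
    ipset create "${SET_NAME}-tmp" hash:net -exist   # staging set
    ipset flush "${SET_NAME}-tmp"
    printf '%s\n' "$list" | filter_blackhole | while IFS= read -r ip; do
        ipset add "${SET_NAME}-tmp" "$ip" -exist
    done
    ipset swap "${SET_NAME}-tmp" "$SET_NAME"         # live set now holds the new list
    ipset destroy "${SET_NAME}-tmp"
    # Add the DROP rule only if it is not already present.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Usage (as root): sh blackhole.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_blackhole
fi
```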
Comments
I think that https://www.crowdsec.net/ is a better option
also works with nftables?
I just use
ip r a black 0.0.0.0/0
Never have to worry about no pesky ssh bruteforce anymore!
Perfect for idle servers!
well, as i said, this is nothing big
Don't run it anymore but it was amazing, made some contributions and wrote an abuseipdb report plugin for it. Crowdsec is better than fail2ban.
sure, i just wanted to learn something new and also to log the commands they try to run on the server, also storing all the crap they try to download onto the server; making that downloadable is possible soon too, and auto-reporting to virustotal will probably be implemented too
Wasn't discrediting you, would you be able to share around how many honeypots you use and if you scrape other places for IPs? It's an interesting project for sure.
understand
for now we use just cowrie (ssh+telnet) on 4 servers that you can see on the main page.
but later i want to add live tcpdump output too, to get all IPs connecting on every available port
no other sources, it's coming from those 4 servers; you can search every IP in that list and see what they tried
No offense to you nor your project, but personally I don't like giving someone else access to my servers. The idea of crowdsec just fits me better, and you really should develop your project even further into something bigger
? it does not require anything like that, i mean if anyone can sponsor a server or has some idle server, but that's totally not required, i just asked
My only dislike, Crowdsec basically collects all data for free from installed bouncers from users. They create the most useful blocklist only available for premium accounts.
well we only log attackers, everything else goes directly to /dev/null
Yeah, but you can disable sending IPs to crowdsec, but you also won't get the other crowdsourced IPs. I think those lists are only for non-hosting people and people who want to block specific stuff, almost all of the IPs are in the community list anyway.
Update:
Added #5 new server - 🇵🇱 Poland
Another update:
was added to maltrail - https://github.com/stamparm/maltrail/commit/886da5bde55128390bdab5d0345bdf47f1ebd0f4
Version: 0.3-βeta 🔥
Version: 0.4-βeta 🔥
Added #6 new server - 🇳🇱 Netherlands
Version: 0.5-βeta 🔥
Added #7 new server - 🇩🇪 Germany
I've been doing something similar for some time. You might need to think about the issue of fake source IP addresses when using tcpdump. Without 3-way handshake, tcpdump can't eliminate fake source IP addresses.
An alternative way is to use haproxy to listen on tens of thousands of TCP ports.
@chihcherng
yes, i will probably make a new ip blacklist with a statement about fake source IPs, but for now there is no list for tcpdump, only to show them in realtime
Version: 0.6-βeta 🔥
Added #8 new server - 🇸🇬 Singapore
Thank you guys,
Version: 0.7-βeta 🔥
Added #9 new server - 🇦🇺 Australia
Version: 0.8-βeta 🔥
Added #10 new server - 🇫🇷 France
in your place I would use gcore dns (it's free and has free geo queries) instead of using cloudflare with backends in multiple countries.
if cloudflare goes to shit, so will your frontend.
What?
https://bgp.tools/dns/ip.blackhole.monster
You think running CF DNS is an apparent risk and that switching to Gcore will yield much better stability?
so if gcore goes to shit? it's the same everywhere no?
I just think he likes Gcore lol