[TOOL] IP BlackHole

dIsKdIsK Member
edited April 2023 in General

Just a new project. Nothing big.

IP.blackhole.monster

is an IP blacklist that uses multiple sensors to identify network attacks (e.g. SSH brute force) and spam incidents. All reports are evaluated, and in case of too many incidents the responsible IP holder is informed so they can solve the problem.

P.S.: If you have some idle servers or can sponsor us a server, please mail us at [email protected]

https://github.com/BlackHoleMonster/IP-BlackHole

🚫 ALL IPs:
https://ip.blackhole.monster/blackhole

🚫 TODAY IPs:
https://ip.blackhole.monster/blackhole-today

How to use?

To get a fresh and ready-to-deploy auto-ban list of "bad IPs" you can run:

sudo su
apt-get -qq install iptables ipset
ipset -q flush blackhole                 # empty the set if it already exists
ipset -q create blackhole hash:net       # create it on first run (IPv4 hash:net)
# fetch today's list, drop comment lines and entries with only 1-2 incidents, keep column 1 (the IP)
for ip in $(curl --compressed https://ip.blackhole.monster/blackhole-today 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add blackhole $ip; done
iptables -D INPUT -m set --match-set blackhole src -j DROP 2>/dev/null   # remove the old rule so re-runs do not duplicate it
iptables -I INPUT -m set --match-set blackhole src -j DROP               # drop inbound packets from any listed source
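Added example (not from the post or the IP-BlackHole project): a Python loader that applies the same count filter as the one-liner above but validates every entry before it reaches ipset, refuses entries that would block local ranges or huge prefixes, and emits `ipset restore` input that swaps the new contents in atomically. The feed format (tab-separated, IP or CIDR in column 1, incident count in the last column, '#' comment lines) is inferred from the grep/cut in the script and is an assumption; the sample list is constructed.

```python
import ipaddress

# Constructed sample in the assumed feed format ('#' comments, tab-separated,
# column 1 = IP or CIDR, last column = incident count). Not real feed data.
SAMPLE_LIST = """# constructed sample
198.51.100.7\t12
203.0.113.0/24\t5
192.0.2.9\t2
not-an-ip\t40
10.1.2.3\t30
0.0.0.0/0\t99
"""
# Ranges a remote feed must never be allowed to make this host drop (own LAN,
# loopback, link-local, multicast); a poisoned entry here would cut off management traffic.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

def parse_blackhole_list(text, min_count=3, min_prefixlen=16):
    """Return the IPv4 networks ('a.b.c.d/len' strings) that pass every check.
    min_count=3 mirrors the thread's grep, which drops entries with count 1 or 2."""
    accepted = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2 or not fields[-1].isdigit():
            continue  # stricter than the original cut: no count column, no block
        if int(fields[-1]) < min_count:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # malformed text must never reach the ipset command line
        if net.version != 4 or net.prefixlen < min_prefixlen:
            continue  # the thread's hash:net set is IPv4; refuse huge prefixes
        if any(net.overlaps(r) for r in NEVER_BLOCK):
            continue
        accepted.append(str(net))
    return accepted

def ipset_restore_script(networks, set_name="blackhole"):
    """Build `ipset restore` input that fills a staging set and swaps it in atomically."""
    lines = [f"create {set_name}_new hash:net family inet", f"flush {set_name}_new"]
    lines += [f"add {set_name}_new {n}" for n in networks]
    lines += [f"create {set_name} hash:net family inet",
              f"swap {set_name}_new {set_name}", f"destroy {set_name}_new"]
    return "\n".join(lines) + "\n"
```

Feed the returned text to `ipset -exist restore` so re-runs tolerate sets that already exist; the iptables rule from the post's script then matches the refreshed set without ever seeing it half-loaded.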

Comments

  • tentortentor Member, Patron Provider

    I think that https://www.crowdsec.net/ is a better option

    Thanked by 3VirtualByte kait deqi
  • Does it also work with nftables?

  • I just use
    ip r a black 0.0.0.0/0
    Never have to worry about no pesky ssh bruteforce anymore!

    Thanked by 1gbzret4d
  • BasToTheMaxBasToTheMax Member, Host Rep
    edited April 2023

    @CheepCluck said:
    I just use
    ip r a black 0.0.0.0/0
    Never have to worry about no pesky ssh bruteforce anymore!

    Perfect for idle servers! :)

    Thanked by 1gbzret4d
  • dIsKdIsK Member

    @tentor said: I think that https://www.crowdsec.net/ is a better option

    Well, as I said, this is nothing big :)

  • kaitkait Member

    @tentor said: I think that https://www.crowdsec.net/ is a better option

    Don't run it anymore but it was amazing, made some contributions and wrote an abuseipdb report plugin for it. Crowdsec is better than fail2ban.

    Thanked by 1dIsK
  • dIsKdIsK Member
    edited April 2023

    @kait said: Don't run it anymore but it was amazing, made some contributions and wrote an abuseipdb report plugin for it. Crowdsec is better than fail2ban.

    Sure, I just wanted to learn something new and also to log the commands they try to run on the server, and also store all the crap they try to download over the server; it will possibly be downloadable soon too, and auto-reporting to VirusTotal will probably be implemented as well

  • kaitkait Member

    @dIsK said: Sure, I just wanted to learn something new and also to log the commands they try, also storing all the crap they try to download

    Wasn't discrediting you, would you be able to share around how many honeypots you use and if you scrape other places for IPs? It's an interesting project for sure.

    Thanked by 1dIsK
  • dIsKdIsK Member
    edited April 2023

    @kait said: Wasn't discrediting you, would you be able to share around how many honeypots you use and if you scrape other places for IPs? It's an interesting project for sure.

    Understood :) For now we use just cowrie (ssh+telnet) on 4 servers, which you can see on the main page.
    But later I want to add live tcpdump output as well, to get all IPs connecting on every available port

    No other sources; it's all coming from those 4 servers. You can search every IP in that list and see what they tried

    Thanked by 1kait
  • tentortentor Member, Patron Provider

    @dIsK said:

    @tentor said: I think that https://www.crowdsec.net/ is a better option

    Well, as I said, this is nothing big :)

    No offense to you nor your project, but personally I don't like giving someone else access to my servers. The idea of crowdsec just fits me better, and you really should develop your project even further to something bigger ;)

  • dIsKdIsK Member
    edited April 2023

    @tentor said: giving someone else access to my servers

    ? It does not require anything like that. I mean, if anyone can sponsor a server or has some idle server, but that's totally not required, I just asked :)

    Thanked by 1tentor
  • dosaidosai Member

    @kait said:

    @tentor said: I think that https://www.crowdsec.net/ is a better option

    Don't run it anymore but it was amazing, made some contributions and wrote an abuseipdb report plugin for it. Crowdsec is better than fail2ban.

    My only dislike: Crowdsec basically collects all data for free from the bouncers installed by users. They create the most useful blocklist, which is only available for premium accounts.

    Thanked by 1dIsK
  • dIsKdIsK Member
    edited April 2023

    @dosai said: My only dislike: Crowdsec basically collects all data for free from the bouncers installed by users. They create the most useful blocklist, which is only available for premium accounts.

    Well, we only log attackers; everything else goes directly to /dev/null

  • kaitkait Member

    @dosai said: My only dislike: Crowdsec basically collects all data for free from the bouncers installed by users. They create the most useful blocklist, which is only available for premium accounts.

    Yeah, but you can disable sending IPs to Crowdsec; you then also won't get the other crowdsourced IPs. I think those lists are only for non-hosting people and people who want to block specific stuff; almost all of the IPs are in the community list anyway.

    Thanked by 2dIsK let_rocks
  • dIsKdIsK Member
    edited April 2023

    Update:
    Added #5 new server - 🇵🇱 Poland

    :)

  • dIsKdIsK Member

    Version: 0.3-βeta 🔥

    • Added a special live tcpdump page to see in realtime what's going on (for now it's the output from one server)

    Thanked by 1dosai
  • dIsKdIsK Member

    Version: 0.4-βeta 🔥
    Added #6 new server - 🇳🇱 Netherlands

  • dIsKdIsK Member

    Version: 0.5-βeta 🔥
    Added #7 new server - 🇩🇪 Germany

  • chihcherngchihcherng Veteran
    edited April 2023

    @dIsK said: Understood. For now we use just cowrie (ssh+telnet) on 4 servers, which you can see on the main page.
    But later I want to add live tcpdump output as well, to get all IPs connecting on every available port

    I've been doing something similar for some time. You might need to think about the issue of fake source IP addresses when using tcpdump. Without a 3-way handshake, tcpdump can't eliminate fake source IP addresses.

    An alternative way is to use haproxy to listen on tens of thousands of TCP ports.

    Thanked by 1dIsK
  • dIsKdIsK Member

    @chihcherng
    Yes, I will probably make a new IP blacklist with a statement about fake source IPs, but for now there is no list for tcpdump, only a page to show them in realtime

    Version: 0.6-βeta 🔥
    Added #8 new server - 🇸🇬 Singapore

  • Thank you guys,

  • dIsKdIsK Member

    Version: 0.7-βeta 🔥
    Added #9 new server - 🇦🇺 Australia

  • dIsKdIsK Member
    edited April 2023

    Version: 0.8-βeta 🔥
    Added #10 new server - 🇫🇷 France

  • treesmokahtreesmokah Member
    edited April 2023

    In your place I would use Gcore DNS (it's free and has free geo queries) instead of using Cloudflare with backends in multiple countries.
    If Cloudflare goes to shit, so will your frontend.

  • emghemgh Member

    @treesmokah said:
    In your place I would use Gcore DNS (it's free and has free geo queries) instead of using Cloudflare with backends in multiple countries.
    If Cloudflare goes to shit, so will your frontend.

    What?

  • @emgh said:

    @treesmokah said:
    In your place I would use Gcore DNS (it's free and has free geo queries) instead of using Cloudflare with backends in multiple countries.
    If Cloudflare goes to shit, so will your frontend.

    What?

    https://bgp.tools/dns/ip.blackhole.monster

  • emghemgh Member

    @treesmokah said:

    @emgh said:

    @treesmokah said:
    In your place I would use Gcore DNS (it's free and has free geo queries) instead of using Cloudflare with backends in multiple countries.
    If Cloudflare goes to shit, so will your frontend.

    What?

    https://bgp.tools/dns/ip.blackhole.monster

    You think running CF DNS is an apparent risk and that switching to Gcore will yield much better stability?

  • dIsKdIsK Member

    @treesmokah said: If Cloudflare goes to shit, so will your frontend.

    So if Gcore goes to shit? It's the same everywhere, no?

    Thanked by 1emgh
  • emghemgh Member

    @dIsK said:

    @treesmokah said: If Cloudflare goes to shit, so will your frontend.

    So if Gcore goes to shit? It's the same everywhere, no?

    I just think he likes Gcore lol

    Thanked by 1dIsK