Don't let your LET's server idle for nothing. Make Honey!
Create a honeypot and join up by automatically reporting attackers.
More information can be found in the following talk:

tl;dr: Netwatch is a community project where everyone can run an attack pod on an idle server. They auto report attacks and NetWatch forwards aggregated reports to the ISPs. They already have a standing with (some of) them, allowing for faster takedowns.
Get your api key here: https://community.netwatch.team/
I'd love to know how many are interested and if there are any similar projects to collab with.


Comments
abuseipdb
portspoof
Oh? Which ones?
lol my greedy eyes read it as "Make Money"
Is the honey organic?
Me too...
You are not the only one!
Is there a similar project that does reporting to AbuseIPDB and similar well known sites instead of ISPs? That would be more useful.
I guess https://github.com/NetWatch-team/SSH-AttackPod is what they want you to run. Having looked at it, I don't think I would be comfortable running that.
... What. It's literally just a docker container.
Anyone tried it yet?
This use case is kinda illegal.
The same scenario from below can be applied to this honeypot case:
I buy (rent) a VPS and then I talk to a friend to test the security. He is doing crime, because I'm not the guy who can approve him to "hack" my VPS, the ISP is the right owner who can approve the pentest
So if you have idle VPSes don't honeypot them for money! Just install snowflake proxy on them and help people use the free internet https://community.torproject.org/relay/setup/snowflake/standalone/
Do you have any previous cases that support this opinion?
The host has leased it to you, it is yours to do as you wish.
It's taking forever to get an api key
What I like about the project is that they already have a good standing with especially EU ISPs. I wouldn't want to run this on a production server either, but I have 2 idling that'll get the treatment.
The thread title is stupid. Why people intentionally make it harder to search keywords is beyond me.
"If you have already an sshd running its default port is 22 so you must change the port of your sshd to another port. In these instructions we move it to port 2222. You need root privileges to do this."
I guess joke?
that's also annoying, but you can leave it at 22 and change the config.
Oh this is funny because people aren't creating honeypot for 'money', you seem to have misread the title as well haha
With proof!
will play around with this & make a PR with a podman quadlet after some testing
Oof. Fail.
Just put one up, seems to be working going by the logs
What is cashout minimum?
Please make sure that only useful reports are sent. For example, don't report attacks from Tor exits as they are already public and such reports only cause noise for both IP reputation providers and exit operators.
Personally, when I have idlers, I'll run:
And just recently, I've been setting up rTorrent to assist Anna's Archive: https://annas-archive.li/torrents#generate_torrent_list
I'm going to send this to my beekeeping friend!
To be fair, if people are using tor exits to cause trouble, then you should report it so the person running the tor exit can filter the traffic to block it. I'd hope you don't allow SMTP out of your tor exit either. If you do, please let us know all your IPs so we can easily block them all.
It's not possible to block traffic from the exit (at least, not practical), and it would be completely pointless as whoever is spamming would just use a different exit. The complete list of Tor exits, along with the ports they allow (iirc I have a couple that allow port 25) are public, so there's no need to waste time reporting them; Anyone who wants to block Tor already can.
Because of the way the Tor network works, it's better to just consider the entire set of exits as one entity with a shared IP reputation, and that entire list is published by the Tor Project in various forms (including a DNSBL).
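The filtering asked for in the comments above (leave Tor exits out of what gets reported), as an added example that is not part of the thread and not NetWatch's code. It assumes sshd-style "Failed password" log lines and an exit list with one address per line; both samples are constructed, and `load_exits` and `reportable` are hypothetical names.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: sshd-style auth log lines (assumed format, not the AttackPod's).
SAMPLE_LOG = """\
Jan 10 03:14:07 pod sshd[811]: Failed password for root from 198.51.100.23 port 40112 ssh2
Jan 10 03:14:09 pod sshd[811]: Failed password for invalid user admin from 198.51.100.23 port 40120 ssh2
Jan 10 03:15:41 pod sshd[815]: Failed password for root from 203.0.113.77 port 51022 ssh2
Jan 10 03:16:02 pod sshd[819]: Failed password for invalid user test from 2001:db8::5 port 39001 ssh2
Jan 10 03:16:30 pod sshd[822]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2
"""

# Constructed sample exit list: one address per line, comments and junk tolerated.
SAMPLE_EXITS = """\
# constructed exit list
203.0.113.77
2001:0db8:0000:0000:0000:0000:0000:0005
not-an-ip
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def load_exits(text):
    """Parse an exit list into a set of address objects, skipping bad lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: ignore rather than abort the run
    return exits

def reportable(log_text, exits, min_attempts=1):
    """Count failed logins per source and drop sources that are known exits."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            # Compare parsed addresses, so IPv6 spellings that differ still match.
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            continue
    return {str(ip): n for ip, n in counts.items()
            if ip not in exits and n >= min_attempts}
```
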
I'm a bit sus for Florian https://netwatch.team/team/
EOL I guess.
Sure there is.
iptables -A INPUT ! -d $MYIP -p tcp -m tcp --dport 22 -j REJECT
The world will be a much nicer place.
Oh, so you can easily mark ssh as not routable over your tor exit. Sounds like they expect people will want to get rid of such abuse vectors.
Sure, but I'm talking about helping to reduce the problem tor causes to other people. Sounds like tor is a perfect use case if you want to avoid systems like fail2ban. If everybody shrugs and goes "well everyone else doesn't care, why should we?" then the problem persists. Just like allowing SMTP traffic will get you reported, so you take care to block it, you should expect if people are using your exit to hammer ssh ports, then you should also expect complaints. And there's a simple fix.
FWIW I'm not ideologically opposed to tor, even though I'd never use it or operate a node, but I think it makes sense to help people access HTTP(S) for people in restrictive regimes, but ssh isn't really justified. If someone wants to run ssh on a non-standard port to get around the port 22 block, then you can assume they're not just using it for malice.