In 2 weeks, the SIP and RDP honeypot has captured 1336 addresses.
I think it would be nice to have some tool or script that runs through the list and consolidates anything that can be consolidated into a CIDR notation, to make the list smaller.
Any ideas?
I have a similar SIP & RDP honeypot set up at another site. The address list there is nearly 6000 entries. It’s important because their SIP is available externally, due to clients having dynamic IPs. So I listen for SIP connections on spare IP addresses, as well as having fail2ban on the PBX link to the Mikrotik, and of course the RDP honeypot is an easy way to capture more offenders.
It would be nice to have a script that lets you set a threshold, e.g. if ~50% of the hosts in a /24 subnet have been attacking, then block the whole /24 subnet.
As you can see here, it would make sense to block a whole /24 for this offender:

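The kind of script asked for above, as an added example that is not part of the original posts: it is standard-library Python 3, pulls IPv4 addresses out of a dumped address list (plain one-per-line or RouterOS `export` style lines both work), groups them by their enclosing /24, blocks the whole /24 when either a fraction of the subnet or an absolute number of offending hosts is reached, and collapses whatever is left into the smallest set of CIDR blocks. The sample addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), the list name `honeypot-offenders` and the thresholds are constructed for the demo and are assumptions, not values from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Loose IPv4 matcher; real validation is done by ipaddress below so that
# junk such as 999.1.1.1 is rejected instead of crashing the run.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_addresses(text):
    """Return the set of distinct IPv4 host addresses found in free-form text.

    Each line may be a bare address or something like a RouterOS export line
    ('add address=1.2.3.4 list=blacklist'); duplicates are dropped by the set.
    """
    found = set()
    for line in text.splitlines():
        for candidate in IPV4_RE.findall(line):
            try:
                found.add(ipaddress.IPv4Address(candidate))
            except ipaddress.AddressValueError:
                continue  # matched the regex but is not a valid IPv4 address
    return found


def aggregate(addresses, prefix=24, min_fraction=None, min_count=None):
    """Collapse a set of offending hosts into CIDR blocks.

    Hosts are grouped by their enclosing /prefix network. A whole network is
    blocked when the offending hosts reach min_fraction of its size and/or
    min_count hosts (whichever threshold is given). Hosts in networks below
    the threshold are kept individually and then merged into the minimal
    set of contiguous CIDR blocks by ipaddress.collapse_addresses.
    """
    groups = defaultdict(set)
    for host in addresses:
        net = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
        groups[net].add(host)

    to_block = []
    for net, hosts in groups.items():
        fraction = len(hosts) / net.num_addresses
        hit_fraction = min_fraction is not None and fraction >= min_fraction
        hit_count = min_count is not None and len(hosts) >= min_count
        if hit_fraction or hit_count:
            to_block.append(net)            # block the whole subnet
        else:
            to_block.extend(ipaddress.ip_network(h) for h in hosts)  # /32s
    return sorted(ipaddress.collapse_addresses(to_block))


def routeros_commands(networks, list_name="honeypot-offenders"):
    """Render networks as RouterOS address-list add commands (one per block)."""
    cmds = []
    for net in networks:
        # RouterOS takes a bare address for a single host and a.b.c.d/n for a block
        addr = str(net.network_address) if net.prefixlen == 32 else str(net)
        cmds.append(f"/ip firewall address-list add list={list_name} address={addr}")
    return cmds


# Constructed sample input: 130 hosts in one /24 (just over 50% of it), four
# contiguous hosts in another, one lone host repeated in two formats, and junk.
SAMPLE = "\n".join(
    [f"203.0.113.{i}" for i in range(1, 131)]
    + ["198.51.100.8", "198.51.100.9", "198.51.100.10", "198.51.100.11",
       "192.0.2.77", "192.0.2.77",
       "add address=192.0.2.77 list=blacklist",
       "not an address", "999.1.1.1"]
)

if __name__ == "__main__":
    hosts = parse_addresses(SAMPLE)
    blocks = aggregate(hosts, prefix=24, min_fraction=0.5, min_count=8)
    print(f"{len(hosts)} hosts -> {len(blocks)} address-list entries")
    for cmd in routeros_commands(blocks):
        print(cmd)
```

Two caveats worth keeping in mind when choosing the threshold: 50% of a /24 means 128 distinct attacking hosts in the same subnet, which a honeypot will rarely see, so an absolute count (the `min_count` argument, e.g. 8 or 10 hosts) triggers far sooner in practice; and blocking a whole /24 on that basis also blocks the neighbours in it who never touched the honeypot, which is fine for a list that only guards SIP/RDP but should not be pasted into a general-purpose drop rule without looking at who else lives in the block.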