paintballer4lfe
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue Dec 06, 2016 5:10 pm

Mikrotik Honeypot IP Threat Feed

Fri Dec 31, 2021 2:39 am

Well I figured I might as well make this a public thread so it's not just in my sig only for the few that view that.

I recently have made a system to ingest and process logs for honeypots I have in the wild. Essentially it's just open services for now that IPs will try and wordlist or brute-force login to, which became extremely abused within 12 hours, which is nice.

Currently I just have the one honeypot doing what it can but I will eventually deploy more. It's not a fail2ban-based system, it's essentially a custom syslog server I made that intakes all login failures and appends new IPs to the list, which you can then script or do whatever with to throw it into a firewall rule to block connections from if you wish.

This is purely run in my free time and so is the project, so I do not have any type of terms of service or SLA or whatnot. It'll just be there for whoever wants to use it on their systems. Obviously it can be used for anything, not just Mikrotik, but the target that is obtaining the login failures is a Mikrotik system very much exposed to the wild.

So yeah, sorry for the probably long useless info above; the feed can be accessed here:
https://991tech.org/downloads/Public_Feeds/ip.list
Github repo if you want to use that instead:
https://github.com/Crash0v3r1de/HoneypotIPLists

Currently I do not have any scheduled reset so this list of IPs is currently coming up on a week old. I will probably implement a semi-weekly or possibly just monthly IP reset since a lot of the IPs are just throwaway hosts.


If you wish to help the feed
  • Shoot me a PM and I can walk you through what you need to do - essentially just send your syslogs to one of my public IPs and I'll do the rest.
Updates
  • 12-31-2021 | Had a fairly lengthy outage last night until a few hours ago, shut down my systems in hopes of it helping with the power issues going on with the wildfires. Everything has been restored and will stay live.
  • 01-21-2022 | Added the Github repo that is updated hourly if the list is changed/updated
Last edited by paintballer4lfe on Sat Jan 22, 2022 6:12 am, edited 2 times in total.
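The ingestion step the first post describes (a syslog receiver that takes login failures and appends new IPs to the list), as an added example that is not the thread author's code: it parses RouterOS-style "login failure for user ... from ... via ..." messages, drops malformed and internal addresses, deduplicates, and appends only IPs the list does not already have. The sample log lines, the host name and the existing list contents are constructed; the timestamp/host/topic prefix in front of each message is an assumption about how a syslog forwarder lays the line out.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of forwarded RouterOS syslog lines. The "login failure for
# user X from Y via Z" wording is RouterOS's own message; the host/timestamp/
# topic prefix is an assumption about the syslog forwarder's layout.
SAMPLE_SYSLOG = """\
Dec 30 23:59:01 honeypot01 system,error,critical login failure for user admin from 203.0.113.7 via ssh
Dec 30 23:59:03 honeypot01 system,error,critical login failure for user root from 203.0.113.7 via ssh
Dec 30 23:59:09 honeypot01 system,error,critical login failure for user admin from 198.51.100.23 via winbox
Dec 30 23:59:12 honeypot01 system,info,account user admin logged in from 192.168.88.2 via winbox
Dec 30 23:59:20 honeypot01 system,error,critical login failure for user test from 192.168.88.50 via telnet
Dec 30 23:59:25 honeypot01 system,error,critical login failure for user admin from 999.1.1.1 via ssh
"""

LOGIN_FAILURE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<ip>\S+) via (?P<service>\S+)"
)

# Ranges that can never be an external brute-forcer: RFC 1918, loopback,
# link-local and CGNAT. Filtering them keeps an operator's own management
# hosts (which fail logins now and then too) out of a published feed.
EXCLUDED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")
]


def is_excluded(ip):
    return any(ip in net for net in EXCLUDED_NETWORKS)


def login_failures(syslog_text):
    """Yield (ip, user, service) for every well-formed login-failure line."""
    for line in syslog_text.splitlines():
        m = LOGIN_FAILURE.search(line)
        if not m:
            continue  # successful logins and unrelated events are ignored
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # "999.1.1.1" or a hostname: not a usable feed entry
        yield ip, m.group("user"), m.group("service")


def extract_feed_ips(syslog_text, include_excluded=False):
    """Ordered, deduplicated list of attacking source IPs."""
    ordered = {}
    for ip, _user, _service in login_failures(syslog_text):
        if not include_excluded and is_excluded(ip):
            continue
        ordered.setdefault(str(ip), None)
    return list(ordered)


def failure_counts(syslog_text):
    """How many failures each external source produced; useful to spot bursts."""
    return Counter(str(ip) for ip, _u, _s in login_failures(syslog_text)
                   if not is_excluded(ip))


def append_new(existing, found):
    """Append IPs not already on the list; return (updated_list, newly_added)."""
    known = set(existing)
    new = [ip for ip in found if ip not in known]
    return existing + new, new


if __name__ == "__main__":
    current_list = ["203.0.113.7"]  # constructed: what ip.list already holds
    updated, added = append_new(current_list, extract_feed_ips(SAMPLE_SYSLOG))
    print("\n".join(updated))       # ip.list contents after this batch
    print("new this run:", added)
    print(failure_counts(SAMPLE_SYSLOG))
```

In the sample, the two `203.0.113.7` failures collapse to one entry, the `192.168.88.50` failure is kept out of the feed because it comes from a private range, the successful winbox login is ignored, and the unparsable `999.1.1.1` is dropped rather than published.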
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik Honeypot IP Threat Feed

Fri Dec 31, 2021 3:23 am

Why again do I need this... Currently have no issues with regular firewall rules.
 
paintballer4lfe
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue Dec 06, 2016 5:10 pm

Re: Mikrotik Honeypot IP Threat Feed

Fri Dec 31, 2021 3:31 am

> Why again do I need this... Currently have no issues with regular firewall rules.

I don't run your network, so you tell me if you need it or not.

It's an ongoing list of IPs actively attempting logins to systems open to the internet. Do as you please with it.

I would recommend folks make input rules to block incoming to all outside connections or to specific sources, but a lot of folks would rather go this route, oddly enough.
 
apestalménos
just joined
Posts: 14
Joined: Wed Sep 16, 2020 8:22 pm

Re: Mikrotik Honeypot IP Threat Feed

Fri Dec 31, 2021 5:02 pm

Thank you for this. It's very useful.

Consider employing Portspoof.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Mikrotik Honeypot IP Threat Feed

Fri Dec 31, 2021 5:46 pm

> Why again do I need this... Currently have no issues with regular firewall rules.

> I would recommend folks make input rules to block incoming to all outside connections or to specific sources, but a lot of folks would rather go this route, oddly enough.

Not only incoming; attention should also be given to outbound traffic.
Also block egress traffic trying to connect to such IPs.
I block traffic to Tor exit nodes, I block traffic to DoH servers and force any and all lookups to pass through a Pi-hole, etc., etc.
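Consuming the feed on the router side, as an added example that is not the feed's own tooling: it validates each entry, skips anything inside operator-specified never-block prefixes, and emits RouterOS CLI commands for the address list plus the two firewall rules the posts above describe, an input-chain drop for connections from listed sources and a forward-chain drop for LAN traffic towards them (the egress case). The list name `honeypot_feed`, the `7d` entry timeout, the feed excerpt and the never-block prefix are all constructed assumptions, as is the one-IP-per-line feed layout.

```python
import ipaddress

# Assumptions, not the project's own settings: the feed is one IPv4 address
# per line (blank lines and "#" comments tolerated) and the address list on
# the router is called honeypot_feed.
LIST_NAME = "honeypot_feed"
ENTRY_TIMEOUT = "7d"  # entries age out by themselves instead of a manual list reset

# Constructed feed excerpt, including the things a consumer has to tolerate:
# a comment, a blank line, a duplicate, a malformed entry and an IPv6 address.
SAMPLE_FEED = """\
# constructed feed excerpt
203.0.113.7
198.51.100.23

203.0.113.7
not-an-ip
2001:db8::1
198.51.100.200
"""


def parse_feed(feed_text, never_block=()):
    """Validated, deduplicated IPv4 strings from the feed.

    never_block: networks the operator must never lock out (own prefixes, a
    monitoring host, a VPN endpoint); any feed entry inside them is skipped.
    """
    safe = [ipaddress.ip_network(n) for n in never_block]
    seen = {}
    for raw in feed_text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # malformed entry: skip it rather than import it blindly
        if not isinstance(ip, ipaddress.IPv4Address):
            continue  # /ip firewall is IPv4 only; IPv6 entries would need /ipv6 firewall
        if any(ip in net for net in safe):
            continue
        seen.setdefault(str(ip), None)
    return list(seen)


def address_list_commands(feed_text, never_block=()):
    """RouterOS CLI lines that replace the address list with the current feed."""
    cmds = [f"/ip firewall address-list remove [find list={LIST_NAME}]"]
    for ip in parse_feed(feed_text, never_block):
        cmds.append(
            f"/ip firewall address-list add list={LIST_NAME} address={ip} "
            f"timeout={ENTRY_TIMEOUT} comment=\"honeypot feed\""
        )
    return cmds


def firewall_rule_commands():
    """One-time filter rules: drop inbound connections from listed sources
    (input chain) and drop traffic from the LAN towards them (forward chain)."""
    return [
        f"/ip firewall filter add chain=input src-address-list={LIST_NAME} "
        f"action=drop comment=\"honeypot feed: drop inbound\"",
        f"/ip firewall filter add chain=forward dst-address-list={LIST_NAME} "
        f"action=drop comment=\"honeypot feed: drop egress\"",
    ]


if __name__ == "__main__":
    # 198.51.100.200 stands in for the operator's own monitoring host (constructed)
    for line in address_list_commands(SAMPLE_FEED, never_block=["198.51.100.200/32"]):
        print(line)
    for line in firewall_rule_commands():
        print(line)
```

The address-list output is what gets re-applied on each refresh; the filter rules are applied once. RouterOS appends new filter rules at the end of their chain and evaluates top to bottom, so move the two drop rules above any existing accept rules in the same chain or they will never match.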
 
paintballer4lfe
Frequent Visitor
Topic Author
Posts: 59
Joined: Tue Dec 06, 2016 5:10 pm

Re: Mikrotik Honeypot IP Threat Feed

Sat Jan 01, 2022 2:03 am

> I would recommend folks make input rules to block incoming to all outside connections or to specific sources, but a lot of folks would rather go this route, oddly enough.

> Not only incoming; attention should also be given to outbound traffic.
> Also block egress traffic trying to connect to such IPs.
> I block traffic to Tor exit nodes, I block traffic to DoH servers and force any and all lookups to pass through a Pi-hole, etc., etc.

I believe that any additional information sharing is worth something to someone even if others only think of themselves.

Have a good New Year!
