Project HONEYPOT

Project HoneyPOT is very good for stopping spammers, hackers and crackers before they arrive at your sites. ModSecurity can implement this, and COMODO could add this.
Project HoneyPOT: https://www.projecthoneypot.org/

How to do it:


# This is your HoneyPOT API Key (needed by @rbl for dnsbl.httpbl.org lookups)
SecHttpBlKey "PUT-YOUR-API-KEY-HERE"

# This is the rule: look the client IP up in http:BL, capture the lookup
# message, and only block when the reported threat score is above 20
SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" \
  "id:'901',\
  chain,\
  phase:1,\
  t:none,\
  capture,\
  block,\
  msg:'COMODO WAF: HoneyPOT Project Match of Client IP',\
  logdata:'%{tx.httpbl_msg}',\
  setvar:tx.httpbl_msg=%{tx.0},\
  setvar:tx.ip_atacante=%{REMOTE_ADDR},\
  redirect:https://www.projecthoneypot.org/ip_%{tx.ip_atacante}"
  # TX:0 holds the @rbl match message; pull the threat score out of it
  SecRule TX:0 "threat score (\d+)" \
    "chain,capture"
    # Only scores strictly greater than 20 trigger the block
    SecRule TX:1 "@gt 20"

Just so you know what this does, look at this, spammer stopped:

901: COMODO WAF: HoneyPOT Project Match of Client IP
Request:	GET /index.php?option=com_phocaguestbook&view=phocaguestbook&id=1&Itemid=72
Action Description:	Access denied with redirection to https://www.projecthoneypot.org/ip_188.123.248.103 using status 302 (phase 1).
Justification:	Operator GT matched 20 at TX:1.
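
To make the mechanics of the rule above concrete, here is a standalone Python sketch (an added example, not code from this post or from COMODO's rule set). It builds the DNS name that http:BL is queried with, decodes the 127.D.T.V answer record into days-since-last-activity, threat score and visitor type as documented by Project Honey Pot, applies the same "score strictly above 20" decision the chained SecRules make, and pulls the score out of an @rbl-style match message with the same "threat score (\d+)" regex. The API key, the answers and the match message are constructed sample values, not real lookups.

```python
import ipaddress
import re

HTTPBL_ZONE = "dnsbl.httpbl.org"

# Visitor-type flags carried in the fourth octet of an http:BL answer (bitmask).
TYPE_SEARCH_ENGINE = 0
TYPE_SUSPICIOUS = 1
TYPE_HARVESTER = 2
TYPE_COMMENT_SPAMMER = 4

# Same cut-off the forum rule applies with "@gt 20".
THREAT_THRESHOLD = 20


def httpbl_query_name(api_key: str, client_ip: str) -> str:
    """Name to resolve: <api key>.<client IP octets reversed>.dnsbl.httpbl.org.

    http:BL only covers IPv4, so anything else raises ValueError.
    """
    ip = ipaddress.IPv4Address(client_ip)
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{api_key}.{reversed_octets}.{HTTPBL_ZONE}"


def parse_httpbl_answer(answer: str):
    """Decode a 127.D.T.V A record into days / threat score / visitor types.

    Returns None when the answer is not an http:BL record (anything that does
    not start with 127, or is not four valid octets, is not an http:BL answer).
    """
    try:
        octets = [int(o) for o in answer.split(".")]
    except ValueError:
        return None
    if len(octets) != 4 or octets[0] != 127 or any(not 0 <= o <= 255 for o in octets):
        return None
    days, threat, vtype = octets[1], octets[2], octets[3]
    types = []
    if vtype == TYPE_SEARCH_ENGINE:
        # For type 0 the third octet identifies the search engine, not a threat score.
        types.append("search engine")
    else:
        if vtype & TYPE_SUSPICIOUS:
            types.append("suspicious")
        if vtype & TYPE_HARVESTER:
            types.append("harvester")
        if vtype & TYPE_COMMENT_SPAMMER:
            types.append("comment spammer")
    return {"days_since_last_activity": days, "threat_score": threat, "visitor_types": types}


def should_block(answer, threshold: int = THREAT_THRESHOLD) -> bool:
    """Block policy matching the forum rule: listed AND threat score strictly above threshold.

    answer=None models NXDOMAIN (the IP is not listed at all), which never blocks.
    """
    if answer is None:
        return False
    rec = parse_httpbl_answer(answer)
    if rec is None or rec["visitor_types"] == ["search engine"]:
        return False
    return rec["threat_score"] > threshold


THREAT_SCORE_RE = re.compile(r"threat score (\d+)")


def threat_score_from_rbl_msg(msg: str):
    """Mirror of the chained SecRule on TX:0: extract the integer after
    'threat score' from the @rbl match message, or None if it is absent."""
    m = THREAT_SCORE_RE.search(msg)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed values only: fake 12-character key, fake answers, fake message.
    print(httpbl_query_name("abcdefghijkl", "188.123.248.103"))
    for ans in ["127.3.45.6", "127.0.5.0", "127.1.10.1", None]:
        decoded = parse_httpbl_answer(ans) if ans else "not listed"
        print(ans, decoded, "block" if should_block(ans) else "allow")
    sample_msg = "RBL lookup succeeded. Harvester, Comment Spammer IP: 3 days since last activity, threat score 45"
    print(threat_score_from_rbl_msg(sample_msg))
```

Two practical points fall out of this: an answer of 127.x.20.y is allowed because the rule uses @gt rather than @ge, and a search-engine listing (type 0) carries no threat score at all, so a threshold check must not treat its third octet as one.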

Thank you for sharing this very useful information!

I’m sure our rule writers will appreciate it :P
And willing customers can add this to Custom Rules right now.

Project Honeypot can also be enabled as a blocklist through CSF firewall. Wouldn’t it be more efficient to block those users that way?

From CSF Firewall? Very different: many IPs that visit our site are not on the list that CSF downloads; you have to use the DNS RBL to catch them, plus you use the SCORE; only above 20 should be blocked.

It’s much more effective than the CSF Firewall Honeypot. Also, I have both, and this rule catches a lot of IPs that are not on the CSF list.

I could not get this working.
I came across
http://forums.cpanel.net/f185/utilizing-http-blacklist-httpbl-api-mod_security-313241.html
With a mixture of yours and the other, I am currently using the below.

SecHttpBlKey YOUR_API_KEY
SecRule TX:REAL_IP|REMOTE_ADDR "@rbl dnsbl.httpbl.org" "id:'901',chain,phase:1,t:none,capture,block,msg:'COMODO WAF: HoneyPOT Project Match of Client IP.',logdata:'%{tx.httpbl_msg}',setvar:tx.httpbl_msg=%{tx.0}"
        SecRule TX:0 "threat score (\d+)" "chain,capture"
                SecRule TX:1 "@gt 20"

EDIT: the [at]’s should be the at symbol with no brackets (the forum is changing it even when using code tags).

EDIT2: The blocked IPs are pouring in.