Comment by BLKNSLVR
8 days ago
This is great.
Do you publish a list of the 'knocking' IP addresses anywhere? (abuseipdb.com was mentioned, maybe I need to just pay for their service for their 100k blocklist)
(I've mentioned this before on related HN threads) I've got a setup whereby any incoming connections to ports behind which I don't have a service running get logged, and periodically the log is filtered and the IP addresses extracted and added to a block list.
My theory is that, if there's traffic coming into a port behind which there's no service (and therefore there's absolutely no good reason for this traffic to exist), then it must be malicious. If it's malicious, then I have no reason to trust any data coming from that IP address.
This is based on OPNSense firewall rules and logs and is documented haphazardly here: https://github.com/UninvitedActivity/UninvitedActivity
Most IP addresses age out of the logs after 12 months. I also have lists of common internet scanners that I've got from my own curation of the logs plus other similar projects of others. I'm just protecting my little homelab, so I don't care whether I'm blocking infected computers, computers running proxies, or blocking large swathes of the internet via ASN blocks. What I have set up is a pickaxe, where a lot of people really need a scalpel. Don't apply blindly!
(But I do think that if there was more aggressive blocking of the malicious traffic on the internet, then there would be more motivation for providers to at least attempt to minimise facilitating it - I admit that there is a fine line, and opinions on what is and is not malicious are subjective)
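The log-filter-and-extract loop described in the comment above, written out as an added example (not code from the UninvitedActivity repo or knock-knock.net). The CSV log format and sample lines are constructed for the example, not real OPNsense filterlog output, and the set of served ports is an assumption.

```python
"""Build a one-IP-per-line blocklist from firewall log hits on ports with no service behind them."""
from datetime import datetime, timedelta, timezone
import ipaddress

# Assumed: ports behind which a service really listens; a hit on anything else is a "knock".
SERVED_PORTS = {443, 51820}
RETENTION = timedelta(days=365)  # age entries out after 12 months

# Local ranges that must never land in the blocklist (a misconfigured LAN host is not a knocker).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log: ISO timestamp, action, proto, source IP, destination port.
SAMPLE_LOG = """\
2024-05-01T03:12:09Z,block,tcp,203.0.113.10,22
2024-05-01T03:12:11Z,block,tcp,203.0.113.10,23
2024-05-02T10:00:00Z,pass,tcp,198.51.100.7,443
2024-05-03T11:30:00Z,block,udp,198.51.100.7,5060
2023-01-15T08:00:00Z,block,tcp,192.0.2.200,3389
2024-05-04T12:00:00Z,block,tcp,192.168.1.50,8080
2024-05-04T12:00:00Z,block,tcp,not-an-ip,8080
"""

def parse_line(line):
    """Return (timestamp, action, src_ip, dst_port), or None for a malformed line."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, action, _proto, src, port = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return when, action, ipaddress.ip_address(src), int(port)
    except ValueError:
        return None  # bad timestamp, bad IP or bad port: skip rather than crash the cron job

def build_blocklist(log_text, now, served_ports=SERVED_PORTS, retention=RETENTION):
    """Collect source IPs that were blocked on an unserved port within the retention window."""
    cutoff = now - retention
    offenders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, action, ip, port = rec
        if action != "block" or port in served_ports or when < cutoff:
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        offenders.add(ip)
    # Sort v4 before v6, then numerically, so the published file is stable between runs.
    return [str(ip) for ip in sorted(offenders, key=lambda ip: (ip.version, int(ip)))]

if __name__ == "__main__":
    print("\n".join(build_blocklist(SAMPLE_LOG, datetime(2024, 6, 1, tzinfo=timezone.utc))))
```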
I'm reporting the bots that have visited to abuseipdb once per day, but yeah, there should be a free alternative. You aren’t the first person to have asked for this.
It would be trivial to write out a file that people can grab for free. What do you think would make the most sense? Plain text file, one IP per line, of offending IPs within the last month? Or year? Or a .csv with the dates included? Generally I’m a big fan of simplicity.
Plain text file one IP address per line works for me. Simplicity for the win.
Within the last month is probably enough. If I was consuming it, I'd add each monthly list to a database so I can build up my own 12-month (or whatever time frame suits me) list over time.
Or, publish one list for the last month and one list for the last 12 months.
Keep up the great work!
OK - thanks for the excellent suggestion. It's now implemented (just two SQL queries that will run as a cron job every night). You can grab the month and year offending IP blacklists this way.
wget https://knock-knock.net/static/ip-blocklist-month.txt
wget https://knock-knock.net/static/ip-blocklist-year.txt