
Security feed service for your internet router or website host

Buy a subscription for basic blocklist or basic + predictive blocklists. 
Click here
 

Fortinet, Mikrotik, iptables (ipset) and others, feed thy firewall!

Email: security-desk@supportu.nz for all security feed queries. 

 

Live txt file here: Download txt file
(50:1 redacted ip4 list) 

Current honeypot statistics: See more

We have HTTP and firewall honeypot lists. The HTTP list comes from project websites that do not use any CMS (WordPress, Joomla, etc.), so no one should be requesting aa.php, filemanage.php or wp-login when those were never advertised.

See list of 404 file patterns here


Charity organisations can subscribe for free.

Castle Wall

A sticky honeypot

All stories start somewhere; this one is about one individual who wanted a block list with proven, real results for his business and his customers.

 

Bad actors (malicious persons and services for rent) never seem to sleep. Getting a good night's rest and waking up the next day without thinking twice, or checking emails and voice messages for zero-day issues or compromises to client services, is the gold standard for any I.T. individual and business owner.

Will we see fewer bad actors appearing with his honeypot service over time?


By using good logging techniques, we now know how busy our part of the world was vs the rest of the world for bad actor activity, and we now see fewer new bad-actor visitors being logged since the service was started.

How does it work?

Glad you asked. It's actually very simple, and we would love it if more people did similar things to be proactive about security.

Basically, to be sure a bad actor is by intent just that, we host a dynamically assigned, internet-facing honeypot logging device.

This device is used for nothing else: no servers, no googly advertising "here I am", nothing. It's a naked, no-frills capture device that a normal internet user will never see.

 

There is no logical reason for any organisation or person to ask this logging device for access to a MySQL service that does not exist, or to have a peek for SMB file shares, and no email MX service exists here either. There are many bad actors accessing non-standard service ports too, like 444, 9608 etc. (it's a long list!).

What about bots?
The only web bot scanning a dynamically assigned connection that changes regularly and advertises nothing is a malicious service operating a data collection bot.

However, there are some genuine bots like Claude, ChatGPT and Bing that are also data mining for new information, and we have whitelists for these.

What about students scanning for education? 
A scan of any device not advertising services is still a security scan, and all attacks begin at this basic level of questioning: "are you there?"


We log it, block it, publish it. 

We have one of two answers from this logging:

1. Bad actors already known to us - sweet.

2. New bad actors not known to us, log it, even sweeter!

We then publish this to our web hosts, and you pay a small monthly fee in exchange for this proven collection of internet bad actors.

How well does this block list perform?

Well, we think it does very well vs other existing blocklist sources.

We started with the common lists (Spamhaus spambot and C&C, Firehol consolidated lists 1 to 4, and others). From the start they were not capturing more than 25% of all new bad actors visiting our logging device, and today less than 1% are identified by an external blocklist vs our honeypot dataset.

The publicly available Firehol block lists have a much larger collection of logged IPs than most external block lists, but the hit rate against newly logged information on our honeypot was quite low, so we measure the overlap count to know whether we're seeing the same information or new, unknown information.

We wanted a useful blocklist service, not a copy!

As we are New Zealand based, we get different "visitors" than an item sitting in a hosted AWS data centre, so our logging is localised for our environment in the Pacific region, making this blocklist quite a relevant toolset for our customer firewalls.

We designed the order of logging...

1st - Our known bad actor list (Basic list)

2nd - Our predictive bad actor lists based on active patterns (Plus lists)

3rd - Other published lists for overlap measurements

Remaining - All new information (more bad actors)
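
The logging order above, together with the overlap measurement against external lists, as an added example that is not the service's own code. It assumes a feed format of one IPv4 address or CIDR per line, and the tier names, list contents and logged addresses are constructed sample data.

```python
import ipaddress
from collections import Counter

def parse_list(text):
    """Parse a blocklist body: one IP or CIDR per line, '#' comments allowed (assumed format)."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # skip a malformed line rather than reject the whole feed
    return nets

def classify(ip, tiers):
    """Return the first tier, in the given order, that contains ip; otherwise 'new'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in tiers:
        if any(addr in net for net in nets):
            return name
    return "new"

def overlap_report(logged_ips, tiers):
    """Count distinct logged sources per tier and the share first caught by external lists."""
    counts = Counter(classify(ip, tiers) for ip in set(logged_ips))
    total = sum(counts.values())
    external_rate = counts["external"] / total if total else 0.0
    return counts, external_rate

# Constructed sample data (documentation address ranges, not real feed contents).
BASIC = parse_list("192.0.2.10\n192.0.2.11  # seen before\n")
PLUS = parse_list("198.51.100.0/28\n")
EXTERNAL = parse_list("203.0.113.0/24\n192.0.2.10\nnot-an-ip\n")
# Order matters: own lists are checked before external lists, as in the text.
TIERS = [("basic", BASIC), ("plus", PLUS), ("external", EXTERNAL)]
LOGGED = ["192.0.2.10", "198.51.100.5", "203.0.113.77",
          "198.51.100.200", "192.0.2.10", "203.0.113.9"]

if __name__ == "__main__":
    counts, rate = overlap_report(LOGGED, TIERS)
    print(dict(counts), f"external hit rate: {rate:.0%}")
```

An address that appears on both the basic list and an external list is counted as basic, so the external figure only reflects sources the honeypot's own lists did not already know.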

We made two levels of subscription

1. Honeypot blocklist only. 

2. Honeypot + Predictive blocklists based on pattern detection.

Now you can subscribe to the feed! Click Here

Get in Touch!

Canterbury, New Zealand

Data Two Limited t/a SUPPORTU

NZBN 9429032227307
