
Security feed service for your internet router

Helping all NETizens of good standing!
 

Fortinet, Mikrotik, iptables (ipset) and others, feed thy firewall!

Email: security-desk@supportu.nz for all security feed queries. 

 

Live txt file here: Download txt file
(50:1 redacted IPv4 list)

Current honeypot statistics: See more


Charity organisations can subscribe for free.

Castle Wall

A sticky honeypot

All stories start somewhere. This one is about one person who wanted a proven block list, built on real results, for his business and his customers.

 

Bad actors (malicious persons and services for rent) never seem to sleep, so getting a good night's rest and waking up the next day without having to think twice or check emails or voice messages for zero-day issues or compromises to client services is the gold standard for any I.T. person and business owner.

Will we see fewer bad actors appearing with his honeypot service over time?
By using good logging techniques we now know how busy our part of the world was vs the rest of the world for bad actor activity, and we now see fewer new bad-actor visitors being logged since the service was started.

How does it work?

Glad you asked. It's actually very simple, and we would love it if more people did similar things to be proactive about security.

Basically, to be sure a bad actor is by intent just that, we host a dynamically assigned, internet-facing honeypot logging device.

This device is used for nothing else: no servers, no googly advertising "here I am", nothing. It's a naked, no-frills capture device that a normal internet user will never see.

There is no logical reason for any organisation or person to ask this logging device for access to a MySQL service that does not exist, or to have a peek for SMB file shares, nor does an email MX service exist here. There are many bad actors accessing non-standard service ports too, like 444, 9608 etc. (it's a long list!).

What about bots?
The only web bots scanning a dynamically assigned connection that changes regularly and advertises nothing are malicious services operating data collection bots.

What about students scanning for education? 
A scan of any device not advertising services is still a security scan and all attacks begin at this basic level of questioning "are you there".


We log it, block it, publish it.

We get one of two answers from this logging:

1. Bad actors already known to us - sweet.

2. New bad actors not known to us, log it, even sweeter!

We then publish this to our web hosts, and you pay a small monthly fee in exchange for this proven collection of internet bad actors.

How well does this block list perform?

Well, we think it does very well vs other existing list sources.

We started with the common lists: Spamhaus spambot and C&C, FireHOL consolidated lists 1 to 4 and others. They were not capturing more than 25% of all new bad actors visiting our logging device. The FireHOL block lists have a much larger collection of logged IPs than most external block lists, but the hit rate was quite low against newly logged information on our honeypot.

As we are New Zealand based, we get different "visitors" than an item sitting in a hosted AWS data centre, so our logging is localised for our environment in the Pacific region, making this blocklist quite a relevant toolset for our customer firewalls.

We designed the order of logging:

1st   - Our known bad actor list

2nd  - Other published lists

Remaining - All new information (more bad actors)
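
The logging order above can be written as a short triage routine. This is an added example, not SUPPORTU's own code; the function names, list names and sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

def parse_list(lines):
    """Parse a block list: one IPv4 address or CIDR per line, '#' comments allowed."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def covered(ip, nets):
    """True if the address falls inside any entry of the list."""
    return any(ip in net for net in nets)

def triage(hit_ips, own_list, published_lists):
    """Classify each distinct honeypot source in the order described above:
    1st own known list, 2nd other published lists, remaining = new."""
    buckets = Counter()
    new_ips = []
    for ip in sorted({ipaddress.ip_address(h) for h in hit_ips}):
        if covered(ip, own_list):
            buckets["own"] += 1
        elif any(covered(ip, nets) for nets in published_lists.values()):
            buckets["published"] += 1
        else:
            buckets["new"] += 1
            new_ips.append(str(ip))  # candidates to add to the own list
    return buckets, new_ips

def share(buckets):
    """Percentage of distinct sources per bucket."""
    total = sum(buckets.values())
    return {k: round(100 * v / total, 1) for k, v in buckets.items()} if total else {}

# Constructed sample data (documentation address ranges, not real feed content).
OWN = parse_list(["192.0.2.10", "192.0.2.11  # seen before", "198.51.100.0/28"])
PUBLISHED = {"list_a": parse_list(["203.0.113.0/24"]),
             "list_b": parse_list(["198.51.100.200"])}
HITS = ["192.0.2.10", "192.0.2.10", "198.51.100.5", "203.0.113.77",
        "198.51.100.200", "192.0.2.99", "198.51.100.77"]

if __name__ == "__main__":
    buckets, new_ips = triage(HITS, OWN, PUBLISHED)
    print(share(buckets), new_ips)
```

Because the own list is checked first, a source that appears on both the own list and a published list is counted only once, under "own".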


As time has progressed from early testing to today:
Our list started from zero new logs, while other published lists caught a few early on, at around 25% of all logged items. That is over 75% missed from the very start!

Today the logging shows 90% as already found on our naughty bad actor list, and the remaining 10% is made up of new information being captured.

That is a win.
Now you can subscribe to the feed!

Get in Touch!

Canterbury, New Zealand

Data Two Limited t/a SUPPORTU

NZBN 9429032227307

<< I use two wheels to get around!