Block pesky bots
2026-04-20 20:34:51 -03:00
go.mod Initial commit 2026-04-16 00:53:26 +00:00
LICENSE.md Add LICENSE.md 2026-04-16 16:27:43 -03:00
main.go Bump ipset size to 500k 2026-04-20 20:34:51 -03:00
README.md Mention pfBlockNG in README.md 2026-04-16 22:15:57 -03:00

Honeyblock

This serves as a honeypot to block pesky bots. It's not perfect, but it works for me.

Requirements:

Steps to set it up:

  1. Build (using go build).
  2. Copy the binary somewhere (say, /usr/local/bin/honeyblock).
  3. Edit /etc/ufw/after.init, and ensure that the line /usr/local/bin/honeyblock ufw "$1" is somewhere after the shebang.
  4. Run this as a daemon somehow. I set it up as a systemd unit. Honeyblock has to be able to run ipset add, which probably means running it as root.
  5. Once the daemon starts, it'll download IP lists and block them all. Things should be good already; however, if you use a reverse proxy, you can make it better.
  6. Set your reverse proxy up to serve requests from 127.0.0.1:1337 if they match certain rules. For instance, rules that work well:
    • If you don't have any services in PHP or ASP, you can serve any requests for files ending in .php or .asp or .aspx;
    • Requests for any hidden files (e.g. .git, .env, etc).
    • Requests for backup.(tar|tgz|tar.gz|sql).
    • If you don't have WordPress, requests for (wp-content|wp-includes|wp-json).
    • Requests with Firefox or Chrome in the user agent without anything in the Sec-Fetch-Mode header.
    • Requests with bad user agents. I use a big list I found somewhere and look at the log files for new stuff that pops up every now and then.
    • Requests without a Host header, or with one that doesn't make sense for your server.
    • I also recommend adding, in your robots.txt, a Disallow entry for something else that's banned. For instance, this is tia.mat.br's (don't access the URL in that line unless you want to be banned from that server for a few days).
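
The path, Host and header rules from step 6 (all except the bad-user-agent list), written as a Go function so they can be checked against sample requests before being translated into reverse-proxy configuration. This is an added example, not part of Honeyblock's own code: trapReason, sample, validHosts, the rule names, www.example.org and the /.well-known/ exemption are all assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Constructed patterns mirroring the README's rule list; adapt them to your site.
var (
	hiddenFile = regexp.MustCompile(`(^|/)\.[^/]`)
	scriptExt  = regexp.MustCompile(`(?i)\.(php|aspx?)$`)
	backupFile = regexp.MustCompile(`(?i)(^|/)backup\.(tar|tgz|tar\.gz|sql)$`)
	wordpress  = regexp.MustCompile(`(?i)(^|/)(wp-content|wp-includes|wp-json)(/|$)`)
	browserUA  = regexp.MustCompile(`Firefox|Chrome`)
)

// trapReason names the rule that would route r to the honeypot ("" for none);
// validHosts (hypothetical) holds the host names this server really answers for.
func trapReason(r *http.Request, validHosts map[string]bool) string {
	host, _, _ := strings.Cut(strings.ToLower(r.Host), ":") // drop any port
	switch p := r.URL.Path; {
	case !validHosts[host]:
		return "bad-host"
	case hiddenFile.MatchString(p) && !strings.HasPrefix(p, "/.well-known/"):
		return "hidden-file" // assumption: /.well-known/ (ACME, security.txt) stays reachable
	case scriptExt.MatchString(p):
		return "script-extension"
	case backupFile.MatchString(p):
		return "backup-file"
	case wordpress.MatchString(p):
		return "wordpress-path"
	case browserUA.MatchString(r.UserAgent()) && r.Header.Get("Sec-Fetch-Mode") == "":
		return "browser-ua-without-sec-fetch-mode"
	}
	return ""
}

// sample builds a constructed request so the rules can be tried offline.
func sample(host, path, ua, secFetchMode string) *http.Request {
	r := httptest.NewRequest("GET", path, nil)
	r.Host, r.Header = host, http.Header{"User-Agent": {ua}, "Sec-Fetch-Mode": {secFetchMode}}
	return r
}

func main() { // constructed probe; prints "hidden-file"
	fmt.Println(trapReason(sample("www.example.org", "/.git/config", "curl/8.5.0", ""), map[string]bool{"www.example.org": true}))
}
```

Running your own access log's paths and headers through a function like this shows which legitimate requests a rule would catch before it starts banning real visitors.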

Notes:

  • IP addresses and networks are kept for 3 days in the ipset. They're removed automatically by the kernel, and are not, by default, stored to disk -- so, on reboot, the sets will be flushed.
  • The IP lists are updated every 2 days (and change).
  • Opening /blocked-ips.php will export a list of all the IP addresses that have been blocked by this tool. This format is accepted by tools such as pfBlockerNG.
  • Running honeyblock ufw status will give you some stats.
  • Running honeyblock ufw stop will undo what honeyblock ufw start does.
  • Running honeyblock ufw flush-all will flush all iptables stats.
  • An earlier version of this thing has been running for years on one of my servers; it's been working great. I've recently decided to revamp the code and make it work with ipsets to improve performance and publish the source code so more people could benefit from it. I would appreciate a heads up if you end up using this!