Auto ban IP from Honeypot attempts?

[chuzie]

Not sure if it a DoS or a valid attempt to break in, but I've had multiple incidents in the past month of attacks on my Honeypot trying to login (1600+). Luckily I get the emails and manually ban the source IP. Yes, I realize this is the point of the Honeypot and it's a zero threat, but I'd rather just have a mechanism in place to ban the IP after X failed login attempts. 

Is this possible at the non-geek level?

Thanks!

[[ExiTuS]]

It is a very hard decision to rely on a IP addresses for a total ban.
Consider dynamically changing IP addresses.
If you can figure out same IP addresses periodically, then you may ban these addresses. But stay careful to not ban conventional visitors.

As a webmaster running a webserver for a while, you should know about permanent attempts of attack. Welcome to the web
You can never prevent such attempts (nevertheless if you're running a honeypot or a real login screen). You can't prevent!
A webserver is a system open to the web by definition, listening on ports that everyone can sniff and access.

If the amount of threats reaching a level where log files fill up, than it could be useful to drop logging/alerting for the moment and try other firewall activities instead.

What's your "Honeypot" - a plugin or any other self-made build?
Where do you see the log with all the attemps of attack?

[ETS]

[Crazycat]

Just a few words concerning honeypots.
The better way to use them is not to ban IP, because attackers will come back with another. A honeypot is interesting when it can slow down the attack. Vilain will spend time to try hacking a potential vulnerability without knowing he has been spotted.

It exists for ssh, creating a false SSHd which is really slow (around 1min to display the banner ), and I made (a long long time before) a php honeyspot (false wordpress admin page) in which I put a lot of sleep() and other funny features. I spent time to find the better way to slow the page without consume too much resources, and log a maximum of infos about attackers.

I also played with fail2ban to add temporary bans (between 24h and a week) by creating my own logs, filters and jails. It mades my server really resilient.

[Michael.Sentry]

You can auto ban hostile traffic with a firewall like Config Server Firewall ( CSF ). It also has Login Failure Daemon ( LFD ) which can temporarily ban brute force login attempts, similar to fail2ban. With CSF repeat offenders can be permanently banned automatically and you can also block IP's manually.

https://www.configserver.com/cp/csf.html

You could set up LFD to watch a log file, such as your honeypot logs and take action from there. Because LFD is a daemon and not run by cron so it's more effective at stopping attacks immediately.

Once the number of failed login attempts is reached, LFD immediately forks a sub-process and uses CSF to block the offending IP address from both in and outgoing connections. Stopping the attack in its tracks in a quick and timely manner. Other applications that use cron job timings to run usually completely miss brute force attacks as they run usually every 5 minutes or by which time the attack could be over, or simply biding its time. In the meantime LFD will have block the offenders IP address. By running the block and alert email actions in a sub-process, the main daemon can continue monitoring the logs without delay.

https://docs.danami.com/juggernaut/user-...ure-daemon

https://help.liquidweb.com/s/article/Wha...Daemon-LFD

How To Configure CSF/LFD to Block Wordpress Bruteforce Attacks Using a Custom Regex
https://www.knownhost.com/wiki/security/...sing-regex
https://www.knownhost.com/wiki/security/csf-lfd