
Try running some of your blocked ips through greynoise, they usually have some interesting information about them



Thanks for the tip. Looks like greynoise uses ipinfo.io for IP metadata.

I use https://www.abuseipdb.com/ for any manual IP address checks, and https://hackertarget.com/as-ip-lookup/ for finding what ASN an IP address (range) is a member of. I'll check out greynoise and see what extra info may be provided.


I (DevRel of IPinfo) run Fail2Ban on a VM as well. Protip: use the CLI.

- The CLI has the `grepip` command that extracts all the IP addresses from a text. You do not have to parse your logs.

- Analyze your data. After you have extracted your IP addresses from your logs, pipe them to the `summarize`, `map`, and `bulk` commands on the CLI.

- If you are doing bulk enrichment with the `bulk` command, you can use some kind of CSV query tool like CSVtoolkit, DuckDB, or Python-Pandas.

- Look into the ASN data. ASN data is always going to be the more interesting IP metadata for honeypot IPs. Summarize the IP addresses with the `summarize` command; it will give you a high-level report. If you want a web-shareable report, make a POST call to that endpoint. Docs: https://ipinfo.io/tools/summarize-ips

https://github.com/ipinfo/cli

You can always send your logs to me and ask what I think of them, and if I can find common patterns based on IP metadata. I am running our API and database services 24/7 and enjoy looking at logs. I can suggest firewall configurations based on country and ASN information provided by our free data.
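An offline illustration of the workflow described in this comment (pull banned IPs out of fail2ban log lines the way `grepip` would, enrich them, then summarize by ASN), added here as an example; it is not code from the thread or from the ipinfo CLI. The log lines and the ASN/country table are constructed placeholders standing in for real `ipinfo bulk` output.

```python
import re
from collections import defaultdict

# Constructed sample fail2ban log lines (RFC 5737 documentation addresses, not real bans).
FAIL2BAN_LOG = """\
2024-03-01 10:02:11,123 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2024-03-01 10:05:40,010 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.23
2024-03-01 10:07:02,555 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2024-03-01 10:09:15,902 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.99
2024-03-01 10:11:33,444 fail2ban.filter  [812]: INFO  [sshd] Found 198.51.100.23
"""

# Constructed enrichment table standing in for `ipinfo bulk` output (hypothetical ASN/org/country values).
ENRICHMENT = {
    "203.0.113.7":   {"asn": "AS64496", "org": "Example Hosting", "country": "NL"},
    "203.0.113.99":  {"asn": "AS64496", "org": "Example Hosting", "country": "NL"},
    "198.51.100.23": {"asn": "AS64497", "org": "Example Cloud",   "country": "US"},
}

# Strict dotted-quad matcher so timestamps and PIDs are never picked up as addresses.
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def grep_banned_ips(log_text):
    """Return {ip: ban_count} from fail2ban 'Ban' lines only (like grepip on pre-filtered lines)."""
    counts = {}
    for line in log_text.splitlines():
        if " Ban " not in line:          # ignore 'Found' and other non-ban events
            continue
        for ip in IPV4_RE.findall(line):
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def summarize_by_asn(ban_counts, enrichment):
    """Aggregate distinct IPs and total bans per ASN; IPs missing from the table go under 'unenriched'."""
    by_asn = defaultdict(lambda: {"org": None, "country": set(), "ips": 0, "bans": 0})
    for ip, n in ban_counts.items():
        meta = enrichment.get(ip)
        entry = by_asn[meta["asn"] if meta else "unenriched"]
        if meta:
            entry["org"] = meta["org"]
            entry["country"].add(meta["country"])
        entry["ips"] += 1
        entry["bans"] += n
    return dict(by_asn)


if __name__ == "__main__":
    for asn, row in summarize_by_asn(grep_banned_ips(FAIL2BAN_LOG), ENRICHMENT).items():
        print(asn, row["org"], sorted(row["country"]), "ips=%d bans=%d" % (row["ips"], row["bans"]))
```

Sorting the summary by `bans` is what surfaces the ASN-level pattern (one hosting network, several addresses) that a country- or ASN-based firewall rule would act on.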



