Enhancement: Use Public IP as the Target IP #104
Comments
This is a feature which Johannes started implementing some months ago (using the dshield IP lookup API). Hopefully this is still in the pipeline ;-)
It looks like /etc/dshield.ini has placeholders for this future work (honeypotip= and replacehoneypotip=). In the meantime, I inserted three lines in the /srv/dshield/dshield.pl file after rsyslog is restarted and before the /var/log/dshield.log.old file is opened for parsing. The lines just look up and replace my internal private IP with my external IP before the log is parsed:
Thanks for the solution. I will try to add that. We had some issues with hosts running IPv6, in which case the IPv6 address was reported. But with curl (or wget) I should be able to force IPv4. Will try that.
The solution by @bgant no longer works - it looks like dshield.pl is no longer called.
Added the public IP of the honeypot to the configuration (it may be used later). I am using our own API for it to avoid dependency issues.
I notice in the reports that the target IP is showing my private IP address. Wouldn't it be more helpful to show the public IP that is being attacked?
Or is there a setting I missed?
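The substitution discussed in the comments, sketched as an added example that is not code from this thread or from the DShield project: validate the looked-up address (rejecting the IPv6 answer mentioned above), then rewrite only RFC 1918 targets. The `DST=` iptables-style log format, the function names and the sample lines are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges a honeypot behind NAT would log as its own (target) address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Destination field of an iptables-style log line (assumed format).
DST_FIELD = re.compile(r"\bDST=(\S+)")


def is_rfc1918(addr):
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_public_ipv4(text):
    """Validate a lookup answer; raise ValueError for IPv6 or a private address."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version != 4:
        raise ValueError(f"lookup returned IPv6 address {addr}; force IPv4")
    if is_rfc1918(addr):
        raise ValueError(f"{addr} is a private address, not the external one")
    return str(addr)


def rewrite_target(line, public_ip):
    """Replace a private DST= value with the honeypot's public IPv4 address."""
    def swap(match):
        try:
            dst = ipaddress.ip_address(match.group(1))
        except ValueError:
            return match.group(0)  # not an address: leave the field untouched
        return f"DST={public_ip}" if is_rfc1918(dst) else match.group(0)
    return DST_FIELD.sub(swap, line)


# Constructed sample lines; 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_LOG = [
    "kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=40022 DPT=23",
    "kernel: IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=53",
    "kernel: IN=eth0 SRC=2001:db8::5 DST=2001:db8::1 PROTO=TCP SPT=40100 DPT=22",
]

if __name__ == "__main__":
    public_ip = parse_public_ipv4("203.0.113.10\n")  # constructed lookup answer
    for entry in SAMPLE_LOG:
        print(rewrite_target(entry, public_ip))
```

Only the first sample line changes; lines whose target is already public or is IPv6 pass through unmodified.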