Enhancement: Use Public IP as the Target IP #104

Closed
mikep11 opened this issue Apr 7, 2018 · 5 comments

@mikep11

mikep11 commented Apr 7, 2018

I notice in the reports that the target IP is showing my private IP address. Wouldn't it be more helpful to show the public IP that is being attacked?

Or is there a setting I missed?

@gebhard73
Contributor

This is a feature which Johannes has started implementing some months ago (using the dshield IP lookup API). Hopefully this is still in the pipeline ;-)

@bgant
Contributor

bgant commented May 7, 2018

It looks like /etc/dshield.ini has placeholders for this future work (honeypotip= and replacehoneypotip=).

In the meantime, I inserted three lines in the /srv/dshield/dshield.pl file after rsyslog is restarted and before the /var/log/dshield.log.old file is opened for parsing. The lines just look up and replace my internal private IP with my external IP before the log is parsed:

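```perl
# Existing step in dshield.pl: restart rsyslog.
`/etc/init.d/rsyslog restart`;
# Internal (private) address of the honeypot and its external address.
my $privateip=`hostname -I | tr -d ' \n'`;
my $internetip=`curl --silent http://ipecho.net/plain`;
chomp($internetip);  # a trailing newline would break the sed expression
# Rewrite the destination address in the log before it is parsed.
`sed -i 's/DST=$privateip/DST=$internetip/g' /var/log/dshield.log.old`;
open(F,'/var/log/dshield.log.old');
```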
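
An added example, not part of the original thread or the DShield code base: the same DST rewrite in Python, with the lookup response treated as untrusted and accepted only if it is a single non-private IPv4 address, and the match anchored so that dots are literal and longer addresses are left alone. The function names, the `NON_PUBLIC` list and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Ranges that can never be the honeypot's Internet-facing address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def parse_public_ipv4(response_text):
    """Return the lookup service's answer as an IPv4 string, or None.

    The body is untrusted input: reject IPv6, error pages, private
    addresses and anything that is not exactly one dotted-quad address.
    """
    try:
        addr = ipaddress.IPv4Address(response_text.strip())
    except ValueError:
        return None
    if any(addr in net for net in NON_PUBLIC):
        return None
    return str(addr)

def rewrite_dst(lines, private_ip, public_ip):
    """Replace DST=<private_ip> with DST=<public_ip> in each log line."""
    # re.escape keeps the dots literal; the lookahead stops 192.168.1.5
    # from matching the start of 192.168.1.50.
    pattern = re.compile(r"\bDST=" + re.escape(private_ip) + r"(?=\s|$)")
    return [pattern.sub("DST=" + public_ip, line) for line in lines]

# Constructed sample lines in iptables LOG style (not real traffic).
SAMPLE_LOG = [
    "kernel: IN=eth0 SRC=198.51.100.7 DST=192.168.1.5 PROTO=TCP DPT=23",
    "kernel: IN=eth0 SRC=198.51.100.9 DST=192.168.1.50 PROTO=TCP DPT=22",
    "kernel: IN=eth0 SRC=198.51.100.9 DST=192a168b1c5 PROTO=UDP DPT=53",
]

def demo():
    public_ip = parse_public_ipv4("203.0.113.10\n")  # constructed response
    if public_ip is None:
        return SAMPLE_LOG  # leave the log untouched on a bad lookup
    return rewrite_dst(SAMPLE_LOG, "192.168.1.5", public_ip)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the first sample line is rewritten; the other two show the near-miss cases that an unescaped, unanchored pattern would also change.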

@jullrich
Contributor

jullrich commented May 7, 2018

Thanks for the solution. I will try to add that. We had some issues with hosts running IPv6, in which case the IPv6 address was reported. But with curl (or wget) I should be able to force IPv4. Will try that.

@mikep11
Author

mikep11 commented Sep 8, 2018

The solution by @bgant no longer works - it looks like dshield.pl is no longer called.
Has this feature been implemented and I need to enable it somewhere?

@jullrich
Contributor

jullrich commented Nov 6, 2019

Added the public IP of the honeypot to the configuration (and may be used later). I am using our own API for it to avoid dependency issues.

@jullrich jullrich closed this as completed Nov 6, 2019