Blacklisting with Project Honeypot

The other day I was looking at the traffic coming in to one of our sites and I saw some semi-suspicious traffic. Turns out it is some sort of crawler, but it has been linked in the past to some sort of trojan. This got me wondering how I could easily block traffic from an IP or a range of IPs. I did not really want to use IIS to block IPs, or have to enter individual IPs (or ranges for that matter) into our firewall. I was looking for something a bit more automated.

A quick Google turned up this post for an HTTP module. The module uses the blacklist from Project Honeypot. All one needs to do is sign up for the PH API, make some minor modifications to the module and you are off and running.

A little more googling turned up another HTTP module on GitHub called BlacklistProtector. I did not look much at this code, but I imagine it is pretty similar and likely requires an API key as well.

One thing I did notice in the comments section of the first blog post is that the original creator of the module claimed PH had too many “false positives”. Granted, the comment was from a few years back, so it may not apply these days, but it is something to consider. I haven’t implemented the blacklist handler, but I thought it would be useful to allow for some method of overriding IP addresses. Perhaps when I finally do implement the handler I’ll add this capability. If I do, I’ll be sure to put the code up on GitHub and update this post with a link.
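
The blacklist lookup and the override idea described above, as an added C# example (not code from either linked module or from this post's author). It assumes Project Honeypot's http:BL DNS interface; the class name, thresholds, override list and access key are hypothetical placeholder values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Sockets;

public static class HttpBlCheck
{
    // Constructed sample override list: addresses here are never blocked,
    // which is the escape hatch for blacklist false positives.
    static readonly HashSet<string> Overrides = new HashSet<string> { "203.0.113.10" };
    const int MaxAgeDays = 30;  // assumed policy: ignore listings with no recent activity
    const int MinThreat = 25;   // assumed policy: ignore low threat scores

    // http:BL query name: <access key>.<IPv4 octets reversed>.dnsbl.httpbl.org
    public static string QueryName(string accessKey, IPAddress ip)
    {
        string reversed = string.Join(".", ip.GetAddressBytes().Reverse());
        return accessKey + "." + reversed + ".dnsbl.httpbl.org";
    }

    // Returns the A record for a listed address, or null when unlisted.
    public static IPAddress Lookup(string accessKey, IPAddress client)
    {
        if (client.AddressFamily != AddressFamily.InterNetwork) return null; // IPv4 only
        try { return Dns.GetHostAddresses(QueryName(accessKey, client)).FirstOrDefault(); }
        catch (SocketException) { return null; } // NXDOMAIN or resolver failure
    }

    // Answer format: 127.<days since last activity>.<threat score>.<visitor type>
    public static bool ShouldBlock(IPAddress client, IPAddress answer)
    {
        if (Overrides.Contains(client.ToString())) return false; // local override wins
        if (answer == null) return false;                        // not listed
        byte[] b = answer.GetAddressBytes();
        if (b.Length != 4 || b[0] != 127) return false; // unexpected answer: allow (assumed fail-open policy)
        if (b[3] == 0) return false;                    // visitor type 0 = known search engine
        return b[1] <= MaxAgeDays && b[2] >= MinThreat;
    }

    public static void Main()
    {
        // Constructed addresses and answers, so this runs without a network or a real key.
        var client = IPAddress.Parse("198.51.100.7");
        Console.WriteLine(QueryName("abcdefghijkl", client)); // placeholder 12-character key
        Console.WriteLine(ShouldBlock(client, IPAddress.Parse("127.3.60.4")));   // recent, high score
        Console.WriteLine(ShouldBlock(client, IPAddress.Parse("127.200.60.4"))); // stale listing
        Console.WriteLine(ShouldBlock(IPAddress.Parse("203.0.113.10"), IPAddress.Parse("127.3.60.4"))); // overridden
    }
}
```

In an HTTP module, `ShouldBlock(client, Lookup(key, client))` would run early in the request pipeline, with results cached per address so each request does not trigger a DNS query.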