acouvreur / ssh-log-to-influx

Send SSH authentication logs to influxdb with geohashing IP
GNU General Public License v3.0

Leveraging IP abuse API? #81

Open edasque opened 4 years ago

edasque commented 4 years ago

It might be interesting to look into using such an API to either feed data or add to the data.

https://www.abuseipdb.com/check/83.143.86.62

https://docs.abuseipdb.com/#introduction

I wish https://ip-46.com/83.143.86.62 had an API.

acouvreur commented 4 years ago

Thanks for the suggestion! I like it a lot! I will look into it for sure.

What would you suggest as relevant data? Keep in mind that these data are inserted in InfluxDB, which is mainly used for time-based data.

edasque commented 4 years ago

I was thinking maybe using the abuseConfidenceScore in the CHECK endpoint?

Another idea was to use the REPORT mechanism to report when there are attacks?

acouvreur commented 4 years ago

Abuse confidence score is nice indeed.

The report feature is indeed nice, but should be optional IMO.
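
Added example, not part of the thread and not the project's own code: one way to attach the CHECK endpoint's `abuseConfidenceScore` to a failed-login point as an InfluxDB line-protocol field, with a cache so repeated attempts from one IP cost a single API call. The measurement, tag and field names, the cache TTL and the `event` shape are assumptions; the lookup function is injected so the enrichment can run against a constructed response.

```javascript
// Assumption: re-check a given IP at most once every 6 hours to stay within API quota.
const CACHE_TTL_MS = 6 * 60 * 60 * 1000;
const cache = new Map(); // ip -> { score, expires }

// Calls the AbuseIPDB v2 CHECK endpoint; apiKey comes from the operator's configuration.
async function checkAbuseIpDb(ip, apiKey) {
  const url = new URL('https://api.abuseipdb.com/api/v2/check');
  url.searchParams.set('ipAddress', ip);
  url.searchParams.set('maxAgeInDays', '90');
  const res = await fetch(url, { headers: { Key: apiKey, Accept: 'application/json' } });
  if (!res.ok) throw new Error(`AbuseIPDB returned HTTP ${res.status}`);
  return res.json();
}

// Returns the score (0-100), or null when the lookup fails or the response is malformed,
// so that an API outage or rate limit never prevents the login event from being recorded.
async function abuseScore(ip, lookup, now = Date.now()) {
  const hit = cache.get(ip);
  if (hit && hit.expires > now) return hit.score;
  try {
    const body = await lookup(ip);
    const score = body?.data?.abuseConfidenceScore;
    if (!Number.isInteger(score) || score < 0 || score > 100) return null;
    cache.set(ip, { score, expires: now + CACHE_TTL_MS });
    return score;
  } catch {
    return null;
  }
}

// Escape tag values per InfluxDB line protocol (commas, equals signs, spaces).
const escTag = (v) => String(v).replace(/[,= ]/g, '\\$&');

// Builds one line-protocol record. The score is an integer field, so it can be
// aggregated and thresholded over time alongside the event itself.
async function toLineProtocol(event, lookup) {
  const score = await abuseScore(event.ip, lookup);
  const tags = `ip=${escTag(event.ip)},username=${escTag(event.username)}`;
  const fields = ['value=1i'];
  if (score !== null) fields.push(`abuseConfidenceScore=${score}i`);
  return `ssh_auth_failure,${tags} ${fields.join(',')} ${event.timestampNs}`;
}
```

In production the `lookup` argument would be `(ip) => checkAbuseIpDb(ip, apiKey)`.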