Honeypot IP Logger, Blocker, and AbuseIPDB Reporter

This script and systemd service allow you to monitor traffic to an unused IP address ("honeypot" IP) on your server, log all unauthorized hits, automatically block repeat offenders using ipset, and report them to AbuseIPDB.

---

⚠️ Overview

• Watches kernel logs for traffic to a honeypot IP.
• Blocks malicious IPs dynamically with ipset.
• Reports attackers to AbuseIPDB.
• Whitelists safe networks to avoid false positives.

---

🛠 Requirements

• bash
• iptables, ipset
• curl
• systemd
• An AbuseIPDB API key

---

🔧 Installation

1. Download the script

wget https://yourdomain.com/path/to/honeypot-watch.sh -O /usr/local/bin/honeypot-watch.sh
chmod +x /usr/local/bin/honeypot-watch.sh

2. Configure the script

Edit the file:

nano /usr/local/bin/honeypot-watch.sh

Update the variables near the top:

API_KEY="YOUR_ABUSEIPDB_KEY_HERE"
HONEYPOT_IP="UNUSED_IP_HERE"
RANGE="YOUR_RANGE_HERE/24"

You can also edit the WHITELIST_SET section to include trusted IPs or networks.

---

3. Create the systemd service

nano /etc/systemd/system/honeypot.service

Paste the following:

[Unit]
Description=Live Honeypot IP Logger
After=network.target

[Service]
ExecStart=/usr/local/bin/honeypot-watch.sh
Restart=always
RestartSec=3
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

---

4. Enable and start the service

systemctl daemon-reload
systemctl enable --now honeypot.service

---

✅ Verifying It's Working

• View logs live:

journalctl -u honeypot.service -f

• Test by hitting the honeypot IP from another machine.
• Check the ipset:

ipset list honeypot4

---

🧼 Notes

• The honeypot IP is added to lo and cannot make outbound connections.
• This setup avoids blocking your own internal ARP or infrastructure.
• Ensure the honeypot IP is not in DNS or being used by any legitimate service.

---

🕊 License

This project is released under the Unlicense.