
Working on this IP reputation API:

reputation.noc.org/

Test it out and let me know if you find it useful somehow.

Gives basic information about an IP + details if we detected it involved in web spam, web attacks, sshd bruteforce, etc.

*in beta

@dcid
Looks cool! Where do you get the information from (I'm most interested in the reputation section)

@agielchinsky A mix of our own collection of honeypots (for ssh/web brute force and web attacks) and some external blacklists / lists of proxies/vpns.

@dcid
I would love to add this to my wordpress site. How would you recommend the best way to do so?

@ScottMortimer You just gave me a project :) Let me look into how to integrate that as a plugin.

@dcid
That would be awesome. There is a serious dearth of good IP address tools in the WP ecosystem.

@dcid It's nitpicky, but why does it return an autonomous system number number?

@jens For information purposes. That's the ASN for that specific IP block.

@dcid Yeah, sorry, I made a bad joke.

I meant that the N in ASN already stands for "number", so "asn_number" is a bit redundant.

Doesn't really matter, it's understandable :)

@dcid yeah, might be helpful. It works, just checked some of my server IPs. Thank you, I'll bookmark it for further use.

@dcid why is "tor" in "reputation", putting it in a context of clearly-bad-things?

I find that problematic. Basically that's a category of *malicious actions* that randomly contains a particular tool. Why not add "nmap" or other tools that can be and often are used for malicious purposes?

Wouldn't it make more sense to add a separate category for such tools that does not presuppose them being used maliciously?

In the end, if you see malicious actions from that IP, it matters less that it came through Tor.

@rysiek Oh, it means if the IP is being used as a Tor exit node.

I love Tor and what it provides, but in the context of security, unfortunately, we see a LOT of attacks, spam comments and other bad activities from this small number of Tor exit nodes.

@dcid I understand all of this (doing infosec for an infrastructure provider here).

My point was about mixing a tool ("tor") with malicious actions ("ddos", "spam", etc) in the same category.

It seems to me that:
1. information that an IP is a tor exit node is relevant;
2. information that there are malicious actions associated with an IP is relevant;
3. these are *separate* pieces of information;
4. mixing information on tools with information about actions is perhaps not great.

@dcid specifically, it signals that Tor is to be considered "bad" (just like other things in that same category), and I think we can agree that it's more nuanced than that.

If you see malicious traffic coming from an IP, you will see it regardless of whether or not it's a Tor node.

Therefore, it would already register and be expressed in one of the other items in that category, anyway.

Conversely, if there is no malicious traffic coming from that IP, flagging "tor" in the category for malicious...

@dcid ...actions seems a bit unfair.

In other words, making "tor" part of that same category as actually malicious actions is, I would argue, redundant at best, and somewhat harmful at worst.

I agree that information that there is a Tor exit node at an IP address is relevant and needs expressing though. It just doesn't feel right to express that in the same category as "ddos", "brute_force" etc.

Same goes for "proxy", I'd say.

@rysiek Agree. Good points. Will organize it better.

I think the same argument applies to the proxy/vpn category.

@dcid yup, totally.

Great to hear, thanks for taking it under consideration!
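The separation argued for above (network-type flags such as "tor", "proxy" and "vpn" kept apart from observed malicious actions such as "ddos" or "brute_force"), shown as an added example on the consuming side. This is not code from reputation.noc.org or the API's own response format: the flat `reputation` tag list, the tag names, and the `asn` field are assumptions for illustration. The point it demonstrates is that a Tor exit or proxy flag alone never makes an IP "malicious"; only recorded actions do, and a caller who wants to treat anonymizers specially opts into that explicitly.

```python
"""Split a flat reputation tag list into network-type flags and malicious
actions, then decide on an IP without treating "tor" or "proxy" as an attack.

Added example; the response shape and tag vocabulary below are assumed,
not the real reputation.noc.org format.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed tag vocabulary, built from the tag names mentioned in the thread.
NETWORK_TAGS = {"tor", "proxy", "vpn"}          # how traffic reaches you
ACTION_TAGS = {"ddos", "spam", "brute_force",     # what the IP has been seen doing
               "web_attack", "sshd_bruteforce"}


@dataclass
class Reputation:
    ip: str
    asn: Optional[str]
    network: set = field(default_factory=set)   # e.g. {"tor"}
    actions: set = field(default_factory=set)   # e.g. {"brute_force"}
    unknown: set = field(default_factory=set)   # tags we do not recognise


def split_reputation(record: dict) -> Reputation:
    """Normalise an (assumed) flat API record into separate categories."""
    rep = Reputation(ip=record["ip"], asn=record.get("asn"))
    for tag in record.get("reputation", []):
        tag = tag.strip().lower()
        if tag in NETWORK_TAGS:
            rep.network.add(tag)
        elif tag in ACTION_TAGS:
            rep.actions.add(tag)
        elif tag:
            rep.unknown.add(tag)   # surface, never silently drop, new tags
    return rep


def is_malicious(rep: Reputation) -> bool:
    """Only observed actions count; being a Tor exit or proxy is not an action."""
    return bool(rep.actions)


def decide(rep: Reputation, challenge_anonymizers: bool = False) -> str:
    """Return 'block', 'challenge' or 'allow' for a request from this IP.

    A site that wants to add a CAPTCHA or rate limit for anonymizer traffic
    can opt in with challenge_anonymizers; by default Tor/proxy/VPN traffic
    with no recorded actions is treated like any other IP.
    """
    if is_malicious(rep):
        return "block"
    if challenge_anonymizers and rep.network:
        return "challenge"
    return "allow"


# Constructed sample records (not real API output, not real reputations).
SAMPLE_RECORDS = [
    {"ip": "198.51.100.10", "asn": "AS64496", "reputation": ["tor"]},
    {"ip": "198.51.100.11", "asn": "AS64496", "reputation": ["tor", "brute_force"]},
    {"ip": "203.0.113.5", "asn": "AS64497", "reputation": ["proxy", "newtag"]},
    {"ip": "203.0.113.6", "asn": None, "reputation": []},
]


def summarize(records=SAMPLE_RECORDS):
    """Map each IP to (network flags, actions, default decision)."""
    out = {}
    for rec in records:
        rep = split_reputation(rec)
        out[rep.ip] = (sorted(rep.network), sorted(rep.actions), decide(rep))
    return out


if __name__ == "__main__":
    for ip, (net, acts, verdict) in summarize().items():
        print(f"{ip:15} network={net} actions={acts} -> {verdict}")
```

With the constructed records, the Tor exit with no actions is allowed by default and only "challenged" if the caller asks for that, while the Tor exit that was also seen brute-forcing is blocked because of the brute-force record, exactly as it would be if it were not a Tor node at all.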

@dcid
It would be nice if it responded to URLs in addition to IPs. Currently if I put in a URL it returns the results for my current IP.
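The failure mode described in this post, a URL silently falling through to a lookup of the caller's own IP, is avoidable with an explicit input-classification step on whichever side accepts the query. The following added example (not code from reputation.noc.org) turns free-form input into either an IP literal or a hostname that still needs resolving, and refuses anything it cannot interpret rather than defaulting to some other address. It handles bracketed IPv6 literals, URLs with credentials or ports, and bare hostnames; the `resolve` helper that follows uses standard `socket.getaddrinfo` and is only used when the caller asks for it, because a reputation lookup should never resolve names behind the user's back.

```python
"""Classify a lookup string as an IP literal or a hostname before querying
an IP reputation service. Added example; no real API endpoint is assumed."""
import ipaddress
import socket
from urllib.parse import urlsplit


def lookup_target(text: str):
    """Return ("ip", normalized_ip) or ("host", hostname).

    Raises ValueError when no usable host can be found, instead of falling
    back to some unrelated address (the behaviour the post complains about).
    """
    text = text.strip()
    if not text:
        raise ValueError("empty input")

    # 1. A bare IPv4/IPv6 literal: normalise and return as-is.
    try:
        return "ip", str(ipaddress.ip_address(text))
    except ValueError:
        pass

    # 2. Otherwise treat it as a URL. urlsplit only fills .hostname when the
    #    string has a scheme or a leading "//", so supply one for bare hosts.
    candidate = text if "://" in text else "//" + text
    host = urlsplit(candidate).hostname  # strips scheme, userinfo, port, path, [ ]
    if not host:
        raise ValueError(f"no host found in {text!r}")

    # 3. The URL's host may itself be an IP literal (e.g. http://1.2.3.4/).
    try:
        return "ip", str(ipaddress.ip_address(host))
    except ValueError:
        return "host", host


def resolve(hostname: str):
    """Resolve a hostname to the set of IPs to look up (network access)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({str(ipaddress.ip_address(info[4][0])) for info in infos})


def targets_for(text: str, allow_dns: bool = False):
    """IPs to query for one user-supplied string; DNS only when allowed."""
    kind, value = lookup_target(text)
    if kind == "ip":
        return [value]
    if not allow_dns:
        raise ValueError(f"{value!r} is a hostname; pass allow_dns=True to resolve it")
    return resolve(value)


if __name__ == "__main__":
    # Constructed inputs covering the cases a form field tends to receive.
    for sample in ["198.51.100.7", "https://user:pw@example.com:8443/path?q=1",
                   "example.com", "http://[2001:db8::1]/", "2001:DB8::1", "https://"]:
        try:
            print(f"{sample!r:45} -> {lookup_target(sample)}")
        except ValueError as exc:
            print(f"{sample!r:45} -> rejected: {exc}")
```

Only the offline classification is worth testing here; `resolve` is deliberately kept behind `allow_dns` so that a caller who just wants IP lookups never triggers a DNS query, and so that an unresolvable or malformed input surfaces as an error rather than as a report on the wrong address.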

Noc.Social
