: Disadvantages of a fake phpMyAdmin honeypot that causes ip blacklisting and robots.txt disallow/exclusion of the honeypot? I'm trying to figure out whether I should set up a honeypot system with

@BetL925

Are there disadvantages to this approach


Yes. A malicious party could be using a proxy IP. You could end up blacklisting legitimate users with the same IP, and the malicious user may just change their IP if blacklisted.

Vote Up Vote Down

@Shanna517

Obvious disadvantage of blacklisting is blocking valid users sharing NAT with machines you want to blacklist (think: big corporations with VPN and only few external IPs or universities with similar setups, maybe even some ISPs).

In particular case of worms, such as the one trying to propagate through bugs in phpMyAdmin, that would mean you blacklist infected machines. They would remain blacklisted even after they have been cleaned up using anti-virus software. That's also not something what you want.

Vote Up Vote Down

@Heady270

Robots.txt is an advisory protocol; no-one has to follow it, and several spiders don't (e.g. those used by Internet archivists like the archive team.)

As such, you might like to consider whitelisting the IP addresses that will be accessing your real phpMyAdmin area and excluding all others, rather than blacklisting all those who hit your honeypot. The simplest way to do this if you have access to the phpMyAdmin directory is by including a .htaccess file with the following rules:

order deny,allow
deny from all
# allow my home IP address
allow from XX.XX.XXX.XXX
# allow my work IP address
allow from XX.XX.XXX.XXX

Vote Up Vote Down