One of my server logs showed there was an unauthorized access attempt on a daemon listening on a non-standard port. That led me to wonder how often people run port scanners to look for vulnerabilities. Is there a program I can run as a honeypot to automatically ban IPs that scan certain ports?
2Don't mention the OS, that would take up too much space. – niXar Aug 30 '09 at 20:24
2And making sarcastic comments helps nobody – Mark Henderson Aug 30 '09 at 22:01
4 Answers
You could write something for fail2ban to parse iptables rules, and ban IPs that hit particular ports.
+1 iptables rules. Rate limiting is very easy and useful; see this link: http://www.geocities.com/youssef116/writing/ratelim.html ;-) – ForgeMan Aug 31 '09 at 00:59
Heh... pimping OSSEC once again, but check it out. It can automatically run scripts (and update firewall rulesets on Linux/BSD almost out of the box) when specific syslog patterns are noted: http://ossec.net
You should expect a machine on the Internet to be scanned basically continually.
Automatically banning IPs that scan certain ports is not what a honeypot is.
The attackers have access to multiple networks. You can't block them. You can frustrate a portscanner, but if the goal is to frustrate people scanning your network and not add security, your best solution is a honeypot.
But you don't know what one is and I really doubt you want to set one up. Your question indicates that you should study some security and networking basics. Setting up honeypots is one road to better understanding of information security.
To get actual help for systems problems, or really any technical problem in any field, you should describe the situation and where you want to end up. Designing a solution when you know little about what's going on, and asking for implementation assistance with small details, is a sure sign of a project that will end in failure.
I don't know what OS you are running, but certain firewalls have the ability to create rules that allow you to automatically ban a user if they hit a certain port within a certain amount of seconds.
The other option is to run a script of some sort that reads the log file, and when it sees attempts on the ports in question, it automatically adds a new entry to the firewall to keep them out.
Port scanning is just a fact of life. If this service is supposed to be available to only certain people, then adjust your firewall so that everything except what is allowed to access it is blocked, basically creating a whitelist rather than a blacklist. Whitelisting is more effective, but at the same time more of a pain to maintain.
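The first answer (have fail2ban parse firewall log lines and ban IPs that hit particular ports) and the last answer (a script that reads the log file and adds a firewall entry when a source hits a watched port a certain number of times within a certain number of seconds) describe the same mechanism. The following is an added example, not code from any of the answers or from fail2ban itself: it parses the lines that a netfilter `LOG` target writes to syslog, keeps a per-source sliding window of hits on the watched ports, and emits the `iptables` drop rule for any source that exceeds the threshold. The log lines, the watched ports, the threshold, the window, the year used to complete the syslog timestamps, and the IP addresses are all constructed for the example; the "whitelist" is the allow-list the last answer recommends, so that a trusted source is never banned by the script.

```python
import re
import subprocess
from collections import defaultdict, deque
from datetime import datetime

# Matches a kernel netfilter LOG line as relayed by syslog (constructed format
# below). This is the same kind of pattern a fail2ban failregex would use.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges). 203.0.113.5 probes three watched ports in 10 seconds;
# 203.0.113.7 hits one watched port three times but minutes apart;
# 203.0.113.9 hits once; 198.51.100.20 only touches an unwatched port.
SAMPLE_LOG = [
    "Aug 30 20:24:01 gw kernel: [1234.5] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 30 20:24:03 gw sshd[123]: Accepted publickey for admin from 198.51.100.9 port 51234 ssh2",
    "Aug 30 20:24:05 gw kernel: [1238.1] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44322 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 30 20:24:06 gw kernel: [1239.0] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40000 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 30 20:24:11 gw kernel: [1244.2] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44323 DPT=2223 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 30 20:24:12 gw kernel: [1245.0] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 30 20:30:00 gw kernel: [1600.0] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=41000 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 30 20:33:00 gw kernel: [1780.0] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=41001 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Aug 30 20:36:00 gw kernel: [1960.0] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=41002 DPT=2222 WINDOW=1024 RES=0x00 SYN URGP=0",
]

# Ports the question calls "certain ports": constructed for the example.
WATCHED_PORTS = {2222, 2223, 3306}


def parse_line(line, year=2009):
    """Return a dict for a netfilter LOG line, or None for any other line.

    Traditional syslog timestamps carry no year, so the caller supplies one
    (assumption: a fixed year is good enough for the example)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "src": m["src"], "proto": m["proto"], "dport": int(m["dpt"])}


def find_offenders(lines, watched_ports, threshold=3, window=60, whitelist=()):
    """Return sources that hit watched ports >= threshold times within window seconds.

    Each source keeps a deque of recent hit times; entries older than the window
    are dropped before the count is checked, which is the "certain port within a
    certain amount of seconds" rule from the last answer. Whitelisted sources are
    never considered."""
    hits = defaultdict(deque)
    banned = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] not in watched_ports or ev["src"] in whitelist:
            continue
        q = hits[ev["src"]]
        q.append(ev["time"])
        while (ev["time"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in banned:
            banned.append(ev["src"])
    return banned


def ban_command(ip):
    """The iptables rule that drops all traffic from ip (inserted at the top of INPUT)."""
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def ban(ip, apply=False):
    """Return the ban command as a string; run it only when apply=True (needs root)."""
    cmd = ban_command(ip)
    if apply:
        subprocess.run(cmd, check=True)
    return " ".join(cmd)


if __name__ == "__main__":
    for ip in find_offenders(SAMPLE_LOG, WATCHED_PORTS, whitelist={"198.51.100.9"}):
        print(ban(ip))  # dry run: prints "iptables -I INPUT -s 203.0.113.5 -j DROP"
```

Run as-is it only prints the rule it would add; pass `apply=True` to `ban()` (as root, with the log tailed instead of the constructed list) to actually insert it. Note that a ban list built this way grows without bound unless entries expire, which is the other half of what fail2ban's `bantime` provides, and that a scanner with a spoofed or throwaway source address can use such a script to get addresses you care about blocked, which is why the allow-list check comes before the counting.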