Monday, August 9, 2010

Honeyport script

I was listening to the pauldotcom podcast (see www.pauldotcom.com), episode 204, and they had a very interesting tech segment called Honeyports on Linux (see episode 203 as well for honeyports on Windows). The basic idea is to block a potentially malicious person, by IP address, from accessing your system. It also works in situations where an attacker is performing a TCP scan of your machine that completes the full three-way TCP handshake: doing so triggers our honeyport script, which automatically adds a firewall rule preventing that IP address from establishing any further TCP connections to our machine.

The script is also very simple and elegant.

#!/bin/bash
# Honeyport: listen on TCP 2222; any host that completes a connection gets dropped.
echo "started"
while true ; do
    # netcat's verbose "connect to [...] from (UNKNOWN) [x.x.x.x] port" line goes to stderr
    IP=$(nc -v -l -p 2222 2>&1 1>/dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1)
    # skip an empty result (netcat exited without a connection) rather than adding a broken rule
    [ -n "${IP}" ] || continue
    iptables -A INPUT -p tcp -s "${IP}" -j DROP
done
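The extraction step of the script above, pulled out into functions together with the checks you want before handing an address to iptables (validate the address, never block an allowlisted management host, do not add the same rule twice). This is an added example, not the post's own code; it assumes the traditional netcat verbose output format the cut chain relies on, and PORT, ALLOWLIST, the sample line and the function names are my own constructions.

```shell
#!/bin/bash
# Added example, not from the original post: the honeyport's IP-extraction step as
# functions, plus three checks the one-liner lacks (address validation, an allowlist
# so you cannot firewall off your own management host, and no duplicate rules).
# Assumes the traditional netcat verbose line format the post's cut chain relies on;
# the sample line and allowlist below are constructed for illustration.
PORT=2222
ALLOWLIST="127.0.0.1 10.0.0.2"   # hosts never to block (assumed values)
SAMPLE_LINE='connect to [10.0.0.5] from (UNKNOWN) [203.0.113.7] 40123'

# extract_ip LINE -> peer address from netcat's "from" line (same cut chain as the post), or nothing.
extract_ip() {
    printf '%s\n' "$1" | grep from | cut -d[ -f 3 | cut -d] -f 1
}

# valid_ipv4 ADDR -> succeeds only for a dotted quad with octets 0-255, so a garbled
# netcat line can never be turned into an iptables argument.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# should_block ADDR -> succeeds if ADDR is valid and not on the allowlist.
should_block() {
    valid_ipv4 "$1" || return 1
    for a in $ALLOWLIST; do [ "$a" = "$1" ] && return 1; done
    return 0
}

# handle_line LINE -> prints the address to firewall, or nothing if it must be left alone.
handle_line() {
    ip=$(extract_ip "$1")
    if should_block "$ip"; then printf '%s\n' "$ip"; fi
}

# run_honeyport -> the post's loop with the checks above; iptables -C skips a rule that already exists.
run_honeyport() {
    echo "started"
    while true; do
        ip=$(handle_line "$(nc -v -l -p "$PORT" 2>&1 1>/dev/null)")
        [ -n "$ip" ] || continue
        iptables -C INPUT -p tcp -s "$ip" -j DROP 2>/dev/null \
            || iptables -A INPUT -p tcp -s "$ip" -j DROP
    done
}
```

Call run_honeyport as root to start listening; the other functions can be exercised on saved netcat output without touching the firewall.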

Good stuff from John Strand and the pauldotcom crew for coming up with something so simple, yet so elegant and useful.

Resources/Good Reading:
http://pauldotcom.com/wiki/index.php/Episode204
