Monday, August 9, 2010

Honeyport script

I was listening to a pauldotcom podcast (see, episode 204 and they had a very interesting tech segment called Honeyports on linux (see episode 203 as well for honeyports on windows). The basic idea behind this is the block a potential malicious person via his ip address from accessing your system. This can also work in some situations where an attacker is performing a TCP scan of your machine that actually goes through the entire 3 way TCP handshake and by doing so, trigger our Honeyport script and automatically add a firewall rule to restrict that IP address from further establishing any TCP communication to our machine.

The script is also very simple and elegant.

while [ 1 ] ;
echo "started" ;
do IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`;
iptables -A INPUT -p tcp -s ${IP} -j DROP ;

Good Stuff from John Strand and the pauldotcom crew for comming up with something so simple, yet so elegant and usefull.

Resources/Good Reading:

No comments:

Post a Comment