The following example shows how to set up a connection honeypot with the fail2ban daemon. It works by logging connection attempts to unused ports with the iptables LOG target and taking ban actions against the source IPs with fail2ban.
The configuration has been tested on a Debian Wheezy box but should also work for other distributions.
On a Debian box, install the fail2ban daemon with:

    apt-get install fail2ban
Create an action definition in /etc/fail2ban/action.d/iptables-honeypot.local (the start/stop commands belong in the [Definition] section, the two variables they reference in [Init]):

    [Definition]
    actionstart = iptables -A INPUT -p tcp --syn -m multiport -i <honeydev> --dports <honeyports> -j LOG --log-prefix "HONEYPOT CONNECTION: "
    actionstop = iptables -D INPUT -p tcp --syn -m multiport -i <honeydev> --dports <honeyports> -j LOG --log-prefix "HONEYPOT CONNECTION: "

    [Init]
    honeyports = 23,111,137:139,161,162,194,389,445,636,1080,1433,3306,3128
    honeydev = eth0
The start and stop actions are executed every time fail2ban starts or stops and insert or remove the honeypot LOG rule. Adjust the honeyports and honeydev settings for your system. The honeyports line should only list ports that are really unused. Note that -A appends the LOG rule to the end of the INPUT chain, so an earlier rule that already accepts or drops SYNs to one of those ports will prevent the attempt from being logged.
Next create a filter to match the log lines produced by connections to one of the honeyports in /etc/fail2ban/filter.d/iptables-honeypot.local:

    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = kernel
    failregex = ^%(__prefix_line)s.*HONEYPOT CONNECTION: .*SRC=<HOST>
Now add a honeypot jail like the following to your jail configuration in /etc/fail2ban/jail.local:

    [honeypot]
    enabled = true
    maxretry = 1
    banaction = iptables-allports
    filter = iptables-honeypot
    logpath = /var/log/kern.log
    port = all
    action = %(action_)s
             iptables-honeypot

The action setting lists two actions: %(action_)s expands to the default ban action from jail.conf (iptables-allports here, selected via banaction), which does the actual banning, and iptables-honeypot only installs the LOG rule when the jail starts. If the jail listed iptables-honeypot alone, nothing would ever be banned, since that action defines no actionban.
Activate the changes by restarting fail2ban:

    service fail2ban restart
Be careful not to lock yourself out. Make sure to whitelist your own subnets with the ignoreip setting in [DEFAULT]. You may also want to start with a softer ban action than iptables-allports first.
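Before restarting, it is worth seeing which kern.log lines the filter above would actually turn into bans. The following Python script is an added example, not part of the original post or of fail2ban itself: it applies the same pattern as the filter's failregex (with fail2ban's <HOST> tag expanded to an IPv4 group and a simplified stand-in for common.conf's __prefix_line, both assumptions of this demo) to a few constructed kern.log lines, then applies the jail's maxretry and an ignoreip whitelist the way the jail would.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's common.conf __prefix_line, covering a
# syslog-style kern.log entry: "<Mon DD HH:MM:SS> <host> kernel: [<uptime>] ".
# The real __prefix_line is more permissive; this approximation is an assumption.
PREFIX_LINE = r"\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ kernel: (?:\[\s*\d+\.\d+\] )?"

# fail2ban's <HOST> tag, expanded here to a named group matching an IPv4 address.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Same shape as the filter's failregex: ^%(__prefix_line)s.*HONEYPOT CONNECTION: .*SRC=<HOST>
FAILREGEX = re.compile(r"^" + PREFIX_LINE + r".*HONEYPOT CONNECTION: .*SRC=" + HOST)

# Constructed sample log lines (documentation addresses, not real traffic).
# Lines 1, 2 and 4 come from the honeypot LOG rule; line 3 is some other LOG
# rule with a different prefix; line 5 is an unrelated kernel message.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw kernel: [ 1234.567890] HONEYPOT CONNECTION: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=23 SYN URGP=0
Mar  3 10:15:02 gw kernel: [ 1235.100000] HONEYPOT CONNECTION: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51235 DPT=445 SYN URGP=0
Mar  3 10:15:03 gw kernel: [ 1236.000000] DROPPED INPUT: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=4000 DPT=22 SYN URGP=0
Mar  3 10:15:04 gw kernel: [ 1237.000000] HONEYPOT CONNECTION: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=4001 DPT=3306 SYN URGP=0
Mar  3 10:15:05 gw kernel: usb 1-1: new high-speed USB device number 3 using ehci_hcd
"""


def match_honeypot_hits(log_text):
    """Return the source IP of every line the honeypot failregex matches, in order."""
    hits = []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits.append(m.group("host"))
    return hits


def hosts_to_ban(log_text, maxretry=1, ignoreip=()):
    """Sources with at least maxretry matching lines, minus whitelisted addresses.

    This mirrors the jail's maxretry = 1 and the ignoreip setting; findtime is
    ignored because the sample spans only a few seconds.
    """
    counts = Counter(match_honeypot_hits(log_text))
    return sorted(ip for ip, n in counts.items() if n >= maxretry and ip not in ignoreip)


if __name__ == "__main__":
    print("matched:", match_honeypot_hits(SAMPLE_LOG))
    print("ban with maxretry=1:", hosts_to_ban(SAMPLE_LOG))
    print("ban with 192.0.2.44 in ignoreip:", hosts_to_ban(SAMPLE_LOG, ignoreip={"192.0.2.44"}))
```

The third sample line shows why the distinctive log prefix matters: a LOG rule with any other prefix is left alone even though it carries a SRC= field, so only real honeypot hits count toward a ban. On a live system the equivalent check is running fail2ban-regex against /var/log/kern.log with the filter file, which uses fail2ban's own __prefix_line rather than the approximation above.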