Setup an iptables honeypot with fail2ban

Posted by Markus Benning on February 13, 2015

The following example shows how to setup an connection honeypot with the fail2ban daemon. It works by logging connection attempts to unused ports with the iptables LOG target and taking ban actions on the source IPs with fail2ban.

The configuration has been tested on a Debian Wheezy box but should also work for other distributions.

On a Debian box, install the fail2ban daemon with:

apt-get install fail2ban

Create a action definition in /etc/fail2ban/action.d/iptables-honeypot.local:

actionstart = iptables -A INPUT -p tcp --syn -m multiport -i <honeydev> --dports <honeyports> -j LOG --log-prefix "HONEYPOT CONNECTION: "
actionstop = iptables -D INPUT -p tcp --syn -m multiport -i <honeydev> --dports <honeyports> -j LOG --log-prefix "HONEYPOT CONNECTION: "

actioncheck =
actionban =
actionunban =

honeyports = 23,111,137:139,161,162,194,389,445,636,1080,1433,3306,3128
honeydev = eth0

The start and stop actions will be executed everytime fail2ban starts/stops and will insert the honeypot rules. Adjust the honeyports and honeydev settings for your system. The honeyports line should only list unused ports.

Next create a filter to match the log lines caused by connections to one of the honeyports in /etc/fail2ban/filter.d/iptables-honeypot.local:

before = common.conf

_daemon = kernel
failregex = ^%(__prefix_line)s.*HONEYPOT CONNECTION: .*SRC=<HOST>
ignoreregex =

How add a honeypot jail like the following to your jail configuration in /etc/fail2ban/jail.local:

enabled  = true
maxretry = 1
banaction = iptables-allports
filter   = iptables-honeypot
logpath  = /var/log/kern.log
port     = all
action   = iptables-honeypot

Activate the changes by restarting fail2ban:

/etc/init.d/fail2ban restart

Be careful to not lock out yourself. Make sure to whitelist your own subnets with the ignoreip setting in [DEFAULT]. You may also want to start with a softer ban action than iptables-allports first.