Setup an iptables honeypot with fail2ban

Posted by Markus Benning on February 13, 2015

The following example shows how to set up a connection honeypot with the fail2ban daemon. It works by logging connection attempts to unused ports with the iptables LOG target and then taking ban actions against the source IPs with fail2ban.

The configuration has been tested on a Debian Wheezy box but should also work for other distributions.

On a Debian box, install the fail2ban daemon with:

apt-get install fail2ban

Create an action definition in /etc/fail2ban/action.d/iptables-honeypot.local:

[Definition]
actionstart = iptables -A INPUT -p tcp --syn -m multiport -i <honeydev> --dports <honeyports> -j LOG --log-prefix "HONEYPOT CONNECTION: "
actionstop = iptables -D INPUT -p tcp --syn -m multiport -i <honeydev> --dports <honeyports> -j LOG --log-prefix "HONEYPOT CONNECTION: "

actioncheck =
actionban =
actionunban =

[Init]
honeyports = 23,111,137:139,161,162,194,389,445,636,1080,1433,3306,3128
honeydev = eth0

The start and stop actions are executed every time fail2ban starts or stops and insert or remove the honeypot LOG rules. Adjust the honeyports and honeydev settings for your system. The honeyports line must only list ports that are not in use, otherwise legitimate clients of those services will be banned.

Next create a filter to match the log lines caused by connections to one of the honeyports in /etc/fail2ban/filter.d/iptables-honeypot.local:

[INCLUDES]
before = common.conf

[Definition]
_daemon = kernel
failregex = ^%(__prefix_line)s.*HONEYPOT CONNECTION: .*SRC=<HOST>
ignoreregex =

Now add a honeypot jail like the following to your jail configuration in /etc/fail2ban/jail.local:

[iptables-honeypot]
enabled  = true
maxretry = 1
banaction = iptables-allports
filter   = iptables-honeypot
logpath  = /var/log/kern.log
port     = all
action   = iptables-honeypot
           %(action_)s

Activate the changes by restarting fail2ban:

/etc/init.d/fail2ban restart

Be careful not to lock yourself out. Make sure to whitelist your own subnets with the ignoreip setting in [DEFAULT]. You may also want to start with a softer ban action than iptables-allports first.
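Before enabling the jail it is worth checking that the failregex really picks the source address out of the kernel LOG lines and that ignoreip covers your own hosts. The following script is an added example, not part of the original post or of fail2ban: it applies the filter's failregex to a few constructed kern.log lines, drops hosts covered by an ignoreip list, and reports which hosts would be banned at maxretry = 1. The PREFIX_LINE pattern is an approximation of fail2ban's __prefix_line from common.conf and the HOST pattern mirrors what fail2ban substitutes for <HOST>; both are assumptions made here for the demonstration. The definitive check is fail2ban-regex with your real kern.log and filter file.

```python
import ipaddress
import re

# Approximation (assumption) of fail2ban's __prefix_line from common.conf for
# a syslog-style kern.log: optional timestamp, hostname and "kernel: [uptime]".
PREFIX_LINE = (
    r"\s*(?:\S+\s+\d+\s+\d+:\d+:\d+\s+)?"   # "Feb 13 12:00:01 "
    r"(?:\S+\s+)?"                          # "honey "
    r"(?:kernel:\s+\[\s*\d+\.\d+\]\s+)?"    # "kernel: [12345.678901] "
)

# What fail2ban substitutes for <HOST> (assumption based on its default pattern).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The filter's failregex from iptables-honeypot.local with the placeholders expanded.
FAILREGEX = re.compile(r"^" + PREFIX_LINE + r".*HONEYPOT CONNECTION: .*SRC=" + HOST)

# ignoreip as it would appear in [DEFAULT]; the monitoring subnet is constructed.
IGNOREIP = ["127.0.0.0/8", "192.0.2.0/24"]

# Constructed kern.log lines (TEST-NET addresses); not real traffic.
SAMPLE_KERN_LOG = [
    # scanner hitting honeyport 23: must match and be banned
    "Feb 13 12:00:01 honey kernel: [12345.678901] HONEYPOT CONNECTION: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
    # own monitoring host probing 445: matches the regex but is covered by ignoreip
    "Feb 13 12:00:02 honey kernel: [12346.000000] HONEYPOT CONNECTION: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.0.2.99 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50000 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0",
    # unrelated kernel message: must not match
    "Feb 13 12:00:03 honey kernel: [12347.000000] eth0: link up, 1000Mbps, full-duplex",
    # a LOG line from a different rule with another prefix: must not match either
    "Feb 13 12:00:04 honey kernel: [12348.000000] IPTABLES DROP: IN=eth0 OUT= "
    "SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=UDP SPT=5353 DPT=5353",
]


def extract_host(line):
    """Return the SRC address the failregex captures as <HOST>, or None if no match."""
    m = FAILREGEX.match(line)
    return m.group("host") if m else None


def is_ignored(host, ignoreip):
    """True if host falls inside any ignoreip entry (address or CIDR)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; kernel LOG lines always print addresses
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def evaluate(lines, ignoreip, maxretry=1):
    """Count matches per host (ignoreip excluded) and list hosts at or above maxretry."""
    counts = {}
    for line in lines:
        host = extract_host(line)
        if host is None or is_ignored(host, ignoreip):
            continue
        counts[host] = counts.get(host, 0) + 1
    banned = sorted(h for h, c in counts.items() if c >= maxretry)
    return counts, banned


if __name__ == "__main__":
    counts, banned = evaluate(SAMPLE_KERN_LOG, IGNOREIP)
    for host, count in counts.items():
        print(f"{host}: {count} honeypot hit(s)")
    print("would ban:", ", ".join(banned) or "nobody")
```

With the constructed input only 203.0.113.45 ends up on the ban list: the 192.0.2.99 probe matches the regex but is dropped by ignoreip, and the two non-honeypot kernel lines never match because the regex requires the "HONEYPOT CONNECTION: " prefix set by the LOG rule. Against the real filter, run fail2ban-regex /var/log/kern.log /etc/fail2ban/filter.d/iptables-honeypot.local and compare its matched-line count with the honeypot lines in the log.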