Set up an iptables honeypot with fail2ban

The following example shows how to set up a connection honeypot with the fail2ban daemon. It works by logging connection attempts to unused ports with the iptables LOG target and then letting fail2ban take its ban action against the source IPs found in those log lines.

The configuration has been tested on a Debian Wheezy box but should also work for other distributions.

On a Debian box, install the fail2ban daemon with:

Create an action definition in /etc/fail2ban/action.d/iptables-honeypot.local:

The start and stop actions are executed every time fail2ban starts or stops and insert or remove the honeypot rules. Adjust the honeyports and honeydev settings for your system. The honeyports line must only list ports that no service on the box uses.

Next, create a filter that matches the log lines produced by connections to one of the honeyports, in /etc/fail2ban/filter.d/iptables-honeypot.local:

Now add a honeypot jail like the following to your jail configuration in /etc/fail2ban/jail.local:

Activate the changes by restarting fail2ban:

Be careful not to lock yourself out. Make sure to whitelist your own subnets with the ignoreip setting in [DEFAULT]. You may also want to start with a softer ban action than iptables-allports.
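To make visible what the filter and jail above are doing, here is an added Python example (not code from the original post): it applies a regex equivalent to the filter's failregex to constructed iptables LOG lines, then emulates the jail's maxretry/findtime counting together with the ignoreip whitelist from the warning above. The log prefix, the honeyport list and all addresses are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_PREFIX = "fail2ban-honeypot: "  # assumed --log-prefix of the honeypot LOG rule
HONEYPORTS = {23, 3389, 8080}       # assumed unused ports from the honeyports setting
HIT_RE = re.compile(  # stand-in for the filter's failregex; SRC= is the <HOST> to ban
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[\s*[\d.]+\] )?"
    + re.escape(LOG_PREFIX) + r".*SRC=(?P<host>[\d.]+) .*DPT=(?P<dpt>\d+)")

def parse_hits(lines, honeyports=HONEYPORTS, year=2013):
    """Return (timestamp, source_ip, dport) for each LOG line that hit a honeyport."""
    hits = []
    for line in lines:
        m = HIT_RE.search(line)
        if not m or int(m["dpt"]) not in honeyports:
            continue  # another rule's prefix, or a port that is not a honeyport
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits.append((ts, m["host"], int(m["dpt"])))
    return hits

def select_bans(hits, maxretry, findtime, ignoreip):
    """Emulate the jail: ban after maxretry hits within findtime seconds, never ignoreip."""
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    stamps = defaultdict(list)
    for ts, host, _ in sorted(hits):
        stamps[host].append(ts)
    banned = []
    for host, times in stamps.items():
        if any(ipaddress.ip_address(host) in net for net in ignored):
            continue  # whitelisted subnet, so the honeypot cannot lock you out
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.append(host)
                break
    return banned

def _line(ts, src, dpt, prefix=LOG_PREFIX):  # constructed Debian kernel-syslog line
    return (f"{ts} honeyhost kernel: [99.1] {prefix}IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.1 LEN=60 TTL=52 PROTO=TCP SPT=44444 DPT={dpt} SYN")

SAMPLE_LOG = [  # constructed: a port scanner, a one-off hit, an admin host, a foreign rule
    _line("Jan 10 12:00:01", "203.0.113.7", 23),
    _line("Jan 10 12:00:05", "203.0.113.7", 3389),
    _line("Jan 10 12:00:09", "203.0.113.7", 8080),
    _line("Jan 10 12:00:10", "198.51.100.9", 23),
    _line("Jan 10 12:01:00", "10.0.0.5", 23),
    _line("Jan 10 12:01:01", "10.0.0.5", 23),
    _line("Jan 10 12:01:02", "10.0.0.5", 23),
    _line("Jan 10 12:01:03", "203.0.113.8", 23, prefix="other-rule: "),
]
```

Running `select_bans(parse_hits(SAMPLE_LOG), 3, 600, ["10.0.0.0/8"])` bans only the scanner; the admin host in the whitelisted subnet and the single hit stay unbanned, and the line logged by a different rule is ignored entirely.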