Set up an iptables honeypot with fail2ban

The following example shows how to set up a connection honeypot with the fail2ban daemon. It works by logging connection attempts to unused ports with the iptables LOG target and having fail2ban ban the source IPs that show up in those log lines.

The configuration has been tested on a Debian Wheezy box, but it should also work on other distributions.

On a Debian box, install the fail2ban daemon with:

Create an action definition in /etc/fail2ban/action.d/iptables-honeypot.local:

The start and stop actions are executed every time fail2ban starts or stops; they insert and remove the honeypot rules. Adjust the honeyports and honeydev settings for your system. The honeyports line must only list ports that no service on the host listens on: any port you list becomes a tripwire, and a legitimate client of a service on that port would be banned.

Next, create a filter that matches the log lines produced by connections to one of the honeyports, in /etc/fail2ban/filter.d/iptables-honeypot.local:

Now add a honeypot jail like the following to your jail configuration in /etc/fail2ban/jail.local:

Activate the changes by restarting fail2ban:

Be careful not to lock yourself out. Whitelist your own subnets with the ignoreip setting in [DEFAULT] before enabling the jail. Keep in mind that the LOG rule fires on the first packet, so no TCP handshake is needed to trigger a ban: a single SYN with a spoofed source address is enough to get that address banned, which is why your own networks and anything you depend on (DNS resolvers, monitoring hosts) belong in ignoreip. You may also want to start with a softer ban action than iptables-allports.
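The whole procedure, as an added example that is not the post's own configuration (the post's files are not reproduced here): a POSIX shell script that generates the action, filter and jail fragments into a staging directory and checks the filter's expression against a constructed kernel log line. The chain name honeytrap, the log prefix, the honeyports 23,1433,3389, the interface eth0, the whitelisted subnet 192.0.2.0/24, the log path /var/log/kern.log and both sample log lines are assumptions; adapt them before copying anything under /etc/fail2ban.

```shell
#!/bin/sh
# Added example, not the original post's files. Generates the three fail2ban
# fragments described above and checks the filter against a constructed LOG line.
# Assumptions (change for your host): honeyports 23,1433,3389, interface eth0,
# whitelisted subnet 192.0.2.0/24, kernel log at /var/log/kern.log.
set -eu

HONEYPORTS="${HONEYPORTS:-23,1433,3389}"          # ports nothing on this host listens on
HONEYDEV="${HONEYDEV:-eth0}"                      # interface the scanners arrive on
IGNOREIP="${IGNOREIP:-127.0.0.1/8 192.0.2.0/24}"  # your own subnets go here
KERNLOG="${KERNLOG:-/var/log/kern.log}"           # where Debian's rsyslog writes LOG lines

# action.d/iptables-honeypot.local: start/stop only insert and remove the LOG rule.
# The chain is named honeytrap, not fail2ban-<jail>, so it cannot collide with the
# chain the real ban action (iptables-allports) creates for the jail.
write_action() {
  cat > "$1/action.d/iptables-honeypot.local" <<EOF
[Definition]
actionstart = iptables -N honeytrap
              iptables -A honeytrap -j LOG --log-prefix "honeytrap: "
              iptables -A honeytrap -j DROP
              iptables -I INPUT -i <honeydev> -p tcp -m multiport --dports <honeyports> -j honeytrap
actionstop = iptables -D INPUT -i <honeydev> -p tcp -m multiport --dports <honeyports> -j honeytrap
             iptables -F honeytrap
             iptables -X honeytrap
actioncheck =
actionban =
actionunban =

[Init]
honeyports = $HONEYPORTS
honeydev = $HONEYDEV
EOF
}

# filter.d/iptables-honeypot.local: match the kernel LOG line and pull out SRC=.
write_filter() {
  cat > "$1/filter.d/iptables-honeypot.local" <<'EOF'
[Definition]
# Kernel LOG line looks like: "... honeytrap: IN=eth0 OUT= MAC=... SRC=203.0.113.5 DST=..."
failregex = ^.*honeytrap: .*SRC=<HOST> .*$
ignoreregex =
EOF
}

# jail.local: the honeypot action is listed first so that the allports ban chain,
# inserted later with -I INPUT, ends up above the LOG rule and banned hosts stop
# producing log lines. maxretry = 1 bans on the very first probe.
write_jail() {
  cat > "$1/jail.local" <<EOF
[DEFAULT]
ignoreip = $IGNOREIP

[honeypot]
enabled = true
filter = iptables-honeypot
logpath = $KERNLOG
maxretry = 1
bantime = 3600
action = iptables-honeypot
         iptables-allports[name=honeypot]
EOF
}

# Generate all three fragments into DIR (a staging directory, so nothing under
# /etc is overwritten; copy the action and filter over and merge jail.local by hand).
generate_config() {
  mkdir -p "$1/action.d" "$1/filter.d"
  write_action "$1"
  write_filter "$1"
  write_jail "$1"
  echo "$1"
}

# Extract SRC= from a kernel LOG line the way the failregex would (IPv4 only here;
# fail2ban's <HOST> also covers IPv6 and hostnames). Prints nothing for other lines.
honeypot_src() {
  printf '%s\n' "$1" | sed -n 's/.*honeytrap: .*SRC=\([0-9.][0-9.]*\) .*/\1/p'
}

# Constructed sample log lines (not real captures): one honeypot hit, one unrelated LOG line.
SAMPLE_HIT='Mar 10 12:00:00 vps kernel: [12345.678] honeytrap: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'
SAMPLE_MISS='Mar 10 12:00:01 vps kernel: [12346.001] other-rule: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80'

case "${1:-}" in
  generate) generate_config "${2:-$(mktemp -d)}" ;;       # sh honeypot.sh generate /tmp/f2b
  check)    honeypot_src "${2:-$SAMPLE_HIT}" ;;           # sh honeypot.sh check "<log line>"
esac
```

Run `sh honeypot.sh generate /tmp/f2b` and inspect the three files before merging them into /etc/fail2ban; `sh honeypot.sh check "$line"` prints the address the filter would extract from a log line, or nothing. The honeyports are only defined once, in the action's [Init] section, so the jail line needs no quoted comma-separated parameter. The DROP after the LOG rule black-holes the probe instead of letting the kernel answer with a RST; drop it if you prefer scanners to see closed ports.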

One Reply to “Set up an iptables honeypot with fail2ban”

  1. Awesome work for a small VPS, we were in constant scanning/attack for 11 days – up to the point the server (Debian) was reset or died due to SYN flooding. Knowing there are no miraculous solutions or drop-in scripts, this was a wise technique more than magic. Worked flawlessly and is now banning 4 up to 40 scans per minute. Thank you!
