: securitygeneration.com: Linux Bash Ncat Honeyport Script with IPTables and Dome9 Supp

22.08.2013, 06:17
After securing systems by hiding them completely from the network/internet using Single Packet Authorization (http://www.zamkidveri.com/spa), I’ve recently been interested in doing more so-called ‘active’ defense, by implementing solutions to delay, confuse, or thwart attackers. Completely hiding one’s system is not always feasible (ie. in the case of an internet-facing server), and monitoring, apart from being purely reactive, is not always easy and requires the involvement of a human. An alternative to these is to do some automated active defense.*One simple tool in the bag of active defense tricks is the honeyport.

A honeyport is essentially a simpler version of a honeypot. Whereas honeypots aim to simulate an application or protocol for the attacker to play around with, all the honeyport looks for is a connection from an external party, after which a specific action is performed (usually blacklisting them). Although hosts on the internet are regularly port scanned and connected to by automated attacks, it is usually only targeted attackers who will connect to more unusual ports in order to determine what services are running on them. More often than not, it is these targeted attackers you’ll want to repel.

The script below is a fairly simple Linux Bash honeyport*script that uses Ncat (http://nmap.org/ncat/) to listen on a given port, and then blocks the IP of anyone who connects to it. It can block the attacker using Linux’s internal IPtables firewall, or it can add the IP to your Dome9 (http://www.dome9.com) Dynamic Firewall Blacklist if you use that service (free for one server). The benefit of the Dome9 solution is that any IP that gets blacklisted on one system is automatically and instantly blacklisted across all of your Dome9-enabled servers. The script also has a whitelist so you can prevent certain IPs from getting blocked. Also, I chose Ncat over Netcat as it’s more extensible and could allow you to do more interesting things with your Honeyport. In this case when someone connects the script will execute ‘response.sh’.

I threw this script together fairly quickly, so it’s still a work in progress, but I’m open to suggestions and improvements!


#!/bin/bash# Linux Bash Ncat Honeyport with IPTables and Dome9 support (v0.1)# By Sebastien Jeanquier (@securitygen)# Security Generation - http://www.securitygeneration.com# Requires: lsof, ncat, curl, iptables# ----------------------------------------------------------## Configuration#PORT=8080; # Set your port numberMETHOD='DOME9'; # Blacklist using IPTABLES (requires root) or DOME9DOMEUSER='user@email.com'; # Your Dome9 username (eg. user@email.com)DOMEAPI='apikey'; # Your Dome9 API key (https://secure.dome9.com/settings under API Key)WHITELIST=( "" "" ); # Whitelisted IPs eg. ( "" "" );# ----------------------------------------------------------# Ensure a valid blacklist METHOD is setif [ "${METHOD}" != "IPTABLES" ] && [ "${METHOD}" != "DOME9" ]; then echo "[-] Invalid METHOD. Enter IPTABLES or DOME9.";# Ensure we are root if IPtables is chosenelif [ "${METHOD}" == "IPTABLES" ] && [[ $EUID -ne 0 ]]; then echo "[-] Using method IPtables requires root."else # Check PORT is not in use RUNNING=`/usr/sbin/lsof -i :${PORT}`; if [ -n "$RUNNING" ]; then echo "Port $PORT is already in use. Aborting."; #echo $RUNNING; # Optional for debugging exit; else echo "[+] Starting Honeyport listener on port $PORT. Waiting for the bees..." while [ -z "$RUNNING" ] do # Run Ncat listener on PORT. Run response.sh when a client connects. Grep client's IP. IP=`/usr/local/bin/ncat -v -l -p ${PORT} -e ./response.sh 2>&1 1> /dev/null | grep from | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:' | awk {'print $4'} | cut -d: -f1`; # Check IP isn't whitelisted WHITELISTED=false; for i in "${WHITELIST[@]}" do if [ "${IP}" == $i ]; then echo "[!] Hit from whitelisted IP: ${i} - `date`" | tee -a ~/honeyport_log.txt; WHITELISTED=true; fi done # If IP is not blank or localhost or whitelisted, blacklist the IP using IPtables or Dome9 and log. if [ "${IP}" != "" ] && [ "${IP}" != "" ] && [ "${WHITELISTED}" != true ]; then if [ "${METHOD}" == "IPTABLES" ]; then /sbin/iptables -A INPUT -p all -s ${IP} -j DROP; echo "[+] Blacklisting: ${IP} with IPtables - `date`" | tee -a ~/honeyport_log.txt; elif [ "${METHOD}" == "DOME9" ]; then /usr/bin/curl -H "Accept: application/json" -u ${DOMEUSER}:${DOMEAPI} -X "POST" -d "IP=$IP&Comment=Honeyport $PORT - `date`" --silent https://api.dome9.com/v1/blacklist/Items/ > /dev/null 2>&1; echo "[+] Blacklisting: ${IP} with Dome9 - `date`" | tee -a ~/honeyport_log.txt; fi; fi; RUNNING=`/usr/sbin/lsof -i :${PORT}`; done; fi;fi;Here is a sample ‘response.sh’ file, but you could make it do anything:

#!/bin/bashecho -e "Nothing to see here!";If you’re looking for a simple bash one-liner, here’s one written by John Strand for PaulDotCom 204 (http://pauldotcom.com/wiki/index.php/Episode204#Tech_Segment:_HoneyPorts_on_Linux).*The re is also a Powershell script (https://github.com/Pwdrkeg/honeyport) for Windows honeyports.

http://www.zamkidveri.com/forum/images/imported/2013/08/feedstatspostid4257-1.jpgRelated posts:
ipt_pkd – Single Packet Authorization iptables Extension (http://www.securitygeneration.com/security/ipt_pkd-single-packet-authorization-iptables-extension/)
Fwknop in BackTrack 5 Repository (http://www.securitygeneration.com/security/fwknop-in-backtrack-5-repository/)
Malicious Backdoor Batch Script Re-Enables Privileged Guest and Support Accounts on Windows Servers (http://www.securitygeneration.com/security/malicious-backdoor-batch-script-re-enables-privileged-guest-and-support-accounts-on-windows-servers/)

... (http://www.securitygeneration.com/security/linux-bash-ncat-honeyport-script-with-iptables-and-dome9-support/)