Linux Bash Ncat Honeyport Script with IPTables and Dome9 Support

After securing systems by hiding them completely from the network/internet using Single Packet Authorization, I’ve recently been interested in doing more so-called ‘active’ defense, by implementing solutions to delay, confuse, or thwart attackers. Completely hiding one’s system is not always feasible (ie. in the case of an internet-facing server), and monitoring, apart from being purely reactive, is not always easy and requires the involvement of a human. An alternative to these is to do some automated active defense. One simple tool in the bag of active defense tricks is the honeyport.

A honeyport is essentially a simpler version of a honeypot. Whereas honeypots aim to simulate an application or protocol for the attacker to play around with, all the honeyport looks for is a connection from an external party, after which a specific action is performed (usually blacklisting them). Although hosts on the internet are regularly port scanned and connected to by automated attacks, it is usually only targeted attackers who will connect to more unusual ports in order to determine what services are running on them. More often than not, it is these targeted attackers you’ll want to repel.

The script below is a fairly simple Linux Bash honeyport script that uses Ncat to listen on a given port, and then blocks the IP of anyone who connects to it. It can block the attacker using Linux’s internal IPtables firewall, or it can add the IP to your Dome9 Dynamic Firewall Blacklist if you use that service (free for one server). The benefit of the Dome9 solution is that any IP that gets blacklisted on one system is automatically and instantly blacklisted across all of your Dome9-enabled servers. The script also has a whitelist so you can prevent certain IPs from getting blocked. Also, I chose Ncat over Netcat as it’s more extensible and could allow you to do more interesting things with your Honeyport. In this case when someone connects the script will execute ‘response.sh’.

I threw this script together fairly quickly, so it’s still a work in progress, but I’m open to suggestions and improvements!

Script: honeyport.sh

Here is a sample ‘response.sh’ file, but you could make it do anything:

#!/bin/bash

echo -e "Nothing to see here!";

If you’re looking for a simple bash one-liner, here’s one written by John Strand for PaulDotCom 204. There is also a Powershell script for Windows honeyports.