  1. #1
    Just Joined!
    Join Date
    Apr 2010
    Posts
    2

    iptables question with honeypots

    Hi,

    I have a question: is it possible to make a kind of "honeypot" using iptables? Let me explain.

    Port scans look to be a pain to block with iptables, so I wondered whether, instead of chasing port scans, it's possible to block on all ports an IP that hits a specific port or group of ports even once...



    thanks.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    A honeypot is used to attract hackers. Why would you want to block them? Using IPTABLES to stop port scans is not a good idea. What you would need is something that monitors your log files and blocks on that.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Apr 2010
    Posts
    2
    Quote Originally Posted by Lazydog
    A honeypot is used to attract hackers. Why would you want to block them? Using IPTABLES to stop port scans is not a good idea. What you would need is something that monitors your log files and blocks on that.
    This is a horrible idea...
    Parsing logs to catch a port scan that takes about 0.30 sec to execute... even if you catch it, I'm 70% sure the guy who made the port scan will have enough time to get the first 3000 ports, which is really bad...

    The only way to make a decent log parser would be a daemon written in C... but I don't have much time for that.

    iptables is the best way to block an IP... it's the firewall and a built-in kernel app, so...

    I need to know how to ban any IP that hits, for example, port 137, but ban it not only for port 137 but for all.

    Does anyone know how to build these rules to make it work with iptables?

    thanks

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,281
    Quote Originally Posted by Nerigal
    This is a horrible idea...
    Parsing logs to catch a port scan that takes about 0.30 sec to execute... even if you catch it, I'm 70% sure the guy who made the port scan will have enough time to get the first 3000 ports, which is really bad...
    So just how do you plan on blocking someone from scanning your system if you don't know who is scanning? Wait for it...... check the logs.

    The only way to make a decent log parser would be a daemon written in C... but I don't have much time for that.
    So someone gives you a way to do it, but you believe it is bad, but you don't have the time to come up with something on your own.

    iptables is the best way to block an IP... it's the firewall and a built-in kernel app, so...
    True, but again I ask how are you going to block a scanner without knowing what IP Address is scanning without checking the logs?

    I need to know how to ban any IP that hits, for example, port 137, but ban it not only for port 137 but for all.

    Does anyone know how to build these rules to make it work with iptables?

    thanks
    Try This

    Next time you ask for help and get it don't come back with a stupid remark without a better solution to the question!!

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
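
The rule asked for in the thread (ban, on every port, any source that touches a trap port such as 137) can be written with the iptables `recent` match. The script below is an added example, not part of any post above and not the content of the "Try This" link; it only prints the commands for review. The chain name `TRAP`, the list name `trapped`, the ports, the ban time and the 192.0.2.10 address are assumptions.

```shell
#!/bin/sh
# Added example. Prints, for review, iptables commands that ban on ALL ports any
# source that touches a trap port. Nothing is applied by this script.
# Usage: trap_rules <ports, comma separated> <ban seconds> [allowlisted IPv4 ...]
trap_rules() {
    [ "$#" -ge 2 ] || { echo "usage: trap_rules PORTS SECONDS [ALLOW...]" >&2; return 1; }
    ports=$1; ban=$2; shift 2
    list=trapped    # xt_recent list name (assumption)

    # The output is meant to be run as root, so accept only safe characters.
    case $ports in ''|*[!0-9,]*) echo "bad port list" >&2; return 1;; esac
    case $ban   in ''|*[!0-9]*)  echo "bad ban time"  >&2; return 1;; esac
    for src in "$@"; do
        case $src in ''|*[!0-9./]*) echo "bad source: $src" >&2; return 1;; esac
    done

    echo "iptables -N TRAP"
    # Allowlist first: a forged source address can put any IP on the ban list,
    # so admin and monitoring hosts leave the chain before it is consulted.
    for src in "$@"; do
        echo "iptables -A TRAP -s $src -j RETURN"
    done
    # Listed sources are dropped whatever the port; --update restarts the ban
    # timer on every packet they send.
    echo "iptables -A TRAP -m recent --name $list --update --seconds $ban -j DROP"
    # A hit on a trap port lists the source and drops the packet.
    # By default the list keeps 100 addresses (xt_recent ip_list_tot).
    for proto in tcp udp; do
        echo "iptables -A TRAP -p $proto -m multiport --dports $ports -m recent --name $list --set -j DROP"
    done
    # Consult the chain before any ACCEPT rule in INPUT.
    echo "iptables -I INPUT 1 -j TRAP"
}

# Constructed sample: trap ports 137 and 139, one-hour ban; 192.0.2.10 is a
# documentation-range address standing in for an admin host.
trap_rules 137,139 3600 192.0.2.10
```

The trap ports must not carry any legitimate traffic on the host, otherwise ordinary clients ban themselves.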
