|
FreeBSD Security Securing FreeBSD. |
|
Thread Tools | Display Modes |
|
|||
PF dynamic adding of ips to table (booby trap port)
As i have only few ports opend to the internet within the service range i would like to booby trap others to block any host that sends tcp or udp packet to any of them.
What i am having problem with is dynamically adding the offending ip to the table (most likely port scan), something like: table <honeypot> persist block quick from <honeypot> pass in on em0 proto tcp from any to any port 1:24 "add ip to" <honeypot> The problem is that i cant find syntax to add the ip sending the packet to the honeypot table, is this even possible? The overload has this possibility but this is not about the connection count as the handshake is not even done yet - there should be no traffic so any kind of tcp packet should be enough to get blocked. |
|
||||
I think you're looking for the overload and flush stateful tracking options, which are designed to add offending IPs to a table (overload) and kill any established states (flush).
|
|
|||
yep overload would be fine but it requires max-src-conn or max-src-conn-rate. As the connection is not established (tcp handshake not done yet), even max-src-conn 1 wouldnt trigger it, so it is unadequate for what i want to achieve. For the port scans, completing the handshake is overhead, sending syn and waiting for syn-ack is more then enough. Also there is no listener running on those ports so the handshake is never established, the synproxy would be an option but not really usefull...
Last edited by irukandji; 3rd December 2013 at 09:13 PM. |
|
|||
I hoped i am missing something... *grumble*
I'll check the sources if this can be changed without much of a problems and submit it |
|
||||
I just did some testing; you are correct, the syntax permits overload to be specified but pfctl(8) will insist on max-src-conn or max-src-conn-rate. Nor will pfctl permet max-src-conn or max-src-nodes set to 0.
If you want to create a honeypot using PF as designed, you're going to have to permit at least one connection. Consider redirecting traffic to a tarpit listener. |
|
|||
Ok, i have solved it this way, i dont like it but it works... And captured one offender within first 5 minutes... Practically all service ports except few that i am using are booby trapped.
tcpdump -lq -n "(not src net x.x.x.x mask y.y.y.y) and ((tcp dst portrange n-nn) or (tcp dst portrange n1-nn1)" | awk '{split($3,a,"."); system("pfctl -t tarpit -T add "a[1]"."a[2]"."a[3]"."a[4]) }' |
|
||||
Wow! That's certainly creative.
If I were to set up a honeypot, it would be for attack analysis. I would probably deploy honeyd and direct unwelcome traffic there via PF. However, I've not bothered, as no attempted (and noticed) attacks so far have warranted any analysis. |
|
|||
Quote:
Ah one more thing, port 80 was left out of blocking where index is verifying if connecting client is tarpitted and captcha is shown to remove the blockage... (well... 98% of code done ) Last edited by irukandji; 5th December 2013 at 12:17 AM. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Security Web server backdoor also booby traps lighttpd and NGINX | J65nko | News | 0 | 8th May 2013 09:50 PM |
opera bug in openbsd 5.1 release with Abort Trap message | daemonfowl | OpenBSD Packages and Ports | 2 | 26th May 2012 06:42 AM |
why won't my table work? | tomp | OpenBSD Security | 3 | 25th August 2011 12:23 PM |
Fatal trap 12: page fault while in kernel mode | sixshot | FreeBSD General | 11 | 18th July 2008 12:53 AM |
Ajax dynamic table/spreadsheet | robbak | Programming | 1 | 7th June 2008 10:33 PM |