On Thu, Sep 24, 2015 at 02:42:47PM +0200, Benny Lofgren wrote:

> On 2015-09-24 11:37, Pantelis Roditis wrote:
> > On 09/24/2015 11:39 AM, Peter Hessler wrote:
> >> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
> >> :Hello,
> >> :
> >> :Zombies are often attacking ports which don't have services running,
> >> :such as telnet (most popular indeed....), mysql, 3551, 8080, 13272, etc.
> >>
> > 
> > Hi,
> > 
> > This is the exact reason why we created bofh-divert[1]. The idea is that
> > you pass those packets with PF to a divert socket opened by a daemon.
> > The daemon grabs the source IP and adds it to a predefined table.
> 
> I've used one of the inetd "trivial services" (echo, discard, chargen,
> daytime or time) for this purpose, in combination with a couple of PF
> rules. Something like this:
> 
> match in log on egress from any to <my_unused_ips> tag honeypot
> pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \
>   (max-src-conn-rate 1/30, overload <badguyshoneypot> flush global)
> 
> 
> Regards,
> /Benny
> 
> 
> PS. Who named unlistened-to ports "zombies" anyway? I've never heard
> that before. A zombie in a unix context has always been one thing and
> one thing only - a dead process that has yet to be wait()ed for by its
> parent.

Zombie is also a pc taken over by malware.

        -Otto
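For readers who want to try Benny's echo-service trick, the following pf.conf fragment is an added example, not something posted in the thread: it wraps his two rules with the table definitions and the block rule that actually uses the overload table. The address range, table names and the 1/30 rate are placeholders to adapt.

```pf
# Added example, not from the thread. The 192.0.2.0/24 addresses are a
# constructed placeholder: put your own unused addresses here.
table <my_unused_ips> { 192.0.2.200/29 }
table <badguyshoneypot> persist    # filled automatically by the overload clause below

# Drop anything from a host that has already tripped the honeypot, before
# any other rule gets a look at it.
block in quick log on egress from <badguyshoneypot>

# Tag connections aimed at the unused addresses and hand them to inetd's
# built-in echo service on loopback; one connection per 30 s from the same
# source is tolerated, more than that moves the source into the table and
# flushes its existing states.
match in log on egress from any to <my_unused_ips> tag honeypot
pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \
    (max-src-conn-rate 1/30, overload <badguyshoneypot> flush global)
```

This assumes inetd is running with the `echo stream tcp nowait root internal` line in /etc/inetd.conf uncommented, otherwise the redirected connections are simply refused and never establish a state. Inspect the captured sources with `pfctl -t badguyshoneypot -T show`, and age them out from cron with something like `pfctl -t badguyshoneypot -T expire 86400` so a stale entry does not block a reassigned address forever.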
