On Thu, Sep 24, 2015 at 02:42:47PM +0200, Benny Lofgren wrote:
> On 2015-09-24 11:37, Pantelis Roditis wrote:
> > On 09/24/2015 11:39 AM, Peter Hessler wrote:
> >> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
> >> :Hello,
> >> :
> >> :Zombies are often attacking ports which don't have services running,
> >> :such as telnet (most popular indeed....), mysql, 3551, 8080, 13272, etc.
> >>
> >
> > Hi,
> >
> > This is the exact reason why we created bofh-divert[1]. The idea is that
> > you pass those packets with PF to a divert socket opened by a daemon.
> > The daemon grabs the source IP and adds it to a predefined table.
>
> I've used one of the inetd "trivial services" (echo, discard, chargen,
> daytime or time) for this purpose, in combination with a couple of PF
> rules. Something like this:
>
> match in log on egress from any to <my_unused_ips> tag honeypot
> pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \
> (max-src-conn-rate 1/30, overload <badguyshoneypot> flush global)
>
>
> Regards,
> /Benny
>
>
> PS. Who named unlistened-to ports "zombies" anyway? I've never heard
> that before. A zombie in a unix context has always been one thing and
> one thing only - a dead process that has yet to be wait()ed for by its
> parent.
A zombie is also a PC taken over by malware.

-Otto
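The two PF rules Benny quotes only make sense together with the table definitions and a block rule that actually uses the overload table, so here is a complete pf.conf fragment around them. This is an added illustration, not configuration posted by anyone in the thread; the interface name, the two example addresses in <my_unused_ips> and the "proto tcp" restriction are assumptions.

```pf
# Added example, not from the thread. Interface name and the address
# list are assumptions; replace them with your own.
ext_if = "em0"

# Addresses on the egress side with nothing listening behind them
# (assumed values; any unused addresses routed to this host will do).
table <my_unused_ips> { 192.0.2.10, 192.0.2.11 }

# Sources that tripped the connection-rate limit. "persist" keeps the
# table across ruleset reloads so caught hosts are not forgotten.
table <badguyshoneypot> persist

# 1. Drop everything from a source already caught. This has to sit
#    before the honeypot pass rule, otherwise a caught host keeps being
#    redirected to the echo service instead of being blocked.
block in quick log on $ext_if from <badguyshoneypot>

# 2. Tag traffic aimed at the unused addresses (Benny's first rule).
match in log on egress from any to <my_unused_ips> tag honeypot

# 3. Redirect tagged TCP to inetd's echo service. max-src-conn-rate
#    only counts TCP connections that completed the handshake, so the
#    rule is restricted to tcp (assumption) to make that explicit: a
#    second connection from the same source within 30 seconds adds it
#    to <badguyshoneypot>, and "flush global" tears down every state
#    that source already holds, not just the honeypot ones.
pass in log proto tcp tagged honeypot rdr-to 127.0.0.1 port echo \
    keep state (max-src-conn-rate 1/30, overload <badguyshoneypot> flush global)
```

For the redirect to answer at all, the echo service has to be enabled in /etc/inetd.conf ("echo stream tcp nowait root internal") and inetd has to be running. Because the handshake completes before a source is counted, the address cannot be spoofed into the table, which is why an aggressive "block in quick" on it is safe. Inspect what has been caught with "pfctl -t badguyshoneypot -T show", and drop entries older than a day from cron with "pfctl -t badguyshoneypot -T expire 86400" so the table does not grow without bound.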