On Jan 4, 2019 12:44 PM, Misc User <open...@leviathanresearch.net> wrote:
>
> On 1/3/2019 11:20 PM, Radek wrote:
> >> A little ncat, sed, pfctl, and a dash of cron are able to do
> >> the job just fine. cron is just there to start the ncat processes at
> >> boot and run an hourly script to do a pfctl -T expire <table> 86400 to
> >> keep the table clean of old attackers.
> > Sounds good. Could you share your script here?
>
> I don't have access to my systems right now, but the script is pretty
> much a couple of one-liners in crontab, something similar to:
>
> ncat -l -k 23 -vv | sed s/..../..../ | xargs -R 1 -I % pfctl -t honeypot
> -T add %
>
> I'll have to look up the exact command when I get home tonight,
> especially the sed I used. Running on my local system, the ncat command
> echoes out lines like:
>
> Ncat: Connection from 172.16.11.152.
> Ncat: Connection from 172.16.11.152:57562.
>
> If I get the time today, I'll work on re-creating the regex, if not,
> I'll share the one I've been using on my systems.
>
I'm curious what the security/performance cons are to something like:

nc -kl 22 > /dev/null &

You wouldn't get the benefits of a pf table but it would still be fun knowing they are wasting their time.

Edgar
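The sed that Misc User says he still has to look up, as an added example that is not his script or anything else from the thread: a POSIX shell filter that turns the two per-connection line shapes ncat prints into one IPv4 address per attacker, ready for pfctl. The sample ncat output is constructed, and the filter assumes IPv4 only.

```shell
#!/bin/sh
# Added example, not the script from the thread: pull the source address
# out of the lines "ncat -vv" prints for each connection, so the result
# can be fed to "pfctl -t honeypot -T add". Assumes only the two line
# shapes quoted above (with and without a port) and IPv4 addresses.
# ncat writes these messages to stderr, so a live pipeline needs "2>&1".

# Constructed sample of ncat output. One connection produces both line
# shapes, so every attacker shows up twice and must be deduplicated.
SAMPLE='Ncat: Listening on :::23
Ncat: Connection from 172.16.11.152.
Ncat: Connection from 172.16.11.152:57562.
Ncat: Connection from 10.0.0.7.
Ncat: Connection from 10.0.0.7:40001.
Ncat: Connection from 172.16.11.152.'

# Read ncat output on stdin, print each address once, in order of first
# appearance. POSIX sed/awk only; no sort, so it also works on a stream.
extract_ips() {
    sed -n 's/^Ncat: Connection from \([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)[.:].*$/\1/p' |
        awk '!seen[$0]++'
}

# The crontab one-liner this slots into (not executed here; needs pf and
# root). The hourly "pfctl -t honeypot -T expire 86400" from the thread
# then drops entries older than a day:
#   ncat -l -k 23 -vv 2>&1 | extract_ips | xargs -n 1 pfctl -t honeypot -T add

printf '%s\n' "$SAMPLE" | extract_ips
```

In a long-lived pipe both sed and awk block-buffer their output, so an address may not reach pfctl until the buffer fills; sed -u (where the sed supports it) and an fflush() in the awk program avoid that delay.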