feeding your honeypot to the firewall

For a long time I’ve had an Apache honeypot set up for common requests for specified files (all identical, but hardlinked) in the scripts, msadc, msdac, _vti_bin folders, etc. If the honeypot got hit, it would email me and feed the offending IP address into the firewall blocklist filter. (It makes the Apache logs much quieter.)

So last night, when a general forum exploit came looking (phpBB, phpBB2, forums, board, boards, members, etc.), I decided it needed an upgrade. I now have only a single script, and mod_rewrite sends all the offending URLs to it.

Additionally, I now have a script that monitors the sshd logs and does much the same. If you’re over the limit, your IP gets fed to the firewall. (The sshd logs are much quieter now too. :))
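The two pieces described above, as an added example written for this page rather than taken from the author's scripts: a handler for a honeypot hit and a pass over sshd log lines, both feeding an address into one blocklist function. It assumes the firewall blocklist is an ipset named `blocklist` matched by an iptables DROP rule, that Apache routes the bait paths to the handler with the mod_rewrite rule in the comment (assumed config, not the author's), and that the allowlist and threshold are assumed values; the sshd lines are constructed samples, not a real log.

```python
# Added example (not the author's scripts): honeypot hit handler and sshd
# log watcher, both feeding an IP into one firewall blocklist function.
# Assumptions: the blocklist is an ipset named "blocklist" matched by an
# iptables DROP rule, and Apache routes the bait paths to the honeypot
# handler with a mod_rewrite rule along these lines (assumed config):
#
#   RewriteEngine On
#   RewriteRule ^/(scripts|msadc|msdac|_vti_bin|phpBB2?|forums?|boards?|members)(/|$) \
#               /cgi-bin/honeypot.py [PT,L]
import ipaddress
import re
import subprocess
from collections import Counter
from typing import Dict, Iterable, List, Optional

BLOCKLIST_SET = "blocklist"   # assumed ipset name
SSH_FAIL_LIMIT = 5            # assumed threshold: failures before an IP is fed in
# Networks that must never be fed to the firewall (assumed management ranges).
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

# One OpenSSH "Failed password" line per attempt. "Invalid user" lines are
# deliberately not matched: each invalid-user attempt also logs a
# "Failed password for invalid user" line, so counting both double-counts.
SSHD_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


def is_allowlisted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWLIST)


def firewall_command(ip: str) -> List[str]:
    """Command that adds ip to the blocklist set (ipset assumed).
    ip_address() raises ValueError on anything that is not an address, so a
    hostile REMOTE_ADDR or log fragment never reaches the command line."""
    ipaddress.ip_address(ip)
    return ["ipset", "add", BLOCKLIST_SET, ip, "-exist"]


def block_ip(ip: str, dry_run: bool = True) -> Optional[List[str]]:
    """Feed ip to the firewall; returns the command used, or None if skipped."""
    if is_allowlisted(ip):
        return None
    cmd = firewall_command(ip)
    if not dry_run:
        subprocess.run(cmd, check=True)   # argv list, no shell involved
    return cmd


def sshd_offenders(lines: Iterable[str], limit: int = SSH_FAIL_LIMIT) -> Dict[str, int]:
    """IPs with at least `limit` failed logins in the given log lines."""
    counts: Counter = Counter()
    for line in lines:
        m = SSHD_FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items()
            if n >= limit and not is_allowlisted(ip)}


def honeypot_hit(environ: dict, dry_run: bool = True) -> dict:
    """CGI-side handler for a request mod_rewrite sent to the honeypot.
    Returns the alert text (what gets mailed) and the firewall command,
    plus a plain 404 status so the scanner learns nothing from the reply."""
    ip = environ.get("REMOTE_ADDR", "")
    uri = environ.get("REQUEST_URI", "")
    cmd = block_ip(ip, dry_run=dry_run)
    alert = f"honeypot hit: {uri} from {ip}; " + ("blocked" if cmd else "allowlisted, not blocked")
    return {"status": 404, "alert": alert, "firewall_cmd": cmd}


# Constructed sample of an sshd log (test data, not a real log): a few
# invalid users, then root, from one scanner; one failure from a real user;
# and a management host that must stay unblocked however often it fails.
SAMPLE_SSHD_LOG = [
    "Mar 10 22:14:01 web sshd[2101]: Invalid user admin from 203.0.113.7 port 50321",
    "Mar 10 22:14:03 web sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50321 ssh2",
    "Mar 10 22:14:09 web sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 50330 ssh2",
    "Mar 10 22:14:15 web sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 50338 ssh2",
    "Mar 10 22:14:22 web sshd[2107]: Failed password for root from 203.0.113.7 port 50344 ssh2",
    "Mar 10 22:14:25 web sshd[2107]: Failed password for root from 203.0.113.7 port 50344 ssh2",
    "Mar 10 22:14:28 web sshd[2107]: Failed password for root from 203.0.113.7 port 50344 ssh2",
    "Mar 10 22:15:40 web sshd[2110]: Failed password for jon from 198.51.100.4 port 41022 ssh2",
    "Mar 10 22:15:44 web sshd[2110]: Accepted password for jon from 198.51.100.4 port 41022 ssh2",
] + ["Mar 10 22:16:%02d web sshd[2112]: Failed password for root from 10.1.2.3 port 40001 ssh2" % s
     for s in range(1, 8)]

if __name__ == "__main__":
    for ip, n in sshd_offenders(SAMPLE_SSHD_LOG).items():
        print(n, "failures from", ip, "->", block_ip(ip))
    print(honeypot_hit({"REMOTE_ADDR": "203.0.113.7", "REQUEST_URI": "/_vti_bin/shtml.exe"}))
```

Run with `dry_run=False` only once the ipset and its iptables rule exist; the allowlist is there because a watcher that blocks whatever it counts will eventually lock out the admin who fat-fingers a password from the management network.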

My approach is different and easier on the end users than Jon’s method which requires that your users are a bit more savvy.

Edit: not less than five minutes after I posted this, it sent me my first live email and blocked a sucker. A few invalid users, then actually a few root attempts, then he got greedy and got nailed!
