How to Write a Simple Linux Bash Honeypot
The first step in a malicious hacker attack is scanning. This means that an attacker will scan its target for open ports and vulnerabilities. So, the best approach is to block an attacker who tries to do such a scan in the very beginning. Here is a fast and easy way how to do this.
Pick up a port which is not used on your system. For example, TCP 8080. This port is usually used by default application servers and attackers are more than glad to find it open. If you already use port 8080, pick up a different one.
So, once you decide to use port 8080 for your honeypot, write the following Bash script:
#!/bin/bash
# Start listening on port 8080
nc -lk 8080 | while read ip; do
# Block the IP using iptables
iptables -A INPUT -s $ip -j DROP
done
This script uses thenc
command to listen on port 8080 and read incoming connections. When a connection is made, the script reads the IP address of the connecting client and blocks it using theiptables
command. Theiptables
command adds a rule to the firewall's input chain that drops all packets from the specified IP address.
To run this script as root, you can use the sudo
command:
sudo ./script.sh
Again, please exercise caution when running scripts with root privileges, as they can have unintended consequences.
To run this script in the background, you can use the following command:
nohup ./script.sh &
This will start the script in the background and redirect its output to nohup.out
. You can close the terminal and the script will continue to run in the background.