On 2015-09-24 11:37, Pantelis Roditis wrote:
> On 09/24/2015 11:39 AM, Peter Hessler wrote:
>> On 2015 Sep 23 (Wed) at 18:14:51 +0100 (+0100), Craig Skinner wrote:
>> :Hello,
>> :
>> :Zombies are often attacking ports which don't have services running,
>> :such as telnet (most popular indeed....), mysql, 3551, 8080, 13272, etc.
>>
>
> Hi,
>
> This is the exact reason why we created bofh-divert[1]. The idea is that
> you pass those packets with PF to a divert socket opened by a daemon.
> The daemon grabs the source IP and adds it to a predefined table.
I've used one of the inetd "trivial services" (echo, discard, chargen,
daytime or time) for this purpose, in combination with a couple of PF
rules. Something like this:

    match in log on egress from any to <my_unused_ips> tag honeypot
    pass in log tagged honeypot rdr-to 127.0.0.1 port echo keep state \
        (max-src-conn-rate 1/30, overload <badguyshoneypot> flush global)

Regards,
/Benny

PS. Who named unlistened-to ports "zombies" anyway? I've never heard that
before. A zombie in a unix context has always been one thing and one thing
only - a dead process that has yet to be wait()ed for by its parent.
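To make the effect of the `max-src-conn-rate 1/30, overload <badguyshoneypot> flush global` option above concrete, here is an added model (not code from the thread, and not how pf is implemented) that replays constructed connection events against that rule: it uses a sliding window as an approximation of pf's moving-average rate, and the sample addresses are documentation ranges, not real hosts.

```python
# Added example: a simplified model of the PF option
#   max-src-conn-rate 1/30, overload <badguyshoneypot> flush global
# run over constructed connection events. pf computes the rate as a moving
# average; a sliding window is used here as an approximation of that.
from collections import defaultdict, deque

RATE, SECONDS = 1, 30  # the "1/30" from the rule in the thread


def simulate(events, rate=RATE, seconds=SECONDS):
    """events: (timestamp, src_ip, dst_port) new-connection events, in time
    order, that matched the 'pass in log tagged honeypot' rule.
    Returns (overload table, surviving states, flushed states)."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    states = []                   # (src, port) states created by the pass rule
    table = []                    # sources added to <badguyshoneypot>, in order
    flushed = []
    for ts, src, port in events:
        window = recent[src]
        while window and ts - window[0] > seconds:
            window.popleft()      # forget connections older than the window
        window.append(ts)
        states.append((src, port))
        if len(window) > rate and src not in table:
            # Limit exceeded: the source goes into the overload table, and
            # 'flush global' kills every state this source holds, including
            # the one just created and states from other rules.
            table.append(src)
            flushed.extend(s for s in states if s[0] == src)
            states = [s for s in states if s[0] != src]
    return table, states, flushed


# Constructed sample events (documentation addresses, not real hosts).
SAMPLE = [
    (0, "203.0.113.7", 23),      # first probe: state created, nothing else
    (2, "198.51.100.9", 8080),   # a single hit from another host
    (5, "203.0.113.7", 3306),    # second hit within 30s: overload + flush
    (45, "198.51.100.9", 8080),  # 43s after its first hit: outside the window
]

if __name__ == "__main__":
    table, alive, dead = simulate(SAMPLE)
    print("overload table:", table)
    print("states kept:", alive)
    print("states flushed:", dead)
```

A source that probes one dead port and then waits longer than the window never lands in the table, which is the trade-off the 1/30 setting makes between catching scanners and tolerating a single stray connection.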