Am 30.05.2014 16:32, schrieb li...@rhsoft.net:
> Am 30.05.2014 16:21, schrieb li...@rhsoft.net:
>> sorry for the more or less off-topic but i think
>> here are the people with most experience
>>
>> what i would like to do is:
>>
>> * setup whatever software listening on port 25
>> * any IP connecting to that machine feed into
>>   a dns-zone file for a DNSBL
>>
>> currently i have a stripped down CentOS6 listening
>> on all unused IP's in a /24 network on standard
>> ports with xinetd answering to ping and responding
>> with a dash-script "creep away"
>>
>> assuming that only infected machines that are part of a botnet
>> are trying to connect on random IP's to port 25 i would
>> say the same machines likely are used to spread spam
>>
>> so feeding any connection into an automatically maintained
>> RBL may stop recent spam waves targeting the own network
>> long before the big RBL's react and if you achieve to
>> remove IP's on that auto-fed RBL after 48 hours there
>> should be little to no bad impact
> 
> answering myself:
> 
> a tiny, secure piece of software accepting connections on
> a specific port and writing only the IP address in a textfile
> would be enough as a start
> 
> the rest are some cron-scripts maintaining a database with
> timestamp/IP, generate the PTR-zone for the RBL and reload
> whatever nameserver software using that zone file

well, that's a php service accepting a single connection
at a time, storing the IP and closing without any answer to
the client; after the socket is created it drops the privileges
to 'nobody' which in the case of Redhat is uid/gid 99

that wrapped in a tiny systemd-unit and you are done
for collecting the relevant data and the rest shouldn't
be that much work since i've written a BIND backend
for some hundred domains running 6 years now in prod

#!/usr/bin/php
<?php
 /** listen on all interfaces */
 $address = '0.0.0.0';
 /** tcp port to listen */
 $port = 1000;
 /** disable output buffering so every IP is written out immediately */
 ob_implicit_flush();
 /** create the socket */
 if(($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) === false)
 {
  exit('socket_create() failed: reason: ' . socket_strerror(socket_last_error()) . "\n");
 }
 /** bind and listen while still root, the port may be a privileged one */
 if(@socket_bind($sock, $address, $port) === false)
 {
  exit('socket_bind() failed: reason: ' . socket_strerror(socket_last_error($sock)) . "\n");
 }
 if(@socket_listen($sock, 5) === false)
 {
  exit('socket_listen() failed: reason: ' . socket_strerror(socket_last_error($sock)) . "\n");
 }
 /** drop privileges to 'nobody' (uid/gid 99 on Redhat); gid first, setgid is not allowed any more once uid is unprivileged */
 if(!@posix_setgid(99) || !@posix_setuid(99))
 {
  exit('Drop privileges failed' . "\n");
 }
 /** service loop: one connection at a time, no banner, no reply */
 while(1 == 1)
 {
  /** accept connection; on failure socket_accept() returns false, do not hand that on */
  $msgsock = @socket_accept($sock);
  if($msgsock === false)
  {
   continue;
  }
  /** get the remote address */
  $remote_ip = '';
  @socket_getpeername($msgsock, $remote_ip);
  /** here later comes the code to feed a database with IP's connecting to the honeypot */
  if(!empty($remote_ip))
  {
   echo $remote_ip . "\n";
  }
  /** close connection */
  @socket_close($msgsock);
 }
?>
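The cron side sketched above (a timestamp/IP table fed from the honeypot output, 48-hour expiry, and a reversed-octet zone for the RBL) as an added example, not code from the original post; it is written in Python rather than PHP, assumes the listener prints one IPv4 per line as in the script, and the zone name rbl.example.invalid, the SOA values and the sample addresses are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

EXPIRE_AFTER = timedelta(hours=48)  # drop listings after 48 hours, as the thread proposes

def record_hits(table, lines, seen_at):
    """Merge honeypot output (one IPv4 per line) into table {ip: last_seen}."""
    for line in lines:
        try:
            ip = str(ipaddress.IPv4Address(line.strip()))
        except ValueError:
            continue  # malformed line: never let it reach the zone file
        # keep the latest sighting so repeat offenders stay listed
        if ip not in table or seen_at > table[ip]:
            table[ip] = seen_at
    return table

def expire(table, now):
    """Return only the entries seen within EXPIRE_AFTER of now."""
    return {ip: ts for ip, ts in table.items() if now - ts <= EXPIRE_AFTER}

def dnsbl_zone(table, now, zone="rbl.example.invalid"):
    """Render a BIND zone: each listed IP becomes a reversed-octet A record
    answering 127.0.0.2, the conventional 'listed' DNSBL response."""
    serial = int(now.timestamp())  # increasing serial so secondaries notice reloads
    out = [
        "$TTL 300",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. ({serial} 600 300 86400 300)",
        f"@ IN NS ns.{zone}.",
    ]
    for ip in sorted(expire(table, now), key=ipaddress.IPv4Address):
        rev = ".".join(reversed(ip.split(".")))
        out.append(f"{rev} IN A 127.0.0.2")
        out.append(f'{rev} IN TXT "connected to port 25 honeypot"')
    return "\n".join(out) + "\n"

def sample_run():
    """Constructed input: one batch from three days ago, one from an hour ago."""
    now = datetime(2014, 5, 30, 16, 0, tzinfo=timezone.utc)
    table = {}
    record_hits(table, ["192.0.2.10\n", "not-an-ip\n"], now - timedelta(days=3))
    record_hits(table, ["198.51.100.7\n", "203.0.113.99\n"], now - timedelta(hours=1))
    return expire(table, now), dnsbl_zone(table, now)

if __name__ == "__main__":
    print(sample_run()[1])
```

The three-day-old address falls out of the rendered zone while the two recent ones are listed; a query for 7.100.51.198.rbl.example.invalid would then answer 127.0.0.2.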
