Linux, Virtualization and whatever I find interesting ...

User Tools

Site Tools

Use iptables as Tarpit

  • A Tarpit is a service on a computer that delays incoming connections as long as possible. So the aggressor lost a lot of time.

Install Software

  • Tested with Ubuntu 10.04 Server 32-Bit.
  • For Arch there is a package available in AUR but it doesn't work as I tested it.
apt-get install xtables-addons-common xtables-addons-source
module-assistant --verbose --text-mode auto-install xtables-addons
  • Finish: Now you can use Tarpit rules.
  • For example:
iptables -A INPUT -p tcp --dport 20 -j TARPIT
  • Unfortunately it seems impossible to make tarpit to the default action of a chain but you can tarpit to most recent ports.
  • Example for very strict Rules:
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
#allow answers to from inside established connections 
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow answers to from outside established connections on Port 80 and a ssh port
/sbin/iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1234 -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow connections to port 80
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Tarpit
/sbin/iptables -A INPUT -p tcp --dport 20 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 21 -j LOG -m limit --limit 20/min --log-prefix "FTP TARPIT: "
/sbin/iptables -A INPUT -p tcp --dport 21 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 22 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 23 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 25 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 110 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 143 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 443 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 445 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 220 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 993 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 995 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 1080 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j TARPIT
##ssh host
/sbin/iptables -A INPUT -p tcp --dport 1234 -j ACCEPT
iptables -N LOGDROP
iptables -A LOGDROP -j LOG -m limit --limit 20/min --log-prefix "DROP: "
iptables -A LOGDROP -j DROP
# Drop all other traffic
iptables -A INPUT -j LOGDROP
  • Hope at last I did not delete too much away. Before I did it the rule set was working.

Configure Syslog-ng

  • Syslog-ng logging all messages according to iptables in:
  • To create a single logging file you must reconfigure Syslog-ng:
filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
destination d_iptables { file("/syslog/iptables/$YEAR-$MONTH/iptables.log-$DAY"); };
log { source(s_all); filter(f_iptables); destination(d_iptables); flags(final); };
  • These lines contain a final flag, that means after matching this filter the message processing end. So the message from iptabels doesn't appear in the file:
  • You must add these line to syslog-ng config before the standard destinations are defined and after the standard sources.

Honeypot Projekt A Honeypot for example takes all request to a network none other answer and seems to answer it.

linux/iptables_as_tarpit.txt · Last modified: 23.03.2013 18:48 by eanderalx