I decided to take a shot at @cybernard's answer and, guess what, it did work! Thank you so much :)
So here is how I did it:
Part 1: Add blocked IPs into an ipset
psad automatically writes every blocked IP into a text file named auto_blocked_ips located in /var/log/psad. So we first need to add them to an ipset, which I called banned_nets.
I wrote this simple script to do it dynamically:
    #!/bin/bash
    # ipset banned_nets must already exist
    AUTO_BLOCKED_IPTABLES_PATH=/var/log/psad/auto_blocked_iptables

    # Rebuild the set from scratch: flush it, then add every IPv4 address
    # found at the start of a line in the psad file.
    update_set(){
        ipset flush banned_nets
        grep -E -o '^([0-9]{1,3}\.){3}[0-9]{1,3}' "$AUTO_BLOCKED_IPTABLES_PATH" | while read -r line ; do
            echo "Processing $line"
            ipset add banned_nets "$line"
        done
    }

    while true #run indefinitely
    do
        # block until psad modifies the file, then rebuild the set
        inotifywait -e modify "$AUTO_BLOCKED_IPTABLES_PATH" && update_set
    done
Part 2: Define forwarding rules
Now we need rules to forward the traffic from the server to the honeypot. The detail is that we actually need two rules, so the server acts as a transparent proxy.
Here is how I did it (once more, thanks to @cybernard):
    ###### forwarding ######
    ipset create banned_nets hash:ip hashsize 4096

    # banned source -> server:8181 is rewritten to honeypot:443
    iptables -t nat -A PREROUTING -p tcp -m set --match-set banned_nets src --dport 8181 -j DNAT --to-destination $HONEYPOT_ADDR:443
    iptables -t nat -A POSTROUTING -p tcp -s $HONEYPOT_ADDR --dport 443 -j SNAT --to-source $SERVER_ADDR:8181

    # everything else from a banned source goes to the honeypot,
    # with the server's address as source so the honeypot answers via the server
    iptables -t nat -A PREROUTING -p tcp -m set --match-set banned_nets src -j DNAT --to-destination $HONEYPOT_ADDR
    iptables -t nat -A PREROUTING -p udp -m set --match-set banned_nets src -j DNAT --to-destination $HONEYPOT_ADDR
    iptables -t nat -A POSTROUTING -p tcp -m set --match-set banned_nets src -j SNAT --to-source $SERVER_ADDR
    iptables -t nat -A POSTROUTING -p udp -m set --match-set banned_nets src -j SNAT --to-source $SERVER_ADDR

    echo "[+] Activating IP forwarding"
    echo 1 > /proc/sys/net/ipv4/ip_forward
These rules are part of my iptables.sh script.
Part 3: Checking the results
So we have an attacker trying to scan 192.168.56.101 and a honeypot at 192.168.56.100.
Scanning the server before IP is blocked
After the blocking, the attacker actually scans the honeypot
Scanning the server after IP is blocked (and forwarded)
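As an added example (not part of the original answer or of psad itself), here is the set-rebuild step of Part 1 written so it can be tested without touching the kernel: the parser only accepts dotted quads whose octets are all in range, drops duplicates, and the ipset binary is a parameter, so passing echo gives a dry run. The psad file content below is constructed for the example; the real file's exact layout beyond "IP at the start of the line" is an assumption here.

```bash
#!/bin/bash
# Added example, not the original poster's script.
# Assumptions: the psad auto_blocked_iptables file has one IPv4 address at the
# start of each entry line; SET_NAME is the ipset to fill.

SET_NAME=${SET_NAME:-banned_nets}

# Print each distinct, syntactically valid IPv4 address that starts a line.
# Octets are range-checked, so entries like 999.1.1.1 are rejected rather than
# being handed to ipset (which would fail and abort the rebuild loop).
extract_blocked_ips() {
    awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, ".")
            ok = 1
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (ok && !seen[$1]++) print $1
        }' "$1"
}

# Flush the set and re-add every valid address.
# $1 = psad file, $2 = ipset command (defaults to ipset; use "echo" for a dry run).
rebuild_set() {
    file=$1
    ipset_cmd=${2:-ipset}
    "$ipset_cmd" flush "$SET_NAME"
    extract_blocked_ips "$file" | while read -r ip; do
        "$ipset_cmd" add "$SET_NAME" "$ip" -exist
    done
}

# Number of addresses that would end up in the set.
count_blocked_ips() {
    extract_blocked_ips "$1" | wc -l | tr -d ' '
}

# Constructed sample of a psad file (not real psad output): a comment line,
# "<ip> <timestamp>" entries, one duplicate, one out-of-range octet, one garbage line.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample, not real psad output
198.51.100.7 1700000000
203.0.113.42 1700000100
198.51.100.7 1700000200
999.1.1.1 1700000300
not-an-ip 1700000400
EOF

# Dry run: prints the ipset commands instead of executing them.
rebuild_set "$SAMPLE_FILE" echo
```

Run it as-is for the dry run; on the real box call rebuild_set /var/log/psad/auto_blocked_iptables (or keep the inotifywait loop from the answer around it) and the commands are executed against banned_nets.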