On 1/3/2019 11:20 PM, Radek wrote:
> A little ncat, sed, pfctl, and a dash of cron are able to do
> the job just fine.  cron is just there to start the ncat processes at
> boot and run an hourly script to do a pfctl -T expire <table> 86400 to
> keep the table clean of old attackers.
> Sounds good. Could you share your script here?


I don't have access to my systems right now, but the script is pretty much a couple of one-liners in crontab, something similar to:

ncat -l -k 23 -vv 2>&1 | sed s/..../..../ | xargs -R 1 -I % pfctl -t honeypot -T add %

I'll have to look up the exact command when I get home tonight, especially the sed I used. Running on my local system, the ncat command echoes out lines like:

Ncat: Connection from 172.16.11.152.
Ncat: Connection from 172.16.11.152:57562.

If I get the time today, I'll work on re-creating the regex, if not, I'll share the one I've been using on my systems.
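The pipeline described in this thread, written out as an added example (not the poster's own script): a sed expression that pulls the source address out of both "Connection from" line shapes shown above, and a wrapper that feeds the addresses to the pf table. It assumes the table is called honeypot, that ncat's messages arrive on stderr (hence the 2>&1 in the usage comment), and it only echoes the pfctl commands unless PF_CMD is set.

```shell
#!/bin/sh
# Added example, not the script from the thread. Assumes a pf table named
# "honeypot" and the ncat message format shown in the thread.

# Constructed sample of what "ncat -l -k 23 -vv" prints (on stderr): the two
# shapes from the thread (with and without a source port) plus a non-connection
# line that must be ignored.
SAMPLE_LINES='Ncat: Connection from 172.16.11.152.
Ncat: Connection from 172.16.11.152:57562.
Ncat: Listening on :::23
Ncat: Connection from 10.0.0.7:41000.'

# One dotted-quad octet in POSIX basic regex syntax.
O='[0-9]\{1,3\}'

# Print only the IPv4 address of each "Connection from" line. The optional
# ":port" group and the trailing period are matched but discarded; any other
# line (listening banners, IPv6 peers) produces no output at all.
extract_ips() {
    sed -n "s/^Ncat: Connection from \($O\.$O\.$O\.$O\)\(:[0-9]\{1,5\}\)\{0,1\}\.\$/\1/p"
}

# Add each distinct extracted address to the pf table. With PF_CMD unset the
# pfctl command is only echoed, so the parsing can be checked without root
# or pf; set PF_CMD=pfctl (or "doas pfctl") on the firewall itself.
ban_attackers() {
    table="${1:-honeypot}"
    extract_ips | sort -u | while read -r ip; do
        ${PF_CMD:-echo pfctl} -t "$table" -T add "$ip"
    done
}

# Live usage on the firewall (stderr redirected because that is where ncat
# writes its connection messages):
#   ncat -l -k 23 -vv 2>&1 | PF_CMD=pfctl ban_attackers honeypot
# Hourly cleanup of entries older than a day, as the thread describes:
#   pfctl -t honeypot -T expire 86400
```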
