On Sat, Jan 5, 2019 at 5:46 AM Misc User <[email protected]> wrote:
>
> On 1/3/2019 11:20 PM, Radek wrote:
> >> A little ncat, sed, pfctl, and a dash of cron are able to do
> >> the job just fine.  cron is just there to start the ncat processes at
> >> boot and run an hourly script to do a pfctl -T expire <table> 86400 to
> >> keep the table clean of old attackers.
> > Sounds good. Could you share your script here?
> >
>
> I don't have access to my systems right now, but the script is pretty
> much a couple of one-liners in crontab, something similar to:
>
> ncat -l -k 23 -vv | sed s/..../..../ | xargs -R 1 -I % pfctl -t honeypot -T add %
>
> I'll have to look up the exact command when I get home tonight,
> especially the sed I used.  Running on my local system, the ncat command
> echoes out lines like:
>
> Ncat: Connection from 172.16.11.152.
> Ncat: Connection from 172.16.11.152:57562.
>
> If I get the time today, I'll work on re-creating the regex, if not,
> I'll share the one I've been using on my systems.
>

Hi

Any news on this? I've tried building my own and while I can get a
list of IP addresses, nothing gets sent through to xargs.  They appear
if I leave off the xargs bit:

git# nc -vnkl 21 2>&1 | sed -E 's/^Connection from ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) [0-9]* received!$/\1/'
111.222.33.44
^C
git#

But if I include the pipe to xargs, nothing happens. I still get
nothing happening if I change it to a while loop, using read to pull
in the IP address.

This works, though, though it assumes that the output for nc(1) will
stay the same forever - it's also IPv6 ready unlike my example above:

nc -vnkl 21 2>&1 | while read dummy dummy ipaddr dummy dummy; do pfctl -t honeypot -T add "$ipaddr"; done

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
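
The pipeline discussed in this thread, as an added example that is not code from either poster: it parses the two log formats quoted above (the `Ncat: Connection from ...` lines and the nc(1) `Connection from <ip> <port> received!` line), validates the address before it reaches pfctl, and does the parsing in the read loop itself so no filter sits between nc and pfctl. The function names, the `SKIP` allowlist and the `PFCTL` override are hypothetical names introduced for this example.

```shell
#!/bin/sh
# Added example: feed a pf table from nc(1)/ncat connection messages.
TABLE=honeypot          # table name used in the thread
SKIP="127.0.0.1 ::1"    # constructed allowlist: addresses never to add

# Succeed only for a dotted-quad IPv4 address or an IPv6-looking string.
valid_addr() {
    case $1 in
        ''|*.|*[!0-9a-fA-F:.]*) return 1 ;;  # reject anything but address chars
        *:*:*) return 0 ;;                   # IPv6 form; pfctl does the full check
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print the peer address found in one log line; print nothing if it is not valid.
extract_ip() {
    line=$1
    case $line in
        "Ncat: Connection from "*) addr=${line#"Ncat: Connection from "} ;;
        "Connection from "*)       addr=${line#"Connection from "} ;;
        *) return 1 ;;
    esac
    addr=${addr%% *}    # nc: drop " <port> received!"
    addr=${addr%.}      # ncat: drop the trailing full stop
    case $addr in *.*:*) addr=${addr%:*} ;; esac   # ncat: drop ":port" after IPv4
    valid_addr "$addr" && printf '%s\n' "$addr"
}

# Read log lines on stdin and add each validated, non-allowlisted peer to the table.
feed_table() {
    while IFS= read -r line; do
        ip=$(extract_ip "$line") || continue
        case " $SKIP " in *" $ip "*) continue ;; esac
        ${PFCTL:-pfctl} -t "$TABLE" -T add "$ip"
    done
}

# Pass "run" as the first argument to listen on port 21, as in the post above.
if [ "${1:-}" = run ]; then
    nc -vnkl 21 2>&1 | feed_table
fi
```

Putting your own management addresses in `SKIP` keeps a stray connection to the honeypot port from adding them to the table.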
