
I am currently using psad to automatically block potentially harmful IPs. When it detects an attack it adds the IP to PSAD_BLOCKED_INPUT or PSAD_BLOCK_OUTPUT and then drops all further traffic from this source.

So far so good, but what I want is to redirect the traffic from these blocked IPs to a honeypot running on a VM. Any ideas/suggestions?

2 Answers


First you would have to load /etc/hosts.deny into an ipset. Then define a rule to forward it (DNAT is only valid in the nat table, so the rule has to go there):

iptables -t nat -A PREROUTING -i eth0 -m set --match-set banned_nets src -j DNAT --to-destination 192.168.1.1

192.168.1.1 would be where you put your VM IP.

Now it could get tricky, as psad may clear all iptables rules, and then you would have to add it after psad is initialized.

cybernard

I decided to take a shot at @cybernard's answer and, guess what, it did work! Thank you so much :)

So here is how I did it:

Part 1: Add blocked IPs into an ipset

psad automatically writes every blocked IP into a text file named auto_blocked_ips located in /var/log/psad. So we first need to load it into an ipset, which I called banned_nets.

I wrote this simple script to do it dynamically:

#!/bin/bash
# ipset banned_nets must already exist (it is created in Part 2)
# inotifywait comes from the inotify-tools package

AUTO_BLOCKED_IPTABLES_PATH=/var/log/psad/auto_blocked_iptables

update_set(){
    ipset flush banned_nets

    # psad writes one blocked IPv4 address at the start of each line
    grep -E -o '^([0-9]{1,3}\.){3}[0-9]{1,3}' "$AUTO_BLOCKED_IPTABLES_PATH" | while read -r line ; do
        echo "Processing $line"
        ipset add banned_nets "$line"
    done
}

while true # run indefinitely
do
    # wait for the file to change, then rebuild the set
    # (with a pipe, update_set would start at once, before the event fires)
    inotifywait -e modify "$AUTO_BLOCKED_IPTABLES_PATH" && update_set
done

Part 2: Define forwarding rules

Now we need rules to forward the traffic from the server to the honeypot. The detail is that we actually need two rules, so that the server acts as a transparent proxy.

Here is how I did it (once more, thanks to @cybernard):

###### forwarding ######
HONEYPOT_ADDR=192.168.56.100   # the honeypot VM
SERVER_ADDR=192.168.56.101     # this server, the one psad protects

ipset create -exist banned_nets hash:ip hashsize 4096

# a banned source hitting port 8181 lands on the honeypot's HTTPS port
iptables -t nat -A PREROUTING -p tcp --dport 8181 -m set --match-set banned_nets src -j DNAT --to-destination "$HONEYPOT_ADDR:443"
iptables -t nat -A POSTROUTING -p tcp -m set --match-set banned_nets src -d "$HONEYPOT_ADDR" --dport 443 -j SNAT --to-source "$SERVER_ADDR"

# everything else from a banned source goes to the honeypot with the port unchanged
iptables -t nat -A PREROUTING -p tcp -m set --match-set banned_nets src -j DNAT --to-destination "$HONEYPOT_ADDR"
iptables -t nat -A PREROUTING -p udp -m set --match-set banned_nets src -j DNAT --to-destination "$HONEYPOT_ADDR"

# rewrite the source so the honeypot answers back through this server (transparent proxy);
# conntrack undoes both translations on the reply path, no extra rule is needed for replies
iptables -t nat -A POSTROUTING -p tcp -m set --match-set banned_nets src -j SNAT --to-source "$SERVER_ADDR"
iptables -t nat -A POSTROUTING -p udp -m set --match-set banned_nets src -j SNAT --to-source "$SERVER_ADDR"

# forwarded packets also traverse the filter table's FORWARD chain, which must accept them
echo "[+] Activating IP forwarding"
echo 1 > /proc/sys/net/ipv4/ip_forward

These rules are part of my iptables.sh script.

Part 3: checking the results

So we have an attacker trying to scan 192.168.56.101 and a honeypot at 192.168.56.100.

[Screenshot: scanning the server before the IP is blocked]

After the blocking, the attacker actually ends up scanning the honeypot:

[Screenshot: scanning the server after the IP is blocked (and forwarded)]
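One refinement to the Part 1 script, as an added example that is not code from either answer: rebuild banned_nets through `ipset restore` and an atomic `swap` rather than flush plus per-IP add, so the set is never empty mid-rebuild and a blocked host cannot briefly fall through to the normal rules. The set name, the temporary set name and the `--watch` flag are my own choices; the log format (one IPv4 address at the start of each line) is assumed exactly as the original script assumes it.

```shell
# Added example, not code from either answer: rebuild banned_nets from psad's
# auto_blocked_iptables file via `ipset restore` and an atomic `swap`, instead
# of flush + per-IP add, so the set is never empty mid-rebuild and a blocked
# host cannot briefly fall through to the normal rules. Assumes, like the
# original script, one IPv4 address at the start of every line in that file.
set -eu

SET_NAME=banned_nets
AUTO_BLOCKED_IPTABLES_PATH=${AUTO_BLOCKED_IPTABLES_PATH:-/var/log/psad/auto_blocked_iptables}

# Print an ipset-restore batch that rebuilds $SET_NAME from the file in $1.
# Only well-formed IPv4 addresses at line start are kept: comments, garbage
# and octets above 255 are skipped, and duplicates collapse to one entry.
build_restore_batch() {
    file=$1
    tmp="${SET_NAME}_tmp"
    echo "create $SET_NAME hash:ip hashsize 4096"
    echo "create $tmp hash:ip hashsize 4096"
    echo "flush $tmp"
    grep -E -o '^([0-9]{1,3}\.){3}[0-9]{1,3}' "$file" | sort -u |
    while IFS=. read -r a b c d; do
        # the regex alone lets 999.1.1.1 through; reject octets > 255
        if [ "$a" -le 255 ] && [ "$b" -le 255 ] && [ "$c" -le 255 ] && [ "$d" -le 255 ]; then
            echo "add $tmp $a.$b.$c.$d"
        fi
    done
    echo "swap $tmp $SET_NAME"   # atomic: rules see the old set, then the new one
    echo "destroy $tmp"          # the old contents now live in $tmp; drop them
}

# Apply the batch. Needs root and the ipset binary; -exist makes the two
# `create` lines harmless when the sets already exist.
update_set() {
    build_restore_batch "$AUTO_BLOCKED_IPTABLES_PATH" | ipset -exist restore
}

# Watch loop (run as: ./script.sh --watch). `&&` rather than `|` so the
# rebuild happens after the modify event, not concurrently with the wait.
if [ "${1:-}" = "--watch" ]; then
    while true; do
        inotifywait -qq -e modify,close_write "$AUTO_BLOCKED_IPTABLES_PATH" && update_set
    done
fi
```

Without `--watch` the script only defines the functions, so `build_restore_batch /var/log/psad/auto_blocked_iptables` can be run by hand to inspect the batch before applying it.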