Use iptables as Tarpit

• A Tarpit is a service on a computer that delays incoming connections as long as possible. So the aggressor lost a lot of time.

• Tested with Ubuntu 10.04 Server 32-Bit.
• For Arch there is a package available in AUR but it doesn't work as I tested it.

apt-get install xtables-addons-common xtables-addons-source
module-assistant --verbose --text-mode auto-install xtables-addons

• Finish: Now you can use Tarpit rules.
• For example:

iptables -A INPUT -p tcp --dport 20 -j TARPIT

• Unfortunately it seems impossible to make tarpit to the default action of a chain but you can tarpit to most recent ports.
• Example for very strict Rules:

/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
#allow answers to from inside established connections 
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow answers to from outside established connections on Port 80 and a ssh port
/sbin/iptables -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1234 -m state --state ESTABLISHED,RELATED -j ACCEPT
#allow connections to port 80
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Tarpit
/sbin/iptables -A INPUT -p tcp --dport 20 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 21 -j LOG -m limit --limit 20/min --log-prefix "FTP TARPIT: "
/sbin/iptables -A INPUT -p tcp --dport 21 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 22 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 23 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 25 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 110 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 143 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 443 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 445 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 220 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 993 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 995 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 1080 -j TARPIT
/sbin/iptables -A INPUT -p tcp --dport 8080 -j TARPIT
########
##ssh host
/sbin/iptables -A INPUT -p tcp --dport 1234 -j ACCEPT
##logging
iptables -N LOGDROP
iptables -A LOGDROP -j LOG -m limit --limit 20/min --log-prefix "DROP: "
iptables -A LOGDROP -j DROP
# Drop all other traffic
iptables -A INPUT -j LOGDROP
#eof

• Hope at last I did not delete too much away. Before I did it the rule set was working.

• Syslog-ng logging all messages according to iptables in:

  /var/log/syslog

• To create a single logging file you must reconfigure Syslog-ng:

filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };
destination d_iptables { file("/syslog/iptables/$YEAR-$MONTH/iptables.log-$DAY"); };
log { source(s_all); filter(f_iptables); destination(d_iptables); flags(final); };

• These lines contain a final flag, that means after matching this filter the message processing end. So the message from iptabels doesn't appear in the file:

  /var/log/syslog

• You must add these line to syslog-ng config before the standard destinations are defined and after the standard sources.

Honeypot Projekt A Honeypot for example takes all request to a network none other answer and seems to answer it.