How to use Python and Fail2Ban to write an auto-blocking honeypot.
I have been practicing for the upcoming NECCDC competition and playing around
with various security concepts. One I wanted to try was a honeypot that
automagically blocks IPs as soon as they touch it. What I ended up with is a
honeypot script written in Python that logs every connection to a log file, plus
a Fail2Ban filter and jail that read that log and block the IP address. So here
is the Fail2Ban honeypot that I have thrown together.
We first need to install Python and Fail2Ban. The installation process may
differ depending on which Linux distribution you are using; on Debian or Ubuntu:
sudo apt-get install python3 fail2ban
Copy the following Python script into a file named honeypot.py:
import socket
import sys
import threading
import time

class Honeypot(threading.Thread):
    def __init__(self, logfile, port):
        threading.Thread.__init__(self)
        self.logfile = logfile
        self.port = port
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # allow an immediate restart while old connections sit in TIME_WAIT
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(('', port))
        self.sock.listen(1)
        print('Listening on: ', port)

    def run(self):
        while True:
            channel, details = self.sock.accept()
            # details is (source ip, source port); the timestamp lets Fail2Ban date the event
            logstr = '%s Connection from %s:%s on port %s' % (
                time.strftime('%Y-%m-%d %H:%M:%S'), details[0], details[1], self.port)
            print(logstr)
            self.logfile.write('%s\n' % logstr)
            self.logfile.flush()  # Fail2Ban tails the file, so do not leave the line buffered
            channel.send(b'You Just Got Stuck In Some Honey')
            channel.close()

ports = [int(arg) for arg in sys.argv[1:]]
threads = []
logfile = open('/var/log/honeypot.log', 'a')
for p in ports:
    threads.append(Honeypot(logfile, p))
for thread in threads:
    thread.start()
print('Bring it on!')
for thread in threads:
    thread.join()  # keep the main thread alive while the listeners run
Some may notice a slight issue: this script is meant to run 24/7 and never be
stopped, so there is no particular way of stopping the threads. Ctrl-C will not
end it while the listeners are blocked in accept(), so short of rebooting the
machine you have to kill the process.
To run the honeypot simply issue the following command (as root, since the
script binds ports below 1024 and appends to /var/log/honeypot.log):
sudo python3 honeypot.py 22 25 80 443
Replace the ports shown with the ports you want the honeypot to listen on. They
must be ports nothing else on the machine uses: bind() fails if a real service
already holds one, so if sshd is really on 22, drop 22 from the list.
When someone connects to one of the supplied ports, the script prints the IP
address that connected, the source port they connected from and the port they
were trying to reach. It also appends the same line to /var/log/honeypot.log,
which is the file Fail2Ban will watch.
Now to set up Fail2Ban to block the IP address once it is captured.
A new filter definition needs to be created in /etc/fail2ban/filter.d/honeypot.conf.
Its failregex has to match the 'Connection from ...' line the script writes, with
Fail2Ban's <HOST> tag in place of the IP address; 'sudo fail2ban-regex
/var/log/honeypot.log /etc/fail2ban/filter.d/honeypot.conf' tells you whether it
actually matches your log before you rely on it.
And a jail that uses the filter has to be set in /etc/fail2ban/jail.local (put
local changes there rather than in jail.conf, which package upgrades overwrite):
[honeypot]
enabled = true
filter = honeypot
logpath = /var/log/honeypot.log
action = iptables-allports[name=Honeypot, protocol=all]
maxretry = 1
Please make sure to read up on Fail2Ban's various actions. The 'iptables-allports'
one is used here with 'protocol=all', meaning the IP address is banned from
making any connection on any port using any protocol (TCP, UDP, ICMP, etc.). That
is a heavy response to a single packet, but it is safe here because accept() only
returns after a completed TCP handshake, so the logged source address cannot be
forged the way a lone SYN can. Also change 'maxretry' as you see fit: with it set
to 1, any single access to the honeypot bans the IP for the configured 'bantime'
(600 seconds by default); if you want, change it to 2 or 3 so that only someone
persistent with trying to access the false service gets banned. Because one
connection is enough, add your own management hosts to 'ignoreip' in the
[DEFAULT] section, or a stray connection from your monitoring, or a scan you run
yourself, will lock you out of every port on the box.
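Here, as an added example that is not code from the original post, is the filter file the jail above expects, embedded in a small Python check that applies it the way Fail2Ban does to a few constructed honeypot log lines and reports which IPs a given maxretry (and ignoreip) would ban. The <HOST> expansion and the timestamp stripping are simplified stand-ins for Fail2Ban's own (IPv4 only, the one date format the script writes), and the sample addresses and lines are made up.

```python
import configparser
import re
from collections import Counter

# Added example (not from the original post): the filter file the post says to
# create, as /etc/fail2ban/filter.d/honeypot.conf, written for the line
# honeypot.py logs: "<timestamp> Connection from <ip>:<port> on port <port>".
HONEYPOT_FILTER = r"""
[Definition]
failregex = ^\s*Connection from <HOST>:\d+ on port \d+\s*$
ignoreregex =
"""

# Fail2Ban substitutes <HOST> with its own address pattern and removes the
# timestamp it recognised before applying failregex. Both are simplified here
# (IPv4 only, one fixed date format) so the check runs offline.
HOST_PATTERN = r'(?P<host>(?:\d{1,3}\.){3}\d{1,3})'
DATE_PREFIX = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s*')

# Constructed sample of /var/log/honeypot.log, including one line that is not
# a connection record and must not match.
SAMPLE_LOG = [
    '2024-03-01 12:00:01 Connection from 203.0.113.7:51234 on port 22',
    '2024-03-01 12:00:02 Connection from 203.0.113.7:51235 on port 25',
    '2024-03-01 12:00:05 Connection from 198.51.100.9:40000 on port 443',
    '2024-03-01 12:00:07 honeypot restarted by admin',
    '2024-03-01 12:00:09 Connection from 203.0.113.7:51240 on port 80',
]


def load_failregex(filter_text):
    """Parse [Definition] from a filter file and compile each failregex line."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(filter_text)
    raw = cp.get('Definition', 'failregex')
    return [re.compile(line.strip().replace('<HOST>', HOST_PATTERN))
            for line in raw.splitlines() if line.strip()]


def matches_by_host(log_lines, patterns):
    """Count, per source IP, the lines that trip any failregex (what Fail2Ban tallies)."""
    hits = Counter()
    for line in log_lines:
        body = DATE_PREFIX.sub('', line.rstrip('\r\n'), count=1)
        for pat in patterns:
            m = pat.search(body)
            if m:
                hits[m.group('host')] += 1
                break
    return hits


def banned_hosts(hits, maxretry, ignoreip=()):
    """IPs that reached maxretry hits, minus anything listed in ignoreip."""
    return sorted(h for h, n in hits.items() if n >= maxretry and h not in ignoreip)


if __name__ == '__main__':
    hits = matches_by_host(SAMPLE_LOG, load_failregex(HONEYPOT_FILTER))
    print(dict(hits))                      # {'203.0.113.7': 3, '198.51.100.9': 1}
    print(banned_hosts(hits, maxretry=1))  # ['198.51.100.9', '203.0.113.7']
    print(banned_hosts(hits, maxretry=2))  # ['203.0.113.7']
    print(banned_hosts(hits, maxretry=1, ignoreip={'198.51.100.9'}))  # ['203.0.113.7']
```

Copy the [Definition] text into /etc/fail2ban/filter.d/honeypot.conf. On the real box, sudo fail2ban-regex /var/log/honeypot.log /etc/fail2ban/filter.d/honeypot.conf is the authoritative check, since it uses Fail2Ban's own <HOST> and date handling rather than the simplified ones above.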
And that is it. Restart Fail2Ban so it picks up the new jail, then test by
connecting to one of the honeypot ports from a second machine, using telnet:
telnet 192.168.1.11 80
Replace '192.168.1.11' with the IP address of the machine running the honeypot
and '80' with the port you wish to test. You should see the 'You Just Got Stuck
In Some Honey' banner, the connection line should appear in
/var/log/honeypot.log, and 'sudo fail2ban-client status honeypot' on the
honeypot host should list the second machine under the banned IPs. Test from a
machine you can afford to lose: once banned it cannot reach the honeypot host on
any port until bantime expires, or until you run
'sudo fail2ban-client set honeypot unbanip <ip>'.
And there you have it, a Fail2Ban honeypot written in Python. Deploy and Enjoy.