This project is a port-scanning honeypot designed to detect and block malicious traffic using Python, Scapy, and iptables. It tracks repeated SYN packets from the same IP address, blocks the offending IP if it exceeds a defined threshold, and taunts the attacker with a custom message. The script is designed to run on Linux systems and is ideal for lightweight devices like the Raspberry Pi.
- Packet Sniffing: Monitors incoming TCP packets and identifies SYN packets.
- IP Blocking: Dynamically blocks IP addresses that exceed a specified threshold of SYN packets.
- Auto Unblocking: Automatically unblocks IPs after a configurable timeout period.
- Attacker Engagement: Sends a taunting message ("GET A LIFE!") to attackers via a TCP payload.
- Lightweight: Optimized for Raspberry Pi (tested on Raspberry Pi 8GB Model B).
[Image: hardware setup with the Raspberry Pi Model B]
[Image: the script detecting and blocking malicious IPs]
[Image: Nmap scan from the attacker side]
- Hardware: Raspberry Pi 8GB Model B or any Linux system.
- Operating System: Ubuntu or any Debian-based distribution.
- Python: Python 3.6+
- Dependencies: `scapy` (third-party); `subprocess`, `datetime`, `collections` and `threading` are part of the Python standard library.
```bash
sudo apt update
sudo apt install python3 python3-pip iptables -y
pip3 install scapy
git clone <repository_url>
cd <repository_directory>
sudo python3 honeypot.py
```

Note: Root privileges are required to modify iptables and to sniff packets, so `scapy` must be importable by the interpreter that root runs. A plain `pip3 install scapy` as an unprivileged user lands in that user's site-packages and `sudo python3 honeypot.py` then fails with `ModuleNotFoundError`; install it system-wide instead (`sudo pip3 install scapy`, or `sudo apt install python3-scapy` on Debian-based systems).
The following parameters can be configured in the script:
- `BLOCK_DURATION`: Time period (in minutes) for which an IP remains blocked. Default: 5 minutes.
- `MAX_COUNT`: Maximum number of SYN packets allowed before blocking an IP. Default: 3. Note that this is a low threshold: a normal TCP client retransmits its SYN several times when a port does not answer, so a single legitimate connection attempt to a closed port can exceed 3 SYNs. Raise the value or whitelist trusted hosts if you see false positives.
- Custom Message: Modify the taunt message in the `Raw(load="GET A LIFE!")` payload.
1. Packet Monitoring:
   - Sniffs incoming TCP traffic using Scapy.
   - Filters packets to identify SYN requests.
2. Tracking and Threshold:
   - Tracks SYN requests per source IP address.
   - Blocks IPs that exceed the defined `MAX_COUNT` within the `BLOCK_DURATION`.
3. IP Blocking:
   - Uses `iptables` to drop packets from offending IPs.
   - Automatically unblocks IPs after the `BLOCK_DURATION` expires.
4. Attacker Engagement:
   - Sends a SYN-ACK and a taunting message ("GET A LIFE!") to detected attackers.
1. Ensure all dependencies are installed (refer to the Installation section).
2. Run the script with root privileges:
   ```bash
   sudo python3 honeypot.py
   ```
3. Monitor the output in the terminal for detected IPs, taunt messages, and block/unblock events.
1. Create a systemd service file:
   ```bash
   sudo nano /etc/systemd/system/honeypot.service
   ```
   Add the following content:
   ```ini
   [Unit]
   Description=Port Scan Honeypot
   After=network.target

   [Service]
   ExecStart=/usr/bin/python3 /path/to/honeypot.py
   Restart=always
   User=root

   [Install]
   WantedBy=multi-user.target
   ```
2. Enable and start the service:
   ```bash
   sudo systemctl enable honeypot.service
   sudo systemctl start honeypot.service
   ```
3. Check the service status:
   ```bash
   sudo systemctl status honeypot.service
   ```
The script currently uses print statements for logging. To enable more robust logging:
- Replace `print` with Python's `logging` module.
- Direct logs to a file for persistent storage and debugging.

Example:
```python
import logging

logging.basicConfig(filename="honeypot.log", level=logging.INFO,
                    format="%(asctime)s - %(message)s")
```

- IP Whitelisting: Modify the script to exclude trusted IP ranges from blocking. The block decision is keyed on the source address of unauthenticated SYN packets, which a sender can forge, so the whitelist should at least cover your gateway, DNS resolvers and any management hosts; otherwise a spoofed burst of SYNs can get those addresses dropped.
- Resource Usage: Periodically clean up old entries in the tracker to avoid memory bloat.
- Testing: Test the honeypot in a controlled environment before deploying it in production.
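The detection loop described under How It Works, together with the IP whitelisting and tracker clean-up suggested above, as an added example (it is not the project's `honeypot.py` and not the author's code): the Scapy sniffer is replaced by a plain `(src_ip, tcp_flags)` feed and the `iptables` calls go through an injectable runner, so the threshold, whitelist and timed-unblock logic can be run without root or a network. The `SynTracker` class, the `demo()` function and the addresses in it are constructed for this illustration; the `iptables -I/-D INPUT -s <ip> -j DROP` rules are the real syntax. The block duration is given in seconds here, not in minutes as the script's `BLOCK_DURATION` is.

```python
"""Threshold logic of a SYN-counting honeypot (added illustration, not honeypot.py).
The scapy sniffer is replaced by a plain (src_ip, tcp_flags) feed and iptables is
reached through an injectable runner, so the decisions run without root."""
import ipaddress
import subprocess
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Iterable, List

TCP_SYN = 0x02
TCP_ACK = 0x10


def is_probe(flags: int) -> bool:
    """Bare SYN (SYN set, ACK clear): first packet of a connect/SYN scan.
    SYN-ACKs answer connections this host opened and are not counted."""
    return bool(flags & TCP_SYN) and not flags & TCP_ACK


def run_iptables(args: List[str]) -> None:
    """Default runner: invoke iptables for real (requires root)."""
    subprocess.run(["iptables", *args], check=True)


class SynTracker:
    """Counts bare SYNs per source IP, blocks above max_count, unblocks on expiry."""

    def __init__(self, max_count: int = 3, block_duration: float = 300.0,
                 whitelist: Iterable[str] = (),
                 run: Callable[[List[str]], None] = run_iptables,
                 now: Callable[[], float] = time.time) -> None:
        self.max_count = max_count
        self.block_duration = block_duration  # seconds: counting window and block time
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.run = run
        self.now = now
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> SYN timestamps
        self.blocked: Dict[str, float] = {}                       # ip -> unblock time

    def is_whitelisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def observe(self, src_ip: str, flags: int) -> bool:
        """Feed one inbound TCP header; True when this packet got src_ip blocked."""
        self.expire_blocks()
        # Raw sockets see packets before netfilter drops them, so a blocked source
        # keeps showing up here and must be skipped rather than blocked again.
        if not is_probe(flags) or src_ip in self.blocked or self.is_whitelisted(src_ip):
            return False
        t = self.now()
        window = self.hits[src_ip]
        window.append(t)
        while window and t - window[0] > self.block_duration:  # forget SYNs outside window
            window.popleft()
        if len(window) > self.max_count:
            self._block(src_ip, t)
            return True
        return False

    def _block(self, ip: str, t: float) -> None:
        # -I puts the DROP at the head of INPUT, ahead of any ACCEPT rules.
        self.run(["-I", "INPUT", "-s", ip, "-j", "DROP"])
        self.blocked[ip] = t + self.block_duration
        self.hits.pop(ip, None)

    def expire_blocks(self) -> List[str]:
        """Delete rules whose block time has elapsed; returns the unblocked IPs."""
        t = self.now()
        expired = [ip for ip, until in self.blocked.items() if until <= t]
        for ip in expired:
            self.run(["-D", "INPUT", "-s", ip, "-j", "DROP"])
            del self.blocked[ip]
        return expired

    def prune(self) -> int:
        """Drop sources with no SYN inside the window, keeping the tracker bounded."""
        t = self.now()
        stale = [ip for ip, w in self.hits.items() if not w or t - w[-1] > self.block_duration]
        for ip in stale:
            del self.hits[ip]
        return len(stale)


def demo() -> dict:
    """Constructed traffic (RFC 5737 / RFC 1918 addresses) against a recording runner."""
    clock = [1_000.0]
    cmds: List[List[str]] = []
    tr = SynTracker(max_count=3, block_duration=300.0, whitelist=["10.0.0.0/8"],
                    run=cmds.append, now=lambda: clock[0])
    scan = [tr.observe("203.0.113.7", TCP_SYN) for _ in range(4)]   # scanner: 4th SYN blocks
    trusted = [tr.observe("10.1.2.3", TCP_SYN) for _ in range(10)]  # whitelisted: never blocked
    reply = tr.observe("198.51.100.1", TCP_SYN | TCP_ACK)           # SYN-ACK: not a probe
    slow = [tr.observe("198.51.100.9", TCP_SYN) for _ in range(2)]  # under threshold
    after_block = list(cmds)
    clock[0] += 301.0                                               # block duration elapses
    unblocked = tr.expire_blocks()
    return {"scan": scan, "trusted": trusted, "reply": reply, "slow": slow,
            "after_block": after_block, "unblocked": unblocked,
            "still_blocked": dict(tr.blocked), "cmds": cmds, "pruned": tr.prune()}
```

To wire this into the real script (assumed usage, not shown in the project), call `tracker.observe(pkt[IP].src, int(pkt[TCP].flags))` from the Scapy `sniff` callback, run `expire_blocks()` and `prune()` from one periodic thread instead of a timer per blocked IP, and keep the default `run_iptables` runner. Unblocking is then driven by the clock rather than by `threading.Timer` objects, which also means a restart of the service does not leave stale DROP rules unaccounted for in memory, though rules already in the kernel survive a restart and need to be flushed separately.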
Contributions are welcome! Please follow these steps:
1. Fork the repository.
2. Create a feature branch (`git checkout -b feature-name`).
3. Commit your changes (`git commit -m "Add feature"`).
4. Push to the branch (`git push origin feature-name`).
5. Open a pull request.
- Scapy: For its powerful packet crafting and sniffing capabilities.
- Raspberry Pi Community: For their support and tutorials.
This script is intended for educational and defensive purposes only. The author is not responsible for any misuse or legal issues arising from its deployment.


