Port honeypot

The Port honeypot module opens fake services on 100 random ports that have no active service running, so it won’t stop an active service.
These fake services mimic open ports, so if someone is trying to find an open port to exploit, their IP address will be greylisted.

IP forwarding
If IP forwarding is enabled, the Port Honeypot module can’t start because it doesn’t know which ports it can use and which it can’t.
The Port honeypot module will not start if:
The server’s uptime is less than half an hour.
The server has IP forwarding enabled (the server is a proxy).
PCI compliance mode is enabled in the agent.
The agent does not have the correct access.

Change the number of port honeypots

If you would like to run fewer/more honeypot services on your server, you can decrease/increase the number of honeypots in /etc/bitninja/PortHoneypot/config.ini.

  1. Open the /etc/bitninja/PortHoneypot/config.ini file in your preferred text editor
    nano /etc/bitninja/PortHoneypot/config.ini
  2. Add the following two lines to the file
    [random_mines]
    random_mines=99
  3. Specify the number of port honeypots after random_mines=
  4. Save the changes and exit the text editor
    In nano, press ctrl+x, then press Y, then press enter
  5. Restart BitNinja with service bitninja restart

Define ports NOT to use as port honeypot

If you would like to make sure BitNinja does not use a port as a port honeypot, you can define it in the config file.

  1. Open the /etc/bitninja/PortHoneypot/config.ini file with your preferred text editor
    e.g.: nano /etc/bitninja/PortHoneypot/config.ini
  2. Navigate to the [ports_never_use] section
  3. Add a line that looks like this: ports[]=XX, where XX is the number of the port that must not be used as a port honeypot
  4. Save settings and exit the editor
    1. In the nano editor, press ctrl+x, then press Y, then press enter
  5. Restart BitNinja so the changes take effect. Use service bitninja restart

Define ports as fixed port honeypots

  1. Open the /etc/bitninja/PortHoneypot/config.ini file with your preferred text editor
    e.g.: nano /etc/bitninja/PortHoneypot/config.ini
  2. Navigate to the [ports_always_use] section
  3. Add a line that looks like this: ports[]=XX, where XX is the number of the port that you wish to use as a port honeypot
  4. Save settings and exit the editor
    1. In the nano editor, press ctrl+x, then press Y, then press enter
  5. Restart BitNinja so the changes take effect. Use service bitninja restart
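
Before restarting the agent, the edited file can be checked for mistakes in the three sections described above. The script below is an added example, not BitNinja code: the function name is hypothetical, and treating a port listed in both [ports_never_use] and [ports_always_use] as an error is an assumption, since this page does not say how the agent resolves that case.

```shell
#!/bin/sh
# Added example (not BitNinja code): lint a PortHoneypot config.ini.
# Prints one finding per line and nothing when the file is clean.
lint_honeypot_config() {
    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # trim CR and whitespace
        /^$/ || /^[;#]/ { next }                          # skip blanks and comments
        /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); next }
        section == "ports_never_use" || section == "ports_always_use" {
            port = $0
            if (sub(/^ports\[\][ \t]*=[ \t]*/, "", port) == 0) {
                printf "line %d: expected ports[]=XX in [%s]: %s\n", NR, section, $0
                next
            }
            if ((port !~ /^[0-9]+$/) || (port + 0 < 1) || (port + 0 > 65535)) {
                printf "line %d: invalid port: %s\n", NR, port
                next
            }
            if (section == "ports_never_use") never[port + 0] = NR
            else always[port + 0] = NR
            next
        }
        section == "random_mines" && /^random_mines[ \t]*=/ {
            n = $0; sub(/^[^=]*=[ \t]*/, "", n)
            if (n !~ /^[0-9]+$/) printf "line %d: random_mines is not a number: %s\n", NR, n
        }
        END {   # assumption: a port cannot be both excluded and forced
            for (p in always) if (p in never)
                printf "port %d is in both [ports_always_use] (line %d) and [ports_never_use] (line %d)\n", p, always[p], never[p]
        }
    ' "$1"
}

# Constructed sample input: 443 is listed in both sections, 70000 is out of range.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[random_mines]
random_mines=99
[ports_never_use]
ports[]=8080
ports[]=443
[ports_always_use]
ports[]=23
ports[]=443
ports[]=70000
EOF
lint_honeypot_config "$sample"
rm -f "$sample"
```

On a real server, call it as lint_honeypot_config /etc/bitninja/PortHoneypot/config.ini and restart the agent only when it prints nothing.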

Passive FTP ports

If an FTP client wants to use a port that is a BitNinja Port Honeypot, it will choose another passive port for the connection.
BitNinja will block the FTP connection only from grey/blacklisted IP addresses.