Honeypot- logger on nodejs and tcpdump
Hello. Recently Comrade R_Voland talked about his http hanipot. He inspired me to write this post. But in this case, we will catch all tcp and udp scans, not just http. We will catch requests by means of tcpdump.
For tcp, we only catch syn packages:
For udp all incoming udp packets
')
In theory, the output from tcpdump can be redirected to a file and then parsed as necessary, but I'm still the pervert, so we will write a service to nodejs, which will listen to tcpdump and save the results in a mysql database.
Script header with everything you need:
lastTcpLine - needed for temporary storage of the last line obtained from stdout. Because we receive data not line by line, but by blocks in which the last line may not be complete, and its 2nd half will arrive with the second data block.
we need to excludePorts and excludeAddrs to exclude any of our own connections. On port 80 we will have a separate extended logger, we will not listen to localhost either.
Hang the listener:
IP come to us in the form of address.port, for example 192.168.1.1.443, we parse into the address and port:
Save the result to the database:
The code for the udp listener is 100% complete, I will not repeat, the source code can be viewed on the github: github.com/hololoev/honeypot_tcpdump_logger.git
Now we need a new virtual box on which we put nginx with the “Under construction” stub and our logger. We do not send any domain to it, in every way we depict the view of the newly created server, the average webmaster. In a couple of days (from May 5 to 9) we get the results:
Top 5 TCP ports:
Top 5 udp ports:
Top 10 most active ip addresses:
Map with top 100 most active addresses:
For tcp, we only catch syn packages:
tcpdump -n "tcp[tcpflags] & (tcp-syn) != 0" For udp all incoming udp packets
')
tcpdump -n inbound and udp In theory, the output from tcpdump can be redirected to a file and then parsed as necessary, but I'm still the pervert, so we will write a service to nodejs, which will listen to tcpdump and save the results in a mysql database.
Script header with everything you need:
#!/usr/bin/nodejs 'use strict'; const net = require('net'); const spawn = require('child_process').spawn; const mysql = require('mysql2'); const config = require('./config'); const connection = mysql.createConnection(config.mysql); const tcpdump = spawn('tcpdump', ['-n', 'tcp[tcpflags] & (tcp-syn) != 0']); const excludePorts = [ 80 ]; const excludeAddrs = [ '127.0.0.1', ]; let lastTcpLine = ''; lastTcpLine - needed for temporary storage of the last line obtained from stdout. Because we receive data not line by line, but by blocks in which the last line may not be complete, and its 2nd half will arrive with the second data block.
we need to excludePorts and excludeAddrs to exclude any of our own connections. On port 80 we will have a separate extended logger, we will not listen to localhost either.
Hang the listener:
tcpdump.stdout.on('data', (data) => { let lines = `${data}`.split('\n'); // // lastTcpLine , lastTcpLine let lastTcpLineNum = lines.length - 1; let toNum = lines.length - 1; lines[ 0 ] = lines[ 0 ] + lastTcpLine; if( lines[ lastTcpLineNum ].indexOf('\n') == -1 ) { lastTcpLine = lines[ lastTcpLineNum ]; toNum --; } else lastTcpLine = ''; for(let i=0; i<=toNum; i++) { saveLog( parseLine(lines[ i ], 'tcp') ); // } }); IP come to us in the form of address.port, for example 192.168.1.1.443, we parse into the address and port:
function parseLine(line, proto) { let parts = line.split(' '); // let dstAddrParts = parseIP(parts[ 4 ]); // , let srcAddrParts = parseIP(parts[ 2 ]); // return { addr: srcAddrParts.addr, port: dstAddrParts.port, proto: proto, req_time: parseInt(new Date() / 1000), }; } function parseIP(ipStr) { let addrParts = ipStr.split('.'); // , let port = addrParts[ addrParts.length - 1 ]; // - let ipOctets = []; // for(let i=0; i<=(addrParts.length-2); i++) ipOctets.push(addrParts[ i ]); let addr = ipOctets.join('.'); if( !net.isIP(addr) ) // , , , - , null addr = null; return { addr: addr, port: parseInt(port) }; } Save the result to the database:
function saveLog(info) { if( excludePorts.indexOf(info.port) > -1 ) // - return; if( excludeAddrs.indexOf(info.addr) > -1 ) // - return; for(let key in info) // - - if( !info[ key ] ) { console.log('Bad info:', info); return; } let fields = []; // for(let key in info) fields.push('`' + key + '`'); let values = []; // for(let key in info) { if( typeof(info[ key ]) == 'number' ) values.push(info[ key ]); else values.push(`'` + info[ key ] + `'`); } let query = 'INSERT INTO access_logs (' + fields.join(',') + ') VALUES(' + values.join(',') + ')'; // connection.query(query); } The code for the udp listener is 100% complete, I will not repeat, the source code can be viewed on the github: github.com/hololoev/honeypot_tcpdump_logger.git
Now we need a new virtual box on which we put nginx with the “Under construction” stub and our logger. We do not send any domain to it, in every way we depict the view of the newly created server, the average webmaster. In a couple of days (from May 5 to 9) we get the results:
| Total adresses | tcp scans | udp scans | http Scans |
|---|---|---|---|
| 4324 | 38558 | 543 | 101 |
Top 5 TCP ports:
| tcp port | Scans |
|---|---|
| 445 | 2538 |
| 23 | 1515 |
| 22 | 1304 |
| 3306 | 151 |
| 3389 | 148 |
Top 5 udp ports:
| udp port | Scans |
|---|---|
| 5060 | 95 |
| 161 | 41 |
| 1900 | 32 |
| 123 | thirty |
| 137 | 23 |
Top 10 most active ip addresses:
| Address | Total scans | Location | http | tcp | udp |
|---|---|---|---|---|---|
| 40.115.124.127 | 25822 | IE / Dublin | 0 | 25822 | 0 |
| 77.72.82.101 | 861 | RU / | 0 | 861 | 0 |
| 77.72.82.22 | 760 | RU / | 0 | 760 | 0 |
| 145.239.134.1 | 550 | GB / | 0 | 550 | 0 |
| 101.128.72.140 | 282 | ID / Jakarta | 0 | 282 | 0 |
| 77.72.85.25 | 244 | RU / | 0 | 244 | 0 |
| 181.214.87.34 | 208 | US / Las Vegas | 0 | 208 | 0 |
| 5.188.11.91 | 189 | RU / Saint Petersburg | 0 | 189 | 0 |
| 128.199.141.239 | 173 | SG / Singapore | 0 | 173 | 0 |
| 5.188.11.79 | 156 | RU / Saint Petersburg | 0 | 156 | 0 |
Map with top 100 most active addresses:
Source: https://habr.com/ru/post/358214/
All Articles