Port Honeypot (+Port Blocker)

This is a general honeypot module. It sets up to 100 honeypots on your server on random ports chosen from the 1 000 most popular ports, and detects deep port scans against your server (except SYN stealth scans and a few other techniques). The module also captures any traffic sent to these honeypots and replies to the requests, so when an attacker tries to exploit one of the fake services, incidents are generated. This is a very effective way to catch both direct attacks and botnet activity early.

The module does not bind to the actual ports: it binds to a port above 60 000 and uses iptables rules to forward traffic from the actual ports. This prevents a real service from being blocked from its port. If a daemon starts listening on a honeypot port, the module automatically stops using that port as a honeypot. When the module starts, it also lists all sockets in listening state and does not start honeypots on active ports, so it automatically avoids collisions with real services. If you want, you can set ports that are always used for honeypot purposes and ports that are never used as honeypots.

Port Blocking and Allowing

Starting from BitNinja 3.12.8, the PortHoneypot module includes port management capabilities that allow you to control which ports can be blocked or allowed on your server. This feature provides granular control over network access and can be used as an additional security layer.

How It Works

The port blocking/allowing functionality provides the following options:

  • Blocked Ports: Add individual ports or ranges that should be blocked
  • Allowed Ports: Add individual ports or ranges that should remain open (these take priority over blocked ports)
  • Wildcard Blocking: Use * to block all ports except those specified in allowed ports

Note: Each port or range must be added separately. For ranges, use the format from:to (e.g., 1000:2000).

Default Protected Ports

When using blocked_ports[]='*', the following ports are automatically protected and will remain open:

  • BitNinja ports: All ports used by BitNinja services
  • Essential services: 20, 21, 22, 53, 80, 443, 465, 587, 993, 995 (opened by default)
  • Custom allowed ports: Any ports specified in the allowed_ports[]
Note: The ports 20, 21, 22, 53, 80, 443, 465, 587, 993, 995 are opened by default and will always remain accessible even when using blocked_ports[]='*'. These ports are considered essential for basic server functionality and cannot be blocked through the port management system.
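The precedence rules above (essential ports always open, allowed_ports[] overriding blocked_ports[], '*' as a wildcard, 'from:to' ranges) can be checked offline with the following resolver. This is an added example, not BitNinja's own code; the sample config is constructed, and because the page does not enumerate BitNinja's own service ports, that set is left as a placeholder.

```python
import re

# Ports the page says stay open under blocked_ports[]='*'.
ESSENTIAL_PORTS = {20, 21, 22, 53, 80, 443, 465, 587, 993, 995}
# Placeholder: BitNinja's own service ports (not enumerated on the page) also stay open.
BITNINJA_PORTS: set[int] = set()

# Constructed sample [portblocker] section in the config.ini format shown on this page.
SAMPLE_CONFIG = """
[portblocker]
blocked_ports[]='*'
allowed_ports[]=8888
allowed_ports[]=4444
allowed_ports[]='2222:2250'
"""

def parse_portblocker(text: str) -> tuple[set[int], bool, set[int]]:
    """Return (blocked, block_all, allowed); values are a port, a 'from:to' range or '*'."""
    blocked, allowed, block_all, in_section = set(), set(), False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank or comment line
            continue
        if line.startswith("["):                   # section header
            in_section = line == "[portblocker]"
            continue
        if not in_section:
            continue
        m = re.fullmatch(r"(blocked|allowed)_ports\[\]\s*=\s*'?([^']*)'?", line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        kind, value = m.group(1), m.group(2).strip()
        if value == "*":
            if kind != "blocked":
                raise ValueError("'*' is only valid in blocked_ports[]")
            block_all = True
            continue
        lo, _, hi = value.partition(":")           # 'from:to' range or single port
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec: {value}")
        (blocked if kind == "blocked" else allowed).update(range(lo_i, hi_i + 1))
    return blocked, block_all, allowed

def is_port_open(port: int, blocked: set[int], block_all: bool, allowed: set[int]) -> bool:
    """Documented precedence: essential/BitNinja ports, then allowed_ports[], then blocked/'*'."""
    if port in ESSENTIAL_PORTS or port in BITNINJA_PORTS or port in allowed:
        return True
    return not (block_all or port in blocked)
```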

Tip: If you have cPanel or Plesk installed on your server, the module will automatically detect that and add the ports used by these services to the exclude list. Port Honeypot won't try to start a honeypot on these ports.

For some protocols we have implemented chat scripts. Chat scripts are used to fake services even more realistically. For example, in the case of the telnet protocol (an old protocol that usually listens on port 23), if you open the honeypot created by BitNinja, you will see a prompt and a default message like this:

This is an unrestricted telnet server. Please do not use for production purposes

The attacker will think that this is an open telnet session on the server and will probably try to download malware and carry out other malicious activities. All of this information is collected by BitNinja and sent to the BitNinja center, and the offending IP is challenge-listed. Challenge-listed IPs can still connect to honeypots, but all other real services are blocked for them (except the Captcha services).

We keep improving the chat scripts for the different protocols so we can get more information from the attackers and use this information to further tweak the BitNinja protection system. Currently, we have chat scripts for these protocols:

  • FTP (21)
  • telnet (23)
  • SMTP (25)
  • POP3 (110)
  • IMAP (143)

The chat scripts are stored in /opt/bitninja/modules/PortHoneypot/lib/ChatScriptFactory.php. Do you feel like you could contribute by implementing further protocols? Feel free to send us your chat script file so we can include it in the next BitNinja version. For ports without a dedicated chat script, the system chooses one at random, so don't be surprised if you find FTP-, telnet-, SMTP-, IMAP- and POP3-like services everywhere on your server. They are not real services, just honeypots :-)

Limitation

If the net.ipv4.ip_forward sysctl on the server is set to 1, the PortHoneypot module will not start.

This is common on servers that run Docker containers or act as a proxy. We disable the module because we cannot know how the port mapping is set up; this prevents problems that would arise if PortHoneypot started on a port intended for forwarding and interrupted that communication.

Note: Unfortunately, at this time, it is not possible to manually disable this behaviour and there are no known workarounds.

Configuration

Here is how to set up the list of ports to be used as honeypots and the list of ports you never want to be used for honeypot purposes.

Config file location: /etc/bitninja/PortHoneypot/config.ini

;
; List of ports that can be blocked or allowed. Each port or port range must be added on its own line, as shown below.
; Port ranges are written as 'from:to'.
; You can also block all ports by setting an asterisk (*).
;
[portblocker]
blocked_ports[]='*'

allowed_ports[]=8888
allowed_ports[]=4444
allowed_ports[]='2222:2250'

;
; List of ports that will always be honeypotted
;
[ports_always_use]
ports[]=21
ports[]=23
ports[]=53

;
; List of ports the module will never use for honeypot purposes
;
[ports_never_use]
ports[]=80
ports[]=25
ports[]=22
;
; Starting port for PortHoneypot.
; If you experience FTP issues when using PortHoneypot, it may be because FTP is trying
; to open a data connection on one of the ports PortHoneypot is using.
; To solve this, restart the FTP service so it recognises the ports in use, or set the
; FTP passive port range and the PortHoneypot startport so they do not overlap.
;
[startport]
startport=60500
;
; You can control how many additional random honeypot ports should be started. Default value is 100.
;
[random_mines]
random_mines=100
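As an added illustration (not BitNinja's code) of the collision-avoidance rules described at the top of this page together with the [ports_always_use], [ports_never_use], [startport] and [random_mines] settings, the following script skips ports already in LISTEN state, excludes never-use ports, forces always-use ports, draws the remaining honeypots from a popular-ports list and maps each real port to a bind port above startport. The `ss` output and the popular-ports list are constructed, and since the exact iptables rule BitNinja installs is not on the page, the REDIRECT form here is an assumption.

```python
import random

# Constructed `ss -ltn` output standing in for the server's listening sockets.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
"""
# Placeholder for "the 1 000 most popular ports" the module samples from.
POPULAR_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 3389, 5900, 8080]

def listening_ports(ss_text: str) -> set[int]:
    """Extract local TCP ports in LISTEN state from `ss -ltn`-style output."""
    ports = set()
    for line in ss_text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(int(cols[3].rsplit(":", 1)[1]))   # handles IPv4, '*' and [::] forms
    return ports

def allocate_honeypots(ss_text, always, never, startport=60500, random_mines=100, seed=0):
    """Return {real_port: bind_port}. The scanner sees real_port; the honeypot
    daemon listens on bind_port (>= startport) and iptables redirects between them.
    Active listeners always win, even over [ports_always_use] (assumed)."""
    busy = listening_ports(ss_text)
    forced = [p for p in always if p not in busy]
    pool = [p for p in POPULAR_PORTS if p not in (busy | set(never) | set(always))]
    picked = random.Random(seed).sample(pool, min(random_mines, len(pool)))
    return {real: startport + i for i, real in enumerate(forced + picked)}

def iptables_rules(mapping: dict[int, int]) -> list[str]:
    """Render one NAT redirect per honeypot (assumed rule shape, see lead-in)."""
    return [f"iptables -t nat -A PREROUTING -p tcp --dport {real} -j REDIRECT --to-ports {bind}"
            for real, bind in mapping.items()]
```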

Happy hacker hunting!