Recipe 3-1: Adding Honeypot Ports
This recipe shows you how to add extra listening ports to your web server configuration and alert on any client that sends requests to them.
Ingredients
- Apache Listen directive
Instead of deploying an entirely new honeypot system, we can reuse the existing, legitimate web server platform. We implement the honeytrap by adding network ports that accept HTTP request traffic. These ports serve no legitimate purpose and are never referenced by any link, redirect or DNS record we publish, so any traffic they receive is suspect by definition. Two practical points follow from that: the host firewall (and any upstream filtering) must allow inbound connections to the extra ports, or probes never reach the web server; and the extra ports should not serve the production content, or an attacker learns nothing different from them than from port 80. This recipe shows you how to enable these honeytrap ports using the Apache web server; the same approach works with any other web server software that can listen on multiple ports.
Apache Listen Directive
The Apache Listen directive defines the port(s), or IP address and port combinations, on which the server accepts incoming requests. By default, the httpd.conf file contains a single Listen directive that binds the standard HTTP port 80:
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
For our honeytrap port implementation, we add Listen ports to catch automated attack probes that scan our IP address space looking for web services. Scanners routinely try the well-known alternative HTTP ports as well as port 80. There are three other common alternative HTTP ports:
- 8000
- 8080
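The following shell script is an added example, not code from the book. It generates an Apache 2.4 configuration fragment for the honeytrap ports the recipe names (8000 and 8080), giving each port its own Listen line and a catch-all VirtualHost that logs to a separate file with the local port recorded, and then scans a log in that format to raise an alert for every request that arrived on a honeytrap port. The paths (/etc/apache2 style layout, /var/www/honeytrap, /var/log/apache2) and the log lines used as input are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the book). Assumes Apache 2.4; the directory layout
# and the sample log lines below are constructed for illustration.

# Honeytrap ports named in the recipe. Port 80 stays the legitimate listener.
HONEYTRAP_PORTS="8000 8080"

# write_honeytrap_conf FILE
# Emit a Listen line per honeytrap port plus a catch-all VirtualHost for each
# port. The "honeytrap" LogFormat records the local port (%{local}p) and the
# hits go to their own log, never mixed into the production access log.
write_honeytrap_conf() {
    out="$1"
    : > "$out"
    for port in $HONEYTRAP_PORTS; do
        printf 'Listen %s\n' "$port" >> "$out"
    done
    cat >> "$out" <<'EOF'

# Fields: client IP, local port, "request line", status, "User-Agent"
LogFormat "%h %{local}p \"%r\" %>s \"%{User-Agent}i\"" honeytrap
EOF
    for port in $HONEYTRAP_PORTS; do
        cat >> "$out" <<EOF

<VirtualHost *:$port>
    # Serve an empty directory: nothing of value, every request is suspect.
    DocumentRoot /var/www/honeytrap
    CustomLog /var/log/apache2/honeytrap_access.log honeytrap
    ErrorLog  /var/log/apache2/honeytrap_error.log
</VirtualHost>
EOF
    done
}

# alert_on_honeytrap_hits LOGFILE
# Print one ALERT line per request whose local port (field 2 of the
# "honeytrap" format) is a honeytrap port. Lines from other ports are ignored,
# so the same LogFormat can safely be used on the production vhost too.
alert_on_honeytrap_hits() {
    awk -v ports="$HONEYTRAP_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) trap[p[i]] = 1 }
        ($2 in trap) { printf "ALERT honeytrap port=%s client=%s line=%s\n", $2, $1, $0 }
    ' "$1"
}

# count_honeytrap_hits LOGFILE  ->  number of honeytrap requests in the log
count_honeytrap_hits() {
    alert_on_honeytrap_hits "$1" | wc -l | tr -d ' '
}

# --- demo on constructed input (not real traffic) --------------------------
CONF_FILE=$(mktemp)
write_honeytrap_conf "$CONF_FILE"

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 8080 "GET / HTTP/1.1" 404 "Mozilla/5.0 (compatible; scanner)"
198.51.100.9 80 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.7 8000 "GET /manager/html HTTP/1.1" 404 "python-requests/2.31"
EOF

echo "--- generated configuration ($CONF_FILE) ---"
cat "$CONF_FILE"
echo "--- alerts ---"
alert_on_honeytrap_hits "$SAMPLE_LOG"
echo "honeytrap hits: $(count_honeytrap_hits "$SAMPLE_LOG")"
```

Drop the generated file where your Apache build includes extra configuration (for example /etc/apache2/conf-enabled/ on Debian-derived systems, or an Include line in httpd.conf), run apachectl configtest, and reload. The alert output is meant to be tailed into whatever your SIEM or alerting pipeline consumes; because the honeytrap vhosts serve an empty directory, every line in honeytrap_access.log is already an indicator, and the port filter only matters if you reuse the LogFormat elsewhere.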