Limiting Exposure to Mass Scanners #1494
-
|
So, I went into the tpot.yml file and selected the honeypots I wanted to have active and which ports to be open to connection. However, the mass scanners out there such as nmap and online port scanners, list like 50+ ports being open on my machine, when I thought I only had 12? Has anyone found a work around for this and has an example on best practice to mitigate this unnecessary exposure to seem more legitimate? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
You can activate the Blackhole feature. |
Beta Was this translation helpful? Give feedback.
-
|
Did I miss understand the feature of Blackhole then? I read its description as it will block all known mass scanners kinda like a blacklist. I'm not trying to outright ban them, just limit them to seeing the honeypot ports and not all these ports open for the docker services that get spun up? Someone already suggested utilizing iptables and specifying specific network rules. |
Beta Was this translation helpful? Give feedback.
-
|
Then you need to disable |
Beta Was this translation helpful? Give feedback.
-
|
Thank you sir, I didn't think to try Honeytrap as it didn't have a specific port labeled in the tpot.yml. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the feedback, great to hear it works 😃 |
Beta Was this translation helpful? Give feedback.
Then you need to disable
honeytrap.