I’ve recently dug into my firewall logs and the most traffic I seem to receive from internet is targeting port 3389.

While I could just blacklist the source IPs and call it a day, I would like to actually listen on this port and “trap” them in a fake RDP connection.

There are tools like endlessh, and I’ve found that you can do the same for http by sending an endless stream of headers. I would like to do the same for RDP, and before I start digging into the whole spec, I was wondering if there is already something similar for RDP.

Is anyone aware of that ? Is that even a thing ?

  • @Gooey0210@sh.itjust.works
    link
    fedilink
    51 year ago

    You’re looking for a honeypot Be careful with installing something like that with docker(or anything), docker is very unsafe

      • 520
        link
        fedilink
        11 year ago

        It’s not as safe as people expect it to be either. Container breakouts are very much a thing and not necessarily relegated to those that did something stupid in configurations

    • z3braOP
      link
      21 year ago

      Yeah that was my question. I never mentioned docker though ?

  • @pp99@sh.itjust.works
    link
    fedilink
    21 year ago

    you can use iptables tarpit target. it works on the transport layer so it should work with any application layer protocol.

    • z3braOP
      link
      11 year ago

      I didn’t know there was a tarpit target for iptables, that’s neat. Unfortunately I run OpenBSD and pf so I can’t use it, but I’ll look into how it works to see if I can replicate it in my setup. Thanks !