Implementing a honeypot on Cisco routers
I got the idea to make some kind of fail2ban package on the Cisco router using only the router's own tools.
It works like this. In the access list attached to the interface of the border Internet router, trap rules are created. When a rule is triggered, an event is written to the log. Each line of such an event contains a special label to make it easier to select. The log is analyzed, and all trapped IP addresses are entered into a special object group. This group can be used in the same access list to block access to attackers already to all IP addresses and ports of our network.
To understand this article, you need to know what access lists are and what they are for, as well as how to use object groups in access lists.
Access list traps
For example, we will write a rule for the incoming access list, under which all attempts to get from the Internet to the telnet port of our devices fall. Please note that at the end of the rule, a unique label “HONEYPOT001” is affixed. According to it, then we will look for triggers in the log.
ip access-list extended acl-WAN-In … deny tcp any any eq telnet log HONEYPOT001 …
It is important to choose the right criteria for traps.
Attempts to connect from the outside on port 23 (telnet) are perhaps the most common. In this case, the object group will be instantly filled with the IP addresses of bots from all over the Internet, and the memory allocated for access lists will simply end.
You can catch attempts to connect to your equipment on port 22 (ssh). They are an order of magnitude smaller than telnet. You can catch attempts to access any one of your device.
A large number of bots climbs on port 7547, trying to connect using the CPE WAN Management protocol.
Another option would be to catch attempts to use the Smart Install Client, enabled on port 4786.
You can also make a trap on port 80 by selecting an IP address where you do not have a web server. The main thing is that search engine robots should not fall into it.
Here is an example of a trap on an IP address [192.0.2.10].
ip access-list extended acl-WAN-In … deny tcp any host 192.0.2.10 eq www log HONEYPOT002 …
Logging on the router, of course, must be enabled beforehand, then something like this gets into the log:
225435: Jan 11 08:57:13.838: %SEC-6-IPACCESSLOGP: list acl-WAN-In denied tcp 22.214.171.124(59472) -> 192.0.2.9(23), 1 packet [HONEYPOT001]
We see that from an external IP address [126.96.36.199] an attempt was made to contact the 23rd port of our IP address [192.0.2.9]. The label "HONEYPOT001" in the line is also present. By the way, [188.8.131.52] is a real attacker caught while writing an article.
To analyze the log, we will use Embedded Event Manager (EEM) - a tool for automating tasks and customizing software behavior built into Cisco IOS.
In the router's configuration mode, create an applet that analyzes the log and, while in the log line of the “HONEYPOT001” tag, cuts the attacker's IP address and adds this address to the BlackList object group.
event manager applet honeypot event syslog occurs 1 pattern "HONEYPOT001" action 100 regexp "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "$_syslog_msg" result IP_address action 200 if $_regexp_result eq "1" action 210 cli command "enable" action 220 cli command "conf t" action 230 cli command "object-group network hosts-BlackList" action 240 cli command "h $IP_address" action 250 cli command "end" action 260 syslog msg "IP address $IP_address added to blacklist" action 270 end action 300 cli command "exit"
- when the next line with the label “HONEYPOT001” occurs in the log, an event occurs;
- in the event handler itself, from the log line using the pattern “([0-9] + \. [0-9] + \. [0-9] + \. [0-9] +)”, the attacker's IP address is cut out and assigned to IP_address variable (action 100);
- if the address is successfully cut out, and no problems with parsing the string happened (action 200), then console commands are executed that add the IP address to the object group (action 210 - 250);
- a trap is written to the log (action 260).
The first thing that comes to mind is to use the object group to completely block intruders to all resources of our network.
The blocking rule must be in the access list above the rule with a trap so that the banned IP address does not fall into the trap again and again.
ip access-list extended acl-WAN-In … deny ip object-group hosts-BlackList any … deny tcp any any eq telnet log HONEYPOT001 …
Sooner or later, the object group will exceed all permissible sizes, so you will have to do an amnesty by cleaning out old IP addresses from it. To do this, we write an applet that will do this, for example, once a week at midnight on Sunday.
On the way of writing, we will meet two pitfalls.
You cannot delete an object group that is used in the access list. Therefore, you first need to find out the row number of the access list in which the group is used. In our example, this is line 60. We will use this number to remove the line with the group from the access list, and then return it back to its original place.
Cannot create an empty object group. Therefore, immediately when creating a group, we will add an IP address to it [255.255.255.255]. This address is never forwarded by routers that connect the local network to other networks, so we do not expect connections from it.
event manager applet DeleteBlackList event timer cron name timer-cron1 cron-entry "@weekly" action 100 cli command "enable" action 200 cli command "conf t" action 210 cli command "ip access-list ext acl-WAN-In" action 215 cli command "no 60" action 220 cli command "exit" action 225 cli command "no object-group net hosts-BlackList" action 230 cli command "object-group net hosts-BlackList " action 240 cli command "host 255.255.255.255" action 245 cli command "exit" action 250 cli command "ip access-list ext acl-WAN-In" action 255 cli command "60 deny ip object-group hosts-BlackList any" action 260 cli command "exit" action 265 cli command "end" action 300 syslog msg "Completed" action 400 cli command "exit"
- remove from the access list the rule with the object group. (action 210 - 220);
- delete the group itself (action 225);
- create an object group again, and insert the broadcast IP address into it. (action 230 - 245);
- We return to the access list the rule for the old place. (action 250 - 260).
What to do if tags in the access list are not supported
Many IOSs, despite the fact that the “ACL Syslog Correlation” function is stated in them, do not allow to mark the lines of access lists with labels.
In this case, you can use the so-called generated hash values. (device-generated hash value) to be added to log message lines.
If IOS-does not support both options, then it is necessary to complicate analysis a little.
We modify the rule with a trap in the access list. Instead of “log” we will use “log-input”.
ip access-list extended acl-WAN-In … deny tcp any any eq telnet log-input …
In this case, the log will additionally receive information about the name of the physical interface and, possibly, about the MAC address of the router-neighbor that sent the packet.
For example, the following message appears in the log:
Jan 11 00:20:23 172.25.100.43 2394768: Jan 10 20:20:22.808: %FMANFP-6-IPACCESSLOGP: SIP1: fman_fp_image: list acl-WAN-In denied tcp 184.108.40.206(7537) Port-channel1.88-> 192.0.2.9(23), 1 packet
Then the rule for activating an event will look like this:
event syslog occurs 1 pattern "Port-channel1\.88-> 192\.0\.2\."
What to read
Pro unique identification of the rules that generated the message in the log:
ACL Syslog Correlation
About the Embedded Event Manager:
Embedded Event Manager Configuration Guide