{"id":8507,"date":"2025-07-26T19:20:30","date_gmt":"2025-07-26T17:20:30","guid":{"rendered":"https:\/\/tech.lobobrothers.com\/?p=8507"},"modified":"2025-07-26T19:26:44","modified_gmt":"2025-07-26T17:26:44","slug":"smart-honeypot-that-returns-attacks-to-the-attacker","status":"publish","type":"post","link":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/","title":{"rendered":"Smart Honeypot that Returns Attacks to the Attacker"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"8507\" class=\"elementor elementor-8507 elementor-8408\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-229c01e e-flex e-con-boxed e-con e-parent\" data-id=\"229c01e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2b7fc2b elementor-widget elementor-widget-text-editor\" data-id=\"2b7fc2b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 data-start=\"78\" data-end=\"328\"><strong data-start=\"78\" data-end=\"110\">The Attacker\u2019s Infinite Loop<\/strong><\/h2>\n<p><\/p>\n<p data-start=\"78\" data-end=\"328\">In this guide, I will teach you how to deploy a honeypot that not only simulates services running on certain ports but also applies dynamic rules so that any attacker who connects\u2026 ends up attacking themselves haha.<\/p>\n<p><\/p>\n<p data-start=\"330\" data-end=\"423\">Ideal to entertain yourself while exhausting the patience and resources of the attacking bot.<\/p>\n<p><\/p>\n<p data-start=\"330\" data-end=\"423\">\n<h2 data-start=\"425\" data-end=\"590\"><strong data-start=\"425\" data-end=\"445\">What do we need?<\/strong><\/h2>\n<p><\/p>\n<p data-start=\"425\" data-end=\"590\">Very little, just a Linux system\u2014in our case, 
Debian 12\u2014with iptables installed so our honeypot works, plus tcpdump to actually see it in action.<\/p>\n<div class=\"contain-inline-size rounded-2xl relative bg-token-sidebar-surface-primary\">\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\">\n<p style=\"padding-left: 40px;\">sudo apt install -y iptables tcpdump<\/p>\n<\/div>\n<p><\/div>\n<p><\/p>\n<p data-start=\"642\" data-end=\"963\">Once we have what we need, for the system to redirect incoming connections to another IP (in this case, back to the attacker themselves), we have to enable IP forwarding. The code provided later already does this when executed, but if you want to remove it from the script, you\u2019ll have to enable it permanently like this:<\/p>\n<div class=\"contain-inline-size rounded-2xl relative bg-token-sidebar-surface-primary\">\n<div class=\"overflow-y-auto p-4\" dir=\"ltr\" style=\"padding-left: 40px;\">echo \"net.ipv4.ip_forward = 1\" | sudo tee -a \/etc\/sysctl.conf<br \/>\nsudo sysctl -p<\/div>\n<p><\/p>\n<div dir=\"ltr\"><\/div>\n<p><\/div>\n<p><\/p>\n<h2 data-start=\"1055\" data-end=\"1483\"><strong data-start=\"1055\" data-end=\"1076\">How does it work?<\/strong><\/h2>\n<p><\/p>\n<p data-start=\"1055\" data-end=\"1483\">It\u2019s simple. We\u2019ll launch fake services on all the ports we want and be even more annoying: on the first connection, we\u2019ll show a banner very slowly. When the banner finishes displaying, the script creates two iptables rules: a DNAT rule that redirects all future traffic from that attacker to that port back to themselves, and a MASQUERADE rule so the attacker\u2019s system doesn\u2019t discard the traffic for not recognizing the source.<\/p>\n<p><\/p>\n<p data-start=\"1485\" data-end=\"1600\">Now all that\u2019s left is to create our honey. 
Create the file \/opt\/honeypot\/honeypot.py with the following content:<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8f3ff5a elementor-widget elementor-widget-code-highlight\" data-id=\"8f3ff5a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-python line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-python\">\n\t\t\t\t\t<xmp>import socket\nimport threading\nimport time\nimport subprocess\nimport logging\nimport uuid\nimport sys\nfrom logging.handlers import RotatingFileHandler\nimport gzip\nimport os\n\nHONEYPOT_PORTS = [21, 23, 80, 443, 2222, 3306, 3389, 4000, 8080, 8443, 10000]\nBANNER = \"Welcome \\nUnauthorized access is prohibited\\n\"\nCHAR_DELAY = 0.3  # Seconds per character for banner delay\n\nclass CompressedRotatingFileHandler(RotatingFileHandler):\n    def doRollover(self):\n        super().doRollover()\n        if self.backupCount > 0:\n            old_log = f\"{self.baseFilename}.1\"\n            if os.path.exists(old_log):\n                with open(old_log, 'rb') as f_in, gzip.open(old_log + '.gz', 'wb') as f_out:\n                    f_out.writelines(f_in)\n                os.remove(old_log)\n\nlogger = logging.getLogger()\nlogger.setLevel(logging.INFO)\n\nformatter = logging.Formatter('%(asctime)s [%(levelname)s] %(message)s')\n\nfile_handler = CompressedRotatingFileHandler(\n    '\/var\/log\/honeypot.log', maxBytes=1_000_000_000, backupCount=5)\nfile_handler.setFormatter(formatter)\nlogger.addHandler(file_handler)\n\nconsole_handler = logging.StreamHandler(sys.stdout)\nconsole_handler.setFormatter(formatter)\nlogger.addHandler(console_handler)\n\n\ndef create_firewall_rules(attacker_ip, local_port):\n    dnat_cmd = [\n        \"iptables\", \"-t\", 
\"nat\", \"-A\", \"PREROUTING\",\n        \"-s\", attacker_ip, \"-p\", \"tcp\", \"--dport\", str(local_port),\n        \"-j\", \"DNAT\", \"--to-destination\", f\"{attacker_ip}:{local_port}\"\n    ]\n\n    masq_cmd = [\n        \"iptables\", \"-t\", \"nat\", \"-A\", \"POSTROUTING\",\n        \"-p\", \"tcp\", \"-d\", attacker_ip, \"--dport\", str(local_port),\n        \"-j\", \"MASQUERADE\"\n    ]\n\n    logger.info(f\"Applying DNAT rule: {attacker_ip}:{local_port} -> {attacker_ip}:{local_port}\")\n    subprocess.call(dnat_cmd)\n\n    logger.info(f\"Applying MASQUERADE rule for {attacker_ip}:{local_port}\")\n    subprocess.call(masq_cmd)\n\n\ndef send_slow_banner(conn):\n    try:\n        for char in BANNER:\n            conn.send(char.encode())\n            time.sleep(CHAR_DELAY)\n    except Exception as e:\n        logger.error(f\"Error sending banner: {e}\")\n\n\ndef handle_connection(conn, addr, port):\n    ip, src_port = addr\n    session_id = uuid.uuid4()\n    logger.info(f\"Session {session_id} started from {ip}:{src_port} on port {port}\")\n\n    send_slow_banner(conn)\n    create_firewall_rules(ip, port)\n\n    try:\n        while True:\n            data = conn.recv(1024)\n            if not data:\n                break\n            data_str = data.decode(errors='ignore').strip()\n            logger.info(f\"Session {session_id} received data: {data_str}\")\n            conn.send(b\"Access denied\\n\")\n    except Exception as e:\n        logger.error(f\"Session {session_id} error with {ip}:{src_port} - {e}\")\n    finally:\n        conn.close()\n        logger.info(f\"Session {session_id} closed with {ip}:{src_port}\")\n\n\ndef listener(port):\n    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n    sock.bind(('0.0.0.0', port))\n    sock.listen(5)\n    logger.info(f\"Honeypot listening on port {port}\")\n\n    while True:\n        conn, addr = sock.accept()\n        thread = 
threading.Thread(target=handle_connection, args=(conn, addr, port))\n        thread.daemon = True\n        thread.start()\n\n\ndef enable_ip_forwarding():\n    try:\n        subprocess.call([\"sysctl\", \"-w\", \"net.ipv4.ip_forward=1\"])\n\n        with open(\"\/etc\/sysctl.conf\", \"r\") as sysctl_file:\n            lines = sysctl_file.readlines()\n\n        forwarding_line = \"net.ipv4.ip_forward = 1\\n\"\n        if forwarding_line not in lines:\n            with open(\"\/etc\/sysctl.conf\", \"a\") as sysctl_file:\n                sysctl_file.write(\"\\n\" + forwarding_line)\n\n        subprocess.call([\"sysctl\", \"-p\"])\n        logger.info(\"IP forwarding enabled\")\n    except Exception as e:\n        logger.error(f\"Error enabling IP forwarding: {e}\")\n\n\ndef main():\n    logger.info(\"Infinite honeypot starting...\")\n    enable_ip_forwarding()\n\n    for port in HONEYPOT_PORTS:\n        thread = threading.Thread(target=listener, args=(port,))\n        thread.daemon = True\n        thread.start()\n\n    try:\n        while True:\n            time.sleep(10)\n    except KeyboardInterrupt:\n        logger.info(\"Honeypot terminated\")\n\n\nif __name__ == '__main__':\n    main()<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-278b742 elementor-widget elementor-widget-text-editor\" data-id=\"278b742\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"118\" data-end=\"345\">As you can see in the code, we simply put the fake ports we want in <strong data-start=\"193\" data-end=\"208\">HONEYPOT_PORTS<\/strong>, customize the banner as we like, and set <strong data-start=\"252\" data-end=\"266\">CHAR_DELAY<\/strong> \u2014 the higher it is, the slower the characters display on the first connection.<\/p>\n<p><\/p>\n<p 
data-start=\"347\" data-end=\"458\">Now we run it. There are two options: run it manually, which is ideal the first time to see how it works, with:<\/p>\n<p><\/p>\n<p style=\"padding-left: 40px;\" data-start=\"460\" data-end=\"498\">sudo python3 \/opt\/honeypot\/honeypot.py<\/p>\n<p><\/p>\n<p data-start=\"500\" data-end=\"539\">And then we can create it as a service:<\/p>\n<p><\/p>\n<p style=\"padding-left: 40px;\" data-start=\"541\" data-end=\"592\">sudo nano \/etc\/systemd\/system\/honeypot-loop.service<\/p>\n<p><\/p>\n<p data-start=\"594\" data-end=\"604\">And paste:<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bf83f20 elementor-widget elementor-widget-code-highlight\" data-id=\"bf83f20\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"prismjs-okaidia copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-bash line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-bash\">\n\t\t\t\t\t<xmp>[Unit]\nDescription=Infinite Attacker Loop Honeypot\nAfter=network.target\n\n[Service]\nExecStart=\/usr\/bin\/python3 \/opt\/honeypot\/honeypot.py\nRestart=always\nUser=root\n\n[Install]\nWantedBy=multi-user.target\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-36a9f9b elementor-widget elementor-widget-text-editor\" data-id=\"36a9f9b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"75\" data-end=\"103\">We enable and start it with:<\/p>\n<p><\/p>\n<p data-start=\"105\" data-end=\"257\">sudo systemctl daemon-reexec<br data-start=\"133\" data-end=\"136\" \/>sudo systemctl daemon-reload<br data-start=\"164\" data-end=\"167\" 
\/>sudo systemctl enable honeypot-loop.service<br data-start=\"210\" data-end=\"213\" \/>sudo systemctl start honeypot-loop.service<\/p>\n<p><\/p>\n<p data-start=\"259\" data-end=\"300\">With this, our honey loop would be ready.<\/p>\n<h2 data-start=\"307\" data-end=\"611\"><strong data-start=\"307\" data-end=\"329\">How can I test it?<\/strong><\/h2>\n<p><\/p>\n<p data-start=\"307\" data-end=\"611\">The easiest way is to telnet to a port that is set in the script and that our attacking machine also listens on, so we can see how, once the first connection is made and the banner finishes displaying, later connections take us back to our own machine. We will do the test in the lab with port 4000.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8459 size-full\" src=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot.png\" alt=\"start honeypot\" width=\"602\" height=\"293\" srcset=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot.png 602w, https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-300x146.png 300w\" sizes=\"(max-width: 602px) 100vw, 602px\" \/><\/p>\n<p>From our attacking machine we launch the first telnet to port 4000:<\/p>\n<p style=\"padding-left: 40px;\">telnet 192.168.1.148 4000<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8461 size-full\" src=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/telnet-4000.png\" alt=\"telnet port 4000\" width=\"395\" height=\"90\" srcset=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/telnet-4000.png 395w, https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/telnet-4000-300x68.png 300w\" sizes=\"(max-width: 395px) 100vw, 395px\" \/><\/p>\n<p>Now if we launch a second telnet it will not show us the banner, because it will actually connect to the attacker&#8217;s machine, which also has port 4000 open:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8481 size-full\" 
src=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/telnet-4000-redirigido-2.png\" alt=\"redirected telnet\" width=\"530\" height=\"75\" srcset=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/telnet-4000-redirigido-2.png 530w, https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/telnet-4000-redirigido-2-300x42.png 300w\" sizes=\"(max-width: 530px) 100vw, 530px\" \/><\/p>\n<p>On the honeypot we can also see, using tcpdump with this command:<\/p>\n<p style=\"padding-left: 40px;\">sudo tcpdump -n host 192.168.1.139 and port 4000<\/p>\n<p>how the connection is redirected to the attacker&#8217;s IP:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8465 size-full\" src=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/comprobacion-tcpdump.png\" alt=\"checking the redirection with tcpdump\" width=\"1607\" height=\"150\" srcset=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/comprobacion-tcpdump.png 1607w, https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/comprobacion-tcpdump-300x28.png 300w, https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/comprobacion-tcpdump-1024x96.png 1024w, https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/comprobacion-tcpdump-768x72.png 768w, https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/comprobacion-tcpdump-1536x143.png 1536w\" sizes=\"(max-width: 1607px) 100vw, 1607px\" \/><\/p>\n<p>You can find the logs in \/var\/log\/honeypot.log<\/p>\n<p>If you want to delete the iptables rules to run tests from scratch, just run the following, which flushes every rule in the nat table, not only the ones the honeypot added:<\/p>\n<p style=\"padding-left: 40px;\">sudo iptables -t nat -F<\/p>\n<p>Keep in mind that this was done on a LAN, where it can be very entertaining for confusing the cybersecurity auditor who comes to your company, and you can even set a banner for each port that looks like the real service&#8217;s. 
If you expose it to the internet and the machine has a direct public IP, you won&#8217;t have to do anything except expose only the fake ports you want and, if you like, set the default iptables policies for INPUT and FORWARD to DROP and add a basic anti-DoS rule:<\/p>\n<p style=\"padding-left: 40px;\">iptables -P INPUT DROP<br \/>\niptables -P FORWARD DROP<br \/>\niptables -P OUTPUT ACCEPT<\/p>\n<p><\/p>\n<p style=\"padding-left: 40px;\">iptables -A INPUT -p tcp --dport Number_Port -m connlimit --connlimit-above 5 -j REJECT<\/p>\n<p>But that&#8217;s a matter of taste. If you put it behind a firewall, as usual, you&#8217;ll have to redirect ports and, in some cases, configure iptables to preserve headers.<\/p>\n<p>That&#8217;s all, have a nice weekend.<\/p>\n<p>TL.<\/p>\n<p>Thanks for reading our posts.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2f4d424 elementor-widget elementor-widget-heading\" data-id=\"2f4d424\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">FAQs<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-20b9684 elementor-widget elementor-widget-toggle\" data-id=\"20b9684\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"toggle.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle\">\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-3431\" class=\"elementor-tab-title\" data-tab=\"1\" role=\"button\" aria-controls=\"elementor-tab-content-3431\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><svg 
class=\"e-font-icon-svg e-fas-caret-right\" viewBox=\"0 0 192 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M0 384.662V127.338c0-17.818 21.543-26.741 34.142-14.142l128.662 128.662c7.81 7.81 7.81 20.474 0 28.284L34.142 398.804C21.543 411.404 0 402.48 0 384.662z\"><\/path><\/svg><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">What is a honeypot for, or what does it actually do?<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-3431\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"1\" role=\"region\" aria-labelledby=\"elementor-tab-title-3431\"><p>A honeypot is like a bait you set up to entice hackers to break into your system instead of your real system. This way, you can see what they&#8217;re trying to do, how they attack, and learn how to better protect yourself.<\/p>\n<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-3432\" class=\"elementor-tab-title\" data-tab=\"2\" role=\"button\" aria-controls=\"elementor-tab-content-3432\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><svg class=\"e-font-icon-svg e-fas-caret-right\" viewBox=\"0 0 192 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M0 384.662V127.338c0-17.818 21.543-26.741 34.142-14.142l128.662 128.662c7.81 7.81 7.81 20.474 0 28.284L34.142 398.804C21.543 411.404 0 402.48 0 384.662z\"><\/path><\/svg><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Is it safe to run this honeypot on a machine with a public 
IP?<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-3432\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"2\" role=\"region\" aria-labelledby=\"elementor-tab-title-3432\"><p>Yes, as long as you only expose the honeypot ports and keep everything else closed. The honeypot doesn&#8217;t provide real access to the system and simply simulates services, but it&#8217;s recommended to use it in controlled environments and monitor traffic to avoid risks.<\/p>\n<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-toggle-item\">\n\t\t\t\t\t<div id=\"elementor-tab-title-3433\" class=\"elementor-tab-title\" data-tab=\"3\" role=\"button\" aria-controls=\"elementor-tab-content-3433\" aria-expanded=\"false\">\n\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon elementor-toggle-icon-left\" aria-hidden=\"true\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-closed\"><svg class=\"e-font-icon-svg e-fas-caret-right\" viewBox=\"0 0 192 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M0 384.662V127.338c0-17.818 21.543-26.741 34.142-14.142l128.662 128.662c7.81 7.81 7.81 20.474 0 28.284L34.142 398.804C21.543 411.404 0 402.48 0 384.662z\"><\/path><\/svg><\/span>\n\t\t\t\t\t\t\t\t<span class=\"elementor-toggle-icon-opened\"><\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-toggle-title\" tabindex=\"0\">Is setting up a honeypot inviting hacking? Isn't it dangerous?<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t<div id=\"elementor-tab-content-3433\" class=\"elementor-tab-content elementor-clearfix\" data-tab=\"3\" role=\"region\" aria-labelledby=\"elementor-tab-title-3433\"><p>Don&#8217;t worry, it&#8217;s designed to catch and study attackers without them being able to harm what you truly care about. 
It&#8217;s like a safe trap you can use to spy on the &#8220;bad guys&#8221; and learn how to protect yourself.<\/p>\n<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t<script type=\"application\/ld+json\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@type\":\"FAQPage\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"What is a honeypot for, or what does it actually do?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<p>A honeypot is like a bait you set up to entice hackers to break into your system instead of your real system. This way, you can see what they&#8217;re trying to do, how they attack, and learn how to better protect yourself.<\\\/p>\\n\"}},{\"@type\":\"Question\",\"name\":\"Is it safe to run this honeypot on a machine with a public IP?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<p>Yes, as long as you only expose the honeypot ports and keep everything else closed. The honeypot doesn&#8217;t provide real access to the system and simply simulates services, but it&#8217;s recommended to use it in controlled environments and monitor traffic to avoid risks.<\\\/p>\\n\"}},{\"@type\":\"Question\",\"name\":\"Is setting up a honeypot inviting hacking? Isn't it dangerous?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"<p>Don&#8217;t worry, it&#8217;s designed to catch and study attackers without them being able to harm what you truly care about. It&#8217;s like a safe trap you can use to spy on the &#8220;bad guys&#8221; and learn how to protect yourself.<\\\/p>\\n\"}}]}<\/script>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>The Attacker\u2019s Infinite Loop In this guide, I will teach you how to deploy a honeypot that not only simulates services running on certain ports but also applies dynamic rules so that any attacker who connects\u2026 ends up attacking themselves haha. 
Ideal to entertain yourself while exhausting the patience and resources of the attacking bot. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":8506,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[49,50,51],"tags":[],"class_list":["post-8507","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux-world","category-open-source","category-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Smart Honeypot that Returns Attacks to the Attacker - LBT<\/title>\n<meta name=\"description\" content=\"Smart honeypot that catches and redirects attacks directly to the attacker, using Python\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Smart Honeypot that Returns Attacks to the Attacker - LBT\" \/>\n<meta property=\"og:description\" content=\"Smart honeypot that catches and redirects attacks directly to the attacker, using Python\" \/>\n<meta property=\"og:url\" content=\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog sobre linux y el mundo opensource\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/LoboBrothers\/\" \/>\n<meta property=\"article:published_time\" content=\"2025-07-26T17:20:30+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-26T17:26:44+00:00\" \/>\n<meta property=\"og:image\" 
content=\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente-1024x683.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"683\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/person\/7aaf3383779baf142fe9642d1f578fd4\"},\"headline\":\"Smart Honeypot that Returns Attacks to the Attacker\",\"datePublished\":\"2025-07-26T17:20:30+00:00\",\"dateModified\":\"2025-07-26T17:26:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/\"},\"wordCount\":865,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente.png.webp\",\"articleSection\":[\"Linux World\",\"Open 
Source\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/\",\"url\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/\",\"name\":\"Smart Honeypot that Returns Attacks to the Attacker - LBT\",\"isPartOf\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente.png.webp\",\"datePublished\":\"2025-07-26T17:20:30+00:00\",\"dateModified\":\"2025-07-26T17:26:44+00:00\",\"description\":\"Smart honeypot that catches and redirects attacks directly to the attacker, using Python\",\"breadcrumb\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#primaryimage\",\"url\":\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente.png.webp\",\"contentUrl\":\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente.png.webp\",\"width\":1536,\"height\":1024,\"caption\":\"humano luchando contra un bote de miel con una 
computadora\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Portada\",\"item\":\"https:\/\/tech.lobobrothers.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Smart Honeypot that Returns Attacks to the Attacker\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#website\",\"url\":\"https:\/\/tech.lobobrothers.com\/en\/\",\"name\":\"Tech LBT\",\"description\":\"Como apasionados de la tecnolog\u00eda y amantes del open source creamos este blog con art\u00edculos interesantes obre linux, cloud, open source, criptomonedas y ciberseguridad\",\"publisher\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/tech.lobobrothers.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#organization\",\"name\":\"Lobo Brothers Technology\",\"url\":\"https:\/\/tech.lobobrothers.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2019\/06\/logo_red.png\",\"contentUrl\":\"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2019\/06\/logo_red.png\",\"width\":110,\"height\":50,\"caption\":\"Lobo Brothers 
Technology\"},\"image\":{\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/LoboBrothers\/\",\"https:\/\/www.linkedin.com\/company\/lobobrothers\/about\/?viewAsMember=true\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/person\/7aaf3383779baf142fe9642d1f578fd4\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6fb2da57af6ca2f6ea62eeae0bc1bbc3?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6fb2da57af6ca2f6ea62eeae0bc1bbc3?s=96&d=mm&r=g\",\"caption\":\"admin\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Smart Honeypot that Returns Attacks to the Attacker - LBT","description":"Smart honeypot that catches and redirects attacks directly to the attacker, using Python","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/","og_locale":"en_US","og_type":"article","og_title":"Smart Honeypot that Returns Attacks to the Attacker - LBT","og_description":"Smart honeypot that catches and redirects attacks directly to the attacker, using Python","og_url":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/","og_site_name":"Blog sobre linux y el mundo 
opensource","article_publisher":"https:\/\/www.facebook.com\/LoboBrothers\/","article_published_time":"2025-07-26T17:20:30+00:00","article_modified_time":"2025-07-26T17:26:44+00:00","og_image":[{"width":1024,"height":683,"url":"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente-1024x683.png","type":"image\/png"}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#article","isPartOf":{"@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/"},"author":{"name":"admin","@id":"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/person\/7aaf3383779baf142fe9642d1f578fd4"},"headline":"Smart Honeypot that Returns Attacks to the Attacker","datePublished":"2025-07-26T17:20:30+00:00","dateModified":"2025-07-26T17:26:44+00:00","mainEntityOfPage":{"@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/"},"wordCount":865,"commentCount":0,"publisher":{"@id":"https:\/\/tech.lobobrothers.com\/en\/#organization"},"image":{"@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#primaryimage"},"thumbnailUrl":"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente.png.webp","articleSection":["Linux World","Open Source","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/","url":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/","name":"Smart Honeypot that 
Returns Attacks to the Attacker - LBT","isPartOf":{"@id":"https:\/\/tech.lobobrothers.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#primaryimage"},"image":{"@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#primaryimage"},"thumbnailUrl":"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente.png.webp","datePublished":"2025-07-26T17:20:30+00:00","dateModified":"2025-07-26T17:26:44+00:00","description":"Smart honeypot that catches and redirects attacks directly to the attacker, using Python","breadcrumb":{"@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#primaryimage","url":"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente.png.webp","contentUrl":"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2025\/07\/honeypot-inteligente.png.webp","width":1536,"height":1024,"caption":"humano luchando contra un bote de miel con una computadora"},{"@type":"BreadcrumbList","@id":"https:\/\/tech.lobobrothers.com\/en\/smart-honeypot-that-returns-attacks-to-the-attacker\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Portada","item":"https:\/\/tech.lobobrothers.com\/en\/"},{"@type":"ListItem","position":2,"name":"Smart Honeypot that Returns Attacks to the Attacker"}]},{"@type":"WebSite","@id":"https:\/\/tech.lobobrothers.com\/en\/#website","url":"https:\/\/tech.lobobrothers.com\/en\/","name":"Tech LBT","description":"Como apasionados de la tecnolog\u00eda y amantes del open source 
creamos este blog con art\u00edculos interesantes obre linux, cloud, open source, criptomonedas y ciberseguridad","publisher":{"@id":"https:\/\/tech.lobobrothers.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/tech.lobobrothers.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/tech.lobobrothers.com\/en\/#organization","name":"Lobo Brothers Technology","url":"https:\/\/tech.lobobrothers.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2019\/06\/logo_red.png","contentUrl":"https:\/\/tech.lobobrothers.com\/wp-content\/uploads\/2019\/06\/logo_red.png","width":110,"height":50,"caption":"Lobo Brothers Technology"},"image":{"@id":"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/LoboBrothers\/","https:\/\/www.linkedin.com\/company\/lobobrothers\/about\/?viewAsMember=true"]},{"@type":"Person","@id":"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/person\/7aaf3383779baf142fe9642d1f578fd4","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/tech.lobobrothers.com\/en\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6fb2da57af6ca2f6ea62eeae0bc1bbc3?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6fb2da57af6ca2f6ea62eeae0bc1bbc3?s=96&d=mm&r=g","caption":"admin"}}]}},"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/posts\/8507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/types
\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/comments?post=8507"}],"version-history":[{"count":2,"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/posts\/8507\/revisions"}],"predecessor-version":[{"id":8512,"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/posts\/8507\/revisions\/8512"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/media\/8506"}],"wp:attachment":[{"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/media?parent=8507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/categories?post=8507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.lobobrothers.com\/en\/wp-json\/wp\/v2\/tags?post=8507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}