
Poisonports v1.0 Released

posted Sep 27, 2012, 6:16 PM by Beau Bullock


I participated in a capture the flag contest this past weekend where the competitors were allowed to attack each other.  So I began to prepare my laptop to be as hardened as possible beforehand so I could focus on the flags and not worry about the attackers.  One thing I really wanted to have was a dynamic firewall that would automatically firewall off any attacking systems.  Taking the dynamic firewall idea a step further I decided to add an additional step to counterscan any attacking IPs.  I decided to call this self-defensive set of scripts "poisonports".

As of this initial release the scripts work but I have a lot of ideas/additions and there are a few kinks I still need to work out.  I feel like the CTF was a good test for poisonports.  Some issues came up with the scripts but they did the job I wanted them to do. 

Basically, poisonports sets up listeners on multiple ports.  Then, when a port has been connected to, like when an attacker is running a portscan, the script captures their IP address and adds a rule to iptables to drop all further packets from that IP.  A counterscan is then initiated against the attacking IP so you can continue to go about your flag capturing and check back later on poisonports to see that it has captured service information about your opponents.

poisonports.sh opens a terminal with multiple tabs.  Each tab is a separate "shields.sh" instance for a different port, with the main tab running "counterscan.sh".  This is where you can modify the listening ports.  By default the script sets up listeners on ports 23, 25, 445, 1433, 3306, and 8080.

shields.sh creates a netcat listener on a configurable port.  Once a connection has been made to the specified port, the connecting IP is checked against iptables to see if it has already been added.  If not, shields.sh appends the IP to IPs.txt (to be used later by the counterscan) and adds an iptables rule to drop all further connections from that IP.


counterscan.sh is a script that checks every 10 seconds whether the file IPs.txt has been created.  If so, it copies the file to IPs_working.txt and deletes IPs.txt.  For each IP address in IPs_working.txt an nmap scan is launched and the results are written to a text file in /root/Desktop/.
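The following is an added example, not the Poisonports scripts themselves, showing the shields.sh side (listen, check iptables, add the DROP rule, queue the IP) and the IPs.txt handoff that counterscan.sh consumes, written as plain sh functions so each step can be tested without root. It assumes an iptables that supports "-C" for checking whether a rule exists, a netcat-traditional "nc" whose "-v" output names the peer in square brackets, and the /root/IPs.txt and /root/IPs_working.txt paths; all three are assumptions, not details taken from the project. Two points differ from the description above on purpose: the queue is taken with a single rename rather than copy-then-delete, because an IP appended between the cp and the rm would otherwise be lost, and the peer address is validated as a dotted-quad before it is passed to iptables, so nothing but an IPv4 literal ever reaches the firewall command. Exempt any known-good host (a scoreboard checker, your own jump box) before running this, since everything that touches a listening port gets blocked.

```shell
#!/bin/sh
# Added example, not the Poisonports scripts: the shields.sh / counterscan.sh
# handoff as functions. Assumptions: iptables supports "-C" (rule check),
# "nc" is netcat-traditional (-l -p -v), and the queue paths below.
set -eu

IPT=${IPT:-iptables}                      # command used to manage rules
QUEUE=${QUEUE:-/root/IPs.txt}             # the page's IPs.txt
WORKING=${WORKING:-/root/IPs_working.txt} # the page's IPs_working.txt

# Accept only a dotted-quad IPv4 literal; nothing else reaches iptables.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Exit 0 if an INPUT DROP rule for $1 is already present.
already_blocked() {
    "$IPT" -C INPUT -s "$1" -j DROP 2>/dev/null
}

# Block $1 once. Prints "blocked" the first time, "duplicate" afterwards,
# and refuses (exit 1) anything that is not an IPv4 literal.
block_once() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid: $ip" >&2; return 1; }
    if already_blocked "$ip"; then
        echo duplicate
        return 0
    fi
    "$IPT" -I INPUT -s "$ip" -j DROP   # insert at the top so it wins over later rules
    echo "$ip" >> "$QUEUE"             # hand the IP to the follow-up stage
    echo blocked
}

# Take the queued IPs with a rename instead of copy-then-delete: an IP
# appended between the cp and the rm would be lost, a mv cannot lose it.
drain_queue() {
    [ -f "$QUEUE" ] || return 0
    mv "$QUEUE" "$WORKING"
    cat "$WORKING"
}

# One listener per port. netcat-traditional reports the peer on stderr as
# "connect to [local] from host [peer] port" (assumed format); the last
# bracketed address is the peer.
shield() {
    port=$1
    while :; do
        peer=$(nc -l -p "$port" -v 2>&1 >/dev/null \
               | grep -o '\[[0-9.]*\]' | tail -n 1 | tr -d '[]')
        [ -n "$peer" ] || continue
        outcome=$(block_once "$peer") || outcome=rejected
        echo "$(date '+%F %T') port $port from $peer: $outcome"
    done
}

# Run listeners only when ports are given, e.g. ./shields.sh 23 25 445 1433 3306 8080
if [ "$#" -gt 0 ]; then
    for port in "$@"; do
        shield "$port" &
    done
    wait
fi
```

Run it as root with the ports to guard as arguments; with no arguments it only defines the functions, which is how a dry run against a stubbed iptables (set IPT to a wrapper script or shell function) can exercise block_once and drain_queue before the real rules are touched.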

Extensive testing has not been done on this early version of the script.  It has only been tested on Backtrack 5 R3 gnome.

To run poisonports, make sure all three files (poisonports.sh, shields.sh, and counterscan.sh) are in the same folder, then run:
./poisonports.sh

DOWNLOAD
git clone https://github.com/beaubullock/Poisonports/
or
https://github.com/beaubullock/Poisonports/zipball/master