Hacker News

Perhaps one of us misunderstands the term honeypot, it could be me, but IMO this seems perfectly usable to create a honeypot system on your network.

A honeypot is used to attract and detect an attacker, usually logging their actions and patterns for analysis or blocking. This tool could use more logging beyond just iptables, and sure it’s not _by itself_ a honeypot, but the idea isn’t that far off.

All that aside, the GitHub page suggests this “enhances OS security”, which I don’t buy one bit. Sure, it provides some obfuscation against automated service scanners, but if you have a MySQL server listening on 3306, and an attacker connects to 3306, they’re still talking to MySQL. Doesn’t matter if all the other 65534 ports are serving garbage responses.




All the responses look legitimate though, so even if someone does hit that MySQL, they'll be hard pressed determining it's not part of the noise of the other 65.5k legitimate-seeming responses. They'll just be wasting resources trying to get beyond such a broad surface to gain any depth. And if they already know to target MySQL (or any other particular service), it's all moot in any case, but also they wouldn't be doing a spectrum scan.


But how do you know it's real? You might be running Postgres on 5432, and their connecting to 3306 might respond with a lookalike MySQL.


I would imagine the amount of time someone spends “investigating” a port like 3306 is the amount of time it takes for the existing automated software to run a check to see if the mysql server is vulnerable. So unless the service on 3306 is able to spoof a vulnerable mysql server, they don’t care if it’s real or not. They just care if their tool reports a vulnerable service.


Why would they only care about that if they're trying to hack into a system?


Unless they are specifically targeting that system, my assumption would be that they are just looking for open ports for known services, then, if found, checking if exploits work or not, and if not, moving on. I could very well be wrong, but from a practical standpoint I can’t imagine this service mattering to someone who is running a program to scan for open ports with vulnerabilities.


I might just be regurgitating the article, but isn't the point that it can massively increase the time and effort it takes to scan a system for valid vulnerabilities?


What I’m saying though is that if I were running a script like this, unless I’m targeting a specific ip, I would just be scanning known ports for known vulnerabilities. I wouldn’t be scanning every single port.


I do red team. If I see a server with 20+ ports I'll immediately assume it's a honeypot and will stop scanning it. If you are part of a blue team you WANT them to waste time, not instantly know it's a honeypot; that's what I meant specifically for this software.
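Added example, written for this thread and not code from the tool under discussion or from any commenter: it addresses two points raised above, the "how do you know it's real?" question about a lookalike MySQL on 3306 and the red-team rule of thumb that a host answering on 20+ ports is probably a decoy. The parser applies the framing and layout rules of the MySQL protocol-10 initial handshake (3-byte length header that must match the body, sequence id 0, protocol byte 0x0a, NUL filler, 10 zero reserved bytes, plugin-name terminator, no trailing bytes), so a decoy that only replays a version string or a fixed blob fails early while a real server passes. The sample packets are constructed here, not captured; `build_handshake`, `triage_host` and the 20-port threshold are my own illustration, not part of any real tool.

```python
"""Distinguish a structurally valid MySQL HandshakeV10 from a lookalike banner.

Added example for the discussion above; constants are from the MySQL
client/server protocol, everything else (sample packets, triage rule) is
constructed for illustration.
"""
import re
import struct

# Capability bits from the MySQL client/server protocol.
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000


def build_handshake(server_version: str, conn_id: int, salt: bytes,
                    plugin: str = "caching_sha2_password") -> bytes:
    """Build a well-formed HandshakeV10 packet, used here only to make a
    realistic offline sample of what a real server sends on connect."""
    assert len(salt) == 20, "MySQL uses a 20-byte scramble"
    caps = 0xFFFFFFFF                                # advertise every capability
    payload = (
        b"\x0a"                                      # protocol version 10
        + server_version.encode() + b"\x00"          # NUL-terminated version
        + struct.pack("<I", conn_id)                 # connection id
        + salt[:8] + b"\x00"                         # auth-plugin-data-part-1 + filler
        + struct.pack("<H", caps & 0xFFFF)           # capability flags (lower 16)
        + b"\xff"                                    # character set (utf8mb4)
        + struct.pack("<H", 0x0002)                  # status flags (autocommit)
        + struct.pack("<H", caps >> 16)              # capability flags (upper 16)
        + bytes([21])                                # auth-plugin-data length (20 + NUL)
        + b"\x00" * 10                               # reserved, always zero
        + salt[8:] + b"\x00"                         # auth-plugin-data-part-2 (13 bytes)
        + plugin.encode() + b"\x00"                  # auth plugin name
    )
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload  # 3-byte len, seq 0


def parse_mysql_handshake(data: bytes):
    """Return the handshake fields, or None if the bytes are not a consistent
    HandshakeV10. Each check is a protocol rule a real server always meets."""
    if len(data) < 4:
        return None
    payload_len = int.from_bytes(data[:3], "little")
    seq, payload = data[3], data[4:]
    if seq != 0 or payload_len != len(payload):      # header must describe the body
        return None
    if not payload or payload[0] != 0x0A:            # only protocol 10 is in use
        return None
    nul = payload.find(b"\x00", 1)
    if nul == -1:
        return None
    version = payload[1:nul].decode("ascii", "replace")
    if not re.fullmatch(r"\d+\.\d+\.\d+[\x20-\x7e]*", version):  # plausibility heuristic
        return None
    pos = nul + 1
    try:
        conn_id = struct.unpack_from("<I", payload, pos)[0]; pos += 4
        salt = bytearray(payload[pos:pos + 8]); pos += 8
        if len(salt) != 8 or payload[pos] != 0:      # filler byte must be NUL
            return None
        pos += 1
        cap_lower = struct.unpack_from("<H", payload, pos)[0]; pos += 2
        charset = payload[pos]; pos += 1
        status = struct.unpack_from("<H", payload, pos)[0]; pos += 2
        cap_upper = struct.unpack_from("<H", payload, pos)[0]; pos += 2
        auth_len = payload[pos]; pos += 1
    except (struct.error, IndexError):
        return None
    caps = (cap_upper << 16) | cap_lower
    if payload[pos:pos + 10] != b"\x00" * 10:        # reserved area is all zero
        return None
    pos += 10
    if caps & CLIENT_SECURE_CONNECTION:
        part2_len = max(13, auth_len - 8)
        part2 = payload[pos:pos + part2_len]
        if len(part2) != part2_len:
            return None
        salt += part2.rstrip(b"\x00")                # drop the terminating NUL
        pos += part2_len
    plugin = None
    if caps & CLIENT_PLUGIN_AUTH:
        end = payload.find(b"\x00", pos)
        if end == -1:
            return None
        plugin = payload[pos:end].decode("ascii", "replace")
        pos = end + 1
    if pos != len(payload):                          # trailing bytes mean a fake
        return None
    return {"server_version": version, "connection_id": conn_id, "salt": bytes(salt),
            "capabilities": caps, "charset": charset, "status": status,
            "auth_plugin": plugin}


def triage_host(banners: dict, decoy_threshold: int = 20) -> dict:
    """Host-level view of the thread's rule of thumb (my illustration): many
    responsive ports suggests a decoy, but a port whose handshake verifies
    is still a real MySQL regardless of the noise around it."""
    verified = sorted(p for p, b in banners.items() if parse_mysql_handshake(b))
    return {"responsive": len(banners), "verified_mysql": verified,
            "likely_decoy_host": len(banners) >= decoy_threshold}


# Constructed samples, not captured traffic.
REAL_HANDSHAKE = build_handshake("8.0.36", 42, b"Ab3dEf7hIjKlMnOpQrSt")
TEXT_BANNER = b"5.7.30-0ubuntu0.18.04.1\r\n"             # version string, no framing
BAD_FRAMING = b"\xff\x00\x00\x00" + REAL_HANDSHAKE[4:]   # length header disagrees with body
TRUNCATED = REAL_HANDSHAKE[:30]                          # cut off mid-packet
```

Passing this check says the bytes are a coherent handshake, not that a MySQL backend is behind them; the next step for a scanner is to send a real login and see whether the authentication response is coherent too. It is still enough to discard decoys that only fake a banner, which is what the text-only and mis-framed samples show.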



