Quick n’ dirty way to run an HTTP sink (on a server that isn’t supposed to have an HTTP server running) to catch bots scanning all machines across your network.
socat -T 1 -d -d tcp-l:80,bind=192.168.200.115,reuseaddr,fork,su=nobody,crlf system:"echo -e \"\\\"HTTP/1.0 200 OK\\\nContent-Type: text/html\\\n\\\n<html>date: \$\(date\)<br>server:\$SOCAT_SOCKADDR:\$SOCAT_SOCKPORT<br>client: \$SOCAT_PEERADDR:\$SOCAT_PEERPORT\\\n<pre>\\\"\"; cat; echo -e \"\\\"\\\n</pre></html>\\\"\"" 2>&1 | grep connection
2015/03/30 21:11:23 socat N accepting connection from AF=2 192.168.200.100:65477 on AF=2 192.168.200.115:80
Leave it up and running to quickly identify and process bot IP addresses that should be blocked. Modify the port as needed for other services the bots are trying to find.
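One way to process those "accepting connection" lines into a per-client hit count, as an added example that is not part of the original post. The function names, the threshold and allowlist arguments, and every sample line except the first are constructed for illustration; 192.168.200.10 stands in for a monitoring host you would not want to block.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the sink's
# "accepting connection" lines as "count ip", busiest client first.
# usage: sink_clients [min_hits] ["allowlisted ips"] < socat.log
sink_clients() {
  awk -v min="${1:-1}" -v allow="${2:-}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    / accepting connection from AF=[0-9]+ / {
      peer = ""
      # the client is the addr:port token right after "from AF=<n>"
      for (i = 1; i < NF; i++)
        if ($i == "from" && $(i + 1) ~ /^AF=/) { peer = $(i + 2); break }
      sub(/:[0-9]+$/, "", peer)          # drop the ephemeral source port
      if (peer != "" && !(peer in skip)) hits[peer]++
    }
    END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample input. Only the first line is from the post; the
# "socat[pid]" form is what socat writes when the pid is not stripped.
sample_log() {
  cat <<'EOF'
2015/03/30 21:11:23 socat N accepting connection from AF=2 192.168.200.100:65477 on AF=2 192.168.200.115:80
2015/03/30 21:11:41 socat N accepting connection from AF=2 192.168.200.100:65480 on AF=2 192.168.200.115:80
2015/03/30 21:12:02 socat[4211] N accepting connection from AF=2 198.51.100.7:40112 on AF=2 192.168.200.115:80
2015/03/30 21:12:03 socat[4211] N accepting connection from AF=2 198.51.100.7:40113 on AF=2 192.168.200.115:80
2015/03/30 21:12:05 socat[4211] N accepting connection from AF=2 198.51.100.7:40120 on AF=2 192.168.200.115:80
2015/03/30 21:13:10 socat[4211] N accepting connection from AF=2 203.0.113.9:51000 on AF=2 192.168.200.115:80
2015/03/30 21:14:00 socat[4211] N accepting connection from AF=2 192.168.200.10:33000 on AF=2 192.168.200.115:80
2015/03/30 21:14:01 socat[4211] N accepting connection from AF=2 192.168.200.10:33001 on AF=2 192.168.200.115:80
2015/03/30 21:14:02 socat[4211] N listening on AF=2 192.168.200.115:80
EOF
}

# Clients with at least 2 hits, skipping the allowlisted monitoring host.
sample_log | sink_clients 2 "192.168.200.10"
```

Review the output before feeding it to a firewall: internal addresses on the list may be compromised hosts to investigate rather than sources to block.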