Gentoo Forums
honeypot help
Gentoo Forums Forum Index > Networking & Security
Travers
Tux's lil' helper


Joined: 09 Oct 2004
Posts: 142

Posted: Sat Feb 12, 2005 2:07 am    Post subject: honeypot help

Ok, so my friend, Ryan, has /var/log/messages filled with ssh failures. The bots that scanned him tried stupid username/password combos trying to get in. root, password root would be one such example. Naturally, these aren't full-on brute force attacks, but rather attempts to crack boxes with bad passwords.

So we decided to set up a honeypot so we can see what the crackers are up to once a machine gets compromised. I've never done this before, so I would like some input.

I just built a box with 2 ethernet cards and am in the process of setting up iptables. The plan is to have this router only let port 22 in and out of the honeypot.

Now, logging all this should be the hard part. We want to let the pot get compromised as root. (We'll probably do user:root passwd:root.) But, we also want to log everything. The original idea was to set up something like a 1-second cron that would scp .bash_history and /var/log/messages to the router. Naturally, this is an awful way to do it.

So, this is where I ask for suggestions. How can I log the honeypot for as long as possible and keep the logs safe? Would an IDS be the way to go? Any other suggestions? Moreover, when it does get cracked, how can I keep the FBI from knocking on my door when the cracker uses it in a most devious manner?

Thanks.
psychomunky
Guru


Joined: 02 Nov 2004
Posts: 337
Location: Canada

Posted: Sat Feb 12, 2005 2:26 am

I think the first thing I'd be inclined to do is to let the "cracker" into a chroot jail environment. Although I am not entirely sure how to set this up, the theory is that since it is a jail, this malicious "person" (or bot or whatever) would only be able to execute what you have put in the jail. This way you could control what he does and does not have access to. For example you could give him access to links, but not ping or some other nasty tools. As well, you could hide some devices and re-route other ones.

Being a relative noob to chrooting, I am not entirely sure that this is all possible, but from the bit I've played with jails, it is indeed possible. I have been getting into security more and more lately, and I have seen these stupid worms trying to get into my box as well. I'm very curious to see what your results are if you stick someone or something.
angoraspruce
Apprentice


Joined: 08 Jan 2005
Posts: 193
Location: Minnesota, USA

Posted: Sun Feb 13, 2005 5:34 am

Hello,
Do a Google search on honeypots and you'll find lots of info. This one's particularly good:

http://www.tracking-hackers.com/solutions/


I have an unused IP address that I've been meaning to use for a honeypot, but just haven't had the time. I've read up on the subject, but it's a little more involved than one might think at first glance.

All the same, it would be fun...

Good luck setting yours up :)
zerojay
Veteran


Joined: 09 Aug 2003
Posts: 1033

Posted: Sun Feb 13, 2005 8:14 am

Unless you are extremely knowledgeable in *nix security, I wouldn't suggest running a honeypot whatsoever.

Actually, I'm pretty sure that, from the sounds of things, you were getting attacked by this... ssh worm, for lack of a better term, that has been going around since the summer. Take a look at the following thread for pretty much everything you need to know about it.

https://forums.gentoo.org/viewtopic-t-210585.html

EDIT: Come to think about it, running a honeypot probably is against your ISP's terms of service as well as possibly being illegal in your country.


Last edited by zerojay on Sun Feb 13, 2005 8:53 am; edited 1 time in total
nightblade
Guru


Joined: 20 Jul 2004
Posts: 368
Location: back from SE Asia

Posted: Sun Feb 13, 2005 9:06 am    Post subject: Re: honeypot help

Travers wrote:
How can I log the honeypot for as long as possible and keep the logs safe? Would an IDS be the way to go? Any other suggestions? Moreover, when it does get cracked, how can I keep the FBI from knocking on my door when the cracker uses it in a most devious manner?

A possible approach is to send the logs to another machine. You can set up a syslog daemon listening for the honeypot logs, and set the syslog on the honeypot to use a non-standard configuration file, in order to make the thing harder to figure out. If you don't have another box, you can simply create a virtual honeypot with vmware. As for the hostile traffic coming from your honeypot, set the router (or the physical machine, if you use vmware in a NAT configuration) to forbid outward connections coming from it.

However, as it has been pointed out already, be sure to understand all security implications, because setting up an effective honeypot is not an easy task. You might also want to look at honeyd: http://www.citi.umich.edu/u/provos/honeyd/
_________________
In God we trust. All the others must provide a valid X.509 certificate
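As an added example (not from any poster in this thread), here is what the containment rules for the two-NIC router described above could look like, combining Travers' "only port 22 in and out of the honeypot" with nightblade's advice to forbid outward connections from it and to ship syslog to another machine. The interface names, the honeypot address 192.168.50.10 and the router's log-listener address 192.168.50.1 are assumptions; it also assumes the honeypot's address is routed through the box rather than NATed.

```shell
#!/bin/sh
# Honeypot containment ruleset for a two-NIC router (added example, hypothetical addresses).
# eth0 = upstream side, eth1 = honeypot segment. Set IPT=echo to print the rules instead
# of applying them.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
HONEY_IF="${HONEY_IF:-eth1}"
HONEYPOT="${HONEYPOT:-192.168.50.10}"
LOGHOST="${LOGHOST:-192.168.50.1}"   # router address where the syslog daemon listens

honeypot_rules() {
    # Default-deny forwarding, then start from a clean FORWARD chain
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Inbound SSH to the honeypot: new connections from the outside and their follow-ups
    $IPT -A FORWARD -i "$WAN_IF" -o "$HONEY_IF" -d "$HONEYPOT" -p tcp --dport 22 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies from the honeypot belonging to those sessions only (no NEW from inside)
    $IPT -A FORWARD -i "$HONEY_IF" -o "$WAN_IF" -s "$HONEYPOT" -p tcp --sport 22 \
        -m state --state ESTABLISHED -j ACCEPT

    # Anything else the compromised box tries to send out: log (rate-limited so the
    # attacker cannot flood the router's log) and drop
    $IPT -A FORWARD -i "$HONEY_IF" -s "$HONEYPOT" -m limit --limit 10/min \
        -j LOG --log-prefix "HONEYPOT-OUT: "
    $IPT -A FORWARD -i "$HONEY_IF" -s "$HONEYPOT" -j DROP

    # The honeypot may talk to the router itself only to deliver syslog (UDP 514)
    $IPT -A INPUT -i "$HONEY_IF" -s "$HONEYPOT" -d "$LOGHOST" -p udp --dport 514 -j ACCEPT
    $IPT -A INPUT -i "$HONEY_IF" -s "$HONEYPOT" -j DROP
}

# "apply" installs the rules (needs root); "show" prints them without touching the kernel
case "${1:-}" in
    apply) honeypot_rules ;;
    show)  IPT=echo honeypot_rules ;;
esac
```

The matching honeypot-side step is pointing its syslog at the router (`*.* @192.168.50.1` in syslog.conf, with the non-standard config file location nightblade suggests), so the logs leave the box before an intruder can edit them.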