Honeypots & TCPServer

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Honeypots & TCPServer

    While doing a qmail install recently, I was reminded of Dan Bernstein's TCPServer, which is part of the ucspi-tcp package. What TCPServer does is listen on a given port and, when a connection is made, execute a program of your choice, sending stdout out via the TCP port. This is useful in that you can listen on say, TCP/1095 and just have a shellscript that reads:
    Code:
    #!/bin/sh
    echo GO AWAY YOU DIRTY H4X0R!
    You can also control things like how many connections are allowed at once (so that each spawned app can't be misused and DoS your server through resource usage), etc., etc..

    It's a pretty customizable thing, and I was hoping to get some input on how it might fly in a honeypot setup. If you were a hacker, and you saw TCP/21 was open thanks to your fav. port scanner, would you not be frustrated if you telnet in and get GO AWAY YOU DIRTY H4X0R!! and then the connection is closed?

    Because you restrict connections based on IP, it might also be possible to have a remote shell sitting and listening on your internal network, that kinda thing.

    What do you honeypot types think?
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
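    As an added example (not code from this thread or from ucspi-tcp itself), here is what a fuller handler for that setup could look like from the defender's side: log who connected and what they sent, then emit the banner. It relies on the TCPREMOTEIP, TCPREMOTEPORT and TCPLOCALPORT variables that tcpserver exports to the program it runs; the log path, the rules file and the install paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a handler for tcpserver that logs each
# connection before sending the banner. tcpserver runs it once per accepted
# connection with the socket on stdin/stdout and exports TCPREMOTEIP,
# TCPREMOTEPORT and TCPLOCALPORT (documented by ucspi-tcp).
# Assumed invocation (paths are placeholders): -c caps concurrent handlers,
# -R/-H skip ident and DNS lookups so a scanner can't stall the handler,
# -x applies an access database compiled with tcprules:
#
#   tcpserver -c 10 -R -H -x /etc/honeypot/rules.cdb 0 21 /usr/local/bin/honeypot.sh serve
#
# rules.txt, compiled with  tcprules rules.cdb rules.tmp < rules.txt :
#   192.168.:deny
#   :allow

LOG=${HONEYPOT_LOG:-/var/log/honeypot.log}

ts() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# One fixed-shape record per connection; unset variables become "-" so the
# log stays easy to grep and awk later.
format_hit() {
    printf '%s hit local_port=%s remote=%s:%s\n' \
        "$(ts)" "${TCPLOCALPORT:--}" "${TCPREMOTEIP:--}" "${TCPREMOTEPORT:--}"
}

# Whatever the client sends is attacker-controlled: drop control characters
# (no forged records or terminal escapes in the log) and cap the length.
sanitize() {
    printf '%s' "$1" | tr -d '\000-\037\177' | cut -c1-200
}

handle() {
    format_hit >>"$LOG"
    echo 'GO AWAY YOU DIRTY H4X0R!'
    # Record the first line the client sends (e.g. a login attempt) before the
    # connection closes. A silent client holds one -c slot until it hangs up,
    # which is why the concurrency cap matters.
    if read -r line; then
        printf '%s sent local_port=%s remote=%s data=%s\n' "$(ts)" \
            "${TCPLOCALPORT:--}" "${TCPREMOTEIP:--}" "$(sanitize "$line")" >>"$LOG"
    fi
}

# Only act as the network handler when tcpserver passes "serve"; running the
# file without that argument just defines the functions.
if [ "${1:-}" = serve ]; then
    handle
fi
```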

  2. #2
    Senior Member
    Join Date
    Mar 2002
    Posts
    425
    Well, since I've never set up a honeypot myself, I'm not sure how much my opinion is worth in that regard, but I do find the concept fascinating and I intend to learn more about it.

    Since I'm the conservative type when it comes to security, I never run my services on the "correct" port. For example, my version of SSH runs on a port way up in the 10,000's so that it's harder to find. But I always found it interesting that upon connecting to SSH, it announces what version it is running. Now, I know this is for compatibility and things like that, but I always thought that sounded like such a bad idea - kinda like saying "Hey, in case you're trying to hack me, I'm running a version of SSH that's 3 versions old - you'll need exploit X31437942 to overflow my buffers."

    So maybe with your idea, I could leave something listening on my port 22 similar to what you were talking about - maybe tell them I'm running openssh version 19.0.2 or something similarly absurd before disconnecting them. Just a thought... Thanks for the info.

  3. #3
    Banned
    Join Date
    Apr 2002
    Posts
    149
    Can't you just get rid of the banner in SSH that announces your version?

  4. #4
    Banned
    Join Date
    Apr 2002
    Posts
    149
    Oh yeah... one more thing: the more you piss them off, the more they will come after you. But since this is a honeypot, I guess you don't really care.

  5. #5
    Banned
    Join Date
    Sep 2001
    Posts
    853
    There's a program called portsentry:
    http://www.psionic.com/products/
    When someone port scans you, it shows what ports you specify to be open, but when they connect it trips a tripwire and displays a message of their choice. Pretty good program; security-wise I'm not too sure about it, although I know a few consultants that swear by it.
    RiOtEr

  6. #6
    Junior Member
    Join Date
    Feb 2002
    Posts
    1
    Are there any honey pots or sites that I can test? I would like to attempt to crack a site after my Unix class.

    Thanks
    Guarding the Nation's Infrastructure.

  7. #7
    Banned
    Join Date
    Mar 2002
    Posts
    74
    If you were a hacker, and you saw TCP/21 was open thanks to your fav. port scanner, would you not be frustrated if you telnet in and get GO AWAY YOU DIRTY H4X0R!! and then the connection is closed?
    That would be pretty cool if it said GO AWAY YOU DIRTY H4X0R!! and then the connection is closed. That would scare the hacker, thinking he's caught, lol. I almost c hacked a website, but it wasn't a website, it turned out to be a honey pot. It had 34 poorly written cgi-scripts, it had 25 ports open, very poor security. It was a unix system, but I figured I would not hack it. I just told them in e-mail. But it turned out they set it up like that, go figure! But this happened last year!
