February 24th, 2002 04:02 PM
Honeypots & TCPServer
While doing a qmail install recently, I was reminded of Dan Bernstein's TCPServer, which is part of the ucspi-tcp package. What TCPServer does is listen on a given port and, when a connection is made, execute a program of your choice, sending stdout out via the TCP port. This is useful in that you can listen on, say, TCP/1095 and just have a shellscript that reads:
echo GO AWAY YOU DIRTY H4X0R!
You can also control things like how many connections are allowed at once (so that each spawned app can't be misused to DoS your server through resource usage), etc., etc.
It's a pretty customizable thing, and I was hoping to get some input on how it might fly in a honeypot setup. If you were a hacker, and you saw TCP/21 was open thanks to your fav. port scanner, would you not be frustrated if you telnet in and get GO AWAY YOU DIRTY H4X0R!! and then the connection is closed?
Because you restrict connections based on IP, it might also be possible to have a remote shell sitting and listening on your internal network, that kinda thing.
What do you honeypot types think?
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
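A banner script in the tcpserver style described in the post above, as an added example and not code from the original post or from ucspi-tcp itself. It assumes tcpserver's TCPREMOTEIP, TCPREMOTEPORT and TCPLOCALPORT environment variables (set by tcpserver for the child) and a log path of your choosing, and goes a step beyond the one-line echo: it records who connected and what they sent first, so the honeypot yields a usable log rather than just an insult.

```sh
#!/bin/sh
# Added example: a honeypot banner script meant to be run under tcpserver,
# e.g.  tcpserver -c 10 -v 0.0.0.0 21 ./banner.sh
# tcpserver exports TCPREMOTEIP, TCPREMOTEPORT and TCPLOCALPORT into the
# child's environment; stdin/stdout are the client connection.

# Assumed log location; override with HONEYPOT_LOG=/some/path.
LOGFILE="${HONEYPOT_LOG:-/var/log/honeypot.log}"

# Build one log record from the tcpserver environment plus the first line
# the client sent (if any). One line per connection so it greps easily.
log_record() {
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s src=%s:%s dst_port=%s first_line=%s\n' \
        "$stamp" "${TCPREMOTEIP:-unknown}" "${TCPREMOTEPORT:-0}" \
        "${TCPLOCALPORT:-0}" "$1"
}

# The banner the client sees; deliberately says nothing about the host.
banner() {
    printf 'GO AWAY YOU DIRTY H4X0R!\r\n'
}

# Read at most one line from the client. Under bash, give up after a few
# seconds so a silent connection cannot hold a slot forever (tcpserver -c
# caps concurrency, but a stuck child still counts against that cap).
read_first_line() {
    line=""
    if [ -n "$BASH_VERSION" ]; then
        read -r -t 5 line || true
    else
        read -r line || true
    fi
    # Drop CR and anything non-printable so terminal escape sequences sent
    # by the client cannot pollute the log file or a reader's terminal.
    printf '%s' "$line" | tr -cd '[:print:]'
}

main() {
    first=$(read_first_line)
    log_record "$first" >> "$LOGFILE"
    banner
}

# Run only when executed as banner.sh, not when sourced for testing.
if [ "${0##*/}" = "banner.sh" ]; then
    main
fi
```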
March 25th, 2002 02:04 AM
Well, since I've never set up a honeypot myself, I'm not sure how much my opinion is worth in that regard, but I do find the concept fascinating and I intend to learn more about it.
Since I'm the conservative type when it comes to security, I never run my services on the "correct" port. For example, my version of SSH runs on a port way up in the 10,000's so that it's harder to find. But I always found it interesting that upon connecting to SSH, it announces what version it is running. Now, I know this is for compatibility and things like that, but I always thought that sounded like such a bad idea - kinda like saying "Hey, in case you're trying to hack me, I'm running a version of SSH that's 3 versions old - you'll need exploit X31437942 to overflow my buffers."
So maybe with your idea, I could leave something listening on my port 22 similar to what you were talking about - maybe tell them I'm running openssh version 19.0.2 or something similarly absurd before disconnecting them. Just a thought... Thanks for the info.
April 3rd, 2002 03:31 AM
Can't you just get rid of the banner in SSH that announces your version?
April 3rd, 2002 03:33 AM
Oh yeah... one more thing: the more you piss them off, the more they will come after you. But since this is a honeypot, I guess you don't really care.
April 3rd, 2002 03:45 AM
There's a program called portsentry.
When someone port scans you, it shows whatever ports you specify as open, but when they connect it trips a tripwire and displays a message of your choice. Pretty good program; security-wise I'm not too sure about it, although I know a few consultants that swear by it.
April 14th, 2002 02:18 AM
Are there any honeypots or sites that I can test? I would like to attempt to crack a site after my Unix class.
Guarding the Nation's Infrastructure.
April 14th, 2002 04:07 AM
That would be pretty cool if it said GO AWAY YOU DIRTY H4X0R!! and then the connection is closed. That would scare the hacker into thinking he's caught, lol. I almost hacked a website, but it wasn't a website; it turned out to be a honeypot. It had 34 poorly written CGI scripts and 25 ports open, very poor security. It was a Unix system, but I figured I would not hack it. I just told them in e-mail. But it turned out they set it up like that, go figure! But this happened last year!