Know Your Enemy: Honeynets
bewmIES writes "The guys over at the Honeynet project have released the latest chapter in their "Know Your Enemy" series describing how to implement a honeynet. This is great reading even if you don't have any plans to implement one and does a very good job explaining the elementary concepts behind it all, along with the implications." Extremely interesting reading here.
I get hit with about 10-15 of these a day:
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"
I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.
Portsentry/ipchains is *not* a wonderful thing in that instance. It would be much wiser for you to at least implement a brief timeout on the drop.
Here's a scenario:
I know your box is up, because I can connect to you at port 80, or whatever. So I portscan you.
And your box isn't up. EH? Oh! You must have some sort of portscan detector that automatically drops packets! Let's see if I can get to port 80!
Nope! Hmmmmm.
So what do I do? I spoof a portscan from the last hop between you and me. Lo, you block that IP. Lo, you lose your entire upstream.
Lo, you're screwed. All because you let an imperfect program control your TCP/IP stack.
Sure, blocking port scanners is OK. Just don't let them use it as an opportunity to launch a denial of service attack.
Think it through.
-gleam
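The failure mode gleam describes (an automatic blocker that will drop a route to any address appearing in a scan, including a spoofed upstream hop) is easy to illustrate. The following is an added example, not code from the thread or from the PortSentry project: it parses alert lines in the same format the commenter quoted above, and applies a block policy that refuses to block addresses on a never-block list (the upstream gateway and similar infrastructure) and expires every block after a timeout. The sample log lines, the documentation-range addresses, the `BlockPolicy` class and the fake clock are all constructed for the example.

```python
"""Auto-block policy with a never-block list and expiring blocks (added example)."""
import re
import time
from ipaddress import ip_address, ip_network

# Constructed sample lines in the PortSentry alert format quoted in the thread.
# Addresses are RFC 5737 documentation ranges; 203.0.113.1 plays the upstream gateway.
SAMPLE_LOG = """\
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Apr 22 06:17:25 mayday portsentry[9235]: attackalert: Connect from host: 203.0.113.1/203.0.113.1 to TCP port: 111
Apr 22 06:17:30 mayday portsentry[9235]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 22
"""

# "host: <name>/<ip> to TCP port: <n>"; the second field after the slash is the address.
ALERT_RE = re.compile(r"attackalert: Connect from host: \S+/(\S+) to TCP port: (\d+)")


def parse_alerts(text):
    """Return a list of (source_ip, port) tuples for every attackalert line."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append((m.group(1), int(m.group(2))))
    return alerts


class FakeClock:
    """Deterministic clock so the example (and its test) does not depend on wall time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class BlockPolicy:
    """Decide whether an alert source may be blocked, and for how long."""

    def __init__(self, ttl_seconds, never_block, clock=time.monotonic):
        self.ttl = ttl_seconds
        # Gateway, DNS resolvers, monitoring hosts: a spoofed scan from one of
        # these must never be allowed to cut the box off from its own upstream.
        self.never_block = [ip_network(n) for n in never_block]
        self.clock = clock
        self.blocked = {}  # ip_address -> expiry timestamp

    def on_alert(self, src_ip):
        addr = ip_address(src_ip)
        if any(addr in net for net in self.never_block):
            return "refused"  # log it, alert a human, but do not touch the route
        self.blocked[addr] = self.clock() + self.ttl
        return "blocked"

    def is_blocked(self, src_ip):
        addr = ip_address(src_ip)
        expiry = self.blocked.get(addr)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.blocked[addr]  # block has timed out; route is restored
            return False
        return True


def simulate(ttl_seconds=600):
    """Run the sample alerts through the policy and report what happened."""
    clock = FakeClock()
    policy = BlockPolicy(ttl_seconds, never_block=["203.0.113.0/24"], clock=clock)
    actions = [policy.on_alert(ip) for ip, _port in parse_alerts(SAMPLE_LOG)]
    during = policy.is_blocked("198.51.100.7")
    clock.advance(ttl_seconds + 1)
    after = policy.is_blocked("198.51.100.7")
    return {
        "actions": actions,                                   # ['blocked', 'refused', 'blocked']
        "gateway_blocked": policy.is_blocked("203.0.113.1"),  # False: never-block list held
        "scanner_blocked_during_ttl": during,                 # True
        "scanner_blocked_after_ttl": after,                   # False: block expired
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The two controls are independent: the never-block list stops the spoofed-gateway case outright, and the TTL bounds the damage of any other false positive to a few minutes instead of a permanent dropped route. A real deployment would map "blocked"/"refused" onto the firewall commands PortSentry already calls and keep the never-block list in sync with the actual default gateway and resolver addresses.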
this
How do you tell someone that they are running a "Honeypot" server unintentionally?
I used to have the habit of talking to people about security issues on networking around my high school. As people are, they scoffed at a kid explaining to them security issues... and when their network was compromised (not by me) my attempt at pointing out their security problems came to their mind... They remembered me speaking to them, of course, and since I knew about their security problems I "had to be" the person who compromised their system...
That was high school -- I learned to keep my mouth shut...
About a month ago, when I first started reading about the honeypot project I noticed that my University's box was running a version of Linux that had a few security issues.. as in the same security issues that allowed others to access and control the Honeypot for a little. (I am not mentioning my U's name!) -- I acted against reason and informed the administrator (who I had as a professor) about the problem... their answer was strange: "I know about the problem but I just don't have enough time to deal with it right now. I think I might take a look at patching it sometime this summer..."
Now I am worried the same thing will happen.. my precious U's network will be compromised and the admin will be thinking "Wait.. I remember someone who knew about this security problem.."
So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?