Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenBSD 3.0 Honeypot Whitepaper

Posted by michael on from the it-only-takes-one dept.

Tortured Potato writes "This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours. Fascinating stuff...this is the first OpenBSD honeypot I've heard of."

9 of 209 comments (clear)

  1. Re:What is a honeypot? by Innomi · · Score: 3, Informative

    A honeypot is a machine set up for the sole purpose of distracting hackers away from your main network by putting up an easy target.

  2. First OpenBSD honeypot by snake_dad · · Score: 4, Informative
    this is the first OpenBSD honeypot I've heard of

    Which is not very surprising for an OS that has had "One remote hole in the default install, in nearly 6 years!". An interesting read 'though.

    By the way, there is a slashbox for OpenBSD Journal, which can be enabled here. It featured this story yesterday.

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
  3. Re:What is a honeypot? by snake_dad · · Score: 4, Informative

    You can learn a lot about honeypots and network security in general on the Honeynet site. Browse the challenges, and the results, and be amazed ;)

    --
    karma capped .sig seeking available Slashdot poster for long-term relationship.
  4. Info on the 'Hacker' by DeeEm · · Score: 5, Informative

    If anyones interested, the website for the 'hacker' is omegapunx.org, his msn name is omegakidd@hotmail.com
    E-Mail: omegakidd@tfz.net
    E-Mail2: omegakidd@cheguevara.zzn.com
    aim: eromlenosam
    aim2: shoogy maple
    aim3: satan the killer
    msn: omegakidd@hotmail.com
    yahoo: omegakidd
    irc@efnet: omegakidd

  5. OmegaPunx's aka Elmore Mason's Phone Number by Anonymous Coward · · Score: 2, Informative
    From Betterwhois.com

    Registrant:
    OmegaPunx
    5233 Welcome Ave N.
    Crystal, Minnesota 55429
    US

    Registrar: Dotster (http://www.dotster.com)
    Domain Name: OMEGAPUNX.ORG
    Created on: 03-MAY-02
    Expires on: 03-MAY-03
    Last Updated on: 03-MAY-02

    Administrative, Technical Contact:
    Elmore, Mason omegakidd@tfz.net
    OmegaPunx
    5233 Welcome Ave N.
    Crystal, Minnesota 55429
    US
    (763)531-0637
    I tried calling the number, but no one answered (at 9:30AM EST) let me know if

  6. Re:Obligatory anti-linux statement by phoxix · · Score: 4, Informative
    Stuff that effects Redhat not only effects redhat, but the rest of the open source community itself. Last time I checked, redhat used mostly standardized open source software to get the job done. (i.e. openssh for sshd, apache for httpd, etc)

    So when redhat has a new securty flaw, it isn't so much as a redhat problem as it is to a open source community security flaw.

    Sunny Dubey

  7. Re:NAT issue by Anonymous Coward · · Score: 2, Informative

    OpenBSD uses random TCP sequence numbers, therefore it isn't very useful to nmap openbsd for finding initial sequence numbers when the firewall admin could simply apply "modulate state" for extra protection. For documentation man pf.conf(5) and search on down for "STATE MODULATION".

  8. Re:Firewall, shmirewall by evilviper · · Score: 3, Informative
    You are correct, to a point... Stateful packet filtering can be more secure, but certainly not for reasons you suggest.

    Stateful packet filters only check the first packet, and then only for the source, some flags, and then pass it through. Then it will make sure that following pieces of the conversation are limited to the same source, destination, and ports. What good does this do? Well, instead of just blindly passing ports through, you can say that inbound connections are only allowed if they are responses to outbound requests (net client), and vise versa (net servers).
    with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts
    I'm afraid that's just not true. A stateful firewall is really only concered with the protocol, flags that are initally set, and source and dest ports. The contents could be pure random binary data sent to Apache or SSH, the firewall doesn't care.

    So, if your firewall is set to allow connections to Apache and SSH, the worm or exploit will still get through. As far as more secure, you could configure your firewall to prevent outbound connections, stopping the spread of worms from your machine to others, preventing the use of your machine to attack others, and preventing outbound connections (e.g. Sub7, outgoing e-mails, et al.)... However, even in that restrictive configuration, you are just as susceptible to an attacker connecting with SSH, or an exploit sending a: rm -rf /

    So, properly configured, a stateful firewall still can NOT prevent you from being exploited. However, it can prevent your server from being of any use to an attacker (or a worm).

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  9. Mirror site of the whitepaper by mikeanuzis · · Score: 3, Informative

    For those interested the site the whitepaper was on has been temporarily disabled by the web hosting company due to too much traffic.

    Another copy of the whitepaper is available at:
    http://www.anuzisnetworking.com/whitepapers/

    And to verify, yes it was in fact me who posted the above apology. --Michael Anuzis