OpenBSD 3.0 Honeypot Whitepaper
Tortured Potato writes "This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours. Fascinating stuff...this is the first OpenBSD honeypot I've heard of."
Oooh, dems fightin' words! (runs into the General Store and closes the curtains, peeking out)
Vintage computer games and RPG books available. Email me if you're interested.
This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours
You can do it with a default install in 30 minutes.
A honeypot is a machine set up for the sole purpose of distracting hackers away from your main network by putting up an easy target.
Which is not very surprising for an OS that has had "One remote hole in the default install, in nearly 6 years!". An interesting read 'though.
By the way, there is a slashbox for OpenBSD Journal, which can be enabled here. It featured this story yesterday.
karma capped
You can learn a lot about honeypots and network security in general on the Honeynet site. Browse the challenges, and the results, and be amazed ;)
If anyones interested, the website for the 'hacker' is omegapunx.org, his msn name is omegakidd@hotmail.com
obligatory link to omegapunx's google-cached website is here
the best entry is certainly May 31st, when this gem appeared:
It seems to me that the Americans are actually the terrorists. I would elaborate right now but I am too lazy to type that much right now.
9:30PM: I had some fun with smoke bombs. I lit like 5 in my back yard and there was this pretty big smoke cloud going into my front yard. Since it looked so cool I searched for some more smoke bombs, and all I could find was like 3. But then I lit them in the field and that was cool. There was this cloud of blue smoke like 4 and a half feet from the ground. It was so cool.
-- "Ignorance more frequently begets confidence than does knowledge." (Charles Darwin)
On a similar note, what is your IP address?
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
This article is valuable not so much for how to set up a honeypot (and no doubt this discussion will ventilate that issue) but, to a security newbie (me), it shows how the analysis of the logs proceeded.
Nice one. One question though - why not publish the IP of the hackers? Why protect their anonymity?
Backward compatibility is over-rated
HAHAHA... this is like 25 minutes from my house, maybe I should drive over there and wait for him and take some pictures and post them online and send them to Mike A, and maybe one to the kid himself with a link to the story about how he *hacked* (snickering) a honeypot. There could be a ton of fun with this. HA... plus in a few hours I am going to the TC BSD User Group meeting. I wonder if his momma is gonna drop him off there... :) I will be looking for you Mason Elmore a.k.a. OmegaKidd
ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
So when redhat has a new security flaw, it isn't so much a redhat problem as it is an open source community security flaw.
Sunny Dubey
Now, how secure is this network? You've got a firewall, so you're secure, right? Just two minor little flaws: the security holes mentioned in the article are in Apache and SSH. Your firewall didn't add any security at all! You're just as exposed as the next guy with no firewall.
Sticking a firewall in front of your network and thinking you're secure can be very dangerous, if it lulls you into thinking that the machines behind the firewall are now secure. Most exploitable holes are not on the thousands of unused ports that a firewall blocks - they're on the ports that the firewall lets through.
I should mention that with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts. However, stateful firewalls tend to be more expensive, less transparent (require more maintenance), and if they're commercial, more expensive. And many hacks can't even be detected by a stateful firewall, and there are all sorts of tunneling tricks that can be used to circumvent this kind of security. Ultimately, the only way to be secure is to make sure that every box that can be accessed from the outside is completely secure.
Along those lines, one of my favorite firewall-related quotes came from a sysadmin whose mail server and entire internal 70-station LAN had been infected by NIMDA: "But we have a firewall! How did it get through??"
127.24.88.72. Why do you ask?
"Make it ten--I am only a poor corrupt official."
--Captain Louis Renault (Claude Rains), Casablanca
Clothing doesn't make people gay. Try reading this book and see if you look at the world in the same way ever again.
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
First, my apologies to the Honeynet Project (http://project.honeynet.org), the Distributed Honeypot Project (http://www.lucidic.net), and everyone else who does research in the field of honeynets for releasing a paper which revealed the identity of the hackers involved, as this clearly doesn't fall into the scope of releasing a good whitepaper on the topic. Second, my sincerest apologies to the two hackers who compromised my honeypot. I went through and tried to conceal the identity of the two hackers involved, but it's true I knew they could still be traced by searching google's cache for pretty much any sentence on the cached page I displayed. I had no intention of revealing their identities, and it's clear I thoroughly overestimated the level of maturity of my target audience. To be completely honest, I would rather have never had this article featured on deadly.org and /. if I had known ahead of time how badly the two hackers' personal information would be exploited.
To those people who read this, please stop bugging the hackers involved. They appear to be nothing more than innocent (and slightly unwise) kids. Let's grow up for a minute here for their sake.
It can't be all bad, because after all they did hack a honeypot... so I guess there's a moral to be learned with this story, but please don't take their humiliation any farther than it's already gone.
I'm honored my whitepaper was featured on these great websites, and I hate to feel like I'm crashing the party... but I can't help but feel bad for the poor hackers involved.
With utmost sincerity, Michael Anuzis
Could I please have the IP address of the servers you admin, so I can give you some knowledge? I'll send you a bill afterwards.
For those interested, the site the whitepaper was on has been temporarily disabled by the web hosting company due to too much traffic.
Another copy of the whitepaper is available at:
http://www.anuzisnetworking.com/whitepapers/
And to verify, yes it was in fact me who posted the above apology. --Michael Anuzis