Slashdot Mirror


OpenBSD 3.0 Honeypot Whitepaper

Tortured Potato writes "This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours. Fascinating stuff...this is the first OpenBSD honeypot I've heard of."

6 of 209 comments

  1. Info on the 'Hacker' by DeeEm · · Score: 5, Informative

    If anyone's interested, the website for the 'hacker' is omegapunx.org, his msn name is omegakidd@hotmail.com
    E-Mail: omegakidd@tfz.net
    E-Mail2: omegakidd@cheguevara.zzn.com
    aim: eromlenosam
    aim2: shoogy maple
    aim3: satan the killer
    msn: omegakidd@hotmail.com
    yahoo: omegakidd
    irc@efnet: omegakidd

  2. ph34r omegapunx by nyquist_theorem · · Score: 5, Funny

    obligatory link to omegapunx's google-cached website is here

    the best entry is certainly May 31st, when this gem appeared:

    It seems to me that the Americans are actually the terrorists. I would elaborate right now but I am too lazy to type that much right now.
    9:30PM: I had some fun with smoke bombs. I lit like 5 in my back yard and there was this pretty big smoke could going into my front yard. Sense it looked so cool I searched for some more smoke bombs, and all I could find was like 3. But then I lit them in the feild and that was cool. There was this cloud of blue smoke like 4 and a half feet from the ground. It was soo cool.


    --
    -- "Ignorance more frequently begets confidence than does knowledge." (Charles Darwin)
  3. Re:What is a honeypot? by Wakko+Warner · · Score: 5, Funny

    On a similar note, what is your IP address?

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  4. Re:OmegaPunx's aka Elmore Mason's Phone Number by RazzleDazzle · · Score: 5, Funny

    HAHAHA... this is like 25 minutes from my house, maybe I should drive over there and wait for him and take some pictures and post them online and send them to the Mike A, and maybe one to the kid himself with a link to the story about how he *hacked*(snickering) a honeypot. There could be a ton of fun with this. HA... plus in a few hours I am going to the TC BSD User Group meeting. I wonder if his momma is gonna drop him off there... :) I will be looking for you Mason Elmore a.k.a. OmegaKidd

    --
    ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
  5. Firewall, shmirewall by alienmole · · Score: 5, Insightful

    It's a reminder of just how much you need a firewall these days.

    Let's think that through. Let's say this honeypot had a standard packet-filtering firewall in front of it, e.g. the kind implemented by ipchains in Linux. Assume there are two services which we wish to expose to the outside world: Apache and SSH. So we set the firewall to forward all HTTP connections to Apache and all SSH connections to OpenSSH.

    Now, how secure is this network? You've got a firewall, so you're secure, right? Just two minor little flaws: the security holes mentioned in the article are in Apache and SSH. Your firewall didn't add any security at all! You're just as exposed as the next guy with no firewall.

    Sticking a firewall in front of your network and thinking you're secure can be very dangerous, if it lulls you into thinking that the machines behind the firewall are now secure. Most exploitable holes are not on the thousands of unused ports that a firewall blocks - they're on the ports that the firewall lets through.

    I should mention that with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts. However, stateful firewalls tend to be more expensive, less transparent (require more maintenance), and if they're commercial, more expensive. And many hacks can't even be detected by a stateful firewall, and there are all sorts of tunneling tricks that can be used to circumvent this kind of security. Ultimately, the only way to be secure is to make sure that every box that can be accessed from the outside is completely secure.

    Especially if you run Windows.

    Along those lines, one of my favorite firewall-related quotes came from a sysadmin whose mail server and entire internal 70-station LAN had been infected by NIMDA: "But we have a firewall! How did it get through??"
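    The point alienmole makes can be shown in code. What follows is an added example, not part of this thread or of the whitepaper: a stateless, ipchains-style filter that forwards TCP/22 and TCP/80 and drops the rest, next to a crude HTTP request inspector standing in for the content-aware checks a stateful or application-layer device might perform. The rule list, the inspection thresholds and the sample packets are all constructed for the example.

```python
"""Port-based packet filtering versus application-layer inspection.

Constructed demonstration: an ipchains-style stateless filter that forwards
TCP/22 and TCP/80 and denies everything else, beside a crude HTTP inspector
that looks at the bytes the filter let through. Rules, thresholds and sample
packets are made up for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # application data carried in the segment


# Ordered rule list, first match wins: (proto, dport, verdict). None = wildcard.
RULES = [
    ("tcp", 22, "ACCEPT"),   # forward SSH to OpenSSH
    ("tcp", 80, "ACCEPT"),   # forward HTTP to Apache
    (None, None, "DENY"),    # default policy for everything else
]


def packet_filter(pkt: Packet) -> str:
    """Stateless filter: the verdict depends only on protocol and port,
    never on what the packet carries."""
    for proto, dport, verdict in RULES:
        if (proto is None or proto == pkt.proto) and (dport is None or dport == pkt.dport):
            return verdict
    return "DENY"


MAX_REQUEST_LINE = 256           # constructed threshold for the inspector
HTTP_METHODS = {b"GET", b"HEAD", b"POST"}


def inspect_http(payload: bytes) -> Optional[str]:
    """Crude application-layer check on an HTTP request.
    Returns None when the request line looks ordinary, otherwise a reason."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return "not an HTTP request line"
    if len(line) > MAX_REQUEST_LINE:
        return "request line too long"
    if not parts[2].startswith(b"HTTP/"):
        return "bad version token"
    return None


def evaluate(pkt: Packet) -> dict:
    """Run the packet through the filter, then (for port 80 only) the inspector."""
    verdict = packet_filter(pkt)
    result = {"filter": verdict, "inspection": None}
    if verdict == "ACCEPT" and pkt.dport == 80:
        result["inspection"] = inspect_http(pkt.payload)
    return result


# Constructed sample traffic aimed at the two exposed services and one closed port.
SAMPLES = {
    "normal_http": Packet("tcp", 80, b"GET /index.html HTTP/1.0\r\nHost: honeypot\r\n\r\n"),
    "oversized_http": Packet("tcp", 80, b"GET /" + b"A" * 400 + b" HTTP/1.0\r\n\r\n"),
    "non_http_on_80": Packet("tcp", 80, b"\x00\x01binary tunnel\x02"),
    "ssh_banner": Packet("tcp", 22, b"SSH-2.0-client\r\n"),
    "blocked_port": Packet("tcp", 6667, b"NICK test\r\n"),
}


def summary() -> dict:
    """Verdicts for every sample, keyed by sample name."""
    return {name: evaluate(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in summary().items():
        print(f"{name:16s} filter={r['filter']:6s} inspection={r['inspection']}")
```

    Run it and the filter returns ACCEPT for all three port-80 samples, whether the payload is an ordinary request, an oversized request line, or bytes that are not HTTP at all; only the inspection step tells them apart, and even that step can only flag what it was written to look for, which is the comment's point about tunneling and undetectable hacks.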
  6. My sincerest apologies. by mikeanuzis · · Score: 5, Insightful

    First, my apologies to the Honeynet Project (http://project.honeynet.org), the Distributed Honeypot Project (http://www.lucidic.net), and everyone else who does research in the field of honeynets for releasing a paper which revealed the identity of the hackers involved, as this clearly doesn't fall into the scope of releasing a good whitepaper on the topic. Second, my sincerest apologies to the two hackers who compromised my honeypot. I went through and tried to conceal the identity of the two hackers involved, but it's true I knew they could still be traced by searching Google's cache for pretty much any sentence on the cached page I displayed. I had no intention of revealing their identities, and it's clear I thoroughly overestimated the level of maturity of my target audience.

    To be completely honest, I would rather have never had this article featured on deadly.org and /. if I had known ahead of time how badly the two hackers' personal information would be exploited. To those people who read this, please stop bugging the hackers involved. They appear to be nothing more than innocent (and slightly unwise) kids. Let's grow up for a minute here for their sake. It can't be all bad, because after all they did hack a honeypot... so I guess there's a moral to be learned with this story, but please don't take their humiliation any farther than it's already gone.

    I'm honored my whitepaper was featured on these great websites, and I hate to feel like I'm crashing the party... but I can't help but feel bad for the poor hackers involved. With utmost sincerity, Michael Anuzis