Tar pitting automated attacks
bsilver at chrononomicon.com
Thu Sep 9 10:06:49 PDT 2004
On Sep 9, 2004, at 11:44 AM, Mike Hauber wrote:
> That makes sense... I haven't gotten so much into security
> that I would want to "invite" a potential cracker. I would
> just assume they go and bug someone else (who knows, maybe
> it will result in more BSD admins. :) )
> How difficult would it be to have a "dummy" system setup on
> the LAN where incoming SSH could be transparently routed
Depending on your router, very easy. Redirect a port on the router to
point to an inside computer running the service you want redirected. I
used to do it all the time with my home linksys system...redirected
mail to one of the computers inside and web requests to a second
computer. From the outside world, they both looked like my NATed
address facing the Internet.
> In fact (and even the idea gives me the creeps), how
> difficult would it be to change "root" to something else,
> and then create a dummy root account.
Not hard at all...anyone with the UID of 0 on a UNIX system is "root".
Change the UID and you have a new root...reassign the UID of root and
it will no longer have superuser privileges. However, this may break
some programs or some functionality, and if the "hacker" had
intelligence above a cucumber they would be reaching for UID 0, not
necessarily just root by name. Wouldn't take them long to realize
something was wrong if they got "root" and weren't able to do some
things or see files that are supposed to be readable by UID 0...
> I mean, if one is
> attempting to get a cracker to waste his time, then why not
> wet his whistle and let him think he's actually getting
> I don't know anything about this kind of thing (I'm just not
> devious enough, I guess). How should I go about googling
> this to learn more? Is there a term for it?
"Honeypot" and "Honeynet". :-)
What may work better is a system that is in a DMZ, virtualized within
something like VMWare (is Virtual PC ever used for something like
this?). Honeypots are often run in environments like that for analysis
and monitoring. But if you're truly paranoid, this computer would be
on it's own segment on the other side of it's own firewall...i.e., you
have your internet connection to your router, then to the network
containing your honeypot machine and image, and then another
router/firewall protecting your actual network, and never the twain'
shall meet (plus monitoring software on your internal *NIX
systems...like snort...to check for leaks).
At least, that's how I would do it if I had limited resources but
really wanted to try to lure them in. Letting ANY experimental,
unpatched network image run as a honeypot inside your actual network
where regular email and net traffic flow is a bad idea, and if the
image is cracked, it is still possible for it to start flooding your
Internet connection and may result in some overzealous admins
blacklisting you or blocking off access from your IP, unless you get a
second IP to the internet and use that entirely as your "honeynet".
More information about the freebsd-questions