Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security Operating Systems BSD

OpenBSD 3.0 Honeypot Whitepaper 211

Posted by michael from the it-only-takes-one dept.
Tortured Potato writes "This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours. Fascinating stuff...this is the first OpenBSD honeypot I've heard of."
This discussion has been archived. No new comments can be posted.

OpenBSD 3.0 Honeypot Whitepaper More

OpenBSD 3.0 Honeypot Whitepaper

Comments Filter:

  • Its a reminder (Score:1, Flamebait)

    by mgv ( 198488 )
    Of just how much you need a firewall these days.

    Especially if you run windows.

    Michael

    • Firewall, shmirewall (Score:5, Insightful)

      by alienmole ( 15522 ) on Saturday July 13, 2002 @11:24AM (#3877168)
      Its a reminder

      Of just how much you need a firewall these days.

      Let's think that through. Let's say this honeypot had a standard packet-filtering firewall in front of it, e.g. the kind implemented by ipchains in Linux. Assume there are two services which we wish to expose to the outside world: Apache and SSH. So we set the firewall to forward all HTTP connections to Apache and all SSH connections to OpenSSH.

      Now, how secure is this network? You've got a firewall, so you're secure, right? Just two minor little flaws: the security holes mentioned in the article are in Apache and SSH. Your firewall didn't add any security at all! You're just as exposed as the next guy with no firewall.

      Sticking a firewall in front of your network and thinking you're secure can be very dangerous, if it lulls you into thinking that the machines behind the firewall are now secure. Most exploitable holes are not on the thousands of unused ports that a firewall blocks - they're on the ports that the firewall lets through.

      I should mention that with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts. However, stateful firewalls tend to be more expensive, less transparent (require more maintenance), and if they're commercial, more expensive. And many hacks can't even be detected by a stateful firewall, and there are all sorts of tunneling tricks that can be used to circumvent this kind of security. Ultimately, the only way to be secure is to make sure that every box that can be accessed from the outside is completely secure.

      Especially if you run windows.
      Along those lines, one of my favorite firewall-related quotes came from a sysadmin whose mail server and entire internal 70-station LAN had been infected by NIMDA: "But we have a firewall! How did it get through??"
      • You are correct, to a point... Stateful packet filtering can be more secure, but certainly not for reasons you suggest.

        Stateful packet filters only check the first packet, and then only for the source, some flags, and then pass it through. Then it will make sure that following pieces of the conversation are limited to the same source, destination, and ports. What good does this do? Well, instead of just blindly passing ports through, you can say that inbound connections are only allowed if they are responses to outbound requests (net client), and vise versa (net servers).
        with a stateful firewall, you can get greater security, since it monitors the actual content of the connection and may be able to detect hack attempts
        I'm afraid that's just not true. A stateful firewall is really only concered with the protocol, flags that are initally set, and source and dest ports. The contents could be pure random binary data sent to Apache or SSH, the firewall doesn't care.

        So, if your firewall is set to allow connections to Apache and SSH, the worm or exploit will still get through. As far as more secure, you could configure your firewall to prevent outbound connections, stopping the spread of worms from your machine to others, preventing the use of your machine to attack others, and preventing outbound connections (e.g. Sub7, outgoing e-mails, et al.)... However, even in that restrictive configuration, you are just as susceptible to an attacker connecting with SSH, or an exploit sending a: rm -rf /

        So, properly configured, a stateful firewall still can NOT prevent you from being exploited. However, it can prevent your server from being of any use to an attacker (or a worm).

        • Stateful packet filters only check the first packet, and then only for the source, some flags, and then pass it through. Then it will make sure that following pieces of the conversation are limited to the same source, destination, and ports.

          You're correct that a firewall which exclusively perform OSI layer-3&4 stateful inspection works like this. I was speaking loosely, since commercial firewalls tend to be less focused than this. Perhaps I should have said "stateful multi-layer inspection firewalls", which is a more accurate description of the hybrid nature of many "stateful" commercial firewalls. These firewalls perform inspection at multiple OSI layers, in many cases right up to layer 7, the application layer. Firewalls like this are quite capable of protecting against the HTTP attacks of Nimda and Code Red.

          When I said "monitors the actual content of the connection", I again spoke too loosely: I was talking about the protocol content at the application layer, which is what layer-7 firewalls monitor.

          So, properly configured, a stateful firewall still can NOT prevent you from being exploited.

          Some of the layer-7 firewalls can prevent certain application exploits. Even something like this SSH hole could potentially be blocked by such a firewall, but it would depend on the specifics of the exploit and on what the firewall was checking for. But everything I said was intended to emphasize that firewalls do not provide a complete security solution, no matter how stateful they are or what network layer they operate at.

          • Okay, I understand what you meant.
            Some of the layer-7 firewalls can prevent certain application exploits. Even something like this SSH hole could potentially be blocked by such a firewall
            That's doubtful... Not impossible, but doubtful. To do that, the firewall (App-Layer Reverse SSH Proxy Actually) would need to generate SSH keys, decrypt all incomming traffic, then re-encrypt it before sending it back out again (just like a filtering HTTPS proxy). So, every server that the firewall serves will be seen as having the same key (the one on the firewall). Also, a firewall that does app-layer filtering, it is rather vulnerable to attack, itself.

            Besides that, the OpenSSH vulnerability is easy to protect against. You simply have to disable S/Key (ChallengeResponse) auth, or upgrade to the latest version.

            Blocking exploits AFTER they have happened is not the job of a firewall (that's the IDS' part). Rather, a firewall should be able to block the attacks, or somehow help to render them useless.

            <rant>
            I don't see much value in reverse proxies. They are slow, not likely to block most exploits, and vulnerable themselves.

            You'd be much better off using a stateful firewall/router with a good ruleset, in combination with running services as a normal user, chroot-ing services, or using software that will keep the software in line (Systrace [deadly.org], imsafe [sourceforge.net], or something similiar).

            I happen to recall some commerical software similiar to imtrace that would detect strange behavior in running services, kill the process, ban the IP that caused the behavior temporarily, then restart the service. Their 'hack this server' site was a fairly impressive demonstration. Anyone happen to know the company name or URL?
            </rant>

  • From the article: (Score:3, Funny)

    by SuiteSisterMary ( 123932 ) <slebrunNO@SPAMgmail.com> on Saturday July 13, 2002 @07:57AM (#3876413) Journal
    Most honeypots out there tend to be Redhat Linux as it's has the worst record for security out of pretty much every OS out there

    Oooh, dems fightin' words! (runs into the General Store and closes the curtains, peeking out)

    • (dives behind watering trough)

      Not sure, but he could be talking about just the *nix environments. If not then we have to go get the sheriff and the undertaker, there's a gonna be a shoot out!
  • I think I'm not the only one who's reading this article and asking himself what a honeypot is. Could anyone please explain what it is? Thank you in advance.

  • He didn't wipe out enough info on those images (Score:2, Funny)

    by Anonymous Coward
    http://www.google.ca/search?q=cache:b3jn4bU41cYC:w ww.omegapunx.org/+muffinface+band&hl=en&ie=UTF -8

  • White paper ? (Score:3, Funny)

    by kraf ( 450958 ) on Saturday July 13, 2002 @08:01AM (#3876426)
    This white paper, by Michael Anuzis, details how he set up an OpenBSD 3.0 honeypot, watched it get cracked and then analyzed it -- all within 28 hours

    You can do it with a default install in 30 minutes.

    • You can do it with a default install in 30 minutes.

      So you actually can predict that your box will be hacked by two individual hackers in 30 minutes, analyze what they were doing and write a doc about it? You'll need good timing. Please - please read the articles before begging for karma.

      • The 30-minute timeframe (to the first intrusion on a default install) is not a bad guess. My logs show that many machines in my net are probed on average once every 15-180 minutes.

        If the machines were default installs, they would have fallen. I'm seeing all the usual (for this week) stuff: SSH, apache, NIMBDA/Code.Red, FTP, etc.

        Add about 15 minutes for installing a sniffer+hub in parallel instead of the single-host honeypot here, and 45-60 minutes of setup would get you a few hours of fun and amusement.

        I think that the nost interesting part of this particular honeypot was the single honeypot system, instead of the victim + sniffer that I've used and almost always seen used.

        • Yeah, let's not argue about time... Sweep scans are very common - I get mostly ftp-scans.
          What I'm intrested is using virtual servers to fake a net of computers - virtual honeynet - net of honeypots. Could be cheaper and faster to setup than with real hardware. I've heard that there are people already doing this using usermodelinux [usermodelinux.org]. With that one could setup a honeypot in minutes...

  • First OpenBSD honeypot (Score:4, Informative)

    by snake_dad ( 311844 ) on Saturday July 13, 2002 @08:05AM (#3876439) Homepage Journal
    this is the first OpenBSD honeypot I've heard of

    Which is not very surprising for an OS that has had "One remote hole in the default install, in nearly 6 years!" [openbsd.org]. An interesting read 'though.

    By the way, there is a slashbox [slashdot.org] for OpenBSD Journal [deadly.org], which can be enabled here [slashdot.org]. It featured this story yesterday.

    • Well that doesn't mean you're secure [alldas.org].
      It's worth remembering for some OpenBSD worshipping newbie zealots that every OS is as secure as the admin installing/maintaining the server.
      Let me say that I know the seasoned OpenBSD users surely are not prone to that, but that is true for (nearly) any OS, and for all *nixes.
      • It's worth remembering for some OpenBSD worshipping newbie zealots that every OS is as secure as the admin installing/maintaining the server.

        Given two equally paranoid and skilled sysadmins, the one using OpenBSD has a head start over the one using Linux. Linux machines are owned so easily and often, it often occurs to admins, "gee, maybe I should study all the crackers roaming about my boxes."

  • Info on the 'Hacker' (Score:5, Informative)

    by DeeEm ( 209892 ) on Saturday July 13, 2002 @08:11AM (#3876449)
    If anyones interested, the website for the 'hacker' is omegapunx.org, his msn name is omegakidd@hotmail.com
    E-Mail: omegakidd@tfz.net
    E-Mail2: omegakidd@cheguevara.zzn.com
    aim: eromlenosam
    aim2: shoogy maple
    aim3: satan the killer
    msn: omegakidd@hotmail.com
    yahoo: omegakidd
    irc@efnet: omegakidd

  • ph34r omegapunx (Score:5, Funny)

    by nyquist_theorem ( 262542 ) <mbelleghem@@@gmail...com> on Saturday July 13, 2002 @08:18AM (#3876465) Homepage
    obligatory link to omegapunx's google-cached website is here [216.239.35.100]

    the best entry is certainly May 31st, when this gem appeared:

    It seems to me that the Americans are actually the terrorists. I would elaborate right now but I am too lazy to type that much right now.
    9:30PM: I had some fun with smoke bombs. I lit like 5 in my back yard and there was this pretty big smoke could going into my front yard. Sense it looked so cool I searched for some more smoke bombs, and all I could find was like 3. But then I lit them in the feild and that was cool. There was this cloud of blue smoke like 4 and a half feet from the ground. It was soo cool.

    • Who wants to visit him, looks like a home adderess:
      Registrant:
      OmegaPunx
      5233 Welcome Ave N.
      Crystal, Minnesota 55429
      US

      Registrar: Dotster (http://www.dotster.com)
      Domain Name: OMEGAPUNX.ORG
      Created on: 03-MAY-02
      Expires on: 03-MAY-03
      Last Updated on: 03-MAY-02

      Administrative, Technical Contact:
      Elmore, Mason omegakidd@tfz.net
      OmegaPunx
      5233 Welcome Ave N.
      Crystal, Minnesota 55429
      US
      (763)531-0637
      Here's a map [mapquest.com], and an picture of his house. [msn.com]
    • My brother's girlfriend Danyel gave me this purply long skirt thingy. It is soo cool. I would wear it to school tommorow, but there are these kids in the loccer room who hate gay people.

      This guy has a lot going for him. He can crack any kid's computer that tried to beat him up.
      • This guy has a lot going for him. He can crack any kid's computer that tried to beat him up.

        He can pack a gun, would that earn you more respect?

        Its a good thing they didnt post the kids IPs, these kids are just kids and should be left alone. They dont need more gay-bashing or script kidding bashing. He just wanted to hack to put on a IRC bot script, which is pretty harmless, wrong, but harmeless.

        • He just wanted to hack to put on a IRC bot script, which is pretty harmless, wrong, but harmeless.

          Tell that to the guy I just send a $600 bill to for cleaning up his computer after he was hacked by a "harmless kid looking to run IRC bots".

          I'm sure he would disagree about how harmless it was.
          • I did say Harmless, and wrong. re-read my post.
            • But it's not harmless, monetary damages and lost productivity are real harm, it's not just a morality issue, there are tangible damages.
              • If your system is compromised, and you don't know, what harm has been caused? Not all comprimised systems produce monetary damages or lost productivity. But I'm sure you can find your system cracked, spend a million dollars on upgrading security, and consulting fees, and say some "script kiddie" just cost your company a million dollars.

                • If your system is compromised, and you don't know, what harm has been caused? Not all comprimised systems produce monetary damages or lost productivity.

                  All compromised systems cost people in the form of time spent cleaning it up. Once a system is compromised, unless you were running an integrity checking program, it's basically impossible to trust any binary on it without a clean reinstall, or a tedious comparison of checksums.

                  In a business environment, this means downtime, and lost money, in addition to whatever you have to pay whoever is cleaning it up.

                  Leaving up a system that is known to be compromised could expose you to legal liability from the actions of the cracker.

                  I can't believe you think cracking is harmless. Even if it is never discovered, that means that your privacy is compromised, your bandwidth and resources are stolen, and could possibly open you up to more malicious attacks if there is a badly secured backdoor installed.

                  Maybe you are just trying to rationalize your own illegal behavior? Cracking cost companies real money, not just fabricated figures.

                  A lot of the numbers are trumped up, and sometimes people overreact, like those kids that were put on extended suspension for hacking their school computer, but that doesn't mean that cracking is harmless, it is far from it.
                  • My god, you guys rate crackers as terrorists or murders. WTF is wrong with you?! Yes you need to protect your systems, and you need to slap the kids on the wrists for cracking, but if a kid trespasses, you put a bigger lock on your door, you don't build a new house and shoot the kid. Get some fucking perspective.

                    Maybe you are just trying to rationalize your own illegal behavior?

                    Maybe your a tight assed republican, hard core christen who believe in the death penalty, and hates gays.

                    BTW, people can support a prosecuted group, and not belong to that group. I for one, believe that the "Zero Tolerance" approach is more evil than murder. You need to look at each case, and punish for the level of intent. Stop believing the FUD, crackers/hackers have been around for 30+ years on our computer systems, only a very few cause monetary damage. But yes, he was pretty harmless compared to most, and yes I believe its wrong to enter a computer uninvited.
                    • Maybe your a tight assed republican, hard core christen who believe in the death penalty, and hates gays.

                      Libertarian, and I have no position on the death penalty. Homosexuals are OK by me.

                      I view crackers more like shoplifters. I don't believe what they do is harmless, and the potential loss is much higher than in the case of shoplifting, but it is usually on the same scale.

                      I'm not believing FUD, I'm basing my opinion on the damage I have personally seen crackers cause. I do some freelance consulting in my spare time, and sometimes I do cleanups after someone is broken into. It's a serious matter, not to be taken lightly, when a business server is compromised.
          • The purpose of a honeypot is to get knowledge from the hacker. In this case, I think the sysadmin should pay the hacker for the knowledge gained.
            • God, you people are so full of shit. I guess if I leave my house unlocked, it is OK to hang out inside and eat some of my food.
            • Could I please have the IP address of the servers you admin, so I can give you some knowledge? I'll send you a bill afterwards.
        • heh.. that reminds me of back in 1994 (give or take a year), when I was a teenager, and went around cracking systems. I'd see other crackers running those stupid IRC bots and I'd of course send them fake messages to their tty that their phone line has been traced and they will be prosecuted. I'd see them logout immediately (if I didn't kill their processes myself) and never show up again. Good times.

      • Re:A Gay Script Kiddie too? No. (Score:4, Insightful)

        by LoonXTall ( 169249 ) <loonxtall@hotmail.com> on Saturday July 13, 2002 @03:59PM (#3878516) Homepage
        Clothing doesn't make people gay. Try reading this book [amazon.com] and see if you look at the world in the same way ever again.
      • Hey, there are even gays on the other side of the fence, so to speak...

        Here [monkey.org] is Theo de Raadt [openbsd.org] slamming into Darren Reed [anu.edu.au] over Darren having a bit of a poke at OpenBSD practices in the shadow of the recent OpenSSH hole [securityfocus.com] that led to a remote exploit in the default install.

        I spend more than 8 hours of every single day of my life auditing code (and over the last week, 16+ hours a day), and here is some gay guy from Australia who spent all of Usenix in San Antonio years ago moping with droopy eyes after a very straight and girlfriended Mudge is not going to tell me that I am not doing enough

        I love reading Theo's posts.

  • My brother's girlfriend Danyel gave me this purply long skirt thingy. It is soo cool. I would wear it to school tommorow, but there are these kids in the loccer room who hate gay people. They say things like "Man, if you are gay I am going to kick your ass." And stuff like that. So, they would probably think I am gay or something and kick my ass. Welp, what are you going to do in this world these days.
  • Well, there isn't really such a thing like a secure system.
    So all this pro-OpenBSD propaganda by Theo de Rat saying "OpenBSD is secure, really, always" is rather a bad thing. I lulls sysadms into the belief that their system is save, making them unaware of the fact that a system is never secure at all.
    Of course, the sources of every OS should be explicitly checked for security holes. But this shouldn't be the single feature of an OS. In fact claiming an OS "secure" just due to these checks is serving security rather badly.
    I sometimes wonder if the OpenBSD project hasn't excatly the opposite effects than intended by it's maintainers for these very reasons. On the other hand there are some cynical commentators out there, who claim that the main intend of OpenBSD is to boost Theo's ego.
      • Of course I notice that July 2, 02 is when the majority of these took place. Hmmmm... popular exploit is found in a program that everyone has enabled (probably everyone has SSHD enabled). Slow, unimformed, uncarring sysadmins don't know or dont care to patch their systems. From Feb 11, 2000 to July 1, 2002 (over 2 years) there are only about 1/10 of the defacements. Not bad I would say. This doesn't prove much about OpenBSD except that there are some incompetent admins using it.
      • Note that statistically [alldas.org],
        0.31% of defaced sites were running OpenBSD, which greatly contrasts with netcraft's [netcraft.com] statistics that over 59% of indexed web sites use the Apache httpd server, and considering that Apache runs on the BSD's, Linux, commercial *nix's, Windows, MacOS ... even assuming an equal distribution, this means that the defaced sites are at least two orders of magnitude less than the total sites using OpenBSD (ok, that is a lot of assuming, but I couldn't find statistics of server OS distribution).
    • What maintainers are you talking about that have said that OpenBSD is a system that needs no attention once it is up and running? If anyone installs any operating system, they should be aware of insecurites. It doesn't matter that one OS seems to have slightly more or less MARKETING as being secure; if you buy or use a product based on marketing, you deserve what you get. I don't recall any of the OpenBSD maintainers claiming their OS is so good you will not ever be hacked. If the admins don't upkeep their system, they will be exploited.

    • I use OpenBSD. My biggest complaint is that binary updates are not provided, even though the initial installtion was from binaries. No, we need to manually patch, build, install, and configure. For this reason, unless you are a skilled and determined software developer, OpenBSD could easily be less secure for you. Theo you suck.

      Does Theo realize this behavior will make unpached openbsd system more likely, thus encouraging greater deveopment of root kits?

  • Why is it that BSD users always feel the need to knock Linux? This article kicks off with "Most honeypots out there tend to be Redhat Linux as it's has the worst record for security out of pretty much every OS out there". RH is pretty damn secure compared with Windows, which seems to have a major security alert almost every day.

    HH
    • Because it is true...but wait! It is true because RH is by far the most common Linux one could hope to encounter on the net, especially in the hands of neophyte 'nix users. Any other distro that strives to knock RH out of the top spot should also be prepared to wear the most hacked crown. Does this mean that RH is really less secure than other Linux distros? Not in my experience it, it just happens to be very popular and thus a likely target. RH has produced some less than stellar distros in the past, but I would feel comfortable putting 7.2 or 7.3 up against any other offering available currently. That includes FreeBSD and OpenBSD as well. I run all of them for different reasons, and they all are vulnerable to attack to various degrees. Vulnerable is vulnerable, but I think popular tells the real story here.

    • Re:Obligatory anti-linux statement (Score:4, Informative)

      by phoxix ( 161744 ) on Saturday July 13, 2002 @10:07AM (#3876826)
      Stuff that effects Redhat not only effects redhat, but the rest of the open source community itself. Last time I checked, redhat used mostly standardized open source software to get the job done. (i.e. openssh for sshd, apache for httpd, etc)

      So when redhat has a new securty flaw, it isn't so much as a redhat problem as it is to a open source community security flaw.

      Sunny Dubey

      • The problem with Red Hat was that a default install used to throw a million half-configured, un-firewalled, and unneeded services.

        The emphasis is because this is no longer true. A basic firewall is installed by default unless you explicitely say not to during the install, and the only questionable service that is left running is sunrpc. (probably because the errors caused by it not running when it needs to be aren't always very clear). Of course a home user probably doesn't need sunrpc.

        Other than sunrpc, I think the only other running services are sshd, sendmail, configured to only accept connections from localhost, and maybe one more I am forgetting. The point is, Red Hat is pretty damn secure now, by default.

    • I like the folks at Red Hat, they have made huge contributions to everyone. The OpenBSD folks, for example, can't build a single executable without using a compiler that has been developed and maintained largely by Red Hat folks over the last ten years (about 50% of all gcc development work over the last decade, if not more, has been by Red Hat/Cygnus people, and it was their business/marketing people that got the funding to allow all those guys to work full-time on gcc).

      Nevertheless, Red Hat has in the past put out releases that were horribly insecure, and this has been a problem for the net as a whole. They've gotten much better, but by the time a release sold in stores requires so many updates to make it secure that it would take 12 hours to download them all on a dialup modem, that makes the retail version dangerous to the public, a product that should be recalled. This goes both for Windows and Linux. Bad security doesn't just affect the owner of the system, an "owned" system is commonly used as a launch pad for distributed denial of service attacks.

      Maybe the thing to do is to get any BSD or Linux distribution that is sold at retail or shipped on CDs that might not be current, to "phone home" the first time the system is connected to the net (telling the user what is happening, of course), so that the very first thing that happens is that all security updates that enable remote exploits get installed.

      • This is not entirely true. Out of the 12 people who have blanket write privs. 8 are from redhat, but out of the about 2364 recent changes to gcc, less halve of the changes were made by redhat people. Most of the changes by non-redhat people have been major changes to gcc. Redhat for generic simd support which is pretty cool but it still needs some work. The cpp (the c pre-processor) has been bumped up. The new

  • Excellent learning resource! (Score:3, Insightful)

    by Demerara ( 256642 ) on Saturday July 13, 2002 @09:41AM (#3876701) Homepage
    This article is valuable not so much for how to set up a honeypot (and no doubt this discussion will ventilate that issue) but, to a security newbie (me), it shows how the analysis of the logs proceeded.
    Nice one. One question though - why not publish the IP of the hackers? Why protect their anonymity?

    • Obscuring the IP (Score:2, Interesting)

      by tg_schlacht ( 570380 )

      Well for one thing the IP may be dynamic. Some other person may have been assigned that IP. Another thing is that they might have been working from a compromised system (though I doubt that in this case.)

      In any case the anonymity of at least one of them was not really too well protected as several of the posts above indicate.

  • I thought this had something to do with Winnie the Pooh using BSD. Oh well.

  • From the article:

    If the hacker is smart enough to find out with a simple 'ps ax' that the processes you're running aren't the same as the processes he or she may have seen when they port scanned you (if they take the time to do that), they may realize port forwarding is going on which may raise suspicion

    Firstly, assuming they used a tool like "nmap" to do the portscan they would already know that some of the ports are forwarded - nmap states which ones are in the results of the scan (I believe it can tell by the differences in TCP sequence numbers.)

    Secondly, why would this detract from the realism of the situation? Not everyone who wants to provide limited services on the internet buys additional IPs. I know I don't have the money to!

    Julian

    • Re:NAT issue (Score:2, Informative)

      by Anonymous Coward
      OpenBSD uses random TCP sequence numbers, therefore it isn't very useful to nmap openbsd for finding initial sequence numbers when the firewall admin could simply apply "modulate state" for extra protection. For documentation man pf.conf(5) and search on down for "STATE MODULATION".
      • I have a /29 network on my DSL at home. So I put a honeypot behind a bridged firewall. From the outside the world, no one can see the firewall. I allowed all in bound traffic, but blocked outbound traffic from the honeypot. I set up a tcpdump to log all traffice to the honeypot so I could see what was happening. It's a nice solution for honeypot

  • BLAH (Score:2, Interesting)

    by Junior Macintosh ( 589919 )


    For some interesting reading related to this article, take a look at the text files [quell.org] that come with the exploit that was used to crack this honeypot.
  • > Most honeypots out there tend to be Redhat Linux as it's has the worst record for security out of pretty much every OS out there, and so it makes for a good honeypot since the goal is to get hacked.

    Obviously, he's never heard of Windows.
  • I've got a dollar bill with www.omegapunx.org written on it. Do I win something?

  • My sincerest apologies. (Score:5, Insightful)

    by mikeanuzis ( 592699 ) on Saturday July 13, 2002 @05:20PM (#3878787)
    First, my apologies to the Honeynet Project (http://project.honeynet.org), the Distibuted Honeypot Project (http://www.lucidic.net), and everyone else who does research in the field of honeynets for releasing a paper which revealed the identity of the hackers involves, as this clearly doesn't fall into the scope of releasing a good whitepaper on the topic. Second, my sincerest apologies to the two hackers who compromised my honeypot. I went through and tried to conceal the identity of the two hackers involved, but it's true I knew they could still be traced by searching google's cache for pretty much any sentence on the cached page I displayed. I had no intention of revealing their identities, and it's clear I thoroughly overestimated the level of maturity of my target audience. To be completely honest, I would rather have never had this article featured on deadly.org and /. if I had known ahead of time how badly the two hackers personal information would be exploited. To those people who read this, please stop bugging the hackers involved. They appear to be nothing more than innocent (and slightly unwise) kids. Let's grow up for a minute here for their sake. It can't be all bad, because after all they did hack a honeypot... so I guess there's a moral to be learned with this story, but please don't take their humiliation any farther than it's already gone. I'm honored my whitepaper was featured on these great websites, and I hate to feel like I'm crashing the party... but I can't help but feel bad for the poor hackers involved. With utmost sincerity, Michael Anuzis
    • Oh please, don't be so self-righteous.

      Those two kids are probably loving the attentiong right now. Did you even check out their website? /. is featured in his Links section. I agree that people shouldn't be calling him at home or otherwise harassing him, but a few emails or guestbook entries is a small price to pay for getting caught in the midst of a stupid, stupid (and illegal) act.

      The white paper was a good read; just keep in mind that these kids are most likely bragging to their friends about their being on the front page of slashdot.

      Peace.
      Alric.
      • I disagree;
        attention it is, but not positive attention. Their servers are being hit with posts of 'that was a dumb thing to do' (look at the guest book) and the like. It's a lot of negative attention, and the kids are probably feeling pretty shitty right now being the target of name-calling and attacks (verbal, and their computers are probably being attacked also.)
        Don't stereotype that just because they are teenagers they crave any type of attention.
    • Note that this user has only posted one message, and has no information linking them to the actual author of the article. The legitimacy of the message should be IN QUESTION.

      (Off topic: How did this posting get +1 without any other comments to get karma from?)
  • Registrant: OmegaPunx 5233 Welcome Ave N. Crystal, Minnesota 55429 US Registrar: Dotster (http://www.dotster.com) Domain Name: OMEGAPUNX.ORG Created on: 03-MAY-02 Expires on: 03-MAY-03 Last Updated on: 03-MAY-02 Administrative, Technical Contact: Elmore, Mason omegakidd@tfz.net OmegaPunx 5233 Welcome Ave N. Crystal, Minnesota 55429 US (763)531-0637 Domain servers in listed order: NS1.MYDYNDNS.ORG NS2.MYDYNDNS.ORG NS3.MYDYNDNS.ORG NS4.MYDYNDNS.ORG NS5.MYDYNDNS.ORG

  • That my proxy box will run something tight [it's fussy, wont run windoze for some reason], right now its an old RedHat release, which I thought I had amateurishly locked down, and windows 98 inside my network.

    Honypots are only honeypots if they're intentional...

    Most honeypots out there tend to be RedHat Linux as it's has the worst record for security out of pretty much every OS out there

    /me gets that goatse feeling.

    Ali

  • As of the 13th of July, our script kid friend wants to hide his screenshots [omegapunx.org] section for some reason.

    Too bad Google has it cached [216.239.35.100].

  • Mirror site of the whitepaper (Score:3, Informative)

    by mikeanuzis ( 592699 ) on Monday July 15, 2002 @12:03PM (#3886359)
    For those interested the site the whitepaper was on has been temporarily disabled by the web hosting company due to too much traffic.

    Another copy of the whitepaper is available at:
    http://www.anuzisnetworking.com/whitepapers/

    And to verify, yes it was in fact me who posted the above apology. --Michael Anuzis

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close