Tar pitting automated attacks
Bart Silverstrim
bsilver at chrononomicon.com
Thu Sep 9 10:06:49 PDT 2004
On Sep 9, 2004, at 11:44 AM, Mike Hauber wrote:
> That makes sense... I haven't gotten so much into security
> that I would want to "invite" a potential cracker. I would
> just assume they go and bug someone else (who knows, maybe
> it will result in more BSD admins. :) )
>
> How difficult would it be to have a "dummy" system setup on
> the LAN where incoming SSH could be transparently routed
> to.
Depending on your router, very easy. Redirect a port on the router to
point to an inside computer running the service you want redirected. I
used to do it all the time with my home Linksys system...redirected
mail to one of the computers inside and web requests to a second
computer. From the outside world, they both looked like my NATed
address facing the Internet.
> In fact (and even the idea gives me the creeps), how
> difficult would it be to change "root" to something else,
> and then create a dummy root account.
Not hard at all...anyone with the UID of 0 on a UNIX system is "root".
Change the UID and you have a new root...reassign the UID of root and
it will no longer have superuser privileges. However, this may break
some programs or some functionality, and if the "hacker" had
intelligence above a cucumber they would be reaching for UID 0, not
necessarily just root by name. Wouldn't take them long to realize
something was wrong if they got "root" and weren't able to do some
things or see files that are supposed to be readable by UID 0...
> I mean, if one is
> attempting to get a cracker to waste his time, then why not
> wet his whistle and let him think he's actually getting
> somewhere?
>
> I don't know anything about this kind of thing (I'm just not
> devious enough, I guess). How should I go about googling
> this to learn more? Is there a term for it?
"Honeypot" and "Honeynet". :-)
What may work better is a system that is in a DMZ, virtualized within
something like VMware (is Virtual PC ever used for something like
this?). Honeypots are often run in environments like that for analysis
and monitoring. But if you're truly paranoid, this computer would be
on its own segment on the other side of its own firewall...i.e., you
have your internet connection to your router, then to the network
containing your honeypot machine and image, and then another
router/firewall protecting your actual network, and never the twain
shall meet (plus monitoring software on your internal *NIX
systems...like Snort...to check for leaks).
At least, that's how I would do it if I had limited resources but
really wanted to try to lure them in. Letting ANY experimental,
unpatched network image run as a honeypot inside your actual network
where regular email and net traffic flow is a bad idea, and if the
image is cracked, it is still possible for it to start flooding your
Internet connection, which may result in some overzealous admins
blacklisting you or blocking off access from your IP, unless you get a
second IP to the internet and use that entirely as your "honeynet".
-Bart
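The point above that "root" is only a name and that anything with UID 0 is the superuser has a practical corollary: the check worth running on any box (honeypot or not) is "which accounts have UID 0, and is root still one of them?". The following POSIX sh script is an added example written for this page; it is not code from the thread, from Mike or Bart, or from the FreeBSD base system. It assumes only the passwd(5) layout (colon-separated, UID in the third field), which holds for both /etc/passwd and FreeBSD's /etc/master.passwd. The function names and the UID0_ALLOWED list are this example's own choices; "toor" is on the allowlist because a stock FreeBSD install ships it as a second UID 0 account, and the sample files are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD base system): audit a
# passwd(5)-format file for accounts whose UID is 0, since "root" is only a
# name and anything with UID 0 is the superuser.
#
# Assumptions: the file is colon-separated with the UID in the third field,
# which holds for both /etc/passwd (7 fields) and FreeBSD's /etc/master.passwd
# (10 fields). The function names and the UID0_ALLOWED list are this example's
# own choices. "toor" is FreeBSD's stock second UID 0 account; drop it from
# UID0_ALLOWED on systems where it should not exist.

UID0_ALLOWED="root toor"

# Print the name of every UID 0 account in the file (comment lines skipped).
uid0_accounts() {
    f=${1:-/etc/passwd}
    awk -F: '/^#/ { next } $3 == 0 { print $1 }' "$f"
}

# Print the UID currently assigned to the account named "root" (empty if absent).
root_uid() {
    f=${1:-/etc/passwd}
    awk -F: '/^#/ { next } $1 == "root" { print $3 }' "$f"
}

# Print UID 0 accounts that are not on the allowlist.
uid0_extra() {
    f=${1:-/etc/passwd}
    awk -F: -v allow="$UID0_ALLOWED" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ { next }
        $3 == 0 && !($1 in ok) { print $1 }' "$f"
}

# Exit status: 0 = only allowed accounts have UID 0
#              1 = "root" is missing or no longer UID 0 (someone moved the real
#                  superuser, as discussed in the thread, or the file is damaged)
#              2 = an account outside UID0_ALLOWED has UID 0
uid0_check() {
    f=${1:-/etc/passwd}
    ruid=$(root_uid "$f")
    if [ "$ruid" != "0" ]; then
        echo "$f: 'root' has UID '${ruid:-<none>}', not 0" >&2
        return 1
    fi
    extra=$(uid0_extra "$f")
    if [ -n "$extra" ]; then
        echo "$f: UID 0 accounts outside allowlist: $(echo "$extra" | tr '\n' ' ')" >&2
        return 2
    fi
    echo "$f: no UID 0 accounts beyond: $UID0_ALLOWED"
    return 0
}

# Constructed sample: a stock-looking file plus an extra UID 0 account.
sample_passwd() {
    t=$(mktemp) || return 1
    cat > "$t" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
backdoor:*:0:0:added later:/tmp:/bin/sh
mike:*:1001:1001:Mike:/home/mike:/bin/sh
EOF
    echo "$t"
}

# Constructed sample: "root" renamed to a decoy UID, real superuser is "admin".
sample_renamed_root() {
    t=$(mktemp) || return 1
    cat > "$t" <<'EOF'
root:*:1000:1000:Decoy root:/home/root:/bin/sh
admin:*:0:0:Real superuser:/root:/bin/sh
mike:*:1001:1001:Mike:/home/mike:/bin/sh
EOF
    echo "$t"
}

# Stand-alone demo on the constructed samples. On a live FreeBSD box run:
#   uid0_check /etc/master.passwd
for s in sample_passwd sample_renamed_root; do
    f=$($s)
    uid0_check "$f" || echo "  -> exit status $?"
    rm -f "$f"
done
```

The two samples cover the two situations the thread raises: an intruder adding their own UID 0 account (flagged with status 2 even though "root" looks untouched), and the "rename root" idea, where the name "root" still exists but no longer carries UID 0 (status 1). Run it from cron or a periodic(8) script against /etc/master.passwd rather than /etc/passwd on FreeBSD, since master.passwd is the file that actually grants access; and remember that on a honeypot you would expect it to start failing, which is exactly the signal you set the box up to collect.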
More information about the freebsd-questions mailing list