Security Basics mailing list archives
RE: newbie question about honeypot
From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Thu, 20 Aug 2009 11:39:45 -0400
Regards,

I believe you have the wrong objective for a HoneyPot (or honeynet). These technologies are used to make an attacker believe a system is more vulnerable than another (the real live production box). As such the attacker will hit the honeypot first (hopefully), waste time and, if you are lucky/wise, alert you before any damage is done.

You shouldn't try to fool an attacker into thinking you are more vulnerable than you are. Be secure; don't add ports on iptables just for the sake of the honeypot.

What you want, hiding ports and messing up the fingerprint, is a totally different issue and is OS (and protocol) specific. You could, for example, change the banner, change the ports and modify the IP settings (flags and timeout and so on) so that nmap believes you are someone you are not.

I'm no expert in this specific subject and can't help you set it up on your machine (not knowing what kind of *Nix you are using). However, I do know that there's a bunch of data out there for that.

Passive-Aggressive Resistance: OS Fingerprint Evasion
http://www.linuxjournal.com/article/4750

Have fun

Noted by someone else on the net:
Trying to modify your OS fingerprint is a fun trick, but you might remind your security auditors that it's nothing more than "security by obscurity". (i.e. Waste of effort, IMO.)
http://www.linuxforums.org/forum/misc/96516-os-fingerprint-change.html

Being an auditor, I agree it's security by obscurity. It's bad if it's the only step you take (IMHO).

Philippe Rivest - CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417
Fax: 514-856-7541
http://www.transforce.ca/

-----Original message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of J. Bakshi
Sent: 20 August 2009 10:43
To: security-basics () securityfocus com
Subject: newbie question about honeypot

Dear list,

My home server is already running an iptables firewall. Though an nmap scan is able to show the correct OS fingerprint and the open ports. I have come to know about honeypots, which can fool the port scanners. But I am still very confused about honeypots and their implementation. I would like to simply implement a honeypot which can hide the open ports but show some other non-opened ports to the scanner, as well as provide a false OS fingerprint report. There is honeyd and tinyhoneypot. Which one can do this and how to configure it? Please suggest.
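
The reply above says that IP settings such as flags and timeouts feed nmap's OS guess. The following Python example is added here for illustration and is not part of the original thread; it parses one IPv4/TCP SYN-ACK and reports the header fields a fingerprinting tool reads, so an administrator can see what a host exposes before and after changing such settings. The function name, the sample packet, its addresses and the list of common initial TTLs are assumptions made for this example.

```python
import struct

# Constructed sample (not captured traffic): IPv4 + TCP SYN-ACK from 10.0.0.5:22.
SAMPLE_SYNACK = bytes.fromhex(
    "4500003c000040003d0600000a0000050a000009"  # IPv4: DF set, TTL 61, proto TCP
    "0016d4310000000100000002a012712000000000"  # TCP: SYN+ACK, window 28960
    "020405b40402080a000000010000000201030307"  # options: MSS, SACK-perm, TS, NOP, WScale
)
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sack_perm", 8: "timestamp"}
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumption: usual stack defaults

def fingerprint_fields(pkt: bytes) -> dict:
    """Return the header fields of one IPv4/TCP packet that OS fingerprinting relies on."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _len, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4 packet carrying TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    opts = tcp[20:(off_flags >> 12) * 4]
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts) and opts[i] != 0:      # kind 0 = end of option list
        kind = opts[i]
        if kind == 1:                          # NOP is a single padding byte
            layout.append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        layout.append(OPTION_NAMES.get(kind, f"kind{kind}"))
        if kind == 2 and length == 4:
            mss = int.from_bytes(body, "big")
        elif kind == 3 and length == 3:
            wscale = body[0]
        i += length
    # Observed TTL has been decremented once per hop; round up to a common default.
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return {"ttl": ttl, "initial_ttl_guess": initial, "hops_guess": initial - ttl,
            "df": bool(flags_frag & 0x4000), "window": window, "mss": mss,
            "wscale": wscale, "option_layout": layout}

if __name__ == "__main__":
    for name, value in fingerprint_fields(SAMPLE_SYNACK).items():
        print(f"{name:18} {value}")
```

The order of the TCP options and the window size are implementation details of the IP stack, which is why the reply calls fingerprint changes OS specific.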