From: Bart Silverstrim
Date: Thu, 9 Sep 2004 13:06:32 -0400
To: freebsd-questions@freebsd.org
Subject: Re: Tar pitting automated attacks
In-Reply-To: <200409091144.00787.m.hauber@mchsi.com>
Message-Id: <998F12A8-0282-11D9-A45D-000D9338770A@chrononomicon.com>

On Sep 9, 2004, at 11:44 AM, Mike Hauber wrote:

> That makes sense... I haven't gotten so much into security
> that I would want to "invite" a potential cracker. I would
> just as soon they go and bug someone else (who knows, maybe
> it will result in more BSD admins. :) )
>
> How difficult would it be to have a "dummy" system set up on
> the LAN where incoming SSH could be transparently routed
> to?

Depending on your router, very easy. Redirect a port on the router to point to an inside computer running the service you want redirected.

I used to do it all the time with my home Linksys system...redirected mail to one of the computers inside and web requests to a second computer. From the outside world, they both looked like my NATed address facing the Internet.

> In fact (and even the idea gives me the creeps), how
> difficult would it be to change "root" to something else,
> and then create a dummy root account?

Not hard at all...anyone with the UID of 0 on a UNIX system is "root". Change the UID and you have a new root...reassign the UID of root and it will no longer have superuser privileges. However, this may break some programs or some functionality, and if the "hacker" had intelligence above a cucumber they would be reaching for UID 0, not necessarily just root by name. Wouldn't take them long to realize something was wrong if they got "root" and weren't able to do some things or see files that are supposed to be readable by UID 0...

> I mean, if one is
> attempting to get a cracker to waste his time, then why not
> wet his whistle and let him think he's actually getting
> somewhere?
>
> I don't know anything about this kind of thing (I'm just not
> devious enough, I guess). How should I go about googling
> this to learn more? Is there a term for it?

"Honeypot" and "Honeynet". :-)

What may work better is a system that is in a DMZ, virtualized within something like VMware (is Virtual PC ever used for something like this?). Honeypots are often run in environments like that for analysis and monitoring. But if you're truly paranoid, this computer would be on its own segment on the other side of its own firewall...i.e., you have your Internet connection to your router, then to the network containing your honeypot machine and image, and then another router/firewall protecting your actual network, and never the twain shall meet (plus monitoring software on your internal *NIX systems...like snort...to check for leaks).

At least, that's how I would do it if I had limited resources but really wanted to try to lure them in. Letting ANY experimental, unpatched network image run as a honeypot inside your actual network where regular email and net traffic flow is a bad idea, and if the image is cracked, it is still possible for it to start flooding your Internet connection and may result in some overzealous admins blacklisting you or blocking off access from your IP, unless you get a second IP to the Internet and use that entirely as your "honeynet".

-Bart
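An added check that follows from the point above that UID 0, not the name "root", is what confers superuser rights: it enumerates every UID-0 account in a passwd-style file and flags the ones an admin should look at (example script written for this thread, not from the original post or from FreeBSD; the sample master.passwd contents, the fake hashes and the function names are constructed).

```shell
#!/bin/sh
# Audit superuser accounts in a passwd-style file. Added example, not from the
# original thread. Works on FreeBSD /etc/master.passwd (10 fields, hash in
# field 2) and on 7-field /etc/passwd (where field 2 is usually just "*" or "x").
#
# Whoever holds UID 0 is root, whatever the account is called, so the check
# enumerates UID 0 by number rather than looking for the name "root".

# list_uid0 FILE: print "NAME STATUS" for every UID-0 account, where STATUS is
#   locked  - password field is "*" or starts with "!" (no password login)
#   empty   - password field is empty (passwordless superuser)
#   hashed  - a password hash (or "x") is present
list_uid0() {
    awk -F: '
        /^#/ || NF < 7 { next }                       # comments, blank, malformed
        $3 == 0 {
            st = "hashed"
            if ($2 == "")                    st = "empty"
            else if ($2 == "*" || $2 ~ /^!/) st = "locked"
            print $1, st
        }' "$1"
}

# uid0_findings FILE: print only the entries worth a look: any UID-0 account
# that is not root and not locked (FreeBSD ships a locked "toor", which is
# fine), and root itself if it has an empty password.
uid0_findings() {
    list_uid0 "$1" | awk '
        $1 == "root" && $2 == "empty"  { print; next }
        $1 != "root" && $2 != "locked" { print }'
}

# Constructed sample in master.passwd layout (hashes are fake placeholders):
# name:hash:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_MASTER_PASSWD='root:$6$FAKEHASH1:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
sysadm:$6$FAKEHASH2:0:0::0:0:renamed root:/home/sysadm:/bin/sh
backup::0:0::0:0:passwordless uid 0:/:/bin/sh
mike:$6$FAKEHASH3:1001:1001::0:0:Mike:/home/mike:/bin/sh'

# Usage: write the sample to a temp file and audit it.
# On a real box: uid0_findings /etc/master.passwd
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_MASTER_PASSWD" > "$tmp"
uid0_findings "$tmp"    # prints: sysadm hashed / backup empty
rm -f "$tmp"
```

The decoy "sysadm" account from the thread shows up immediately because it holds UID 0 with a usable password, which is exactly what an attacker enumerating by UID would also see.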