brute force ssh attack

Guy Fraser guy at incentre.net
Thu Apr 28 14:56:19 UTC 2005


On Wed, 2005-27-04 at 17:13 -0400, Matthew Miller wrote:
> On Wed, Apr 27, 2005 at 10:56:38AM -0500, Aleksandar Milivojevic wrote:
> > >there are numerous brute force ssh attacks in the web.  
> > >I was quite curious, and for fun, I created the typical 
> > >user accounts and set easy to guess passwords.... 
> > Generally, very bad idea.  Unless you know exactly what you are doing, 
> > which you obviously don't.
> 
> What's the harm? I mean, assuming you're planning on doing a limited,
> controlled experiment?

That was how I understood your initial post; it sounded like you 
were intentionally creating a honey pot.

> > You don't just unplug network cable.  You wipe off machine and reinstall 
> > it from scratch.  Simple as that.
> 
> Sure. But it doesn't hurt to investigate what happened. It's educational.

Absolutely correct. That is a good way to see how intrusions 
are performed.

A couple of suggestions though:

1) You should make sure that the honey pot is segregated on its 
own little subnet. If possible, isolate it with a dedicated router
to ensure ARP poisoning can't be used by it to capture traffic
from other devices on your switch once the honey pot is 
compromised.

2) Make sure that honey pot is blocked from accessing the rest 
of your network(s) with a router that is not accessible 
directly from the honey pot.

3) Capture all traffic that is sent or received by the honey pot
for later analysis. You can use the captured data to confirm the 
actions that transpired, and if logs are removed you still have 
an audit trail.

Honey pots can be fun, especially if you're a bear. ;-)
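The three suggestions above (own subnet behind a dedicated router, no path from the honey pot to the router or the internal networks, full traffic capture kept off the honey pot) can be expressed as one small gateway-side script. The following is an added example for illustration and is not code from the original post or its author. It assumes a Linux router with three interfaces: hp0 holding the honey pot subnet 192.0.2.0/24, lan0 holding the internal networks 10.0.0.0/8 and 192.168.0.0/16, and wan0 as the uplink; all of those names and addresses are hypothetical, and the honey pot addresses are assumed to be routed rather than NATed (no nat table is generated).

```shell
#!/bin/sh
# Added example, not from the original post. Gateway-side configuration for a
# honey pot subnet, run on the dedicated router in front of the honey pot,
# never on the honey pot itself. All names and addresses are assumptions:
#   hp0   192.0.2.0/24                   interface and subnet of the honey pot
#   lan0  10.0.0.0/8, 192.168.0.0/16     the networks to protect
#   wan0  uplink; honey pot addresses are routed, not NATed
HP_IF=hp0
HP_NET=192.0.2.0/24
LAN_IF=lan0
INTERNAL_NETS="10.0.0.0/8 192.168.0.0/16"
WAN_IF=wan0
CAP_DIR=/var/captures

# Print an iptables-restore ruleset. Default policy on INPUT and FORWARD is
# DROP, so anything not explicitly allowed is blocked: the honey pot can only
# talk to the Internet, never to the router or to the internal LANs.
honeypot_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # The router itself is reachable from the internal LAN only; packets
    # arriving on the honey pot interface are dropped before any service
    # (ssh, DHCP, DNS, ...) can see them.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -i $HP_IF -j DROP" \
        "-A INPUT -i $LAN_IF -j ACCEPT"
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Explicit, logged drops for honey pot -> internal networks. They sit
    # before the ACCEPT below and double as an early warning that the box
    # is being used as a pivot.
    for net in $INTERNAL_NETS; do
        printf '%s\n' \
            "-A FORWARD -i $HP_IF -d $net -j LOG --log-prefix \"honeypot-pivot: \"" \
            "-A FORWARD -i $HP_IF -d $net -j DROP"
    done
    # Anti-spoofing: only the honey pot's own addresses may leave hp0.
    printf '%s\n' "-A FORWARD -i $HP_IF ! -s $HP_NET -j DROP"
    # The honey pot may reach the Internet (intruders fetch their toolkits),
    # and the Internet may reach the honey pot (that is the point).
    printf '%s\n' "-A FORWARD -i $HP_IF -o $WAN_IF -s $HP_NET -j ACCEPT" \
        "-A FORWARD -i $WAN_IF -o $HP_IF -d $HP_NET -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Full-packet capture of everything crossing the honey pot interface, written
# on the router where the intruder cannot delete it. Rotates 100 MB files and
# keeps the last 50, dropping root to "nobody" once the interface is open, so
# $CAP_DIR must be writable by that user.
capture_cmd() {
    printf '%s\n' \
        "tcpdump -i $HP_IF -n -s 0 -C 100 -W 50 -Z nobody -w $CAP_DIR/honeypot.pcap"
}

apply() {
    mkdir -p "$CAP_DIR" && chown nobody "$CAP_DIR"
    honeypot_ruleset | iptables-restore
    nohup sh -c "$(capture_cmd)" >/dev/null 2>&1 &
}

case "${1-}" in
    apply) apply ;;
    show)  honeypot_ruleset; capture_cmd ;;
esac
```

Run it as `sh honeypot-gw.sh show` to review the ruleset and the capture command, and `sh honeypot-gw.sh apply` on the router to load them. The isolation only holds if hp0 is a separate physical port or VLAN, so that the honey pot's ARP traffic never reaches the switch ports the internal hosts are on; the firewall alone does nothing against layer-2 poisoning within a shared segment.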
