brute force ssh attack
Guy Fraser
guy at incentre.net
Thu Apr 28 14:56:19 UTC 2005
On Wed, 2005-27-04 at 17:13 -0400, Matthew Miller wrote:
> On Wed, Apr 27, 2005 at 10:56:38AM -0500, Aleksandar Milivojevic wrote:
> > >there are numerous brute force ssh attacks in the web.
> > >I was quite curious, and for fun, I created the typical
> > >user accounts and set easy to guess passwords....
> > Generally, very bad idea. Unless you know exactly what you are doing,
> > which you obviously don't.
>
> What's the harm? I mean, assuming you're planning on doing a limited,
> controlled experiment?
That was how I understood your initial post, it sounded like you
were intentionally creating a honey pot.
> > You don't just unplug network cable. You wipe off machine and reinstall
> > it from scratch. Simple as that.
>
> Sure. But it doesn't hurt to investigate what happened. It's educational.
Absolutely correct. That is a good way to see how intrusions
are performed.
A couple of suggestions though:
1) You should make sure that the honey pot is segregated on its
own little subnet. If possible isolated with a dedicated router
to ensure ARP poisoning can't be used by it to capture traffic
from other devices on your switch once the honey pot is
compromised.
2) Make sure that honey pot is blocked from accessing the rest
of your network(s) with a router that is not accessible
directly from the honey pot.
3) Capture all traffic that is sent or received by the honey pot
for later analysis. You can use the captured data to confirm the
actions that transpired and if logs are removed you still have
an audit trail.
Honey pots can be fun, especially if you're a bear. ;-)
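The three suggestions above (own subnet behind a dedicated router, no path from the honeypot into the rest of the network, capture everything on the router side) can be written down as a single forwarding policy and checked before the honeypot goes live. The following is an added example and not code from this thread or from any poster; the addresses, the interface names (hp0 facing the honeypot, wan0 the Internet, lan0 the internal network) and the assumption of a Linux router using iptables and tcpdump are all constructed for illustration. `flow_allowed` models new-connection attempts only; return traffic of established sessions is assumed to be handled by connection tracking, as the rendered rules do.

```python
"""Honeypot isolation policy for the dedicated router in front of a honeypot.

Added example, not code from the mailing-list thread. All addresses are
constructed placeholders (RFC 5737 documentation space for the honeypot
leg and the "Internet", RFC 1918 space for the internal network).
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List

# Constructed topology: the honeypot lives alone on 192.0.2.0/29 behind a
# dedicated router, so it shares no broadcast domain (and no ARP table) with
# the internal switch. The capture host sits on the internal side and is
# never reachable from the honeypot.
HONEYPOT_NET = IPv4Network("192.0.2.0/29")
HONEYPOT_SSH_PORT = 22
INTERNAL_NETS = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]
ROUTER_MGMT = IPv4Address("192.0.2.1")   # router's interface on the honeypot leg
CAPTURE_DIR = "/var/captures"            # assumed path on the router / capture host


def _in_internal(addr: IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def flow_allowed(src: str, dst: str, dport: int) -> bool:
    """Decide whether the router forwards a NEW connection src -> dst:dport.

    Policy (suggestions 1 and 2 of the post):
      - the router's own honeypot-side address is reachable only from the
        internal (admin) side, never from the honeypot or the Internet;
      - anything from the honeypot subnet toward internal space is dropped;
      - the honeypot may reach the Internet, so the intruder's downloads and
        call-backs are observable in the capture;
      - from the Internet only the honeypot's SSH port is reachable;
      - internal hosts may open SSH to the honeypot for administration.
    """
    s, d = IPv4Address(src), IPv4Address(dst)

    if d == ROUTER_MGMT:                 # checked first: .1 is inside the /29
        return _in_internal(s)

    if s in HONEYPOT_NET:
        return not _in_internal(d)       # Internet yes, internal no

    if d in HONEYPOT_NET:
        return dport == HONEYPOT_SSH_PORT  # same rule for Internet and admins

    return True  # traffic not touching the honeypot is not this router's concern


def router_rules() -> List[str]:
    """Render the same policy as iptables commands for a Linux router.

    Interface names are constructed assumptions: hp0 faces the honeypot,
    wan0 the Internet, lan0 the internal network.
    """
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -P INPUT DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    # Suggestion 2: no new sessions from the honeypot into the internal nets.
    for net in INTERNAL_NETS:
        rules.append(f"iptables -A FORWARD -i hp0 -d {net} -j DROP")
    rules.append(f"iptables -A FORWARD -i hp0 -s {HONEYPOT_NET} -o wan0 -j ACCEPT")
    # Only the honeypot's SSH service is exposed to the outside.
    rules.append(
        f"iptables -A FORWARD -i wan0 -d {HONEYPOT_NET} -p tcp "
        f"--dport {HONEYPOT_SSH_PORT} -m state --state NEW -j ACCEPT"
    )
    rules.append(
        f"iptables -A FORWARD -i lan0 -o hp0 -d {HONEYPOT_NET} -p tcp "
        f"--dport {HONEYPOT_SSH_PORT} -j ACCEPT"
    )
    # Router management only from the internal side (INPUT chain, not FORWARD).
    rules.append("iptables -A INPUT -i lan0 -p tcp --dport 22 -j ACCEPT")
    return rules


def capture_command() -> str:
    """Suggestion 3: capture every frame on the honeypot leg, on the router.

    Hourly rotated full-packet pcaps written outside the honeypot survive an
    intruder wiping the honeypot's own logs.
    """
    return (f"tcpdump -i hp0 -s 0 -G 3600 -w {CAPTURE_DIR}/honeypot-%Y%m%d-%H%M.pcap")


if __name__ == "__main__":
    for line in router_rules():
        print(line)
    print(capture_command())
```

The point of keeping `flow_allowed` next to `router_rules` is that the policy can be unit-tested against the flows you care about (honeypot to file server, honeypot to the router itself, Internet to a non-SSH port) before the rules are loaded; the rendered commands are what actually goes on the router.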