[wplug] howto advertise all ports as open
Nick Iglehart
nick at systemsecuritysolutions.com
Thu Apr 3 15:59:18 EST 2003
Look into portsentry.
Nick
> -----Original Message-----
> From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On
> Behalf Of Alexandros Papadopoulos
> Sent: Saturday, March 29, 2003 5:21 PM
> To: Eric C. Cooper
> Cc: wplug at wplug.org
> Subject: Re: [wplug] howto advertise all ports as open
>
>
> On Saturday 29 March 2003 16:21, Eric C. Cooper wrote:
> > On Sat, Mar 29, 2003 at 04:02:36PM -0500, Alexandros Papadopoulos:
> > > I've come across the idea of having a machine overwhelm an attacker
> > > by presenting *all* ports as listening/open.
> >
> > This is known as a honeypot.
>
> Honeypots are more elaborate than that, actually providing the break-in
> illusion, virtual hosts and services, forged header replies, etc. This
> is overkill for my purposes.
>
> >
> > > Does anyone know of such a module?
> >
> > A quick google turned up honeyd
> > (http://www.citi.umich.edu/u/provos/honeyd/) and Tiny Honeypot
> > (http://www.alpinista.org/thp/), for starters.
>
> thp looks closer to what I was looking for (since it runs on a
> single host/IP without the need to emulate virtual hosts), but
> again, it gets too complex. It needs to talk to xinetd (which I
> don't even want to run), uses perl scripts to serve up bogus
> information, uses local netfilter redirects, assumes that an IDS
> is running on the machine... a client box doesn't need all that.
>
> What I'm after is something that has the same effect as
>
> for $port in `cat /etc/services` do
> if [ $port < 1024 ]; do
> nc -l -p $port > /dev/null
> else
> # do nothing
> fi
> done
>
> (yeah, this is not legit bash syntax but you get the idea :-)
>
> ...and an accompanying ipfilter script in the fashion of:
>
> ## Drop all replies by default
> /sbin/iptables -P OUTPUT DROP
>
> ## Now allow for legitimate traffic of my machine
> ## Allow outgoing ssh
> /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 22 -j ACCEPT
> ## Allow outgoing HTTP
> /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
> ## Allow outgoing HTTPS
> /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 443 -j ACCEPT
> ## Allow outgoing POP3
> /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 110 -j ACCEPT
>
> ## etc...
>
> Something as simple as that might work, assuming that our netcats would
> all bind to <1024 ports (as any self-respecting vulnerable service
> does, anyhow :-)
>
> Now, this raises concerns with SYN floods (I don't know to what extent I
> can trust SYNcookies), and is generally a very ugly way of solving the
> issue.
>
> Cheers
>
> -A
> --
> http://andrew.cmu.edu/~apapadop/pub_key.asc
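A working version of the netcat sketch quoted above, added here as an example that is not part of the original thread: it reads an /etc/services-style list (a constructed excerpt is embedded so it runs offline), binds a listening socket on every TCP port below 1024 it finds, and accepts, logs and immediately closes each connection without ever sending a byte, so the decoy ports need no OUTPUT DROP rule of their own. The function names (decoy_ports, bind_decoys, accept_once) are this example's own, binding ports below 1024 requires root, and the SYN-flood concern raised in the thread still applies since every port now completes the handshake.

```python
import select
import socket
# Constructed /etc/services excerpt so the example runs offline (not from the mail).
SAMPLE_SERVICES = """\
ftp      21/tcp
ssh      22/tcp
domain   53/tcp
domain   53/udp
http     80/tcp   www  # alias and comment are ignored
https    443/tcp
mysql    3306/tcp
"""
def decoy_ports(services_text, limit=1024):
    """Sorted TCP ports below `limit` named in /etc/services-style text."""
    ports = set()
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto == "tcp" and port.isdigit() and int(port) < limit:
            ports.add(int(port))
    return sorted(ports)

def bind_decoys(ports, host="0.0.0.0"):
    """Listen on each port (below 1024 needs root; 0 means any free port);
    return ({bound_port: socket}, [ports that could not be bound])."""
    bound, failed = {}, []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            s.listen(16)
            bound[s.getsockname()[1]] = s
        except OSError:
            s.close()
            failed.append(port)
    return bound, failed

def accept_once(bound, timeout=1.0):
    """Accept connections that arrived within `timeout`, close them without
    sending a byte, and return (local_port, peer_ip) records for logging."""
    records = []
    readable, _, _ = select.select(list(bound.values()), [], [], timeout)
    for s in readable:
        conn, peer = s.accept()
        records.append((s.getsockname()[1], peer[0]))
        conn.close()
    return records
```

To run it on a real box, bind with `bind_decoys(decoy_ports(open("/etc/services").read()))` as root and loop over `accept_once(...)`, writing each record to your log.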