[wplug] howto advertise all ports as open

Bill bhalpin at collaborativefusion.com
Thu Apr 3 16:19:31 EST 2003


Nick

I'm curious, how were you intending Alex to use portsentry for
"advertising" open ports?

I never noticed anything in portsentry that would do that...


On Thu, 2003-04-03 at 15:59, Nick Iglehart wrote:
>  
> Look into portsentry.
> 
> Nick
> 
> > -----Original Message-----
> > From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On 
> > Behalf Of Alexandros Papadopoulos
> > Sent: Saturday, March 29, 2003 5:21 PM
> > To: Eric C. Cooper
> > Cc: wplug at wplug.org
> > Subject: Re: [wplug] howto advertise all ports as open
> > 
> > 
> > On Saturday 29 March 2003 16:21, Eric C. Cooper wrote:
> > > On Sat, Mar 29, 2003 at 04:02:36PM -0500, Alexandros Papadopoulos
> > > : 
> > > > I've come across the idea of having a machine overwhelm an attacker
> > > > by presenting *all* ports as listening/open.
> > >
> > > This is known as a honeypot.
> > 
> > Honeypots are more elaborate than that, actually providing the break-in
> > illusion, virtual hosts and services, forged header replies, etc. This
> > is overkill for my purposes.
> > 
> > >
> > > > Does anyone know of such a module?
> > >
> > > A quick google turned up honeyd
> > > (http://www.citi.umich.edu/u/provos/honeyd/) and Tiny Honeypot 
> > > (http://www.alpinista.org/thp/), for starters.
> > 
> > thp looks closer to what I was looking for (since it runs on a
> > single host/IP without the need to emulate virtual hosts), but
> > again, it gets too complex. It needs to talk to xinetd (which I don't
> > even want to run), uses perl scripts to serve up bogus information,
> > uses local netfilter redirects, assumes that an IDS is running on the
> > machine... a client box doesn't need all that.
> > 
> > What I'm after is something that has the same effect as
> > 
> > for $port in `cat /etc/services` do
> > 	if [ $port < 1024 ]; do
> > 		nc -l -p $port > /dev/null
> > 	else
> > 		# do nothing
> > 	fi
> > done
> > 
> > (yeah, this is not legit bash syntax but you get the idea :-)
> > 
> > ...and an accompanying ipfilter script in the fashion of:
> > 
> > ## Drop all replies by default
> > /sbin/iptables -P OUTPUT DROP
> > 
> > ## Now allow for legitimate traffic of my machine
> > ## Allow outgoing ssh
> > /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 22 -j ACCEPT
> > ## Allow outgoing HTTP
> > /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
> > ## Allow outgoing HTTPS
> > /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 443 -j ACCEPT
> > ## Allow outgoing POP3
> > /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 110 -j ACCEPT
> > 
> > ## etc...
> > 
> > Something as simple as that might work, assuming that our netcats would
> > all bind to <1024 ports (as any self-respecting vulnerable service
> > does, anyhow :-)
> > 
> > Now, this raises concerns with SYN floods (I don't know to what extent I
> > can trust SYNcookies), and is generally a very ugly way of solving the
> > issue.
> > 
> > Cheers
> > 
> > -A
> > --
> > http://andrew.cmu.edu/~apapadop/pub_key.asc
> > 3DAD 8435 DB52 F17B 640F  D78C 8260 0CC1 0B75 8265
> > 
> > _______________________________________________
> > wplug mailing list
> > wplug at wplug.org
> > http://www.wplug.org/mailman/listinfo/wplug
> > 
> >  
> > 
> 
> 
> 
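The "one netcat per low port" sketch in Alex's message, written out as working sh; this is an added example, not code from the thread or from any of its participants. It assumes a netcat that accepts `nc -l -p PORT` (GNU/traditional nc), and the services lines it parses are a constructed sample, not a real /etc/services.

```shell
#!/bin/sh
# Added example (not from the thread): parse /etc/services format
# (name port/proto [aliases] [# comment]), keep the distinct TCP ports
# below a limit, and start one decoy listener per port so a port scan
# sees them all as open. Assumption: nc supports `nc -l -p PORT`.

# Print distinct TCP ports below LIMIT (default 1024) from a services file.
low_tcp_ports() {
    file=$1
    limit=${2:-1024}
    sed 's/#.*//' "$file" \
        | awk -v lim="$limit" '
            NF >= 2 && $2 ~ /^[0-9]+\/tcp$/ {
                split($2, a, "/")
                if (a[1] + 0 < lim + 0) print a[1] + 0
            }' \
        | sort -n -u        # 22/tcp listed once even if it has aliases
}

# Start one background `nc -l -p PORT` per low port; PIDs go to a file so
# the decoys can be torn down with `kill $(cat PIDFILE)`. Binding below
# 1024 needs root, and each listener is a process, so a SYN flood against
# them costs real resources (the concern raised in the thread).
listen_all() {
    pidfile=${2:-/tmp/decoy-ports.pids}
    : >"$pidfile"
    low_tcp_ports "$1" | while read -r port; do
        nc -l -p "$port" </dev/null >/dev/null 2>&1 &
        echo $! >>"$pidfile"
    done
}

# Constructed sample in /etc/services format (not a real system file).
SAMPLE_SERVICES=$(mktemp)
cat >"$SAMPLE_SERVICES" <<'EOF'
# Network services, Internet style
ftp       21/tcp
ssh       22/tcp              # SSH Remote Login Protocol
ssh       22/udp
domain    53/tcp
domain    53/udp
http      80/tcp    www       # WorldWideWeb HTTP
kerberos  88/tcp    kerberos5 krb5
pop3      110/tcp   pop-3
https     443/tcp
mysql     3306/tcp
EOF
```

On a real host you would call `listen_all /etc/services` as root and pair it with the OUTPUT-chain allowlist from the message; the sample file above only exercises the parser.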
