[wplug] howto advertise all ports as open

Nick Iglehart nick at systemsecuritysolutions.com
Thu Apr 3 16:45:38 EST 2003


 

Portsentry can be configured to run on any and all ports you want it
to and it will pretend to be a listening port. Set it to run on all
ports and it gladly will.

Nick

> -----Original Message-----
> From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On 
> Behalf Of Nick Iglehart
> Sent: Thursday, April 03, 2003 3:59 PM
> To: wplug at wplug.org
> Subject: RE: [wplug] howto advertise all ports as open
> 
> 
>  
> 
> Look into portsentry.
> 
> Nick
> 
> > -----Original Message-----
> > From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On
> > Behalf Of Alexandros Papadopoulos
> > Sent: Saturday, March 29, 2003 5:21 PM
> > To: Eric C. Cooper
> > Cc: wplug at wplug.org
> > Subject: Re: [wplug] howto advertise all ports as open
> > 
> > 
> > 
> > On Saturday 29 March 2003 16:21, Eric C. Cooper wrote:
> > > On Sat, Mar 29, 2003 at 04:02:36PM -0500, Alexandros Papadopoulos:
> > > > I've come across the idea of having a machine overwhelm an attacker
> > > > by presenting *all* ports as listening/open.
> > >
> > > This is known as a honeypot.
> > 
> > Honeypots are more elaborate than that, actually providing the break-in
> > illusion, virtual hosts and services, forged header replies, etc. This
> > is overkill for my purposes.
> > 
> > >
> > > > Does anyone know of such a module?
> > >
> > > A quick google turned up honeyd
> > > (http://www.citi.umich.edu/u/provos/honeyd/) and Tiny Honeypot
> > > (http://www.alpinista.org/thp/), for starters.
> > 
> > thp looks closer to what I was looking for (since it runs on a single
> > host/IP without the need to emulate virtual hosts), but again, it gets
> > too complex. It needs to talk to xinetd (which I don't even want to
> > run), uses perl scripts to serve up bogus information, uses local
> > netfilter redirects, assumes that an IDS is running on the machine... a
> > client box doesn't need all that.
> > 
> > What I'm after is something that has the same effect as
> > 
> > # one-shot do-nothing listener on every privileged TCP port listed in /etc/services
> > # (traditional netcat syntax; nc exits after the first connection on that port)
> > for port in $(awk -F'[ \t/]+' '$3 == "tcp" {print $2}' /etc/services | sort -un); do
> > 	if [ "$port" -lt 1024 ]; then
> > 		nc -l -p "$port" > /dev/null &
> > 	fi
> > done
> > 
> > (yeah, this is not legit bash syntax but you get the idea :-)
> > 
> > ...and an accompanying ipfilter script in the fashion of:
> > 
> > ## Drop all replies by default
> > /sbin/iptables -P OUTPUT DROP
> > 
> > ## Now allow for legitimate traffic of my machine
> > ## Allow outgoing ssh
> > /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 22 -j ACCEPT
> > ## Allow outgoing HTTP
> > /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
> > ## Allow outgoing HTTPS
> > /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 443 -j ACCEPT
> > ## Allow outgoing POP3
> > /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 110 -j ACCEPT
> > 
> > ## etc...
> > 
> > Something as simple as that might work, assuming that our netcats would
> > all bind to <1024 ports (as any self-respecting vulnerable service does,
> > anyhow :-)
> > 
> > Now, this raises concerns with SYN floods (I don't know to what extent I
> > can trust SYNcookies), and is generally a very ugly way of solving the
> > issue.
> > 
> > Cheers
> > 
> > -A
> > --
> > http://andrew.cmu.edu/~apapadop/pub_key.asc
> > 3DAD 8435 DB52 F17B 640F  D78C 8260 0CC1 0B75 8265
> > 
> > _______________________________________________
> > wplug mailing list
> > wplug at wplug.org
> > http://www.wplug.org/mailman/listinfo/wplug
> > 
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.463 / Virus Database: 262 - Release Date: 3/17/2003
> >  
> > 
> 
> 
> 
> 
>  
> 


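The loop of netcat listeners sketched in the thread, written out as an added Python example (not code from any of the posters or from portsentry): it parses /etc/services-style text for privileged TCP ports, binds a decoy listener on each port it can, and accepts, records and immediately closes every probe so the port reads as open while serving nothing. The services excerpt is constructed for the example; binding below 1024 needs root, and host="0.0.0.0" in the main block is an assumption.

```python
import selectors, socket

# Constructed excerpt in /etc/services format (not the real file), used for offline testing.
SAMPLE_SERVICES = """\
ssh      22/tcp
http     80/tcp   www
pop3     110/udp
https    443/tcp   # comment
radius   1812/tcp
"""

def tcp_ports_from_services(text, limit=1024):
    """Return sorted unique TCP ports below `limit` parsed from /etc/services-style text."""
    ports = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments, then tokenise
        if len(fields) > 1 and "/" in fields[1]:
            number, proto = fields[1].split("/", 1)
            if proto == "tcp" and number.isdigit() and int(number) < limit:
                ports.add(int(number))
    return sorted(ports)

def bind_decoys(ports, host="127.0.0.1"):
    """Bind a non-blocking listener on every port we can; each is registered with its real port."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(16)
            s.setblocking(False)
            sel.register(s, selectors.EVENT_READ, s.getsockname()[1])
        except OSError:          # already in use, or <1024 without root: skip, not fatal
            s.close()
    return sel

def handle_ready(sel, timeout=None):
    """One select pass: accept each pending probe, close it at once, return (peer, port) records.
    The TCP handshake completes (the port looks open) but no banner or data is ever sent."""
    hits = []
    for key, _ in sel.select(timeout):
        conn, (peer, _) = key.fileobj.accept()
        conn.close()
        hits.append((peer, key.data))
    return hits

if __name__ == "__main__":
    sel = bind_decoys(tcp_ports_from_services(open("/etc/services").read()), host="0.0.0.0")
    while True:
        for peer, port in handle_ready(sel):
            print(f"probe from {peer} -> port {port}")
```

The local firewall must let the listeners' own SYN/ACKs out, otherwise the ports show as filtered rather than open; each accepted connection is closed straight away, so the process keeps no per-probe state beyond the kernel's accept queue, and SYN cookies remain the kernel's business under a flood.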



