[wplug] howto advertise all ports as open
Alexandros Papadopoulos
apapadop at cmu.edu
Sat Mar 29 17:21:00 EST 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Saturday 29 March 2003 16:21, Eric C. Cooper wrote:
> On Sat, Mar 29, 2003 at 04:02:36PM -0500, Alexandros Papadopoulos :
> > I've come across the idea of having a machine overwhelm an attacker
> > by presenting *all* ports as listening/open.
>
> This is known as a honeypot.
Honeypots are more elaborate than that, actually providing the break-in
illusion, virtual hosts and services, forged header replies, etc. This
is overkill for my purposes.
>
> > Does anyone know of such a module?
>
> A quick google turned up honeyd
> (http://www.citi.umich.edu/u/provos/honeyd/) and Tiny Honeypot
> (http://www.alpinista.org/thp/), for starters.
thp looks closer to what I was looking for (since it runs on a single
host/IP without the need to emulate virtual hosts), but again, it gets
too complex. It needs to talk to xinetd (which I don't even want to
run), uses perl scripts to serve up bogus information, uses local
netfilter redirects, assumes that an IDS is running on the machine... a
client box doesn't need all that.
What I'm after is something that has the same effect as
for $port in `cat /etc/services` do
if [ $port < 1024 ]; do
nc -l -p $port > /dev/null
else
# do nothing
fi
done
(yeah, this is not legit bash syntax but you get the idea :-)
...and an accompanying ipfilter script in the fashion of:
## Drop all replies by default
/sbin/iptables -P OUTPUT DROP
## Now allow for legitimate traffic of my machine
## Allow outgoing ssh
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 22 -j ACCEPT
## Allow outgoing HTTP
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
## Allow outgoing HTTPS
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 443 -j ACCEPT
## Allow outgoing POP3
/sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 110 -j ACCEPT
## etc...
Something as simple as that might work, assuming that our netcats would
all bind to <1024 ports (as any self-respecting vulnerable service
does, anyhow :-)
Now, this raises concerns with SYN floods (I don't know to what extent I
can trust SYNcookies), and is generally a very ugly way of solving the
issue.
Cheers
-A
--
http://andrew.cmu.edu/~apapadop/pub_key.asc
3DAD 8435 DB52 F17B 640F D78C 8260 0CC1 0B75 8265
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+hhxMgmAMwQt1gmURAuLaAJ9lEZGgBMw4xtbsh+kvMdFog9CibwCfQdi6
BttvG1IDnDTU8ofdHZrZIQk=
=5CBO
-----END PGP SIGNATURE-----
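A working version of the netcat loop sketched in the message, added here as an example; it is not part of the original post and not code from thp or honeyd. It assumes the usual /etc/services layout ("name  port/proto  aliases  # comment"), a netcat that accepts "-l -p PORT" (the traditional/GNU flavour; OpenBSD nc uses -l PORT), and root to bind ports below 1024. The only thing it does with a connection is discard it, which is what the sketch asks for.

```shell
#!/bin/sh
# Added example (not from the original post): list the privileged TCP ports
# named in a services file and start one throw-away listener on each.

# Print every distinct TCP port below 1024 named in the given services file.
# Comment lines, blank lines and UDP-only entries are ignored.
privileged_tcp_ports() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and blank lines
        {
            split($2, a, "/")                  # "22/tcp" -> a[1]="22", a[2]="tcp"
            if (a[2] == "tcp" && a[1] + 0 < 1024) print a[1]
        }
    ' "$1" | sort -un
}

# Start a background loop per port that accepts a connection, discards the
# data and listens again (plain "nc -l" exits after one connection).
# Assumption: netcat understands "-l -p PORT"; requires root for ports < 1024.
start_decoys() {
    services="${1:-/etc/services}"
    for port in $(privileged_tcp_ports "$services"); do
        echo "decoy listener on tcp/$port"
        ( while :; do nc -l -p "$port" > /dev/null 2>&1; done ) &
    done
}

# Usage (as root): . ./decoys.sh; start_decoys
# Uncomment to run stand-alone:
# start_decoys "$@"
```

Two practical caveats. A real service that already owns one of these ports simply wins the bind and the decoy loop spins on a bind error, so in practice you would skip ports that are already listening. More importantly, with the OUTPUT policy set to DROP as in the iptables sketch, the decoys' own SYN/ACK replies are dropped too, so the ports appear filtered rather than open; a rule such as "/sbin/iptables -A OUTPUT -p tcp --sport 1:1023 -j ACCEPT" (or an ESTABLISHED,RELATED state match) is needed before the scanner sees anything "open" at all.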