[Gllug] honeypots and iptables redirects?

Russell Howe rhowe at siksai.co.uk
Sun Sep 4 09:08:07 UTC 2005


On Sat, Sep 03, 2005 at 06:00:55PM +0100, Benedikt Heinen wrote:
> >I changed the SSH port to something obscure and the attacks stopped.
> 
> That surely is a way - but I'd rather look for something to keep potential 
> attackers busy so that they eventually get caught out - i.e. either slow 
> them with a tarpit (connection speed limitation) or better, just silently 
> forward them to a honey-pot.
> 
> For one thing, it (hopefully) gives time to properly report them (while 
> the attack is still running), if they are on a network where reporting 
> makes sense (i.e. if they're attacking from a system within Europe/US).

Since the machine doing the scanning is likely just another compromised
*nix box, all you will be reporting is that someone somewhere has an
insecure box.

If they were lax enough to have an old ssh installed, or weak passwords,
or enabled root login over ssh on an internet-accessible machine, then
the chances of them reacting sensibly to being told that their machine
is compromised are pretty low, I expect.

You'll probably find that they're running RH6.4 publicly on the 'net or
something, without a firewall.

Instead of wiping the machine and reinstalling from scratch (which is
pretty much the only way to be safe after being rooted), they'll
probably just delete what they can find and reinstall sshd. They might
not even do that - maybe they'll just stick a firewall between the
compromised box and the internet or something!

I really think ISPs should be monitoring this kind of stuff and
disconnecting users who are running zombies. Of course, this isn't going
to happen. It's not in the ISP's interests to go disconnecting users,
and ISPs are usually pretty stretched anyway and aren't about to go
installing monitoring systems to punish their users for being ignorant
and/or dumb.

Even if ISPs were to do something like
iptables -I FORWARD -d "$CUSTOMER" -p {tcp,udp} -m state --state NEW -j REJECT

it wouldn't be very effective, as there are so many hugely complicated
and massively exploitable network clients out there that the user is
quite capable of going out and being tricked into exploiting their own
machine in any one of a huge number of ways!

This rant doesn't really say anything, but I just felt like having a bit
of a bitch :)

If you aren't qualified to admin a computer, you should probably get
someone else to do it for you - it's scary enough the number of
compromised machines out there which have people paid to administer
them. When I think about the number of home machines out there which
have nobody at all to ensure they're clean and running properly, it
just makes me giddy.

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug