> On Wed, 05 Jul 2006 17:01:35 BST, Tom Doherty said:
>> Sorry, I must not have made myself clear. My query wasn't about preventing
>> ssh bruteforcing (such threads have been done to death). I wanted to
>> display passwords tried; being a honeypot, I'm encouraging people to try
>> and gain access.
>
> I got that part - I was replying to Nikola's suggestion to build a "lock
> them out" system around it. Leaving something open until your honeypots and
> other sensors trigger is just *asking* for trouble - the most obvious failure
> mode is if they poke the Crown Jewels machine and get lucky on the first try.
> Unless *very* well designed and maintained, it's also usually possible to use
> feedback systems like that to make the victim DoS themselves by blocking
> access to something they really wanted to talk to...
>
> Honeypots are good for gathering intel. But you shouldn't rely on them as
> an IPS.
>
>
Greetings to all, I have been reading a lot about Honeypots/Honeynets the
past year and my MSc Thesis was also the Design and Implementation of a
Gen3 Honeynet.
I have also discussed the subject with various students, professors and
security professionals in Greece.
In this thread I feel that some people have many areas of Network Security
confused.
So let's start:
1) About the beginning of the thread and Tom Doherty's question:
I would say that any attacker that tried to breach a system with such a
poor security policy and failed is under no circumstances a threat for
modern Network Security. I mean you left the door unlocked and a note
saying you are not there... If the guy can't open the door he is
incapable of harm and most probably a victim himself. So this should be
recorded in your "Honeypot Journal" as a low threat attack. If you want
to be more specific you can check the logs and judge by the time between
the attempts whether it was automated or not. If you want even more info you
should have saved the entire communication in "raw packets" and then
analyzed it in ethereal or snort to try and recognise any known
signatures. In any case such attacks provide you no real "Honeypot
Information" since you caught the smallest of the fish possible (probably
a script kiddie).
2) As mentioned by others there are many ways and implementations to make
your system "log" SSH login attempts. If you had SEBEK installed for
example, SEBEK would record and timestamp the attempts for you, hence
save you time and brainpower.
3) I would suggest to all of you out there running "LIVE"
Honeypots/Honeynets, and lacking some knowledge, to read as much as possible
about Network Security and Internet Threats. Honeypots are resources that
can be a serious threat to your network if the attacker can take them over
and disable your measures. Just never forget the 3 golden rules: DATA
CONTROL - DATA CAPTURE - DATA ANALYSIS
4) Honeypots and Honeynets are definitely not an architecture to "just"
gather information. After all a honeynet is a network of honeypots where
data is captured and controlled, and some of its components include IDS/IPS
and firewalls. Also don't forget that a honeypot works based on the
attacker's intent and not just on content like all other security
systems (IDS, firewalls, antivirus). Having a honeypot deployed to a
corporate network can alert you of unknown attacks that have passed
through all other security measures (a fresh worm for example).
I hope this helped a little, sorry for the long mail and all the spelling
errors, take care
Andreas Derdemezis.
BEng IT , Msc ICT (e-Tech), Msc ITT
Received on Jul 07 2006
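Point 1 above suggests judging from the time between attempts whether a failed SSH login run was automated. The script below is an added example (not part of the thread, and not SEBEK or any tool named in it) that parses constructed sshd "Failed password" syslog lines from a honeypot, groups them by source address, and flags a source as scripted when the mean gap between its attempts is under a threshold; the log lines, host name `honey`, addresses and the 2-second threshold are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the syslog format sshd wrote in 2006 (not real captured
# data): a fast scripted-looking source, a slow manual-looking one, and a lone attempt.
SAMPLE_LOG = """\
Jul  5 17:01:35 honey sshd[2231]: Failed password for root from 10.0.0.5 port 40112 ssh2
Jul  5 17:01:36 honey sshd[2233]: Failed password for root from 10.0.0.5 port 40113 ssh2
Jul  5 17:01:37 honey sshd[2235]: Failed password for invalid user admin from 10.0.0.5 port 40114 ssh2
Jul  5 17:01:38 honey sshd[2237]: Failed password for invalid user test from 10.0.0.5 port 40115 ssh2
Jul  5 18:10:02 honey sshd[2410]: Failed password for root from 10.0.0.9 port 51020 ssh2
Jul  5 18:10:41 honey sshd[2412]: Failed password for root from 10.0.0.9 port 51021 ssh2
Jul  5 18:12:15 honey sshd[2414]: Failed password for root from 10.0.0.9 port 51022 ssh2
Jul  5 19:00:00 honey sshd[2500]: Failed password for root from 10.0.0.7 port 60000 ssh2
"""

# "invalid user" is prefixed by sshd when the account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2006):
    """Return (timestamp, user, source_ip) tuples; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events

def classify_sources(events, auto_gap=2.0):
    """Per source IP: attempt count, distinct users tried, mean gap in seconds, automated flag."""
    by_ip = {}
    for ts, user, ip in sorted(events):
        by_ip.setdefault(ip, []).append((ts, user))
    report = {}
    for ip, attempts in by_ip.items():
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(attempts, attempts[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else None  # None: single attempt, no timing evidence
        report[ip] = {
            "attempts": len(attempts),
            "users": list(dict.fromkeys(u for _, u in attempts)),
            "mean_gap": mean_gap,
            "automated": mean_gap is not None and mean_gap < auto_gap,
        }
    return report
```

Sub-second or one-second spacing across many usernames is the signature of a dictionary script; a single attempt yields no timing evidence and is deliberately left unflagged.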