Honeypots: Re: Displaying SSH password attempts

From: <ader_at_ait.edu.gr>
Date: Tue, 11 Jul 2006 02:01:11 +0300 (EEST)

> On Fri, 07 Jul 2006 20:29:23 +0300, ader_at_ait.edu.gr said:
>
>> I would say that any attacker that tried to breach a system with such a
>> poor security policy and failed, is under no circumstances a threat for
>> modern Network Security. I mean you left the door unlocked and a note
>> saying you are not there... If the guy can't open the door he is
>> incapable of harm and most probably a victim himself.
>
> So tell me.. if you saw a flood of 62,497 totally lame ssh password probe
> attempts from the same set of 4 IP addresses, what are the chances that
> you'd be more likely to totally *fail* to notice a 4-packet zero-day
> from one of those 4 addresses?
>
> It's called "flying under the radar"...

I really don't get the point in your question... In the "flying under the
radar" scenario you just mentioned... you really are not flying under the
radar, are you?????

1) In Corporate Networks --- By making all those thousands of attempts to log
into SSH, the attacker accomplishes only one thing... to get his IP
dropped. Any address that tries this many failed attempts is definitely
hostile and gets blacklisted.
What you mentioned is definitely a bad way to fly under the radar...
Sending fake requests, or gibberish packets may hide the real attack but
still in modern Network Security, any IP addresses that flood a service
(HTTP, SSH, TELNET etc) should be considered hostile and get dropped by the
firewall.

2) In Honeypots --- Well, in the case that the attacker is already aware of
your honeypot, and tries to hide his real attack by spamming your SSH
daemon with lame attempts, you should read my last comment about
honeypots and how dangerous they can be. Any LIVE honeypots must be
properly configured and that is your job to do... Having proper DATA
CAPTURING and DATA ANALYSIS tools helps to identify the attacks.... That's
why SEBEK is such a nice tool, since it records all the packets
transferred and classifies any known attacks. DATA ANALYSIS is one of the
biggest burdens for Security Engineers since in many cases there are
millions of false-positive alerts and trying to find real attacks is
almost impossible (A thorough Nessus scan for a single system triggers
thousands of IDS alerts by the way).

I hope it clarified my positions a bit...
Received on Jul 11 2006
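The first point of the post above (flag and drop any source that floods SSH with failed logins) and the "flying under the radar" worry in the quoted reply, as an added example that is not part of the original post or of any tool the thread mentions: a small Python script that counts failed sshd password attempts per source address over constructed auth.log lines, flags sources over a threshold for blacklisting, and separately lists any non-failure events from those same sources so that a handful of packets buried in the flood still get surfaced for review. The OpenSSH log layout assumed by the regex, the threshold of 10, the hostname "honeypot" and the addresses (taken from the RFC 5737 documentation ranges) are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Assumed OpenSSH auth-log layout for password successes and failures; this is
# the example's assumption about the format, not anything stated in the thread.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_sshd_line(line):
    """Return (outcome, user, ip) for a password-auth line, or None otherwise."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    return m.group("outcome"), m.group("user"), m.group("ip")


def summarize(lines, threshold=10):
    """Count failures per source; flag sources at/over the threshold as hostile.

    Returns a dict with:
      failures: {ip: failed-attempt count}
      hostile:  set of IPs at or over the threshold (candidates for blocking)
      buried:   {hostile ip: [(outcome, user), ...]} for every NON-failure
                event from a hostile source, i.e. the events a plain
                "drop the flooder" rule would otherwise never show anyone.
    """
    failures = Counter()
    non_failures = defaultdict(list)
    for line in lines:
        parsed = parse_sshd_line(line)
        if parsed is None:
            continue  # disconnects, key auth, etc. are outside this example
        outcome, user, ip = parsed
        if outcome == "Failed":
            failures[ip] += 1
        else:
            non_failures[ip].append((outcome, user))
    hostile = {ip for ip, n in failures.items() if n >= threshold}
    buried = {ip: evs for ip, evs in non_failures.items() if ip in hostile}
    return {"failures": dict(failures), "hostile": hostile, "buried": buried}


def blocklist_rules(hostile):
    """Render one iptables DROP rule per hostile source (returned, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(hostile)]


# ---- constructed sample log (not real captures) ---------------------------
def _line(ts, outcome, user, ip, port, invalid=False):
    who = f"invalid user {user}" if invalid else user
    return (f"Jul 11 {ts} honeypot sshd[2314]: {outcome} password for "
            f"{who} from {ip} port {port} ssh2")


USERS = ["admin", "test", "oracle", "guest", "user", "ftp",
         "postgres", "mysql", "www", "backup", "nagios", "root"]

SAMPLE_LOG = [
    # twelve failures from one source: the "flood"
    _line(f"01:59:{i:02d}", "Failed", u, "203.0.113.5", 40100 + i, invalid=(u != "root"))
    for i, u in enumerate(USERS)
] + [
    # one success from the flooding source: the event the flood would bury
    _line("02:00:03", "Accepted", "root", "203.0.113.5", 40130),
    # a source below the threshold: noted, not blocked
    _line("02:00:10", "Failed", "admin", "198.51.100.7", 51000, invalid=True),
    _line("02:00:12", "Failed", "admin", "198.51.100.7", 51001, invalid=True),
    # an ordinary login from an unrelated source
    _line("02:00:20", "Accepted", "alice", "192.0.2.9", 52000),
    "Jul 11 02:00:21 honeypot sshd[2320]: Received disconnect from 192.0.2.9 port 52000:11: disconnected by user",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, threshold=10)
    print("failures per source:", report["failures"])
    print("hostile sources:", sorted(report["hostile"]))
    print("non-failure events from hostile sources:", report["buried"])
    for rule in blocklist_rules(report["hostile"]):
        print(rule)
```

Run on the constructed sample, 203.0.113.5 is flagged after its twelve failures and 198.51.100.7 stays below the bar, but the report also shows the single "Accepted password for root" from 203.0.113.5, which is exactly the event a blocklist alone would never bring to anyone's attention; in a real deployment the "buried" list is what should be fed to the analyst, not just the block rule.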