Honeypot: Building the beehive

In one of my previous posts I talked about creating a honeypot to see what my fans knocking at my SSH door would do once I let them into my system.

I installed Gentoo 2008 as a VMware guest using the hardened kernel sources. These include the grsecurity kernel patches, which let me audit exec calls; I will use that to trace the activity of certain accounts. A nice feature is that auditing can be enabled for one specific group only. To avoid arousing suspicion I created a “www” group and selected it as the group grsecurity audits.

The honeypot system (web01) is isolated from the rest of my network: it is only allowed to send traffic straight out to the internet, never into my LAN.

The next change to the honeypot system is a small addition to OpenSSH (openssh-5.1p1): it logs the host, username and password every time the ssh or scp client on the honeypot is used to connect somewhere. Always fun to know the credentials our attacker uses on other machines.

*** sshconnect2.c.dist Tue Mar 17 23:14:09 2009
--- sshconnect2.c Wed Mar 18 00:23:33 2009
***************
*** 29,34 ****
--- 29,35 ----
#include
#include
#include
+ #include

#include
#include
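Review bot: the header name on the added `+ #include` line has not survived in the rendered patch (the angle-bracketed names are missing from every include line in this hunk), so a reader cannot tell which header was added. The second hunk calls openlog, syslog and closelog, so the added line should name the header that declares those; restore the name before publishing the patch.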
***************
*** 1231,1236 ****
--- 1233,1243 ----

response = read_passphrase(prompt, echo ? RP_ECHO : 0);

+ openlog ("Honey", LOG_CONS | LOG_PID | LOG_NDELAY, LOG_AUTH);
+ syslog(LOG_WARNING,"hostname: %s, username: %s, password [%s]", authctxt->host, authctxt->server_user, response);
+ closelog();
+
+
packet_put_cstring(response);
memset(response, 0, strlen(response));
xfree(response);
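Review bot: the syslog call records the plaintext password, target host and username before the password is even sent, and nothing here records whether the connection later succeeded, so an entry on its own cannot distinguish a working credential from a failed guess; if that matters, log a second line where the server's answer to the password is handled. The entries also land in the honeypot's own LOG_AUTH facility, where anyone who gets root on web01 can read or erase them, so the facility should be forwarded to a collector off the box. Finally, LOG_CONS makes syslog fall back to writing the line on the console when syslogd is unreachable, which could expose the logging to someone watching the tty; LOG_PID | LOG_NDELAY alone would be the quieter choice.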

This will suffice for now; time to open the hive so the bees can come in.
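To make use of what the patched client writes, here is an added example (not part of the original post or of OpenSSH) that pulls the "hostname: ..., username: ..., password [...]" entries out of the honeypot's syslog, groups them by the host the attacker tried to reach, and produces a redacted copy of the records for sharing. It assumes the standard syslogd line prefix (timestamp, host, ident[pid]); the log lines below are constructed samples.

```python
import re
from collections import defaultdict

# Shape of the line emitted by the patched sshconnect2.c once syslog has added
# its usual "timestamp host ident[pid]:" prefix (assumption: stock syslogd format).
LINE_RE = re.compile(
    r"Honey\[(?P<pid>\d+)\]: hostname: (?P<host>[^,]+), "
    r"username: (?P<user>[^,]+), password \[(?P<password>.*)\]$"
)

# Constructed sample log, not real honeypot output. The third line is an
# unrelated sshd entry to show that non-matching lines are skipped, and the
# last password contains ", " to show the parser is not confused by it.
SAMPLE_LOG = """\
Mar 18 00:25:11 web01 Honey[4123]: hostname: 192.0.2.10, username: root, password [toor]
Mar 18 00:25:19 web01 Honey[4123]: hostname: 192.0.2.10, username: root, password [123456]
Mar 18 00:26:02 web01 sshd[4130]: Accepted password for www from 203.0.113.7 port 51234 ssh2
Mar 18 00:27:45 web01 Honey[4140]: hostname: 198.51.100.23, username: admin, password [p4ss, word]
"""


def parse_honey_lines(text):
    """Return one dict (pid, host, user, password) per capture line; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def targets_by_host(records):
    """Group the captured attempts by the host the attacker tried to reach."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["host"]].append((r["user"], r["password"]))
    return dict(grouped)


def redact(records):
    """Copy of the records with each password replaced by its length, safe to share."""
    return [dict(r, password="<%d chars>" % len(r["password"])) for r in records]


if __name__ == "__main__":
    for host, attempts in targets_by_host(parse_honey_lines(SAMPLE_LOG)).items():
        print(host, attempts)
```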