Security Basics mailing list archives

RE: newbie question about honeypot


From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Thu, 20 Aug 2009 11:39:45 -0400

Regards

I believe you have the wrong objective for a HoneyPot (or honeynet).
These technologies are used to make an attacker believe a system is more
vulnerable than another (the real live production box). As such the attacker
will hit the Honeypot first (hopefully), waste time and, if you are
lucky/wise, alert you before any damage is done.

You shouldn't try to fool an attacker into thinking you are more vulnerable
than you are. Be secure; don’t add ports on iptables just for the sake of
the honeypot.

What you want, hiding ports and messing up the fingerprint, is a totally
different issue and is OS (and protocol) specific. You could, for example,
change the banner, change the ports and modify the IP settings (flags and
timeout and so on) so that nmap believes you are someone you are not.
 
I'm no expert in this specific subject and can't help you set it up on your
machine (not knowing what kind of *Nix you are using). However, I do know
that there's a bunch of data out there for that.

Passive-Aggressive Resistance: OS Fingerprint Evasion
http://www.linuxjournal.com/article/4750

Have fun

Noted by someone else on the net:
Trying to modify your OS fingerprint is a fun trick, but you might remind
your security auditors that it's nothing more than "security by obscurity".
(i.e. Waste of effort, IMO.)
http://www.linuxforums.org/forum/misc/96516-os-fingerprint-change.html

Being an auditor, I agree it's security by obscurity. It's bad if it's the
only step you take (IMHO).


Philippe Rivest - CEH, Network+, Server+, A+
TransForce Inc.
Internal auditor - Information security
Verificateur interne - Securite de l'information

8585 Trans-Canada Highway, Suite 300
Saint-Laurent (Quebec) H4S 1Z6
Tel.: 514-331-4417   
Fax: 514-856-7541

http://www.transforce.ca/
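The reply above makes the point that a honeypot's job is to alert you when something touches it, not to hide the real box. The following is an added example (not code from this thread or from honeyd/tinyhoneypot) of that tripwire role: a low-interaction listener on decoy ports of a dedicated, otherwise unused host, where any connection is an event and several decoy ports hit by one source inside a short window is reported as a scan. Decoy port numbers, window and threshold are constructed values.

```python
"""Decoy-port tripwire: a honeypot's "alert before any damage is done" role.

Assumptions (not from the thread): this runs on a dedicated host/IP that
serves nothing legitimate, so every connection to a decoy port is suspect.
"""
import socket
import threading
import time
from collections import defaultdict

DECOY_PORTS = (2121, 2323, 8080)   # constructed: nothing real listens here
SCAN_WINDOW = 60                   # seconds to correlate touches per source
SCAN_THRESHOLD = 2                 # distinct decoy ports from one source


class Tripwire:
    def __init__(self):
        self.touches = defaultdict(list)   # src ip -> [(port, timestamp)]

    def record(self, src, port, ts=None):
        """Log one connection; return 'touch' or 'scan' for the alert text."""
        ts = time.time() if ts is None else ts
        # Keep only this source's touches that are still inside the window.
        hits = [(p, t) for p, t in self.touches[src] if ts - t <= SCAN_WINDOW]
        hits.append((port, ts))
        self.touches[src] = hits
        distinct_ports = {p for p, _ in hits}
        return "scan" if len(distinct_ports) >= SCAN_THRESHOLD else "touch"


def serve(tripwire, port):
    """Accept connections on one decoy port, alert, and say nothing back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", port))
        s.listen(5)
        while True:
            conn, (src, _) = s.accept()
            with conn:
                verdict = tripwire.record(src, port)
                # Replace print with syslog/mail in a real deployment.
                print(f"ALERT [{verdict}] {src} -> decoy port {port}")


if __name__ == "__main__":
    tw = Tripwire()
    for p in DECOY_PORTS:
        threading.Thread(target=serve, args=(tw, p), daemon=True).start()
    threading.Event().wait()   # run until interrupted
```

Because the decoy host offers no real service, the alert logic needs no signature: one touch is already worth a look, and a second distinct port from the same source is a scan.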



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of J. Bakshi
Sent: 20 August 2009 10:43
To: security-basics () securityfocus com
Subject: newbie question about honeypot

Dear list,

My home server is already running an iptables firewall. Though an nmap scan is
able to show the correct OS fingerprint and the open ports. I have come to know
about honeypots, which can fool port scanners. But I am still very
confused about honeypots and their implementation. I would like to simply
implement a honeypot which can hide the open ports but shows some other
non-opened ports to the scanner, as well as provide a false OS fingerprint
report. There are honeyd and tinyhoneypot. Which one can do this and how to
configure it? Please suggest.
