Honeypots mailing list archives

Re: tiny honeypot configuration


From: George Bakos <gbakos () ists dartmouth edu>
Date: Mon, 23 Jun 2003 18:18:57 -0400

On Mon, 23 Jun 2003 11:54:04 -0300
"Daniel Almendra" <danielalmendra () terra com br> wrote:

> Hi!
> I am trying to configure Tiny Honeypot in my house, but I just can't
> figure out what I'm doing wrong. It just doesn't seem to work! Can
> someone tell me a way to configure the iptables.rules file and thp.conf
> file?

The defaults work for most end-user systems. Is there a particular setting
that you would like to change and need help with?

> How can I test if the honeypot is working fine?

From a different system, you can point a web browser to it and you should
see a default web page. Additionally, you can, as root, run "logthis" with
the name of a target responder as a commandline switch. Here's an example
test session:

[root@www root]# /usr/local/thp/logthis ftp
220 localhost.localdomain FTP server (Version wu-2.6.1-16) ready.
user foo
331 Password required for foo
pass bar
230 User foo logged in.
pwd
257 "/" is current directory.
pasv
227 Entering Passive Mode (208,253,154,2,131,165)
stor foobar.tgz
150 Opening BINARY mode data connection.
226 Transfer complete.
quit
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 2164 bytes in 0 transfers.
221 Thank you for using the FTP service on localhost.localdomain.

> Can someone tell me one exploit that can be fooled by thp?

many rpc service buffer overflows such as statdx and dtspcd
7350wurm (wu-ftpd)
idiot coattailers scanning for ports 23, 1524, 39168, 60008, etc.
With a few lines of Perl, I've thrown together additional responder
modules to catch:
        sqlsnake
        spybot
        sub7
        kuang2thevirus

If you would like some example logs, I'd be happy to share.
 
> Thanks a lot for your attention. I'll appreciate it if someone gives me an
> answer...

If you are still having troubles, I'd be happy to have a look at your
configs off-list.

> Daniel Almendra



-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
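
The kind of low-interaction responder exercised in the test session above, as an added example; it is not thp's code and not part of the original message. It replays the reply strings shown in that session and records every client line with its length and a bounded hex preview. The names `FtpResponder`, `MAX_LOGGED` and `STATIC`, and the 500 and 503 replies, are assumptions made for this sketch.

```python
import sys

HOST = "localhost.localdomain"  # reply texts below are copied from the session above
BANNER = f"220 {HOST} FTP server (Version wu-2.6.1-16) ready."
MAX_LOGGED = 64  # assumption: bytes of each client line kept as a hex preview
STATIC = {
    "PWD": '257 "/" is current directory.',
    "PASV": "227 Entering Passive Mode (208,253,154,2,131,165)",
    "STOR": "150 Opening BINARY mode data connection.\r\n226 Transfer complete.",
}


class FtpResponder:
    """Hypothetical responder: canned replies, every client line recorded."""

    def __init__(self):
        self.user = None
        self.log = []  # (verb, line length, hex preview) per client line

    def handle(self, raw: bytes):
        """Return (reply, close_connection) for one raw client line."""
        line = raw.rstrip(b"\r\n")
        verb, _, arg = line.partition(b" ")
        verb = verb.decode("ascii", "replace").upper()[:16]
        arg = arg.decode("ascii", "replace")[:32]
        # Record the length and a bounded preview, so oversized or binary
        # input is captured without being interpreted or echoed in full.
        self.log.append((verb, len(line), line[:MAX_LOGGED].hex()))
        if verb == "USER":
            self.user = arg
            return f"331 Password required for {arg}", False
        if verb == "PASS":
            if self.user is None:  # constructed reply, not in the session above
                return "503 Login with USER first.", False
            return f"230 User {self.user} logged in.", False
        if verb == "QUIT":
            return f"221 Thank you for using the FTP service on {HOST}.", True
        # Unknown verbs get a constructed generic error.
        return STATIC.get(verb, "500 Command not understood."), False


if __name__ == "__main__":  # stdin/stdout, as an inetd-style service would run it
    responder, done = FtpResponder(), False
    sys.stdout.write(BANNER + "\r\n")
    sys.stdout.flush()
    while not done and (raw := sys.stdin.buffer.readline(4096)):
        reply, done = responder.handle(raw)
        sys.stdout.write(reply + "\r\n")
        sys.stdout.flush()
    print(responder.log, file=sys.stderr)
```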

