Honeypots mailing list archives

Re: Project: Multiple service-instances on single h-pot


From: oudot <oudot () rstack org>
Date: Mon, 22 Sep 2003 23:29:04 +0200



Daniel Roth wrote:
Hi!

Just have some quite brief questions on a project that I and 8 of my
friends (all taking a masters degree in computer science) have been
ordered to do. The project in itself is rather complex, but one of the
parts involves setting up a honeypot in this way.

It is supposed to answer traffic directed to a computer on its inside LAN
on ports that aren't open on the particular computer. Furthermore, it
shall start up multiple instances of services to different IPs trying to
connect to different computers inside. So if an attacker A tries to connect
to a ssh service on computer A (which hasn't got any ssh-service) in our
LAN the honeypot shall answer with starting up a ssh-service to fool this
attacker.

just to try to help (architecture ideas) : you could use honeyd and (nat+)port redirection : everything coming to your port 22 on host A is sent to honeyd port 22 (kind of farm of honeypots) [see redirection port and nat rules with your favorite firewall]

perhaps one or more diagrams could help to really understand (and/or explain) your problem if needed.

Another ssh-service shall be started if attacker B tries the same to
another computer on the LAN. But attacker C shall get access to the same
ssh-service as attacker A if he tries to connect to computer A. Hard to
describe, hope you all got it.


huh ?
i think that honeyd should be able to handle that

On top of that, ftp/telnet/webserver etc shall be simulated the same.

Comments about how this could be implemented / architected are more than
welcome. What about the performance of this "honeypot"? Anyone tried this
before and have any tips? How flexible is the honeyd written today, is it
possible to rewrite it to fit our needs? Are there other and better
honeypot daemons?


according to me : no :-)

have fun,

laurent
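
A sketch of the dispatch logic behind the redirection idea in the reply above, as an added example that is not part of the original message and is not honeyd code. It assumes a Linux firewall REDIRECT/DNAT rule hands the connections to one listener, which recovers the original destination with SO_ORIGINAL_DST and keeps one emulated service per (target host, port), shared by every source; the class names, banners and instance cap are hypothetical.

```python
import socket
import struct

SO_ORIGINAL_DST = 80  # Linux netfilter socket option (linux/netfilter_ipv4.h)

# Constructed sample banners for the emulated ports (not real host data).
BANNERS = {22: b"SSH-2.0-OpenSSH_3.7\r\n", 21: b"220 FTP server ready.\r\n"}


def parse_original_dst(raw):
    """Decode the sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST)."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    # Skip 2 bytes of sin_family, then port and IPv4 address in network order.
    port, addr = struct.unpack_from("!2xH4s", raw)
    return socket.inet_ntoa(addr), port


def original_dst(conn):
    """Ask netfilter where a redirected TCP connection was really headed."""
    return parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


class ServiceInstance:
    """One emulated service, shared by every source that reaches it."""

    def __init__(self, target, port):
        self.target, self.port = target, port
        self.banner = BANNERS[port]
        self.sources = []  # source IPs seen by this instance, for logging


class InstanceRegistry:
    """Lazily creates one instance per (target host, port), up to a cap."""

    def __init__(self, max_instances=256):
        self.max_instances = max_instances
        self.instances = {}

    def dispatch(self, src_ip, target, port):
        inst = self.instances.get((target, port))
        if inst is None:
            # Unemulated port, or a LAN-wide scan hit the cap: caller resets.
            if port not in BANNERS or len(self.instances) >= self.max_instances:
                return None
            inst = self.instances[(target, port)] = ServiceInstance(target, port)
        inst.sources.append(src_ip)
        return inst
```

The cap bounds memory when a scan sweeps every address on the LAN, which is the performance concern raised in the question.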

