One Person’s Experience with Honeypots

Ulisses Costa describes how he and Pedro Pereira created a honeypot, and he has now reported some statistics on the SMTP and SSH attacks it attracted. Ulisses used the honeyd daemon to make it happen.

He also made graphs and has them in his articles. Very educational reading – and recommended.

While a honeypot can sound like a fabulous security tool (e.g., lure the hackers to the honeypot instead of the real thing), it is weak at that job at best and is better suited to research: a honeypot shows you what the hackers are doing and gives you insight into their activities.

I should mention that honeypots, by their very nature, are magnets for hackers: so don’t put one of these on a trusted (or valuable) network, nor should you put one of these up without getting permission first.

Update: He was as good as his word (see below). He has two new articles: Tracing the Attack, Part I and Tracing the Attack, Part II. Illuminating!

Securing your network traffic

If you want to start some exciting discussion in a security forum, just say you use telnet: you’ll find that every admin knows that telnet is insecure, that one should use OpenSSH or similar to encrypt the traffic, and that telnet should be banned from the server environment entirely.

However, telnet is not the only server that transmits its passwords in the clear. There are a lot of others. Here’s a list I came up with:

  • FTP
  • HTTP
  • IMAP
  • IPP
  • LDAP
  • LPD
  • NFS
  • POP3
  • rsync
  • SMTP
  • SNMP
  • syslog
  • VNC
  • X11

I won’t cover all of these here (more about these items can be found in my book) but I do want to cover just a few.

Consider, for example, the mail protocols: SMTP, POP3, and IMAP. SSL encryption is available with all three – but do you use it? And what about your logins to your mailbox at your ISP? Every time you login, your password to your mailbox goes across the wire in the clear.
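To make "in the clear" concrete, here is an added example (my own code, not from the original article) that audits a reassembled TCP session for the plaintext login commands of POP3 and IMAP and for SMTP AUTH PLAIN and AUTH LOGIN; it also handles FTP and HTTP Basic from the list above, since they leak a password the same way. The function names (`find_leaks`, `audit`), the `Leak` record and every sample session are my constructions, not captures from the author.

```python
"""Audit a reassembled TCP session for logins sent in the clear (added example)."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Leak:
    protocol: str
    username: str
    password: str
    evidence: str  # the wire line that exposed the credential


def _b64(token: str) -> Optional[bytes]:
    """Decode a base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_leaks(stream: str, protocol: str) -> List[Leak]:
    """Return every credential pair visible in one session.

    `stream` carries both directions, one line per command or reply, as a
    "follow TCP stream" dump gives it; `protocol` is pop3, ftp, imap, smtp or http.
    """
    protocol = protocol.lower()
    leaks: List[Leak] = []
    user: Optional[str] = None          # POP3/FTP: USER seen, waiting for PASS
    login_parts: Optional[list] = None  # SMTP AUTH LOGIN: base64 replies so far
    for ln in (line.rstrip("\r") for line in stream.split("\n")):
        if protocol in ("pop3", "ftp"):
            m = re.match(r"(?i)USER\s+(\S+)$", ln)
            if m:
                user = m.group(1)
            m = re.match(r"(?i)PASS\s+(.+)$", ln)
            if m and user is not None:
                leaks.append(Leak(protocol, user, m.group(1), ln))
                user = None
        elif protocol == "imap":
            # "tag LOGIN user pass"; either argument may be a quoted string
            m = re.match(r'(?i)\S+\s+LOGIN\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)$', ln)
            if m:
                leaks.append(Leak(protocol, m.group(1).strip('"'), m.group(2).strip('"'), ln))
        elif protocol == "smtp":
            m = re.match(r"(?i)AUTH\s+PLAIN\s+(\S+)$", ln)
            if m:  # payload is authzid NUL authcid NUL password
                raw = _b64(m.group(1))
                if raw is not None and raw.count(b"\0") == 2:
                    _, authcid, password = raw.split(b"\0")
                    leaks.append(Leak(protocol, authcid.decode(errors="replace"),
                                      password.decode(errors="replace"), ln))
                continue
            m = re.match(r"(?i)AUTH\s+LOGIN(?:\s+(\S+))?$", ln)
            if m:
                login_parts = [m.group(1)] if m.group(1) else []
            elif login_parts is not None and ln.strip() and not re.match(r"\d{3}[ -]", ln):
                login_parts.append(ln.strip())  # client's base64 username, then password
            if login_parts is not None and len(login_parts) == 2:
                u, p = (_b64(t) for t in login_parts)
                if u is not None and p is not None:
                    leaks.append(Leak(protocol, u.decode(errors="replace"),
                                      p.decode(errors="replace"), ln))
                login_parts = None
        elif protocol == "http":
            m = re.match(r"(?i)Authorization:\s*Basic\s+(\S+)$", ln)
            if m and (raw := _b64(m.group(1))) is not None:
                u, _, p = raw.partition(b":")
                leaks.append(Leak(protocol, u.decode(errors="replace"),
                                  p.decode(errors="replace"), ln))
    return leaks


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed sessions (not real captures) in the shape of a follow-stream dump.
SAMPLES = {
    "pop3": "+OK POP3 ready\r\nUSER alice\r\n+OK\r\nPASS hunter2\r\n+OK Logged in.\r\n",
    "imap": '* OK IMAP4rev1 ready\r\na001 LOGIN bob "pa ss"\r\na001 OK LOGIN completed\r\n',
    "smtp-plain": "220 mail ESMTP\r\nEHLO laptop\r\n250-mail\r\n250 AUTH PLAIN LOGIN\r\n"
                  "AUTH PLAIN " + _b64e(b"\0carol\0s3cret") + "\r\n235 2.7.0 OK\r\n",
    "smtp-login": "220 mail ESMTP\r\nEHLO laptop\r\n250 AUTH PLAIN LOGIN\r\nAUTH LOGIN\r\n"
                  "334 VXNlcm5hbWU6\r\n" + _b64e(b"erin") + "\r\n334 UGFzc3dvcmQ6\r\n"
                  + _b64e(b"qwerty") + "\r\n235 2.7.0 OK\r\n",
    "http": "GET /webmail/ HTTP/1.1\r\nHost: mail.example.test\r\n"
            "Authorization: Basic " + _b64e(b"dave:letmein") + "\r\n\r\n",
}


def audit(samples=None) -> List[Leak]:
    """Run each sample through the detector; the key's prefix names the protocol."""
    found: List[Leak] = []
    for name, stream in (samples or SAMPLES).items():
        found.extend(find_leaks(stream, name.split("-")[0]))
    return found


if __name__ == "__main__":
    for leak in audit():
        print(f"{leak.protocol:5} user={leak.username!r} password={leak.password!r}  <- {leak.evidence}")
```

Run it against a follow-stream dump taken on your own mail server's port: every hit is a credential that any passive observer on the path also has. The remedy is the one above, the SSL variant of the protocol (or an SSH tunnel), after which the bytes this script reads are no longer readable.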

What about NFS – particularly NFS home directories? If you have unencrypted secrets in your home directory, then these items will be transmitted across the network in the clear as well. What about private SSH keys? Unfortunately, there is no way to encrypt NFS traffic.

VNC is another one to watch for: if you type passwords for your root logins over VNC – even if what you are typing into inside the VNC session is an SSH login – the passwords are in the clear, because VNC itself carries your keystrokes unencrypted. The only way to secure VNC entirely is to run it through an SSH tunnel.

X11 is insecure in the same way, and presents special problems of its own. Fortunately, OpenSSH handles X transparently through dedicated tunnels just for X (X11 forwarding).

syslog is another unencrypted service: do passwords ever end up in your system logs? What about the private doings of your servers? How much information leakage can you tolerate? Unfortunately, syslog cannot be secured unless you use something such as syslog-ng, which lets you carry the logs over TCP (and thus through an OpenSSH tunnel).