Security tool

[MrWhisp]

Hi,

 

I have developed a "Honeypot" security tool. I really would like some more ideas about this tool and therefore I would like to discuss it. And if anyone is interested in testing it let me know and I will post it on a website.

 

The tool works as follows:

A hacker always tries the easiest ways of attacking a system. So if, for example, port 139 (Netbios) is open a hacker attacks that port before trying other attacks, such as webserver exploits.

My Honeypot opens servers at selected ports so it, for example, looks like the Netbios service is available. If anyone tries to connect to this port, the honeypot logs the intruder IP and hostname and automatically adds his IP to the Shorewall dynamic blacklist. The server ports is specified in a config file and can be any ports not used by a system service.

I have for example emulated the Windows RPC service (computers probably infected with viruses like Ms Blaster) and blacklists about 2-4 IP / minute.

To avoid infinitely growing blacklists the system executes a shorewall allow of the IP addresses after a user specified time interval, for example 10 minutes.

 

Any ideas of further development for this tool?

 

/MrWhisp

[Michel]

seems a nice tool. I'll maybe have a look at it after my finals are done.

Edited June 29, 2004 by Michel

[durvish]

I'd be highly interested in taking a look at that.

[MrWhisp]

I will post it somewhere in a few days. I just has to finish some details with the service scripts...

The goal of this project is a useful honeypot, and therefore I need some ideas of other "honeypot" techniques...

[MrWhisp]

The application and all installation/usage instructions is now available at

http://www.frc-consulting.com/security/tools/

 

Send any feedback, questions or ideas about this project to johan@frc-consulting.com

[MrWhisp]

I have made a lot of changes and moved the system to sourceforge:

http://jhoney.sourceforge.net

 

/MrWhisp

[liquidzoo]

Wow. That looks like a very nice script.