Jabez:

        Heya. So you know up-front: I've not installed LaBrea
on my systems here. I like the idea of it, of course, but
haven't done anything about it.

        That being said, here's what I see below. Now that
you've opened port-80, it looks like your sh-httpd process
(which I believe is associated with the weblet app) is
receiving these connection requests before your LaBrea
process receives them. I would have thought that the sh-httpd
process would listen to port-80 *only* on the internal
interface, but maybe that's not the default (again, sorry,
I don't use weblet here so I can't tell)...

        That being said, there are two ways you can use LaBrea
"correctly". First, as it was originally intended, you can
have it listen to your internal network and make it
"unmappable" by routine network scanners. In this mode,
LaBrea will populate all of the unused IP address space on
your LAN with ghost machines, making it much more difficult
for an attacker to gauge how many machines you're running
and where to hit first.
        The second (and I think more interesting) mode is the
ability of LaBrea to capture and hold connection attempts of
Internet worms, such as CodeRed. In this mode, LaBrea should
be configured to listen to port-80 on your external interface.
From the outside, it will look and feel like an infinitely
slow web server. A worm-infected machine that tries to connect
to as many machines as possible will be greatly slowed down
when it comes across you.

        Once you know which mode you want to implement, it
should be pretty straightforward to configure the tool to do
it. Just post your config file and we can work through it.

cheers,
Scott


On Sun, 5 May 2002, Jabez McClelland wrote:

> OK, I opened port 80.  Now I get the following log
> action:
>
> May 5 06:12:49 firewall sh-httpd[2284]: refused
> connect from dsl092-171-025.wdc1.dsl.speakeasy.net
> May 5 06:12:54 firewall sh-httpd[2285]: refused
> connect from dsl092-171-025.wdc1.dsl.speakeasy.net
> May 5 06:13:03 firewall sh-httpd[2286]: refused
> connect from dsl092-171-025.wdc1.dsl.speakeasy.net
>
> I think I understand now, and I believe I'm trying to
> do something dumb. I am just a lowly home DSL customer
> with a single external IP.  Now I'm thinking that
> LaBrea needs spare EXTERNAL IP addresses to do
> anything.  That is, it needs to see incoming traffic
> on an external (real world) IP that is assigned to me,
> but I'm not using.  I think the only traffic coming
> down my DSL line is directed at my single IP.   Is
> this correct?  I was thinking before that LaBrea could
> work with all my internal 192.168.1.xxx IPs, but maybe
> not...
>
> Jabez
>
> > Jabez:
> >
> >     Easy to do: you can adjust your firewall ruleset to
> > let those packets destined for a webserver (ie, TCP-port 80)
> > "in". So, have the LEAF disk ACCEPT those packets, and let
> > LaBrea tarpit them. Alternatively, to keep your LEAF disk
> > lean, port-forward its port 80 to port 80 on an internal
> > machine that you have running LaBrea. Same effect...
> >
> >     Since LaBrea is the only thing that receives the
> > data connection, your overall security hit is reduced to the
> > security of LaBrea. Which, in my understanding, has been
> > pretty well scrutinized.
> >
> >     Kinda fun, in a way. :)
> >
> > -Scott
[old stuff deleted]
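Added example, not from this thread or from the LaBrea project: a small model of the "infinitely slow web server" effect Scott describes in the second mode. LaBrea itself does the slowing at the TCP layer (it answers the handshake and then advertises a tiny or zero receive window, so the peer can never get its request through), which needs raw-socket access. The stand-in used here is an application-level listener that completes the handshake and then never reads or replies; for a client with a per-connection timeout the result looks the same. Everything runs on the loopback interface with an OS-chosen port, and the `probe`, `start_tarpit` and `compare` names are this example's own.

```python
"""Model of a tarpit's effect on a client that expects an HTTP reply.

Application-level stand-in for LaBrea's TCP-window trick: the listener
accepts the connection and then says nothing, ever, so each attempt costs
the client its full timeout instead of the near-zero cost of a closed port.
"""
import socket
import threading
import time

TARPIT_HOST = "127.0.0.1"   # assumption: keep the model on loopback only


def start_tarpit():
    """Start the accept-and-hold listener on an OS-chosen port.

    Returns (port, stop_event).  Accepted sockets are kept in a list so they
    stay open, and the client stays stuck, until stop_event is set.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((TARPIT_HOST, 0))
    srv.listen(16)
    srv.settimeout(0.1)          # lets the loop notice stop_event
    stop = threading.Event()
    held = []

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            held.append(conn)    # handshake done; never read, never answer
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop


def probe(port, timeout):
    """One connection attempt by a client that wants an HTTP response.

    Returns (outcome, seconds): 'tarpitted' (connected, no reply before the
    timeout), 'refused' (nothing listening) or 'replied'.
    """
    t0 = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((TARPIT_HOST, port))
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")   # constructed request
        data = s.recv(1024)
        outcome = "replied" if data else "tarpitted"
    except socket.timeout:
        outcome = "tarpitted"
    except ConnectionRefusedError:
        outcome = "refused"
    finally:
        s.close()
    return outcome, time.monotonic() - t0


def unused_port():
    """Pick a port with nothing listening, for the closed-port comparison."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((TARPIT_HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def compare(timeout=0.5):
    """Time one attempt against the tarpit and one against a closed port."""
    port, stop = start_tarpit()
    try:
        tarpit_result = probe(port, timeout)
        closed_result = probe(unused_port(), timeout)
    finally:
        stop.set()
    return {"tarpit": tarpit_result, "closed_port": closed_result}


if __name__ == "__main__":
    for name, (outcome, secs) in compare().items():
        print(f"{name:12s} {outcome:10s} {secs:.2f}s")
```

The closed-port attempt returns in well under a millisecond on loopback, while the tarpitted attempt costs the whole timeout; a client that sweeps addresses one after another pays that cost on every tarpitted address, which is the slow-down Scott refers to. Note that the real mechanism in LaBrea holds the connection with no client-side timeout help at all, so the effect there is stronger than this model shows.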


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html