A name? Portable. Honeypot.
How about Portapotty? :-)

- L

On 10/16/11 12:18 PM, Chris Benedict wrote:
> After listening to the pdc guys talk about "honeyports" on the pdc podcast I
> decided to run with the idea a bit further. I'm not sure if this has been
> done yet or not, but I've written a program in Ruby to implement honeyports
> with some extra features thrown into the mix. For info on honeyports check
> out John Strand's tech segments on episodes 203 and 204 of the pdc podcast.
>
> You can use a raw tcp listener (netcat-style) to trigger blacklisting or you
> can write modules to emulate a ftp server or web server or whatever that can,
> for instance, give a banner and version info but blacklist on attempted
> logins. When a host trips one of the alarms it broadcasts a signed udp alert
> to all the other hosts on the lan so they can act on it also. Alerts can be
> handled by different modules too, so far I have only written a commandline
> module that simply executes a command with an ip address as an argument that
> you can use to insert an ip into a blacklist table in pf for instance.
> Something like a syslog or mysql module wouldn't be too difficult to write.
>
> As far as making it secure goes, it has some more work to be done.
> Broadcasted alerts are cryptographically signed and verified but I need to
> implement some stuff to prevent replay attacks and I need to add in
> whitelisting and thresholding to make it more difficult to use as a weapon
> against the user's own network.
>
> So, I've tried to make the code all very modular so its functionality can be
> tweaked or extended pretty well (the sky should be the limit). The end-goal
> is to come up with some code that you can drop onto every box on a lan that
> can run a ruby interpreter (jruby for instance). It would make the entire
> network go dark once an attacker starts grabbing banners or connecting to
> ports.
>
> This is going to be my first project to be released and it doesn't have a
> name yet. So, if anyone has any ideas for a name send them my way. Once I
> have it named I will put it in a public repo on github with a BSD license for
> anyone to get to and contribute.
>
> -Chris Benedict
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
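The alert side of the design Chris describes (signed UDP broadcast, plus the replay protection, whitelisting and thresholding he lists as still to do) is sketched below as an added example; it is not code from his project. It assumes a pre-shared HMAC key, names like `build_alert` and `AlertVerifier` are hypothetical, and the UDP socket itself is left out so the message format and the receiver's checks can be exercised in memory.

```ruby
require 'openssl'
require 'json'
require 'securerandom'
require 'set'

# Shared secret held by every host on the LAN (constructed sample value).
KEY = 'example-shared-secret-change-me'.freeze

# Build one alert for an offending IP. The timestamp and a random nonce are
# inside the signed payload, so a captured packet cannot be re-broadcast later.
def build_alert(ip, port, key: KEY, now: Time.now.to_i)
  payload = JSON.generate('ip' => ip, 'port' => port, 'ts' => now,
                          'nonce' => SecureRandom.hex(8))
  sig = OpenSSL::HMAC.hexdigest('SHA256', key, payload)
  JSON.generate('payload' => payload, 'sig' => sig)
end

# Constant-time string comparison so the signature check does not leak timing.
def same_digest?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiver: verifies the HMAC, rejects stale or replayed alerts, ignores
# whitelisted addresses and only blacklists once a per-IP hit count is reached.
class AlertVerifier
  attr_reader :hits

  def initialize(key: KEY, whitelist: [], window: 30, threshold: 1)
    @key, @window, @threshold = key, window, threshold
    @whitelist = Set.new(whitelist)
    @seen = Set.new          # nonces already accepted
    @hits = Hash.new(0)      # alerts counted per reported IP
  end

  # Returns :blacklist when the alert should be acted on, otherwise a symbol
  # naming why it was dropped.
  def check(raw, now: Time.now.to_i)
    msg = JSON.parse(raw)
    payload = msg['payload'].to_s
    expected = OpenSSL::HMAC.hexdigest('SHA256', @key, payload)
    return :bad_signature unless same_digest?(expected, msg['sig'])
    body = JSON.parse(payload)
    return :stale unless (now - body['ts'].to_i).abs <= @window
    return :replay unless @seen.add?(body['nonce'])
    return :whitelisted if @whitelist.include?(body['ip'])
    @hits[body['ip']] += 1
    @hits[body['ip']] >= @threshold ? :blacklist : :below_threshold
  rescue JSON::ParserError
    :malformed
  end
end
```

Only a `:blacklist` result would be handed to a command module such as the pf table insert described above.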
