James/DarkCow wrote:
> jody salt wrote:
> > I have an idea.... I don't know if it's been done already - but it would be cool if you could have some sort of fake ssh login that would log you in to a fake computer system if you get the wrong password. You could then have a secret command (specified in a configuration file) that you could use to verify that you have actually logged in correctly. This would completely ruin these sorts of cracking attempts, as the malware used will have no way of knowing if it was a genuine success, i.e. it will always seem like a success. You could then log all the commands etc. used, and build a profile of the cracker - what commands they use and what files they try to upload etc... It must have been done already?? Any thoughts? Cheers, Jody
>
> I think it's called a honeypot, but I'm not sure if there's any particular software to do this for you, or if you have to set it up yourself. I think it would be cool if someone did this though...
Ack.. I just read your message again, and I saw this bit:
> you could then have secret command (specified in a configuration file) that you could use to verify that you have actually logged in correctly.
And, well, that part has nothing to do with a honeypot, but I had thought of almost exactly the same thing a while ago, except I was going to have it activate whenever a user logged in successfully. Now that I think about it, it seems like a good idea to put them in a chroot environment or something like that, but it might be a little overkill. The idea was that unless the alarm was 'shut down' with another password within a set number of seconds, it would kick the user out (making it look like a bad connection), but if they came back from the same address and got kicked out again, it would add them to /etc/hosts.deny and lock them out. I didn't get at all far, but I'm looking for people to help with the code. It should be fairly simple...
--
140cf42384f90b8c349b67457b907115
Public PGP key at http://apolloenterprises.org/stuff/morefiles/publicpgpkey.txt

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
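The alarm scheme described in the message above, written out as an added example (not the poster's code): a second password is demanded after login, a missed or wrong answer within the timeout drops the session, and a second miss from the same source address appends that address to /etc/hosts.deny. It assumes it is invoked from the login shell's profile, that the source address comes from sshd's SSH_CLIENT variable, and the strike-file path and alarm secret are placeholders.

```python
#!/usr/bin/env python3
"""Second-password login alarm (constructed example, not the poster's code).
Assumed to run from a login shell's profile; paths and the alarm secret below
are placeholders."""
import hashlib, hmac, os, select, signal, sys

ALARM_SHA256 = hashlib.sha256(b"example-alarm-pass").hexdigest()  # placeholder
TIMEOUT_SECONDS = 15                           # "set number of seconds"
STRIKE_FILE = "/var/lib/login-alarm/strikes"   # assumed location
HOSTS_DENY = "/etc/hosts.deny"                 # TCP Wrappers deny list

def alarm_ok(typed: str, expected_sha256: str = ALARM_SHA256) -> bool:
    """Constant-time comparison of the typed alarm password's hash."""
    digest = hashlib.sha256(typed.encode()).hexdigest()
    return hmac.compare_digest(digest, expected_sha256)

def record_strike(ip: str, strike_file: str = STRIKE_FILE,
                  hosts_deny: str = HOSTS_DENY, limit: int = 2) -> int:
    """Count failed alarm checks per source address; on reaching the limit,
    add a 'sshd: <ip>' rule so TCP Wrappers refuses further ssh connections."""
    strikes = {}
    if os.path.exists(strike_file):
        with open(strike_file) as fh:
            for line in fh:
                addr, _, n = line.strip().partition(" ")
                if addr:
                    strikes[addr] = int(n or 0)
    strikes[ip] = strikes.get(ip, 0) + 1
    with open(strike_file, "w") as fh:
        fh.writelines(f"{a} {n}\n" for a, n in strikes.items())
    if strikes[ip] >= limit:
        with open(hosts_deny, "a") as fh:
            fh.write(f"sshd: {ip}\n")
    return strikes[ip]

def source_ip() -> str:
    """sshd exports SSH_CLIENT as 'ip clientport serverport'."""
    return (os.environ.get("SSH_CLIENT") or "unknown").split()[0]

def main() -> None:
    sys.stdout.write("Alarm: ")
    sys.stdout.flush()
    ready, _, _ = select.select([sys.stdin], [], [], TIMEOUT_SECONDS)
    typed = sys.stdin.readline().rstrip("\n") if ready else ""
    if alarm_ok(typed):
        return                                 # alarm shut down, carry on
    record_strike(source_ip())
    os.kill(os.getppid(), signal.SIGHUP)       # drop the login shell's session

if __name__ == "__main__":
    main()
```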