LinuxQuestions.org
Old 10-13-2006, 10:15 AM   #1
ActiveX
Member
 
Registered: Feb 2006
Posts: 33

Rep: Reputation: 15
Need to monitor SSH attacks with Sebek


I am still fairly new to Linux but competent with much of the basics as I have passed the RHCT. I've monitored some heavy SSH attacks/attempts and I'd like to set up a honeypot to monitor what exactly is trying to be done. My intent is to put Sebek on FC5 with a weak root password so that I can monitor what's really going on. I have not used Sebek though and I am curious about how to get it all started.

I am familiar with iptables and I'll likely use an iptables firewall to just forward only ssh traffic to the box that has Sebek on it. I could also set another host behind it to be the logging server for Sebek but I am unsure how to do this and pretty weak with logs.

Thanks in advance for any tips, advice, or links.
 
Old 10-13-2006, 12:27 PM   #2
pAn1k
Member
 
Registered: Jun 2004
Location: Cala city
Distribution: Suse 10.0; Debian 5.0 (Lenny) Fluxbox
Posts: 240

Rep: Reputation: 30
If you want to see all the brute force attempts just check out your /var/log/messages. You can grep for ssh if you want. I don't see how setting a weak password will help you learn anything. There is probably not as much going on as you think. Have fun with that.
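The grep suggested above answers only "how many attempts"; a small parser gives you per-source counts and, more usefully, flags a successful login that follows a burst of failures from the same address, which is the event a honeypot operator actually wants to notice. This is an added example, not code from any poster; the log lines are constructed in the syslog format sshd writes (documentation-range IPs, hostname "honey"), and the threshold of three failures is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd lines as they appear in /var/log/messages or
# /var/log/secure; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 13 09:58:01 honey sshd[2311]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Oct 13 09:58:03 honey sshd[2313]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Oct 13 09:58:05 honey sshd[2315]: Failed password for root from 203.0.113.7 port 40141 ssh2
Oct 13 09:58:07 honey sshd[2317]: Failed password for root from 203.0.113.7 port 40150 ssh2
Oct 13 09:58:09 honey sshd[2319]: Accepted password for root from 203.0.113.7 port 40158 ssh2
Oct 13 10:01:44 honey sshd[2402]: Failed password for invalid user oracle from 198.51.100.22 port 51002 ssh2
Oct 13 10:02:10 honey sshd[2410]: Accepted publickey for ops from 192.0.2.15 port 60111 ssh2
Oct 13 10:03:00 honey cron[2420]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_lines(text):
    """Return a list of dicts (ts, result, method, user, ip) for sshd auth lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, threshold=3):
    """Count failures per source and flag logins accepted after `threshold` failures."""
    failures = Counter()              # ip -> failed attempts so far
    users = defaultdict(Counter)      # ip -> Counter of usernames tried
    suspicious = []                   # (ts, user, ip, prior failures)
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            users[ip][ev["user"]] += 1
        elif failures[ip] >= threshold:
            # A guessing run that ended in an accepted login: the point at which
            # the honeypot's real observation period begins.
            suspicious.append((ev["ts"], ev["user"], ip, failures[ip]))
    return {"failures": failures, "users": users, "suspicious": suspicious}


if __name__ == "__main__":
    report = summarize(parse_sshd_lines(SAMPLE_LOG))
    for ip, n in report["failures"].most_common():
        print(f"{ip}: {n} failed, users tried: {dict(report['users'][ip])}")
    for ts, user, ip, n in report["suspicious"]:
        print(f"{ts} accepted login for {user} from {ip} after {n} failures")
```

On a real box, replace SAMPLE_LOG with the contents of the rotated files (`zcat /var/log/messages.*.gz` is enough input for the parser); the regex ignores every non-sshd line, so the cron entry in the sample is dropped silently.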
 
Old 10-13-2006, 06:12 PM   #3
ActiveX
Member
 
Registered: Feb 2006
Posts: 33

Original Poster
Rep: Reputation: 15
You're missing my point. I've already done the monitoring. I have rotations of the logs for 20 weeks that include thousands of attacks. The most prevalent are SSH attempts from all over the world. I want to do some research on what exactly is behind these. I want to know what files are accessed, what is installed, how they do it, what it results in, etc. Thus I mentioned using a weak password...after all...you WANT a honeypot to be compromised. I just don't have experience using honeypots and Sebek seems to have what I want...I just thought there'd be some good tips from you gurus in here that would be a little more tolerable than reading whitepapers. Thanks in advance.
 
Old 10-13-2006, 06:47 PM   #4
pAn1k
Member
 
Registered: Jun 2004
Location: Cala city
Distribution: Suse 10.0; Debian 5.0 (Lenny) Fluxbox
Posts: 240

Rep: Reputation: 30
Is your box actually being penetrated, or are they just attempts? If they are actually gaining access to your computer you're already in a bad spot. Honestly, there shouldn't be much to figure out. They are most likely script kiddies looking for an easy target.
 
Old 10-13-2006, 08:03 PM   #5
ActiveX
Member
 
Registered: Feb 2006
Posts: 33

Original Poster
Rep: Reputation: 15
Traffic has been logged from all over the world for some time now between various monitoring hosts that were behind iptables firewalls. The machines were used for logging/monitoring of attacks on default ports. Now we want to step it up and focus on the SSH attacks, hopefully using Sebek on a new machine to monitor what happens AFTER a breach. 98% of what we've observed so far has not resulted in a breach and when it has we've pulled the plug. Obviously for a honeypot we might ease back on the complexity of the passwords. This isn't just for curiosity. I want to research and document real attacks/compromises with high detail. That's why I wanted to use Sebek rather than just checking logs. I am open to advice from anyone who's used it, as it sounds like a good program for what I want to do.
 
Old 10-14-2006, 12:06 AM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by ActiveX
Traffic has been logged from all over the world for some time now between various monitoring hosts that were behind iptables firewalls. The machines were used for logging/monitoring of attacks on default ports. Now we want to step it up and focus on the SSH attacks, hopefully using Sebek on a new machine to monitor what happens AFTER a breach. 98% of what we've observed so far has not resulted in a breach and when it has we've pulled the plug. Obviously for a honeypot we might ease back on the complexity of the passwords. This isn't just for curiosity. I want to research and document real attacks/compromises with high detail. That's why I wanted to use Sebek rather than just checking logs. I am open to advice from anyone who's used it, as it sounds like a good program for what I want to do.
Sounds like you've everything pretty much mapped out already.

Instead of 'pulling the plug' when a breach happens, observe what the attacker does AFTER the breach. Watch what the attacker does to further compromise the machine: he/she may immediately change the password after getting in, then cleanse the logs of the breach, then start installing trojans that will allow him/her backdoors into the machine if the breach is discovered and remedied, then start installing key loggers and sniffers to capture valuable data.

When you start seeing any such activity such as the culprit launching DoS attacks against other networks or attempting to enlist other potential zombie machines, pull the plug then.

I don't think the objective of using a honeypot is to observe attempts then drop the connections when a breach occurs...if that's the case, plain ole snort or a HIDS would work better.
 
Old 10-14-2006, 02:49 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Rep: Reputation: 2743
Since you came up with Sebek yourself you must have read all of http://www.honeynet.org/tools/sebek/, http://www.securityfocus.com/infocus/1855 and http://www.securityfocus.com/infocus/1858 (and maybe also have looked for anti-honeypot detection texts and tools) and I'm asking myself what is the *real* problem here?
 