10-13-2006, 11:15 AM  #1
Member | Registered: Feb 2006 | Posts: 33
Need to monitor SSH attacks with Sebek
I am still fairly new to Linux but competent with much of the basics, as I have passed the RHCT. I've monitored some heavy SSH attacks/attempts and I'd like to set up a honeypot to monitor what exactly is trying to be done. My intent is to put Sebek on FC5 with a weak root password so that I can monitor what's really going on. I have not used Sebek though, and I am curious about how to get it all started.
I am familiar with iptables and I'll likely use an iptables firewall to forward only SSH traffic to the box that has Sebek on it. I could also set up another host behind it to be the logging server for Sebek, but I am unsure how to do this and pretty weak with logs.
Thanks in advance for any tips, advice, or links.
10-13-2006, 01:27 PM  #2
Member | Registered: Jun 2004 | Location: Cala city | Distribution: Suse 10.0; Debian 5.0 (Lenny) Fluxbox | Posts: 240
If you want to see all the brute force attempts just check out your /var/log/messages. You can grep for ssh if you want. I don't see how setting a weak password will help you learn anything. There is probably not as much going on as you think. Have fun with that.
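Grepping /var/log/messages for "ssh" shows the raw attempts, but it is more useful to count failures per source address and to spot the one case that matters on a honeypot: a successful login from an address that had just been guessing passwords. The following is an added example, not code posted in this thread or part of Sebek; the log lines are constructed to match the `Failed password for ... from <ip> port <n> ssh2` and `Accepted password for ...` shape that sshd writes via syslog, and the threshold of 3 is an arbitrary assumption for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (assumption: real entries in /var/log/messages share this sshd format).
SAMPLE_LOG = """\
Oct 13 10:01:02 honeypot sshd[2201]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct 13 10:01:04 honeypot sshd[2203]: Failed password for root from 192.0.2.10 port 40123 ssh2
Oct 13 10:01:06 honeypot sshd[2205]: Failed password for invalid user admin from 192.0.2.10 port 40124 ssh2
Oct 13 10:01:07 honeypot sshd[2207]: Failed password for invalid user test from 198.51.100.7 port 51011 ssh2
Oct 13 10:01:09 honeypot sshd[2209]: Accepted password for root from 192.0.2.10 port 40125 ssh2
Oct 13 10:02:00 honeypot cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# "invalid user" is optional: sshd prepends it when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarize_ssh(log_text):
    """Return (failures per IP, usernames tried per IP, list of accepted (ip, user))."""
    failures = Counter()
    usernames = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            usernames[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"]))
    return failures, usernames, accepted


def brute_force_sources(failures, threshold=3):
    """Addresses with at least `threshold` failed logins (threshold is an assumed demo value)."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def successes_after_failures(failures, accepted):
    """Accepted logins from an address that had already failed: the event to alert on."""
    return [(ip, user) for ip, user in accepted if failures[ip] > 0]


if __name__ == "__main__":
    fails, users, ok = summarize_ssh(SAMPLE_LOG)
    for ip in brute_force_sources(fails):
        print(f"{ip}: {fails[ip]} failures, users tried: {sorted(users[ip])}")
    for ip, user in successes_after_failures(fails, ok):
        print(f"ALERT: {user} logged in from {ip} after {fails[ip]} failed attempts")
```

On a real box, feed it `open("/var/log/messages").read()` (or the rotated copies) instead of the constructed sample; on a honeypot the `successes_after_failures` hit is the moment to start watching the session rather than the moment to pull the plug.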
10-13-2006, 07:12 PM  #3
Member | Registered: Feb 2006 | Posts: 33 | Original Poster
You're missing my point. I've already done the monitoring. I have rotations of the logs for 20 weeks that include thousands of attacks. The most prevalent are SSH attempts from all over the world. I want to do some research on what exactly is behind these. I want to know what files are accessed, what is installed, how they do it, what it results in, etc. Thus I mentioned using a weak password...after all...you WANT a honeypot to be compromised. I just don't have experience using honeypots and Sebek seems to have what I want...I just thought there'd be some good tips from you gurus in here that would be a little more tolerable than reading whitepapers. Thanks in advance.
10-13-2006, 07:47 PM  #4
Member | Registered: Jun 2004 | Location: Cala city | Distribution: Suse 10.0; Debian 5.0 (Lenny) Fluxbox | Posts: 240
Is your box actually being penetrated, or are they just attempts? If they are actually gaining access to your computer, you're already in a bad spot. Honestly, there shouldn't be much to figure out. They are most likely script kiddies looking for an easy target.
10-13-2006, 09:03 PM  #5
Member | Registered: Feb 2006 | Posts: 33 | Original Poster
Traffic has been logged from all over the world for some time now between various monitoring hosts that were behind iptables firewalls. The machines were used for logging/monitoring of attacks on default ports. Now we want to step it up and focus on the SSH attacks, hopefully using Sebek on a new machine to monitor what happens AFTER a breach. 98% of what we've observed so far has not resulted in a breach, and when it has we've pulled the plug. Obviously for a honeypot we might ease back on the complexity of the passwords. This isn't just for curiosity. I want to research and document real attacks/compromises in high detail. That's why I wanted to use Sebek rather than just checking logs. I am open to advice from anyone who's used it, as it sounds like a good program for what I want to do.
10-14-2006, 01:06 AM  #6
Member | Registered: May 2005 | Location: Northern VA | Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X | Posts: 782
Quote:
Originally Posted by ActiveX
Traffic has been logged from all over the world for some time now between various monitoring hosts that were behind iptables firewalls. The machines were used for logging/monitoring of attacks on default ports. Now we want to step it up and focus on the SSH attacks, hopefully using Sebek on a new machine to monitor what happens AFTER a breach. 98% of what we've observed so far has not resulted in a breach, and when it has we've pulled the plug. Obviously for a honeypot we might ease back on the complexity of the passwords. This isn't just for curiosity. I want to research and document real attacks/compromises in high detail. That's why I wanted to use Sebek rather than just checking logs. I am open to advice from anyone who's used it, as it sounds like a good program for what I want to do.
Sounds like you've got everything pretty much mapped out already.
Instead of 'pulling the plug' when a breach happens, observe what the attacker does AFTER the breach. Watch what the attacker does to further compromise the machine: he/she may immediately change the password after getting in, then cleanse the logs of the breach, then start installing trojans that will allow him/her backdoors into the machine if the breach is discovered and remedied, then start installing key loggers and sniffers to capture valuable data.
When you start seeing any such activity such as the culprit launching DoS attacks against other networks or attempting to enlist other potential zombie machines, pull the plug then.
I don't think the objective of using a honeypot is to observe attempts then drop the connections when a breach occurs...if that's the case, plain ole snort or a HIDS would work better.