Date:      Sat, 18 Sep 2004 18:37:44 +0200
From:      Patrick Proniewski <patpro@patpro.net>
To:        brain@winbot.co.uk, Liste FreeBSD-security <freebsd-security@FreeBSD.ORG>
Subject:   Re: Attacks on ssh port
Message-ID:  <10CB0925-0991-11D9-AE98-000D93B1A412@patpro.net>
In-Reply-To: <E1C8fre-000EPt-VB@brainbox.winbot.co.uk>
References:  <E1C8fre-000EPt-VB@brainbox.winbot.co.uk>

On 18 sept. 2004, at 15:05, Craig Edwards wrote:

> As I've read, this is an attack from some kiddie trying to build a
> floodnet.
>
> Records show that most of the compromised boxes are Linux machines
> which end up having the SucKIT rootkit and an EnergyMech installed on
> them. I don't know if the attacker has ever gotten into a FreeBSD
> machine and what they'd do if they did.
>
> On my machines I have a dummy shell which APPEARS to be a successful
> login but just returns weird errors (such as "Segmentation Fault") or
> bad data for all commands that are issued, while also logging their
> commands. I'm tempted to put this on the 'test' account and let them in
> on this shell to see what is attempted. Just to clarify, if I did such
> a thing there's no way for them to break out of the shell, right? It's a
> simple Perl script, so if the Perl script ends, they're logged off?
> This is what I expect to happen, however I don't want to risk it unless
> it's 100% safe... And just to clarify again, all commands that are
> issued from this fake shell never reach the REAL OS; even "uname"
> returns a Red Hat 7.2 string when the real machine is actually FreeBSD
> 5...
>


I wouldn't do that if I were you. I think it's more interesting and
safe to create a full jailed system, with a honeypot running in this
jail (but well, a honeypot has to be legal in your country, and that is
not the case everywhere).

patpro
-- 
I'm looking for a Mac/UNIX sysadmin position
http://patpro.net/cv.php
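The jailed honeypot patpro recommends, as an added configuration example that is not part of this thread or of any poster's setup: a jail.conf(5) entry (a format from later FreeBSD releases; the equivalent at the time of this 2004 thread was the jail_* variables in rc.conf) that confines the honeypot to its own directory tree and IP address and turns off the jail privileges that a captured system would otherwise keep. The jail name, path, hostname, address, interface and devfs ruleset number are placeholders to be adapted to the host.

```conf
# /etc/jail.conf -- one isolated honeypot jail (example; values are placeholders)
honeypot {
    # A complete base system installed under this tree; nothing from the
    # host's / is visible inside the jail.
    path = "/usr/jails/honeypot";
    host.hostname = "honeypot.example.net";

    # The jail gets its own address on the host interface, so the real
    # sshd on the host can keep listening on a different address.
    interface = "em0";
    ip4.addr = "192.0.2.10";

    # Normal rc startup/shutdown inside the jail.
    exec.start = "/bin/sh /etc/rc";
    exec.stop  = "/bin/sh /etc/rc.shutdown";
    exec.clean;

    # Minimal /dev: ruleset 4 is devfsrules_jail from /etc/defaults/devfs.rules.
    mount.devfs;
    devfs_ruleset = 4;

    # Deny the capabilities an intruder would want after a login:
    allow.raw_sockets = 0;    # no crafted packets / flood tools from the jail
    allow.set_hostname = 0;   # cannot rename the jail
    allow.chflags = 0;        # cannot clear immutable flags
    allow.mount = 0;          # no mounts from inside
    enforce_statfs = 2;       # hide host mount points
    securelevel = 3;          # kernel secure level pinned high inside the jail
    children.max = 0;         # no nested jails
}
```

Start it with `jail -c honeypot` and confirm the parameters took effect with `jls -j honeypot -n`; the logging Craig wants is then done by the jailed sshd and syslog writing into the jail's own /var/log, which the host can read from /usr/jails/honeypot/var/log without anything in the jail being able to reach the host.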



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?10CB0925-0991-11D9-AE98-000D93B1A412>