A honeypot is a system with vulnerable services left publicly accessible for the purpose of collecting data about intrusions and attacks. It usually has some kind of safeguards to prevent the complete takeover of the system.
Questions tagged [honeypot] (19 questions)
10 votes, 10 answers
Setting up a fake email address to trap spammers
I have heard it suggested that we set up a special email address, with its only purpose being to be harvested. Then blacklisting every sender that targets this address.
I'm wondering:
if anyone else has tried this
how do you go about doing it (ie…
Brent
7 votes, 1 answer
How to forward FTP requests to another IP?
I have a VMware: 10.10.10.1, a Linux in VMware (Guest): 10.10.10.128 and a honeypot on Guest: 10.10.10.15, and my Windows (Host): 192.168.1.11. I can send FTP requests directly from my Host to honeypot and the connection is established. Now I want…
ThisIsMe
5 votes, 3 answers
Setting up a Honeypot in an Enterprise Environment
I'm interested to see if anyone here who administers a large environment (200-500 Servers), and has a very large public customer base (100,000+), has set up (or has at least considered setting up) a honeypot? I'm specially interested for those that…
Xerxes
4 votes, 4 answers
Providing DNS redirection to honeypot server for known bad domains
Currently running BIND on RHEL 5.4 and am looking for a more efficient manner of providing DNS redirection to a honeypot server for a large (30,000+) list of forbidden domains.
Our current solution for this requirement is to include a file…
syn-
3 votes, 1 answer
Is there any useful/funny HTTP redirect for all those vulnerability probes?
I'm sure your HTTP logs, like mine, are full of 404 errors of various probes for common vulnerabilities and such:
File does not exist: /www/XXXXXX.XX/data/email
File does not exist: /www/XXXXXX.XX/data/exchange
File does not exist:…
Luke404
2 votes, 2 answers
Rejecting traffic where ACCEPT header is empty on favicon.ico requests
As part of filtering out potential harmful traffic, I currently reject traffic where $_SERVER["HTTP_ACCEPT"] is empty.
I notice from my logs that a fair number of requests have been rejected due to the accept header being empty and some of them come…
mseifert
2 votes, 2 answers
Has anyone ever tried to collect passwords and user logins from ssh-attacks?
I guess it should be easily possible to open the ssh port with a fake ssh server and collect passes (I guess they aren't plain anymore and became hashes) and corresponding logins, e.g. a honey-pot. The idea behind that is to build a database and…
math
1 vote, 2 answers
Prevent using spam trap e-mail address on registration
I am running a website where the users register using their e-mail addresses and receive a confirmation code before they can log in. (After this every contact is opt-in.)
Every now and then some user uses an e-mail address that does not belong to…
Gábor Héja
1 vote, 3 answers
How to have sshd write passwords associated with login attempts in logs?
I would like to gather common login/password pairs.
Currently, I have this in my system.log file:
sshd[9117]: error: PAM: authentication error for root from localhost via ::1
How can I have the password inside the logs?
Edit: this is for my…
alecail
1 vote, 1 answer
Better place to redirect spam than black hole?
I use throwaway email addresses of the form sitename@mydomain.com whenever I sign up to newsletters. When I get spam to them I unsubscribe from the newsletter and forward them to ":blackhole:". Is there somewhere I could forward them to instead that…
Sam Hasler
1 vote, 0 answers
HIDS: Need a trip wire for a honeypot, best approach?
We run a small VPS hosting company, each VPS is based on a fixed 18.04 template.
We run a honeypot, a fallow server, to verify the template continues to be secure. We look at it probably once a month seeing what has changed, any intrusion of any…
DaBuddha
0 votes, 1 answer
Installed Kippo on a remote machine, can't get the root access back
This seems to be a foolish question, so I recently tried to install Kippo to my server (DigitalOcean).
I logged in to the server using PuTTY, configured the honeypot etc. until it's working. Then the connection suddenly closed.
So every time is SSHd…
Adam
0 votes, 1 answer
Beeswarm Honeypot Setup
I am working on a POC of Beeswarm and I'm running into an issue with connecting the drone. For the basic setup, I have the server working fine and I can access it via https://X.X.X.X:5000 (I get a certificate error due to accepting the defaults).…
Eric
0 votes, 2 answers
Throw brute-forcers into a honeypot, but still allow real SSH logins?
So just for fun I opened up SSH to the world and a few bots have latched on to my server (unsuccessfully trying to log in by password). But of course this fills up the logs.
I've attempted to use DenyHosts, but somehow it's not really working, so I…
Tsaukpaetra
0 votes, 4 answers
Temporarily banning IPs for accessing certain ports
One of my server logs showed there was an unauthorized access attempt on a daemon listening on a non-standard port. That led me to wonder how often people run port scanners to look for vulnerabilities. Is there a program I can run as a honeypot to…
Lin