Report:September-2004
From Honeynet-PT
DEPLOYMENTS
We're currently running two Gen II honeynets at two different locations.
Honeynet 1:
- Linux Firewall/Sebek Database/Log Server
- Linux Bridge, with snort-inline and IPTables
- RedHat 7.3 with SSH, Sendmail, Samba and Portmapper
- Windows 2000 Server SP3, IIS
Honeynet 2:
- Linux Firewall/Sebek Database/Log Server
- Linux Bridge, with snort-inline and IPTables
- Solaris 9 fully patched and hardened
For further details, see the diagram at our website.
The MySQL Sebek database needs some structural optimization so that queries run in less time on large amounts of data.
Since we lack appropriate hardware for fast honeypot replacement, after each break-in our honeypots stay offline for as long as it takes us to analyse and reinstall them.
FINDINGS
The Windows 2000 honeypot was compromised twice over the past 6 months, both times via the DCOM vulnerability.
The RedHat 7.3 honeypot was also compromised twice, via Samba.
All compromises were "standard", with no particularly interesting tools or methods. The compromised honeypots were used to attack other systems and for IRC bouncing.
Since late July we've been seeing SSH brute-forcing attempts, with no successful compromises.
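The check behind the last finding, as an added example that is not part of the report and not the team's own tooling: sshd logs the brute-forcing described above as long runs of "Failed password" lines from one source, and the claim "no successful compromises" holds only if no such source ever got an "Accepted" line. The script below parses OpenSSH syslog lines (older releases, such as the one on the RedHat 7.3 honeypot, say "illegal user" where newer ones say "invalid user", so both are accepted), counts failures per source, and reports any flagged source that later logged in. All log lines are constructed for the example; the 10.0.0.9 entries are a made-up success case to show what a brute force that worked would look like, not something the report observed.

```python
"""Flag SSH password brute forcing in sshd syslog output and check whether
any flagged source obtained a successful login. Added example; the log lines
below are constructed, not the Honeynet-PT honeypots' real logs."""
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (hostname "rh73" is made up).
SAMPLE_LOG = """\
Jul 28 03:12:01 rh73 sshd[2107]: Failed password for illegal user test from 10.0.0.5 port 41233 ssh2
Jul 28 03:12:03 rh73 sshd[2108]: Failed password for illegal user guest from 10.0.0.5 port 41240 ssh2
Jul 28 03:12:05 rh73 sshd[2109]: Failed password for illegal user admin from 10.0.0.5 port 41251 ssh2
Jul 28 03:12:07 rh73 sshd[2110]: Failed password for root from 10.0.0.5 port 41260 ssh2
Jul 28 03:12:09 rh73 sshd[2111]: Failed password for root from 10.0.0.5 port 41266 ssh2
Jul 28 03:12:11 rh73 sshd[2112]: Failed password for root from 10.0.0.5 port 41270 ssh2
Jul 28 03:12:30 rh73 sshd[2119]: Accepted password for root from 192.168.1.20 port 50011 ssh2
Jul 28 04:01:00 rh73 sshd[2201]: Failed password for invalid user oracle from 10.0.0.9 port 33001 ssh2
Jul 28 04:01:02 rh73 sshd[2202]: Failed password for invalid user oracle from 10.0.0.9 port 33002 ssh2
Jul 28 04:01:04 rh73 sshd[2203]: Failed password for root from 10.0.0.9 port 33003 ssh2
Jul 28 04:01:06 rh73 sshd[2204]: Failed password for root from 10.0.0.9 port 33004 ssh2
Jul 28 04:01:08 rh73 sshd[2205]: Failed password for root from 10.0.0.9 port 33005 ssh2
Jul 28 04:01:10 rh73 sshd[2206]: Accepted password for root from 10.0.0.9 port 33006 ssh2
Jul 28 05:00:00 rh73 sshd[2300]: Failed password for root from 10.0.0.7 port 40000 ssh2
"""

# Matches both "Failed password for illegal user X" (old OpenSSH) and
# "Failed password for invalid user X" (newer OpenSSH), plus "Accepted" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_sshd_log(text):
    """Return one dict per recognised login attempt; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_bruteforce(events, threshold=5):
    """Group attempts by source IP and keep sources with >= threshold failures.

    Each flagged entry records the failure count, the usernames tried, and how
    many 'Accepted' logins the source obtained; any successes > 0 means the
    brute force worked and the honeypot must be treated as compromised.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "successes": 0})
    for ev in events:
        rec = per_ip[ev["ip"]]
        if ev["result"] == "Failed":
            rec["failures"] += 1
            rec["users"].add(ev["user"])
        else:
            rec["successes"] += 1
    return {ip: rec for ip, rec in per_ip.items() if rec["failures"] >= threshold}


def report(text, threshold=5):
    """One summary line per flagged source, with a verdict on whether it got in."""
    flagged = find_bruteforce(parse_sshd_log(text), threshold)
    lines = []
    for ip, rec in sorted(flagged.items()):
        verdict = "COMPROMISED" if rec["successes"] else "no success"
        lines.append("%s: %d failures, users=%s, %s"
                     % (ip, rec["failures"], sorted(rec["users"]), verdict))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The threshold of five failures is an assumption for the example; on a honeypot any failed password attempt is suspicious, so in practice it can be set to 1 and the interesting field is the list of usernames tried.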
MISC ACTIVITIES
We're developing tools to centralize our honeynets, reducing the hardware needed per honeypot deployment. We'll tunnel Ethernet over IP to our NOC, where a single honeynet core (one firewall, one bridge and one database/log server) will be located. This will let us receive traffic from remote locations on several ISPs that have already agreed to provide us IP address space and colocation. We've tested this architecture with great success with two honeypots, using Dan Kaminsky's linkcat together with SSH tunnels, which give us an encrypted channel to move traffic in and out of the core honeynet.
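The core of the Ethernet-over-IP approach, as an added example that is neither the team's tool nor linkcat's actual wire format: each raw Ethernet frame captured on the remote honeypot's interface is length-prefixed and written to a byte stream, the stream is carried to the NOC (over an SSH port-forward in the real deployment), and the NOC side splits it back into frames to inject on the bridge. The code below is a constructed stand-in for that framing layer; raw-socket capture and injection are left out so it runs unprivileged, a socketpair stands in for the SSH tunnel, the sample frames and MAC addresses are made up, and the 1518-byte frame limit assumes standard 802.3 frames without jumbo frames.

```python
"""Ethernet-over-TCP framing for a centralized honeynet. Added example, not
the Honeynet-PT tool and not linkcat's format: a 16-bit length prefix per
frame, decoded on the NOC side with resynchronisation checks."""
import socket
import struct

ETH_HDR_LEN = 14
MAX_FRAME = 1518  # assumption: standard 802.3 frames without FCS, no jumbo frames

# Constructed sample frames (not captured traffic): a broadcast ARP request and
# an IPv4 frame from a honeypot with a made-up MAC address.
HONEYPOT_MAC = bytes.fromhex("001122334455")
ARP_REQUEST = b"\xff" * 6 + HONEYPOT_MAC + struct.pack("!H", 0x0806) + bytes(46)
IP_FRAME = bytes.fromhex("00aabbccddee") + HONEYPOT_MAC + struct.pack("!H", 0x0800) + bytes(range(100))


def encode_frame(frame):
    """Prefix one raw Ethernet frame with a 16-bit big-endian length."""
    if not ETH_HDR_LEN <= len(frame) <= MAX_FRAME:
        raise ValueError("refusing to encapsulate frame of length %d" % len(frame))
    return struct.pack("!H", len(frame)) + frame


def decode_stream(buf):
    """Split a byte stream into complete frames; return (frames, leftover).

    A length outside the Ethernet range means the stream has lost sync (or the
    tunnel is being fed garbage), so fail loudly instead of injecting junk.
    """
    frames = []
    while len(buf) >= 2:
        (n,) = struct.unpack("!H", buf[:2])
        if not ETH_HDR_LEN <= n <= MAX_FRAME:
            raise ValueError("corrupt length prefix %d, stream out of sync" % n)
        if len(buf) < 2 + n:
            break  # wait for the rest of this frame
        frames.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return frames, buf


def ethernet_header(frame):
    """Parse dst MAC, src MAC and EtherType so the NOC side can sanity-check frames."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": etype}


def relay_through_tunnel(frames, chunk=7):
    """Push frames through a socketpair (stand-in for the SSH tunnel) and read
    them back in small chunks, which exercises frames split across reads."""
    honeypot_side, noc_side = socket.socketpair()
    received, pending = [], b""
    try:
        for f in frames:
            honeypot_side.sendall(encode_frame(f))
        honeypot_side.shutdown(socket.SHUT_WR)
        while True:
            data = noc_side.recv(chunk)
            if not data:
                break
            pending += data
            done, pending = decode_stream(pending)
            received.extend(done)
    finally:
        honeypot_side.close()
        noc_side.close()
    if pending:
        raise ValueError("tunnel closed mid-frame, %d bytes left" % len(pending))
    return received


if __name__ == "__main__":
    for f in relay_through_tunnel([ARP_REQUEST, IP_FRAME]):
        h = ethernet_header(f)
        print("%s -> %s type 0x%04x len %d" % (h["src"], h["dst"], h["ethertype"], len(f)))
```

The length check in decode_stream is the part worth keeping whatever tool carries the frames: a tunnel that silently resynchronises on garbage would inject corrupt frames into the core bridge, and the SSH tunnel only protects the bytes in transit, not what the remote end chooses to send.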
ORGANIZATIONAL
We're still looking for other Portuguese researchers to join us, so we can increase the number of honeypots and findings.
LESSONS LEARNED
- Keep an image of an uncompromised system, for faster replacement of the honeypot.
- Don't run honeypots in the attic in the summer without air conditioning. The hardware will fail.
- Don't buy very cheap hardware at the local computer junkyard.
FUTURE GOALS
- Reduce the time spent replacing honeypots (this will come after acquiring bigger hard drives for the disk dumps needed for forensics, and deploying our centralized architecture).
- Internal Wiki for our team to share ideas, and projects.
- Deploy our distributed architecture using Ethernet tunneling to production.
- Release a paper and tools for the ethernet tunneling approach.
