User Tools

Site Tools


Minipot - the fake servers

It is possible to emulate some of the often attacked services. The goal is to catch the attacker red-handed, when they think they attack a real service. It is possible to analyze the attackers' behavior if they get caught.

The fake servers are fully voluntary part of the system. It is up to you if you want to participate. However, the data are valuable for the analysis.

The emulated services

Currently, Turris OS offers two kinds of emulated services, which have different approach to how they act. There's the SSH honeypot, which emulates a whole login session. The other kind emulates only minimal subset of each protocol, answering „bad password“ to each attempt to log in.

Currently there are:

  • Telnet (ports 23 and 2323)
  • HTTP server (port 80)
  • HTTP proxy (ports 3128, 8080, 8123)

The configuration

The collection can be configured on the Data collection tab in the Foris interface. After you enable data collection, you can configure the minipots. By default only IP addresses, times of the attacks and the accessed resource addresses are stored. This allows to find and mark active attackers. You can enable the Collect credentials option if you want to store the username and password sent by the attacker in addition to the IP addresses. This allows to, for example, group the attackers using the same list of credentials, therefore are likely to be under the control of the same subject.

It is also possible to disable the minipot on service by service basis.

Interaction with the real services

If you already have the real service running, the emulated one will not try to displace it. It also doesn't take over in case the port is redirected to another computer. The emulated service is active only if the connection would be rejected otherwise.

However, as the part of the system detecting this is rather complex, we would like to know in case it doesn't act as expected.

Security considerations

It is impossible for the attacker to guess a correct password and be let inside the service, since the emulated services have no correct password and no „inside“ exists.

On the other hand, it is another service running and available from the Internet which may, in theory, contain an exploitable error.

Furthermore, if you allow it to store the login credentials and try to log in with real credentials by accident (thinking it is another, real, service), they get stored to the DB. However, as the services emulated are not encrypted, there never was a guarantee the password would be safe in the first place.

A bit of the technical details

This section is probably of interest to the technically experienced users.

The decision if an incoming connection ends up in the emulated service or somewhere else is done in the firewall. Two things are needed for this to work. First, the emulated service runs on some other port (it is a port higher by 1369 than the real port by default – if telnet is port 23, the emulated one listens on port 1392). Furthermore, two bits of the packet mark (the mark module of `iptables`) are used during the selection. By default it's the two bits selected by the 0xC0000 mask. It is possible to change these values in /etc/config/ucollect in the rare case of collisions with something else.

Further details can be found at https://gitlab.labs.nic.cz/turris/ucollect/blob/master/src/plugins/fake/fake.txt, documentation about the firewall is at https://gitlab.labs.nic.cz/turris/ucollect/blob/master/src/plugins/fake/fake_firewall.txt. And, obviously, in the code.