Differences

This shows you the differences between two versions of the page.

en:howto:minipot [2016/10/07 13:56]
mvaner created
en:howto:minipot [2017/01/10 16:57] (current)
mvaner More minipot services
Line 9: Line 9:
 ===== The emulated services ===== ===== The emulated services =====
  
-Currently, Turris OS offers two kinds of emulated services, which have different approach to how they act. There'​s the [[en:​howto:​ssh_honeypot|SSH honeypot]], which emulates a whole login session. The other kind emulates only minimal subset of each protocol, answering „bad password“ to each attempt to log in. There'​s only telnet emulation in the second kind, but more are coming soon.+Currently, Turris OS offers two kinds of emulated services, which have different approach to how they act. There'​s the [[en:​howto:​ssh_honeypot|SSH honeypot]], which emulates a whole login session. The other kind emulates only minimal subset of each protocol, answering „bad password“ to each attempt to log in. 
 + 
 +Currently there are
 + 
 +   * Telnet (ports 23 and 2323) 
 +   * HTTP server (port 80) 
 +   * HTTP proxy (ports 3128, 8080, 8123)
  
 ===== The configuration ===== ===== The configuration =====
  
-The collection can be configured on the //Data collection//​ tab in [[en:​howto:​foris|the Foris interface]]. After you enable data [[en:​howto:​collect|collection]],​ you can configure the minipots. By default only IP addresses ​and times of the attacks are stored. This allows to find and mark active attackers. You can enable the //Collect credentials//​ option if you want to store the username and password sent by the attacker in addition to the IP addresses. This allows to, for example, group the attackers using the same list of credentials,​ therefore are likely to be under the control of the same subject.+The collection can be configured on the //Data collection//​ tab in [[en:​howto:​foris|the Foris interface]]. After you enable data [[en:​howto:​collect|collection]],​ you can configure the minipots. By default only IP addressestimes of the attacks ​and the accessed resource addresses ​are stored. This allows to find and mark active attackers. You can enable the //Collect credentials//​ option if you want to store the username and password sent by the attacker in addition to the IP addresses. This allows to, for example, group the attackers using the same list of credentials,​ therefore are likely to be under the control of the same subject.
  
 It is also possible to disable the minipot on service by service basis. It is also possible to disable the minipot on service by service basis.
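Review bot: the new text of the configuration paragraph lost its comma, so the default-storage sentence now reads "By default only IP addressestimes of the attacks and the accessed resource addresses are stored"; it should read "By default only IP addresses, times of the attacks and the accessed resource addresses are stored". Since this revision adds the HTTP server and HTTP proxy minipots, it would also help to say what "accessed resource addresses" means for them (the requested URL), so the reader knows exactly which data is stored before enabling the //Collect credentials// option. Two smaller points in the same hunk: "Currently there are" dangles before the list and reads better as "Currently there are these minipots:", and the unchanged opening sentence is missing articles ("have a different approach", "emulates only a minimal subset").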
Line 22: Line 28:
 If you already have the real service running, the emulated one will not try to displace it. It also doesn'​t take over in case the port is redirected to another computer. The emulated service is active only if the connection would be rejected otherwise. If you already have the real service running, the emulated one will not try to displace it. It also doesn'​t take over in case the port is redirected to another computer. The emulated service is active only if the connection would be rejected otherwise.
  
-However, as the part of the system detecting is rather complex, we would like to know in case it doesn'​t act as expected.+However, as the part of the system detecting ​this is rather complex, we would like to know in case it doesn'​t act as expected.
  
 ===== Security considerations ===== ===== Security considerations =====
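Review bot: the changed sentence "we would like to know in case it doesn't act as expected" still gives the reader no way to report such a case; add where to report it (the support address or the issue tracker used for Turris OS). The inserted "this" is also vague on its own; tying it to the preceding context line, for example "the part of the system detecting whether the connection would otherwise be rejected is rather complex", tells the reader which misbehaviour is worth reporting (a minipot answering on a port where a real service or a redirect exists, or staying silent where the connection would be rejected).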