On 09.06.2013 05:08, Todd Lyons wrote:
On Fri, Jun 7, 2013 at 7:42 AM, Ian Eiloart <[email protected]> wrote:
Suppose we reconfigured servers with no authentication configuration to 
advertise that they take authentication and that you have a fake authenticator 
that accepts any password.
It might be better to accept only, say, 1% of authentication attempts. That 
would prevent the hacker from trivially detecting your trap (by authenticating 
to the same account with two different passwords).
Even better: accept that 1%, store that info, and then wait for IPs
to connect using that username and password combination (and either
reject it or blackhole it, your choice) and use long delays for
systems that connect with that user/pass combo.


One small problem with that: if you accept 1% of all connections, you have to make sure that already authenticated username/password combos are not rejected. Anyone would notice if try #1 succeeds and #2, #3, #4, #5 do not.

Honeypots aren't that simple to set up :)

Marius
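
Added example (not part of the original thread, and not Exim configuration): one way to get the consistency Marius describes is to derive the accept/reject verdict from a keyed hash of the username/password pair, so that roughly 1% of pairs are accepted and a given pair always gets the same answer. The class and method names are hypothetical, and wiring this into an Exim authenticator is not shown.

```python
import hashlib
import hmac
import secrets


class HoneypotAuth:
    """Fake authenticator: accepts a fixed ~1% of username/password pairs."""

    def __init__(self, key=None, accept_rate=0.01):
        # Secret key: without it, nobody can predict which pairs are accepted.
        self.key = key or secrets.token_bytes(32)
        self.threshold = int(accept_rate * 2**64)
        self.trapped = {}  # keyed digest of an accepted pair -> source IPs seen

    def _digest(self, user, password):
        u = user.encode()
        # Length-prefix the username so ("ab", "c") and ("a", "bc") differ.
        msg = len(u).to_bytes(4, "big") + u + password.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def check(self, user, password, ip):
        """Same pair always gets the same verdict, whatever the try number."""
        d = self._digest(user, password)
        accepted = int.from_bytes(d[:8], "big") < self.threshold
        if accepted:
            # Remember who used an accepted pair, for later delays or blackholing.
            self.trapped.setdefault(d, set()).add(ip)
        return accepted

    def sources_for(self, user, password):
        """Source IPs that have presented this pair, if it is an accepted one."""
        return set(self.trapped.get(self._digest(user, password), ()))


if __name__ == "__main__":
    hp = HoneypotAuth()
    # Constructed sample attempts; addresses are from documentation ranges.
    pairs = [("user%d" % i, "pw%d" % i) for i in range(5000)]
    hits = [pr for pr in pairs if hp.check(pr[0], pr[1], "192.0.2.10")]
    print("accepted %d of %d pairs" % (len(hits), len(pairs)))
    for user, pw in hits[:3]:
        # A retry from another address gets the same verdict and is recorded.
        assert hp.check(user, pw, "198.51.100.20")
        print(user, sorted(hp.sources_for(user, pw)))
```

Only a keyed digest of each accepted pair is kept, so the trap table does not hold plaintext passwords; the key has to persist across restarts for verdicts to stay stable.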
