On Saturday 11 January 2003 08:49 am, Mark Weaver wrote:
> Lorne wrote:
> > On Friday 10 January 2003 11:13 am, Todd Lyons wrote:
> >> Lorne wrote on Fri, Jan 10, 2003 at 09:15:02AM -0700 :
> >>> I've run coyote-linux for 5 years now and have NEVER been hacked. That
> >>> is until September of 2002. I spoke with the author and he felt his
> >>> system was secure and it couldn't have been his LRP based firewall that
> >>> broke down. I DID have port 21 forwarded, so assumed it was the inside
> >>> box that got compromised via port 21. I took the inside box off line,
> >>> totally built it from scratch, hardened all boxes and made sure I had a
> >>> secure intranet. I then brought the firewall back up. Within a month
> >>> someone was poking around inside my intranet again. Now it seems that
> >>> it takes about 48 hours for them to get back in. So I've been rebooting
> >>> it every night until I can get my MNF box up. I believe there is some
> >>> buffer overflow or other vulnerability that hasn't been identified yet
> >>> with the LRP firewall system. So just a warning,
> >>
> >> Geez, you should be sitting there with tcpdump running nearly non-stop
> >> and logging to a separate host so that you can see exactly what is occurring.
> >> Get active and into it and you'll learn a LOT about security. You may
> >> _think_ you know a lot now, but when you watch a box getting 'sploited,
> >> and then pull the plug and figure it all out, you'll come out of it with
> >> some invaluable knowledge that you can put to use immediately!
> >
> > I prefer ethereal and sniffer pro and I have had really really limited
> > time here at home. I've been getting more and more into packet analysis
> > at work and it is pretty cool stuff. I've been to a couple of classes on
> > it. I've had snort running on Mandrake SNF and I'm putting the finishing
> > touches on MNF. It has snort. I'm putting tripwire on it now.
> >
> > What I REALLY would like to do is set up a honey pot and then I'm truly in
> > control and can watch with interest what is going on. I'm trying to talk
> > my boss into letting me set up a honey pot at work, but corporate is
> > against it. I need to talk to the fellow that is against it. I think he
> > is wrong. :)
>
> Why in the world would someone be "against" setting up a honeypot in
> defense of a network and all the mission critical data stored thereon?
> Yes, I understand that "honeypot" in and of itself does nothing to
> actually protect a network, but in the overall scheme it is a part of
> the process.
That is what I asked the director yesterday. He said the head dude is from the "CIA" and he has always been against it. ???? WTF!?!? My response was, I need to talk to this guy, because he either doesn't understand them or knows something profound I've never thought of or heard of. As I tried to explain to the director yesterday, there should never ever be any legitimate traffic to a honeypot, so if there is activity, it is going to be improper. Makes it pretty damned easy to catch activity on a busy network. Like you said, it isn't protection, but what a cool tool to trigger alarms, watch what they are doing, keep them busy until you figure out what is going on etc. :)
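The detection rule Lorne describes ("no legitimate traffic ever goes to a honeypot, so any hit is improper") is simple enough to run straight over firewall logs. The following is an added example, not code from the thread or from any of the firewall products mentioned in it: it reads netfilter-style LOG lines, flags every packet whose destination is a honeypot address, and separates hits coming from outside the perimeter from hits coming from an inside host (the case in the first post, where something was already "poking around inside my intranet"). The honeypot address, the internal network range and the log lines are all constructed for the example.

```python
"""Honeypot tripwire over netfilter-style firewall log lines (added example).

Rule implemented: any packet whose DST is a honeypot address is an alert.
No signature matching is needed because nothing legitimate should ever
talk to the honeypot.  Addresses and log lines below are assumptions
made up for this example, not data from the original thread.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical honeypot and internal addressing (assumptions for this example).
HONEYPOTS = {ipaddress.ip_address("192.168.1.250")}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in the netfilter LOG target format (not real traffic).
SAMPLE_LOG = """\
Jan 11 03:12:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40123 DPT=80
Jan 11 03:12:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.250 PROTO=TCP SPT=40124 DPT=21
Jan 11 03:12:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.250 PROTO=TCP SPT=40125 DPT=22
Jan 11 03:40:31 fw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.250 PROTO=TCP SPT=51002 DPT=139
Jan 11 03:41:02 fw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=51003 DPT=53
Jan 11 03:50:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.250 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_line(line):
    """Turn the KEY=VALUE tokens of a LOG line into a dict; None if it is not a LOG line."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def is_internal(addr):
    """True if the address belongs to one of our inside networks."""
    return any(addr in net for net in INTERNAL_NETS)


def honeypot_alerts(log_text):
    """Return one alert dict per log line whose destination is a honeypot."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except ValueError:
            continue  # malformed address, not a packet record we can use
        if dst not in HONEYPOTS:
            continue
        alerts.append({
            "src": str(src),
            "dst": str(dst),
            "proto": fields.get("PROTO", "?"),
            # ICMP and some other protocols carry no port fields.
            "dpt": int(fields["DPT"]) if "DPT" in fields else None,
            # A hit from an inside host means the attacker is already past the
            # perimeter, which is the worse case and deserves a louder alarm.
            "origin": "internal" if is_internal(src) else "external",
            "line": line,
        })
    return alerts


def summarize(alerts):
    """Collapse alerts per source: origin, distinct destination ports, hit count."""
    per_src = defaultdict(lambda: {"origin": None, "ports": set(), "hits": 0})
    for alert in alerts:
        entry = per_src[alert["src"]]
        entry["origin"] = alert["origin"]
        if alert["dpt"] is not None:
            entry["ports"].add(alert["dpt"])
        entry["hits"] += 1
    return {
        src: {"origin": e["origin"], "ports": sorted(e["ports"]), "hits": e["hits"]}
        for src, e in per_src.items()
    }


if __name__ == "__main__":
    for src, info in summarize(honeypot_alerts(SAMPLE_LOG)).items():
        print(f"ALERT {info['origin']:8s} {src:15s} hits={info['hits']} ports={info['ports']}")
```

Feed it the kernel log of the firewall (or the copy shipped to a separate log host, as Todd suggests) and every honeypot hit is an alert; the per-source summary is what you would page on, with internal origins ranked above external probes.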
