A while ago I was interested in a similar idea. I wrote a small program to
act as root's shell, then changed root's password to root.
One of the first accounts they try is root:root.
This led to the totally self-automated site http://gnook.org/root/
You can see some of them have many more attempts after root:root while
others try it first. I also tried mailing the abuse@ from whois with the
logs I collected, but it was a pain to automate and I didn't want to do it
manually.
I've stopped running root:root and have instead settled for guest:guest,
which gives this: http://gnook.org/~guest/
But obviously I can't get the same results, as guest can't access
/var/log/authlog etc.
sbr.
On Wed, 1 Jun 2005, Myk Taylor wrote:
With OpenBSD 3.7 I can finally easily detect and block those annoying
ssh scanning zombies with the following pf rule:
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
flags S/SA keep state (max-src-conn-rate 5/60, \
overload <zombies> flush global)
then I can block all IPs in the <zombies> table (I automatically phase
IPs out of the table after a couple days in daily.local). This is all
fine and good for my server, but I'd rather tarpit the suckers instead
of blocking them outright after 5 connections. It would be easy to rdr
them to a tarpit process, but I haven't seen any tarpits on the web that
simulate ssh servers.
I think ideally there could be a public honeypot server somewhere I
could redirect them to, where their IPs and activity could be centrally
logged and email could be automatically sent to the abuse@ address in
the whois(1) entry. I'm doing this manually for the ~2 zombies daily I
discover, but it's a bit tedious.
So what's the best solution here? Is there a better way than hacking
the sshd source to unconditionally sleep for 20s and return failure?
--myk
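The overload behaviour of the pf rule above (max-src-conn-rate 5/60 feeding the <zombies> table, phased out again from daily.local) replayed in Python over a constructed connection log. This is an added illustration, not code from either poster; it approximates pf's accounting with a sliding window (pf's own counter works on fixed intervals) and mirrors the table expiry that `pfctl -t zombies -T expire 172800` would perform.

```python
from collections import defaultdict, deque

# Parameters copied from the pf rule in the thread: max-src-conn-rate 5/60.
MAX_CONN = 5
WINDOW_SECONDS = 60
# "A couple days" retention for the <zombies> table, as daily.local would enforce.
EXPIRE_AFTER = 2 * 86400

# Constructed sample of new inbound SSH connections as (unix time, source IP).
# 203.0.113.7 behaves like a scanner, 198.51.100.4 like a normal user, and
# 192.0.2.9 makes five connections, then a sixth only after the window passed.
SAMPLE_CONNECTIONS = [
    (0, "198.51.100.4"),
    (1, "203.0.113.7"), (3, "203.0.113.7"), (5, "203.0.113.7"),
    (8, "203.0.113.7"), (12, "203.0.113.7"), (15, "203.0.113.7"),
    (30, "198.51.100.4"), (300, "198.51.100.4"),
    (100, "192.0.2.9"), (101, "192.0.2.9"), (102, "192.0.2.9"),
    (103, "192.0.2.9"), (104, "192.0.2.9"), (170, "192.0.2.9"),
]


def find_zombies(connections, max_conn=MAX_CONN, window=WINDOW_SECONDS):
    """Replay connections in time order; return {ip: time it was overloaded}.

    A source that opens more than max_conn connections within `window`
    seconds is added to the overload table (pf trips on limit < count, i.e.
    the sixth connection for 5/60). Once listed, later attempts are ignored,
    which is what "flush global" plus a block rule on the table achieves.
    """
    recent = defaultdict(deque)
    zombies = {}
    for ts, ip in sorted(connections):
        if ip in zombies:
            continue
        q = recent[ip]
        while q and ts - q[0] >= window:   # drop attempts outside the window
            q.popleft()
        q.append(ts)
        if len(q) > max_conn:
            zombies[ip] = ts
    return zombies


def expire_zombies(zombies, now, max_age=EXPIRE_AFTER):
    """Drop table entries older than max_age, like 'pfctl -T expire' daily."""
    return {ip: added for ip, added in zombies.items() if now - added < max_age}
```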