Auto ACL blocker

We are looking for the following solution.

Honey pot that collects attacks against SSH/FTP and so on

Said attacks are then sent to a master ACL on an edge Cisco router to block all traffic from these offenders.

Of course we would require a master whitelist as well, so that we are not blocked from our own networks.

Any current solutions or ideas ??

Dionaea (Nepenthes successor) and Kippo (SSH honeypot) are a good start for the honeypot side.

http://carnivore.it/

http://dionaea.carnivore.it/

http://code.google.com/p/kippo/

Watching the tty logs in kippo is great entertainment. Perfect way to collect the skiddies tools.

As far as the automation of ACLs goes, if you find a script out in the wild please share. I do know of the following Snort to Cisco PIX Perl script. Hope this helps.

http://www.chaotic.org/guardian/
http://www.chaotic.org/guardian/scripts/pix-block.pl

Regards,
Ruben Guerra

This sort of thing can be gamed by attackers to cause DoS on your network/for your users/for others trying to access resources on your network. It's a Bad Idea.

Set up S/RTBH and do it by hand.

send/expect?

Private BGP session with Zebra or Quagga on a linux box
adding the selected IP to a null route.

I would consider doing it through BGP via quagga or such. Nullrouting with BGP is much cleaner than ACLs as your config stays static and only your routing table changes. I also imagine due to existing BGP blacklisting methods, that much of the work is already done and all you need is to get the honeypot to export the right format.

Brian,

Have you thought about what a bad guy might do if he knew that you had such a policy deployed? Is there a way that the bad guy might turn the policy against you?

Ron

Ron,

I am sure any solution, given enough time, could be used against you. However, my hope was that a whitelist could help in that regard; I know you're correct, though.

A good start from the honeypot would be sshguard. I'm sure that it could be adapted to script out an ACL or such; as well, in my usage of it, it has timed values to release the block after X_amount_of_time.

I'd be curious as to what other(s) you find for this.

-Joe Blanchard
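As an added example (not from anyone in this thread), the flow the original post asks for, with the whitelist it requires and the timed release Joe mentions: honeypot failed-login records in, Cisco IOS ACL text out. The log format, prefixes, threshold and TTL are assumed sample values.

```python
"""Honeypot failed logins -> Cisco IOS ACL, with whitelist and timed release."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a Kippo-like shape: date, time, ..., source IP.
SAMPLE_LOG = """\
2011-01-18 20:01:02 login attempt [root/123456] failed 203.0.113.7
2011-01-18 20:01:09 login attempt [root/password] failed 203.0.113.7
2011-01-18 20:01:15 login attempt [admin/admin] failed 203.0.113.7
2011-01-18 20:05:44 login attempt [root/toor] failed 192.0.2.55
2011-01-18 19:00:00 login attempt [test/test] failed 198.51.100.9
2011-01-18 19:00:01 login attempt [test/test] failed 198.51.100.9
2011-01-18 19:00:02 login attempt [test/test] failed 198.51.100.9
2011-01-18 20:10:00 login attempt [root/root] failed 10.20.0.4
"""
# Assumed values: our own prefixes (never blocked), block threshold and TTL.
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
THRESHOLD = 3                    # failed attempts before a source is denied
BLOCK_TTL = timedelta(hours=1)   # release the block after X amount of time
NOW = datetime(2011, 1, 18, 20, 30, 0)  # fixed "current time" for the sample

def parse_log(text):
    """Yield (timestamp, ip) for every failed-login line."""
    for line in text.splitlines():
        parts = line.split()
        if "failed" in parts:
            ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            yield ts, ipaddress.ip_address(parts[-1])

def offenders(records, now=NOW, threshold=THRESHOLD, ttl=BLOCK_TTL):
    """Sources with >= threshold hits inside the TTL window, whitelist excluded."""
    counts = defaultdict(int)
    for ts, ip in records:
        if any(ip in net for net in WHITELIST):
            continue                       # own networks are never candidates
        if now - ts <= ttl:                # older hits have aged out
            counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def build_acl(ips, name="HONEYPOT-BLOCK"):
    """Render an IOS named extended ACL: one deny per offender, then permit."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip host {ip} any" for ip in ips]
    lines.append(" permit ip any any")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_acl(offenders(parse_log(SAMPLE_LOG))))
```

Re-running this on a schedule regenerates the whole ACL, so an address drops out on its own once its last hit is older than the TTL.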

We have used this solution for some time and find it works pretty well.

http://www.rfxn.com/projects/

However, we need to find a way to pass this info off to a router. This project used to hold promise, however it's dead now.

www.ipblocker.org

From: Larry Smith [mailto:lesmith@ecsis.net]
Sent: Tuesday, January 18, 2011 8:32 PM

> We are looking for the following solution.
>
> Honey pot that collects attacks against SSH/FTP and so on
>
> Said attacks are then sent to a master ACL on a edge Cisco router to block all traffic from these offenders ..
>
> Of course we would require a master whitelist as well as to not be blocked from our own networks.
>
> Any current solutions or ideas ??

> Private BGP session with Zebra or Quagga on a linux box
> adding the selected IP to a null route.

As we currently do it by putting new rules automatically into firewalls (iptables), it should be easy to change it a little bit, I think. After the change it should be able to put rules into Zebra/Quagga (or something similar based on Linux/Unix). As long as telnet access is available it should also be doable to put them automatically into routers without the need of a setup with BGP and Zebra/Quagga.

We are currently looking for ways to increase the list with "abusive" systems to block.

If someone wants to work together with us on increasing the mentioned options, feel free to contact me off-list. How we get the data currently (from multiple sources) or how the process currently works isn't something I can mention here (at least not the details).

Regards, Mark

Also, have you considered just using the Spamhaus DROP list? They even have code available to push the list to IOS. You could simply substitute your file for their list if you only want to use IPs caught by your honeypot.

http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ

I know Spamhaus doesn't offer a BGP feed of the DROP list. Has anyone made a homegrown solution?

There is a PHP script that pulls the DROP list and makes a Cisco ACL or iptables rules.

http://www.potato-people.com/code/misctools/spamhausdrop.phps

"DROP is currently available only as a simple text list but may be available in the future by BGP, announced via an Autonomous System Number (ASN). DROP users could then choose to peer with that ASN to null those prefixes as being ranges for which they do not wish to route traffic."

I considered giving it a shot until I read that. It doesn't seem very difficult, but I don't have the free time to work on things that someone else claims are coming. I also don't have a spare ASN to share it externally, which would be the ultimate goal, like the Cymru bogon peering.

LOL.. oops.. I guess I could just use 65xxx.