Re: using pf for honey pots
- From: jKILLSPAM.schipper@xxxxxxxxxx
- Date: 23 Jun 2006 23:01:22 GMT
Gary <garyd@xxxxxxxxxxxxxxx> wrote:
> It's been a while since I've used pf extensively but I'm having trouble
> sorting this one out. Is there a mailing list for pf users, btw? I'm
> currently trying to get Tillman Werner's honeytrap[1] to compile but until
> that's ready, I've come up with something else equally amusing.
net/honeyd comes to mind, as does spamd(8).
> In the mean time, I've taken an unpatched install of Windows XP Home SP1,
> installed it under VMware, ...
You *do* know that VMWare might or might not actually succeed in
properly separating host and guest OS? See, for example, the list of
problems at <http://www.frsirt.com/english/vendor/3760>.
To be fair, this is something that is decidedly non-trivial, and VMWare
seems to do no worse a job than any of its (Open Source or not)
competitors. It's far from flawless, though, and a dedicated honey box
makes sense.
> ... and am fwd'ing several ports to it. I was
> having trouble singling out VM's IP to block its outbound traffic so my
> temporary workaround was to run the Cisco VPN client which has a ZoneAlarm
> engine packed with it. If I turn on the ZA firewall, traffic to/from the
> guest OS works but traffic to the virtual is inbound only since ZA blocks
> all outbound traffic from it. The end result is a lot of scans and failed
> attempts by various bots, kiddies, and knuckleheads w/ no real results. No
> spamming, either. A recent-rev nmap scan will still show it's
> fronted by a 3.X version of OpenBSD, however. I've also fwd'd a couple of
> common exploits to other ports just to confuse them. Attached below is my
> pf.conf.
Firewalling within the vulnerable host doesn't really help, as you know.
However, I have no clue how VMWare does networking, but I'll just
continue.
> My goal is to try to limit the virtual honey pot's outbound access to a
> small handful of ports to prevent, among other things, spam, etc. But I
> only seem to be able to block all traffic or none -- hence the ZA workaround in
> the interim. Any feedback would be most welcome.
> -Gary
> ext_if="hme0"
> int_if="xl0"
> localnet = $int_if:network
> # pot fulla honey!
> winbox="172.16.75.30/32"
> winports="{135,139,445,1025,5000}"
> client_out="{ftp-data,ftp,ssh,domain,nntp,http,https}"
You are aware that ftp-data is handled quite well by ftp-proxy, and that
ssh brute force attacks are pretty much the most common attack seen by
*NIX admins nowadays, right?
> set skip on lo
> scrub in
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> # I smell honey -- do you?
> rdr on $ext_if proto tcp from !$localnet to $ext_if port $winports -> $winbox
> rdr on $ext_if proto udp from !$localnet to $ext_if port $winports -> $winbox
> # fakeouts for Windows messaging, MS SQL, and NAV
> rdr on $ext_if proto tcp from !$localnet to $ext_if port 1026 -> $winbox port 5000
> rdr on $ext_if proto udp from !$localnet to $ext_if port 1026 -> $winbox port 135
These won't both work; you mean to set one to 1025, presumably.
> rdr on $ext_if proto tcp from !$localnet to $ext_if port 1433 -> $winbox port 5000
> rdr on $ext_if proto udp from !$localnet to $ext_if port 1433 -> $winbox port 135
> rdr on $ext_if proto tcp from !$localnet to $ext_if port 2967 -> $winbox port 5000
> anchor "ftp-proxy/*"
> block in log all
> pass out keep state
> #pass from { lo0, $localnet } to any keep state
> # honey outbound - not working yet so no point in scrubbing
> #pass inet proto tcp from $localnet to any port $client_out flags S/SA keep state
Am I correct in presuming that:
1. Without this rule, no traffic from the guest OS is allowed?
2. With this rule, *all* traffic from the guest OS is allowed?
In this case, I don't get it...
However, a good general troubleshooting tip: set all block rules to log,
and execute something like tcpdump -nvvvi pflog0; this will show you
exactly what doesn't work, at least.
> pass quick on $int_if
> antispoof quick for { lo $int_if }
> pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
> # honey pot SYN proxy 3-way handshake
> pass in log proto tcp from any to $winbox port $winports flags S/SA synproxy state
synproxy state is likely to mess up port scanners even more; don't do it
if your goal is to lure skiddies.
Joachim
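An added example, not part of the thread, of how the egress limit Gary asks for can be written in pf.conf. It reuses the interface names, addresses and macros from the posted config (hme0, xl0, 172.16.75.30, $winports) and the same pre-OpenBSD-4.7 rule syntax, and it assumes the honey pot's own connections arrive on $int_if, where the posted `pass quick on $int_if` currently admits them before anything else is evaluated. The pot's traffic is matched first with `quick` rules: a short allow-list, then a logged block, so that `tcpdump -nvvvi pflog0` shows every connection the pot tried and was refused. Following Joachim's remarks, ftp-data is dropped from the list (ftp-proxy handles it), ssh is left out of the pot's allow-list, and synproxy is not used on the inbound rules.

```pf
ext_if="hme0"
int_if="xl0"
localnet = $int_if:network

# the honey pot (address taken from the posted config)
winbox="172.16.75.30/32"
winports="{ 135, 139, 445, 1025, 5000 }"
# what the pot may open outbound; no smtp, no ssh, no ftp-data
client_out="{ domain, nntp, http, https }"

set skip on lo
scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# "rdr pass" hands port 21 to ftp-proxy before the filter rules run,
# so ftp is effectively on the pot's allow-list; add "from !$winbox"
# here if the pot should not be able to ftp out at all
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

rdr on $ext_if proto tcp from !$localnet to $ext_if port $winports -> $winbox
rdr on $ext_if proto udp from !$localnet to $ext_if port $winports -> $winbox

anchor "ftp-proxy/*"

# default deny, logged: every drop is visible with tcpdump -nvvvi pflog0
block log all

# --- honey pot egress policy ---
# These must sit before the generic $int_if pass rule and use "quick",
# otherwise "pass quick on $int_if" below admits everything the pot sends.
pass in log quick on $int_if proto tcp from $winbox to any \
    port $client_out flags S/SA keep state
pass in log quick on $int_if proto udp from $winbox to any \
    port domain keep state
# anything else the pot originates is dropped and logged
block in log quick on $int_if from $winbox to any

# the rest of the LAN is trusted
antispoof quick for { lo $int_if }
pass quick on $int_if
pass out keep state

pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
# let the pot complete the handshake itself (no synproxy), so scanners
# see the real Windows stack behind the redirect
pass in log proto tcp from any to $winbox port $winports flags S/SA keep state
pass in log proto udp from any to $winbox port $winports keep state
```

The pot's replies to redirected inbound connections are never touched by the egress rules: they match the state created by the `pass in log proto tcp ... to $winbox` rule on $ext_if, and state lookup happens before the ruleset is consulted. Only new connections the pot itself opens reach the `quick` allow-list and the block behind it. After loading, `pfctl -vsr` confirms the ordering and `pfctl -sa` shows the rule counters climbing on the logged block when the pot tries something it should not.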