I never use honeypot before. But, I have a task from my lecture, that I should use a honeypot for detecting hackers attacks.
I searched in journals, tutorials and articles. I tried using honeydrive3 and used the honeypot Kippo. When I tried that, and I attack by myself, it works, the detailed of attack is served. But, when I told that to my lecturer, he said it was not what he wanted.
The workflow he want is, we use the honeypot and then we try that to some websites. But, when the attacker scanning or do something to that web IP address, it must deflect to the honeypot, it means that the attacker really attacks the real website.. and I really don't know what to do.
You either misunderstood what the lecturer wanted, or what he wants does not make sense.
You can only analyze traffic sent to your IP (or an IP you control), it is not possible for you to "deflect the traffic" from a generic IP address.
What you did is correct: putting in place the honeypot, and then sending some traffic to it.
The next step would be to expose it to Internet to get malicious traffic (directed to your IP) but you must be very careful as the whole machine is likely going to get successfully attacked. It must not have any connection to your (home|uni|private) network, because (I am being frank reading your question), you stand no chance to secure it for the time being.
I would go for a cloud hosted machine which I would then kill.
Just read about IP spoofing. Not sure, but it seems that it's possible to enter any ip and make the recipient believe that you are someone else, without it being controlled?
What I perceived is that if I end up under attack and choose to handle this by "blacklisting" the ip address behind the attacker, then there is a high chance that I actually blacklist someone innocent (if the attacker has entered a different ip address than their own)
The probability that the attacker switches to an address that matches and affects one of my regular users is of course very small, but that means I can't stop the attacker and the madness continues.
What approaches do you recommend to deal with this?
The best way to secure your server is to install fail2ban and confurige it to read your access log(s) to ban ip's for a certain time. There are loads of tutorials on how to install fail2ban, so not going to write that info here. In my 8 years of running web servers I have never had an ip spoofing situation, but atleast with fail2ban you can block an ip for a limited time, thereby decreasing the chances of a DOS, exploit, or something else.
What failban does is, it reads your logs, and based on the regex from its filters it can ban ip's. There are some filters pre-installed with failban, but they are in no way perfect for any server, so some finetuning is needed.
after you installed it and read through the docs I would greatly recomend that you read the Python regex docs so you can write your own regex Python regex documentation
Below is a filter I created to ban bad requests one of my servers. You can just edit it to suit your server
[Definition]
badreqcustom = .*mysql.*|.*backup.*|.*wlwmanifest.*|.*xmlrpc.*|.*sleep.*|.*benchmark.*|.*when.*|.*then.*|.*schema.*|.*else.*|.*author.*|.*\.aspx.*|.*wp-admin.*|.*myadmin.*|.*wp-login.*|.*/misc/.*|.*\.rar.*|.*wordpress.*|.*wp-includes.*|.*/tmp/.*|.*js/lib.*|.*charcode.*
badreq = .*sql.*|.*phpmyadmin.*|.*adminer.*|.*alert.*|.*union.*|.*select.*|.*where.*|.*fetch.*|.*proxy.*|.*debug.*|.*phpstorm.*|.*eval-stdin.*|.*phpunit.*|.*invoke.*|.*adminlogin.*|.*admin123.*|.*hack.*|.*login\.php.*|.*404\.php.*|.*blackhat.*|.*cgi-bin.*
failregex = (?i)^<HOST> -.*"(GET|POST|HEAD|PUT).(?:%(badreq)s|%(badreqcustom)s).*".*".*".*".*".*$
ignoreregex = (?i)^<HOST> -.*"(GET|POST|HEAD|PUT).*(madmin|uid|gclid|fbclid|/blog/|/photographers-directory/|/amasty_acart|/vcs/).*"$
All the best and goodluck
This is an example of dictionary brute force attack however i do not understand the principle behind it. yes i do know that dictionary brute force is when an attacker tries combinations of passwords from a dictionary file. However, how is that explicitly shown in the capture below
If you feel that it would be more helpful to see the packets before this then please let me know.
ps. i apologise if the tags are incorrect
EDIT: the attacker is 192.168.56.1 and the victim is 192.168.56.101
EDIT: what i am trying to say is that this capture is from an assignment i was given. One of the questions in this assignment was:
How did the attacker exploit this vulnerability to gain access ?
it is my belief that the vulnerability was that port 22 was left open (can be seen in other packets apart from this screenshot). A group of my friends suspect that the attacker used brute force to exploit this vulnerability and gain access.
My question is, is this true? can you tell that from this screenshot or would you need to see other packets? Can this screenshot be used as evidence that the attacker possibly used brute force to gain access?
If your assignment is a simple type of packet inspection then,
The attacker gained access by bruteforcing the SSH service and the vulnerability is due to the use of weak password and the fact that it permitted password-based authentication.
By examining the screenshot of packet capture, we see a number of SSH authentication requests being made.
So, the attack must be carrying out either DoS or bruteforce.
The question explicitly states that the attacker has gained access.
Therefore, we know the attack is SSH-bruteforcing.
Update
Packettotal showed that the attacker was carrying out
Port Scanning (Indicator: use of ICMP echos)
Smuggling Data from Web server
SSH Bruteforcing
Link to the report
Update 2:
Manual packet analysis gave these results:
Attacker first used aggressive ARP scan to scan the hosts.
Started port scan on the victim.
Then found a SSH server and a web server running on the victim machine.
Tried bruteforcing SSH but failed
Sent a GET request to victim webserver and luckily it returned
private SSH key
Has complete access to the victim
so suppose I detect a user's ip using some code to perform restrictions....
is there a way for a user to circumvent this by arbitrarily setting their ip to any ip they want anytime they want (eg. via proxy server or something) hence allowing them to choose a specific ip to be displayed when I detect it
There are several tunneling and proxy-based techniques that will effectively present a different IP address for any HTTP requests than the one belonging to the originating computer. I have mentioned several methods in this answer, as well as here. In many cases it is actually impossible to tell apart a relayed connection from the real thing...
In general you cannot forge the source of a TCP connection on the Internet to be an arbitrary address for a number of reasons, some of which are:
TCP is a stateful protocol and packets go back and forth even in order to establish the connection. Forging an IP source address means that you cannot get any packets back.
Some ISPs will drop packets generated within their own network that do not have a source IP within the proper subnet. This is usually done at the client connection level to protect the ISP network and prevent random packets from leaking client information to the Internet due to simple misconfiguration issues client-side.
ISP filters will also prevent users from just setting an arbitrary IP - if not for any other reason, then just because ISPs sell connections with static IP addresses at significantly higher prices and having users set their own IPs would spoil that. Not to mention the mess that would result if there could be IP conflicts among the clients of an ISP...
So in general you cannot just spoof the source of a TCP connection. You have to use an intermediate computer to relay the connection.
Keep in mind, however, that motivated and experienced attackers may have at their disposal botnets that consist of millions of compromised computers belonging to innocent users. Each and every one of those computers could theoretically be used as a connection relay, thus allowing a potential attacker quite a wide variety of IP addresses to chose from.
The bottom line is that simple IP-based checks and filters cannot in any form ensure the legitimacy of a connection. You should be using additional methods to protect your service:
HTTPS and proper user accounts.
Extensive logging and monitoring of your service.
Intrusion detection systems and automatic attack responders (be careful with those - make sure you don't lock yourself out!).
We cannot really provide a more concrete answer unless you tell us what service you are providing, what restrictions you want to apply and what kind of attacks you are so worried about...
Sort of - as you mentioned, proxies are a risk, however it makes life a wee bit harder for the attacker so it is still worth using IP bans.
Monitor your logs, automate alerts and if attacks come from another IP - ban it too. If you make life hard enough for an attacker they may give up.
I'm planning to deploy an internal app that has sensitive data. I suggested that we put it on a machine that isn't exposed to the general internet, just our internal network. The I.T. department rejected this suggestion, saying it's not worth it to set aside a whole machine for one application. (The app has its own domain in case that's relevant, but I was told they can't block requests based on the URL.)
Inside the app I programmed it to only respect requests if they come from an internal I.P. address, otherwise it just shows a page saying "you can't look at this." Our internal addresses all have a distinct pattern, so I'm checking the request I.P. against a regex.
But I'm nervous about this strategy. It feels kind of janky to me. Is this reasonably secure?
IP filtering is better than nothing, but it's got two problems:
IP addresses can be spoofed.
If an internal machine is compromised (that includes a client workstation, e.g. via installation of a Trojan), then the attacker can use that as a jump host or proxy to attack your system.
If this is really sensitive data, it doesn't necessarily need a dedicated machine (though that is best practice), but you should at least authenticate your users somehow, and don't run less sensitive (and more easily attacked) apps on the same machine.
And if it is truly sensitive, get a security professional in to review what you're doing.
edit: incidentally, if you can, ditch the regex and use something like tcpwrappers or the firewalling features within the OS if it has any. Or, if you can have a different IP address for your app, use the firewall to block external access. (And if you have no firewall then you may as well give up and email your data to the attackers :-)
I would rather go with SSL and some certificates, or a simple username / password protection instead of IP filtering.
It depends exactly HOW secure you really need it to be.
I am assuming your server is externally hosted and not connected via a VPN. Therefore, you are checking that the requesting addresses for your HTTPS (you are using HTTPS, aren't you??) site are within your own organisation's networks.
Using a regex to match IP addresses sounds iffy, can't you just use a network/netmask like everyone else?
How secure does it really need to be? IP address spoofing is not easy, spoofed packets cannot be used to establish a HTTPS connection, unless they also manipulate upstream routers to enable the return packets to be redirected to the attacker.
If you need it to be really secure, just get your IT department to install a VPN and route over private IP address space. Set up your IP address restrictions for those private addresses. IP address restrictions where the routing is via a host-based VPN are still secure even if someone compromises an upstream default gateway.
If your application is checking the IP Address, then it is extremely vulnerable. At that point you don't have any protection at the router which is where IP filtering really needs to be. Your application is probably checking HTTP header information for the sending IP address and this is extremely easy to spoof. If you lock the IP address down at the router, that is a different story and will buy you some real security about who can access the site from where.
If are you are doing is accessing the application internally, then SSL won't buy you much unless you are trying to secure the information from parties internal to the organization, or you require client certificates. This is assuming you won't ever access the site from an external connection (VPNs don't count, because you are tunneling into the internal network and are technically part of it at that point). It won't hurt either and isn't that hard to setup, just don't think that it is going to be the solution to all your problems.
IP Whitelisting is, as others have mentioned, vulnerable to IP spoofing and Man-in-the-Middle attacks. On an MITM, consider that some switch or router has been compromised and will see the "replies". It can either monitor or even alter them.
Consider also vulnerabilities with SSL encryption. Depending on the effort, this can be foiled in a MITM as well, as well as the well-known gaffs with the reuse of the primes, etc.
Depending on the sensitivity of your data, I would not settle for SSL, but would go with StrongSWAN or OpenVPN for more security. If handled properly, these will be a lot less vulnerable to a MITM.
Reliance on whitelisting alone (even with SSL) I would consider "low grade", but may be sufficient for your needs. Just be keenly aware of the implications and do not fall into the trap of a "false sense of security".
If it's limited by IP address, then although they can spoof the IP address, they won't be able to get the reply. Of course, if it's exposed to the internet, it can still get hit by attacks other than against the app.
Just because all your internal IPs match a given regex, that doesn't mean that all IPs that match a given regex are internal. So, your regex is a point of possible security failure.
I don't know what technology you used to build your site, but if it's Windows/ASP.net, you can check the permissions of the requesting machine based on its Windows credentials when the request is made.
Like all security, it's useless on it's own. If you do have to put it on a public-facing webserver, use IP whitelisting, with basic username/password auth, with SSL, with a decent monitoring setup, with an up-to-date server application.
That said, what is the point in having the server be publicly accessible, then restrict it to only internal IP addresses? It seems like it's basically reinventing what NAT gives you for free, and with an internal-only server, plus you have to worry about web-server exploits and the likes.
You don't seem to gain anything by having it externally accessible, and there are many benefits to having having it be internal-only..
My first thought on the ressource issue would be to ask if it wouldn't be possible to work some magic with a virtual machine?
Other than that - if the IP addresses you check up against are either IPs you KNOW belongs to computers that are supposed to access the application or in the local IP range, then I cannot see how it could not be secure enough (I am actually using a similiar approach atm on a project, although it is not incredibly important that the site is kept "hidden").
A proper firewall can protect against IP spoofing, and it's not as easy as say spoofing your caller ID, so the argument /not/ to use IP filtering because of the spoofing danger is a bit antiquated. Security is best applied in layers, so you're not relying on only one mechanism. That's why we have WAF systems, username+password, layer 3 firewalls, layer 7 firewalls, encryption, MFA, SIEM and a host of other security measures, each which adds protection (with increasing cost).
If this is a web application you're talking about (which was not clear from your question), the solution is fairly simple without the cost of advanced security systems. Whether using IIS, Apache, etc. you have the ability to restrict connections to your app to a specific target URL as well as source IP address - no changes to your app necessary - on a per-application basis. Preventing IP-based web browsing of your app, coupled with IP source restrictions, should give you significant protection against casual browsing/attacks. If this is not a web app, you'll have to be more specific so people know whether OS-based security (as has been proposed by others) is your only option or not.
Your security is only as strong as your weakest link. In the grand scheme of things, spoofing an IP is child's play. Use SSL and require client certs.
It became useful first to distinguish among different kinds of IP vpn based on the administrative relationships, not the technology, interconnecting the nodes. Once the relationships were defined, different technologies could be used, depending on requirements such as security and quality of service.
Maybe this will help ? I've been looking for the same answer, and found this stackoverflow as well as this idea from Red Hat Linux Ent. I'll try it soon. I hope it helps.
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
Where 0/24 is the LAN range you want to protect. The idea is to block "internet" facing (Forward) devices from being able to spoof the local IP network.
Ref: http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-rule.html