On Fri, 3 Oct 1997, Colin Campbell wrote:
> My mailer thinks Brian Mitchell said:
> [stuff deleted]
> > You want to see who is knocking on your door. You give them lots of
> > services to play with to keep them knocking. I really advise you read
> > Firewalls and Internet Security: Repelling the Wily Hacker (Cheswick and
> > Bellovin) it goes into great detail about this sort of thing.
> Of course if you are running something like Gauntlet, the packet filters
> pick up this sort of activity anyway and log it without the ports actually
> being open.
Not enough information.
with something like that, you would know, for instance, that someone
connected to portmapper.
You wouldnt know what procedure they tried calling. Logging port accesses
just doesnt do the trick, in my opinion. You usually want something more.
With portmapper, for instance, you can provide a number of fake honeypot
services. Anything using unix authentication will pass a user id. That can
be valuable information (knowing full well it is client side specifiable,
and therefore not trustable). Knowing what services the proper is
interested in is also valuable information. Knowing that they are trying
to talk portmapper into executing a rpc call for them is also valuable
This is just an example of information that can be gleaned from one
service. There are a multitude of examples, although portmapper is one of
the most useful.