Friday, January 7, 2005


Using a honeypot against port scanners and script kiddies

The Beat Hackers At Their Own Game With A Hackerbasher Site article suggests using a honeypot for security. I completely agree with its suggestion: always bind web sites on the internet to a hostname.

This best practice applies to all web servers, not only IIS. It does not stop hackers determined to hack your server, but it stops script kiddies scanning for vulnerable web servers by IP address. Setting up the honeypot is not necessary for security if you have configured the host name on all IPs, but it allows you to check the log for hacking attempts. It also helps you verify that you have configured it correctly, as IIS will give you an error (Another site may be running on this port) if you forget to set the hostname for all IPs.

The article recommends configuring Integrated Windows Authentication (NTLM) on the honeypot site. I disagree and think this is more of a security risk than a benefit. A hacker may try to brute force passwords using the NTLM challenge response. It is unlikely that the hacker manages to guess the password in three attempts, so the net result is that any account whose name the hacker manages to guess gets locked out. It is, in my opinion, better to use anonymous access and configure security on the home directory so the anonymous user is unable to access the directory.

I would change the instructions slightly (new/changed instructions in italic):

  • configure a hostname for each IP on each web site

  • create a new empty directory (not on the system disk)

  • set security on the directory so only domain admin has access to it

  • create a new web site pointing to the empty directory

  • remove all ISAPI filters (tomcat, front page etc)

  • in the "Directory security" tab: enable anonymous access and remove Integrated Windows Authentication

  • in the Performance tab: enable "Throttle network bandwidth" and set it to a few KB/second. There is no reason to let the hackers waste valuable bandwidth.

  • in the Performance tab on Win2k3 (in the Web Site tab on Win2k): limit max connections to 1. Let the script kiddies block each other from hacking your site.

  • Disable the "read" and "index this resource" check boxes in the home directory tab

  • Add all IP addresses the honeypot should listen to

If the site is configured correctly, you will get the following message:

HTTP Error 401.3 - Unauthorized: Access is denied due to an ACL set on the requested resource.

You will get the following error message if the security is not set correctly on the directory:

HTTP Error 403.2 - Forbidden: Read access is denied.

In either case, the hacker will not be able to access your site.
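To get something out of the honeypot's log, as suggested above, here is an added example (my own code, not from the article or from Microsoft) that reads the honeypot site's W3C extended log, tallies which clients probed which paths, and flags any request that did not get the expected 401.3 or 403.2, since anything else means the honeypot actually served something. It assumes the IIS 6 default field list in the #Fields header; the log lines below are constructed, not real traffic.

```python
# Parse the honeypot site's IIS W3C extended log and summarise probes.
# Field names follow the IIS 6 default "#Fields:" header (an assumption if
# you changed the logging options). The sample log is constructed.
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-01-07 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-01-07 00:01:12 192.0.2.10 GET / - 80 - 198.51.100.7 scanner/1.0 401 3 5
2005-01-07 00:01:13 192.0.2.10 GET /scripts/ - 80 - 198.51.100.7 scanner/1.0 401 3 5
2005-01-07 00:02:40 192.0.2.11 GET / - 80 - 203.0.113.9 Mozilla/4.0 403 2 0
2005-01-07 00:03:01 192.0.2.11 GET /index.htm - 80 - 203.0.113.9 Mozilla/4.0 200 0 0
"""

# The two responses a correctly set up honeypot hands out:
# 401.3 = the ACL on the empty directory is doing its job,
# 403.2 = "read" is disabled but the ACL is not (still blocks, worth fixing).
EXPECTED = {("401", "3"), ("403", "2")}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names, e.g. "c-ip"
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def summarise(text):
    """Return (hits per client IP, paths per client IP, hits per status.substatus,
    and the records whose status was not 401.3 / 403.2)."""
    per_client = Counter()
    paths = defaultdict(set)
    per_status = Counter()
    unexpected = []
    for rec in parse_w3c(text):
        per_client[rec["c-ip"]] += 1
        paths[rec["c-ip"]].add(rec["cs-uri-stem"])
        key = (rec["sc-status"], rec["sc-substatus"])
        per_status[key] += 1
        if key not in EXPECTED:
            unexpected.append(rec)           # the honeypot served something
    return per_client, paths, per_status, unexpected


if __name__ == "__main__":
    clients, paths, statuses, odd = summarise(SAMPLE_LOG)
    for ip, n in clients.most_common():
        print(f"{ip}: {n} requests, paths {sorted(paths[ip])}")
    print("status breakdown:", dict(statuses))
    print("requests not answered with 401.3/403.2:", len(odd))
```

Point it at the honeypot site's own log file (each IIS site logs to its own W3SVCn directory) rather than the real site's, so every line is by definition a probe by IP address.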

Via [MSDN Student Flash] and [Stefan Goßner]
