Timeline for Could there be a legitimate reason for a SSH server to allow null authentication, to anyone?
Current License: CC BY-SA 4.0
12 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Oct 17, 2024 at 20:48 | comment | added | schroeder♦ | @security_paranoid honeypots, like all software, can have vulnerabilities, yes. That's why you run them in restricted zones and not in production. | |
| Oct 17, 2024 at 9:06 | comment | added | security_paranoid | @schroeder right, I get what you are saying now. “One honeypot I used blocked the first X attempts, whatever they were, then let in the X+Yth, whatever that was. Gave the illusion of there being valid passwords.” This is quite an advanced idea itself, and I can sure see how it might successfully work. But aren’t there always risks with these kinds of things associated with excessive resources being wasted, accidental damage, etc.? Sorry to bring this up again, “one question at a time, right”, but I appreciate your information. | |
| Oct 17, 2024 at 8:22 | comment | added | schroeder♦ | @security_paranoid Wayne is explaining a high-level concept that has multiple implementations. The link he provides is for a basic SSH honeypot that can capture ssh logins and record what credentials were tried. But that's not the only kind or reason to run a honeypot. | |
| Oct 17, 2024 at 8:17 | comment | added | security_paranoid | @schroeder do you think your description is what this answer OP is saying? I think that they aren’t exactly talking about a sole honeypot as such, but more of a “let anyone in but not actually” kind of idea… | |
| Oct 17, 2024 at 8:11 | comment | added | schroeder♦ | @security_paranoid honeypots are a big subject. They are not valid servers or services. They are fake servers/services designed to gather info on attacks. They range from "low interaction" (even so far as just being an open port with no services to look for port scans, etc.) to "high interaction" (sometimes providing an entirely fake network with servers, users, endpoints, etc., but all existing entirely in a virtual environment). I ran a few ssh honeypots for attack research that were eye-opening for me in my early days. | |
| Oct 17, 2024 at 8:08 | comment | added | schroeder♦ | One honeypot I used blocked the first X attempts, whatever they were, then let in the X+Yth, whatever that was. Gave the illusion of there being valid passwords. | |
| Oct 17, 2024 at 5:07 | comment | added | security_paranoid | @Joshua I think this is what the answerer is saying, because there wouldn’t be much point admitting that you didn’t actually need correct credentials :) | |
| Oct 17, 2024 at 4:45 | comment | added | Joshua | Seems like people ought to get wise to that one fast; better to have the honeypot say password auth enabled and just don't actually check what the password was. | |
| Oct 17, 2024 at 2:55 | comment | added | Wayne Conrad | @security_paranoid I see it as a simple backup to the IDS. Maybe the IDS is down/broken/misconfigured and didn't detect someone mapping the network and trying to ssh into every box they can see. The SSH honeypot is one more thing to let me know there's hanky panky on my network. There is also some value in the honeypot's logs to show me what the intruder tried to do after they were granted the fake access. | |
| Oct 16, 2024 at 23:44 | comment | added | security_paranoid | So you mean a legitimate server that lets anyone in, but obviously without any privileges? If so, this is quite a good point, but what would the point of such a system be, seeing as there's nothing you can really do if someone is 'poking around.' | |
| S Oct 16, 2024 at 23:03 | review | First answers | |||
| Oct 17, 2024 at 5:39 | |||||
| S Oct 16, 2024 at 23:03 | history | answered | Wayne Conrad | CC BY-SA 4.0 |