[置顶] 从僵尸网络追踪到入侵检测 第3章 Honeyd服务(23端口防御)
Honeyd服务(23端口防御)
环境准备
1、Honeyd系统RHEL6.4 IP 10.10.10.135
2、攻击系统windows 2008R2 IP 10.10.10.134
步骤
1、23端口防御脚本
[root@MIGUANG scripts]# cat hello.sh
#!/bin/sh
echo "hello you!"
while read data
do
echo "$data"
Done
2、honeyd 23端口配置文件
[root@MIGUANG scripts]# cat /etc/test.config
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create linux
set linux ethernet "dell"
set linux default tcp action reset
add linux tcp port 23 "/usr/local/share/honeyd/scripts/hello.sh"
dhcp linux on eth0
3、运行honeyd服务,分配虚拟DHCP IP地址为10.10.10.139
[root@MIGUANG ~]# honeyd -d -f /etc/test.config
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[2611]: started with -d -f /etc/test.config
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[2611]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:0c:29:0b:cf:2a
honeyd[2611]: [eth0] trying DHCP
honeyd[2611]: Demoting process privileges to uid 99, gid 99
honeyd[2611]: [eth0] got DHCP offer: 10.10.10.139
honeyd[2611]: Updating ARP binding: 00:c0:4f:e6:40:30 -> 10.10.10.139
honeyd[2611]: arp reply 10.10.10.139 is-at 00:c0:4f:e6:40:30
honeyd[2611]: Sending ICMP Echo Reply: 10.10.10.139 -> 10.10.10.254
honeyd[2611]: arp_send: who-has 10.10.10.254 tell 10.10.10.139
honeyd[2611]: arp_recv_cb: 10.10.10.254 at 00:50:56:e3:b7:b0
4、使用windows2008R2攻击系统远程链接防御系统服务器
使用telnet链接10.10.10.139
![[置顶] 从僵尸网络追踪到入侵检测 第3章 Honeyd服务(23端口防御)_第1张图片](http://img.e-com-net.com/image/info5/60d8b722c0984009912150dd979671c9.png)
这时链接后进入防御措施执行了服务器上的脚本如下图
![[置顶] 从僵尸网络追踪到入侵检测 第3章 Honeyd服务(23端口防御)_第2张图片](http://img.e-com-net.com/image/info5/9f90c4ba8f364e2f9315da8f62f444e9.png)
5、攻击系统执行的命令全部被反弹回去
![[置顶] 从僵尸网络追踪到入侵检测 第3章 Honeyd服务(23端口防御)_第3张图片](http://img.e-com-net.com/image/info5/1209cf084b084f829f1247666d131eab.png)