From: Marcin Nawrocki <marcin.nawrocki@fu...> - 2011-11-10 14:39:17
Dear Honeytrap users / developers,
during my use of Honeytrap I encountered the following situation:
[*] running instance of Honeytrap using nfq,
[*] iptables ruleset which forwards all packets to the queue
[*] portconf_default set to "normal" (no exceptions)
I am still able to SSH into the host which runs honeytrap! Why?
Honeytrap logs this event but it seems that it does not answer it, as
default reaction would be sending '\n'. I can simply login on my host,
edit files etc...
Stopping Honeytrap and _not_ deleting the iptables ruleset ends up with
timeouts... Therefore I guess Honeytrap performs some kind of
From: Tillmann Werner <tillmann.werner@gm...> - 2011-11-10 21:18:51
> I am still able to SSH into the host which runs honeytrap! Why?
> Honeytrap logs this event but it seems that it does not answer it, as
> default reaction would be sending '\n'. I can simply login on my host,
> edit files etc...
> Stopping Honeytrap and _not_ deleting the iptables ruleset ends up with
> timeouts... Therefore I guess Honeytrap performs some kind of
Since your sshd is already listening on port 22/tcp, honeytrap fails to
bind to that port and hands queued SYN packets back to the kernel. The
same happens for other services.
If you stop honeytrap, all queued packets remain in the queue forever,
hence you are not able to access affected services. Your nfqueue rule
basically acts as a "drop" rule.
It's probably a good idea to exclude SYN segments to ports from other
services from the nfqueue rule.
Hope that helps,
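The ruleset Tillmann describes, as an added example that is not part of the thread or of the honeytrap project: the "weak" form sends every TCP packet to the queue (so a stopped honeytrap turns the rule into a drop), the hardened form first accepts SYN segments for the host's own services (sshd on 22/tcp is assumed here) and adds `--queue-bypass` to the NFQUEUE target so packets are accepted rather than queued forever when no userspace program is attached. The helper that lists listening ports parses a `/proc/net/tcp`-style file so the exclusion list can be built from what the host actually runs; queue number 0 and the INPUT chain are assumptions, and `DRY_RUN=1` (the default) prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the honeytrap project or the thread authors.
# Assumptions: NFQUEUE queue 0, chain INPUT, rules are appended in order.
DRY_RUN="${DRY_RUN:-1}"
QUEUE_NUM="${QUEUE_NUM:-0}"

# Print the iptables command (DRY_RUN=1) or run it (DRY_RUN=0).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Weak form from the thread: every TCP packet goes to the queue. With
# honeytrap stopped nothing consumes the queue, so this behaves like DROP.
weak_rules() {
    run -A INPUT -p tcp -j NFQUEUE --queue-num "$QUEUE_NUM"
}

# Hardened form: accept SYN to the host's real services before the queue
# rule, and let the kernel accept queued packets when no listener is bound
# to the queue (--queue-bypass, iptables >= 1.4.13 / kernel >= 2.6.39).
# Arguments: the local TCP ports to exclude.
hardened_rules() {
    for port in "$@"; do
        run -A INPUT -p tcp --syn --dport "$port" -j ACCEPT
    done
    run -A INPUT -p tcp -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
}

# List listening TCP ports from a /proc/net/tcp-style file ($1), space
# separated and sorted. State 0A is LISTEN; the local port is the hex value
# after the colon in the local_address column.
listening_tcp_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hex; do echo "$((0x$hex))"; done |
    sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Demo: build the exclusion list from the running host when /proc is
# readable. Word splitting of the port list is intended.
if [ -r /proc/net/tcp ]; then
    hardened_rules $(listening_tcp_ports /proc/net/tcp)
fi
```

Run it with `DRY_RUN=1 sh honeytrap-nfq-rules.sh` to review the generated rules, and only then with `DRY_RUN=0`; keep the ACCEPT rules ahead of the NFQUEUE rule, since iptables evaluates a chain in order and the first match wins. Note that honeytrap only sees SYN segments on the excluded ports as a bind failure anyway, so the exclusion loses nothing on the honeypot side.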