Recipe 3-1: Adding Honeypot Ports
This recipe shows you how to add extra listening ports to your web server configuration and alert on any client that sends requests to them.
Ingredients
Instead of needing to deploy an entirely new honeypot system, we can easily reuse the existing, legitimate web server platform. We will implement our honeytrap by adding more network ports that will accept HTTP request traffic. These ports have no legitimate purpose, so any traffic we receive is suspect by definition. This recipe shows you how to enable these honeytrap ports using the Apache web server. This process, however, can be duplicated on any other web server software.
Apache Listen Directive
The Apache Listen directive allows us to define on which port(s) or IP address and port combinations we want to accept incoming requests. By default, the httpd.conf file enables one Listen directive that listens on the standard HTTP port 80:
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80
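Because the honeytrap ports have no legitimate purpose, detection reduces to flagging every logged request whose local port is one of them. The Python below is an added example, not part of the original recipe; it assumes a custom LogFormat that records `%{local}p`, and the port numbers, the function names and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed honeytrap ports for this example; use the ports you add with Listen.
HONEYTRAP_PORTS = {8080, 8888}

# Assumed log layout, e.g.: LogFormat "%h %{local}p %t \"%r\" %>s" honeytrap
# %{local}p logs the port the client actually connected to.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<port>\d{1,5}) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3})$'  # tolerates \" inside %r
)

# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = """\
192.0.2.10 80 [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200
203.0.113.7 8080 [12/Mar/2024:10:01:05 +0000] "GET / HTTP/1.1" 200
203.0.113.7 8888 [12/Mar/2024:10:01:06 +0000] "HEAD / HTTP/1.0" 200
198.51.100.23 8080 [12/Mar/2024:10:02:11 +0000] "GET /manager/html HTTP/1.1" 404
192.0.2.10 80 [12/Mar/2024:10:03:00 +0000] "GET /about.html HTTP/1.1" 200
this line is malformed and must not crash the parser
"""

def honeytrap_hits(log_text, ports=HONEYTRAP_PORTS):
    """Return ({client: [(port, time, request), ...]}, unparsed_line_count)."""
    hits = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # count, do not silently drop, lines we cannot read
            continue
        port = int(m["port"])
        if port in ports:
            hits[m["client"]].append((port, m["time"], m["request"]))
    return dict(hits), unparsed

def format_alerts(hits):
    """One alert line per suspect client, listing the honeytrap ports it touched."""
    alerts = []
    for client in sorted(hits):
        touched = sorted({port for port, _, _ in hits[client]})
        alerts.append(f"ALERT honeytrap client={client} ports={touched} "
                      f"requests={len(hits[client])}")
    return alerts

if __name__ == "__main__":
    found, skipped = honeytrap_hits(SAMPLE_LOG)
    print("\n".join(format_alerts(found)))
    print(f"unparsed lines: {skipped}")
```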
For our honeytrap port implementation, we want to add Listen ports to catch automated attack probes that are scanning our IP address space, looking for web services. There are three other common alternative HTTP ports: