
Very Important! Which Services Can I Install On Windows Which Are Easily Exploitable Although Pref Not Via Proxies

#1 Fractal5

  • Private
  • Group: Members
  • Posts: 9
  • Joined: 04-November 09

Posted 04 November 2009 - 09:45 AM

Background information:
A while ago my girlfriend's daughter was molested by her father. It never went to court since a 2-year-old's statement doesn't count for much these days. Soon he will be able to have visitation rights again and will be able to have her over for the night at weekends. Various events have taken place which have resulted in him being cautioned for harassing us; a couple more and he will no longer be allowed visitation. He is employed in the IT industry, as am I. There is currently a court battle going on over money etc., and he is very interested in what we are doing in relation to this.


What I am thinking of doing is setting up a very insecure email server on my home network, finding some reason to email him and monitoring the server. After speaking to my girlfriend it seems like he is the kind of person who would try to hack it (especially considering the ongoing court case). I'm going to disconnect all other machines from the network and add a Linux server; on this I will run a sniffer and VMware. Within VMware I intend to run an XP box. I will isolate the virtual machine from the rest of the host OS using ebtables and from directly connecting to the router using iptables (whilst still allowing NAT and port forwarding). I will also ask our ISP to monitor our connection.

Obviously it is very easy to make an XP machine insecure; however, if I were him then I would do any hacking etc. via some kind of proxy or onion routing system. I've been racking my mind for how to tackle this. The only things I can think of are UDP-based services (very open rsync over UDP, maybe?). Tor doesn't support UDP (I imagine I2P, Freenet etc. don't either); however, SOCKS5 proxies do support UDP. The only sure-fire way that I can think of to make sure that he doesn't use some form of proxy would be to use a service which initiates a connection back to his computer (or having a massive blacklist of all proxies/Tor nodes etc.). I can't think of anything which would accomplish this without seeming too obvious. Can anyone help?

Thanks,

Fractal5


#2 bonarez

  • Master Sergeant
  • Group: Specialist
  • Posts: 906
  • Joined: 17-March 04

Posted 04 November 2009 - 09:59 AM

I wouldn't try to set up a machine like that, for legal reasons. It looks like a setup > you'll never sell that in court!!

If you want proof that he is trying to hack you, set up an IDS (intrusion detection system) or a honeypot (nepenthes is really easy to set up in VMware). It shows a more professional approach, and the logs you keep do hold legal value.

EDIT: it seems nepenthes is 'end of life' and has a successor: http://dionaea.carnivore.it/ > it's been a while since I ran a honeypot..
Paraskavedeka Triaphoba

#3 Fractal5

  • Private
  • Group: Members
  • Posts: 9
  • Joined: 04-November 09

Posted 04 November 2009 - 01:23 PM

Hi,

Thanks for the reply. Surely a machine like this actually is a honeypot? In court, if he tries to hack it (not knowing whether it is real or not) then it still shows malicious intent. Is it possible to set nepenthes up in a way that would not allow him to exploit it via proxy, as mentioned above?

Thanks,

Fractal5

bonarez, on 04 November 2009 - 09:59 AM, said:

I wouldn't try to set up a machine like that, for legal reasons. It looks like a setup > you'll never sell that in court!!

If you want proof that he is trying to hack you, set up an IDS (intrusion detection system) or a honeypot (nepenthes is really easy to set up in VMware). It shows a more professional approach, and the logs you keep do hold legal value.

EDIT: it seems nepenthes is 'end of life' and has a successor: http://dionaea.carnivore.it/ > it's been a while since I ran a honeypot..


#4 bonarez

  • Master Sergeant
  • Group: Specialist
  • Posts: 906
  • Joined: 17-March 04

Posted 05 November 2009 - 05:46 AM

I guess putting up a vulnerable XP in VMware can be considered to be a honeypot, but it is still very much 'hackable'.

The point of using nepenthes or dionaea is to have a machine that looks vulnerable, but isn't..
Paraskavedeka Triaphoba

#5 Fractal5

  • Private
  • Group: Members
  • Posts: 9
  • Joined: 04-November 09

Posted 06 November 2009 - 01:47 AM

Ah, well I don't mind if it is hackable. If he gets in then he may even trash the system, which would all be logged. Can you think of a way to set it up so that it is not accessible via proxy? I could just use a long list of proxies or check for open proxy ports on the host when it connects. Any other ideas?

Thanks,

Fractal5

#6 webdevil

  • General
  • Group: General
  • Posts: 933
  • Joined: 21-October 05

Posted 06 November 2009 - 03:07 AM

These days it's a lot easier to use an RDP chain and hack something.
How would you block it then?

#7 Fractal5

  • Private
  • Group: Members
  • Posts: 9
  • Joined: 04-November 09

Posted 06 November 2009 - 10:08 AM

Guess I wouldn't be able to. He isn't a hacker by trade (at least I don't think so), so I'm hoping he doesn't have access to any boxes that can't be traced to him.

#8 Glyph

  • General
  • Group: General
  • Posts: 1,387
  • Joined: 17-January 06

Posted 06 November 2009 - 02:22 PM

These days it's really easy to find a shell account.

#9 Fractal5

  • Private
  • Group: Members
  • Posts: 9
  • Joined: 04-November 09

Posted 08 November 2009 - 07:05 AM

Glyph, on 06 November 2009 - 02:22 PM, said:

These days it's really easy to find a shell account.


In that case, on the Linux box, block access from any hosts with ports 22, 3389, etc. open. Does anyone know of a bit of software that will do this?

#10 webdevil

  • General
  • Group: General
  • Posts: 933
  • Joined: 21-October 05

Posted 08 November 2009 - 10:43 AM

Windows can do that.

#11 Fractal5

  • Private
  • Group: Members
  • Posts: 9
  • Joined: 04-November 09

Posted 08 November 2009 - 02:55 PM

webdevil, on 08 November 2009 - 10:43 AM, said:

Windows can do that.



Cool. I'm using Linux as the host OS because it's running on an old laptop with only 512 MB of RAM and Linux is more lightweight. How would it be done in Windows? I was thinking that I would have to write something myself. Something like: monitor incoming connections. When a new connection is established, portscan the host. If suspect ports are open (SSH, RDP etc.) then run an iptables command to block the IP.

#12 webdevil

  • General
  • Group: General
  • Posts: 933
  • Joined: 21-October 05

Posted 08 November 2009 - 09:56 PM

Oh, I misread your earlier question.
Yeah, you will have to do it as you were thinking. No OS will do that for you.

But you must know, what you are doing is pretty much useless, because ports might appear closed to you while they are actually open, as in filtered.

#13 Fractal5

  • Private
  • Group: Members
  • Posts: 9
  • Joined: 04-November 09

Posted 13 November 2009 - 04:52 PM

webdevil, on 08 November 2009 - 09:56 PM, said:

Oh, I misread your earlier question.
Yeah, you will have to do it as you were thinking. No OS will do that for you.

But you must know, what you are doing is pretty much useless, because ports might appear closed to you while they are actually open, as in filtered.



Yes, but that is not the case 99% of the time. It would be pointless (and annoying if you travel a lot) if every single customer of a proxy/shell service had to have their IP whitelisted. It might be that they have to sign in over some kind of VPN, but with SSH servers a VPN would not be needed. Does anyone have any advice about my original question? Or does anyone know of software that will do what I mentioned above? I could write it myself, but I'm mainly a .NET developer and quite rusty with Linux and C/Perl (and this needs to be lightweight, so I probably could not use Mono). I'll ask this on the Linux forum as well.

Thanks,

Fractal5
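Added example, not from any poster in this thread: the blocklist variant Fractal5 floats in the first post (match the connecting source against known proxy/Tor exit networks rather than port-scanning each visitor), run over constructed iptables LOG lines; the log lines, addresses and blocklist networks are all constructed for illustration.

```python
"""Added example, not from any poster: the blocklist variant of Fractal5's plan.
Parse inbound connection log lines, match the source against known proxy / Tor
exit networks and build the iptables rule that would drop matching sources.
Log lines and blocklist are constructed for illustration."""
import ipaddress
import re

# Constructed lines in (simplified) iptables LOG format, not real captures.
SAMPLE_LOG = """\
Nov  8 14:55:01 bait kernel: INBOUND IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=25 SYN URGP=0
Nov  8 14:55:07 bait kernel: INBOUND IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 SYN URGP=0
Nov  8 14:55:08 bait kernel: INBOUND IN=eth0 OUT= SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 ACK URGP=0
Nov  8 14:55:09 bait kernel: INBOUND IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=110 SYN URGP=0
"""

# Constructed blocklist of networks assumed to host open proxies / exit nodes.
KNOWN_PROXY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.128/25")]
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # key=value tokens in a LOG line

def parse_new_connections(text):
    """Yield (source_ip, dest_port) for every logged inbound TCP SYN."""
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        # Only the first SYN of a connection counts; ACKs are follow-up packets.
        if fields.get("PROTO") != "TCP" or " SYN " not in line:
            continue
        yield ipaddress.ip_address(fields["SRC"]), int(fields["DPT"])

def is_listed(ip, nets=KNOWN_PROXY_NETS):
    """True if the address falls inside any blocklisted network."""
    return any(ipaddress.ip_address(ip) in net for net in nets)

def decide(text, nets=KNOWN_PROXY_NETS):
    """Return (blocked_ips, accepted_ips, iptables_rules) for the logged sources.

    Rules go in the FORWARD chain: in the described setup the Linux host NATs
    traffic to the VM, so a DROP there keeps the VM from ever seeing the source.
    """
    blocked, accepted, rules = set(), set(), []
    for ip, _dport in parse_new_connections(text):
        if is_listed(ip, nets):
            if ip not in blocked:
                blocked.add(ip)
                rules.append(f"iptables -I FORWARD -s {ip} -j DROP")
        else:
            accepted.add(ip)
    return blocked, accepted, rules
```

As webdevil points out above, a static list like this only catches sources that are already known; it says nothing about a host whose proxy ports are filtered or that is simply not on the list.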