LaBrea 2.5 Stable 1 for SmoothWall Express 2.0
LaBrea is a program that creates a tarpit or, as some have called it, a "sticky honey pot" to catch worms and other malware. LaBrea takes over unused IP addresses on a network and creates "virtual machines" that answer connection attempts. LaBrea answers those connection attempts in a way that causes the machine at the other end to get "stuck", sometimes for a very long time.

It runs on an interface of your choice and listens to traffic arriving at that interface. When it first starts up it checks your network for IPs that are not in use and occupies them. If an IP is legitimately in use then LaBrea will not use that IP. Once running, LaBrea will detect traffic that is destined for an IP address that belongs to your network but isn't in use. LaBrea will then pretend to be a computer on that IP address and will respond to the traffic. If the traffic has been generated by a worm, LaBrea will attempt to 'trap' the program. It does this by letting the worm connect but keeping it in this initial 'connecting' stage for as long as possible. Depending on the particular worm, this could either slow down its spread or stop it completely. Even if it cannot trap the worm, it will keep a log allowing you to see which computers on your network may be infected. For a more technical look at the process please take a look at the LaBrea read me.

From what I've read, LaBrea should ideally be used on an interface that connects to the internet. This would allow you to slow down / stop attempts to access your IP range, also slowing the overall rate of infection on the internet. If you own an external IP range then you could set this up to watch them. I don't own a block of IP addresses that I could use, and I doubt my ISP would like me trying to take over any of their unused ones, so I looked at other ways to use LaBrea. I experimented with running it on my SmoothWall's green network.

In theory, if a virus or trojan ever did gain access to my green network, it would believe there to be 254 computers connected! LaBrea can give you more time to respond to an infection by slowing down the rate of infection. At the very least you can use LaBrea to see if any of your machines are showing signs of infection by checking the log to see where any connections are coming from and which machines on your network might be infected.
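How the 'trap' described above keeps a connecting host stuck, as an added model written for this page (not LaBrea's own code). It assumes, from the LaBrea read me, that a SYN to a captured address is answered with a SYN/ACK advertising a tiny window, and that in persist mode every later data segment or window probe gets an ACK with window 0; the packets are plain dicts constructed in-process and no sockets are opened.

```python
"""Model of the LaBrea tarpit trick (added illustration, not LaBrea's code).

Assumed from the LaBrea README: a SYN to an address the tarpit has taken
over gets a SYN/ACK with a tiny window; in persist mode every later segment
carrying data (including 1-byte window probes) is answered with an ACK whose
window is 0, so the peer's TCP stack keeps waiting and probing instead of
delivering its payload.  Packets are dicts constructed here; no sockets."""
from dataclasses import dataclass, field

TINY_WINDOW = 10  # bytes advertised in the SYN/ACK (LaBrea's value, per README)


@dataclass
class Tarpit:
    captured_ips: set                 # unused addresses the tarpit answers for
    persist: bool = True              # persist mode: hold connections open
    stuck: dict = field(default_factory=dict)  # (src, sport) -> probes answered

    def handle(self, pkt):
        """Return the reply segment for one inbound TCP segment, or None."""
        if pkt["dst"] not in self.captured_ips:
            return None               # a real host owns this address
        key = (pkt["src"], pkt["sport"])
        reply = {"src": pkt["dst"], "dst": pkt["src"],
                 "sport": pkt["dport"], "dport": pkt["sport"]}
        if "SYN" in pkt["flags"]:
            # Complete the handshake but leave the peer almost no send room.
            self.stuck[key] = 0
            return {**reply, "flags": {"SYN", "ACK"}, "window": TINY_WINDOW}
        if key not in self.stuck:
            return None               # segment for a connection we never saw
        if pkt.get("payload_len", 0) == 0:
            return None               # bare ACK of our SYN/ACK: nothing to do
        if not self.persist:
            return None               # non-persist mode: go silent instead
        # Persist mode: acknowledge the data but advertise a zero window, so
        # the peer must wait and probe again rather than send its payload.
        self.stuck[key] += 1
        return {**reply, "flags": {"ACK"}, "window": 0}

    def suspects(self):
        """Connections held per source: the hosts worth checking for infection."""
        counts = {}
        for (src, _), _probes in self.stuck.items():
            counts[src] = counts.get(src, 0) + 1
        return counts
```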
Requirements
LaBrea should run on any SmoothWall Express 2.0 installation, but it is recommended that you have installed all available fixes. Get the archive from here (243kb) and copy it to your temp directory. Extract the archive with the following command:

Generally LaBrea will work fine with the default configuration file (which specifies nothing). However, if you want to specify certain IPs not to block or ports to ignore, take a look at the configuration file. The instructions here and the instructions in the config file are examples of how to configure LaBrea further. You can jump to the 'Starting LaBrea' section if you don't need to configure anything just yet.

Excluding Hosts

Ignoring Hosts
There may be some hosts on your network that you don't want LaBrea to capture by mistake, or that you want left alone for testing purposes. If this is the case then add the following to your config file so that LaBrea ignores the packets coming from that host or range of hosts. Again, you can use the same notations as above; just put IPI at the end of the line:

Ignoring Ports
If there are any ports you don't want LaBrea to trap traffic on, you can specify these here by entering the port or port range and adding POR at the end of the line.
Now that it is installed we need to see if it will start up. We can do this with the following command:

It should end with something like this:

If you get any problems then please post them in the LaBrea thread on the SmoothWall forum and I'll do my best to help. Alternatively you can type

If you had no problems you can start LaBrea with the following command:

If you want / need to change the default start-up options you will need to edit the

You can verify the start-up by pinging an address on your network you know is not in use. The first 3 / 4 replies will show nothing, but after that it should look as if a host is responding. To get LaBrea to start each time your SmoothWall boots you will need to add it to the inittab. To do this open /etc/inittab in your text editor and add the following at the bottom of the file:

Before you save it make sure you have a blank line at the bottom of the file!
To uninstall LaBrea you just need to remove the above start-up information from /etc/inittab and remove the following files:
To Do
This has been tested on a fresh SmoothWall installation with no noticeable problems. It's been running on my main Smoothie for over a month with no problems. Apparently LaBrea can have problems with some switches. You can make LaBrea switch safe by adding the

Please post any questions or problems onto the LaBrea thread.

Kev