
honeypot

 
SOLVED
Claudio Cilloni
Honored Contributor

honeypot

Hi all.

Reading this thread (http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x049179bb349d2249bcb59fddb8df1d49,00.html)
I found something that attracted my curiosity.
The argument about these 'honeypots' is new for me and I think it is really interesting.

I'm not going to add a honeypot to my network (I'm just a DBA :-), so I would like to hear your experiences/opinions about these 'traps'.
What do you know about them? What is needed to set up a honeypot? What do intruders do to avoid the trap? When is a honeypot needed? These are some questions that came to my mind.

Thanks to all!

P.S.: I have got some magic rabbits on my desk...
6 REPLIES
Alexander Chuzhoy
Honored Contributor

Re: honeypot

Jerome Henry
Honored Contributor
Solution

Re: honeypot

Hi Claudio !

I could write pages on that subject... To be short, a honeypot is useful if you want to trap crackers and look at what they try. For example, I teach in several universities and colleges, and we've set up 'central servers'... that are honeypots to track what our students try in order to get the servers down... (the real servers are behind). It can be the same if you have a web server being often hacked...

You don't need much material: an OS on a separate machine, or even on the same machine as something else, through VMware for example.

To learn about that, the best place to start is the Honeynet Project; you can even browse through the 'scans of the month', which are monthly traps of one of the honeypot networks...

http://www.honeynet.org/

J
You can lean only on what resists you...
Steven E. Protter
Exalted Contributor

Re: honeypot

Upon reading the prior posted documentation, a honeypot sounds like a nice add-in but not the first thing you do for security.

The first thing you do is install tools like Bastille, and take steps to put ftp in a chroot jail if you can't get rid of it totally. You also want to run DNS as a non-root user, which Bastille will help you do.

A good iptables setup is a must to limit the number of holes you have.

Then you can set up the old honeypot and see if anyone gets through the castle walls. It's just technology, but the nice part is it seems to cut down on how many logs you need to go through.

If it's not obvious, I have never used one, but I'm an experienced and intrigued admin and am adding my thoughts.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
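Jerome's point that a honeypot lets you "look at what they try", and Steven's that it cuts down the logs you have to read, both come down to the same job: summarising honeypot contacts by source so you can tell a port sweep from someone hammering one service. The following Python is an added example for this thread, not code from any poster or from honeyd; the log format (timestamp, protocol, `src:port -> dst:port`) and the sample lines are constructed for the example, and the scan threshold is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simplified "timestamp proto src:port -> dst:port"
# format (NOT honeyd's real log format). The honeypot here has the single
# address 192.0.2.10; all source addresses are from documentation ranges.
SAMPLE_LOG = """\
2004-03-02 10:15:01 tcp 203.0.113.7:4123 -> 192.0.2.10:22
2004-03-02 10:15:02 tcp 203.0.113.7:4124 -> 192.0.2.10:22
2004-03-02 10:15:02 tcp 203.0.113.7:4125 -> 192.0.2.10:22
2004-03-02 10:15:03 tcp 203.0.113.7:4126 -> 192.0.2.10:22
2004-03-02 10:16:40 tcp 198.51.100.23:51000 -> 192.0.2.10:21
2004-03-02 10:16:40 tcp 198.51.100.23:51001 -> 192.0.2.10:22
2004-03-02 10:16:41 tcp 198.51.100.23:51002 -> 192.0.2.10:23
2004-03-02 10:16:41 tcp 198.51.100.23:51003 -> 192.0.2.10:25
2004-03-02 10:16:42 tcp 198.51.100.23:51004 -> 192.0.2.10:80
2004-03-02 10:16:42 tcp 198.51.100.23:51005 -> 192.0.2.10:443
2004-03-02 10:20:11 udp 192.0.2.77:53 -> 192.0.2.10:53
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return (events, malformed_count). Malformed lines are counted, not raised,
    because a honeypot log is untrusted input and must not crash the triage."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            bad += 1
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        events.append(d)
    return events, bad


def summarize(events, scan_threshold=5):
    """Label each source: 'port-scan' if it touched >= scan_threshold distinct
    ports, 'focused' if it hit the same service repeatedly, else 'single'."""
    ports_by_src = defaultdict(set)
    hits_by_src = Counter()
    dport_hits = Counter()
    for e in events:
        ports_by_src[e["src"]].add(e["dport"])
        hits_by_src[e["src"]] += 1
        dport_hits[e["dport"]] += 1
    verdicts = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            verdicts[src] = "port-scan"
        elif hits_by_src[src] >= 3:
            verdicts[src] = "focused"
        else:
            verdicts[src] = "single"
    return {"sources": verdicts, "hits": dict(hits_by_src),
            "top_ports": dport_hits.most_common(3)}


def triage(text):
    """Parse a log and produce the per-source report plus a malformed-line count."""
    events, bad = parse_log(text)
    report = summarize(events)
    report["malformed_lines"] = bad
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for src, verdict in sorted(r["sources"].items()):
        print(f"{src:16} {r['hits'][src]:3} contacts  {verdict}")
    print("busiest ports:", r["top_ports"])
    print("malformed lines skipped:", r["malformed_lines"])
```

Because nothing on a honeypot is legitimate traffic, even this small grouping turns a few hundred raw lines into a handful of sources with a verdict each; the malformed-line counter matters because anything an attacker can write into the log (banners, usernames) will end up in it.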
Jerome Henry
Honored Contributor

Re: honeypot

Oh yes, Bastille is a wonderful tool! Just be cautious when setting it up to understand what the suggestions are and what you do when answering yes or no... (but who is used to clicking 'yes' on each screen of an install? :]]]).

What is very fun is to set up a firewall on your honeypot, not too strong a one, but enough to have your script kiddies work a bit on it...
You can lean only on what resists you...
Huc_1
Honored Contributor

Re: honeypot

Don't know, it could work two ways!

First, perhaps by setting up these traps ("honeypots") you also create offenders that would otherwise not have committed an offense. You could argue that the potential offender pre-existed... OK, this is controversial, I don't want to start a Punic war.

Second, and more importantly in my view, you will perhaps get the attention of a really dangerous offender that would have otherwise passed by and would not have taken another look, because it was not worth a second look! ("For the offender: too difficult, a good first line of defence, too big a time investment for a small reward.")

So in brief, if you're a big target ("a big reward to offenders"), like a well-known company that will get hit anyhow, then you will get the attention no matter what, so capturing them with sweet honey could work for you!

Else you could just attract all sort of trouble that would have passed by !

In most cases the best defence is:

Bastille, firewall, Tripwire and a good dose of humility + an intelligent gatekeeper (I mean good system administrator(s) to trim, read and understand the logs, and to implement some diagonal and unpredictable checks).

just my 2c worth opinion.

Jean-Pierre.

Smile I will feel the difference
U.SivaKumar_2
Honored Contributor

Re: honeypot

Hi,

In my view, honeypots are more useful for a security analyst or a forensic analyst than for a security administrator.

Implementing a honeypot needs a good understanding of the behaviour of the honeynet modules and hardening of the underlying OS. Also the approval of management is very essential because of the legal issues due to a possible breach of privacy.

There are many open source honeypots and commercial honeypots available in the market.

honeyd is a good open source honeypot which runs on Linux.

We can check a lot of things to identify a honeypot.

Passive fingerprinting is one of them: they examine and compare the ISN (initial sequence number), the TTL of the packets, the window size etc. to identify the base OS and hence will deduce that the network services are deceptive.

Then we can compromise the base OS with some exploit. Then the honeypot itself will be a zombie host for the hacker to attack other networks. Most honeypots can detect and log the attacks towards them and can't log attacks on other real hosts.

Proxy ARP based honeypots are normally used for deception over a pool of IP addresses.

If you intend to run a honeypot, run an approved production honeypot outside your firewall, and regular monitoring is very necessary. Honeypots help us to analyse novel attack methods in real time and to provide a fair amount of forensic data.

regards,

U.SivaKumar.

Innovations are made when conventions are broken
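SivaKumar's point about passive fingerprinting (ISN, TTL, window size) is, from the honeypot operator's side, an audit item: before deploying, confirm that the stack the honeypot actually presents matches the personality it is configured to emulate, and that its ISNs do not follow a trivially fixed increment. The Python below is an added example for this thread, not code from any poster, from honeyd or from p0f; the signature table is a small constructed illustration (not a real fingerprint database), and the configured personalities, addresses and observations are made up for the example.

```python
from collections import defaultdict

# Illustrative TCP-stack signatures: (personality, initial TTL, typical SYN-ACK
# window sizes). Constructed for this example; a real passive fingerprinter
# carries a far larger database and many more fields.
SIGNATURES = [
    ("Linux 2.4", 64, {5840, 5792}),
    ("Windows 2000", 128, {16384, 65535}),
    ("Solaris 8", 255, {24820}),
]
INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value; the
    difference is the hop count, which is why raw TTL alone is not a signature."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init
    raise ValueError(f"TTL {observed_ttl} out of range")


def match_stack(ttl, window):
    """Return the personalities whose initial TTL and window agree with one observation."""
    init = infer_initial_ttl(ttl)
    return [name for name, ittl, wins in SIGNATURES if ittl == init and window in wins]


def isn_pattern(isns):
    """Classify an ISN sequence: 'too-few' samples, 'fixed-increment' (every
    consecutive delta identical, mod 2^32) or 'varying'."""
    if len(isns) < 3:
        return "too-few"
    deltas = {(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])}
    return "fixed-increment" if len(deltas) == 1 else "varying"


def audit(configured, observations):
    """configured: {ip: personality}; observations: (ip, ttl, window, isn) per
    SYN-ACK seen from the honeypot. Flags hosts whose observed stack disagrees
    with the configured personality or varies between observations."""
    by_ip = defaultdict(list)
    for ip, ttl, window, isn in observations:
        by_ip[ip].append((ttl, window, isn))
    report = {}
    for ip, obs in by_ip.items():
        claimed = configured.get(ip, "unconfigured")
        stacks = {tuple(match_stack(t, w)) for t, w, _ in obs}
        # Every SYN-ACK from one host should point to the same, claimed, stack.
        stack_ok = len(stacks) == 1 and claimed in next(iter(stacks))
        report[ip] = {
            "claimed": claimed,
            "observed": sorted({s for st in stacks for s in st}),
            "stack_consistent": stack_ok,
            "isn": isn_pattern([i for _, _, i in obs]),
        }
    return report


# Constructed observations: 192.0.2.20 is configured as Windows but answers with
# a Linux-looking stack, and 192.0.2.10 increments its ISN by a constant 64000.
# Both are deployment defects the operator should fix before going live.
CONFIGURED = {"192.0.2.10": "Linux 2.4", "192.0.2.20": "Windows 2000"}
OBSERVATIONS = [
    ("192.0.2.10", 52, 5840, 0x1000),
    ("192.0.2.10", 52, 5840, 0x1000 + 64000),
    ("192.0.2.10", 52, 5840, 0x1000 + 128000),
    ("192.0.2.20", 52, 5840, 0x7A3F1C20),
    ("192.0.2.20", 52, 5840, 0x0B9E4471),
    ("192.0.2.20", 52, 5840, 0xC1D2E3F4),
]

if __name__ == "__main__":
    for ip, r in sorted(audit(CONFIGURED, OBSERVATIONS).items()):
        print(ip, r)
```

The design choice worth noting is that the audit uses exactly the observables SivaKumar lists, so the operator sees the honeypot the way an outside observer would; a personality that passes this check is still not proof against identification, but one that fails it will be spotted immediately.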