Linux Today: Linux News On Internet Time.

Using and Extending Kojoney SSH Honeypot

May 28, 2009, 17:33
(Other stories by Justin Klein Keane)

[ Thanks to Justin Klein Keane for this link. ]

"This is useful because you can use fingerprints to set up alerting or protective mechanisms that can detect compromise quickly and aid in response. For instance, running a honeypot you might discover that most attackers, after compromising an Apache web server, attempt to write a file into the /tmp directory. You can use this information to set up monitoring of the /tmp directory, and alert administrators whenever Apache writes new files into /tmp. This can tip off systems administrators to a possible compromise, by alerting them that there is behavior occurring on their system that typically corresponds to post-compromise attacker behavior.

"Honeypots can be generally divided into two categories: low interaction and high interaction. A high interaction honeypot is a complete system stack, set up on either a real or virtual appliance. The high interaction honeypot is a real system for all intents and purposes and provides intruders with all the capabilities and tools that a real system would have. High interaction honeypots can be a wonderful source of information about attackers, but they carry a high risk as well. There are significant legal ramifications to running a high interaction honeypot that should be carefully considered before installing or running one. You need to think very carefully about your deployment so you don't end up providing a platform from which an attacker could compromise other systems."
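The excerpt's first paragraph suggests turning a honeypot-derived fingerprint (the web server writing into /tmp) into an alert on production hosts. The script below is an added example, not code from the article or from the Kojoney project: it assumes a Linux audit rule such as `-w /tmp -p wa -k tmp_write` is loaded, that the web server process is named `httpd` or `apache2`, and it runs over constructed audit records embedded inline. It correlates each event's SYSCALL and PATH records by serial number and raises an alert only for successful file creations under /tmp by the web server, so a failed write or a write elsewhere does not fire.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the article). They mimic
# the shape of Linux audit output for a watch rule like
#   auditctl -w /tmp -p wa -k tmp_write
# where one event is split over SYSCALL and PATH records sharing the same
# msg=audit(<time>:<serial>) identifier.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1243534001.100:101): arch=c000003e syscall=2 success=yes exit=4 uid=48 comm="httpd" exe="/usr/sbin/httpd" key="tmp_write"
type=PATH msg=audit(1243534001.100:101): item=1 name="/tmp/.x" nametype=CREATE
type=SYSCALL msg=audit(1243534002.200:102): arch=c000003e syscall=2 success=yes exit=3 uid=1000 comm="vim" exe="/usr/bin/vim" key="tmp_write"
type=PATH msg=audit(1243534002.200:102): item=1 name="/tmp/notes.swp" nametype=CREATE
type=SYSCALL msg=audit(1243534003.300:103): arch=c000003e syscall=2 success=yes exit=5 uid=48 comm="httpd" exe="/usr/sbin/httpd" key="tmp_write"
type=PATH msg=audit(1243534003.300:103): item=0 name="/var/www/html/index.html" nametype=NORMAL
type=SYSCALL msg=audit(1243534004.400:104): arch=c000003e syscall=2 success=no exit=-13 uid=48 comm="httpd" exe="/usr/sbin/httpd" key="tmp_write"
type=PATH msg=audit(1243534004.400:104): item=1 name="/tmp/shell.pl" nametype=CREATE
"""

# Assumed process names for the web server; adjust for your distribution.
WEB_SERVER_COMMS = {"httpd", "apache2"}
WATCHED_PREFIX = "/tmp/"

EVENT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into (event serial, dict of key=value fields)."""
    m = EVENT_ID_RE.search(line)
    if not m:
        return None, {}
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    return m.group(2), fields


def group_events(log_text):
    """Group SYSCALL and PATH records by their audit serial number."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        event_id, fields = parse_record(line)
        if event_id is None:
            continue
        if fields.get("type") == "SYSCALL":
            events[event_id]["syscall"] = fields
        elif fields.get("type") == "PATH":
            events[event_id]["paths"].append(fields)
    return events


def find_web_server_tmp_writes(log_text):
    """Return one alert per successful file creation under /tmp by the web server."""
    alerts = []
    ordered = sorted(group_events(log_text).items(), key=lambda kv: int(kv[0]))
    for event_id, ev in ordered:
        sc = ev["syscall"]
        # Ignore events with no SYSCALL record, failed calls, or other processes.
        if sc is None or sc.get("success") != "yes":
            continue
        if sc.get("comm") not in WEB_SERVER_COMMS:
            continue
        for p in ev["paths"]:
            name = p.get("name", "")
            if name.startswith(WATCHED_PREFIX) and p.get("nametype") == "CREATE":
                alerts.append({
                    "event": event_id,
                    "uid": sc.get("uid"),
                    "comm": sc.get("comm"),
                    "path": name,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_web_server_tmp_writes(SAMPLE_AUDIT_LOG):
        print("ALERT: %(comm)s (uid %(uid)s) created %(path)s [audit event %(event)s]" % alert)
```

Run against the constructed log, only event 101 produces an alert: event 102 is a user's editor, event 103 is the web server writing under its document root, and event 104 is a denied write. In deployment the same functions would be fed from the audit log or from `ausearch -k tmp_write` output, and the alert handed to whatever paging or ticketing path the administrators already use.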
