Linux Today: Linux News On Internet Time.

ZDNet: Building Your Own Honeypot

Nov 11, 2000, 17:07
By David Raikow

"One trick favored by hunters since prehistoric times still proves useful in the world of digital networks: bait. Security specialists often construct systems that appear vulnerable to attack, but actually offer no access to valuable data, administrative controls, or other computers. These machines, known as "honeypots," are intended to be attacked, and have no legitimate users or traffic, leaving a foiled intruder exposed and relatively easy to monitor. Placed strategically within a LAN or alone on a dedicated Internet connection, honeypots can lure attackers away from valuable network hosts, collect data for research or legal action, and alert administrators of attacks in progress."

"Another option is a "sacrifice box," a fully functional computer running a standard server operating system like Linux or Windows 2000. This machine is intentionally left vulnerable so attackers can gain full administrative access. While this approach carries substantial risks, a sacrifice box also provides a number of advantages over simulations. Unlike commercial honeypots, sacrifice boxes have minimal hardware requirements and can be implemented relatively cheaply. Moreover, because they use standard operating systems and software, they can be extremely difficult to distinguish from normal, non-honeypot machines; in some cases, an intruder may spend days or even weeks inside without ever realizing they've been caught. Since the sacrifice box isn't limited to pre-established responses, the data collected can be used to examine new or unknown types of attacks in greater detail."

"The second data collection tool is the honeypot's own system logs. These logs will be one of the intruder's primary targets and are highly vulnerable to alteration, so it is absolutely critical to duplicate the logging process on a remote system. Free remote logging tools are available for both Linux and Windows. Under Linux, remote logging can be achieved by modifying and recompiling the syslog daemon to use a hidden configuration file. A dummy configuration file--left at /etc/syslog.conf, for example--may also keep intruders from spotting any alterations in the logging process."
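The point of the remote copy is that it gives you a reference the intruder cannot reach. As an added example (not from the ZDNet article), here is a small Python check that compares the honeypot's local syslog file against the copy held on the log host and reports lines that were deleted locally or exist only locally; the log lines below are constructed sample data, not real captures.

```python
# Added example: compare the honeypot's local log with the remote copy.
# Any line the remote host received but the local file lacks was removed
# on the honeypot; any line present only locally either was forged there
# or was written after the remote forwarding stopped working. Both cases
# deserve a look. Sample logs are constructed for this example.
from collections import Counter

# What the remote log host received (constructed sample).
REMOTE_LOG = """\
Nov 11 16:58:01 honey sshd[812]: Accepted password for guest from 10.0.0.7 port 4122
Nov 11 16:59:12 honey su[840]: guest to root on /dev/pts/0
Nov 11 17:02:40 honey sshd[812]: session closed for user guest
"""

# What is left in the honeypot's own file afterwards (constructed sample):
# the "su to root" line is gone and a later line never reached the log host.
LOCAL_LOG = """\
Nov 11 16:58:01 honey sshd[812]: Accepted password for guest from 10.0.0.7 port 4122
Nov 11 17:02:40 honey sshd[812]: session closed for user guest
Nov 11 17:03:00 honey sshd[812]: Accepted password for guest from 10.0.0.7 port 4122
"""


def _lines(text):
    """Split a log file into non-empty lines."""
    return [line for line in text.splitlines() if line.strip()]


def compare_logs(local_text, remote_text):
    """Return (deleted, local_only).

    deleted:    lines the remote host has that the local file lacks.
    local_only: lines the local file has that the remote host never saw.

    Counters are used so that removing one copy of a repeated line
    (a common way to hide a single login among many) is still detected.
    """
    local = Counter(_lines(local_text))
    remote = Counter(_lines(remote_text))
    deleted = sorted((remote - local).elements())
    local_only = sorted((local - remote).elements())
    return deleted, local_only


if __name__ == "__main__":
    deleted, local_only = compare_logs(LOCAL_LOG, REMOTE_LOG)
    for line in deleted:
        print("REMOVED LOCALLY:", line)
    for line in local_only:
        print("NOT ON LOG HOST:", line)
```

Run it periodically from the log host side, since that is the one machine the intruder should never be able to alter.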