---

ZDNet: Building Your Own Honeypot

“One trick favored by hunters since prehistoric times still
proves useful in the world of digital networks: bait. Security
specialists often construct systems that appear vulnerable to
attack, but actually offer no access to valuable data,
administrative controls, or other computers. These machines, known
as ‘honeypots,’ are intended to be attacked, and have no legitimate
users or traffic, leaving a foiled intruder exposed and relatively
easy to monitor. Placed strategically within a LAN or alone on a
dedicated Internet connection, honeypots can lure attackers away
from valuable network hosts, collect data for research or legal
action, and alert administrators of attacks in progress.”

“Another option is a ‘sacrifice box,’ a fully functional
computer running a standard server operating system like Linux or
Windows 2000. This machine is intentionally left vulnerable so
attackers can gain full administrative access. While this approach
carries substantial risks, a sacrifice box also provides a number
of advantages over simulations. Unlike commercial honeypots,
sacrifice boxes have minimal hardware requirements and can be
implemented relatively cheaply. Moreover, because they use standard
operating systems and software, they can be extremely difficult to
distinguish from normal, non-honeypot machines; in some cases, an
intruder may spend days or even weeks inside without ever realizing
they’ve been caught. Since the sacrifice box isn’t limited to
pre-established responses, the data collected can be used to
examine new or unknown types of attacks in greater detail.”

“The second data collection tool is the honeypot’s own system logs.
These logs will be one of the intruder’s primary
targets and are highly vulnerable to alteration, so it is
absolutely critical to duplicate the logging process on a remote
system. Free remote logging tools are available for both Linux and
Windows. Under Linux, remote logging can be achieved by modifying
and recompiling the syslog daemon to use a hidden configuration
file. A dummy configuration file, left at /etc/syslog.conf for
example, may also keep intruders from spotting any alterations in
the logging process.”
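Two checks a practitioner would want around the remote logging the story describes, as an added example in Python (not code from the ZDNet story or from any tool it mentions): first, that the syslog configuration really forwards every message to a remote host (in classic sysklogd syntax a `*.*` selector whose action begins with `@`; if the real config lives at a hidden path as the story suggests, run the check on that file, not on the dummy /etc/syslog.conf); second, after an intrusion, a diff of the remote copy against the local /var/log/messages that lists exactly which lines the intruder deleted or injected on the honeypot. The config fragments, the hostname loghost.example.net and all log lines are constructed for this example.

```python
"""Added example (not from the ZDNet story): verify that a sysklogd config
forwards everything off-box, and diff the remote log copy against the
honeypot's local copy to expose tampering.  All data here is constructed."""
import re
from collections import Counter

# Constructed sysklogd configs: "selector<whitespace>action" per line.
WEAK_CONF = """\
# local files only: an intruder with root can edit or truncate these
*.info;mail.none;authpriv.none\t/var/log/messages
authpriv.*\t/var/log/secure
"""
FORWARDING_CONF = WEAK_CONF + "*.*\t@loghost.example.net\n"  # hostname assumed


def remote_targets(conf_text):
    """Return (selector, host) for every forwarding rule, skipping comments."""
    targets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        selector, action = parts[0], parts[-1]
        if action.startswith("@"):
            targets.append((selector, action[1:]))
    return targets


def forwards_everything(conf_text):
    """True only if some rule forwards all facilities and priorities remotely."""
    return any(sel == "*.*" for sel, _ in remote_targets(conf_text))


# BSD syslog line as written by sysklogd: "Mon dd hh:mm:ss host tag[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_line(line):
    """Split one log line into its fields, or return None if it is not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


# Constructed: what the remote loghost received (the trusted copy).
REMOTE_LOG = """\
Mar 12 03:14:07 honey sshd[812]: Accepted password for root from 10.0.0.5 port 51322 ssh2
Mar 12 03:14:09 honey su: (to root) admin on /dev/pts/0
Mar 12 03:15:41 honey kernel: device eth0 entered promiscuous mode
Mar 12 03:16:02 honey sshd[830]: Accepted publickey for admin from 10.0.0.5 port 51340 ssh2
"""

# Constructed: /var/log/messages on the honeypot after the intruder edited it.
# The root login line is gone and the remaining lines were reordered.
LOCAL_LOG = """\
Mar 12 03:14:09 honey su: (to root) admin on /dev/pts/0
Mar 12 03:16:02 honey sshd[830]: Accepted publickey for admin from 10.0.0.5 port 51340 ssh2
Mar 12 03:15:41 honey kernel: device eth0 entered promiscuous mode
"""


def compare_logs(remote_text, local_text):
    """Multiset diff of the two copies: reordering is ignored, but every line
    missing locally ("deleted") or present only locally ("added") is listed,
    with duplicates counted correctly.  Order follows the remote copy."""
    remote = Counter(l for l in remote_text.splitlines() if l.strip())
    local = Counter(l for l in local_text.splitlines() if l.strip())
    return {
        "deleted": list((remote - local).elements()),
        "added": list((local - remote).elements()),
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("forwarding", FORWARDING_CONF)):
        print(f"{name} config forwards everything remotely: {forwards_everything(conf)}")
    diff = compare_logs(REMOTE_LOG, LOCAL_LOG)
    for line in diff["deleted"]:
        f = parse_line(line)
        print(f"deleted locally: {f['ts']} {f['tag']}[{f['pid']}] {f['msg']}")
    for line in diff["added"]:
        print(f"only in local log: {line}")
```

The diff is a multiset comparison rather than a line-by-line one so that an intruder who merely reorders or re-writes the file does not drown the real signal (the removed root login) in noise; a line that appears only locally is equally worth a look, since it was either injected or never reached the loghost.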

