March 25th, 2002 01:32 AM
I am interested in seeting up a honeypot on one of my home systems, but I'm not quite certain how to go about it. I'll tell you my best idea so far and gladly take suggestions on how to make it work better.
My current configuration is a linux iptables firewall that has an interface to the rest of the world and an interface to my internal subnet. I block almost everything that I didn't initiate and log the rest. Unfortunately, I don't get much information on whether the traffic I get is more than just a scan because I only see one packet that I drop and never hear from them again.
So what I want to do is to set up a honeypot and not just drop all the packets. Since I plan on this machine geting hacked from time to time, I obviously don't want it on my internal network. So I was thinking about adding another NIC to my firewall that runs over a crossover cable directly to the honeypot. Then I'll change the configuration on my firewall to route all of the unknown packets to the honeypot instead. Then, if I understand this correctly, all I have to do is set up tcpdump on the firewal to do full packet capture on that interface, and I should be able to see everything that happens. Am I correct or am I missing puzzle pieces? Thanks for any info you may be able to give me.
March 25th, 2002 01:43 AM
I have used honeypots before and it is a good concept but, I would recommend for you to use a tarpit instead of a honeypot. Unlike a honeypot, a tarpit will simulate actual machines on your network. Using this utility, if you only have one box online from your ip block, you can simulate all of the others being online by using a tarpit. Tarpits greatly slow down any type of IP scan, DoS, DDoS, etc, attacks, and like honeypots, tarpits can be used to trace the intruder. And since the intruder thinks that he is busy nuking about 255 of your machines, he is really only attacking 1 real one and 254 clones. All the while, you are using your box to trace back to him and from there report him to the proper authorities. The best tarpit that I have used is LaBrea, available for download at www.hackbusters.net/LaBrea.html
March 25th, 2002 01:51 AM
I wish I were so lucky to have an entire subnet. Then I would truly have some fun. Alas, I have but one lone IP address, and a internal non-routable subnet. So unless I misunderstand tarpits, I don't think they would apply in this situation. Thanks for the help though. Should I ever be so lucky to have a full routable subnet, I'll definitely take your advice and set up an tarpit.
March 25th, 2002 02:00 AM
Are you running off a dial-up connection? If so, you should not bother IMO with either Honeypots nor Tarpits, they are mostly for networks w/fast connections that are always on connections.
March 25th, 2002 02:07 AM
It's a cable modem, but I still only have one IP address.
March 25th, 2002 08:30 PM
For the best information about Honeynets, what they are, and how to build them, visit this site:
March 25th, 2002 08:31 PM
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
March 26th, 2002 12:01 AM
As far as static IPs are concerned...
Quote from Dick Archer...
"In addition to packet filtering, many (hardware) firewalls utilize a technology called NAT (network address translation). NAT completely hides the IP addresses of the computers behind the firewall by translating outside(public) addresses into inside(private) addresses. The private IP addresses of computers are never revealed to any users on the outside. <sic> For example, suppose your broadband provider assigned you a single static IP address, such as 126.96.36.199. To implement dynamic NAT, you would need to assign this address to the outside network interface and of your firewall and assign the inside interface an address consistent with your private network.."
In otherwords, designate yourself as a network to your computer, get a hardware firewall, and, since you have a static connection(cable modem), enable a proxy to give yourself anonymity through your firewall, thinking of your firewall as a line between you and the Internet...
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
March 26th, 2002 01:31 PM
It's good to see that someone suggested the methods I am already using. That lets me know that I am on the right track. My curret setup is really only different from your suggestion in one way. My firewall isn't a hardware firewall, but rather a linux box runnning iptables and ipmasquerading and nat. It works exactly as you described it, hiding all of the ip's behind it and making five machines appear like one to the outside world. Only I don't have to use a proxy - I simply point all my internal machines to the firewall as a gateway and it does the rest. All of this is up and currently functioning fawlessly. I just wanted to know the best way to hang a honeypot off the side of my firewall so that it wouldn't be on the same lan as the rest of my boxes. Thanks for the suggestion though. It's nice to know I'm doing something right.
April 18th, 2002 05:09 PM
Re: Firewall/Honeypot Advice
well simply i would go out and buy or geta cracked version of VM ware 3.0 or higher it aloows you to setup virtual machines on one system and allows them to bridge network witch means setup up a network with x machines on one system for more advice i would go to the web site
and do some reserach coz far as i know its the best program out there and at the same time you can learn about networks and there problems i use this software daily for free and all other microsoft products.
Regards Agent Nomad