November 5th, 2003, 05:51 PM
I'm interested in setting up a honey pot. Does anyone have any experience setting up such a device? If so, what should I be worried about when I set one up? I don't care if they break in; I just want to track their movements and prevent them from crashing the hard drives. Other than that they can do what they want.
I know that I should probably stop outgoing traffic from the machine so they don't use it as a springboard to attack other computers. Any other things I should do?
fixed the name
November 5th, 2003, 05:57 PM
I believe you mean honeypot. Visit http://www.honeynet.org for up-to-date info and ideas. I've been playing with one on Linux and FreeBSD. You can get some for Windows if you want, or use VMWare as an alternative.
November 5th, 2003, 06:47 PM
Embalmed: Learn a _whole_ lot more before you start. Not to be offensive but if you don't know what it is called you surely aren't ready to start playing with one.
any other things I should do
I have considered it in the past and decided against it. Why? Because even with all the time and study I have put into this field, I know I'm not good enough at it yet to make it a worthwhile and _safe_ exercise. Catching a couple of script kiddies is one thing, but getting yourself one of the "bigger fish" is a whole different ballgame.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
November 5th, 2003, 07:39 PM
As if security isn't hard enough. Could the lawyers make it tougher? The article below is only an opinion article.
Honeypots: Are They Illegal?
November 5th, 2003, 08:01 PM
November 5th, 2003, 08:19 PM
embalmedlenin, you will have to do a lot of research. You will need to talk to your ISP, and honestly I do not think that they will approve. You also need to learn about the difference between virtual honeypots and having the honeypot directly connected to the internet with its own IP, so that you can have a different IP address for monitoring. It might be better just to read some white papers on it and learn how to do it rather than actually setting one up.
November 5th, 2003, 10:16 PM
I just forgot the name; I went a little brain dead. Anyway, thanks for all the hints.
November 6th, 2003, 04:52 PM
I did an Independent Study course on Honeypots as an undergrad last semester that was just awesome. At the beginning of the semester, I had no clue what they were or how they worked, but by the end, I was running and configuring some left and right. Below, I'll list some links I used.
Honeypots: Tracking Hackers Yes, I know this link has already been posted, but this is the main book I used for the course. One word describes it: OUTSTANDING!! A very easy read, yet at the same time, very informative technically. A must read for anyone interested in Honeypots or Honeynets.
Back Officer Friendly - An incredibly simple honeypot that just emulates open ports and logs attempts to them. Hardly any installation, easy configuration, but when you telnet to port 23 of the host box, the password is visible when you type it. Runs on Win9x/ME/2000/XP.
Specter - Another low interaction honeypot, but this one emulates services and (attempts to emulate) OSes. Last I looked, it was very expensive to purchase and the demo version on the "Tracking Hackers" CD only ran for a second or so. Runs on Windows NT/2000 systems. The good: when you emulate an OS, it also emulates OS-specific servers/software/etc. For example, tell it to emulate Linux and port 80 as being open; when someone connects to port 80, a fake generic Apache page is shown. The bad: an NMAP scan using the -O option can reveal the true OS (Windows) no matter what OS you're trying to emulate.
Honeyd is the honeypot I have the most experience with, but unfortunately, I don't have a valid link for it. It's another low interaction honeypot, which runs on *nix, that emulates open ports and can emulate the services behind them. People contribute their own service emulation scripts to the project, which can make this honeypot highly customizable. The coolest thing about this one is that it uses the same fingerprint file that NMAP uses to ID scanned hosts to fool NMAP into falsely identifying host OSes. Honeyd was written by Niels Provos while at the University of Michigan. Unfortunately, Michigan, a few months back, passed a DMCA-ish law that outlawed forged source telco communications (Honeyd used arpd to claim unused IP addresses and pretended that they were valid machines, with the perp on the other end hopefully unaware), causing Niels to go host it offshore somewhere. American IPs were no longer allowed to download it, or even access the site it was on. Bummer, Honeyd was awesome.
OK, that's enough of a brain dump for one sitting. I gotta get to homework. Hope this all helped.
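The two low-interaction tools described above (Back Officer Friendly logging connection attempts and the telnet password, and honeyd's per-port service emulation scripts) do essentially the same thing: listen on a port, play a banner and prompts, and record whatever the other side types without ever running a real service. The following is an added example of that idea, not code from BOF, honeyd, or the poster. The service table, the 127.0.0.1 binding, and the `probe` client used to exercise it are assumptions made so the demo runs offline on a single box.

```python
"""Minimal low-interaction honeypot (added example, not BOF or honeyd code).

Each listener emulates one service: send a banner, walk through a list of
prompts, record every answer, then drop the connection.  Nothing the client
sends is ever executed, so there is no real service to compromise.
"""
import logging
import socket
import socketserver
import threading
import time

log = logging.getLogger("honeypot")

# Assumed service table: name -> (banner, ordered prompts).  A service with no
# prompts behaves like BOF's "open port": log the first line the client sends.
SERVICES = {
    "telnet": (b"Welcome to fakehost\r\n", [b"login: ", b"Password: "]),
    "ftp":    (b"220 fakehost FTP server ready\r\n", []),
}


def read_line(conn, limit=256, timeout=5.0):
    """Read one line, bounded in length and time so a client can't hang us."""
    conn.settimeout(timeout)
    buf = b""
    try:
        while not buf.endswith(b"\n") and len(buf) < limit:
            chunk = conn.recv(1)
            if not chunk:          # peer closed
                break
            buf += chunk
    except socket.timeout:
        pass                       # silent scanner: log whatever we got
    return buf.rstrip(b"\r\n")


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        svc = self.server.service_name
        banner, prompts = SERVICES[svc]
        entry = {"time": time.time(), "service": svc,
                 "peer": self.client_address[0], "answers": []}
        try:
            self.request.sendall(banner)
            for prompt in prompts:
                self.request.sendall(prompt)
                entry["answers"].append(read_line(self.request).decode("latin-1"))
            if prompts:
                self.request.sendall(b"Login incorrect\r\n")  # never let them in
            else:
                entry["answers"].append(read_line(self.request).decode("latin-1"))
        except OSError:
            pass                   # client reset mid-conversation; still log it
        self.server.events.append(entry)
        log.info("%s", entry)


class HoneypotServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, service_name, events):
        self.service_name = service_name
        self.events = events       # in-memory log; a real deployment writes to disk
        super().__init__(addr, HoneypotHandler)


def start(service_name, host="127.0.0.1", port=0):
    """Start one emulated service in a background thread; port 0 = ephemeral."""
    events = []
    srv = HoneypotServer((host, port), service_name, events)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, events


def probe(port, lines, host="127.0.0.1"):
    """Constructed 'attacker' client: send lines, return everything the service said."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.settimeout(5)
        for line in lines:
            s.sendall(line + b"\r\n")
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            out += chunk
        return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    srv, events = start("telnet")
    probe(srv.server_address[1], [b"root", b"toor"])
    srv.shutdown()
    srv.server_close()
```

Bind to the real service ports (23, 21) on the honeypot's interface instead of an ephemeral localhost port to use it for real; that needs root, so drop privileges after binding. Note what this does not do: it never opens an outbound connection, which is the piece (egress filtering on the host) the original poster was right to worry about.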
November 6th, 2003, 05:35 PM
Other interesting "pre-fab" honeypots:
The Deception Toolkit (aka TDK)
I've played with honeyd and BnS. BnS is interesting but requires iproute2 (which doesn't like 2.4.22 kernel -- ugh). Both are neat to play with.
I've added honeyd as an attachment. I obtained it from the link above. I wasn't aware they were blocking American downloads (I'm a Canuck).
Oh.. And I'm fixing the title of the thread. It's bugging me.
November 6th, 2003, 06:48 PM
Sweet, you can still download it from Provos' site. Last I saw, it had some massive questionnaire that you had to answer before you were admitted to the site. That was a few months ago, though. Thanks for posting the link, Ms. Mittens; I should have checked.
As for the IP blocking thing, that was more of a guess than anything. I couldn't get to it/find it, so I made an assumption. And yes, I know what happens when you assume something...