Quote:
Originally posted here by SFNative
As far as hardening goes, it's not that it's a prerequisite for the type of machine I'd be using. I just can't see any reason to not harden a box, provided that hardening doesn't restrict you from making use of features you desire.

I agree, limit the risk as much as possible without restricting the access that is necessary for that specific machine.

Quote:
Which I guess brings up another question: Is there a good reason to not harden? For example, in the case of a honeypot, I would imagine you would not want it hardened much, if at all.

Well here lies one of the biggest problems when implementing a honeypot. If you don't "harden" the box at all (i.e. firewall rules, basic security practices) then the intruders may get suspicious very quickly, causing them to leave before you get to learn anything about what they do once they are in (i.e. preserving root access).

Also, if you neglect to secure your honeypot then the attackers that manage to get in will have full access to the server and your network. The intruder could then use your machine to scan and compromise more servers. If they use your machine to attack other networks, then you could be held liable for any damage.

On the other side of the scale is hardening your honeypot too much. If it is too secure, then intruders will not even bother.

So as you can see, there is a very fine balance between hardening your honeypot too much and hardening too little (or not at all).

Quote:
Could the same be said for a machine being used as an IDS? Would not hardening it allow you to get a more accurate view of intrusions?

As far as I know, IDS is generally run on a firewall machine, a gateway or in the situation of a honeypot. The level of "hardening" really depends on the machine's application.

Quote:
Following that logic, what about the exact kind of box we are talking about here? Would hardening it prevent you from seeing little holes into your network you might spot otherwise?

Well, obviously if you limit or disallow all outgoing connections, then yes it would prevent you from exploring your network. However, you could probably safely drop all incoming packets, and only allow connections that you started.

--Sudo
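The firewall posture discussed in this thread (drop unsolicited inbound traffic, keep replies to connections the box itself started, leave the bait services reachable, and stop a compromised honeypot from being turned against other networks) as an added nftables ruleset; this is an illustration written for this page, not configuration from the thread or from any poster, and the bait ports, the 10.0.99.0/24 analyst network and the 10.0.99.10 log host are assumed values.

```nft
#!/usr/sbin/nft -f
# Added example: stateful baseline for a honeypot or sensor box.
flush ruleset

table inet honeypot {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host started are the only
        # unsolicited-looking inbound traffic that is kept.
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Management access only from the analyst network (assumed range).
        ip saddr 10.0.99.0/24 tcp dport 22 accept

        # Services deliberately left exposed as bait (assumed ports).
        tcp dport { 21, 23, 80, 445 } accept

        # Everything else is dropped silently by the chain policy.
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif lo accept

        # The sensor may ship its logs to the analyst host (assumed address).
        ip daddr 10.0.99.10 tcp dport { 514, 6514 } accept

        # New outbound connections are logged and rate-limited so an
        # intruder cannot use the box to scan or attack other networks,
        # while a trickle of activity still looks like a real host.
        ct state new limit rate 10/minute log prefix "honeypot-out: " accept
        ct state new log prefix "honeypot-out-drop: " drop
    }
}
```

Load it with `nft -f` and review the `honeypot-out` log lines: a burst of dropped outbound connections is usually the first sign the bait has been taken.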
