I am interested in setting up a honeypot on one of my home systems, but I'm not quite certain how to go about it. I'll tell you my best idea so far and gladly take suggestions on how to make it work better.
My current configuration is a linux iptables firewall that has an interface to the rest of the world and an interface to my internal subnet. I block almost everything that I didn't initiate and log the rest. Unfortunately, I don't get much information on whether the traffic I get is more than just a scan because I only see one packet that I drop and never hear from them again.
So what I want to do is to set up a honeypot and not just drop all the packets. Since I plan on this machine getting hacked from time to time, I obviously don't want it on my internal network. So I was thinking about adding another NIC to my firewall that runs over a crossover cable directly to the honeypot. Then I'll change the configuration on my firewall to route all of the unknown packets to the honeypot instead. Then, if I understand this correctly, all I have to do is set up tcpdump on the firewall to do full packet capture on that interface, and I should be able to see everything that happens. Am I correct or am I missing puzzle pieces? Thanks for any info you may be able to give me.
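Added example (not from the original post): a shell script that prints the iptables rules and the tcpdump command for the layout described above, assuming eth0 is the WAN side, eth2 the crossover leg to the honeypot, 192.0.2.2 the honeypot's address and 192.168.1.0/24 the LAN; all of these are placeholders. It goes one step beyond the post by also locking the honeypot down so that, once compromised, it cannot open connections toward the LAN or the firewall itself.

```shell
#!/bin/sh
# Example for the honeypot-on-a-third-NIC layout; interface names, the honeypot
# address and the LAN range are assumed placeholders. With no argument the script
# only prints the commands; "apply" pipes them to sh (requires root on the firewall).

honeypot_rules() {
    wan="$1"; hp_if="$2"; hp_ip="$3"; lan_net="$4"
    cat <<EOF
# Send every unsolicited new connection arriving on the WAN side to the honeypot.
iptables -t nat -A PREROUTING -i $wan -m conntrack --ctstate NEW -j DNAT --to-destination $hp_ip
# Replies and related traffic may flow in either direction.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Let the redirected connections reach the honeypot interface.
iptables -A FORWARD -i $wan -o $hp_if -d $hp_ip -j ACCEPT
# A compromised honeypot must never initiate traffic toward the LAN or the firewall.
iptables -A FORWARD -i $hp_if -d $lan_net -j LOG --log-prefix "HP-TO-LAN "
iptables -A FORWARD -i $hp_if -d $lan_net -j DROP
iptables -A INPUT -i $hp_if -m conntrack --ctstate NEW -j DROP
# Log and drop any other new outbound attempt from the honeypot (a compromise indicator).
iptables -A FORWARD -i $hp_if -m conntrack --ctstate NEW -j LOG --log-prefix "HP-OUT "
iptables -A FORWARD -i $hp_if -m conntrack --ctstate NEW -j DROP
EOF
}

capture_cmd() {
    hp_if="$1"; outdir="$2"
    # Full packet capture on the honeypot leg: -s 0 keeps whole packets, -G rotates hourly.
    echo "tcpdump -n -i $hp_if -s 0 -G 3600 -w $outdir/honeypot-%Y%m%d-%H%M%S.pcap"
}

if [ "$1" = "apply" ]; then
    honeypot_rules eth0 eth2 192.0.2.2 192.168.1.0/24 | sh
else
    honeypot_rules eth0 eth2 192.0.2.2 192.168.1.0/24
    capture_cmd eth2 /var/log/honeypot
fi
```

The "HP-OUT" and "HP-TO-LAN" log prefixes are the signal that the honeypot has been taken over and is trying to pivot, which the packet capture alone will not flag for you.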