Intelligence Gathering: Watching a Honeypot at Work

Monday, 13 January 2003, 11:23 AM EST

The purpose of this article is share with the security community the data I collected from my honeypot. There are many papers available that explain how to set up honeypots and the risks one takes when running a honeypot. While this paper will briefly cover touch upon these topics, it is written for people who want to understand what data honeypot will provide them. This discussion will include the attacker's recon, the attack, the attempted cover-up, and the reason for the attack on the honeypot.

The honeypot I was running at the time of the attack was an OpenBSD 3.1 machine (10.10.10.40). I had two machines in front of the honeypot. The first was my Linksys cable router. I configured the cable router to logically place all traffic in front of my DMZ (192.168.1.50). Once the router did that I had a Linux box running an IPtables script that the Honeynet project has developed. As far as logging is concerned, I configured the honeypot to log to my remote log server. My remote log server was also used as my intrusion detection system. To make sure that my IDS would not be compromised by any holes in syslog, I shutdown all ports on the IDS/syslog server and ran the following commands:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

To ensure that I received all of my syslog entries I also ran TCPDUMP on my IDS. By doing this, I was guaranteed to receive my log entries.

[ Read more ]

Related items




Spotlight

Infographic: 25 years of the firewall

Posted on 24 July 2014.  |  The firewall turned 25, and McAfee is celebrating with an infographic that creatively depicts its lifetime. If you take a moment to scan the infographic, you’ll notice the firewall's introduction and evolution coincide with certain security events.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Jul 25th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //