Honeypots mailing list archives

Re: Some questions about my first honeypot


From: Graeme Connell <gconnell () middlebury edu>
Date: 9 Apr 2004 06:34:08 -0000

In-Reply-To: <4576.80.1.172.118.1081442061.squirrel () secure uksolutions co uk>

First of all, I'd suggest going to honeynet.org and reading everything, especially the whitepapers on GenI and GenII 
honeynets.

1. Is this setup about as secure as I could make it using only 1 IP
address? I realise the intruder could attack the gateway as well, but it's
locked down pretty good and doesn't have anything running which could be
exploited remotely. However, would there be a way the intruder could get
into my other network from where they were located on the honeypot?

Since it sounds like you have a pretty small network, it might be a good idea to create firewall rules explicitly 
blocking all traffic from the honeypot to each of the other computers on your internal network.  You should also 
configure snort_inline (read ahead) or some other form of packet filter to alert and possibly drop packets from the 
eth2 honeypot to anything on eth1.

2. Logging. Obviously I'm looking to gather as much information to learn
from as possible, but not being familiar with hidden keyloggers etc., I
don't have anything running directly on the honeypot to log sessions and
instead just have a snort rule on the Slack box to log everything which
originates from eth2 (the honeypot network). What I'm a little concerned
about though is that if the attacker enters the box through SSH the session
will be encrypted and I won't be able to gain any information from the
conversation. Is there anything I could look into to get around this?

The best thing I've heard of for logging is Sebek, which you can find out about and download for free from honeynet.org.  
That'll forward a lot of neat info from the honeypot to a Sebek server set up on your Slack machine.

3. As it's only been 1 day since I've had it live, activity has been pretty
minimal. However, should an intruder break in and start using the box as a
base to scan from, I could be in big trouble with my ISP. Is there any way I
can limit connections outbound from the honeypot so that it's not obvious
to the intruder something is wrong, but protects me from unknowingly
participating in some DoS attack?

This is termed the "Data Control" problem of honeynets, and is probably one of the thorniest problems around.  There 
are, though, a few basic ways to get around this.  Once again, almost all of my info comes from honeynet.org.

  Way #1) On the slack box, type "iptables -P INPUT DROP".  This will stop absolutely all outgoing connections from the 
honeypot, and is probably the safest route.
  Way #2) You say you have snort on the slackbox.  Try switching to snort_inline, also available from honeynet.org.  
This new snort allows dynamic packet scrubbing that will nullify many attacks from the honeypot.
  Way #3) A less secure way (but possibly simpler) than #2 is to use the rc.firewall script from honeynet.org to block 
all outgoing connections over 5 from the honeypot.  This will easily stop most denial of service attacks, but if an 
attacker launches one single effective attack from your machine, this script will happily allow that, and you could be 
in hot water pretty quickly.

I recommend Ways 1 or 2.  1 is simple, but restrictive.  Two is a bit more complex, but if you already know snort 
pretty well, it shouldn't be too hard.  Both of these ways will also help protect your home network.

Once again, I suggest going to honeynet.org and reading AT LEAST the whitepapers:
  Know Your Enemy: Honeynets
  Know Your Enemy: GenII Honeynets
If you want to use Sebek, also check out
  Know Your Enemy: Sebek

Hope that was helpful.

                 Graeme Connell
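The two data-control measures discussed in this thread (keep the honeypot away from the internal network, and cap or block the connections it opens outbound) can be expressed as one gateway rule set. The script below is an added example and is not from the thread or from honeynet.org's rc.firewall; it assumes eth2 is the honeypot network and eth1 the internal LAN as in the original question, and assumes eth0 is the Internet-facing interface (not stated in the thread). It works on the FORWARD chain because that is the chain the gateway's forwarded honeypot traffic passes through. By default it only prints the rules for review; set APPLY=yes to execute them, and OUTBOUND_LIMIT=0 for the full lockdown of Way #1.

```shell
#!/bin/sh
# Honeynet data-control rules for a Linux gateway (added example, not from the thread).
# Assumed interface names: eth0 = Internet (assumption), eth1 = internal LAN,
# eth2 = honeypot network (the last two as described in the original question).
INET_IF="${INET_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
HP_IF="${HP_IF:-eth2}"
# NEW outbound connections the honeypot may open per hour; 0 = none at all (Way #1).
OUTBOUND_LIMIT="${OUTBOUND_LIMIT:-5}"

# Rules are printed for review unless APPLY=yes is set, in which case they run.
if [ "${APPLY:-no}" = "yes" ]; then
    IPT=iptables
else
    IPT="echo iptables"
fi

honeynet_rules() {
    # Default deny for everything the gateway forwards, then start from a clean chain.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # Packets belonging to a connection already permitted may pass in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The honeypot must never reach the internal LAN; log first so an alert can fire.
    $IPT -A FORWARD -i "$HP_IF" -o "$LAN_IF" -j LOG --log-prefix "HP_TO_LAN: "
    $IPT -A FORWARD -i "$HP_IF" -o "$LAN_IF" -j DROP

    # Anything from the Internet may reach the honeypot; attracting traffic is its purpose.
    $IPT -A FORWARD -i "$INET_IF" -o "$HP_IF" -j ACCEPT

    # Outbound from the honeypot: a small hourly budget of new connections (Way #3),
    # or none at all when OUTBOUND_LIMIT is 0 (Way #1).
    if [ "$OUTBOUND_LIMIT" -gt 0 ]; then
        $IPT -A FORWARD -i "$HP_IF" -o "$INET_IF" -m state --state NEW \
            -m limit --limit "${OUTBOUND_LIMIT}/hour" --limit-burst "$OUTBOUND_LIMIT" -j ACCEPT
    fi
    # Everything beyond the budget is logged, then dropped.
    $IPT -A FORWARD -i "$HP_IF" -o "$INET_IF" -m state --state NEW -j LOG --log-prefix "HP_OUT_DROP: "
    $IPT -A FORWARD -i "$HP_IF" -o "$INET_IF" -j DROP
}

honeynet_rules
```

The LOG rules are what make the rate limit useful as a detection signal rather than just a brake: a burst of "HP_OUT_DROP" entries in the gateway's kernel log is the sign that someone on the honeypot has started scanning or flooding, which is exactly the moment to pull the plug and start the forensic work. Note that a budget of 5/hour still lets a single outbound connection through, which is the weakness of Way #3 the thread describes; the snort_inline approach is what addresses that.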

