Security Basics mailing list archives
Re: recommended honeynet configuration
From: Florian Streck <streck () papafloh de>
Date: Tue, 6 Jul 2004 16:56:21 +0200
On Fri, Jul 02, 2004 at 02:39:29PM -0400, steve wrote:
> Have a project where we are able to set up a honeynet in order to learn from the damage/results. We have hardware and network connectivity apart from our regular production network.
>
> I think it would be interesting to maybe set up a few machines on the honeynet, running various OSes and web servers such as:
>
>   Windows NT / IIS 4
>   Windows 2000 / IIS 5
>   Windows 2003 / IIS 6
>   FreeBSD / Apache
>
> I guess to make this a true honeynet we should do the base installs of each OS and not patch them. We need a firewall to restrict outbound but allow inbound to the open ports. We need to log events while keeping intruders from knowing they are being monitored. We need to analyze the data.
>
> Is the hardware above the right mix? Should we have other services running like SMTP and FTP? Should we add other hardware like a router to be exploited? Has anyone run such a project and have recommendations / lessons learned? How to best save off the logs for review to determine impact?
>
> What does the group think?
It depends highly on what you want to find out: how attacks in general work, or the risks to your production network?

If it's the impact on your production network, the services and patch levels should be about the same. Same applies to additional hardware.

If it's more about the general idea of how attacks work, you'll perhaps want to add a few Linux boxes with standard distributions (SuSE, Red Hat, Debian) and standard services (ftp, ssh, telnet, http, https, ntp, smtp, pop3, imap, ...). But in this case you'll always have the problem that there is a wide variety of combinations and you simply can't get them all in your net. You'll perhaps also want to test how attacks on systems with the most recent patch level are done.

For the logging I'd put in a hub and add a Linux box with tcpdump. To prevent it from being seen I'd put in some iptables rules that prevent this box from sending any network packets. The logs of the hopefully compromised boxes are perhaps not worth much, since part of an attack could be to change the logfiles. And I have no idea how to prevent that with Windows.

Hope this helps, further questions are welcome.

Florian
--
"...Deep Hack Mode--that mysterious and frightening state of consciousness where Mortal Users fear to tread." (By Matt Welsh)
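The passive tcpdump box Florian describes, as an added example that is not part of the original thread. It assumes a constructed interface name (eth1) plugged into the hub, a constructed capture directory, and a second NIC on an isolated admin network for reaching the box; note that iptables alone does not silence the NIC, because netfilter never sees ARP, so the interface is also brought up without an address.

```shell
#!/bin/sh
# Silent sniffer for a honeynet hub (added example, not the thread's own code).
# SNIFF_IF (constructed default eth1) is the NIC on the hub; CAPDIR is where
# pcaps land. Set DRYRUN=1 to print the commands instead of running them.
set -eu

SNIFF_IF="${SNIFF_IF:-eth1}"
CAPDIR="${CAPDIR:-/var/log/honeynet}"
DRYRUN="${DRYRUN:-}"

run() {
    if [ -n "$DRYRUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Make the sniffing NIC passive: up and promiscuous, but with no IPv4
# address and IPv6 disabled, so the kernel never answers ARP or emits
# neighbour discovery on it. The iptables rules are belt and braces for
# anything the IP stack might still try to send or route through it.
silence_interface() {
    run ip addr flush dev "$1"
    run sysctl -w "net.ipv6.conf.$1.disable_ipv6=1"
    run ip link set "$1" up promisc on
    run iptables -A OUTPUT -o "$1" -j DROP
    run iptables -A INPUT -i "$1" -j DROP
    run iptables -A FORWARD -i "$1" -j DROP
    run iptables -A FORWARD -o "$1" -j DROP
}

# Capture everything (full snaplen, no name lookups, which would themselves
# send DNS traffic), rotate hourly into timestamped files, and drop root
# after the NIC is open; the directory must be writable by that user.
start_capture() {
    run mkdir -p "$2"
    run chown nobody "$2"
    run tcpdump -i "$1" -n -s 0 -Z nobody -G 3600 \
        -w "$2/honeynet-%Y%m%d-%H%M.pcap"
}

case "${1:-}" in
    apply) silence_interface "$SNIFF_IF"; start_capture "$SNIFF_IF" "$CAPDIR" ;;
    show)  DRYRUN=1; silence_interface "$SNIFF_IF"; start_capture "$SNIFF_IF" "$CAPDIR" ;;
esac
```

Run `sh sniffer.sh show` to review the commands and `sh sniffer.sh apply` as root to apply them; copy the rotated pcaps off the box over the admin NIC, never over the hub.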