Honeypots mailing list archives
Some questions about my first honeypot
From: <x0x () ukshells co uk>
Date: Thu, 8 Apr 2004 17:34:21 +0100 (BST)
Hello honeypots list, I've just created my first honeypot and was wondering if anyone could spare a few minutes in helping me out. Apologies if this is a little long, but because it's my first pot I have a fair few questions.

I have a cable connection, but I only have 1 IP address. My setup before I implemented a honeypot was a Slackware box acting as router with 2 network cards inside, one to my cable provider, the other to my internal network, connected by an old Bay Networks hub. Then I was using some standard iptables rules on the Slack box for NAT so my internal machines could get out onto the web.

Now I figured that if I just plugged the honeypot into my old Bay Networks hub, gave it a local IP address and added some rules on the Slack box to forward xyz ports to it, that would be a bad move, because potential intruders would be able to sniff my internal network and attack my local machines from it. So what I did was put another network card into the Slack box as eth2 and gave this card a different netmask of 255.0.0.0 and assigned an IP of 192.0.0.10. I then got another old hub, plugged eth2 into there, then plugged my honeypot into this hub and assigned it to the 255.0.0.0 netmask with an IP of 192.0.0.11 and pointed its gateway at 192.0.0.10. I then changed the iptables rules on the Slack box to forward out for eth2 as well, tested my honeypot could see the web, it could. I then set up some rules to forward certain ports to the honeypot.

With my limited knowledge that setup was about as far away from my internal network as I could make it; the honeypot is running Red Hat 7.2 unpatched and its gateway is the Slack box, which is running no services at all.

OK, well now I've rambled on about my setup, here are my questions.

1. Is this setup about as secure as I could make it using only 1 IP address? I realise the intruder could attack the gateway as well, but it's locked down pretty good and doesn't have anything running which could be exploited remotely. However, would there be a way the intruder could get into my other network from being where they were located on the honeypot?

2. Logging. Obviously I'm looking to gather as much information to learn from as possible, but not being familiar with hidden keyloggers etc. at all, I don't have anything running directly on the honeypot to log sessions and instead just have a Snort rule on the Slack box to log everything which originates from eth2 (the honeypot network). What I'm a little concerned about though is that if the attack enters the box through SSH the session will be encrypted and I won't be able to gain any information from the conversation. Is there anything I could look into to get around this?

3. As it's only been 1 day since I've had it live, activity has been pretty minimal. However, should an intruder break in and start using the box as a base to scan from, I could be in big trouble with my ISP. Is there any way I can limit connections outbound from the honeypot so that it's not obvious to the intruder something is wrong, but protects me from unknowingly participating in some DoS attack?

I think that's about it in terms of my questions. If anyone can provide answers or advice on my setup and questions I would really appreciate it. Thanks in advance.

Stan
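The isolation and outbound-limiting rules that questions 1 and 3 ask about, as an added example (not part of Stan's post or of any reply): an iptables script for the router described above. The interface names eth0 (cable side) and eth1 (internal LAN), the forwarded ports and the rate values are assumptions; eth2 and the 192.0.0.x honeypot addresses are taken from the post.

```shell
#!/bin/sh
# Added example: iptables "data control" for the honeypot router described in the post.
# eth0 (cable side) and eth1 (internal LAN) are assumed names; eth2 and the
# 192.0.0.0/8 honeypot network are from the post.
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
HP_IF=${HP_IF:-eth2}
HP_NET=192.0.0.0/8
HP_IP=192.0.0.11
FWD_PORTS=${FWD_PORTS:-"21 80"}   # ports exposed on the honeypot (assumed values)

# Print each rule; only execute it (as root) when APPLY=1 is set.
ipt() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; fi
}

honeypot_rules() {
    # Q1: the honeypot segment must never talk to the internal LAN in either direction.
    ipt -A FORWARD -i "$HP_IF" -o "$LAN_IF" -j DROP
    ipt -A FORWARD -i "$LAN_IF" -o "$HP_IF" -j DROP

    # Inbound: DNAT the chosen ports on the single public IP to the honeypot.
    for p in $FWD_PORTS; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$p" -j DNAT --to-destination "$HP_IP"
        ipt -A FORWARD -i "$EXT_IF" -o "$HP_IF" -p tcp -d "$HP_IP" --dport "$p" -j ACCEPT
    done
    # Packets belonging to connections already accepted flow freely both ways.
    ipt -A FORWARD -i "$HP_IF" -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$HP_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Q3: outbound data control. A small budget of NEW connections per hour keeps the
    # box looking normal from the inside but makes scanning or flooding from it
    # useless; attempts above the budget are logged, then dropped (values assumed).
    ipt -A FORWARD -i "$HP_IF" -o "$EXT_IF" -m state --state NEW \
        -m limit --limit 10/hour --limit-burst 5 -j ACCEPT
    ipt -A FORWARD -i "$HP_IF" -o "$EXT_IF" -m state --state NEW \
        -j LOG --log-prefix "HONEYPOT-OUTBOUND-LIMIT "
    ipt -A FORWARD -i "$HP_IF" -o "$EXT_IF" -j DROP

    # NAT for the honeypot segment, as the post already had for eth2.
    ipt -t nat -A POSTROUTING -s "$HP_NET" -o "$EXT_IF" -j MASQUERADE
}

honeypot_rules
```

Run without APPLY to review the generated rules; the LOG line gives Snort on the Slack box a kernel-log record of every outbound attempt the limit refused.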