Honeypots mailing list archives

Some questions about my first honeypot


From: <x0x () ukshells co uk>
Date: Thu, 8 Apr 2004 17:34:21 +0100 (BST)

Hello honeypots list,

I've just created my first honeypot and was wondering if anyone could spare
a few minutes in helping me out. Apologies if this is a little long, but
because it's my first pot I have a fair few questions.

I have a cable connection but I only have 1 IP address. My setup before I
implemented a honeypot was a Slackware box acting as router with 2 network
cards inside, one to my cable provider, the other to my internal network
connected by an old Bay Networks hub. Then I was using some standard
iptables rules on the Slack box for NAT so my internal machines could get
out onto the web.

Now I figured that if I just plugged the honeypot into my old Bay Networks
hub, gave it a local IP address and added some rules on the Slack box to
forward xyz ports to it, that would be a bad move because potential
intruders would be able to sniff my internal network and attack my local
machines from it. So what I did was put another network card into the
Slack box as eth2 and gave this card a different netmask of 255.0.0.0 and
assigned an IP of 192.0.0.10. I then got another old hub, plugged
eth2 into there, then plugged my honeypot into this hub and assigned it
to the 255.0.0.0 netmask with an IP of 192.0.0.11 and pointed its gateway
at 192.0.0.10. I then changed the iptables rules on the Slack box to
forward out for eth2 as well, and tested that my honeypot could see the web; it
could. I then set up some rules to forward certain ports to the honeypot.

With my limited knowledge that setup was about as far away from my
internal network as I could make it. The honeypot is running Red Hat 7.2
unpatched and its gateway is the Slack box, which is running no services at
all.

OK, well now I've rambled on about my setup, here are my questions.

1. Is this setup about as secure as I could make it using only 1 IP
address? I realise the intruder could attack the gateway as well, but it's
locked down pretty good and doesn't have anything running which could be
exploited remotely. However, would there be a way the intruder could get
into my other network from where they were located on the honeypot?

2. Logging. Obviously I'm looking to gather as much information to learn
from as possible, but not being familiar with hidden keyloggers, etc., I
don't have anything running directly on the honeypot to log sessions and
instead just have a Snort rule on the Slack box to log everything which
originates from eth2 (the honeypot network). What I'm a little concerned
about though is that if the attack enters the box through SSH the session
will be encrypted and I won't be able to gain any information from the
conversation. Is there anything I could look into to get around this?

3. As it's only been 1 day since I've had it live, activity has been pretty
minimal. However, should an intruder break in and start using the box as a
base to scan from, I could be in big trouble with my ISP. Is there any way I
can limit connections outbound from the honeypot so that it's not obvious
to the intruder something is wrong, but it protects me from unknowingly
participating in some DoS attack?

I think that's about it in terms of my questions. If anyone can provide
answers or advice on my setup and questions I would really appreciate it.

Thanks in advance.

Stan
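As an added example that is not part of the original post, here is what the gateway rule set for the three-NIC layout Stan describes could look like: DNAT of the exposed ports to the honeypot, a hard block between the honeypot segment (eth2) and the internal LAN (question 1), and a rate limit on new outbound connections from the honeypot (question 3). The uplink and LAN interface names (eth0, eth1), the list of forwarded ports and the limit values are assumptions; eth2, 192.0.0.10, 192.0.0.11 and the 255.0.0.0 netmask come from the post.

```shell
#!/bin/sh
# Containment rules for the three-NIC Slackware gateway from the post.
# Assumed: eth0 = cable uplink, eth1 = internal LAN, forwarded ports 21/23/80.
# From the post: eth2 = honeypot segment, 192.0.0.0/255.0.0.0, honeypot 192.0.0.11.
# Default is a dry run that prints the commands; run as root with
# IPT=iptables to apply them.  Rules are appended, so they assume the
# FORWARD chain has no earlier blanket ACCEPT for eth2.
IPT="${IPT:-echo iptables}"

WAN=eth0; LAN=eth1; HP=eth2
HP_NET=192.0.0.0/8                  # the 255.0.0.0 netmask used in the post
HP_HOST=192.0.0.11
HP_PORTS="${HP_PORTS:-21 23 80}"    # assumed services exposed to the outside

honeypot_rules() {
    # Expose selected services: DNAT inbound uplink traffic to the honeypot.
    for p in $HP_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" \
            -j DNAT --to-destination "$HP_HOST"
    done
    # The honeypot segment must never reach the internal LAN (or vice versa);
    # any attempt is logged, since it is a strong sign the pot is compromised.
    $IPT -A FORWARD -i "$HP" -o "$LAN" -j LOG --log-prefix "HP->LAN "
    $IPT -A FORWARD -i "$HP" -o "$LAN" -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$HP" -j DROP
    # Replies belonging to connections the outside world opened always pass.
    $IPT -A FORWARD -i "$HP" -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New outbound connections are rate limited: enough to fetch a tool or
    # two, not enough to scan or flood.  Excess attempts are logged and dropped.
    $IPT -A FORWARD -i "$HP" -o "$WAN" -m state --state NEW \
        -m limit --limit 5/min --limit-burst 10 -j ACCEPT
    $IPT -A FORWARD -i "$HP" -o "$WAN" -m state --state NEW \
        -j LOG --log-prefix "HP-OUT-LIMIT "
    $IPT -A FORWARD -i "$HP" -o "$WAN" -j DROP
    # NAT the honeypot's permitted outbound traffic behind the single public IP.
    $IPT -t nat -A POSTROUTING -s "$HP_NET" -o "$WAN" -j MASQUERADE
}

honeypot_rules
```

The "HP-OUT-LIMIT" and "HP->LAN" log prefixes give the kernel log (and the Snort box) a cheap indicator that someone on the honeypot has started reaching out.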
