Honeypots mailing list archives

RE: Honeypot on DSL


From: Christian Kreibich <christian () whoop org>
Date: Wed, 11 May 2005 13:33:58 -0700

Hi,

I did something similar a while ago. The simplest way was to have the
firewall *block* everything inbound so the machine's real IP stack
couldn't start to process the packets. Honeyd will still work because
pcap will snoop the packets before they get dropped at the firewall.
Besides that, I allowed outbound, and also ssh inbound from a remote
management machine (making sure that this traffic wasn't fed into
honeyd).

So something like the below (this is recalled from memory so might be
bogus).

# Flush the existing INPUT and FORWARD rules
iptables -F INPUT
iptables -F FORWARD

# Allow the remote management machine and connections initiated outbound; drop everything else.
iptables -A INPUT -s <my remote machine> -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP

# Don't forward either.
iptables -A FORWARD -j DROP

Cheers,
Christian.

On Tue, 2005-05-10 at 22:05 +0200, Andreas Rittershofer wrote:
On Tuesday, 10.05.2005, 14:54 -0500, Stejerean, Cosmin wrote:
From the internet you should only receive traffic directed at your IP
address and for DSL you usually only get one IP address which might be why
you can not get it to work listening on another IP address.
I don't want it to listen to another IP address; the honeypot should
listen to the IP address I have when I'm online.

If you make it listen on the same address check to see if the firewall on
the host machine is turned off, it might be intercepting the traffic before
the honeypot sees it.

The firewall is off.

Kind regards, ar


-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
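An added example, not part of the post above: a small shell script that generates the honeyd host ruleset Christian describes as a list of iptables commands (printed for review rather than executed), narrowing the management rule to ssh only as the text intends, and checking that every terminal rule is DROP rather than REJECT, since a REJECT would make the host's real stack answer with RST/ICMP and race honeyd's own replies. The management IP and ssh port are placeholders.

```shell
#!/bin/sh
# Added example (not the original poster's script). Prints the iptables
# commands instead of running them so the ruleset can be reviewed first.
# $1 = remote management machine (placeholder), $2 = ssh port (default 22).
honeypot_ruleset() {
    mgmt_ip="$1"
    ssh_port="${2:-22}"
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s $mgmt_ip --dport $ssh_port -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
EOF
}

# Check: the host must silently DROP, never REJECT, so that only honeyd
# (which sees the packets via pcap before the filter) answers the probes.
ruleset_uses_only_drop() {
    ! honeypot_ruleset "$1" "$2" | grep -q -- '-j REJECT'
}
```

Run `honeypot_ruleset 192.0.2.10 | sh` only after reviewing the printed rules on the honeypot host.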