discuss: Honeypot Howto
Subject: Honeypot Howto
From: "Alan Evans" ####@####.####
Date: 12 Jul 2002 06:44:20 -0000
Message-Id: <001a01c2296f$8e611170$0b01a8c0@aidanpride>
Hello all, my name is Alan Evans and I am a recent graduate of Rochester
Institute of Technology (RIT) in Rochester, NY. I figure I have taken
enough from various HOWTOs around the net, and it is time to give back to
my Linux user community.
While at school I took a class called Computer System Security, which was
offered for the first time, and one of the projects we took on as a class
was to create a Linux-Linux VMWare virtual honeypot for another class
(System Admin II) to, er, um, evaluate (cough cough, hack into). Well,
the class and I all learned a lot, though I think I learned the most,
as I was kind of the lead of that project.
Anyway, I am writing to put forth an idea for a HOWTO I would like to
author and submit. The HOWTO would be a general Honeypot HOWTO based
mostly on what I did for that class. I would then include a section,
probably a rather significant one, on doing a Linux-Linux VMWare
honeypot. I figure it would be best to make it a Honeypot HOWTO and
include VMWare as a section in it, because most of the tricks we (or
rather I) applied to the VMWare honeypot would work just as well on a
plain old honeypot.
Here is a list of some of the things I think I would discuss, in the form
of a general outline:

Introduction
  Disclaimer
  Legal implications ??
  What is a honeypot?
  Why a honeypot?
  Where can I learn more?
    Honeynet project
    Search <insert search engine here>
Syslog
  Using an alternate configuration file
  Logging to normal log file locations
  Logging to a secondary location
  Hiding your new logs (modify atime, ctime and mtime)
  Network logging
  Serial port logging (don't know much about this!! May need help here)
  Logging bash_history to the syslog
Snort
Physical Security
VMWare Linux-Linux Honeypot
  Why VMWare
  Why Linux-Linux
  Choosing/Building a box
    Two NICs
    Two Hard Drives
  VMWare
    Choosing a Host OS
    Securing the Host OS
    Snort on the Host OS
    Syslog
      Alternate config logging
      Network logging
      Really secure logs!! (Copying them to the host OS)
  Physical Security
That's all I can come up with at the moment, but I have a lot of ideas
running around in my head.
I look forward to comments, and to hearing whether this is a good idea.
Thanks,
-Alan
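As an added example that is not part of Alan's message, nor code from the Honeynet project, here is one way to do the "Logging bash_history to the syslog" item from the outline, in bash: a DEBUG trap that writes each interactive command line to syslog through logger(1), so the Syslog section's network logging can forward it off the honeypot before an intruder can edit ~/.bash_history. The fallback file path, the local1 facility and all function names are assumptions made for the illustration.

```shell
#!/bin/bash
# Added example, not code from the original post: log each interactive
# shell command line to syslog (the "bash_history to syslog" idea above).
# Assumptions: bash (DEBUG trap, history builtin) and logger(1) from
# util-linux; CMDLOG_FILE and the facility local1 are illustrative names.

CMDLOG_FILE="${CMDLOG_FILE:-/var/log/cmdlog}"   # assumed fallback path
CMDLOG_FACILITY="${CMDLOG_FACILITY:-local1}"    # assumed syslog facility

# Turn "  123  ls -la" (what `history 1` prints) into "ls -la".
strip_history_number() {
    printf '%s' "$1" | sed 's/^[[:space:]]*[0-9][0-9]*[[:space:]]*//'
}

# Build the one-line record written for each command. Embedded newlines
# are flattened so a multi-line command still lands as one syslog record.
format_cmd_entry() {
    local user=$1 tty=$2 cwd=$3 cmd=$4
    cmd=$(printf '%s' "$cmd" | tr '\n' ' ')
    printf 'user=%s tty=%s pwd=%s cmd=%s\n' "$user" "$tty" "$cwd" "$cmd"
}

# Ship a record to syslog (from where network logging can move it off the
# box), or append it to the fallback file when logger(1) is not installed.
record_cmd_entry() {
    local entry=$1
    if command -v logger >/dev/null 2>&1; then
        logger -p "${CMDLOG_FACILITY}.info" -t cmdlog -- "$entry"
    else
        printf '%s\n' "$entry" >> "$CMDLOG_FILE"
    fi
}

current_tty() {
    if [ -t 0 ]; then tty; else echo notty; fi
}

# DEBUG trap body: bash runs it before every simple command, so a pipeline
# fires it several times. Bash appends an interactive line to history before
# running it, so `history 1` is the line just typed; comparing it with the
# last logged line keeps one record per line.
_cmdlog_last=""
_cmdlog_trap() {
    local line
    line=$(strip_history_number "$(HISTTIMEFORMAT= builtin history 1)")
    [ "$line" = "$_cmdlog_last" ] && return 0
    _cmdlog_last=$line
    record_cmd_entry "$(format_cmd_entry "${USER:-$(id -un)}" \
        "$(current_tty)" "$PWD" "$line")"
}

# Install the trap. The settings are made readonly so a plain `unset`
# does not silence the logger; an intruder who execs another shell still
# bypasses it, which is why this belongs next to network logging and
# Snort rather than standing on its own.
install_cmd_logger() {
    readonly CMDLOG_FILE CMDLOG_FACILITY
    trap '_cmdlog_trap' DEBUG
}
```

Source the file from a system-wide profile (for example /etc/profile, an assumed location) and call install_cmd_logger at the end; a command typed in a new login shell then shows up wherever local1.info is routed in syslog.conf, ideally a remote loghost. Known gaps a practitioner should expect: lines hidden from history by HISTCONTROL=ignorespace are not logged, a non-interactive `ssh host cmd` never reads the profile, and `exec sh` leaves bash and its trap behind. Treat this as one more layer on top of the off-box syslog and Snort captures in the outline, not as the record of truth.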