LinuxQuestions.org


metallica1973 11-02-2005 09:06 PM

Honeypots
 
1 - What level should I have my security set up on my Linux honeypot? I guess that I should just leave it wide open on a DMZ and have no firewall running, correct?

What is your opinion about the Honeywall CD-ROM package?

fouldsy 11-03-2005 02:56 AM

If you're just wanting to try and get any kind of attack or activity, drop the security right down, use weak passwords, leave all your network services wide open, etc. I tried that once for a laugh at work just to see what happened. It depends on what you're trying to get out of it though. Along with our Snort box picking up a few things, I wanted to see a bit more activity and see if anyone was paying attention to us, so I dropped a box outside the DMZ with a standard config, i.e. only running services I'd leave running normally, fairly strong passwords a joe user would have, a few basic iptables rules, etc. I don't know any distros specifically for this but am sure there are some. I just used a basic Debian box.

metallica1973 11-03-2005 04:57 PM

What happened? The suspense is killing me!

brianthegreat 11-04-2005 12:17 AM

Yeah! You have our interest.

I bet he is just posting to act cool man.

metallica1973 11-04-2005 05:38 PM

And the conclusion is?

fotoguy 11-04-2005 06:18 PM

Re: Honeypots
 
Quote:

Originally posted by metallica1973
1 - What level should I have my security set up on my Linux honeypot? I guess that I should just leave it wide open on a DMZ and have no firewall running, correct?

What is your opinion about the Honeywall CD-ROM package?

Actually, you're better off setting it up to log everything through your firewall and syslog, and having the logs sent to another computer. The idea of a honeypot is to gather information about the attack, so log files are your best friend.

metallica1973 11-11-2005 05:21 PM

Can you give me an example of how to send them to another server?

fotoguy 11-11-2005 05:50 PM

Never done it before myself, but you can set up syslog to send the files to another computer as it's logging, what's usually referred to as a syslog server. This can reside on the same network or on a remote site. All you need for the syslog server is to allow it to accept log files from other hosts. If you're setting up a honeypot you can't trust the log files, since they're the first things that are deleted or altered to cover their tracks.

metallica1973 11-11-2005 08:32 PM

So I guess that basically when I set up my honeypot, should I:

1 - not use a firewall, or have a firewall with ports open like ssh, ftp, login, etc.

2 - no patches

3 - have it on its own DMZ and tell my DMZ to not have any connections period to inside of my network.

I am a little confused.

help!!

fotoguy 11-11-2005 09:50 PM

I have never set up a honeypot before so I cannot give you any guaranteed way of doing this, but if I was wanting to set one up I would do as follows:

Definitely set the honeypot up on a DMZ and have no way for it to connect to your network other than the port used by syslog, so the honeypot can send all log files to you. I would set the router (firewall) up to forward all the traffic straight to the honeypot (DMZ), but log all packets; since they will usually scan for unsecured hosts, this will help identify what sort of attack they used to find you.

On the honeypot I would have no firewall, no patches and just the standard services running, and set up syslog to send all log files to your remote machine; these log files will tell you everything they do to the honeypot, from login attempts, account creation etc. Usually once they gain control they delete log files to cover their tracks, so you can't trust the logs once it's been compromised. I would probably look at bandwidth throttling if you are running broadband, take it down to 28 k/bytes so they can't use it for illegal things like a warez server, or download large files at your expense.
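As an added example (not code from the thread or from any poster), here are the config fragments fotoguy's plan above boils down to: remote syslog forwarding from the honeypot, the collector accepting it, router rules that let the honeypot reach the LAN only on the syslog port while logging everything, and the bandwidth cap. It assumes classic sysklogd on both hosts and uses made-up placeholder addresses and interface names.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses/interfaces are placeholders.
COLLECTOR="192.0.2.10"    # internal syslog collector (placeholder)
HONEYPOT="198.51.100.5"   # honeypot sitting in the DMZ (placeholder)
DMZ_IF="eth1"             # router interface facing the DMZ (placeholder)
LAN_IF="eth0"             # router interface facing the LAN (placeholder)

# /etc/syslog.conf line on the honeypot: '@host' forwards every facility and
# priority over UDP 514 as it is logged, so a copy leaves the box before an
# intruder can edit or delete the local files.
syslog_forward_conf() {
    printf '*.*\t@%s\n' "$COLLECTOR"
}

# On the collector (Debian sysklogd): /etc/default/syslogd needs '-r' or
# syslogd ignores messages from other hosts entirely.
collector_conf() {
    printf 'SYSLOGD="-r"\n'
}

# Router/firewall rules: forward everything addressed to the honeypot and log
# it (records the scans that found the box), but from the DMZ toward the LAN
# allow only syslog to the collector; log and drop anything else.
router_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -o $DMZ_IF -d $HONEYPOT -j LOG --log-prefix "TO-HONEYPOT "
iptables -A FORWARD -o $DMZ_IF -d $HONEYPOT -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $HONEYPOT -d $COLLECTOR -p udp --dport 514 -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "HONEYPOT-TO-LAN "
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
EOF
}

# Bandwidth cap on the DMZ interface: 28 kbytes/s is roughly 224 kbit/s, so a
# token-bucket qdisc at that rate makes the box useless as a warez server.
throttle_cmd() {
    printf 'tc qdisc add dev %s root tbf rate 224kbit burst 32kbit latency 400ms\n' "$DMZ_IF"
}
```

Run the functions and paste their output into the respective files or rc scripts; only the syslog line belongs on the honeypot itself, everything else lives on the router and collector.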
