These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes

UNIX03/Honeypots And Tarpits


A honeypot is a difficult thing to define. For some, a honeypot is a system designed to teach how crackers probe for and exploit a system. The theory is that by learning a cracker's tools and methods, you can then better protect your network and systems.

For others, a honeypot is a system designed to act as bait or a "busy-box" for crackers attempting to compromise a system. Here, a honeypot sits someplace on your network (or system) and offers something enticing to a cracker to attack. Once the cracker attacks, one or more of the following could occur:

    • The system administrator is alerted
    • The cracker is locked out of other services (see Setting Up An Adaptive Firewall)
    • The cracker is tracked (IP, MAC, etc) for the authorities
    • The cracker is distracted while more extensive traces occur

On the legality of Honeypots

Presently, the concepts of honeypots are being challenged on two fronts:
  1. There is a strong push from groups like the MPAA to enforce a so-called "Super DMCA" law that would possibly make the sort of work that honeypots do illegal (for more information, see http://www.freedom-to-tinker.com/superdmca.html)
  2. There is another strong push to classify the use of honeypots as "entrapment"

As such, care must be taken before implementing a honeypot on your network. Certainly, you will wish to consult with any managers, lawyers, etc. to determine whether honeypots should be used in your organization. If you are the decision-maker for your network, then you should research the legality for yourself. At present, the state of Arizona does not have any law which explicitly or implicitly outlaws the use of honeypots (to the best of my knowledge); however, the entrapment argument is really anyone's guess. Certainly, the small honeypot we will be setting up for educational purposes is legal, but if we were to actually implement it on a given server for security purposes the issue becomes murkier.

At the risk of editorializing, it is my firm belief that the use of honeypots for any purpose should not be illegal. A honeypot can be both an excellent educational tool and a security device. I personally use honeypots on several servers that I maintain, and honestly have no intention to curtail my usage any time soon.

Honeypots and Tarpits Available

For UNIX systems there are numerous honeypots and tarpits to choose from. Each has different intentions and secures different aspects of your system. The following is not intended to be a comprehensive list, but instead an overview of some of the more prevalent ones:

This is one of the most well-known honeypots around. HoneyD works by creating virtual hosts on a network. These virtual hosts can then show signs of running known services. HoneyD improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. Instead of simulating a service, it is also possible to proxy it to another machine.

LaBrea Tarpit is another well-known tool. Unfortunately, it has been shut down due to the aforementioned "Super DMCA". You can follow the ongoing case here: http://www.hackbusters.net/whatsnew.html

(This is the one we will be installing today) Tiny Honeypot (thp) appears to listen on all ports otherwise not in legitimate use, providing a series of phony responses to attacker commands. Some are very simple, others are somewhat more interactive. The goal isn't to fool a skilled, determined attacker...merely to cloud the playing field with tens of thousands of fake services, all without causing unreasonable stress on the thp host.
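As an added illustration of the thp idea (example code written for these notes, not thp's own), here is a minimal low-interaction listener in Python: it answers with a canned FTP-style banner, returns a phony reply to whatever the probe sends, and records the source address and every command so the administrator can be alerted and the cracker tracked. The persona table, the reply strings, and the `start` and `probe` helpers are all constructed for this example.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Canned banner and replies for a fake FTP service (constructed here, not thp's own scripts).
PERSONAS = {
    "ftp": {"banner": b"220 FTP server ready.\r\n", "USER": b"331 Password required.\r\n",
            "PASS": b"530 Login incorrect.\r\n", "QUIT": b"221 Goodbye.\r\n",
            "*": b"500 Unknown command.\r\n"},
}
LOG = []  # (utc timestamp, source ip, persona, event); a deployment would write syslog or a file
def phony_reply(persona, line):
    """Canned reply for one attacker command; anything unrecognised gets the '*' reply."""
    cmd = line.strip().split(" ", 1)[0].upper()
    table = PERSONAS[persona]
    return table.get(cmd, table["*"])

class FakeService(socketserver.StreamRequestHandler):
    timeout, MAX_LINES = 10, 8   # drop idle clients; cap the exchange so one probe cannot hog a thread
    def handle(self):
        persona, src = self.server.persona, self.client_address[0]
        LOG.append((datetime.now(timezone.utc).isoformat(), src, persona, "CONNECT"))
        self.wfile.write(PERSONAS[persona]["banner"])
        for _ in range(self.MAX_LINES):
            raw = self.rfile.readline(512)
            if not raw:
                break
            line = raw.decode("latin-1").rstrip("\r\n")
            LOG.append((datetime.now(timezone.utc).isoformat(), src, persona, line))
            self.wfile.write(phony_reply(persona, line))   # keep the probe talking, cheaply
            if line.upper().startswith("QUIT"):
                break

def start(persona, port=0, bind="127.0.0.1"):
    """Serve one fake service in a background thread; port 0 picks a free port."""
    srv = socketserver.ThreadingTCPServer((bind, port), FakeService)
    srv.persona, srv.daemon_threads = persona, True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(addr, commands):
    """Tiny client for exercising the listener: returns the banner plus one reply per command."""
    with socket.create_connection(addr, timeout=5) as s:
        f = s.makefile("rb")
        replies = [f.readline()]
        for cmd in commands:
            s.sendall(cmd + b"\r\n")
            replies.append(f.readline())
    return replies
```

To cover many ports the way thp does, start one listener per otherwise unused port with its own persona table, and send LOG entries to syslog or a file so they actually reach the administrator.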

HoneyWeb is a deception-based program that behaves like a web server; it can be used as a standalone server or in conjunction with HoneyD to provide request-based HTTP header spoofing and page serving. HoneyWeb does a basic regex comparison against each incoming request to determine which associated headers to return. Attack-specific pages can be specified to make HoneyWeb appear more real to interactive attackers. HoneyWeb logs request-specific information into hw-log files in the log directory. In addition, unmatched requests are logged in the newsigs file.

Though it is more complex than the others (because it's not really a honeypot), you can technically use User Mode Linux (UML) to provide very realistic fake services running in a very non-privileged (possibly even chrooted) UML install. The big advantage of using UML as a honeypot is that you can have real services answering instead of fake ones working from service "fingerprints".


Last edited June 27, 2003 4:17 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.