Outbreak - Issue #2 - Page 1 of 12

--=Honeynets: A Simple Overview=--
-by `Enigma-

--------------------------------
1. What the hell is a honeynet?
--------------------------------

let me first explain what a honeynet is for those of you that don't know. a honeynet is a network that is designed to be broken into. this network of computers is wired with sensors to monitor the actions of intruders. it is then put up on the internet, given an appealing name and alluring content. when hackers break into the network their actions are recorded: how they break in, when they are successful, and what they do when they succeed.

--------------------------------
2. Layers of Security
--------------------------------

the most important thing when constructing a honeynet is layers. layers of security are vital when it comes to analyzing an attack on your honeynet. you need to anticipate failure on your honeypots, so by building multiple security layers into your architecture you solve the problem of a single layer failing. failures include firewalls not warning you of suspicious traffic, syslog failure (sending or receiving system logs), and DNS not resolving. you would be surprised at what will go wrong.

--------------------------------
3. Selecting Your Hardware
--------------------------------

one of the nice things about setting up a honeynet is that the systems you use don't have to be geared towards performance. for example i used old pentiums with 64MB of RAM and some old sparc5 boxes. for the internet connection use whatever you have available.

--------------------------------
4. What OS should I use?
--------------------------------

the operating systems on your boxes are entirely up to you. i recommend using default installations of RedHat and/or NT 4.0 running the IIS webserver. if you want to use solaris, the end user package of 2.6 (unpatched) should work well. it is a good idea to use easily exploitable versions of operating systems. default installations are a good idea in most cases, as they are the least secure. remember these systems are designed to be compromised, but don't make this obvious to the intruder. the idea is to keep the intruder's attention without scaring him off. as for keeping their attention, turn your network into some sort of classified NSA project. use your imagination.

--------------------------------
5. In order to learn you must...
--------------------------------

regular maintenance of your honeypots is vitally important. you can't just set up your network and leave it, expecting to learn. you must regularly check logs for signs of an attack. you never know when or how your systems will be compromised, but they will be. i guarantee you will capture some interesting activity.

--------------------------------
6. Closing
--------------------------------

in closing let me say that you can't go about this project half assed. so if you just want to set up a honeynet to fuck with some script kiddies please disregard everything you just read. constant monitoring of your systems is required for a successful learning experience. so have fun! for further reading on honeynets i recommend the book "Know Your Enemy: Revealing the Security Tools, Tactics and Motives of the Blackhat Community."
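as an added example (not part of the original article), here is the kind of log check that sections 2 and 5 call for, in python: it reads syslog lines collected on a central loghost, flags any honeypot that has gone silent (a dead syslog layer, not a quiet box) and flags lines that look like somebody got in. the hostnames, addresses, sample lines and the two patterns are made up for the example.

```python
import re
from datetime import datetime, timedelta

# constructed sample syslog lines, as received by a central loghost from
# three honeypots (hostnames, pids and addresses are made up for the example)
SAMPLE_LOG = """\
Mar 10 01:10:00 nt4web heartbeat[1]: alive
Mar 10 02:00:01 redhat1 sshd[311]: Accepted password for root from 10.9.8.7 port 1022
Mar 10 02:00:05 redhat1 useradd[320]: new user: name=backup, UID=0, GID=0, home=/
Mar 10 02:03:12 sparc5a CROND[99]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 02:14:50 sparc5a in.telnetd[120]: connect from 10.9.8.7
"""
# every honeypot that should be logging: a host missing from this set can
# never be reported as silent, so this is the list to keep complete
EXPECTED_HOSTS = {"redhat1", "sparc5a", "nt4web"}
YEAR = 2000  # classic syslog stamps carry no year; assumed so they parse
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
# messages that mean somebody got in; illustrative patterns, not a full ruleset
SIGNS = [
    (re.compile(r"Accepted \S+ for root from (\S+)"), "remote root login"),
    (re.compile(r"new user: name=(\S+), UID=0"), "new UID 0 account"),
]

def parse_stamp(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def parse_line(line):
    """return (timestamp, host, program, message), or None for junk"""
    m = LINE_RE.match(line)
    return (parse_stamp(m.group(1)), m.group(2), m.group(3), m.group(4)) if m else None

def silent_hosts(log, expected, now_stamp, max_minutes):
    """hosts with nothing logged in max_minutes: treat the syslog layer as dead"""
    last_seen = {}
    for parsed in filter(None, map(parse_line, log.splitlines())):
        ts, host = parsed[0], parsed[1]
        last_seen[host] = max(ts, last_seen.get(host, ts))
    now, limit = parse_stamp(now_stamp), timedelta(minutes=max_minutes)
    return sorted(h for h in expected if now - last_seen.get(h, datetime.min) > limit)

def suspicious_events(log):
    """(host, reason, detail) for each line that matches a SIGNS pattern"""
    hits = []
    for parsed in filter(None, map(parse_line, log.splitlines())):
        for pattern, reason in SIGNS:
            m = pattern.search(parsed[3])
            if m:
                hits.append((parsed[1], reason, m.group(1)))
    return hits
```

run it from cron on the loghost with the loghost's own clock as now_stamp; a host that was never seen at all is reported silent just like one that stopped.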