- Our very first Honeynet is now in place. It is a second Generation Honeynet with Linux (Redhat, Debian) and Solaris servers. Data Capture and Data Control are implemented on a Redhat Linux 7.2 host with the bridging-firewalling patch applied. The Honeynet Project's IPTables script was used to limit the number of outgoing connections. Well-known attacks originating from the Honeynet are taken down with the help of the Hogwash package.
  Keystrokes are logged to a remote Syslog server through a modified version of the bash shell. The local syslogd servers have been modified to read a different configuration file in order to fool the attacker; the standard configuration file, /etc/syslog.conf, has been left in its default location. Additional measures have been taken to protect the remote syslogd server by applying one-way routing to the server and an ACL.
  The possibility of intercepting ssh communication on the Data Capture / Data Control device using tools such as sshmitm, based on warchild's email to the honeypots mailing list, is under investigation.
  In addition to the iptables script, Johan Augustsson's suggestion for bandwidth limitation is under exploration.
  A network diagram of our honeynet can be found here.
- A virtual Honeynet is also under construction. Techniques based on VMWARE and User Mode Linux will be examined. This honeynet will be deployed soon, aiming to provide additional data for correlation analysis with the data collected by the first one.
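The data-control half of the first item above (a per-day cap on NEW outbound connections from the honeypots, with anything over the cap logged to syslog and dropped) can be expressed as a small bridging-firewall rule generator. This is an added example for this page, not the Honeynet Project's own rc.firewall script; the interface names, the assumption that FORWARD rules match physical bridge ports with -i/-o (as with the 2.4 bridge-netfilter patch), and the daily limits are all assumed values.

```shell
#!/bin/sh
# Added example, not the Honeynet Project's rc.firewall: emit the data-control
# rules for a bridging firewall that caps how many NEW outbound connections
# the honeypots may start per day, logging the ones that exceed the cap.
# IPT defaults to printing the commands; run with IPT=iptables to apply them (root).
IPT=${IPT:-"echo iptables"}

# Assumed layout (constructed values): eth1 faces the honeypots, eth0 the
# Internet, and the kernel's bridge-netfilter patch lets FORWARD rules
# match the physical bridge ports with -i/-o.
HONEY_IF=${HONEY_IF:-eth1}
INET_IF=${INET_IF:-eth0}

# gen_outbound_limit_rules <tcp/day> <udp/day> <icmp/day>
# Prints one rule per line so the set can be reviewed before it is applied.
gen_outbound_limit_rules() {
  tcp=$1; udp=$2; icmp=$3
  # Replies belonging to connections that were already allowed are always fine.
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Inbound to the honeypots: let everything in, that is the point of a honeynet.
  $IPT -A FORWARD -i "$INET_IF" -o "$HONEY_IF" -m state --state NEW -j ACCEPT
  for spec in "tcp $tcp" "udp $udp" "icmp $icmp"; do
    set -- $spec
    proto=$1; rate=$2
    # The limit match refills at <rate>/day and the burst equals the daily
    # allowance, so a honeypot gets <rate> fresh connections, then waits.
    $IPT -A FORWARD -i "$HONEY_IF" -o "$INET_IF" -p "$proto" -m state --state NEW \
      -m limit --limit "${rate}/day" --limit-burst "$rate" -j ACCEPT
    # Anything over the cap is logged (the log line reaches the remote
    # syslog host along with the keystroke logs) and then dropped.
    $IPT -A FORWARD -i "$HONEY_IF" -o "$INET_IF" -p "$proto" -m state --state NEW \
      -j LOG --log-prefix "HONEYNET OUT $proto LIMIT: "
    $IPT -A FORWARD -i "$HONEY_IF" -o "$INET_IF" -p "$proto" -m state --state NEW -j DROP
  done
}
```

Calling `gen_outbound_limit_rules 9 20 50` prints the rule set for 9 TCP, 20 UDP and 50 ICMP new outbound connections per day; the same rule order (limit-ACCEPT, LOG, DROP) is what makes the excess visible in syslog rather than silently lost.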