· KLDP.org · KLDP.net · KLDP Wiki · KLDP BBS ·
Honeypot-HOWTO

번역 : 이상인, delpai at hotmail dot com

최근에 허니팟에 대해 공부하면서 번역해보았습니다. 번역이 매끄럽지 못한 부분도 많이있으니 고칠부분있으면 고쳐주세요 ^^;

-- delpai 2004-07-09 16:43:58

1. 머리말

How To Build A Honeypot by Lance Spitzner on 06/09/02

This article is a follow up to the "Know Your Enemy" series. Many people from the Internet community asked me how I was able to track black-hats in the act of probing for and compromising a system. This paper discusses just that. Here I describe how I built, implemented, and monitored a honeypot network designed specifically to learn how black-hats work.

2. What is a Honeypot?


For me, a honeypot is a system designed to teach how black-hats probe for and exploit a system. By learning their tools and methods, you can then better protect your network and systems. I do not use honeypots to capture the bad guy. I want to learn how they work without them knowing they are being watched. For me, a well designed honeypot means the black-hat never knew he was being tracked. There are a variety of different approaches on how you can do this. Mine is only one of many.

Before I continue, I would like to post a disclaimer. First, no honeypot can catch/capture all the bad guys out there. There are too many ways to spoof/hide your actions. Instead of going into detail on how this is possible, I highly recommend you check out Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection or fragrouter. Second, keep in mind that you are playing with fire. Someone far more advanced then you may compromise your honeypot, leaving you open to attack. Third, throughout this paper I use the term black-hat. I define a black-hat as anyone who is attempting un-authorized access to a system. This could be an 15 year old kid from Seattle, or a 45 year old company employee in accounting. Also, I refer to our black-hat as a he, however we have no idea what the true gender of the black-hat is.

3. Where to Begin?


There are a variety of different approaches to building a honeypot. Mine was based on simplicity. Build a standard box that I wanted to learn how the black-hat community was compromising. In this case it was Linux, but you can just as easily use Solaris, NT, or any other operating system. Don"t do anything special to this system, build it as you would any other. Then put the system on the Internet and wait. Sooner or later someone will find the system and attack it. The system is built to be attacked and compromised, someone will gain root on that system, that is the goal. However, while they are gaining root (or Admin), you are tracking their every move.

This approach is different from other concepts. Network Associates has built a commercial product called CyberCop Sting, Designed to run on NT, this product can emulate variety of different systems at the same time, including Linux, Solaris, Cisco IOS, and NT. Fred Cohen has developed the deception toolkit, which are a variety of tools intended to make it appear to attackers as if a system has a large number of widely known vulnerabilities. One of my favorites is NFR"s BackOfficer Friendly, which emulates a Back Orifice server. All of these have their advantages. However, my goal was to build a honeypot that mirrored my production systems, so I could better understand what vulnerabilities and threats existed for my production network. Also, the fewer modifications I make to the honeypot, the less chance the black-hat will find something "fishy" on the box. I do not want the black-hat to ever learn that he was on a honeypot.

4. The Plan


My plan was simple. Build a box I wanted to learn about, put it on the network, and then wait. However, there were several problems to this. First, how do I track the black-hats moves? Second, how do I alert myself when the system is probed or compromised? Last, how do I stop the black-hat from compromising other systems? The solution to this was simple, put the honeypot on its own network behind a firewall. This solves a variety of problems.

나의 계획은 간단하다. 내가 원하는 시스템을 구축하고, 네트워크에 연결하고 기다린다. 그러나 이것에 대해서는 몇가지 문제가 있다. 첫번째, 어떻게 해커가 오게 할것인가? 두번째, 어떻게 시스템이 침입당하거나 침해되었을때 경고할 것인가? 마지막으로, 어떻게 다른 시스템을 침해할려는 해커를 멈출것인가? 해결법 역시 간단하다. 방화벽 뒤의 네트워크에 허니팟을 설치하면 된다. 이것은 다양한 문제를 해결한다.

(Black Hats: 악의적이고 파괴적인 크래커일 수록 black hat에 가깝고, 크래커와 거리가 멀 수록 white hat에 가깝습니다.)

First, most firewalls log all traffic going through it. This becomes the first layer of tracking the black-hat"s moves. By reviewing the firewall logs, we can begin to determine how black-hats probe our honeypot and what they are looking for.

첫번째, 대개 방화벽 로그는 들어오고 나가는 모든 트래픽이다. 해커가 지나간 자리의 첫번째 레이어가 된다. 방화벽 로그를 조사하여 해커가 우리의 허니팟을 조사하고 무엇을 보고 갔는지 알 수 있을 것이다.

Second, most firewalls have some alerting capability. You can build simple alerts whenever someone probes your network. Since no one should be connecting to your honeypot, any packets sent to it are most likely black-hats probing the system. If there is any traffic coming FROM the honeypot out to the Internet, then the honeypot was most likely compromised. For an example on how set up alerting with Check Point FireWall-1, click here.

두번째, 대개 방화벽은 경고 기능을 가지고 있다. 당신은 누군가가 네트워크를 조사할 때마다 간단한 경고를 만들 수 있다. 그 후 당신의 허니팟에 누군가가 접속할 것이고, 어떤 패킷이 시스템을 조사한 해커에게 보내질 것이다. 만약 인터넷을 통해 허니팟으로부터 어떤 트래픽이 생긴다면, 허니팟은 대개 침해를 당할 것이다. 체크 포인트 방화벽-1에 경고할 수 있는 기능을 설정한 예제는 다음을 클릭해라.([http]http://www.infosecwriters.com/intrusion.html)

Third, the firewall can control what traffic comes in and what traffic goes out. In this case, the firewall lets everything from the Internet in, but only limited traffic out. This way the black-hats can find, probe, and exploit our honeypot, but they cannot compromise other systems. The goal is to have our honeypot behind a controlled system. Most firewalls will do, as long as it can both control and log traffic going through it.

세번째, 방화벽은 어떤 트래픽이 들어오고 어떤 트래픽이 나가는 것을 조절할수 있다. 이 경우, 방화벽은 인터넷으로부터 모든것이 들어오게 하고, 단지 나가는 트래픽을 제한한다. 이와같은 방법으로 해커는 찾고, 조사하고, 허니팟을 침해할 수 있으나 다른 시스템을 침해하지는 못한다. 결론은 제어 시스템 뒤에 허니팟을 만드는 것이다. 대개 방화벽으로 이것을 통해 나가는 트래픽 로그와 제어를 동시에 할수 있을 것이다.

5. Tracking Their Moves


그들의 움직임을 추적해보자.

Now, the real trick becomes how to track their moves without them knowing it. First, you do not want to depend on a single source of information. Something can go wrong, things can be erased, etc. I prefer to track in layers. That way, if something does go wrong, you have additional sources of information. Also, you can compare different sources to paint a better picture.

이제 어떻게 해커가 알지 못하게 해커의 움직임을 추적할수 있는지 보자. 첫번째, 당신은 단일 자료의 정보에 의존하기를 원치 않는다. 어떤 것은 틀릴 수도 있고 어떤 것은 지워질수도 있기 때문이다. 나는 계층적으로 추적하는걸 선호한다. 그와 같은 방법으로 만약 어떤 것이 틀리더라도 나는 추가 자료의 정보를 가진다. 또한 당신이 더 좋은 상황을 그리고 다른 자료와 비교할 수 있을 것이다.

Personally, I do not like to log information on the honeypot itself. There are two reasons for this. First, the fewer modification you make to the honeypot, the better. The more changes you make, the better the chance a black-hat will discover something is up. The second reason is you can easily lose the information. Don"t forget, sooner or later the black-hat will have root on the honeypot. Several times I have had data altered, or in one case, the entire hard drive wiped clean. Our goal is to track the enemies moves, but log all the data on a system they cannot access. As we discussed above, our first layer of tracking is the firewall logs. Besides this, I track the black-hat"s moves several other ways.

개인적으로 허니팟 자신의 로그 정보는 좋아하지 않는다. 이것은 두가지 이유가 있다. First, the fewer modification you make to the honeyopot, the better. The more changes you make, the better the chance a black-hat will discover something is up. 두번째 이유는 정보를 쉽게 잃을 수 있다. 잊지 마라. 언제든지 해커는 허니팟의 루트를 획득할 것이다. 몇분만에 데이터가 변경되거나 하드 드라이브를 깨끗히 지워질 수도 있다. 우리의 목적은 적의 움직임을 추적하는 것이나 시스템안의 로그는 모든 데이터에게 접근할수 없다. 우리가 앞에서 토론했듯이 우리의 추적의 첫번째 계층은 방화벽 로그다. 이것과 비교하여 몇가지 다른 방법으로 해커의 움직임을 추적할 것이다.

A second layer I use is the system logs on the honeypot. System logs provide valuable data, as they tell us what the kernel and user processes are doing. However, the first thing a black-hat normally does is wipe the system logs and replace syslogd. So, the challenge becomes logging syslog activity to another server, but without the black-hat knowing it. I do this by first building a dedicated syslog server, normally on a different network separated by the firewall. Then I recompile syslogd on the honeypot to read a different configuration file, such as /var/tmp/.conf. This way the black-hat does not realize where the real configuration file is. This is simply done by changing the entry "/etc/syslog.conf" in the source code to whatever file you want. We then setup our new configuration file to log both locally and to the remote log server (example). Make sure you maintain a standard copy of the configuration file, /etc/syslog.conf, which points to all local logging. Even though this configuration file is now useless, this will throw off the black-hat from realizing the true destination of our remote logging. Now, you will capture all system logs up to and including when the system is compromised. This will help tell us how the system was probed and compromised. It is also very interesting comparing these true system logs to the logs a black-hat has "cleaned" on a compromised system. This is the only time where I make a modification on the honeypot. Be advised, more advance users can detect these modifications using the command strings(1) on the syslogd binary. Then again, there are more advance ways to hide the modifications also. This is merely a suggestion you may want to consider.

두번째 계층은 허니팟의 시스템로그를 사용할 것이다. 시스템 로그는 커널과 사용자의 프로세스가 무엇을 하는지 우리에게 말해주는 귀한 데이터를 준다. 그러나 해커는 처음에 하는 일이 시스템로그를 지우고 syslogd를 바꾸는 것이다. 그래서 로깅하는 syslog는 다른서버에서 활동 하게 하지만 해커는 그것을 알지 못한다. 나는 첫번째로 전용 syslog 서버를 만들고, 평소대로 방화벽에 의해 다른 네트워크와 분리한다. 그 다음에 나는 허니팟이 /var/tmp/.conf같은 다른 환경설정 파일을 읽도록 syslogd를 다시 컴파일한다. 이렇게 하면 해커는 실제 환경설정파일이 어디에 있는지 알지 못한다. 소스코드 안에 /etc/syslog.conf라고 적혀 있는 것을 당신이 원하는 어떤 파일로 바꿈으로써 간단히 끝난다. 우리는 로컬과 원격 로그서버에 동시에 로그가 기록되도록 한 새로운 환경설정파일로 설치한다.(예제:[http]http://www.infosecwriters.com/syslog.txt) 당신은 /etc/syslog.conf, 환경 설정 의 복사 파일을 유지함으로 모든 로컬 로깅을 확인한다. 이 환경설정 파일은 이제 쓸데없더라도 원격 로깅의 용도는 해커를 추적하는데 유용하다는 것을 실감할 것이다. 이제 당신은 시스템이 위태로울때 모든 시스템 로그를 갈무리하고 포함할수 있을 것이다. 이것은 어떻게 시스템이 조사하고 침해당하는지 우리에게 말해줄 것이다. 또한 해커가 침해 시스템이 깨끗하게 지웠다고 생각하는 로그와 실제 시스템 로그와 비교할 수 있을 것이다. 나는 허니팟을 변형하여 만들었다. 충고를 하자면 고급사용자는 syslogd 바이너리안에 명령 문자열(1)을 사용하여 변형된걸 발견할 수 있다. 반면에 많은 이 변형또한 숨길수 있는 고급기술이 있다. 이것은 단지 당신이 고려하기를 원하여도 좋은 제안이다.

The only problem with using a remote syslog server is it can be detected with a sniffer. Normally, black-hats either kill or replace syslogd when they gain root. If so, they can no longer sniff the syslog packets, since there are no longer any packets sent. However, if the black-hat does not modify nor kill the syslogd dameon, then they could sniff the packets sent. For the truly devious, you could send your syslogd traffic using a different protocol, such as IPX, which are normally not sniffed. Your level of paranoia may vary. There are also several alternatives you can use to standard syslogd. CORE-SDI has ssyslog, which implements a cryptographic protocol called PEO-1 that allows the remote auditing of system logs. For you NT users, they also have a Windows version, called slogger. There is also syslog-ng, developed by BalaBit Software, which is similiar in use to ssyslog, but uses SHA1 instead. All versions are free and open source.

단지 문제점은 원격 syslog 서버를 사용하면 스니퍼를 통해 발견할 수 있다. 보통 해커는 루트를 획득했을 때 syslogd를 죽이거나 대체한다. If so, they can no longer sniff the syslog packets, since there are no longer any packets sent. 그러나 만약 해커가 syslogd 데몬을 죽이거나 대체 하지 않는 다면 그들은 packet이 보내지는 것을 눈치 챌수 있다. 정확히 숨기기 위해 당신은 보통 스니핑 당하지 않는 IPX같은 다른 프로토콜을 사용하여 syslogd 트래픽을 보낼 수 있다. Your level of paranoia my vary. 또한 표준 syslogd가 사용할 수 있는 몇가지 대안이 있다. CORE-SDI는 시스템로그의 원격 감사를 허락하는 PEO-1을 호출하는 암호화된 프로토콜 도구인 ssyslog이다. NT 유저를 위하여 slogger를 호출하는 윈도우즈 버젼도 있습니다. 또한, BalaBit 소프트웨어에 의해 발전된 ssylog가 사용한것과 비슷하나 SHA1로 대체한 syslog-ng이 있다. 모든 버젼은 무료이고 오픈 소스이다.

My third layer of tracking (the firewall is the first, syslogd hack is the second) is to use a sniffer. I run a sniffer on the firewall that sniffs any traffic going to or from the honeypot. Since the honeypot is isolated by the firewall, you know all traffic goes through the firewall. The advantage of a sniffer is it picks up all keystrokes and screen captures, to include STDIN, STDOUT, and STDERR. This way you see exactly what the black-hat is seeing. Also, all the information is stored on the firewall, safely protected from the black-hat (I hope :-). A disadvantage is the black-hat can hide his moves with encryption, such as ssh. However, if you are not running any such services on your honeypot, the blackhat may not use them. Also, a sniffer can be spoofed by advanced users, as discussed by the paper linked above.

추적의 세번째 계층은 스니퍼를 사용하는 것이다.(첫번째는 방화벽이고 두번째는 syslogd를 변형한것이다). 방화벽에 스니퍼를 실행시켜 어떤 트래픽이 나가거나 허니팟으로 오는 트래픽을 스니핑할 것이다. 허니팟이 방화벽에 의해 분리된 후, 방화벽을 통해 나가는 모든 트래픽을 알수 있다. 스니퍼의 이점은 STDIN, STDOUT, 그리고 STDERR를 포함한 모든 키스트로크를 얻을수 있고 스크린 캡쳐를 할 수 있다. 이 방법으로 해커가 보는 것을 당신도 정확히 볼수 있다. 또한 모든 정보는 방화벽안에 기록되고 해커로부터 안전하게 보호된다.(I hope :-). 이 이점은 해커가 ssh같은 암호화와 함께 그의 움직임을 숨길수 있다. 그러나 만약 당신의 허니팟안에 서비스가 돌아가지 않으면, 해커는 그것을 사용할 수 없을 것이다. 또한 스니퍼는 고급 유저에 의해 속일 수 있다.(as discussed by the paper linked above.)

My sniffer of choice is snort. Written by Marty Roesch, snort is a powerful ids sniffer that has all the functionality of tcpdump and much more. You can capture all the keystrokes in most plaintext sessions (example). It also has builtin IDS functionality, including customizable alerting and logging feartues. For examples of an IDS database, check out www.whitehats.com, which has an online signature database and several example config files. To check out the config file I use for snort, click here. You may want to run several different sniffers and/or IDS systems at the same time, such as Dragon, NFR, or Real Secure. Another idea I am playing with is running proxy servers on the firewall. That way specific traffic that runs through the firewall is proxied, allowing for more control and logging. I"m trying it out now with just a http proxy server on the firewall.

나는 snort를 스니퍼로 결정하였다. Marty Roesch가 만든 snort는 모든 tcpdump와 더 많은 기능을 가진 강력한 ids 스니퍼다. 당신은 대개 평문 세션안의 모든 키스트로크를 캡쳐할 수 있다.([http]http://www.infosecwriters.com/keystrokes.txt) 또한 본래 갖춰진 맞춤화된 경고기능과 로깅 feartues를 포함한 IDS 기능을 넣을 수 있다. 예를 들면 IDS 데이터베이스는 온라인 서명 데이터베이스와 몇가지 예제 설정파일을 가지고 있는 www.whitehats.com을 점검한다. snort가 사용하는 설정파일을 점검할려면 여기를 클릭해라.([http]http://www.infosecwriters.com/snort.txt) 당신은 동시에 Dragon, NFR이나 Real Secure와 같은 몇가지 다른 스니퍼와/나 IDS 시스템을 실행 할수 있을 것이다. 다른 아이디어로 방화벽에 프록시 서버를 운영하는 것이다. 프록시는 방화벽을 통해 실행되는 특정 트래픽을 더 제어하고 로깅하는 것을 허락한다. 나는 방화벽안에 http proxy server를 함께 운영해 볼 것이다.

Another option for capturing keystrokes is to modify the shell. Most shells can be modified so that not only are all the keystrokes stored in the history file (such as .sh_history or .bash_history) but the shell can be modified to log all the keystrokes to syslog. Thus, the unknowning black-hat will have his keystrokes logged to syslog, and potentially a remote syslog server. Antonomasia has provided code to modify the bash file. Once again, use this with caution. The more modifications you make to a system, the greater the chance the modifications (and your honeypot) will be discovered. However, the advantage to this method is you will capture all keystrokes, including those from an encrypted session.

키스트로크를 캡쳐하는데 다른 옵션으로 쉘을 수정하는 것이다. 대개 쉘은 모든 키 스트로크를 히스토리 파일안에 저장하지만 쉘은 syslog에게 모든 키스트로크를 로깅하도록 수정할 수 있다. 그래서 알지 못하는 해커는 syslog와 원격 syslog 서버에 키스트로크를 로깅할 수 있다. Antonomasia has provided code to modify the bash file. 다시한번 신중하게 사용하여라. the more modifications you make to a system, the greater the chance the modifications(and your honeypot) will be discovered. 그러나 이 방법의 이점은 암호화된 세션으로부터 모든 키스트로크를 캡쳐할 수 있다.

Finally, I run tripwire on the honeypot (there is also a NT version). Tripwire tells us what binaries have been altered on a compromised system (such as a new account added to /etc/passwd or a trojaned binary). I do this by running tripwire from a floppy, then storing the tripwire database to a floppy. You do NOT want any tripwire information stored locally on the system. By storing it on removable media, you can guarantee the integrity of the data. As an added precaution, I recommend compiling tripwire as statically linked. This way you are not using libraries that may be compromised on the honeypot. For the truly paranoid, boot off a floopy (such as tomsrtbt), then run tripwire. This protects against trojaned kernel modules. Tripwire is an excellent way to determine if you system has been compromised. Also, it is an excellent forensic tool that helps identify what modifications the black-hat has made.

마지막으로, 나는 허니팟에 tripwire을 실행하였다.(이것 또한 NT 버젼이 있다.) Tripwire는 침해 시스템안의 변형된 바이너리를 우리에게 알려준다(/etc/passwd에 새로운 계정이 추가되거나 트로이쟌 바이너리같은). 나는 플로피디스크로부터 tripwire를 실행하고, 플로피 디스크에 tripwire 데이터베이스를 저장하였다. 당신은 시스템안에 저장된 tripwire 정보를 원하지 않을 것이다. 이동가능한 미디어에 그것을 저장하여 나는 데이터의 무결성을 보장할 수 있다. 부가적인 예방책으로 나는 tripwire를 정적 링크로 컴파일하는 것을 추천한다. 이와 같은 방법으로 허니팟이 침해당할 경우 라이브러리를 사용할 수 없다. For the truly paranoid를 위해 tomsrtbt같은 플로피디스크로 부팅한다음에 tripwire를 실행하였다. 이것은 트로이쟌 커널 모듈에 대비하여 보호한다. Tripwire는 만약 시스템이 침해당한다면 an excellent way to determine. 또한 해커가 만들어 변형된 것이 무엇인지 확인하는데 도움을 주는 포렌식도구로도 훌륭하다.

You may find these layers as redundant. But remember, no single layer of information can capture all the traffic. Also, different sources give you different information. For example, most systems cannot detect stealth scans, however, many firewalls can. If your firewall logs your honeypot being scanned, but there is nothing in the system logs, then you were most likely scanned by a "stealth" scanner, such as nmap. Also, we are not perfect. Often while tweaking one service, you munge another. You could accidentally kill system logging or the sniffer. By having other layers of information, you still can put a picture together of what happened. If you develop any of your own methods of tracking, I highly recommend you implement them. The more layers you have, the better off you are. If you have any methods you would like to recommend, I would love to hear from. Additional methods can include hacking the system shell or kernel to log keystrokes, but to be dead honest, I haven"t developed the skills yet to do that.

당신은 중복되는 계층들을 발견할지도 모른다. 하지만 기억해라,정보의 한 계층도 없이는 모든 트래픽을 캡쳐할 수 없다. 또한, 서로 다른 자료들은 당신에게 서로다른 정보를 준다. 예를 들어, 대부분의 시스템들은 비밀스럽게 스캔하는것을 발견 할 수없지만, 많은 방화벽들은 할 수 있다. 예를 들어 대개 nmap같은 "비밀스런" 스캐너에 의해 스캔당한 경우, 방화벽 로그에 허니팟이 스캔당한 기록이 있지만 시스템 로그에는 없다. 또한, 우리는 완벽하지 않다. Often while tweaking one service, you munge another. 당신은 우연히 시스템 로깅이나 스니퍼를 죽일수도 있다. 정보의 다른 계층에 의해 당신은 어떤 일이 일어났는지의 계획을 함께 얻을 수 있을 것이다. 당신은 당신의 추적 방법을 개발한다면 나는 당신의 도구를 추천할 것이다. 더 많은 레이어를 당신이 가지고 있다면 더 좋을 것이다. 만약 당신이 어떤 방법을 추천하기 원한다면 나는 기쁜 마음으로 들을 것이다. 추가적인 내용은 시스템 쉘이나 커널에 로그 키스트로그를 포함할수 있지만, 솔직하게 말해서 나는 그 것을 할 수 있는 기술을 개발하지 못했다.

6. The Sting


고민거리(?)

Remember, our goal is to learn about the black-hat, without him ever knowing he was had. To gain a better understanding of this strategy, I highly recommend you watch one of my favorite movies, The Sting. We want to attract the black-hats, monitor them, let them gain root, and then eventually kick them off the system, all without them getting supicious. To attract black-hats, I like to name my honeypot enticing names, such as ns1.example.com (name server), mail.example.com (mail server), or intranet.example.com (internal web server). These are often primary targets for black-hats. Once we have enticed them, use the methods discussed above to track their actions.

기억해라. 우리의 목적은 해커에 대해서 배우는 것이다.(without him ever knowing he was had.) 이 전력의 좋은 이해를 위해, 나는 내가 좋아하는 영화 The Sting을 매우 추천한다. 우리는 해커가 관심을 가지기 원하고, 모니터링하며, 루트를 획득하게 하게 하고, 그들이 가진 supicious(?)없이 시스템에서 쫓아낸다. 해커가 관심을 가지도록 나는 내 허니팟 이름을 ns1.example.com(네임서버), mail.example.com(메일서버)나 intranet.example.com(internal web server)처럼 매혹적이게 할것이다. 이런 이름은 해커들의 원시적인 타켓이다. Once we have enticed them, use the methods discussed above to track their actions.

Once the black-hat gains root, the question becomes, now what? Normally, I continue to monitor the black-hat for several days, to learn what he is up to. However, you have to be careful, eventually the black-hat will catch on that he is on a honeypot. If he does, bad things can happen. What I like to do is once I learn everything I can, I kick the black-hat off, normally by rebooting the box. I do this with the shutdown command, sending a message to all logged on users (the black-hat), stating the system is going down for routine maintenance. I then take the system off-line, remove the backdoors the black-hat made, and bring the system back online. Or, you can reinstall, building a new system. I recommend you fix the vulnerability that was used to gain access last time, so you can learn about new exploits/vulnerabilities.

The other issue is limiting the black-hat, we do not want him launching attacks from our own system. I do this by using the firewall. Remember, all traffic to and from the honeypot must go through the firewall. I use a rulebase that allows anything from the Internet to reach our firewall, but only limited traffic outbound (basically, the exact opposite of what a firewall is designed to do). The trick is, allowing enough outbound traffic so a black-hat does not get supicious, but we still have to limit their capabilities. If you block everything outbound, the black-hat will know right away that something is up. If you allow everything outbound, the black-hat can blatantly scan the Internet from your system. You now become liable for his actions, so we have to find a balance. Normally the first thing a black-hat does following access is to download their tool set. If they can"t reach the Internet, they are going to cover their tracks and leave your system. What has worked for me is to allow all traffic inbound, and allow FTP, ICMP, and DNS (UDP) outbound. Normally, this is enough for the black-hat without them getting supiscious right away, but denies them utilizing most of their tools outbound. Your mileage may vary.

Thats it. All that is let left is to wait for the black-hat to strike (kind of like fishing). Ensure you have a good alerting mechanism, so you know as soon as possible when your system is being probed or has been compromised. You want to get as much information as soon as possible. You do not want the black-hat to catch on before you know he is there, bad karma may be coming your way. Good luck!

7. Conclusion


Honeypots are an extremely powerful tool that allows you to learn about the black-hat community. Correctly implemented, they give you an inside window on how the black-hat community works. There are a variety of different approaches to building and implementing a honeypot, mine is only one of many. My goal is to build a simple system that mirrors the production network, then sit back and wait. The key to tracking the enemy is layers. Do not depend on a single layer of information, as it can be altered or lost. By comparing different layers of information, you can also gain a better understanding of what the black-hat was doing. Happy hunting


ID
Password
Join
"Perl is executable line noise, Python is executable pseudo-code."


sponsored by andamiro
sponsored by cdnetworks
sponsored by HP

Valid XHTML 1.0! Valid CSS! powered by MoniWiki
last modified 2004-12-04 19:16:41
Processing time 0.0075 sec