Bait Crackers With A Honeypot

Adding a honeypot to your arsenal can be a big boost to your network’s security, both in keeping malicious users busy and in learning how the garden-variety script kiddie or cracker thinks.

First, a few terms:

Crackers are bad guys bent on criminal
mischief. Hackers are computer nerds who create cool things. Crackers
destroy. Hackers build. This may end up being my epitaph, given how
insistently the word ‘hacker’ is misused.

What is a honeypot? I like Lance Spitzner’s definition: “a
resource whose value lies in being probed, attacked, or compromised.”
Some people view a honeypot like the piece of meat set out at a picnic
to lure wasps away from the food. A honeypot doesn’t perform that
function any better than the meat does: there are always more wasps,
just as there are always more crackers. Most cracking tools are
automated; our evil little chums simply fire them up and let them do
the heavy lifting. Building a honeypot won’t lure intruders away from
your network, and it certainly is not a substitute for proper
firewalls and system configuration. If you have to choose between
improving your existing security or implementing a honeypot, forget
the honeypot.

The great value of a honeypot lies in collecting useful data
unmixed with legitimate traffic and system data. By definition, all
traffic to or from a honeypot is suspect; any time a connection is
made, it is most likely an unauthorized intrusion. That is much easier
than wading through huge server logs, no matter how ace you are at
parsing and analyzing. You can also capture keystrokes, which I don’t
do on a production server. Who needs megabytes of users’ typos? But
for analyzing an attack, keystrokes are gold.

Another great value of a honeypot is the ability to conduct a full
forensic analysis of an attack, without taking a production machine
out of service.

Homegrown Deception
That’s right, the whole idea is to lie your head off and fool an
intruder into believing they’ve accessed a production server full of
tasty passwords, data files, and relays. The easiest way to build a
honeypot is to set up a box similar to your production servers: use
the same OS, run the same services. Put it on the Internet and wait,
oh, 15-30 minutes; someone will find it. No special software is
needed, simply employ the usual logs and network monitoring tools.
Running it behind a firewall adds some useful options: additional
logging, event alarms, and restricting outgoing traffic. You don’t
want your honeypot to become a pawn in compromising other systems, so
allow it to reach only what it must (a log host, say) and log
everything else it tries. Some services need to be left running, such
as ftp, smtp, or http, or the intruder will smell a rat and split. By
constructing it the same way as your production servers, you’ll learn
about weaknesses and flaws that apply to your specific setup. Another
advantage to this approach is that it won’t be obvious it’s a
honeypot. The longer they stick around, the more useful data will be
collected.

The system logs must be protected, as job one of any
self-respecting cracker is to take over key system files and
logs. Core Wisdom offers some nice secure logging tools for Unix and
Windows. Remember, the idea is for an intruder to gain root access,
but not to let them erase their tracks. Under Linux, a competent geek
can recompile syslogd to read a hidden configuration file: simply
change the default /etc/syslog.conf path in the source code to
something sneaky, and leave a dummy configuration file at
/etc/syslog.conf. Whatever you do locally, also ship a copy of every
log line to a separate, hardened log host; once the intruder has root,
anything stored on the honeypot itself is only as trustworthy as they
choose to leave it.

Two other indispensable tools are a packet sniffer, such as
Ethereal (now Wireshark) or snort, and Tripwire. A packet sniffer
gives realtime monitoring of everything, including keystrokes, as long
as the intruder is not working over an encrypted channel. Tripwire
should be the very first system monitor configured and activated on a
Linux system. Go ahead and install everything, configure users and
networking; then, before the machine ever connects to any network,
including the local one, run Tripwire. It must be installed on a clean
system, or it is worthless, and its database belongs on read-only
media or another host, not on the box it is watching. It creates
cryptographic “fingerprints” of system binaries, configuration files
and other likely targets. Tripwire monitors data and file integrity
and emails an alert when it detects suspicious changes. There are
commercial and free versions, no excuse for not having it! Use it on
all machines, not just honeypots.
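To make the Tripwire idea concrete, here is a small file-integrity baseline in Python. It is an added example, not Tripwire’s code or anything from the original column, and it trims the record to SHA-256, size and permission bits (Tripwire also tracks inode, ownership and timestamps, and signs its database). The demo builds a tiny constructed tree with a stand-in bin/ls and etc/passwd, baselines it, tampers with it the way an intruder would, and reports the difference:

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable, Tuple

# path -> (sha256 hex, size in bytes, permission bits)
Baseline = Dict[str, Tuple[str, int, int]]


def fingerprint_file(path: str) -> Tuple[str, int, int]:
    """SHA-256, size and mode of one regular file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode)


def build_baseline(roots: Iterable[str]) -> Baseline:
    """Fingerprint every regular file under the given directories.

    Symlinks are skipped on purpose: following them would let an
    intruder point a monitored name at a file that still hashes clean.
    """
    baseline: Baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                baseline[path] = fingerprint_file(path)
    return baseline


def save_baseline(baseline: Baseline, dest: str) -> None:
    """Store the baseline as JSON. On a real system dest is read-only
    media or a remote host; a baseline the intruder can edit is useless."""
    with open(dest, "w") as f:
        json.dump(baseline, f, sort_keys=True)


def load_baseline(src: str) -> Baseline:
    with open(src) as f:
        return {p: tuple(v) for p, v in json.load(f).items()}


def compare(baseline: Baseline, current: Baseline) -> Dict[str, list]:
    """Added, removed and modified paths between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> Dict[str, list]:
    """Baseline a tiny constructed tree, tamper with it, and diff.

    Returns the report with paths relative to the temporary root.
    """
    with tempfile.TemporaryDirectory() as work:
        bindir, etcdir = os.path.join(work, "bin"), os.path.join(work, "etc")
        os.makedirs(bindir)
        os.makedirs(etcdir)
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")  # stand-in binary
        with open(os.path.join(etcdir, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")

        db = os.path.join(work, "baseline.json")  # in practice: elsewhere
        save_baseline(build_baseline([bindir, etcdir]), db)

        # Simulated intrusion: trojaned ls, extra uid-0 account, rootkit file.
        with open(os.path.join(bindir, "ls"), "ab") as f:
            f.write(b"echo owned >> /tmp/.x\n")
        with open(os.path.join(etcdir, "passwd"), "a") as f:
            f.write("h4x:x:0:0::/:/bin/sh\n")
        with open(os.path.join(bindir, ".rk"), "wb") as f:
            f.write(b"rootkit")

        report = compare(load_baseline(db), build_baseline([bindir, etcdir]))
        return {k: [os.path.relpath(p, work) for p in v]
                for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as good as the baseline’s provenance: build it before the box touches a network, and keep it where the intruder cannot rewrite it to match their changes.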

While we’re on the subject, you are monitoring your outgoing
traffic, aren’t you? It’s a good way to find out if an intruder is
using your system to serve mp3s or launching attacks or some such
activity you probably don’t want to get blamed for.
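Both points above, that every connection involving the honeypot is suspect and that outbound traffic deserves its own alarm, come down to a few lines of log triage. The following Python is an added example, not the column’s own code. It assumes a honeypot at 192.0.2.10, a constructed one-line-per-connection log format (timestamp, protocol, source, destination, TCP flags) such as a firewall or sniffer in front of the box might write, and an allow-list of the only two outbound destinations the honeypot should ever talk to (a log host and a DNS resolver). Everything inbound is counted per source; anything outbound that is off the allow-list is an alert.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

HONEYPOT_IP = "192.0.2.10"  # assumption: the honeypot's address

# Assumption: the only outbound traffic the honeypot is allowed to
# originate is syslog to a log host and DNS to one resolver.
ALLOWED_OUTBOUND = {("192.0.2.20", 514), ("192.0.2.53", 53)}

# Constructed log format: <ts> <proto> <src>:<sport> -> <dst>:<dport> [flags]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>\S+))?$"
)


class Conn(NamedTuple):
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Conn:
    """Parse one log line; raises ValueError on lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Conn(m["ts"], m["proto"], m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), m["flags"] or "")


def triage(lines: List[str]) -> Dict[str, object]:
    """Split a honeypot log into inbound probes and outbound alerts."""
    probes_by_src: Dict[str, Counter] = defaultdict(Counter)
    outbound_alerts: List[Conn] = []
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            c = parse_line(line)
        except ValueError:
            skipped += 1  # keep going, but report what we could not read
            continue
        if c.dst == HONEYPOT_IP:
            # Inbound: nothing legitimate ever talks to the honeypot,
            # so every (source, port) pair is a probe worth recording.
            probes_by_src[c.src][c.dport] += 1
        elif c.src == HONEYPOT_IP and (c.dst, c.dport) not in ALLOWED_OUTBOUND:
            # Outbound to anything off the allow-list: the box is being
            # used against someone else. This is the alarm.
            outbound_alerts.append(c)
    return {
        "probes_by_src": {s: dict(p) for s, p in probes_by_src.items()},
        "outbound_alerts": outbound_alerts,
        "skipped": skipped,
    }


# Constructed sample log (not real traffic): one host sweeps ftp/ssh/http,
# a second tries ssh, the honeypot does its allowed syslog and DNS, then
# opens an IRC connection it has no business making.
SAMPLE_LOG = """
2024-05-01T02:14:07Z tcp 198.51.100.7:40211 -> 192.0.2.10:21 SYN
2024-05-01T02:14:07Z tcp 198.51.100.7:40212 -> 192.0.2.10:22 SYN
2024-05-01T02:14:08Z tcp 198.51.100.7:40213 -> 192.0.2.10:80 SYN
2024-05-01T02:14:08Z tcp 198.51.100.7:40214 -> 192.0.2.10:21 SYN
2024-05-01T02:15:31Z tcp 203.0.113.44:51000 -> 192.0.2.10:22 SYN
2024-05-01T02:16:02Z udp 192.0.2.10:49152 -> 192.0.2.53:53
2024-05-01T02:17:45Z udp 192.0.2.10:514 -> 192.0.2.20:514
2024-05-01T02:20:09Z tcp 192.0.2.10:38844 -> 203.0.113.99:6667 SYN
garbage line that does not parse
""".strip().splitlines()


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for src, ports in report["probes_by_src"].items():
        print(f"probe from {src}: {ports}")
    for c in report["outbound_alerts"]:
        print(f"ALERT outbound from honeypot: {c.ts} {c.proto} -> {c.dst}:{c.dport}")
    print(f"unparsed lines: {report['skipped']}")
```

The same split works on any connection log you already have; the only honeypot-specific part is that the inbound side needs no filtering at all, because there is no legitimate traffic to filter out.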

Once an attacker has taken the bait, invaded your honeypot, and
left a trail of highly useful data, take the machine off the
network. Don’t count on a reboot to evict them: if they got root,
assume the system is trojaned, image the disk for your forensic
analysis, then wipe it and rebuild. A real slick trick is to create an
installation CD, with apps and configurations, for quick restoration.

Ready-Mades
There are quite a number of ready-made honeypots, free and
commercial. A couple of freebies that I like, not only for their
functionality, but because the source code is available to audit and
modify:

The Deception Toolkit is completely fake, it depends on Perl
scripts to create a simulated environment. It includes a lot of fancy
sidestepping and double-talk, such as fake coredumps, fake ports, and
fake error messages. It is designed to lure an intruder down the
garden path and keep them going until they’ve created an extensive
trace. It gives quite a bit of flexibility in creating realistic
scenarios to fool intruders, depending how advanced your scripting
skills are. The author states that it is not good enough to fool a
truly skilled cracker, but will create enough confusion to foil most
of them.
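To show what a Deception Toolkit style fake service looks like in practice, here is a minimal fake FTP listener in Python. It is an added example, not DTK’s Perl or the column’s code; the banner, hostname and canned replies are made up. It speaks just enough FTP to keep an intruder typing (every login fails after the pause a real server makes, unknown commands get a plausible error, QUIT is honoured) and records every line sent to it with a timestamp and peer address, since on a honeypot the intruder’s keystrokes are the point.

```python
import socket
import threading
import time
from typing import List, Tuple

# Constructed banner; match what your real servers announce, or the
# intruder will smell a rat.
BANNER = b"220 mail.example.com FTP server (Version wu-2.6.1-18) ready.\r\n"


def respond(line: bytes) -> Tuple[bytes, bool]:
    """Map one command line to (reply, close_connection).

    Logins always fail, so a brute-forcer keeps feeding us its wordlist;
    everything unknown is refused with a realistic-looking error.
    """
    cmd = line.split(b" ", 1)[0].upper()
    if cmd == b"USER":
        return b"331 Password required.\r\n", False
    if cmd == b"PASS":
        time.sleep(0.2)  # real servers pause on a failed login
        return b"530 Login incorrect.\r\n", False
    if cmd == b"QUIT":
        return b"221 Goodbye.\r\n", True
    return b"500 '" + line[:40] + b"': command not understood.\r\n", False


class FakeFTP:
    """Listener that logs every line an intruder types.

    transcript holds (unix_time, "ip:port", line) records; on a real
    honeypot you would forward these to the remote log host.
    """

    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 = let the OS pick one
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.transcript: List[Tuple[float, str, bytes]] = []
        self._lock = threading.Lock()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        self.sock.close()  # makes accept() fail and the loop exit

    def _accept_loop(self) -> None:
        while True:
            try:
                conn, addr = self.sock.accept()
            except OSError:
                return
            peer = f"{addr[0]}:{addr[1]}"
            threading.Thread(target=self._handle, args=(conn, peer),
                             daemon=True).start()

    def _handle(self, conn: socket.socket, peer: str) -> None:
        with conn:
            conn.settimeout(120)  # eventually drop idle intruders
            buf = b""
            try:
                conn.sendall(BANNER)
                while True:
                    chunk = conn.recv(1024)
                    if not chunk:
                        return
                    buf += chunk
                    while b"\n" in buf:
                        line, buf = buf.split(b"\n", 1)
                        line = line.rstrip(b"\r")
                        with self._lock:  # log before answering
                            self.transcript.append((time.time(), peer, line))
                        reply, close = respond(line)
                        conn.sendall(reply)
                        if close:
                            return
            except OSError:
                return


def probe(port: int, commands: List[bytes]) -> List[bytes]:
    """Play the intruder: connect, send each command, collect replies."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("rb")
        replies = [f.readline()]  # banner
        for c in commands:
            s.sendall(c + b"\r\n")
            replies.append(f.readline())
    return replies


def demo() -> Tuple[List[bytes], List[bytes]]:
    """Run one scripted session; return (server replies, lines logged)."""
    server = FakeFTP()
    server.start()
    try:
        replies = probe(server.port,
                        [b"USER root", b"PASS toor", b"SITE EXEC id", b"QUIT"])
    finally:
        server.stop()
    return replies, [line for _, _, line in server.transcript]


if __name__ == "__main__":
    for r in demo()[0]:
        print(r.decode().rstrip())
```

Like DTK, this fools an automated tool or a careless intruder, not a skilled one who notices that no command ever succeeds; its value is the transcript of what they tried.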

LaBrea creates a tarpit or, as some have called it, a “sticky
honeypot”. (I think of it as a roach motel for crackers.) It takes
unused IP addresses on a network and creates virtual hosts that
answer connection attempts. Intruders get hung up, sometimes for a
long time. It uses what it calls “persist mode trapping” to maintain a
connection for the longest possible time: after completing the TCP
handshake it advertises a receive window of zero, so the attacker’s
TCP stack sits waiting for room to send, tying up the intruder’s time
and bandwidth. What is really cool is that it also caps the bandwidth
the tarpit itself uses: a perfect world, wasting an attacker’s time
and bandwidth while preserving your own.

Risks
A poorly-contained honeypot puts the rest of your
network at risk. There is also the temptation to retaliate. Be
careful, stay within legal means. Returning tit for tat only gets you
in trouble. Remember, the goal is to increase your own security, not
go to war with the script kiddies.

By Carla Shroder
