Securing Debian Manual
Chapter 10. Before the compromise

• The firewall technology you will use (provided by the Linux kernel).
• syslog-ng, useful for sending logs from the honeypot to a remote syslog server.
• snort, to set up capture of all the incoming network traffic to the honeypot and detect the attacks.
• osh, a SETUID root, security enhanced, restricted shell with logging (see Lance Spitzner’s article below).
• Of course, all the daemons you will be using for your fake server honeypot. Depending on what type of attacker you want to analyse, you will or will not harden the honeypot and keep it up to date with security patches.
• Integrity checkers (see ‘Checking file system integrity’ on page 56) and The Coroner’s Toolkit (tct) to do post-attack audits.
• honeyd and farpd to set up a honeypot that will listen to connections to unused IP addresses and forward them to scripts simulating live services. Also check out iisemulator.
• tinyhoneypot to set up a simple honeypot server with fake services.

If you cannot use spare systems to build up the honeypots and the network systems to protect and control them, you can use the virtualisation technology available in xen or uml (User-Mode Linux). If you take this route you will need to patch your kernel with either kernel-patch-xen or kernel-patch-uml.

You can read more about building honeypots in Lance Spitzner’s excellent article To Build a Honeypot (http://www.net-security.org/text/articles/spitzner/honeypot.shtml) (from the Know your Enemy series). Also, the Honeynet Project (http://project.honeynet.org/) provides valuable information about building honeypots and auditing the attacks made on them.
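Two items in the list above, a fake-service honeypot (tinyhoneypot) and shipping its logs off-box with syslog-ng, are easier to reason about with a concrete skeleton. The following is an added example, not code from the Securing Debian Manual or from tinyhoneypot or syslog-ng: a minimal TCP listener that presents a banner, records the first line a client sends (sanitised so attacker-controlled bytes cannot inject control characters into the log), and emits an RFC 3164 syslog line that a forwarding sink can send to a remote collector. The banner text, the `fakesvc` tag, the `honeypot` hostname, the facility/severity choice and the `HELP` line sent by the demo client are all constructed values for illustration.

```python
"""Minimal fake-service honeypot that logs events in syslog format.

Added example, not from the Securing Debian Manual. Shows the two pieces the
chapter lists: a fake service that only collects what it is sent, and event
forwarding to a remote syslog server. Banner, tag and hostname are constructed.
"""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class HoneypotEvent:
    src_ip: str
    src_port: int
    dst_port: int
    first_line: str  # attacker-supplied data, truncated and made printable


def sanitize(data: bytes, limit: int = 200) -> str:
    """Render untrusted bytes safely for a single log line: cap the length and
    replace anything outside printable ASCII so newlines or escape sequences
    cannot forge extra log entries or corrupt a terminal viewing the log."""
    text = data[:limit].rstrip(b"\r\n").decode("ascii", errors="replace")
    return "".join(c if 32 <= ord(c) < 127 else "?" for c in text)


def to_syslog(event: HoneypotEvent, hostname: str = "honeypot",
              facility: int = 4, severity: int = 6) -> str:
    """Format an event as an RFC 3164 message. PRI = facility * 8 + severity;
    facility 4 (auth) and severity 6 (info) give <38>. Values are assumptions."""
    pri = facility * 8 + severity
    ts = time.strftime("%b %d %H:%M:%S")
    return (f"<{pri}>{ts} {hostname} fakesvc: "
            f"src={event.src_ip}:{event.src_port} dport={event.dst_port} "
            f'first_line="{event.first_line}"')


def udp_syslog_sink(server_host: str, server_port: int = 514):
    """Return a sink that forwards each formatted line to a remote syslog
    collector over UDP (the same role syslog-ng plays in the chapter)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(line: str) -> None:
        sock.sendto(line.encode("ascii", errors="replace"), (server_host, server_port))
    return send


class FakeService:
    """Listen on one TCP port, send a banner, record the first line received,
    then close. The service never executes anything it receives; every event
    goes to `sink`, e.g. a list for testing or udp_syslog_sink() in practice."""

    def __init__(self, banner: bytes, sink, host: str = "127.0.0.1", port: int = 0):
        self.banner = banner
        self.sink = sink
        self.events: list[HoneypotEvent] = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))  # port 0 = let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def handle(self, conn: socket.socket, addr) -> None:
        data = b""
        try:
            conn.settimeout(5)  # never let one client hold the handler open
            conn.sendall(self.banner)
            data = conn.recv(1024)
        except OSError:
            pass
        finally:
            conn.close()
        ev = HoneypotEvent(addr[0], addr[1], self.port, sanitize(data))
        self.events.append(ev)
        self.sink(to_syslog(ev))

    def serve_once(self) -> None:
        conn, addr = self.sock.accept()
        self.handle(conn, addr)


def run_demo():
    """Start the fake service on localhost, connect to it as a client, and
    return (banner seen by client, recorded event, syslog line produced)."""
    lines: list[str] = []
    svc = FakeService(b"220 fake-ftp ready\r\n", lines.append)
    worker = threading.Thread(target=svc.serve_once, daemon=True)
    worker.start()
    client = socket.create_connection(("127.0.0.1", svc.port), timeout=5)
    banner = client.recv(1024)
    client.sendall(b"HELP\r\n")  # constructed client input
    client.close()
    worker.join(5)
    svc.sock.close()
    return banner, svc.events[0], lines[0]


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

In a real deployment the sink would be `udp_syslog_sink("collector.example", 514)` pointing at the remote log host, and the listener would run under a dedicated unprivileged user with the honeypot's firewall rules limiting what the host can reach out to, so that the box collects evidence without becoming a platform for the intruder.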