Honeypot Fun
11 Aug 2002
So I set up a honeypot here at home, to try and learn a bit about computer security. I don't know a whole lot about security beyond the obvious (strong passwords, ssh, turn off services, firewall), so I figured this would be a good way to learn. I took an old Pentium, installed Red Hat 6.2, and away I went.
Welp, as the good folks at Project Honeynet suggested, the first while was spent making mistakes and learning from them. First, I went for the default workstation install -- which meant no services running. After a day, I took it down and installed a default server install. Next, I watched as there were a million probes for NetBIOS or IIS (there's a guy at work with a Win98 box at home on cable w/no firewall...I should show him the logs), and then...aha! SunRPC probes! Whee! ...only I was firewalling the replies. D'oh!
That was last weekend. I didn't want to leave it running w/o me being around to keep an eye on it, so I left it 'til this weekend to turn it back on. Friday night I booted and watched.
...and then it happened: inside of *ten seconds* the cracker detected the ftp server and rooted me. I was agog; all of a sudden I was watching commands being typed in by the cracker, who had logged in with the new user ID he'd just added for himself.
Unfortunately, the timing was bad (silly cracker!). My wife's company was having a [boat cruise|http://www.konawindscharters.com/] that afternoon, and he got in literally ten minutes before I had to leave. I watched for a little while, then shut everything down and ran out the door. (Not that I was sad to go. The boat cruise took us up Indian Arm and it was absolutely amazing: beautiful weather, free food and Bheer...a gorgeous day.)
I'll add more on my honeypot later, but it was pretty stock: RH6.2, firewall, tcpdump, Bash patch to log commands, logging offsite. The one thing I forgot to do was run tripwire.
Music: such a cliched thing to add to something like this (can't even bring myself to say "weblog" or "journal entry"), but: Harry Belafonte and Kate Bush. Old Harry Belafonte is so very much fun; Kate Bush's "Running Up That Hill" is incredible.