Integrating a Honey Pot into Your Network

November 4, 2015 | Views: 7861


Hello –

This post will cover integrating a Honey Pot into your DMZ or internal Network. This information is for security enthusiasts, professionals and administrators.

 

First, let's define what a Honey Pot is:

A Honey Pot is a computer, usually of the Linux variety, that emulates various services and ports (this is not a Wikipedia definition). Truth be told, Honey Pots are not understood for the fantastic tool they actually are and are not currently adopted into the Corporate Security Structure, which, in itself, is a shame.

Your Honey Pot can be an old laptop, Desktop, Server or even a Raspberry Pi.

Personally I prefer the Raspberry Pi 2 B as it comes with a 4-core ARM processor and 1GB of working memory. With Anti Virus, Rootkit, Malware and my own monitoring scripts, along with a Dionaea Honey Pot installed and running, it holds its own. Of course, I pen tested and even ran a DDoS script against it and with open source Anti DDoS, it held its ground and put every attempt into null.


Let's begin…

Install your favorite OS, one that will support any of the various Honey Pot platforms out there: Snort, Dionaea, Kippo, Glastopf, etc. Do your research here, as I will not be going into detail on any of the platforms. This write-up is simply how to integrate.

Install the security software, depending on your OS.

# For CentOS, Fedora, RedHat (prefix with sudo if needed)

yum install clamav maldetect fail2ban chkrootkit rkhunter

# For Debian/Ubuntu

sudo apt-get install clamav maldetect fail2ban chkrootkit rkhunter

If maldetect isn’t found (usually so), get maldetect HERE.

Secure your server and install whichever Honey Pot you choose to use.

Let's place this somewhere, internally or externally.

# If DMZ

Configure your internet router to push the DMZ traffic to the Honey Pot's IP address. Isolate your internal network behind a firewall and see this post.

Remove any Port forwarding for Web, Mail, AD, etc.

Monitor its logs and just watch; it will get hit. Use this information to see and analyze what they’re after and how they’re trying to get it. With it sitting in your DMZ and your internal network isolated, it’s safe and very useful. It generally keeps the bad actors away from your internal network and allows you to see just how unsafe the internet really is.

# If Internal

Run a cable from your Hub/Switch/Router/Firewall, and plug the Honey Pot in.

Monitor, analyze and see if any machines within your internal network are compromised. If they are, they’ll find the Honey Pot and attempt to exploit it. If this happens, repair, patch and re-image the affected system.
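One way to act on the internal-placement advice above, as an added example that is not part of the original post: a Python script that scans honeypot connection records for sources inside the internal network and orders them for investigation. The log format, the 192.168.1.0/24 range, the allowlisted admin address and the function names are assumptions for illustration; adapt the regex to whatever your honeypot platform actually writes.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records in an assumed format (not any platform's real log):
# "<timestamp> connection from <src_ip>:<src_port> to port <honeypot_port>"
SAMPLE_LOG = """\
2015-11-04T09:12:01 connection from 203.0.113.45:51022 to port 445
2015-11-04T09:12:07 connection from 192.168.1.23:49811 to port 445
2015-11-04T09:13:40 connection from 192.168.1.23:49830 to port 3306
2015-11-04T09:15:02 connection from 198.51.100.7:40111 to port 21
2015-11-04T09:15:30 connection from 192.168.1.50:50210 to port 80
truncated or malformed line
2015-11-04T09:16:11 connection from 192.168.1.10:52000 to port 22
"""

LINE_RE = re.compile(r"^\S+ connection from ([0-9.]+):\d+ to port (\d+)$")


def internal_sources(log_text, internal_net="192.168.1.0/24",
                     allowlist=("192.168.1.10",)):
    """Map each non-allowlisted internal source IP to the honeypot ports it hit."""
    net = ipaddress.ip_network(internal_net)
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip anything that is not a connection record
        try:
            src = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # looked like an address but is not a valid one
        if src in net and src not in allowed:
            hits[str(src)].add(int(match.group(2)))
    return {ip: sorted(ports) for ip, ports in hits.items()}


def triage(hits):
    """Order hosts for investigation: most distinct honeypot services first."""
    return sorted(hits.items(), key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for ip, ports in triage(internal_sources(SAMPLE_LOG)):
        print(f"investigate {ip}: touched honeypot ports {ports}")
```

No ordinary internal host has a reason to talk to the Honey Pot, so every address returned deserves a look; the allowlist is only for the machine you administer it from.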

 

Short and to the point, I do hope this helps those out there who are interested in securing their network.

For Network honey pot monitoring, please see Twisted Security

 

~ Scott

13 Comments
  1. Hypothesis:
    Some anti-viruses do reporting to somewhere during the update process and use their firewall power with trust to do so. Is it possible for a honeypot to filter these outgoing requests?

  2. Hello Mr. Scott Cilley,

    This is one of the great posts that I have been through.

    Just need one help:

    At the end of the post can you please change the link of “Twisted Security”?

    As the link is not active any more. Thank You!

  3. Is there a safe way of placing it on the firewall as a VM? My server for the firewall is overkill, so I'm sure I have way more than enough resources.

  4. Since I am frequently getting called by scammers who want to connect to my computer to “fix” a problem, I would like to put a honeypot into my network running Windows instead of Linux.
    I just want to know if running a virtual machine is secure enough or could the attacker(s) get outside the virtual environment?

    • Running a honey pot in a VM is very simple, but I recommend putting the rest of your network behind a firewall.

      • Hypothesis: some anti-viruses do reporting to somewhere during the update process and use their firewall power with trust to do so. Is it possible for a honeypot to filter these outgoing requests?

    • I am sure if your network requires a honeypot, since the honeypot is an additional cost and you need to analyze how big your network is and how important the data on your system is. On top of that, if you get such anonymous or marketing calls I would recommend just saying no. Basically, if you are using Windows 10, verify that Windows Defender is configured properly as a first layer of antivirus security, which is completely free.
