Integrating a Honey Pot into Your Network

November 4, 2015

Hello –

This post will cover integrating a Honey Pot into your DMZ or internal network. This information is for security enthusiasts, professionals and administrators.

First, let's define what a Honey Pot is:

A Honey Pot is a computer, usually Linux-based, that emulates various services and open ports so that anything probing or attacking it can be observed and logged (this is not a Wikipedia definition). Truth be told, Honey Pots are not appreciated for the fantastic tool they actually are, and they are not currently adopted into the corporate security structure, which in itself is a shame.

Your Honey Pot can be an old laptop, desktop, server or even a Raspberry Pi.

Personally I prefer the Raspberry Pi 2 B as it comes with a 4-core ARM processor and 1 GB of working memory. With antivirus, rootkit and malware scanners and my own monitoring scripts, along with a Dionaea Honey Pot installed and running, it holds its own. Of course, I pen tested and even ran a DDoS script against it and, with open source anti-DDoS, it held its ground and put every attempt into null.

Let's begin…

Install your favorite OS, one that will support any of the various Honey Pot platforms out there: Snort, Dionaea, Kippo, Glastopf, etc. Do your research here, as I will not be going into detail on any of the platforms. This write-up simply covers how to integrate.

Install the security software, depending on your OS.

# For CentOS, Fedora, RedHat

yum install clamav fail2ban chkrootkit rkhunter   # prefix with sudo if needed

# For Debian/Ubuntu

sudo apt-get install clamav fail2ban chkrootkit rkhunter

maldetect (Linux Malware Detect) is usually not in the distribution repositories, and apt-get will refuse the whole install if one package in the list isn't found, so install it separately: if it isn't found, download maldetect from its project site.

Secure your server and install whichever Honey Pot you choose to use.

Let's place this somewhere, internally or externally.

# If DMZ

Configure your internet router to push the DMZ traffic to the Honey Pot's IP address. Isolate your internal network behind a firewall and see this post.

Remove any port forwarding for web, mail, AD, etc.

Monitor its logs and just watch; it will get hit. Use this information to see and analyze what they're after and how they're trying to get it. With it sitting in your DMZ and your internal network isolated, it's safe and very useful. It generally keeps the bad actors away from your internal network and lets you see just how unsafe the internet really is.

# If Internal

Run a cable from your Hub/Switch/Router/Firewall, and plug the Honey Pot in.

Monitor, analyze and see if any machines within your internal network are compromised. If they are, they'll find the Honey Pot and attempt to exploit it. If this happens, repair, patch and re-image the affected system.
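Both placements come down to the same daily job: read the honeypot's connection log, see which ports are being hit and by whom, and, for an internal honeypot, notice when the source is one of your own machines. The script below is an added example, not code from the original post or from Dionaea; it parses a constructed, generic key=value log format (not any real honeypot's format, so parse_line() must be adapted to yours) and treats the RFC 1918 ranges as "internal", which is an assumption you should replace with the networks you actually use.

```python
"""Summarise a honeypot's connection log: which ports attackers are after,
which sources are probing, and whether any source sits on an internal range
(which, for an internal honeypot, points at a possibly compromised host)."""
from collections import Counter
from ipaddress import ip_address, ip_network
import re

# Constructed sample lines in a generic key=value format. This is NOT the log
# format of Dionaea or any other real honeypot; adapt parse_line() to yours.
SAMPLE_LOG = """\
2015-11-04T10:15:02Z src=203.0.113.5 sport=51234 dst=192.0.2.10 dport=445 proto=tcp
2015-11-04T10:15:03Z src=203.0.113.5 sport=51235 dst=192.0.2.10 dport=445 proto=tcp
2015-11-04T10:16:41Z src=198.51.100.77 sport=40211 dst=192.0.2.10 dport=22 proto=tcp
2015-11-04T10:20:09Z src=192.168.1.23 sport=49152 dst=192.0.2.10 dport=445 proto=tcp
this line is garbage and must be skipped, not crash the report
2015-11-04T10:21:00Z src=203.0.113.5 sport=51300 dst=192.0.2.10 dport=3306 proto=tcp
2015-11-04T10:22:17Z src=192.168.1.23 sport=49153 dst=192.0.2.10 dport=139 proto=tcp
"""

# Assumed internal address space: the RFC 1918 ranges. Replace with the
# networks you actually use internally. (Python's own is_private is not used
# because it also flags the documentation ranges used in the sample above.)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is unusable."""
    fields = dict(FIELD_RE.findall(line))
    if "src" not in fields or "dport" not in fields:
        return None
    try:
        fields["src"] = ip_address(fields["src"])
        fields["dport"] = int(fields["dport"])
    except ValueError:  # not an IP address / not a port number
        return None
    return fields


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def summarise(log_text):
    """Count hits per destination port and per source; list internal sources."""
    by_port = Counter()
    by_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the report
        by_port[rec["dport"]] += 1
        by_source[str(rec["src"])] += 1
    internal = sorted(s for s in by_source if is_internal(ip_address(s)))
    return {"by_port": dict(by_port), "by_source": dict(by_source), "internal_sources": internal}


def report(summary):
    """Render the summary as the short text an admin would read each morning."""
    lines = ["Hits per target port (what they are after):"]
    for port, n in sorted(summary["by_port"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  port {port:<5} {n}")
    lines.append("Hits per source (who is probing):")
    for src, n in sorted(summary["by_source"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {src:<16} {n}")
    if summary["internal_sources"]:
        lines.append("WARNING: internal hosts touched the honeypot; investigate, patch and re-image:")
        lines.extend(f"  {src}" for src in summary["internal_sources"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(SAMPLE_LOG)))
```

Run it against the sample and port 445 tops the list with three hits, while 192.168.1.23 is called out as an internal source: for a DMZ honeypot that would just be noise from the outside, but for an internal one it is exactly the "compromised machine found the Honey Pot" signal the text describes. Feed it your real log instead of SAMPLE_LOG once parse_line() matches your honeypot's format.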

Short and to the point; I do hope this helps those out there who are interested in securing their network.

For network honey pot monitoring, please see Twisted Security.

~ Scott

13 Comments
  1. Thanks for this information it will help a lot.

  2. Thank you.

  3. thanks a lot … good information

  4. very helpful…

  5. I think you can complete your definition of a honey pot.
    More than a computer, it can be a complete network. The purpose is for the attacker to think he succeeded in his attack. In fact he explores just a virtual network and you analyse all his moves.
    The main advantage of a honey pot is all the log functions. After an attack on it, you can apply your forensic skills to describe how the attacker works. Analyse the possibility of a similar attack on your network and, moreover, send a report to the authorities.

    • @blafarus indeed, it can be much more, but this is just a basic introduction; perhaps in the future I will do a write-up on a honey net which I am currently building. This write-up is for simplicity, for those who wish to implement a honey pot in their home or even company network.
