Integrating a Honey Pot into Your Network

Hello -This post will cover integrating a Honey Pot into your DMZ or internal Network. This information is for security enthusiasts, professionals and administrators. First, lets define what a Honey Pot is:A Honey Pot is a computer, usually of the Linux variety, that emulates various services and ports (this is not a WikiPedia definition). Truth be told, Honey Pots are not understood for the fantastic tool they actually are and not currently adopted into the Corporate Security Structure, which in itself, is a shame.Your Honey Pot can be an old laptop, Desktop, Server or even a Raspberry Pi.Personally I prefer the Raspberry Pi 2 B as it comes with a 4 core ArM processor and 1GB of working memory. With Anti Virus, Rootkit, Malware and my own monitoring scripts, along with a Dionaea Honey Pot installed and running, it holds its own. Of course, I pen tested and even ran a DDOS script against it and with open source Anti DDOS, it held it's ground and put every attempt into null.

---

Lets begin...Install your favorite OS, one that will support any of the various Honey Pot platforms out there. Snort, Dionaea, Kippo, Galstoph, etc. Do your research here, as I will not be going into detail on any of the platforms. This write-up is simply how to integrate.Install the security software, depending on your OS.# For Centos, Fedora, RedHat

yum install clamav maldetect, fail2ban chkroot, rkhunter (sudo if needed)

# For Debian/Ubuntu

sudo apt-get install clamav maldetect, fail2ban chkroot, rkhunterIf maldetect isn't found (usually so), get maledetect HERE.

Secure your server and install whichever Honey Pot you choose to use.Lets place this somewhere, internally or externally.# If DMZConfigure your internet router to push the DMZ traffic to the Honey Pots IP Address. Isolate your internal network behind a firewall and see this post.Remove any Port forwarding for Web, Mail, AD, etc.Monitor its logs and just watch, it will get hit. Use this information to see and analyze what they're after and how they're trying to get it. With it sitting in your DMZ and your internal network isolated, it's safe and very useful. It generally keeps the bad actors away from your internal network and allows you to see just how unsafe the internet really is.# If InternalRun a cable from your Hub/Switch/Router/Firewall, and plug the Honey Pot in.Monitor, analyze and see if any machines within your internal network are compromised. If they are, they'll find the Honey Pot and attempt to exploit it. If this happens, repair, patch and re-image the effected system. Short and to the point, I do hope this helps those out there who are interested in securing their network.For Network honey pot monitoring, please see Twisted Security ~ Scott