June 30, 2004

In the past couple of issues, we’ve talked about setting up various types of HoneyPots in Linux. To recap, a HoneyPot is a system that is intentionally set up with a number of fake vulnerabilities in order to attract and trap hackers. Because no legitimate user has any reason to touch it, every connection it receives is suspect. The HoneyPot captures all hacker activity in log files, which can be analyzed later, and it can also be set up to raise alarms in real time, as the attacks happen. In this article, we’ll explain how to set up a HoneyPot on a Windows 2000 Server (with SP4 installed).

Typically, a HoneyPot is deployed alongside the firewall, and the firewall is configured so as to divert potential hacking attempts to the HoneyPot machine by pinholing (port forwarding) into the DMZ (demilitarized zone). The HoneyPot should be isolated from the production network so that an attacker who compromises it cannot use it as a stepping stone.

Network and security administrators can create multiple scenarios to attract hackers to it.

If you want to get a quick feel of how a HoneyPot works, you can try out HoneyWeb, a small HoneyPot program that emulates a Web server.

HoneyWeb is on last month’s DVD (\HoneyPot). Copy it to your desktop and unzip it into a separate folder. Double-click HoneyWeb.exe, and then click HYB Server>Settings. A small dialog box opens. In the ‘Listen on port’ text box, give any port number, say 80 (make sure nothing else on the machine, such as IIS, is already listening on that port, or HoneyWeb will fail to bind to it). Then, in the ‘WWW Root’ text box, give the path of your dummy Web pages (you can give any dummy path, which need not even exist on that machine). Now click OK and restart the service. HoneyWeb is now operational, and every request that arrives on that port is logged. HoneyWeb is a basic HoneyPot that is best described as a technology

When the firewall senses any hacking attempt, it diverts the attack to a HoneyPot sitting in the De-Militarized Zone

If you want a feature-rich product that can be deployed on live servers, then check out KFsensor. It can simulate standard TCP and UDP services as well as many standard servers, such as Terminal Server, VNC and an RDBMS. The trial version of KFsensor is also available on the DVD (\HoneyPot). The full product costs $990 per instance to deploy.

Installing and configuring KFsensor 
KFsensor is easy to install and has an excellent interface. On running KFsensor for the first time, you will get a configuration wizard. First, give it a fake (any) domain name, and the real e-mail ID of the administrator to whom the software will send alerts. Next, choose the components (fake services) that you would like to run on the HoneyPot. By default, all the components are selected; on a live server, deselect any port that a real service on the machine already uses, since the two cannot share it. Finally, choose to install it as a Windows service (so that it keeps running after you log off) and click Finish. With this, KFsensor is configured.

KFsensor comes with an extensive list of services to simulate, along with the action to be taken when someone comes visiting that particular port or service. It can also sandbox a number of Trojans and P2P applications. You can edit any of the standard settings, including the port, the severity level and the action to take. You can also add your own rules and settings. Obviously, such editing should be done by someone who knows what he is doing, since a misconfigured rule can either silence real attacks or flood the administrator with alerts. The easiest way to manage this is to create scenarios. Multiple scenarios, each with its own custom settings, can be created and saved, and the administrator can switch between them when testing.

Sanjay Majumder
