5

I'm interested to see if anyone here who administers a large environment (200-500 Servers), and has a very large public customer base (100,000+), has set up (or has at least considered setting up) a honeypot? I'm specially interested for those that provide services to nasty/evil/hostile networks.

If you have set one up, can you elaborate on your experience? In fact, please comment if you don't consider your environment to be large, even a small environment that contains some hostile networks is perfect!

I'm planning to set one up where I work, but naturally that will start with a few battles from management, naturally. There are risks - the biggest risk would be that things are not setup correctly, and your production servers join your honeypot "cluster", or simply that information about your network leaks out (any information is too much information).

Production Honeypots

A production honeypot is used to assist an organization in protecting its internal IT infrastructure whereas a research honeypot is used to accumulate evidence and information in order to study hackers’ or the blackhat criminal attack patterns and motives.

Production honeypots are valuable to the organization especially commercial, as it helps to reduce or mitigate risk that a specific organization faces. Production honeypots secure the organization by policing its IT environment to identify attacks. These production honeypots are useful in catching hackers with criminal intentions. The implementation and deployment of production honeypots are relatively easier than research honeypots.

Xerxes
  • 4,133
  • 3
  • 26
  • 33

3 Answers3

3

You want Honeyd - Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

Kurt
  • 1,293
  • 9
  • 9
2

Honeypots are extremally useful for any environment and they don't need to be anything fancy or crazy.

Examples that we do:

-Create a fake account on or mailserver (say userX) with a few fake links in his mailbox (things like user directory link, payment link, etc all pointing to an internal server). Now we monitor any access to these pages via the logs and we know that if we ever see access to them is because someone is reading someone's else email or broke to the system.

-Add a non-published system with non-used IP to our network. Any access to them is probably caused by a scan or maybe bad-configured system (yes, it happens).

And many other things... These little "honeypots" are so easy to setup and the benefits are amazing. We even had a system admin fired for looking at a fake payroll link.

sucuri
  • 2,817
  • 1
  • 22
  • 22
  • That's a great story - thankyou - I'm going to use all these ideas when writing up my proposal :) – Xerxes Jun 02 '09 at 15:39
-1

I have to be blunt and say if I was your manager I would shut down that idea before it even started. There are too many risks and zero benefits associated with setting up a honeypot within a large IT environment.

Could you elaborate on why you would want to do this? Aren't honeypots largely confined to security researchers? What are you trying to achieve?

Neobyte
  • 3,177
  • 25
  • 29
  • 2
    I think you need to study honeypots again. Firstly, a honeypot exhibits as much risk to your environment, as your currently running servers and services do - unless you don't know what you're doing. Your services are already at "risk" by virtue of being accessible. Secondly, the concept behind a honeypot is that the only traffic that will *ever* get there is guaranteed to be bad traffic, because there is no reason (if set up correctly) for good traffic to ever make it there. What this does, is give you a view of who your assailants are - Just by ignoring them doesn't mean they don't exist. – Xerxes May 31 '09 at 05:45
  • Neobyte - Have a look at "Production Honeypot" vs "Research Honeypot", perhaps you've only heard of the latter. – Xerxes May 31 '09 at 06:08
  • 1
    You're right, I was only familiar with the latter. I'll do some more reading. :) – Neobyte May 31 '09 at 06:25
  • 2
    +1 for production honeypots as intrusion detection mechanisms. It can be as simple as adding a directory with a juicy name to a production system, coupled with thorough logging/auditing on that directory. – nedm May 31 '09 at 07:45
  • Various consultancies offer honeynets as a service to their large corporate clients. And they charge quite a bit of money for the privilege. Trust me - the benefits can be rather high. – Rory Alsop Jun 03 '14 at 19:06