Our third Honeynet infrastructure is now in place: a second-generation Honeynet with honeypots running Linux (Red Hat, Debian), Solaris and Windows XP/2000 servers. Data Capture and Data Control are implemented on a Red Hat Linux 7.3 host with the bridging-firewalling patch applied. The Honeynet Project's IPTables script (rc.firewall) is used to limit outgoing connections. Well-known attacks originating from the Honeynet are taken down with the help of Snort-inline [http://snort-inline.sourceforge.net/].
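As an added illustration of the outbound connection limiting that rc.firewall performs (example code written for this page, not the Honeynet Project's script), the following Python simulates that data-control decision in userspace over a constructed connection trace. The per-hour quotas, the honeypot addresses and the trace are assumptions, and the sliding-window count only approximates the iptables limit match.

```python
from collections import defaultdict

# Assumed per-honeypot quotas of NEW outbound connections per hour, modelled on
# the Honeynet Project rc.firewall defaults (TCP 15, UDP 20, ICMP 50, other 15).
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}
WINDOW = 3600                            # seconds; rc.firewall SCALE="hour"
HONEYPOTS = {"10.0.0.10", "10.0.0.11"}   # constructed honeypot addresses

def classify(proto):
    """Map an IP protocol name onto the four rc.firewall quota classes."""
    return proto if proto in ("tcp", "udp", "icmp") else "other"

def filter_outbound(events):
    """Give an ACCEPT/DROP verdict for each (ts, src, proto, dst) event.
    Inbound traffic (src not a honeypot) is always accepted: data control only
    throttles what leaves.  Outbound connections are counted per (honeypot,
    class) over a sliding one-hour window of accepted connections."""
    accepted = defaultdict(list)         # (src, class) -> accept timestamps
    verdicts = []
    for ts, src, proto, dst in sorted(events):
        if src not in HONEYPOTS:
            verdicts.append((ts, src, proto, dst, "ACCEPT"))
            continue
        key = (src, classify(proto))
        live = [t for t in accepted[key] if ts - t < WINDOW]   # age out
        if len(live) < LIMITS[key[1]]:
            live.append(ts)
            verdict = "ACCEPT"
        else:
            verdict = "DROP"             # quota spent: the attack stays inside
        accepted[key] = live
        verdicts.append((ts, src, proto, dst, verdict))
    return verdicts

def drops_by_source(verdicts):
    """Dropped connections per (honeypot, class): a burst of drops is the
    first sign that a honeypot has been compromised and is attacking out."""
    counts = defaultdict(int)
    for ts, src, proto, dst, verdict in verdicts:
        if verdict == "DROP":
            counts[(src, classify(proto))] += 1
    return dict(counts)

def sample_events():
    """Constructed trace: one inbound probe, a compromised honeypot opening 20
    TCP connections in 200 s plus 3 UDP lookups, then one more TCP an hour on."""
    ev = [(990, "198.51.100.5", "tcp", "10.0.0.10")]
    ev += [(1000 + 10 * i, "10.0.0.10", "tcp", f"192.0.2.{i}") for i in range(20)]
    ev += [(1200 + i, "10.0.0.10", "udp", "192.0.2.53") for i in range(3)]
    ev.append((4605, "10.0.0.10", "tcp", "192.0.2.99"))
    return ev
```

With the constructed trace, the first 15 TCP connections leave, the next 5 are dropped, and the connection an hour later is accepted again once the oldest entry has aged out of the window.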
Keystrokes are logged to a remote syslog server through the use of sebek2 [http://www.honeynet.org/tools/sebek/]. The local syslogd servers have been modified to read a different configuration file in order to fool the attacker; the standard configuration file, /etc/syslog.conf, has been left in its default location. Additional measures have been taken to protect the remote syslogd server by applying one-way routing to the server and ACLs.

For bandwidth limitation, rc.firewall has been modified to use tc. Tests by Alliance members are positive.
A network diagram of our honeynet can be found here.

Details of our deployment are shown in the recent book by The Honeynet Project/Honeynet Research Alliance, chapter 5 [www.honeynet.org/book].