Author: Liu Song, Electronic Information, Sichuan University, wlb015@163.com

What is a honeypot

A honeypot is a computer system running on the Internet that is deliberately designed to attract and deceive people who try to break into other people's computer systems illegally (such as hackers). A honeypot is a decoy system containing vulnerabilities: it simulates one or more vulnerable hosts and offers the attacker an easy target. Because the honeypot provides no genuine, valuable service to the outside world, every attempt to access it is considered suspicious. Another use of honeypots is to delay the attacker's attack on the real target, so that the attacker wastes time on the honeypot. Put simply, a honeypot is a trap for catching attackers.

Honeypot features

(1) It is not a single system but a network: a highly interactive honeynet consisting of multiple systems and application software.
(2) All systems placed in the honeynet are standard product systems, that is, real systems and applications, not emulated ones.

Honeypot categories

Honeypots can be classified in several ways. By design purpose they are divided into production honeypots and research honeypots; by their form they are divided into sacrificial honeypots and appearance honeypots.

Core honeypot techniques

The main techniques used by honeypots are network deception, port redirection, alarming, data control and data capture.

1. Network deception: To make the honeypot more attractive to intruders, several kinds of deception must be used. For example, the deception host opens some of the ports that attackers find interesting and exposes various vulnerabilities that make the intruder believe the system can be broken into.

2. Port redirection: Port redirection can simulate, on a working system, a service that is not actually running there.
For example, a host runs a real web service on port 80 while Telnet (23) and FTP (21) are redirected into the honeypot system. Those two services are not actually open on the host, but an attacker who scans it finds the two ports open; in reality they are virtual ports served by the honeypot, so the real server is not endangered.

3. Attack (intrusion) alarming and data control: The honeypot system itself can emulate an operating system. We can configure it to look like a host that is easy to attack, with open ports and the corresponding response programs, such as a Linux shell and an FTP program. When the attacker "breaks into" the system (here, the honeypot's virtual system), he has in effect walked into the trap, and everything he does from then on is monitored: brute-forcing Telnet passwords, adding new users, escalating privileges, deleting or adding files. The intruder may also be allowed a network connection that carries traffic onward, so that the honeypot can be used as a springboard.

4. Data capture: While the attacker is intruding, the honeypot system records the attacker's input and output, keystroke logs, screen information and the tools the attacker uses, and analyses the attacker's next moves. The captured data must not be stored on the honeypot host itself, because the attacker may discover that this is a "trap" and leave.

An example: Figure 1 shows a typical Sebek deployment.
The Sebek client module is installed in the honeypot (blue); the attacker's behaviour inside the honeypot is captured, sent over the network (invisible to the attacker) and collected by the Honeywall gateway.

Tiny Honeypot introduction

Tiny Honeypot was originally written by George Bakos. The best thing about Tiny Honeypot is that it is meant to be attacked: there is no need to worry about whether hackers and computer experts can break in, because they generally succeed, and Tiny Honeypot has good mechanisms for collecting and preserving information about the intruder.
Tiny Honeypot installation

First download thp-0.4.6.tar.gz, then run the following commands:

    cd /usr/local                          # switch to /usr/local
    zcat thp-0.4.6.tar.gz | tar -xvf -     # unpack the .tar.gz file
    ln -s thp-0.4.6 thp                    # create a soft link to the unpacked directory
    mkdir /var/log/hpot                    # create the log directory
    chown nobody:nobody /var/log/hpot      # set the directory ownership
    chmod 700 /var/log/hpot                # restrict who can read the logs
    cp ./thp/xinetd.d/* /etc/xinetd.d/     # install the xinetd service files
    # edit the xinetd files and change them to "disable = no" (details below)
    # make any path & preferences adjustments in thp.conf & iptables.rules
    ./thp/iptables.rules                   # apply the redirection rules
    /etc/rc.d/init.d/portmap start         # start portmap
    pmap_set < ./thp/fakerpc               # register the fake RPC services with portmap
    /etc/rc.d/init.d/xinetd start          # start xinetd

Configuration notes:

1. It is recommended to install as the root user. "chmod 700 /var/log/hpot" restricts access to the logs so that only root can read them.
2. Edit the xinetd files and change them to "disable = no".
3. Edit ./thp/iptables.rules to write the access rules, paying attention to the ip_forward setting (0).
4. Configure the honeypot's network settings and environment variables, such as IP addresses, the ports that remain in normal use and the ports redirected to the honeypot. For example, the WWW service on port 80 stays a normal network service, while ports such as 21, 23 and 103 are redirected to the honeypot. The honeypot can emulate many services, such as FTP, WWW, remote shell and SMTP; they are not all listed here.
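To make the port-redirection and data-capture techniques above concrete, here is a small decoy FTP listener in the style of the xinetd-driven fake services that Tiny Honeypot provides. It is an added example, not Tiny Honeypot's own code: it answers with a fake banner, appends every client line with a timestamp and peer address to a capture log, and never lets anyone log in. The log path under /var/log/hpot, the banner text, the listening port 2121 and the sample session bytes are assumptions constructed for the example.

```python
import io
import socketserver
import time

LOG_PATH = "/var/log/hpot/fakeftp.log"    # assumed; mirrors the page's /var/log/hpot
BANNER = b"220 FTP server ready.\r\n"     # constructed decoy banner

def handle_session(rfile, wfile, peer, log, clock=time.time):
    """Drive one decoy FTP session over the given streams and return the
    client's lines. Every line is also appended to `log` as
    'epoch peer line', so the capture is kept outside the decoy itself."""
    captured = []
    wfile.write(BANNER)
    while True:
        raw = rfile.readline()
        if not raw:                       # client hung up
            break
        line = raw.rstrip(b"\r\n").decode("latin-1", "replace")
        captured.append(line)
        log.write(f"{clock():.0f} {peer} {line}\n")
        verb = line.split(" ", 1)[0].upper()
        if verb == "USER":
            wfile.write(b"331 Password required.\r\n")
        elif verb == "PASS":
            wfile.write(b"530 Login incorrect.\r\n")   # nobody ever logs in
        elif verb == "QUIT":
            wfile.write(b"221 Goodbye.\r\n")
            break
        else:
            wfile.write(b"500 Command not understood.\r\n")
    log.flush()
    return captured

def replay(data, peer="192.0.2.10", epoch=1700000000):
    """Offline check: push constructed client bytes through handle_session and
    return (captured lines, bytes sent to the client, log text)."""
    out, log = io.BytesIO(), io.StringIO()
    captured = handle_session(io.BytesIO(data), out, peer, log, clock=lambda: epoch)
    return captured, out.getvalue(), log.getvalue()

class FakeFtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        with open(LOG_PATH, "a", encoding="utf-8") as log:
            handle_session(self.rfile, self.wfile, self.client_address[0], log)

if __name__ == "__main__":
    # Listen on 2121 so no root is needed; an iptables REDIRECT from port 21,
    # as in the page's port-redirection technique, would send scanners here.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2121), FakeFtpHandler) as srv:
        srv.serve_forever()
```

In a real deployment the log directory should be on a separate collector, as the page notes for captured data, rather than on the decoy host.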