Cover V09, I01


Sidebar 1: Choosing the Hardware and Operating System

Remember that the central idea behind the honey pot concept is that all of its components should be “non-assets”. In other words, given a cracker's habit of altering whatever system he gains access to, you should have no qualms if irreparable damage is done. Find some sort of throw-away machine that was surplussed or replaced, perhaps an old 486 or an older Pentium PC, and claim it as your own. Here is a good rule-of-thumb setup for the minimal honey pot system I will describe:

• X386 Intel Processor PC or greater

• 200 MB or more hard drive space

• 4MB RAM

• Compatible (with your network) Network Card

A successful trap system does not take much to run on. If you absolutely cannot find a spare system, don't swipe your co-worker's workstation just yet. Many versions of Linux come on bootable floppies that can be used to create a virtual OS that runs completely off a disk. Not only is this a portable option, but there's no need to alter the computer system it runs on at all. Just boot the floppy and, once your monitoring is done, reboot the computer system and it should return to normal. The best bootable Linux example that comes to mind is Trinux, which was designed with UNIX security in mind. There are even many security tools prepackaged for Trinux (http://www.trinux.org) that will save you time and effort when fortifying and rigging your system.

The reason I prefer Linux to NT and Solaris is purely for performance reasons. More often than not, Linux will run smoothly on almost all low-grade PC systems without major compatibility or computation problems. Additionally, the source, installation files, and hundreds of software packages are readily and freely available over the Internet. If you happen to have Solaris (SPARC or x86) lying around, it will do just as well and you can follow most of these instructions in the same way.

When installing the OS, include only the minimal services required to get the system started. You will need a compiler to build most of the public domain software you plan to download. It is a good idea to remove the compiler from your final honey pot once you have installed all of your software. Remember that you want to fool an intruder into thinking that your system acts and feels like a normal, albeit stripped down, vulnerable host, without disclosing that he is being monitored.

Once you have prepared an appropriate tool to rig a network service, you should activate that service. inetd is the daemon that manages other service daemons, and uses the file inetd.conf to determine which network ports it should listen on. Glance at your inetd.conf file (usually /etc/inetd.conf but sometimes /usr/etc/inetd.conf) to see which services are activated. Commenting out a line by prepending a “#” will deactivate that network service the next time inetd is restarted or re-reads its configuration. I recommend commenting out most of the services as soon as you install your OS, and then reactivating each one only when the appropriate Trojan binary is ready to rig it.
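As an added example (not code from the original article), the following POSIX shell script does the inetd.conf audit the sidebar describes: it lists which services a sample inetd.conf leaves active, then rewrites the file so that only an explicit allowlist stays uncommented. The sample file contents and the allowlist are constructed for the example.

```sh
#!/bin/sh
# Added example: audit an inetd.conf and comment out every service that is
# not on an explicit allowlist. Nothing here touches the real /etc/inetd.conf;
# the sample below is constructed and written to a temporary file.

SAMPLE_CONF="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime stream  tcp  nowait  root    internal
EOF

# Print the service name (first field) of every line that is neither a
# comment nor blank, i.e. every service inetd would currently listen for.
# Reads the files given as arguments, or stdin when none are given.
list_active_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$@"
}

# Print $1 with every service not in the space-separated allowlist $2
# commented out. Existing comments and blank lines pass through unchanged,
# so a reviewer can still see what was disabled and why.
disable_except() {
    awk -v allow=" $2 " '
        /^[[:space:]]*(#|$)/      { print; next }   # keep comments/blanks
        index(allow, " " $1 " ")  { print; next }   # allowlisted: keep active
        { print "#" $0 }                            # everything else: disable
    ' "$1"
}

echo "Active services before:"
list_active_services "$SAMPLE_CONF"
echo "Config after keeping only ftp and telnet:"
disable_except "$SAMPLE_CONF" "ftp telnet"
```

To apply the result on a real host, write the output over the live inetd.conf and send inetd a SIGHUP (`kill -HUP <inetd pid>`) so it re-reads the file without a reboot.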