Tip of the Trade: Nepenthes Honeypots

Whatever operating systems are running on your network — whether Linux, BSD, Unix, Windows, Mac, or something rare and exotic — setting up your own honeypot can yield much useful information with a little effort. A honeypot is a trap, a computer that pretends to be a Web server, file server, mail server, or any sort of juicy target to entice crackers to attempt to break in. The honeypot itself must be securely walled off from your network and not contain any valuable data. Its sole purpose is monitoring activities and collecting useful information about exploits and attempted intrusions.

What's sweeter than finding out how secure your servers really are before hackers get to them? With a simple and easily set up honeypot from Nepenthes, much useful data is trapped with little effort.

Discuss this article in the ServerWatch discussion forum

Professional security researchers use honeypots to study the latest exploits and intrusion techniques. A properly setup honeypot will uncover weaknesses in your systems, so you can fix them before you become a victim. You can learn how a potential intruder probes your system for weaknesses and keep track of how many antique automated attacks are still infesting the Internet, forever roaming cyberspace like viral Flying Dutchmen. Just because they're old doesn't make them any less dangerous. Some honeypots will also give you early warnings about new exploits.

Prefab honeypots ready to be installed on the system of your choice are also available. You may be amazed at how quickly a new honeypot starts getting attacked; typically, within a few minutes of going online. Nepenthes is a good "starter" honeypot because it's simple and easy to set up. Nepenthes is a low interaction honeypot, which means it emulates known vulnerabilities and captures the malware as it attempts to infect it. It's not very useful for detecting new exploits, but it's great for building a picture of what's trying to attack your systems, and for learning how honeypots operate.

Analyzing data you collect can be a bit of a chore, so the authors of Nepenthes included an automatic query to Norman's Sandbox. Norman's Sandbox is an automated malware analyzer. Enter your e-mail address into the submit-file.conf, and Norman's Sandbox will e-mail its reports to you.

Visit Nepenthes for downloads and more information, and this Create a simple honeypot with Debian and Nepenthes article will get you up and running quickly. The best reference book of all is "Honeypots: Tracking Hackers" by Lance Spitzner. Honeypots: Definitions and Value of Honeypots is another great starting reference.

This article was originally published on Sep 24, 2007
Page 1 of 1

Thanks for your registration, follow us on our social networks to keep up-to-date