Honeypot Report
Jeff Meadows
Executive Overview
For system administrators of the 21st century, the largest and most
persistent security threat to their networks has been, and continues to be, the
public Internet. Allowing users Internet access while maintaining a safe
environment for internal computer networks has become a constant
paradox: an increase in interconnectivity and resource access also means
more potential security holes for attackers to exploit. Firewalls and Intrusion
Detection Systems have helped to lessen this conflict by managing
Internet and network access more intelligently, but security-minded sysadmins
are constantly looking for better methods to outwit and out-hack those who
would attack their networks.
Recently, more and more attention has been focused on the use of
specialized computers and network systems known as honeypots. Honeypots are
set up to look enticing to attackers, yet perform no real function: they
act as decoys to draw attention away from actual systems such as web and mail
servers or protected internal networks. In addition to their distraction value,
honeypots are also capable of monitoring and logging attacker activity for
review by the system administrators: this allows the admins to gather information
about attackers and adjust security measures to block them more efficiently.
LaBrea will also install several other packages it requires to run, namely
libc6, libdumbnet1, and libpcap. libpcap is the Linux counterpart to WinPcap:
it enables packet sniffing. libdumbnet, on the other hand, gives LaBrea
access to packet-manipulation abilities such as address spoofing. More
details on the LaBrea Ubuntu package can be found here:
http://packages.ubuntu.com/maverick/labrea.
After the apt-get tool has finished installing LaBrea, the administrators
of the network should thoroughly read the man page and README file. Once
installed, LaBrea must be run from the command line to take effect (this
gives administrators a chance to specify precisely how LaBrea should
operate, via command-line options). LaBrea must be run with
superuser privileges: failing to do so will cost several hours of
productivity spent trying to figure out why libdnet isn't working (as you can
probably tell, the author knows this from experience). Before attempting to
run LaBrea from the command line, it is recommended that you fully research what
each option/switch does and design a customized command to fit your
network. More information is available in the Configuration section of this
report.
After running the LaBrea command, use the "ps -A" command to show
all the active processes on your machine. The process list generated is
usually quite long, so piping it into vi or gedit (any text editor with a search
function) should help. You should see something like this:
      1 ?        00:00:00 init
      2 ?        00:00:00 kthreadd
This confirms that the LaBrea command was successful, and that LaBrea
is now running on your machine as an independent process.
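The install-run-verify steps above can be turned into a small pre-flight script. This is an added example, not part of the original report or of LaBrea itself; it assumes an Ubuntu host with dpkg, checks only the two dependency package names the report lists (libpcap's exact dpkg name is left out), and searches "ps -A" style output (PID TTY TIME CMD) instead of paging through it in an editor.

```shell
#!/bin/sh
# Pre-flight and post-launch checks for LaBrea (added example, not from the report).

# LaBrea must run with superuser privileges, otherwise libdnet cannot open the
# interface and fails in ways that are slow to diagnose.
require_root() {
    [ "$(id -u)" -eq 0 ]
}

# Confirm a runtime dependency is installed; dpkg-query exits non-zero for
# unknown packages and prints the status for known ones.
pkg_installed() {
    dpkg-query -W -f='${Status}\n' "$1" 2>/dev/null | grep -q 'install ok installed'
}

# Search a "ps -A" listing (read from stdin) for an exact command name.
# Prints every matching PID and returns 0 when at least one is found,
# 1 otherwise, so it can be used directly in an if/||.
find_process() {
    awk -v name="$1" '$4 == name { print $1; found = 1 } END { exit !found }'
}

main() {
    require_root || { echo "run as root: libdnet needs superuser privileges" >&2; exit 1; }
    for pkg in libc6 libdumbnet1; do
        pkg_installed "$pkg" || { echo "missing dependency: $pkg" >&2; exit 1; }
    done
    # Launch with whatever options were designed for this network (see the
    # Configuration section); "$@" after --check is passed straight to labrea.
    labrea "$@" || exit 1
    if pids=$(ps -A | find_process labrea); then
        echo "LaBrea is running (PID(s): $(echo "$pids" | tr '\n' ' '))"
    else
        echo "LaBrea did not appear in the process list" >&2
        exit 1
    fi
}

# Only perform the live checks when explicitly asked, e.g.:
#   sudo ./labrea-check.sh --check -z -i eth0
case "${1:-}" in
    --check) shift; main "$@" ;;
esac
```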
*This document is a redacted version of the full Labrea report. Please contact
jeffkmeadows@gmail.com for a full version.*