From owner-freebsd-security Sun Jun 25 11:13:53 2000
Delivered-To: freebsd-security@freebsd.org
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
	by hub.freebsd.org (Postfix) with ESMTP id D846437BBD0
	for ; Sun, 25 Jun 2000 11:13:45 -0700 (PDT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.9.3/8.9.3) with ESMTP id UAA13332;
	Sun, 25 Jun 2000 20:13:30 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: "Jeffrey J. Mountin"
Cc: Cy Schubert - ITSD Open Systems Group , Narvi , security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
In-reply-to: Your message of "Sun, 25 Jun 2000 12:48:17 CDT." <4.3.2.20000625122615.00afbf00@207.227.119.2>
Date: Sun, 25 Jun 2000 20:13:30 +0200
Message-ID: <13330.961956810@critter.freebsd.dk>
From: Poul-Henning Kamp
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <4.3.2.20000625122615.00afbf00@207.227.119.2>, "Jeffrey J. Mountin" writes:
>At 08:56 AM 6/25/00 -0700, Cy Schubert - ITSD Open Systems Group wrote:
>> > The thing is a booby-trap. It is somewhat similar to running a simulated
>> > "buggy" application with the sole purpose of catching the would-be
>> > attackers.
>> >
>> > I'm not sure if and how much it pays in the long run.
>>
>>I don't think it would hold up in court, as it would be entrapment. So
>>what would the sense be in setting up a booby-trap?
>
>How so? Only if you are with a law enforcement agency would it be
>entrapment. At least in the US, but then there is a term similar to
>"enticement" (forget the legalese version), which may apply. Doubtful, but
>entirely possible that by attracting bears with a honeypot, which is
>surrounded by a fence, which the bear climbs, falls, and then has recourse
>to turn around and sue you for tempting it. Regardless, I'm fairly certain
>that the authorities would be interested.

If you put a gold-bar on the sidewalk which activated a burglar alarm
if touched, that would be illegal. If you put it inside your locked
house it would be 100% legal, even if it could be seen through the
window.

Setting up a honey-pot host is legal, as long as you don't try to
invite people to break into it. I.e.: don't call it
nah-nah-you-can-t-hack-me.foo.com and don't tell anybody about it.

Jails(8) are probably the currently safest way to do it, but not
the most "authentic" looking way. Finding out that you're in a jail
is trivial and I presume that it will become common knowledge for
script-kiddies RSN.

In other words: a high-fidelity honey pot should probably be a machine
of its own behind a rather fascist firewall, but as a tripwire/indication
a jail(8) based honeypot will do just fine.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.