Date: Sun, 25 Jun 2000 14:23:35 -0500
To: Poul-Henning Kamp
From: "Jeffrey J. Mountin"
Subject: Re: jail(8) Honeypots
Cc: security@FreeBSD.ORG

At 08:13 PM 6/25/00 +0200, Poul-Henning Kamp wrote:
>If you put a gold-bar on the sidewalk which activated a burglar alarm
>if touched, that would be illegal.

Inciting a riot for the mad rush upon seeing it and disturbing the peace for the alarm. Not to mention the regulations pertaining to the ownership of large quantities of gold.

>If you put it inside your locked house it would be 100% legal, even
>if it could be seen through the window.

Just hope your insurance agent doesn't find out. ;)

>Setting up a honey-pot host is legal, as long as you don't try to
>invite people to break into it. Ie: don't call it
>    nah-nah-you-can-t-hack-me.foo.com
>and don't tell anybody about it.

You can invite, but then must accept the loss of legal recourse to any and all who answer the call. Bad idea. Better that they stumble upon it. Likewise it is, IMO, best not to brag about security. Even to customers one should be somewhat vague.

>Jails(8) are probably the currently safest way to do it, but not
>the most "authentic" looking way. Finding out that you're in a
>jail is trivial and I presume that it will become common knowledge
>for script-kiddies RSN.
>
>In other words: a high-fidelity honey pot should probably be a
>machine of its own behind a rather fascist firewall, but as a
>tripwire/indication a jail(8) based honeypot will do just fine.

Agreed, but some may wish to leave the door open just a tad more for the honeypot. Not too obvious. Still there is the issue of triggering. What if they try for a "real" server? Better if any IDS were part of the firewall itself.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve