From owner-freebsd-security Sat Jun 24 12:57:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from merlin.prod.itd.earthlink.net (merlin.prod.itd.earthlink.net [207.217.120.156]) by hub.freebsd.org (Postfix) with ESMTP id 9F49E37B730 for ; Sat, 24 Jun 2000 12:57:18 -0700 (PDT) (envelope-from cjc@earthlink.net)
Received: from dialin-client.earthlink.net (pool0860.cvx20-bradley.dialup.earthlink.net [209.179.253.95]) by merlin.prod.itd.earthlink.net (8.9.3-EL_1_3/8.9.3) with ESMTP id MAA12219 for ; Sat, 24 Jun 2000 12:57:08 -0700 (PDT)
Received: (from cjc@localhost) by dialin-client.earthlink.net (8.9.3/8.9.3) id MAA00335 for freebsd-security@freebsd.org; Sat, 24 Jun 2000 12:55:41 -0700 (PDT)
Date: Sat, 24 Jun 2000 12:55:40 -0700
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Subject: jail(8) Honeypots
Message-ID: <20000624125540.A256@dialin-client.earthlink.net>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I searched the mail archive and read the jail(8) manpage and was surprised not to see any discussion of using jail for a honeypot, an IDS.

If I understand things correctly, one of the primary motivations for the jail command is to isolate potentially exploitable daemons and other programs so any damage done by an attacker is minimized. It seems to me that it is such a logical extension to run a _known_ exploitable process in a jail then watch for and document attacks from outside that some people out there must be doing it.

So, is anyone out there doing this? Have any hints, gotchas, or really cool ideas to share about setting a system like this up? It seems that there are lots of possibilities. One good box could look like multiple machines running the same or different exploitable programs to an attacker.

If no one out there is, I am going to give it a shot anyway. I'd still appreciate any ideas.

-- 
Crist J. Clark
cjclark@alum.mit.edu
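As an added sketch (not part of the post above) of the setup it describes: one host carrying several jail(8) honeypots, each bound to its own alias address so it looks like a separate machine, plus an awk report that documents inbound hits per jail from firewall log lines. The jail.conf(5) syntax, the `/jails` paths, the addresses and the ipfw(8) syslog format are assumptions, and the log sample is constructed.

```shell
#!/bin/sh
# Honeypot jails: one stanza per exposed service, each on its own alias IP.
# Assumes modern jail.conf(5) syntax; paths and addresses are constructed.
gen_jail_conf() {
    # $1 = jail name, $2 = alias IP for the jail, $3 = service to run inside
    cat <<EOF
$1 {
    path = "/jails/$1";
    host.hostname = "$1.example.invalid";
    interface = "fxp0";
    ip4.addr = "$2";
    exec.start = "$3";
    allow.raw_sockets = 0;   # no packet crafting from inside the jail
    enforce_statfs = 2;      # hide the host's other mounts
    securelevel = 3;         # immutable flags and firewall rules stay fixed
    mount.devfs;
}
EOF
}

# Constructed ipfw(8) syslog lines: "Accept" rules with "log" on the alias IPs.
LOG_SAMPLE='Jun 24 12:55:40 honey kernel: ipfw: 100 Accept TCP 203.0.113.7:4231 192.0.2.10:21 in via fxp0
Jun 24 12:56:02 honey kernel: ipfw: 100 Accept TCP 203.0.113.7:4232 192.0.2.10:21 in via fxp0
Jun 24 12:57:11 honey kernel: ipfw: 100 Accept TCP 198.51.100.4:51002 192.0.2.11:80 in via fxp0
Jun 24 12:58:30 honey kernel: ipfw: 100 Accept TCP 203.0.113.7:4240 192.0.2.11:80 in via fxp0'

# Summarise inbound hits per honeypot (dst ip:port) and distinct sources.
# Reads syslog lines on stdin; prints one sorted line per honeypot target.
report_hits() {
    awk '/ipfw:/ && / in via / {
        src = $10; sub(/:[0-9]+$/, "", src)     # strip ephemeral source port
        dst = $11                                # jail address and service port
        hits[dst]++
        if (!((dst, src) in seen)) { seen[dst, src] = 1; srcs[dst]++ }
    }
    END { for (d in hits) printf "%s hits=%d sources=%d\n", d, hits[d], srcs[d] }' | sort
}

# Usage: write the config for two honeypots, then report on the sample log.
gen_jail_conf ftphoney 192.0.2.10 "/usr/libexec/ftpd -D"
gen_jail_conf wwwhoney 192.0.2.11 "/usr/local/sbin/httpd"
printf '%s\n' "$LOG_SAMPLE" | report_hits
```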