From owner-freebsd-security Sat Jun 24 23:13:21 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.rookie.org (mail.rookie.org [212.43.72.181]) by hub.freebsd.org (Postfix) with ESMTP id 537B437B531 for ; Sat, 24 Jun 2000 23:13:13 -0700 (PDT) (envelope-from dfens@rookie.org)
Received: by mail.rookie.org (Postfix, from userid 1000) id 7728BF805; Sun, 25 Jun 2000 07:20:49 +0200 (CEST)
Date: Sun, 25 Jun 2000 07:20:49 +0200
From: Stephan Holtwisch
To: freebsd-security@freebsd.org
Subject: Re: jail(8) Honeypots
Message-ID: <20000625072049.A48985@rookie.org>
References: <20000624125540.A256@dialin-client.earthlink.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20000624125540.A256@dialin-client.earthlink.net>; from cristjc@earthlink.net on Sat, Jun 24, 2000 at 12:55:40PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

On Sat, Jun 24, 2000 at 12:55:40PM -0700, Crist J. Clark wrote:
> I searched the mail archive and read the jail(8) manpage and was
> surprised not to see any discussion of using jail for a honeypot,
> an IDS. If I understand things correctly, one of the primary
> motivations for the jail command is to isolate potentially exploitable
> daemons and other programs so any damage done by an attacker is
> minimized. It seems to me that it is such a logical extension to run a
> _known_ exploitable process in a jail then watch for and document
> attacks from outside that some people out there must be doing it.
>
> So, is anyone out there doing this? Have any hints, gotchas, or really
> cool ideas to share about setting a system like this up? It seems that
> there are lots of possibilities. One good box could look like
> multiple machines running the same or different exploitable programs
> to an attacker.
>
> If no one out there is, I am going to give it a shot anyway. I'd still
> appreciate any ideas.
I do not know the jail implementation in FreeBSD too well. However, to me it seems a very bad idea to run _known_ vulnerable software within a jail, since that would mean the jail implementation must not have bugs. You wouldn't run buggy software in a chrooted environment either, would you? In addition to this, I don't see any real sense in running a 'victim' host as an IDS; where is the purpose of that? It may be fun to watch people trying to mess up your system, but most likely you will just catch lots of script kiddies.

Stephan