Date: Sun, 25 Jun 2000 07:20:49 +0200
From: Stephan Holtwisch <sh@rookie.org>
To: freebsd-security@freebsd.org
Subject: Re: jail(8) Honeypots
Message-ID: <20000625072049.A48985@rookie.org>
In-Reply-To: <20000624125540.A256@dialin-client.earthlink.net>; from cristjc@earthlink.net on Sat, Jun 24, 2000 at 12:55:40PM -0700
References: <20000624125540.A256@dialin-client.earthlink.net>
Hello,

On Sat, Jun 24, 2000 at 12:55:40PM -0700, Crist J. Clark wrote:
> I searched the mail archive and read the jail(8) manpage and was
> surprised not to see any discussion of using jail for a honeypot,
> an IDS. If I understand things correctly, one of the primary
> motivations for the jail command is to isolate potentially exploitable
> daemons and other programs so any damage done by an attacker is
> minimized. It seems to me that it is such a logical extension to run a
> _known_ exploitable process in a jail then watch for and document
> attacks from outside that some people out there must be doing it.
>
> So, is anyone out there doing this? Have any hints, gotchas, or really
> cool ideas to share about setting a system like this up? It seems that
> there are lots of possibilities. One good box could look like
> multiple machines running the same or different exploitable programs
> to an attacker.
>
> If no one out there is, I am going to give it a shot anyway. I'd still
> appreciate any ideas.

I do not know the jail implementation in FreeBSD too well. However, to me
it seems a very bad idea to run _known_ vulnerable software within a jail,
since that would mean the jail implementation must not have bugs. You
wouldn't run buggy software in a chrooted environment either, would you?

In addition to this I don't see a real sense to run a 'victim' host as an
IDS, where is the purpose of that? It may be fun to watch people trying to
mess up your system, but most likely you will just catch lots of script
kiddies.

Stephan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000625072049.A48985>
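The reply's caveat is that a jail holding a known-vulnerable service is only as strong as the jail implementation itself, so a practitioner who goes ahead anyway will want to minimise what the jail permits and verify that on a running system. The script below is an added example for this thread, not code from the thread, from FreeBSD or from either author. It parses `jls -n` style output (one jail per line, space-separated `name=value` tokens, booleans printed as `param` or `noparam`, e.g. `allow.noraw_sockets`; this format and the parameter names are assumed from modern FreeBSD releases, which postdate this 2000 message) and flags jail parameters that widen the blast radius of a compromise inside the jail. The sample output is constructed, not captured from a real host.

```python
"""Audit FreeBSD jail parameters from `jls -n` style output.

Added example for the jail(8) honeypot thread; not code from FreeBSD or
from the thread's authors.  Assumed input format: one jail per line,
space-separated name=value tokens, booleans as `param` / `noparam`.
"""
import shlex

# Constructed sample: one restrictive jail (hp-ftp), one permissive one (hp-web).
SAMPLE_JLS_OUTPUT = """\
jid=1 name=hp-ftp path=/j/hp-ftp host.hostname=hp-ftp ip4.addr=10.0.0.11 securelevel=3 enforce_statfs=2 children.max=0 allow.noraw_sockets allow.nosysvipc allow.nomount allow.nochflags allow.noset_hostname persist
jid=2 name=hp-web path=/j/hp-web host.hostname=hp-web ip4.addr=10.0.0.12 securelevel=-1 enforce_statfs=0 children.max=1 allow.raw_sockets allow.sysvipc allow.mount allow.chflags allow.set_hostname persist
"""


def parse_jls_line(line):
    """Turn one `jls -n` line into a {parameter: value} dict.

    `key=value` tokens are kept as strings.  Bare tokens are booleans: a
    `no` prefix on the last dotted component means False, so
    `allow.noraw_sockets` becomes allow.raw_sockets=False and `nopersist`
    becomes persist=False.
    """
    params = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            params[key] = value
            continue
        prefix, _, last = token.rpartition(".")
        if last.startswith("no"):
            key = f"{prefix}.{last[2:]}" if prefix else last[2:]
            params[key] = False
        else:
            params[token] = True
    return params


def parse_jls_output(text):
    """Parse every non-empty line of `jls -n` output."""
    return [parse_jls_line(line) for line in text.splitlines() if line.strip()]


def _int(params, key, default):
    """Integer parameter with a fallback when absent or malformed."""
    try:
        return int(params.get(key, default))
    except (TypeError, ValueError):
        return default


# Each check: (finding text, predicate).  Predicate True means the jail is
# more permissive than a honeypot holding vulnerable software should be.
CHECKS = [
    ("securelevel below 2: jailed root keeps kernel protections off",
     lambda p: _int(p, "securelevel", -1) < 2),
    ("enforce_statfs below 2: host mount table visible from inside the jail",
     lambda p: _int(p, "enforce_statfs", 2) < 2),
    ("allow.raw_sockets: jailed processes may craft raw packets",
     lambda p: p.get("allow.raw_sockets", False) is True),
    ("allow.sysvipc: SysV IPC shared with the host",
     lambda p: p.get("allow.sysvipc", False) is True),
    ("allow.mount: jailed root may mount filesystems",
     lambda p: p.get("allow.mount", False) is True),
    ("allow.chflags: jailed root may change system file flags",
     lambda p: p.get("allow.chflags", False) is True),
    ("children.max above 0: nested jails permitted",
     lambda p: _int(p, "children.max", 0) > 0),
]


def audit_jails(text):
    """Return {jail name: [findings]} for every jail in the output."""
    report = {}
    for params in parse_jls_output(text):
        name = params.get("name") or params.get("jid", "?")
        report[name] = [desc for desc, is_bad in CHECKS if is_bad(params)]
    return report


if __name__ == "__main__":
    for jail, findings in audit_jails(SAMPLE_JLS_OUTPUT).items():
        status = "ok" if not findings else f"{len(findings)} finding(s)"
        print(f"{jail}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

On a live host the input would come from `jls -n`; the thresholds encode the usual advice for a jail that is expected to be compromised (high securelevel, no raw sockets, no host mount visibility, no nested jails), and the checks list is the place to add site-specific rules.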