From: Mike Nowlin
To: Poul-Henning Kamp
Cc: "Jeffrey J. Mountin", Cy Schubert - ITSD Open Systems Group, Narvi, security@FreeBSD.ORG
Date: Mon, 26 Jun 2000 03:03:57 -0400 (EDT)
Subject: Re: jail(8) Honeypots

> In other words: a high-fidelity honey pot should probably be a
> machine of its own behind a rather fascist firewall, but as a
> tripwire/indication a jail(8) based honeypot will do just fine.

I'm sure that most people have a 386 floating around that would work nicely for this... You can make them more appealing to break into if you provide lots of fake services - a simple C program can make it accept TCP connect requests on a whole bunch of weird ports - port scanners will jump at finding these machines....

I'll even give the machines away if you pick them up - you get several for buying me a (cheap) lunch. I'm cleaning out the "dump the unused junk in here" rooms at work. :)

--mike

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Understated/funny man-page sentence of the current time period:
From route(4) on FreeBSD-3.4, DESCRIPTION section:
"FreeBSD provides some packet routing facilities."
...duh.......

Mike Nowlin, N8NVW  mike@argos.org  http://www.viewsnet.com
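
The message above mentions a C program that accepts TCP connections on a set of unusual ports. The following is an added example, not code from the message or from the FreeBSD project, of such a decoy listener used as a tripwire: it accepts each connection, logs the source address and the decoy port that was hit, and closes without reading or sending data. The function names `decoy_listen` and `decoy_poll_once` and the port numbers are assumptions chosen for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Illustrative names. Bind one decoy listener on ip:port (port 0 = kernel picks); fd or -1. */
int decoy_listen(const char *ip, unsigned short port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int one = 1, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) == 1 &&
        bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(fd, 16) == 0)
        return fd;
    close(fd);
    return -1;
}

/* Accept, log and close each pending connection; no data is read or sent. Returns hits or -1. */
int decoy_poll_once(struct pollfd *p, int n, int timeout_ms, FILE *out) {
    int i, c, hits = 0;
    if (poll(p, n, timeout_ms) < 0) return -1;
    for (i = 0; i < n; i++) {
        struct sockaddr_in peer = {0}, self = {0};
        socklen_t plen = sizeof peer, slen = sizeof self;
        char src[INET_ADDRSTRLEN] = "?";
        if (!(p[i].revents & POLLIN)) continue;
        if ((c = accept(p[i].fd, (struct sockaddr *)&peer, &plen)) < 0) continue;
        getsockname(c, (struct sockaddr *)&self, &slen); /* local side = decoy port hit */
        inet_ntop(AF_INET, &peer.sin_addr, src, sizeof src);
        fprintf(out, "%ld decoy_port=%d src=%s:%d\n", (long)time(NULL),
                ntohs(self.sin_port), src, ntohs(peer.sin_port));
        close(c);
        hits++;
    }
    return hits;
}

int main(void) {
    unsigned short ports[] = {2323, 6667, 31337}; /* constructed sample ports */
    struct pollfd p[3];
    int i, n = 0;
    for (i = 0; i < 3; i++)
        if ((p[n].fd = decoy_listen("0.0.0.0", ports[i])) >= 0) p[n++].events = POLLIN;
    while (n > 0 && decoy_poll_once(p, n, -1, stdout) >= 0) fflush(stdout);
    return 1;
}
```

No legitimate client has a reason to connect to these ports, so every log line is a tripwire hit and can feed an alert directly.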