When it comes to computer security, honeypots are all the rage. Honeypots can detect unauthorized activities that might never be picked up by a traditional intrusion detection system. Furthermore, since almost all access to a honeypot is unauthorized, nearly everything in a honeypot's logs is worth paying attention to. Honeypots can act as a decoy to keep hackers away from your production servers. At the same time though, a honeypot can be a little tricky to deploy. In this article, I will walk you through the process of deploying a honeypot.
Before we begin
Before I get started, I want to take a moment and point out that there are many different types of honeypot systems. Honeypots can be hardware appliances or they can be software based. Software based firewalls can reside on top of a variety of operating systems. For the most part though, honeypots fall into two basic categories; real and virtual.
A virtual honeypot is essentially an emulated server. There are both hardware and software implementations of virtual honeypots. For example, if a network administrator was concerned that someone might try to exploit an FTP server, the administrator might deploy a honeypot appliance that emulates an FTP server.
Virtual honeypots have both their good and bad points. The primary advantages to virtual honeypots are that they are cheaper, easier to deploy and more secure than real honeypots. The down side is that virtual honeypots will not fool a skilled hacker for long, and they have limited information gathering capabilities.
A real honeypot uses a real server running a real operating system. The main advantage to using a real honeypot is that because a real operating system is involved, the honeypot will react to a hack attempt in exactly the same way that a production server would. Because a real honeypot is not limited to the constraints of an emulator, it can log any type of attempt to breach security, even if the attack uses a previously unknown technique.
There are several negative issues associated with real honeypots though. First, they are expensive. Remember that a real honeypot runs a real operating system. This means that in addition to purchasing the honeypot software, you will also have to purchase server hardware and an operating system license.
Real honeypots are also more difficult to deploy than virtual honeypots are. This is because you must make every effort to secure the honeypot's operating system. That leads me to the most serious negative aspect to real honeypots. If a hacker does manage to take control of a honeypot machine, the honeypot can be used as a staging area from which to attack the rest of the network. In case you are wondering, virtual honeypots can not be used in such an attack.
For the purposes of this article, I will be demonstrating how to set up a virtual honeypot. As I mentioned earlier, honeypots come in all shapes and sizes. For this article, I will be using a Windows based honeypot known as KF Sensor. The Key Focus Web site offers a 14 day trial that you can try out for yourself.
Downloading and installing KFSensor
KFSensor has some modest hardware requirements. At a minimum, it requires a 1 GHz processor, 30 MB of hard disk space, and 128 MB of RAM. The manufacturer recommends a 1.5 GHz processor, 500 MB of hard disk space, 512 MB of RAM, and a SQL database.
The KFSensor download consists of a 1.7 MB self extracting executable file. Download the file and copy it into an empty folder on your computer. When you double click on the file, it will launch a very basic Setup program. The only thing special that you need to know about the Setup process is that it will require a reboot.
After the initial installation completes and the computer has had a chance to reboot, the Setup wizard restarts and walks you through the configuration process. Click Next to bypass the wizard's Welcome screen and you will be prompted to enter a domain name for the honeypot network. You can use your network's real domain name, or you can make something up. The installer cautions you not to use a domain name that someone else already owns though.
The next screen that you will see gives you the chance to transmit alerts through E-mail. If you want to use this feature then enter a To and From address. Click Next to continue. You will now see a screen that asks what components you want to install. KFSensor is designed to detect a lot of different types of intrusions. You can configure KFSensor to emulate a lot of different services, based on the components that you select. For the purposes of this article, select all of the available components and click Next.
The next screen that you encounter asks you if you want to install KFSensor as a system service. The advantage to installing KFSensor as a system service is that the software runs independently of whether or not you are logged into the system. Even if another user were to login, KFSensor will continue to run in the background.
There are a couple of downsides to installing KFSensor to run as a system service though. First, you can only install the software as a system service if you are logged in as a local administrator. The other disadvantage is that if a hacker were to somehow find a hole in the KFSensor software (unlikely, but not impossible), then they could theoretically gain system level permissions over the computer. In my opinion though, you should install the software as a system service. I believe that the benefits outweigh the risks.
Click Next and you will see a screen indicating that Setup is complete. Click Finish to complete the installation process.
Now that installation has completed, it's time to start using KFSensor. When the Setup wizard closes, you will see the main KFSensor screen shown in Figure A.
|This is the main KFSensor screen.|
As you can see, the column on the left contains a list of port numbers and what the port is typically used for. If the icon to the left of a port listing is green, it means that KFSensor is actively monitoring that port for attacks. If the icon is blue, it means that there has been an error and KFSensor is not watching for exploits aimed at that particular port.
In case you are wondering why there are blue, error state icons on my box, it's because I loaded KFSensor onto a Windows 2003 Server that has a copy of Exchange Server 2003 installed on it. The ports that are shown as errors are already in use by Exchange. I'm not recommending that you run KFSensor on an Exchange Server though. The machine that I am running KFSensor on is a lab machine, not a production server.
Once you've got the software up and running, one of the best things that you can do is to test the software by launching a port scan against the machine that's running KFSensor. For the port scan, I am using a shareware utility that I got from download.com called HostScan. It simply scans a block of IP addresses, looking for open ports. Figure B shows how the KFSensor reacts to a partial port scan.
|This is how the KFSensor console looks after a partial port scan.|
If you look at Figure B, you will notice that the icons next to ports that were scanned turn red to indicate recent activity. You will notice that there is a summary of all of the detected activity in the column to the right. The icon next to each entry is color coded either red or yellow according to the severity of the event. You can also click on any of the individual ports, and the column on the right will display only events related to that specific port. You can then double click on an event to gain more detailed information about it. For example, you can determine the event's start and end time, the IP address of the machine that the activity is coming from, and even the domain that the attacking machine belongs to.
Building an activity log
OK, so we've proven that the honeypot can detect activity, and we've even logged some activity. That's great for short term testing, but in a real life situation, you would probably want to log activity to a database. That way you have a more permanent record of the activity. Having such a record is important in case you need to do some in depth forensics or in case you need to get law enforcement involved after a security breach.
Don't get me wrong. KFSensor does log activity by default, but it uses a text file rather than a database. The reason why it's important to use a database is because a database generally has a higher capacity and makes it easier to search for what you need than a text file does. Furthermore, if a hacker were to figure out that you were running KFSensor, and they were able to gain control over the system, then they could easily erase the log file to cover their tracks.
The database of choice for KFSensor is SQL. Simply create a SQL database in the usual manner. After doing so, select the Log Database command from the KFSensor console's Settings menu. When you do, you will see the dialog box shown in Figure C. Simply fill in the blanks to connect KFSensor to the database that you have created.
|The Database Log dialog box allows you to connect KFSensor to a SQL database.|
Modifying the honeypot's behavior
So far I have shown you how to deploy a KFSensor based honeypot and how to log the data that is collected. The last thing that I want to show you is how to change the honeypot's behavior. Like most honeypots, KFSensor is rules based. All of the data that was produced in Figure B was the result of KFSensor detecting certain types of activity and then using a rule to determine what type of action should be taken. The nice thing about KFSensor is that you can easily modify the existing rules or add your own.
To create or modify rules, select the Edit Active Scenario command from the Scenario menu. When you do, you will see a dialog box which contains a summary of all of the existing rules. You can either select a rule and click the Edit button to edit a rule, or you can click the Add button to create a new rule. Both procedures work similarly.
Click the Add button and you will see the Add Listen dialog box, shown in Figure D. The first thing that this dialog box asks for is a name. This is just a name for the rule. Pick something descriptive though, because the name that you enter is what will show up in the logs whenever the rule is triggered.
|The Add Listen dialog box allows you to create your own rules.|
The next few fields are protocol, port, and Bind Address. These fields allow you to choose what the rule is listening for. For example, you could configure the rule to listen to TCP port 1023 on IP address 192.168.1.100. The bind address portion of the rule is optional though. If you leave the bind address blank, the rule will listen across all of the machine's NICs.
Now that you have defined the listener, it's time to configure the action that the rule takes when traffic is detected on the specified port. Your options are close, read and close, Sim Banner, and Sim Std Server. The close option tells the rule to just terminate the connection. Read and close logs the information and then terminates the connection. The Sim Std Server and Sim Banner options pertain to server emulation. The Sim Banner option allows you to perform a very simple server emulation, such as what you might use to emulate an FTP server. The Sim STD Server option allows you to emulate a more complex server, such as an IIS server. If you choose to use one of the sim options, you will have to fill in the simulator's name just below the Time Out field.
The other part of the Action section that's worth mentioning is the severity section. You saw in Figure B that KFSensor treated some events as severe and other events as a more moderate threat. The dialog box's Severity drop down list allows you to determine what level of severity should be associated with the event that you are logging.
The final portion of the Add Listen dialog box is the Visitor DOS Attack Limits section. This section allows you to prevent denial of service attacks against KFSensor. You can determine the maximum number of connections to the machine per IP address (remember that this applies on a per rule basis). If your threshold is exceeded, you can choose to either ignore the excessive connections or you can lock out the offending IP address.
Now that you have configured the new rule, select the Active check box to enable the rule and click OK. The new rule should now be in effect.