Thursday, August 7, 2008

Fresh start

Sweet! I got the WEB GUI running after getting some more help from the mailing list.

I submitted my question and 20 minutes later it was up and running and I could easily configure my Honeywall through a nice Web Interface which is way more intuitive than the old school one.

BUT after only about 20 minutes, the W2K box was flooded with worms, spyware and other pretty uninteresting stuff so I decided to ditch the whole project as it were and start again - this time at a little higher level to avoid that whole worm/spyware crap.

For starters, a Windows 2000 Pro box will get compromised by worm and other automated traffic in about 3 minutes whether you surf online or not, and this is NOT what I am looking for at all. So because of this I decided to kick it up a notch and install a Win 2003 x64 enterprise edition as my honeypot. I will patch it with the latest available Microsoft updates and install some services like IIS and perhaps SQL.

In addition to this, I want to add some sort of Linux box to the mix with some vulnerable services (I'm hoping that the Linux boxes won't attract so much automated worm traffic).

I have now learned how to configure the Honeywall under VMware, set it up as a bridge for other VMware machines and get the Web GUI running.

Therefore I'm guessing this set-up will be complete within a day or two and when it is done I will finally have a honeypot which has a level of security that will exclude the risk of getting flooded with worm traffic but still will look appealing to anyone who might be interested in doing some damage.

I'm sorry that I don't have any screens of the Honeywall and how the GUI looked when it was monitoring the W2K box, but if you give me some time now I will give you everything you desire and more :) Plus, it will be much more interesting to analyze the actions performed by an actual person as opposed to the automated traffic from worms etc.
