Intrusion detection on the cheap: Roll your own honeypot

Back up your network security defenses by turning an old PC into an early-warning system for malware and attacks

Deploying a specialized honeypot program such as KFSensor, HoneyPoint, or Honeyd offers many advantages (see "Intrusion detection honeypots simplify network security"). They ease setup, can mimic large networks using a single host, and prevent attackers from carrying out exploits by serving up emulated services instead of full ones. But any old computer -- or Cisco router, Ethernet switch, or control system, for that matter -- can serve as a useful early-warning system.

To use an old PC as a honeypot, start by removing any remaining data, user profiles, and applications (unless you want those applications to be part of your honeypot trap). I generally recommend that the computer receive the same patching and antimalware policies and software as the other computers in your environment; you want it to blend in. Then install any software that makes the honeypot attractive to snoops: Web server, SQL Server, FTP, SMTP, NetBIOS file sharing, and so on.

Finally, place the honeypot inside the perimeter, in places that seem to garner a lot of network traffic -- data centers, busy client segments, server farms, and more. Traditionally, honeypots were placed in the DMZ or forward facing on the Internet. For a business, honeypots provide the most value as early-warning systems when they are placed inside the protected perimeter. You want to know what malicious item has made it past the hardened exterior and into the soft, chewy center.

You should enable all logging on the honeypot computer, especially logon auditing and firewall policies set to audit only. You want to catch and alert on any attempted logons, pings, and enumeration activity. You will probably spend a day or two filtering out normal broadcast and exploratory traffic, such as DHCP broadcasts, NetBIOS broadcasts, and push probes from your antimalware install servers. Once all the normal, expected probes are filtered out, alert on everything else. Even the best hackers have to probe and explore an asset to learn how it can be compromised.

When an alert is generated, make sure someone responds and looks to see why the remote origin point is trying to touch a fake asset. Unlike your firewall logs, which are full of noise from events that are often legitimate, a properly filtered honeypot is worth its weight in gold. Every connection attempt and probe needs to be explored.
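The filter-then-alert step described above, as an added example that is not part of the original article: a small Python triage script that reads constructed firewall-style log lines from the honeypot, drops the expected noise (DHCP and NetBIOS broadcasts, plus a hypothetical antimalware push server at 10.0.0.5), and hands everything else to a responder grouped by source. The log layout, addresses, and the 10.1.2.0/24 honeypot segment are assumptions.

```python
import ipaddress

# Constructed sample lines in a pfirewall.log-like layout (not a real capture):
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2010-01-04 09:00:01 DROP UDP 0.0.0.0 255.255.255.255 68 67
2010-01-04 09:00:02 DROP UDP 10.1.2.20 10.1.2.255 137 137
2010-01-04 09:00:03 ALLOW TCP 10.0.0.5 10.1.2.50 49152 445
2010-01-04 09:00:04 DROP TCP 10.1.2.77 10.1.2.50 51000 3389
2010-01-04 09:00:05 DROP ICMP 10.1.2.77 10.1.2.50 - -
2010-01-04 09:00:06 DROP TCP 10.1.2.77 10.1.2.50 51001 1433
"""

EXPECTED_SOURCES = {"10.0.0.5"}              # hypothetical antimalware push server
BROADCAST_NOISE_PORTS = {67, 68, 137, 138}   # DHCP and NetBIOS name/datagram services
HONEYPOT_SEGMENT = ipaddress.ip_network("10.1.2.0/24")  # assumed segment
BROADCAST_ADDRS = {ipaddress.ip_address("255.255.255.255"),
                   HONEYPOT_SEGMENT.broadcast_address}


def parse_line(line: str) -> dict:
    """Split one log line into fields; ports become int, or None when logged as '-'."""
    date, time, action, proto, src, dst, sport, dport = line.split()
    to_port = lambda p: int(p) if p.isdigit() else None
    return {"ts": f"{date} {time}", "action": action, "proto": proto,
            "src": src, "dst": dst, "sport": to_port(sport), "dport": to_port(dport)}


def is_expected_noise(ev: dict) -> bool:
    """True for the benign chatter the article says to filter out first."""
    if ev["src"] in EXPECTED_SOURCES:
        return True
    is_broadcast = ipaddress.ip_address(ev["dst"]) in BROADCAST_ADDRS
    return ev["proto"] == "UDP" and is_broadcast and ev["dport"] in BROADCAST_NOISE_PORTS


def triage(log_text: str) -> list:
    """Return every event that survives the noise filter: each one needs a human look."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [ev for ev in events if not is_expected_noise(ev)]


def summarize_by_source(alerts: list) -> dict:
    """Group alerts by origin so the responder sees a probe sequence, not single lines."""
    by_src = {}
    for ev in alerts:
        by_src.setdefault(ev["src"], []).append((ev["proto"], ev["dport"]))
    return by_src


if __name__ == "__main__":
    for src, probes in summarize_by_source(triage(SAMPLE_LOG)).items():
        print(f"ALERT {src} touched the honeypot: {probes}")
```

With the sample above, the two broadcasts and the push server are dropped, and the single host that tried RDP, ICMP and SQL Server in sequence is what the responder sees.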

Because a honeypot often catches trusted insiders attempting unauthorized acts (in my personal experience, about half of the catches are insiders), it's best if the honeypot is known to only a few people. Use a code word when referring to it in emails, because you never know whether an attacker has compromised your email system. Not even the people assigned to respond to honeypot incidents need to know of its existence. All they need to be told is that an intrusion detection system alerted on the suspicious traffic.

This story, "Intrusion detection on the cheap: Roll your own honeypot," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.