Honeypot Configuration Modes
① Deception service
A deception service is an application that listens on a specific IP service port and answers network requests the way the real application service would. DTK is one such product. The trick DTK uses to attract attackers works, but because it interacts with them by imitating a system with exploitable vulnerabilities, its responses can be very limited. Throughout the exchange every action is recorded, plausible responses are returned, and the system appears insecure to the intruder. For example, when the deception service is configured in FTP mode and an attacker connects to port TCP/21, the attacker receives an FTP banner sent by the honeypot. If the attacker takes the deception service for a real FTP server worth attacking, they will attack that "FTP service" to get into the system, and the system administrator can record the details of the attack.
② Weakened system
A weakened system is simply a computer running Microsoft Windows or Red Hat Linux without patches, exposed to the external Internet. This makes it easy for attackers to get into the system, and the system can collect useful attack data. Because hackers may tamper with the computer's logging and auditing functions, an additional logging system is needed that stores and backs up the log records remotely. Its disadvantage is "high maintenance, low return": capturing attack behaviour that is already known has little value.
③ Hardened system
The hardened system provides a real environment, like the weakened system, but it has been armed so that it looks secure enough. When attackers break in, the honeypot starts collecting information and can gather the most useful data in the shortest time. Running this kind of honeypot requires a system administrator with a high level of expertise: if the attacker is more skilled, they may well take over the administrator's control of the system and use it to attack other systems.
④ User-mode server
A user-mode server is a user process running on a host that is made to look like a real server. On a real host, each such application is presented as an operating system and service with its own independent IP address. The user-mode server is nested in the application space of the host operating system: when an Internet user sends a request to the IP address of the user-mode server, the host accepts the request and forwards it to the user-mode server. (We use this figure to express the relationship between them.) The success of this mode depends on how convincingly the attacker is deceived and on how far they get in. Its advantage is that the system administrator has absolute control over the host; even if the honeypot is compromised, the user-mode server is only a user process, so the administrator merely has to kill the process. In addition, the firewall and IDS can be centralized on the same server. Its limitation, of course, is that it is not available on all operating systems.
Honeypot Information Collection
Once we notice that an attacker has entered the honeypot, the next task is data collection, which is the other technical challenge in setting up a honeypot. The honeypot operator can see clearly what the hacker is doing as long as every packet going into and out of the system is recorded. The log files on the honeypot itself are also a good source of data, but attackers delete them easily. The usual method is therefore to have the honeypot send log backups to a remote syslog server on the same network that has a sound defence of its own. (Be sure to monitor that log server at the same time: if an attacker breaks into it using a new method, the honeypot will undoubtedly have proved its value.)
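The two ideas above, the FTP deception service that greets on TCP/21 and records every command, and the honeypot that ships its records to a remote syslog server, as one added example (not code from the article or from DTK). The banner text, the client lines, and the log host name are constructed placeholders.

```python
import json
import logging
import logging.handlers
import socketserver
import time

BANNER = "220 ftp.example.internal FTP server ready\r\n"  # constructed greeting
LOG = logging.getLogger("honeypot")

def respond(command: str, state: dict) -> str:
    """Tiny FTP state machine: keeps an intruder talking, never grants a login."""
    verb, _, arg = command.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":
        state["user"] = arg
        return "331 Password required.\r\n"
    if verb == "PASS":
        state["pass"] = arg  # the attempted credential is captured; login always fails
        return "530 Login incorrect.\r\n"
    if verb == "QUIT":
        return "221 Goodbye.\r\n"
    return "530 Please login with USER and PASS.\r\n"

def run_session(peer: str, lines, send, sink) -> dict:
    """Greet, then log each command line to `sink` (JSON) *before* answering it
    via `send`. Accepts any iterable of lines, so it runs without a socket."""
    state = {}
    send(BANNER)
    for line in lines:
        cmd = line.rstrip("\r\n")
        sink(json.dumps({"ts": time.time(), "peer": peer, "cmd": cmd}))
        reply = respond(cmd, state)
        send(reply)
        if reply.startswith("221"):
            break
    return state

class FtpDecoy(socketserver.StreamRequestHandler):
    def handle(self):
        lines = iter(lambda: self.rfile.readline().decode("utf-8", "replace"), "")
        run_session(self.client_address[0], lines,
                    lambda s: self.wfile.write(s.encode()), LOG.info)

if __name__ == "__main__":
    # Hypothetical remote syslog host over UDP: wiping the honeypot's disk loses no records.
    LOG.addHandler(logging.handlers.SysLogHandler(address=("logserver.example.internal", 514)))
    LOG.setLevel(logging.INFO)
    with socketserver.ThreadingTCPServer(("0.0.0.0", 21), FtpDecoy) as srv:  # port 21 needs root
        srv.serve_forever()
```

Because the record is forwarded before the reply is written, a session that is cut off mid-command still leaves its trace on the log server.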
In recent years, as more and more black-hat groups have adopted encryption, data collection has become much harder. Following the advice of many computer security professionals, they now use SSH and other cryptographic protocols so that network monitoring is powerless against their communications. The honeynet's countermeasure to encryption is to modify the operating system of the target computer so that every keystroke, every transferred file and other information is recorded in the logs of a separate monitoring system. Because attackers might find such logs, the Honeynet Project uses hiding techniques; for example, the typed characters can be concealed inside NetBIOS broadcast packets.