Mission of our research honeypot
-To create a realistic incident response environment
-Detect an attack and the resulting compromise
-Examine the evidence left by both the attack and the compromise
-Fully understand the chain of events
-Identify the hacker (or get as close to him as possible)
What is a Research Honeypot?
-A system or group of systems deployed specifically so that a hacker can be observed probing, attacking and exploiting its network services
-Must have traffic capture abilities (every packet in and out is recorded)
-Must maintain control over outbound network traffic, so that a compromised honeypot cannot be used to attack third parties
-The system should be identical to a production system in every possible way
-Should be as weak or as strong as the hacker you want to attract
-You must be able to quickly and effectively isolate the system before a successful intruder can attack others
Our Research Solution
-Linux PCs running Apache web servers (the honeypots)
-OpenBSD layer 2 bridge in front of them (a transparent bridge typically carries no IP address on its member interfaces, so the attacker sees no extra hop)
-Packet Filter (pf) firewall on the bridge, enforcing the outbound traffic control
-Snort NIDS
-AIDE file system integrity checker (baseline database taken before the honeypot goes live)
-Tcpdump for full packet capture
-Ethereal (now Wireshark) protocol analyzer for offline analysis of the captures
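The bridge's pf ruleset is where the "control over outbound traffic" requirement is actually enforced. The following pf.conf is an added example, not the configuration of the deployment described here; it assumes interface names em0 (Internet side) and em1 (honeypot side), the TEST-NET addresses 192.0.2.10 and 192.0.2.11 for the two honeypots, a per-honeypot budget of 15 new outbound TCP connections per hour, and current pf/ifconfig syntax, which postdates the 2001-era setup on this page.

```conf
# /etc/pf.conf for the OpenBSD bridge (added example, not the page's own config).
# Assumed, not from the page: em0 faces the Internet, em1 faces the honeypot
# segment, honeypots are 192.0.2.10 (RH 6.2) and 192.0.2.11 (RH 7.0).
#
# Bridge setup (run once, or put into /etc/hostname.* files):
#   ifconfig em0 up ; ifconfig em1 up
#   ifconfig bridge0 create
#   ifconfig bridge0 add em0 add em1 up
#   pfctl -e -f /etc/pf.conf

ext_if    = "em0"
int_if    = "em1"
honeypots = "{ 192.0.2.10, 192.0.2.11 }"

# Honeypots that exceed the outbound connection budget land here and stay cut
# off until an analyst clears the table (pfctl -t overrun -T flush).
table <overrun> persist

# A bridge sees the same packet on both member interfaces; filter on the
# outside interface only so each packet is evaluated exactly once.
set skip on { lo0 $int_if }
set loginterface $ext_if

# Default deny, logged: anything not matched below shows up on pflog0.
block log all

# Isolation: a honeypot that tripped the limit gets nothing out at all.
block out log quick on $ext_if from <overrun> to any

# Data capture side: attackers may reach the honeypots without restriction.
pass in log on $ext_if inet proto { tcp, udp, icmp } from any to $honeypots keep state

# Data control side: outbound TCP from a honeypot is allowed, but at most
# 15 new connections per hour per honeypot (assumed budget). Exceeding it
# moves the source into <overrun> and kills all of its existing states.
pass out log on $ext_if inet proto tcp from $honeypots to any flags S/SA \
    keep state (max-src-conn-rate 15/3600, overload <overrun> flush global)

# Outbound UDP and ICMP (DNS lookups, pings) get a small state budget instead.
pass out log on $ext_if inet proto { udp, icmp } from $honeypots to any \
    keep state (max 20)
```

Because every rule carries `log`, `tcpdump -n -e -ttt -i pflog0` shows each decision the bridge makes, which is the timeline the incident reconstruction starts from; `pfctl -t overrun -T show` tells you which honeypot has been isolated. The budget of 15 connections per hour is a trade-off: high enough that the intruder can fetch his toolkit and not notice the honeypot immediately, low enough that a scan or flood against a third party is stopped within seconds.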
The Servers
-Default but patched installations
-RedHat Linux 6.2 (the lower bar)
-RedHat Linux 7.0 (the higher bar)
-Neither showed vulnerable services when scanned with the Nessus vulnerability scanner (a clean scan only covers the checks Nessus had at the time of the scan)
-Default Apache web page showing
-All devices time synchronized using NTP, so that pf logs, Snort alerts, packet captures and AIDE reports can be correlated into one timeline
Study Hacker 01
Sunday, October 17, 2010 | 3:33 AM