Honeypot

April 18, 2010

I wanted to increase my security skills by setting up my own honeypot and inspecting the results. A honeypot is a machine with no production purpose, set up to lure an attacker away from valuable resources and to let you observe what is tried against it. I started my honeypot with Apache, MySQL, PHP, SSH, and Postfix. I set up a simple WordPress installation and the ability to send out emails. To keep things simple I made the root password ‘password’ and created another user called ‘user’ with the password ‘password’. I then installed OSSEC and Logwatch to monitor the system. OSSEC is a host-based intrusion detection system (HIDS), and Logwatch parses the logs and sends an email summarizing the important entries. I added this to the ossec.conf file:

<email_alerts>
<email_to>my_phone_number_here</email_to>
<level>10</level>
<format>sms</format>
</email_alerts>

This sends a text message to my phone whenever an alert of level 10 or higher fires. I wanted the text messages so I would know if my SSH server was being brute-forced. I set up this server on Saturday night, and by Sunday at noon I had over 130 text messages! The originating IP was 121.138.219.132, and GeoBytes indicated the source country as South Korea. To avoid that many text messages I changed the ossec.conf to:

<email_alerts>
<email_to>my_phone_number_here</email_to>
<rule_id>40101</rule_id>
<format>sms</format>
</email_alerts>

This sends a text message only when a user logs in through SSH.
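As an added illustration (not the author's code and not OSSEC's own rule set), the script below does in plain Python what the two ossec.conf fragments above asked OSSEC to do: it parses sshd lines from auth.log, raises one brute-force alert per source IP when failed logins inside a short window cross a threshold, suppresses repeat alerts for that IP for an hour so a single attacker does not produce 130 messages, and alerts on every accepted login. The sample log lines, the threshold, the window, the suppression interval, and the year assumed for the syslog timestamps are all constructed for this example and are not OSSEC's values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple

# Constructed sample of OpenSSH auth.log lines (not from the original post).
# One source hammers root/admin/oracle, a second source fails once and then
# succeeds, and the first source returns much later with a single failure.
SAMPLE_LOG = """\
Apr 18 02:10:01 honeypot sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Apr 18 02:10:03 honeypot sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Apr 18 02:10:05 honeypot sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 50126 ssh2
Apr 18 02:10:07 honeypot sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 50128 ssh2
Apr 18 02:10:09 honeypot sshd[2109]: Failed password for root from 203.0.113.7 port 50130 ssh2
Apr 18 02:10:11 honeypot sshd[2111]: Failed password for root from 203.0.113.7 port 50132 ssh2
Apr 18 02:10:13 honeypot sshd[2113]: Failed password for root from 203.0.113.7 port 50134 ssh2
Apr 18 02:10:15 honeypot sshd[2115]: Failed password for root from 203.0.113.7 port 50136 ssh2
Apr 18 02:10:17 honeypot sshd[2117]: Failed password for root from 203.0.113.7 port 50138 ssh2
Apr 18 02:15:30 honeypot sshd[2201]: Failed password for user from 198.51.100.9 port 41002 ssh2
Apr 18 02:15:42 honeypot sshd[2203]: Accepted password for user from 198.51.100.9 port 41004 ssh2
Apr 18 03:30:00 honeypot sshd[2301]: Failed password for root from 203.0.113.7 port 50200 ssh2
"""

# Matches the two OpenSSH password-auth outcomes we care about; "invalid user"
# appears when the account does not exist on the box.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Tuning knobs chosen for this example (OSSEC's real rules use their own).
FAIL_THRESHOLD = 6       # failures inside the window that count as brute force
WINDOW_SECONDS = 120     # sliding window over which failures are counted
SUPPRESS_SECONDS = 3600  # quiet period per IP after a brute-force alert
LOG_YEAR = 2010          # syslog timestamps carry no year; assumed for parsing


class Alert(NamedTuple):
    when: datetime
    kind: str      # "bruteforce" or "login"
    ip: str
    detail: str


def detect(log_text: str, suppress_seconds: int = SUPPRESS_SECONDS) -> List[Alert]:
    """Run the brute-force and successful-login checks over raw auth.log text."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> recent failure times
    last_alert: Dict[str, datetime] = {}                        # ip -> last brute-force alert
    alerts: List[Alert] = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd password event; ignore
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        ip, user = m["ip"], m["user"]

        if m["result"] == "Accepted":
            # Every successful login is worth a message on a honeypot: the
            # only legitimate user is the operator.
            alerts.append(Alert(ts, "login", ip, f"accepted password for {user!r}"))
            continue

        window = failures[ip]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()

        if len(window) >= FAIL_THRESHOLD:
            last = last_alert.get(ip)
            if last is None or (ts - last).total_seconds() >= suppress_seconds:
                alerts.append(Alert(ts, "bruteforce", ip,
                                    f"{len(window)} failed logins in {WINDOW_SECONDS}s"))
                last_alert[ip] = ts

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.when:%b %d %H:%M:%S} {a.kind:<10} {a.ip:<15} {a.detail}")
    print("without suppression:", len(detect(SAMPLE_LOG, suppress_seconds=0)), "alerts")
```

With suppression on, the sample produces exactly two alerts: one brute-force alert for the first source when its sixth failure lands inside the window, and one login alert for the second source. Setting `suppress_seconds=0` shows the problem the author hit: the same attacker then triggers an alert on every further failure.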
