The hackers' honey-pot overload (idea)

A few points to think about if you're going to build a honeypot:

1. Hackers ('crackers' for you slashbots in the audience) are not stupid. A machine with every port open is obviously a honeypot, and will be ignored. You have to make the machine look interesting and vulnerable without being too obvious about it. Think about it - if you're trying to catch burglars, would you put the trap behind a door that said "TREASURE ROOM - BURGLARS PLEASE IGNORE" in flashing yellow neon?

2. Open ports actually make scans run faster. Most scanning programs have a variety of techniques to find open ports, but in essence they are all the same - Send some data to each port, and wait for a response. If there's no response after a few seconds, the port is probably closed or firewalled off. If you have every port open, the server will respond on every port, and the scanner does not have to wait for the timer to expire to decide if each port is closed.

3. Having every port respond as if it were a ftp or telnet server is uninteresting. Nobody sits around trying random usernames and passwords. For the most part, your average hax0r is going to be looking for exploitable services. You want to make the machine look as if it's running an old version of Red Hat or Solaris - something that is widely known to be remotely rootable. Similarly, old versions of bind, wu-ftpd, sendmail, and rpc.mountd are widely known to be easily exploited. Making your honeypot pretend to have common security holes is a great way to confuse and annoy. But remember:

4. Don't get cocky. Nothing will make a would-be hacker redouble his efforts more quickly than some mocking message saying "HAHA_CAUGHTYA_J00_ARE_LAME". There's a great big 'net out there, and there are hundreds of other machines much easier to penetrate than yours. You want him to waste his time, get bored, and leave. Mocking him presents a new and interesting challenge. That's when the trouble starts.

Personally, I have my doubts about the usefulness of honeypots, but if you're gonna build one, use your head. You're building this machine to lure people in. This means you will attract attention. Don't be surprised if eventually someone sees past your clever ruse and hits you where it hurts.