RE: [Honeywall] SEBEK SERVER & TRIPWIRE Configuration - PLEASEHELP!!!!!!!!!!!

Earl esammons at hush.com
Mon Jul 28 19:20:59 EDT 2008



On Mon, 28 Jul 2008 16:08:58 -0400 "Jefferson, Shawn" 
<Shawn.Jefferson at bcferries.com> wrote:

>As for the other question, you definitely want outbound 
>communication on for your honeypots.  

I argue that this is a very distinct choice to make based on what 
you are after.  If you just want to set up something you never 
really have to worry about being used as a launch point as soon as 
it's owned (something you are unable to watch closely) then turn on 
"Roach Motel" mode (nothing allowed to originate from a pot) and 
let it run.

That said, obviously the joy is *very* limited with no outbound.

>If you go through the interview setup it secures the Honeywall 
> pretty well (IMO), the only thing additional I did on my
>system was add some entries to the fencelist (since I had some
>production systems I don't want the Honeypot to touch at all.)

Excelent!  Exactly what the fencelist was designed for.


>It might be a better idea to post your Honeywall config to the 
>list, so
>that others who have more experience with Honeywall can take a 
>look at
>it.  

Suggest you omit the admin IP unless it's natt-ed or you dont care 
about publishing it.

>but you may have to rebuild it (I had to, since I've made many 
>changes since I originally went through the interview setup).  
>You can rebuild that file by going to 
>Honeywall Administration->Manage configuration subsystem->Create
>/etc/honeywall.conf from /hw/conf files in the menu program.

Nothing wrong with that method... can also be done by:

'dumpvars /etc/honeywall.conf'

Does the same thing without the dialog front-end, unless I'm 
dropping packets.... courtesy of Dave Dittrich :)


Earl



More information about the Honeywall mailing list