Use a Honeypot System to Protect Your Web Server

\[Editor's Note: Email your Windows and .NET security tips or solutions (400 words or less) to Reader to Reader at [email protected] We edit submissions for clarity, style, grammar, and length. If we print your contribution, you receive $100.\]

Honeypots are programs that simulate network services on your computer's ports. To attackers, honeypots are servers that appear to be vulnerable running services that the attackers can use to break into your network. You can use honeypots to log access attempts to those ports—including an attacker's keystrokes. Such information can provide advance warning about concerted attacks. Here's a way to use a honeypot system to protect your Web server.

Suppose your company has an e-commerce Web site. The Web site consists of one Web server, one database server, and an archive server. The Web server is a firewall-protected Windows machine running Microsoft IIS. Visitors connect to the Web site by communicating nonsecurely (i.e., over port 80) with the Web server, which contains the welcome pages and other general information. Visitors log on to the site through a Secure Sockets Layer (SSL) connection (i.e., over port 443), and all further communication is encrypted. Therefore, all sensitive data that comes from the database and other servers is encrypted.

Although this scenario offers reasonable protection, an intruder who uses an IIS exploit to attack the server can easily gain access to deeper system components (e.g., the database server). A honeypot program can help you prevent, or at least delay, an attacker's access to such components.

For example, you can disguise your system so that an attacker who penetrates your Web server obtains false information about the system type and is therefore blind to accessible data. By using a Linux server disguised as a Windows server, you can foil potential intruders.

In this example, the Web server will have two open ports: The first is port 80, which will be the Linux Web server daemon (e.g., Apache) and will present simple welcome pages, and the second is port 443. Redirection software on the Linux server will redirect this port (SSL data) to the operative Windows server.

The operative server will have a virtual IP (VIP) address, so it's inaccessible from the Internet unless the connection occurs through the Linux server. The Web server is behind the Linux server, so an Intrusion Detection System (IDS) placed between the two can provide precise information if an intruder attempts to crack the Web server.

On the Linux server, you need to install Tripwire's Tripwire for Servers ( or a similar host-based IDS that checks file integrity; a redirection program (e.g., portredird at that redirects all SSL requests to the actual Web server; two firewalls, one for each NIC; and the open-source network-based IDS called Snort. By installing Snort between the two firewalls, you can obtain reliable, detailed information about intruder attempts.

By modifying the Linux Web server's source code, you can ensure that if the attacker uses Netcraft ( or a similar basic tool to discover the Web server's OS, he or she will get the false Windows result. You can also modify the Linux shell so that it records successful intruders' keystrokes into the syslog daemon.

Now, even if someone successfully cracks your Linux server, he or she will have fallen into the "spoofing" system's trap. By the time the attacker realizes that he or she has attacked a dummy system, you'll have an email message (or another form of communication that you've enabled) informing you about the crack.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.