A honeypot is a device or system put in place to attract and trap attackers who are trying to gain access to a system. Honeypots are not just a trap for hackers but also a distraction or decoy that draws attention away from more critical systems. They usually present themselves as low-hanging fruit for the attacker. Another very useful feature of a honeypot is its ability to help researchers study attacks or simply collect information. Some honeypots can record every command executed by an attacker, store tools uploaded by the attacker, store usernames and passwords used in password attacks on services such as SSH, generate very complete statistics on probed services, record the geographical location of the attacker, and much more. A honeypot is not designed to address any specific security problem and is not part of a critical corporate system. Because of the position and function of this kind of device, it is safe to assume that all interactions with it are malicious.
High vs. Low Interaction
There are two main types of honeypots: high-interaction and low-interaction. Low-interaction honeypots rely on emulating services and programs that would be found on a vulnerable system. If that service or program is attacked, the system detects the malicious activity and throws an error that can be reviewed by the system owner. It may also be capable of collecting exploit information sent to the target service.
High-interaction honeypots are much more complex and behave more like the real service that the honeypot represents. They may also be much more than a virtual machine (VM) pretending to be an attractive target, for example a complete network, known as a honeynet. Any activity targeted at this tightly controlled and monitored environment is reported. Another difference is that a service is not just emulated as a listening, vulnerable port; it is more like a real system with real applications present. One such application could be an SSH service that a malicious party can attack using a password attack. It would also be possible for the attacker to actually log on and execute commands as if a real server had been penetrated.
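To make the low-interaction model described above concrete, the following Python example is added here and is not code from the original article: it emulates a listening service by sending a decoy banner, records whatever each client sends, and never interprets or executes that input. The class name, the banner string, the loopback bind address and the capture limit are assumptions chosen for the example.

```python
import json
import socket
import threading
import time

BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"   # constructed decoy banner (assumption)
MAX_CAPTURE = 4096                     # cap on bytes kept per connection


class LowInteractionHoneypot:
    """Emulates a listening service: sends a banner, records input, never executes it."""

    def __init__(self, host="127.0.0.1", port=0):
        # Loopback and an ephemeral port are demo defaults (assumption).
        self.events = []                       # one dict per connection
        self._lock = threading.Lock()
        self._sock = socket.create_server((host, port))
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, peer = self._sock.accept()
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        data = b""
        with conn:
            conn.settimeout(2.0)               # a silent client must not hold a thread
            try:
                conn.sendall(BANNER)
                while len(data) < MAX_CAPTURE:
                    chunk = conn.recv(MAX_CAPTURE - len(data))
                    if not chunk:              # client closed the connection
                        break
                    data += chunk
            except OSError:                    # timeout or reset: keep what was captured
                pass
        # Every contact is logged, since all interaction with a honeypot is suspect.
        event = {"ts": time.time(), "src_ip": peer[0], "src_port": peer[1],
                 "bytes": len(data), "payload_hex": data.hex()}
        with self._lock:
            self.events.append(event)

    def dump(self):
        """Return the recorded events as JSON lines for the owner to review."""
        with self._lock:
            return "\n".join(json.dumps(e) for e in self.events)
```

A high-interaction honeypot differs in that it would let the session continue against a real service, rather than stopping at the banner and the captured bytes.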