Honeypot overview – what is a honeypot, and why do I want one?
A honeypot server is essentially a fake server – something that presents itself as a real server of one type or another, but has no data or function behind it, other than logging and alerting on any connection activity.
Why would you want something like this? Remember in Chapter 13, Intrusion Prevention Systems on Linux, when we were dealing with false positive alerts? These are alerts that report an attack but are actually triggered by normal activity. Well, honeypots generally only send what you could call "high fidelity" alerts. If a honeypot triggers, it's either because of real attacker behavior or because of a misconfiguration.
For instance, you might have a honeypot SQL server up in your server's VLAN. This server would be listening on port 1433/tcp (SQL) and possibly also on 3389/tcp (Remote Desktop). Since it's not an actual SQL server, it should never (ever) see a connection on...
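To make the idea concrete, here is a minimal decoy listener of the kind the paragraph describes. It is an added example written for this page, not code from the book or from any honeypot project: it binds the two ports named above (1433/tcp and 3389/tcp), emulates no protocol at all, and turns every accepted connection into a JSON alert line that names the source, the decoy port and the first bytes the client sent. The allow list of "expected" sources (a hypothetical address, 10.0.0.5, standing in for an authorised vulnerability scanner) is an assumption added to illustrate the misconfiguration case from the text: hits from such hosts are downgraded to informational rather than treated as attacks.

```python
"""Minimal TCP honeypot: listen on decoy ports, accept, log, alert, close.

Example code written for this page (not the book's own). Nothing real
listens on these ports, so every connection is suspect by definition.
"""
import json
import socket
import threading
import time
from dataclasses import dataclass

# Decoy ports from the text and the service each one pretends to be.
DECOY_PORTS = {1433: "mssql", 3389: "rdp"}

# Hypothetical allow list (constructed): hosts that are *expected* to touch
# the decoys, e.g. an authorised vulnerability scanner. A hit from one of
# these is a tuning/misconfiguration note, not an attack alert.
EXPECTED_SOURCES = frozenset({"10.0.0.5"})


@dataclass
class ConnectionEvent:
    ts: float           # epoch seconds when the connection was accepted
    src_ip: str
    src_port: int
    dst_port: int
    service: str        # what the decoy pretends to be
    first_bytes: bytes  # whatever the client sent first (may be empty)


def classify(event: ConnectionEvent, expected=EXPECTED_SOURCES) -> str:
    """Every connection is suspect; only listed sources are downgraded."""
    return "expected_source" if event.src_ip in expected else "alert"


def alert_record(event: ConnectionEvent) -> dict:
    """Build the structured alert; severity follows the verdict."""
    verdict = classify(event)
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(event.ts)),
        "msg": "honeypot connection",
        "verdict": verdict,
        "severity": "high" if verdict == "alert" else "info",
        "src_ip": event.src_ip,
        "src_port": event.src_port,
        "dst_port": event.dst_port,
        "service": event.service,
        "first_bytes_hex": event.first_bytes.hex(),
    }


def format_alert(event: ConnectionEvent) -> str:
    """One JSON line per connection, ready for a log collector or SIEM."""
    return json.dumps(alert_record(event), sort_keys=True)


def handle_connection(conn: socket.socket, peer, dst_port: int) -> ConnectionEvent:
    """Read a little of what the client sends, then drop the connection.

    No service is emulated; the decoy exists only to observe and report.
    """
    conn.settimeout(2.0)
    try:
        data = conn.recv(64)
    except (socket.timeout, OSError):
        data = b""
    finally:
        conn.close()
    return ConnectionEvent(time.time(), peer[0], peer[1], dst_port,
                           DECOY_PORTS.get(dst_port, "unknown"), data)


def serve(bind_ip: str, port: int, stop: threading.Event, sink) -> None:
    """Accept loop for one decoy port; each alert line is passed to sink()."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_ip, port))
        srv.listen(8)
        srv.settimeout(0.5)  # wake periodically to check the stop flag
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            sink(format_alert(handle_connection(conn, peer, port)))


def main() -> None:
    """Run one listener thread per decoy port until interrupted."""
    stop = threading.Event()
    for port in DECOY_PORTS:
        threading.Thread(target=serve, args=("0.0.0.0", port, stop, print),
                         daemon=True).start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        stop.set()


if __name__ == "__main__":
    main()
```

Run it on a host where nothing else owns 1433 or 3389, and point your log shipper at its stdout. Because the listener speaks no protocol, a scanner will see the ports as open but get nothing back; that is enough to record who knocked, which is the whole point of a "high fidelity" alert source.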