Honeypot Recommendations

Discussion in 'Software' started by PEBKAC, Aug 6, 2012.

  1. PEBKAC

    PEBKAC Private First Class

    I wasn't sure if this inquiry would fit better in "Software" or "Networking". I hope this is the best spot to post...

    I'm wondering if anyone might be able to provide me with recommendations on a decent honeypot. I'm looking for something that can pick up on services like FTP, SSH, Telnet, RDP, etc. My intention is to set it up as an internal network device that would alert via email on any type of connection, since no one should be connecting to it. When an alert is triggered, I'd need to at least know the source IP. My preference would be an open-source (or otherwise "free") solution. I would also like something Windows-based but would settle for something that runs on Linux if there is little or no cost associated with it. "Specter" looks nice, and it has a lot of bells and whistles, but it's also pretty pricy. There appear to be several flavors of these out there. I don't necessarily need something that acts as an open relay for email. If there is a honeypot that you are running, I'd love to hear your recommendations (even if the solution costs something). Thanks!
     
  2. cipher

    cipher Major Geek Extraordinaire

    Don't know if this is exactly what you need, but it does generate logs with IP and Port/Protocol info for you.
    You will have to load up some lists.
    All free, for Windows...

    http://www.peerblock.com/

    sample entry from mine:

    Range             Source         Destination        Protocol  Action
    botnet on Renome  78.26.128.172  xxx.xxx.x.x:29408  UDP       Blocked
     
  3. PEBKAC

    PEBKAC Private First Class

    Hi Cipher,
    Thank you for the response. I looked at PeerBlock but it appears to be an application designed to prevent specific IP addresses from accessing the computer PeerBlock is running on (and vice versa). Although PeerBlock does log activity (in a fashion similar to what a firewall log might look like), it does not appear to alert. It may have worked if I could have it report on connection attempts against particular ports and not just IP addresses; however, I'm looking for a honeypot application that will alert if someone "jiggles the door handle", so to speak. For clarification, I intend to have a computer on the internal network running the honeypot. If someone on the internal network attempts to connect to this system in any way, I want an alert. If someone runs an Nmap scan of the network, looking for common services, I want to receive an alert when it gets to the honeypot. I want the honeypot application to emulate (or at least listen for connection attempts against) a range of services like FTP, SSH, etc. (Something to act like a poor man's IDS.)

    I'm currently looking at Atomic Software Solutions' HoneyBOT...
    http://www.atomicsoftwaresolutions.com/honeybot.php

    I'm still evaluating HoneyBOT but, so far, it seems to do everything I'm looking for--including email alerts. (It also appears to be free.)

    If there are any other recommendations, I'd love to hear them. Thanks!
     
  4. cipher

    cipher Major Geek Extraordinaire

    Yes, PeerBlock's only alert mechanism is to blink the tray icon, which would be nearly constant judging from the activity I see in my logs. I average about 50/hour...

    Thanks for the Atomic info, I'll be checking them out myself...
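
As an added example (not written by the thread's participants and not HoneyBOT's code), this Python listener does what post 3 asks for: it accepts connections on decoy FTP, SSH, Telnet and RDP ports, closes them without emulating a service, and e-mails the source IP, throttled per source and port so an Nmap sweep does not flood the mailbox. The port list, mail addresses and SMTP host are assumed placeholders.

```python
import asyncio
import smtplib
import time
from email.message import EmailMessage

# Assumed values for illustration; none of these come from the thread.
DECOY_PORTS = [21, 22, 23, 3389]            # FTP, SSH, Telnet, RDP
ALERT_FROM = "honeypot@example.internal"
ALERT_TO = "secops@example.internal"
SMTP_HOST = "mail.example.internal"
_last_alert = {}                            # (src_ip, dst_port) -> time of last alert

def should_alert(src_ip, dst_port, now, window=300):
    """One alert per source/port pair per window, so a scan cannot flood the mailbox."""
    key = (src_ip, dst_port)
    if now - _last_alert.get(key, float("-inf")) < window:
        return False
    _last_alert[key] = now
    return True

def build_alert(src_ip, src_port, dst_port):
    """Compose the e-mail for one connection attempt; the source IP goes in the subject."""
    msg = EmailMessage()
    msg["From"], msg["To"] = ALERT_FROM, ALERT_TO
    msg["Subject"] = f"Honeypot touched: {src_ip} -> decoy port {dst_port}"
    msg.set_content(f"Connection from {src_ip}:{src_port} to decoy port {dst_port}.\n")
    return msg

def send_alert(msg):
    with smtplib.SMTP(SMTP_HOST, 25, timeout=10) as smtp:
        smtp.send_message(msg)

def make_handler(dst_port, notify=send_alert):
    async def handle(reader, writer):
        src_ip, src_port = writer.get_extra_info("peername")[:2]
        writer.close()                      # no service emulation: note the touch, hang up
        if should_alert(src_ip, dst_port, time.monotonic()):
            loop = asyncio.get_running_loop()
            await loop.run_in_executor(None, notify, build_alert(src_ip, src_port, dst_port))
    return handle

async def serve(ports=DECOY_PORTS, host="0.0.0.0"):
    servers = [await asyncio.start_server(make_handler(p), host, p) for p in ports]
    await asyncio.gather(*(s.serve_forever() for s in servers))

if __name__ == "__main__":
    asyncio.run(serve())                    # binding ports below 1024 needs elevated rights
```

A half-open SYN scan never completes the TCP handshake, so a listener of this kind only sees connect-style probes; catching SYN scans needs packet-level logging on the host firewall.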
     
