I'm thinking of setting up a honeypot on my server, since I've been getting many attempted logins from users such as test, guest, apache, etc. The IP ranges tend to vary. And I'm curious as to what these people try to do once they log into a system. And I figure it would be funny to scare them once they get a message from root saying something like: "No fucking around, I am watching!" I have process accounting turned on in my 2.6.6 kernel, and I'm planning on setting the shell to a script which, when called, will run a self-contained system inside a chroot. Therefore the guest user won't have access to the rest of the filesystem; they will be able to play with the things that I give them. I have also disabled root logins via SSH; the user has to su.

Anyone have any other ideas as to what to do while tracking the intruders?

Edit: One more thing I thought of. Keep a realtime tail on their .bash_history file.
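An added example of the "shell set to a script that drops into a chroot" idea, not from the original post: a login-shell wrapper for the decoy accounts that logs who connected from where, records the whole terminal session with `script` (which, unlike tailing .bash_history, also catches commands run with history disabled), and only then enters the jail. The jail path, log directory, the util-linux `script` options and the sudoers rule allowing the decoy user to run only `/usr/sbin/chroot` on the jail are assumptions.

```shell
#!/bin/sh
# honeyshell: login shell for the decoy accounts (test, guest, apache, ...).
# Added example, not from the original post. Assumes: a prepared chroot at
# $JAIL, util-linux `script` (for -c/-a), and a sudoers rule that lets the
# decoy user run only "/usr/sbin/chroot $JAIL" without a password, since
# chroot itself needs root. Install with: chsh -s /usr/local/bin/honeyshell guest

JAIL="${HONEY_JAIL:-/srv/honeypot/jail}"
LOGDIR="${HONEY_LOG:-/var/log/honeypot}"

# One line per session for the watcher to tail: who, from where, when.
# $1 user, $2 value of SSH_CONNECTION ("srcip srcport dstip dstport"), $3 timestamp
session_line() {
    src_ip=$(printf '%s' "$2" | awk '{print $1}')
    src_port=$(printf '%s' "$2" | awk '{print $2}')
    printf '%s user=%s src=%s:%s\n' "$3" "$1" "${src_ip:-local}" "${src_port:-0}"
}

# Where the full terminal recording (keystrokes and output) of a session goes.
# $1 logdir, $2 user, $3 epoch seconds
typescript_path() {
    printf '%s/%s-%s.typescript\n' "$1" "$2" "$3"
}

main() {
    me=$(id -un)
    now=$(date +%s)
    mkdir -p "$LOGDIR"
    session_line "$me" "${SSH_CONNECTION:-}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        >> "$LOGDIR/sessions.log"
    if [ "$1" = "-c" ]; then
        # Non-interactive "ssh host cmd": still confined, command logged verbatim.
        printf '%s user=%s cmd=%s\n' "$now" "$me" "$2" >> "$LOGDIR/commands.log"
        exec sudo /usr/sbin/chroot "$JAIL" /bin/sh -c "$2"
    fi
    # Interactive login: record the whole session, then drop into the jail.
    exec script -q -a "$(typescript_path "$LOGDIR" "$me" "$now")" \
        -c "sudo /usr/sbin/chroot $JAIL /bin/sh -l"
}

# sshd starts a login shell with argv[0] prefixed by "-"; only then run main,
# so the file can also be sourced for checking the helpers without side effects.
case "$0" in -*) main "$@" ;; esac
```

The sessions.log line and the typescript file are what you tail in real time; the process accounting you already have fills in anything the recording misses.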