How to deploy a Physical Honeypot

Written by Carl E. Reid on October 24, 2008

This is an excerpt from “Information Warfare: Understanding Network Threats through Honeypot Deployment” by Greg M. Bednarski and Jake Branson of Carnegie Mellon University. They set up several honeypots of different configurations. The results are interesting from each different honeypot scenario.

Deployment Procedures
Deploying a physical Honeypot can be very time intensive and expensive as different operating systems may require specialized hardware. Additionally, every Honeypot requires its own physical system and numerous configuration settings.

Select Hardware for the Host
The first step for deploying a Honeypot is finding a machine that you are willing to sacrifice for the cause of being exploited, hacked and potentially purged of all data.  This can be any computer capable of running the software for data capture and control.

Operating System Installation
The second step includes either making the necessary modifications to the current Operating System or performing a clean installation of a base operating system onto the machine. A clean installation of your target operating system offers the best method of controlling what vulnerabilities exist in the soon-to-be deployed host.

If you decide to keep the current operating system settings you should be aware of the dangers of someone exploiting this machine while it is configured as a Honeypot and released into the wild. For example, sensitive information about you or someone else may be stored on the machine – this information may be corrupted, deleted, or stolen during its lifetime as a Honeypot. If you have chosen to keep the current operating system configuration you may want to perform additional configurations to the machine in order to attract malicious traffic. Some common procedures to make your Honeypot more attractive and susceptible include opening known vulnerable ports, starting known vulnerable services, creating network shared drives, using weak passwords and usernames (if any!), and disabling antivirus or firewall software.

If you decide to perform a disk wipe (format) and clean installation of the operating system your flexibility and range of options increase for the Honeypot. You won’t have to worry about the disclosure of any sensitive information previously stored on the host’s hard drive that the attacker may disclose if he or she gains access. If you decide to go down this path then some of the common tools you may need include the following: a common disk wipe utility such as WIPE, boot disk to create partitions and repartition your wiped hard drive, operating system installation disks, and any other software or applications you prefer to put on the machine. Keep in mind additional software packages may include vulnerabilities useful to a potential intruder.

Network Architecture
Step three involves determining strategic network architecture designed to capture, log, and prevent unauthorized access to other machines on your LAN, as well as capture data to analyze. You want to strategically place and connect your network devices so that there are defined areas of your network where intruder traffic is expected and where intruder traffic is not allowed. You can accomplish this by configuring network devices involved (such as firewalls, intrusion detection systems, other local machines, cable modems or DSL, and the data capture host). Next we examine a sample setup used in common honeypots.

Alerts and Intrusion Detection
Fourth, determine how you are going to check, log, and receive alerts when your Honeypot is experiencing malicious activity such as port scans, connecting to network shares, or other malicious network traffic signatures.
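The four steps above end with alerting on port scans and network-share connections. The following is an added example, not code from the paper or this post, showing one way to implement that alerting over the honeypot's connection log: the log format, IP addresses and thresholds are constructed assumptions, and the logic flags a source that touches many distinct ports in a short window (port scan) or any connection to the NetBIOS/SMB ports (share access).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample connection log in a simple key=value format
# (hypothetical; not taken from the paper or the post).
SAMPLE_LOG = """\
2008-10-24T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2008-10-24T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2008-10-24T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2008-10-24T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2008-10-24T10:00:03 src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2008-10-24T10:00:04 src=203.0.113.7 dst=192.0.2.10 dport=139 proto=tcp
2008-10-24T10:00:05 src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2008-10-24T10:05:00 src=198.51.100.9 dst=192.0.2.10 dport=445 proto=tcp
2008-10-24T10:30:00 src=198.51.100.22 dst=192.0.2.10 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) proto=\S+$"
)
SHARE_PORTS = {139, 445}   # NetBIOS session / SMB: connections to network shares
SCAN_THRESHOLD = 5         # distinct destination ports from one source ...
SCAN_WINDOW_SEC = 60       # ... within this many seconds counts as a port scan

def parse(log):
    """Yield (timestamp, src, dport) for each well-formed line; skip junk lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])

def alerts(log):
    """Return a sorted list of (src, kind) alerts: 'portscan' or 'share-access'."""
    found = set()
    hits = defaultdict(list)   # src -> [(ts, dport), ...] in arrival order
    for ts, src, dport in parse(log):
        if dport in SHARE_PORTS:
            found.add((src, "share-access"))
        hits[src].append((ts, dport))
        # Sliding window: keep only this source's hits from the last SCAN_WINDOW_SEC
        recent = [(t, p) for t, p in hits[src] if (ts - t).total_seconds() <= SCAN_WINDOW_SEC]
        hits[src] = recent
        if len({p for _, p in recent}) >= SCAN_THRESHOLD:
            found.add((src, "portscan"))
    return sorted(found)

if __name__ == "__main__":
    for src, kind in alerts(SAMPLE_LOG):
        print(f"ALERT {kind}: {src}")
```

On the sample log, 203.0.113.7 trips both rules and 198.51.100.9 trips only the share-access rule; a single web hit from 198.51.100.22 produces nothing.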

