"A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system"
In practice, honeypots are computers which masquerade as unprotected. The honeypot records all actions and interactions with users. Since honeypots don't provide any legitimate services, all activity is unauthorized (and possibly malicious). Talabis presents honeypots as being analogous to the use of wet cement for detecting human intruders
http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/index.html
This pdf white paper gives detail how it can be implemented..
http://www.tracking-hackers.com/conf/slides/implementing.pdf