This tutorial shows how you can install your honeypot by using Honeyd (Virtual Honeypot). Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.
Traditionally, information security has been primarily defensive. Firewalls, intrusion detection systems, encryption: all of these mechanisms are used defensively to protect one’s resources. The strategy is to defend the organization as well as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is that it is purely defensive: the enemy has the initiative. In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or a resource of value to an attacker.
This tutorial shows how to compile and install honeyd 1.5c on a CentOS 5.5 server. I do not issue any guarantee that this will work for you!
In this tutorial I will use the following hosts:
* Host Server : 192.168.245.128
* Virtual Honeypot 1 : 192.168.245.200
* Virtual Honeypot 2 : 192.168.245.201
Here’s a little diagram that shows our setup (the host server runs honeyd and arpd and answers for both virtual honeypot addresses on the same segment):

                Host Server 192.168.245.128
                       (honeyd + arpd)
                      /               \
               | hp1 |                 | hp2 |
          192.168.245.200         192.168.245.201
You need to remove the distribution’s libdnet and libevent packages, otherwise you won’t be able to compile honeyd (see the note below).
yum remove libevent libevent-devel libdnet libdnet-devel
yum install autoconf gcc python-devel
Note: Don’t use the latest versions of libevent and libdnet; honeyd 1.5c does not build cleanly against them. Use libevent 1.3a and libdnet 1.11, as unpacked below.
Download required packages
You need to download a few packages before installing honeyd: libevent 1.3a, libdnet 1.11, arpd 0.2 and honeyd 1.5c (the tarballs unpacked in the following steps).
Important Note: Don’t download the latest versions of libevent and libdnet; honeyd 1.5c does not build cleanly against them.
Install required packages
tar -xvf libevent-1.3a.tar.gz
tar -xvf libdnet-1.11.tar.gz
Download the updated arpd package
For arpd-0.2 to compile under gcc 4.0.0, the file arpd.c must be modified. Replace it with the one from the Iran Honeynet Project web site (see the links at the end), then compile and install.
tar -xvf arpd-0.2.tar.gz
Arpd is a daemon that listens for ARP requests and answers for IP addresses that are unallocated. Using arpd in conjunction with honeyd, it is possible to populate the unallocated address space in a production network with virtual honeypots: traffic for the honeypot addresses reaches the host machine without those addresses being configured on any interface.
Install Honeyd 1.5c
tar -xvf honeyd-1.5c.tar.gz
cp -v config.ethernet honeyd.conf
Sample configurations that outline the features available in honeyd are on the Honeyd.org web site.
This is a sample configuration (the default template handles traffic to any address honeyd answers for that is not bound to a specific template):
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create honeypot-template
set honeypot-template ethernet "00:22:FA:cc:dd:ee"
set honeypot-template personality "Microsoft Windows XP SP2"
set honeypot-template uptime 1234567
set honeypot-template default tcp action reset
set honeypot-template default udp action reset
set honeypot-template default icmp action open
add honeypot-template tcp port 135 open
add honeypot-template tcp port 139 open
add honeypot-template tcp port 445 open
add honeypot-template tcp port 3389 block
add honeypot-template tcp port 53 proxy 126.96.36.199:53

bind 192.168.245.200 honeypot-template
bind 192.168.245.201 honeypot-template
Important Note: The IP addresses must be on the same network segment as the hosting machine; otherwise you must add a route on your router so that packets destined for those addresses reach the honeyd hosting computer.
Configure Linux firewall
Modify the rules of your firewall to accept packets for the IP addresses defined in honeyd’s configuration file. Insert them before any rule that drops or rejects the remaining INPUT traffic. You should have something like this:
$IPTABLES -A INPUT -d 192.168.245.200 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.245.201 -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/usr/local/bin/honeyd -d -f /usr/local/share/honeyd/honeyd.conf -p /usr/local/share/honeyd/nmap.prints -x /usr/local/share/honeyd/xprobe2.conf -a /usr/local/share/honeyd/nmap.assoc --disable-webserver '192.168.245.200-192.168.245.201'
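As an added example (not part of this tutorial or of honeyd itself), the following Python script parses a honeyd.conf in the format shown above, checks the note about the network segment, lists which TCP ports a scan from outside should find open, and generates the iptables rules and the honeyd address argument used in this section. The embedded configuration is a copy of the sample above; the /24 prefix for the host’s network is an assumption, since the tutorial never states a netmask.

```python
"""Sanity-check a honeyd.conf against the hosting machine's network and
generate the matching iptables rules and honeyd address argument.

Added example for this tutorial; not part of honeyd. SAMPLE_CONF is a copy
of the sample configuration above. HOST_PREFIX is an assumption: the
tutorial never states the netmask of the 192.168.245.x segment.
"""
import ipaddress
import shlex

HOST_IP = "192.168.245.128"   # the tutorial's host server
HOST_PREFIX = 24              # assumption, see module docstring

SAMPLE_CONF = """\
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create honeypot-template
set honeypot-template ethernet "00:22:FA:cc:dd:ee"
set honeypot-template personality "Microsoft Windows XP SP2"
set honeypot-template uptime 1234567
set honeypot-template default tcp action reset
set honeypot-template default udp action reset
set honeypot-template default icmp action open
add honeypot-template tcp port 135 open
add honeypot-template tcp port 139 open
add honeypot-template tcp port 445 open
add honeypot-template tcp port 3389 block
add honeypot-template tcp port 53 proxy 126.96.36.199:53
bind 192.168.245.200 honeypot-template
bind 192.168.245.201 honeypot-template
"""


def parse_conf(text):
    """Parse create/set/add/bind directives into a dict keyed by template name.

    Each template holds:
      attrs    - "set T <key> <value>" (personality, ethernet, uptime, ...)
      defaults - "set T default <proto> action <act>" -> {proto: act}
      ports    - "add T <proto> port <n> <action...>" -> {(proto, n): action}
      binds    - IP addresses bound to the template
    """
    templates = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # honeyd.conf allows # comments
        if not line:
            continue
        tok = shlex.split(line)               # keeps "Microsoft Windows XP SP2" as one token
        if tok[0] == "create":
            templates[tok[1]] = {"attrs": {}, "defaults": {}, "ports": {}, "binds": []}
        elif tok[0] == "set" and tok[2] == "default":
            templates[tok[1]]["defaults"][tok[3]] = tok[5]
        elif tok[0] == "set":
            templates[tok[1]]["attrs"][tok[2]] = tok[3]
        elif tok[0] == "add":
            templates[tok[1]]["ports"][(tok[2], int(tok[4]))] = " ".join(tok[5:])
        elif tok[0] == "bind":
            templates[tok[2]]["binds"].append(tok[1])
        else:
            raise ValueError(f"unsupported directive: {line}")
    return templates


def bound_addresses(templates):
    """All addresses honeyd will answer for, in numeric order."""
    ips = [ip for t in templates.values() for ip in t["binds"]]
    return sorted(ips, key=ipaddress.ip_address)


def off_segment(templates, host_ip=HOST_IP, prefix=HOST_PREFIX):
    """Bound addresses that are not on the host's own segment.

    arpd can only answer ARP for addresses on the directly attached network;
    anything returned here needs a route on the router pointing at the host.
    """
    net = ipaddress.ip_interface(f"{host_ip}/{prefix}").network
    return [ip for ip in bound_addresses(templates) if ipaddress.ip_address(ip) not in net]


def expected_open_tcp(templates, name):
    """TCP ports a scanner should see as open on an address bound to this template.

    "open" and "proxy" accept the connection; "block" drops packets silently
    (nmap reports filtered) and "reset" answers with RST (closed).
    """
    return sorted(port for (proto, port), action in templates[name]["ports"].items()
                  if proto == "tcp" and action.split()[0] in ("open", "proxy"))


def iptables_rules(templates, var="$IPTABLES"):
    """ACCEPT rules for every bound address, plus the stateful rule from the tutorial."""
    rules = [f"{var} -A INPUT -d {ip} -j ACCEPT" for ip in bound_addresses(templates)]
    rules.append(f"{var} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT")
    return rules


def honeyd_address_arg(templates):
    """Address argument for the honeyd command line: a range when the bound
    addresses are contiguous, otherwise a space-separated list."""
    ips = bound_addresses(templates)
    if len(ips) == 1:
        return ips[0]
    first, last = ipaddress.ip_address(ips[0]), ipaddress.ip_address(ips[-1])
    if int(last) - int(first) == len(ips) - 1:
        return f"{ips[0]}-{ips[-1]}"
    return " ".join(ips)


if __name__ == "__main__":
    t = parse_conf(SAMPLE_CONF)
    for name, tmpl in t.items():
        print(f"{name}: personality={tmpl['attrs'].get('personality')!r} "
              f"open tcp={expected_open_tcp(t, name)} binds={tmpl['binds']}")
    print("off-segment addresses (need a route on the router):", off_segment(t) or "none")
    print("\n".join(iptables_rules(t)))
    print(f"/usr/local/bin/honeyd ... --disable-webserver '{honeyd_address_arg(t)}'")
```

Run it against your own honeyd.conf before starting honeyd: an address reported as off-segment will never receive traffic unless the router routes it to the host, and the list of expected open ports is what the nmap check below should confirm from an outside machine.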
Run this test only from a machine other than the honeyd host, i.e. from an IP address outside the host machine.
nmap -T4 -A -v 192.168.245.200
Iran Honeynet Project: http://www.honeynet.ir/
The Honeynet Project: http://www.honeynet.org
Honeyd Virtual Honeypot: http://honeyd.org/