I decided to install honeytrap on a Linux laptop and open it up to the world via the DMZ option on my D-Link router. I started with Fedora Core 5 running on a 1Ghz Sony Vaio laptop with 256 Mbs of RAM. I started by locking down the host OS.
root@localhost# chkconfig –list | awk ‘/3:on/ {print $1}’
root@localhost# chkconfig service name off ; turn off service for run level 3
root@localhost# service service name stop ; stop the service
This first command will show you a list of services running on the host. To determine which service to turn off, refer to the internet. For all my purposes, I just wanted SSH running on port 2929 so I turned off any service that listens on any other port.
The first thing I did was to download honeytrap from “http://honeytrap.sourceforge.net/start.html” and compile the sources. I decided to compile with the pcap monitoring switch, however after running it and researching on the web, I found out that with the pcap option honeytrap drops the first packet and only establishes a socket with the second packet on that same port. As much of the activity I see on my FIOS connection is one off scanning and probing, this option was surely not for me.
To alleviate this problem I compiled honeytrap with the IPQ option. This uses iptables to send the initial SYN to honeytrap therefore dynamically creating a socket with the first connection attempt. I did this with the following configure switches:
root@localhost# ./configure –with-ipq-mon
I immediately got the error:
checking for libipq.h... no
I attempted to pull down the iptables sources, however these did not include “libipq.h”. After some searching I found on rpmfind, “iptables-devel-1.2.9-10.rpm”. installing this I got a dependency error for “iptables-1.2.9”. Not too discouraged, I downloaded and compiled iptables-1.2.9 and installed the devel RPM with the –nodeps switch. After installing these dependencies, I issued a:
root@localhost# find / -name libipq.h
/usr/include/libipq.h
Halleluiah!!
Now I move back to the honeytrap directory and issue:
root@localhost# ./make clean
root@localhost# ./configure –with-ipq-mon
root@localhost# make
root@localhost# make install
Now to make sure it ignored SSH port 2929, appended:
include = /etc/honeytrap/ports.conf
In the /etc/honeytrap/honeytrap.conf file and created a /etc/honeytrap/ports.conf file with the following:
port=2929,ignore
Load the IPQ module:
root@localhost# modprobe ip_queue
Issue “lsmod” command to ensure that the ip_queue module is loaded
Issue the following command to enable iptables to forward SYN’s to honeytrap:
iptables -A INPUT –i eth0 –p tcp -–syn –m state -–state NEW –j QUEUE
Once in place I envoke honeytrap:
root@localhost# ./honeytrap –u eon –g eon –D
honeytrap v0.6.2 Copyright © 2005-2006 Tillman Werner tillman.Werner@gmx.de
[2006-10-07 21:02:47] ----Trapping attacks via IPQ. ----
AT LAST!!!!!!!
This runs honeytrap with a non-root user and group and the –D flag tells honeytrap not to go into daemon mode.
On another host I have tshark runnig to capture traffic off of a switch span port:
root@localhost# tshark –w log dir -a filesize:50000 –b files:5 –i interface –f filter expression
This allows for 5 rotating 50Mb files in your log directory.
With this I can easily monitor connection attempts and capture the full payload of any inbound connection attempt to my Honeytrap.
Now I sit and wait for the interesting traffic. Being a packet monkey, I will post any interesting findings/packets to this blog.
