Tuesday, January 02, 2007

HONEYTRAP Gotcha!


I decided to install honeytrap on a Linux laptop and open it up to the world via the DMZ option on my D-Link router. I started with Fedora Core 5 running on a 1 GHz Sony Vaio laptop with 256 MB of RAM. The first step was locking down the host OS.

root@localhost# chkconfig --list | awk '/3:on/ {print $1}'

root@localhost# chkconfig <service name> off    # turn the service off for run level 3

root@localhost# service <service name> stop     # stop the running service

The first command lists the services that are enabled at run level 3. To decide which service to turn off, refer to the internet. For my purposes I only wanted SSH listening, on port 2929, so I turned off every service that listens on any other port.
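Before exposing the laptop through the DMZ it is worth confirming that the lockdown really left only the SSH port listening. The script below is an added example and not from the original post: it reads netstat -tln style output, compares the listening TCP ports against an allowlist, and prints any port that should not be there (the return code is 1 when it finds one). The netstat output embedded in it is constructed for the demonstration; the commented-out line at the bottom is the live invocation on the real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit the host's listening TCP
# sockets against an allowlist before exposing it through the router DMZ.
# Input is `netstat -tln` style output on stdin; $1 is a space-separated
# list of ports that are allowed to listen.

# Print every listening TCP port that is not in the allowlist given as $1.
# Returns 1 if at least one unexpected listener was found, 0 otherwise.
unexpected_listeners() {
    allowed="$1"
    found=0
    # Column 4 is the local address (0.0.0.0:111, 127.0.0.1:631, :::2929);
    # the port is whatever follows the last colon.
    ports=$(awk '$1 == "tcp" || $1 == "tcp6" { n = split($4, a, ":"); print a[n] }' | sort -un)
    for p in $ports; do
        case " $allowed " in
            *" $p "*) ;;                # allowed, nothing to report
            *) echo "$p"; found=1 ;;    # unexpected listener
        esac
    done
    return $found
}

# Constructed sample in the shape of `netstat -tln` output on a freshly
# installed host: sshd on 2929 plus portmap (111), CUPS (631) and an RPC port.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2929            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp6       0      0 :::2929                 :::*                    LISTEN'

# Offline demonstration: run the audit over the constructed sample.
# Prints 111, 631 and 32768 and returns 1.
audit_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "2929"
}

# Live use on the real host (uncomment):
# netstat -tln | unexpected_listeners "2929" || echo "disable the listeners above before enabling the DMZ" >&2
```

Each reported port maps back to a service to turn off with chkconfig and service as shown above; re-run the audit until it prints nothing.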

Next I downloaded honeytrap from "http://honeytrap.sourceforge.net/start.html" and compiled the sources. I first compiled with the pcap monitoring switch; however, after running it and researching on the web, I found out that with the pcap option honeytrap drops the first packet and only establishes a socket when a second packet arrives on that same port. As much of the activity I see on my FIOS connection is one-off scanning and probing, this option was surely not for me.

To alleviate this problem I compiled honeytrap with the IPQ option. This uses iptables to hand the initial SYN to honeytrap, so a socket is created dynamically on the first connection attempt. I did this with the following configure switch:

root@localhost# ./configure --with-ipq-mon

I immediately got the error:

checking for libipq.h... no

I attempted to pull down the iptables sources, however these did not include "libipq.h". After some searching I found "iptables-devel-1.2.9-10.rpm" on rpmfind. Installing this I got a dependency error for "iptables-1.2.9". Not too discouraged, I downloaded and compiled iptables-1.2.9 and installed the devel RPM with the --nodeps switch. After installing these dependencies, I issued a:

root@localhost# find / -name libipq.h

/usr/include/libipq.h

Halleluiah!!

Now I move back to the honeytrap directory and issue:

root@localhost# make clean

root@localhost# ./configure --with-ipq-mon

root@localhost# make

root@localhost# make install

Now, to make sure it ignored SSH on port 2929, I appended:

include = /etc/honeytrap/ports.conf

to the /etc/honeytrap/honeytrap.conf file and created a /etc/honeytrap/ports.conf file with the following:

port=2929,ignore

Load the IPQ module:

root@localhost# modprobe ip_queue

Issue the "lsmod" command to ensure that the ip_queue module is loaded.

Issue the following command to have iptables forward new SYNs to honeytrap:

iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW -j QUEUE

Once that is in place I invoke honeytrap:

root@localhost# ./honeytrap -u eon -g eon -D

honeytrap v0.6.2 Copyright © 2005-2006 Tillman Werner tillman.Werner@gmx.de

[2006-10-07 21:02:47] ----Trapping attacks via IPQ. ----


AT LAST!!!!!!!


This runs honeytrap with a non-root user and group, and the -D flag tells honeytrap not to go into daemon mode.
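The ports.conf entry, the ip_queue module, the iptables QUEUE rule and the non-root honeytrap invocation are the steps of one setup, so here they are collected into a single script. This is an added example and not part of the original post or of the honeytrap project; it takes the interface, management port and honeytrap user from the post (eth0, 2929, eon) as defaults and assumes that honeytrap is on the PATH after make install. One deliberate change from the rule on the page: an ACCEPT for the management port is placed before the QUEUE rule. QUEUE hands every new SYN to userspace, and a queued packet with no userspace reader (honeytrap not yet started, or crashed) is dropped by ip_queue, which would lock out remote administration; the ports.conf ignore entry alone does not protect against that. The helper functions only render text, so they can be checked without root; only the apply argument changes the system.

```shell
#!/bin/sh
# Added example (not honeytrap's own tooling): the ports.conf, ip_queue and
# iptables steps from the post wrapped in one reviewable script. Only "apply"
# touches the system; the helpers are pure text so they can be checked first.
# IFACE, ADMIN_PORT and HT_USER are assumed defaults taken from the post.
IFACE="${IFACE:-eth0}"
ADMIN_PORT="${ADMIN_PORT:-2929}"   # management SSH port, must never be trapped
HT_USER="${HT_USER:-eon}"          # unprivileged user and group for honeytrap

# Render the ports.conf line that keeps honeytrap off the admin port.
ports_conf() {
    echo "port=$1,ignore"
}

# Print the iptables commands in the order they must be applied. The ACCEPT
# rules for established traffic and for the admin port come BEFORE the QUEUE
# rule: while no userspace reader is attached to ip_queue, queued packets are
# dropped, so an SSH SYN that reached the QUEUE rule first would be lost.
queue_rules() {
    iface="$1"; admin="$2"
    cat <<EOF
iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport $admin -m state --state NEW -j ACCEPT
iptables -A INPUT -i $iface -p tcp --syn -m state --state NEW -j QUEUE
EOF
}

# Sanity check on a rendered rule list read from stdin: the ACCEPT for the
# admin port ($1) must appear before the QUEUE rule. Returns 0 when safe.
admin_before_queue() {
    awk -v admin="$1" '
        $0 ~ ("--dport " admin " ") && /-j ACCEPT/ && !q { a = 1 }
        /-j QUEUE/ { q = 1 }
        END { if (a && q) exit 0; exit 1 }'
}

# "apply" performs the real steps from the post; it needs root.
if [ "${1:-}" = apply ]; then
    ports_conf "$ADMIN_PORT" > /etc/honeytrap/ports.conf
    grep -q '^include = /etc/honeytrap/ports.conf' /etc/honeytrap/honeytrap.conf ||
        echo 'include = /etc/honeytrap/ports.conf' >> /etc/honeytrap/honeytrap.conf
    modprobe ip_queue
    lsmod | grep -q '^ip_queue' || { echo "ip_queue did not load" >&2; exit 1; }
    queue_rules "$IFACE" "$ADMIN_PORT" | admin_before_queue "$ADMIN_PORT" || exit 1
    queue_rules "$IFACE" "$ADMIN_PORT" | sh -e
    exec honeytrap -u "$HT_USER" -g "$HT_USER" -D
fi
```

Run it as sh setup.sh apply on the honeypot host; without the argument it only defines the functions, so queue_rules eth0 2929 can be sourced and inspected first. Adjust IFACE or ADMIN_PORT through the environment if the host differs from the one in the post.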


On another host I have tshark running to capture traffic from a switch span port:

root@localhost# tshark -w <log dir>/capture -a filesize:50000 -b files:5 -i <interface> -f '<filter expression>'


This keeps 5 rotating files of about 50 MB each in your log directory (tshark's filesize is given in kilobytes).


With this I can easily monitor connection attempts and capture the full payload of any inbound connection attempt to my honeytrap host.


Now I sit and wait for the interesting traffic. Being a packet monkey, I will post any interesting findings/packets to this blog.
