honeypots .. any experience?

[lund99]

I'm planning to put W2K on one of the boxes as well, I'm guessing this will attract a lot of stuff, I just hope it won't end up being torn apart by some script kiddies.

But so far I got BT3 on an old desktop computer which I am planning to use as my bridge, I will take an extra NIC with me home from work today and hopefully I'll get some work done.

First of all, though, I am a bit unsure as to how I am supposed to set up the NIC's on this bridge. If I understand the rooster completely, the NIC's wont have their own IP address and won't be easily detectable by anyone else, they just forward the traffic in the right direction - incoming or outgoing - right?

So how do I set up these NICs to just forward traffic like that?

[the_rooster]

Cormega, first off honeynets are an awesome way to learn about security, hacking, and networking in general. I would be happy to share with you experiences and setup info.

I was using 3 nics with my setup, two for the bridge and one for remote ssh access, since the honeynet was at work. Using bridge-utils, you will make a virtual interface out of two nics. i'll paste below the firewall script below that i was using. I was also running snort_inline with this which is why you'll see "QUEUE" targets where you would expect "ACCEPT" targets. i've only ben working with linux for about a year, so if this script sucks in some way let me know...appreciate the feedback. You dont have to run snort_inline but its fun to see how much actually gets by snort and its good to block low level boring script kiddie stuff.

I would run a script that had a ton of the sysInternals type tools (fport, procmon...etc) on the honey pot box before you put in out in the wild, so that way you can run the same script after you suspect the box gets jacked so you can compare whats changed in terms of opened ports and new processes...etc. I was also running sebek to capture command line input on the compromised boxes.

From there you could log traffic with tcpdump either on the outbound nic or the virtual interface bridge. I wrote some java programs to parse the data and sum it up by unique communications (ie src ip and port -> dst ip and port) and email it to me every couple of hours.

Feel free to pm any questions, or keep this thread going

Firewall script:

#/bin/sh
IPTABLES="/sbin/iptables"
BRCTL="/usr/sbin/brctl"

$BRCTL addbr br0
$BRCTL addif br0 eth0
$BRCTL addif br0 eth1
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 up

$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

##ethernet filtering
for f in /proc/sys/net/bridge/bridge-nf-*; do echo "1" > $f; done

## Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

## Enable dynamic Ips
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

## Helper modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_state
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/secure_redirects; do
echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
echo 200 > /proc/sys/net/ipv4/icmp_ratelimit
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 256 > /proc/sys/net/ipv4/tcp_max_syn_backlog



# Allow all on loopback
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

#bridge rules
ACTIVEIP="192.168.1.129 192.168.1.130 192.168.1.131 192.168.1.132"
for i in $ACTIVEIP;do
#$IPTABLES -A FORWARD -s 123.123.123.123 -m physdev --physdev-is-in -j DROP
$IPTABLES -A FORWARD -i br0 -s $i -m physdev --physdev-is-out -m limit \
--limit 1000/day --limit-burst 1000 -j QUEUE
$IPTABLES -A FORWARD -i br0 -s $i -m physdev --physdev-is-out -j DROP
$IPTABLES -A FORWARD -s $i -d 192.168.1.133 -p udp --dport 1101 -j QUEUE
$IPTABLES -A FORWARD -s $i -d 192.168.1.133 -j DROP
$IPTABLES -A FORWARD -s $i -d 123.123.123.213 -j DROP
$IPTABLES -A FORWARD -s $i -d 123.123.213.213 -j DROP
$IPTABLES -A FORWARD -s $i -d 222.222.222.222 -j DROP
done

$IPTABLES -A FORWARD -m physdev --physdev-is-in -j QUEUE


#bridge....keep this one...simple config
#$IPTABLES -A FORWARD -j QUEUE

#save for eth2
SAFEIP="123.123.123.123 123.123.123.124"
for i in $SAFEIP;do
$IPTABLES -A INPUT -i eth2 -p tcp --dport 22 -s $i -m state --state NEW,ESTABLISHED,RELATED -j QUEUE
done


$IPTABLES -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j QUEUE
$IPTABLES -A OUTPUT -o eth2 -m state --state ESTABLISHED,RELATED -j QUEUE
$IPTABLES -A OUTPUT -o eth2 -m state --state NEW -j QUEUE

$IPTABLES -A FORWARD -i eth2 -o eth2 -m state --state ESTABLISHED,RELATED -j QUEUE


Script to start and stop the firewall and snort:
#!/bin/bash
# processname: snort_inline
# config: /etc/snort_inline/snort_inline.conf
BRCTL="/usr/sbin/brctl"
. /lib/lsb/initfunctions
[ f
/usr/local/bin/snort_inline ] || exit 0
start(){
# Start daemons.
echo "Starting ip_queue module:"
lsmod | grep ip_queue >/dev/null || /sbin/modprobe ip_queue;
echo "Starting iptables rules:"
# Put your iptables script with QUEUE targets here.
/etc/firewall.sh
echo "Starting snort_inline: "
/usr/local/bin/snort_inline c
/etc/snort_inline/snort_inline.conf -Q -D -v
RETVAL=$?
echo $RETVAL
[ $RETVAL = 0 ] && touch /var/lock/subsys/snort_inline
}
stop() {
# Stop daemons.
echo "Shutting down snort_inline: "
killall snort_inline
RETVAL=$?
echo $RETVAL
[ $RETVAL = 0 ] && rm -f /var/lock/subsys/snort_inline
echo "\nRemoving iptables rules:"
$BRCTL delif br0 eth0
$BRCTL delif br0 eth1
ifconfig br0 down
$BRCTL del br0
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
}
restart(){
stop
start
}
# Arguments passed.
case "$1" in
start)
start
;;
stop)
stop
;;

[imported_wyze]

Snort_Inline is a good way to go, however if you build a passive tap as discussed in the sniffdet thread, you can monitor/log traffic with 2 nics tapped into the line going into the pot.

[the_rooster]

I had not heard of a passive tap before reading this thread. Is there an advantage to using them over creating a bridge with bridge-utils?

[imported_=Tron=]

Is there an advantage to using them over creating a bridge with bridge-utils?

The advantage is that it will be as good as completely undetectable.

[imported_wyze]

I had not heard of a passive tap before reading this thread. Is there an advantage to using them over creating a bridge with bridge-utils?

Either way the nics have to be bridged. For the tap setup the cards are running @ Half Duplex. It allows you to plug into the line promiscuously and sniff.

[lund99]

thank you so much for your post rooster, thats just the sort of detailed info i need to get started.

I think I'll copy your set up as far as possible once i get started to avoid any newbie mistakes.

just out of curiosity - how many boxes did you set up in your honepot besides the bridge, and what did you run on them?

that sysInternal type script sounds like a great idea and i'll remember to do something like that before i go live.. also, i have a computer forensics book in my shelf thats been dusting down for a couple of years now so the plan is that once i decide to take the network down i'll run a forensics investigation on the systems as well..

that tap swc666 is talking about seems pretty cool as well, I wan't to try that out as well but I'll probably wait a little while before i try it..

great to see that this thread is staying alive and people are posting experiences and tips because I really need it to get me started..

unfortunately I probably won't get much done until next week (besides reading this thread) because I'm going away for a couple of days.. but once I'm back I'll start setting up the honeynet piece by piece and post my status here, I almost cant wait to get started

[the_rooster]

Yeah the tap is very cool. I had not appreciated the detectability of the bridge structure. I thought having no ip bought me more invisibility than it really does.

I changed jobs just a little while after setting up this honeynet, so i only got to run a few machines. i'd run 2-3 unpatched xp and 2k3 servers at a time as well a plain ubuntu install for comparison. You'll get a lot more traffic on the windows boxes when you enable/install iis and related services and take down the windows firewall.

[lund99]

so I was wondering about borrowing a Cisco Catalyst 2950 switch from work and add it to the mix to make the net appear even more authentic to an intruder, what are your thoughts about that ?

it might be a bit overkill with a 24 port switch on a honeynet with only three devices though, and the switch I'm talking about is REAL noisy so I haven't really decided yet but I would like some input and see if anyone else would find this to be a helpful addition or not...

[imported_wyze]

so I was wondering about borrowing a Cisco Catalyst 2950 switch from work and add it to the mix to make the net appear even more authentic to an intruder, what are your thoughts about that ?

it might be a bit overkill with a 24 port switch on a honeynet with only three devices though, and the switch I'm talking about is REAL noisy so I haven't really decided yet but I would like some input and see if anyone else would find this to be a helpful addition or not...

I think something that would allow you to set up a DMZ is all you really need.