Installing Honeyd 1.5c And Arpd 0.2 Under CentOS 5 (With gcc 4.x)

This tutorial shows how you can install your honeypot by using Honeyd (Virtual Honeypot). Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.

Introduction

Traditionally, information security has been primarily defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one’s resources. The strategy is to defend one’s organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is it [is] purely defensive, the enemy has the initiative. In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attacker.

This tutorial shows how you can compile and install honeyd 1.5c on CentOS 5.5 server. I do not issue any guarantee that this will work for you!

Preliminary Note

In this tutorial I will use the following hosts:

     * Host Server : 192.168.245.128
     * Virtual Honeypot 1 : 192.168.245.200
     * Virtual Honeypot 2 : 192.168.245.201

Here's a little diagram that shows our setup:

       Host IP=192.168.245.128

  192.168.245.200 192.168.245.201
     -------+------------+--------
               |                 |
          +--+--+         +--+--+
          | hp1  |         | hp2   |
          +-----+          +-----+
          Virtual            Virtual
        Honeypot1     Honeypot2

Preparation

You need to remove libdnet and libevent packages otherwise you wont be able to compile honeyd.(See note)

yum remove libevent libevent-devel libdnet libdnet-devel
yum install autoconf gcc python-devel

Note: Don't use latest version of libevent and libdnet because of some inconsistency in honeyd

Download required packages

You need to download few packages before installing honeyd.

cd /tmp
wget http://monkey.org/~provos/libevent-1.3a.tar.gz
wget http://space.dl.sourceforge.net/project/libdnet/libdnet/libdnet-1.11/libdnet-1.11.tar.gz
wget http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz

Important Note: Don't download latest version of libevent and libdnet because of some inconsistency in honeyd.

Install required packages

cd /tmp
tar -xvf libevent-1.3a.tar.gz
cd libevent-1.3a
./configure
make
make install

cd /tmp
tar -xvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure
make
make install

Download Arpd updated packages

For arpd-0.2 to compile under gcc 4.0.0 the file arpd.c must be modified. Replace it with the one from the Iran Honeynet Project web site , then compile and install.

cd /tmp
tar -xvf arpd-0.2.tar.gz
cd arpd
wget http://www.honeynet.ir/software/honeyd/arpd.c
./configure
make
make install

Run arpd

Arpd is a daemon that listens to ARP requests and answers for IP addresses that are unallocated. Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space in a production network with virtual honeypots.

/usr/local/sbin/arpd '192.168.245.200-192.168.245.201'

Install Honeyd 1.5c

cd /tmp
wget http://www.honeyd.org/uploads/honeyd-1.5c.tar.gz
tar -xvf honeyd-1.5c.tar.gz
cd honeyd-1.5c
./configure
make
make install

Configure Honeyd

cd /usr/local/share/honeyd
cp -v config.ethernet honeyd.conf
vi honeyd.conf

Some configurations that outline features available in Honeyd.org Web Site.

This is sample configuration:

create default
set default default tcp  action block
set default default udp  action block
set default default icmp action block
create honeypot-template
set honeypot-template  ethernet "00:22:FA:cc:dd:ee"
set honeypot-template  personality "Microsoft Windows XP SP2"
set honeypot-template  uptime 1234567
set honeypot-template  default tcp  action reset
set honeypot-template  default udp  action reset
set honeypot-template  default icmp action open
add honeypot-template  tcp port 135  open
add honeypot-template  tcp port 139  open
add honeypot-template  tcp port 445  open
add honeypot-template  tcp port 3389 block
add honeypot-template  tcp port 53 proxy 8.8.8.8:53
bind 192.168.245.200 honeypot-template
bind 192.168.245.201 honeypot-template

Important Note: The IP Addresses should be in the same network segment with the hosting machine, or you should modify the routing table of your router to allow the packets destined to those IP Addresses to reach your honeyd hosting computer.

Configure Linux firewall

Modify the rules of your firewall to accept packets for the IP Addresses defined in the honeyd's configuration file. You should have something like this:

$IPTABLES -A INPUT -d 192.168.245.200 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.245.201 -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Run Honeyd

/usr/local/bin/honeyd -d -f /usr/local/share/honeyd/honeyd.conf -p /usr/local/share/honeyd/nmap.prints -x /usr/local/share/honeyd/xprobe2.conf -a /usr/local/share/honeyd/nmap.assoc --disable-webserver '192.168.245.200-192.168.245.201'

Test Honeyd

Run this test only from an IP Addresses outside host machine.

nmap -T4 -A -v 192.168.245.200

Links

Iran Honeynet Project: http://www.honeynet.ir/
The Honeynet Project: http://www.honeynet.org
Honeypot: http://en.wikipedia.org/wiki/Honeypot_(computing)
Honeyd Virtual Honeypot: http://honeyd.org/
CentOS: http://www.centos.org/