Installing Honeyd 1.5c And Arpd 0.2 Under CentOS 5 (With gcc 4.x)

This tutorial shows how you can install your honeypot by using Honeyd (Virtual Honeypot). Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems.



Traditionally, information security has been primarily defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is that it is purely defensive: the enemy has the initiative. In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to an attacker.

This tutorial shows how you can compile and install honeyd 1.5c on a CentOS 5.5 server. I do not issue any guarantee that this will work for you!


Preliminary Note

In this tutorial I will use the following hosts:

     * Host Server :
     * Virtual Honeypot 1 :
     * Virtual Honeypot 2 :

Here's a little diagram that shows our setup:

                 Host IP=
            |                 |
         +--+--+           +--+--+
         | hp1 |           | hp2 |
         +-----+           +-----+
         Virtual           Virtual
        Honeypot1         Honeypot2



You need to remove the libdnet and libevent packages, otherwise you won't be able to compile honeyd (see note).

yum remove libevent libevent-devel libdnet libdnet-devel
yum install autoconf gcc python-devel

Note: Don't use the latest versions of libevent and libdnet, because of some inconsistency in honeyd.


Download required packages

You need to download a few packages before installing honeyd.

cd /tmp

Important Note: Don't download the latest versions of libevent and libdnet, because of some inconsistency in honeyd.


Install required packages

cd /tmp
tar -xvf libevent-1.3a.tar.gz
cd libevent-1.3a
./configure
make
make install

cd /tmp
tar -xvf libdnet-1.11.tar.gz
cd libdnet-1.11
./configure
make
make install


Download Arpd updated packages

For arpd-0.2 to compile under gcc 4.0.0 the file arpd.c must be modified. Replace it with the one from the Iran Honeynet Project web site, then compile and install.

cd /tmp
tar -xvf arpd-0.2.tar.gz
cd arpd
./configure
make
make install


Run arpd

Arpd is a daemon that listens to ARP requests and answers for IP addresses that are unallocated. Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space in a production network with virtual honeypots.

/usr/local/sbin/arpd ''


Install Honeyd 1.5c

cd /tmp
tar -xvf honeyd-1.5c.tar.gz
cd honeyd-1.5c
./configure
make
make install


Configure Honeyd

cd /usr/local/share/honeyd
cp -v config.ethernet honeyd.conf
vi honeyd.conf

Sample configurations that outline the available features can be found on the web site.

This is sample configuration:

create default
set default default tcp  action block
set default default udp  action block
set default default icmp action block
create honeypot-template
set honeypot-template  ethernet "00:22:FA:cc:dd:ee"
set honeypot-template  personality "Microsoft Windows XP SP2"
set honeypot-template  uptime 1234567
set honeypot-template  default tcp  action reset
set honeypot-template  default udp  action reset
set honeypot-template  default icmp action open
add honeypot-template  tcp port 135  open
add honeypot-template  tcp port 139  open
add honeypot-template  tcp port 445  open
add honeypot-template  tcp port 3389 block
add honeypot-template  tcp port 53 proxy
bind honeypot-template
bind honeypot-template

Important Note: The IP addresses should be in the same network segment as the hosting machine, or you should modify the routing table of your router to allow the packets destined for those IP addresses to reach your honeyd hosting computer.
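
The following check is an added example, not part of the original tutorial or of Honeyd itself. It reads a honeyd.conf and reports bind statements that would break the rule in the note above. It assumes the plain "bind <address> <template>" form only; the function name check_binds and the 192.0.2.0/24 sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample: 192.0.2.0/24 is a documentation range, not the page's addresses.
SAMPLE_CONF = """\
create default
set default default tcp action block
create honeypot-template
set honeypot-template personality "Microsoft Windows XP SP2"
add honeypot-template tcp port 445 open
bind 192.0.2.101 honeypot-template
bind 192.0.2.102 honeypot-template
bind 198.51.100.7 honeypot-template
bind 192.0.2.103 missing-template
bind honeypot-template
"""

def check_binds(conf_text, host_network):
    """Return a list of (line_no, message) problems found in bind statements."""
    net = ipaddress.ip_network(host_network)
    templates, seen, problems = set(), {}, []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] == "create" and len(words) == 2:
            templates.add(words[1])
        elif words[0] == "bind":
            if len(words) != 3:
                problems.append((no, "bind needs an address and a template"))
                continue
            try:
                addr = ipaddress.ip_address(words[1])
            except ValueError:
                problems.append((no, "not an IP address: " + words[1]))
                continue
            if words[2] not in templates:
                problems.append((no, "template not created: " + words[2]))
            if addr not in net:
                problems.append((no, "%s is outside %s; needs a route" % (addr, net)))
            if addr in seen:
                problems.append((no, "%s already bound on line %d" % (addr, seen[addr])))
            seen.setdefault(addr, no)
    return problems

if __name__ == "__main__":
    for no, msg in check_binds(SAMPLE_CONF, "192.0.2.0/24"):
        print("line %d: %s" % (no, msg))
```

Pass the network of the honeyd host's interface as the second argument; an empty result means every bound address is inside that segment and refers to a template created earlier in the file.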


Configure Linux firewall

Modify the rules of your firewall to accept packets for the IP addresses defined in honeyd's configuration file. You should have something like this:



Run Honeyd

/usr/local/bin/honeyd -d -f /usr/local/share/honeyd/honeyd.conf -p /usr/local/share/honeyd/nmap.prints -x /usr/local/share/honeyd/xprobe2.conf -a /usr/local/share/honeyd/nmap.assoc --disable-webserver ''


Test Honeyd

Run this test only from an IP address outside the host machine.

nmap -T4 -A -v 


Iran Honeynet Project:
The Honeynet Project:
Honeyd Virtual Honeypot:
