top of page
Writer's pictureDiv0 Blog Editor

Tiny Honeypot (THP)

Updated: May 23, 2020

Tiny Honeypot (THP) is probably the easiest low-interaction honeypot I’ve deployed, and it produced a reasonable amount of results from the work I’ve put in.

Tiny Honeypot is a simple honeypot program based on iptables redirects and xinetd listener. It listens on every TCP port not currently in use, logging all activity and providing some feedback to the attacker. The responders are entirely written in Perl, and provide just enough interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. With appropriate limits (default), THP can reside on production hosts with negligible impact on performance.

(Source: Security Focus)

Installing THP

CentOS 5.5 is the base OS I used for my THP deployment.

The original residential of THP tarballs (http://www.alpinista.org/thp) has depreciated. But you can still obtain it from the Wayback Machine here.

1. Download the latest version and untar it: # tar -xvzf LATEST-IS-thp-0.4.6.tar.gz


2. Create a directory for your (default) log to reside in:

mkdir /var/log/hpot 
chown nobody:nobody /var/log/hpot 
chmod 700 /var/log/hpot 

3. As mentioned, “THP is a simple honeypot program based on iptables redirects and xinetd listener.” In your THP directory,

./iptables.rules 
cp ./xinetd.d/* /etc/xinetd.d  	
service portmap restart  	
pmap_set < /usr/local/thp/fakerpc 

4. Ensure all your new xinetd listeners are enabled by changing “disable = no”,

service xinetd restart 

5. You have successfully deployed your THP!


THP Logs

THP captures three different types of logs.


1. /var/log/hpot/captures

This log file contains a summary for each connection. You can have it summarised into a single line which makes it easier to post-process the data or have it in a multiline format which is easier to read. You should look into your Netfilter logs in /var/log/messages if you need more connection information.


2. /var/log/hopt/<sessionid.protocols>

Each session gets its own log file that contains more detailed information about the interaction with THP responder. Over time, many session logs are going to accumulate in this directory. You probably want to keep the number of files in this directory below 10,000 or so.


3. /var/log/messages | grep

  • HPOT_DATA This log type is used for connections that are being redirected to THP. The log entry contains additional information contained in the IP and TCP headers.

  • FRAG_UDP Logs the occurrence of fragmented UDP packets that are dropped instead of being forwarded to the honeypot.

  • FRAG_ICMP Logs the occurrence of fragmented ICMP packets that are dropped instead of being forwarded to the honeypot.

  • BADTHINGS_IN-limit Logs the occurrence of FIN scans, and so on.

  • BADTHINGS_IN Logs the occurrence of anything else that is being dropped instead of being forwarded to the honeypot.

Testing Your THP

In Richard Hammer’s GIAC Gold paper “Enhancing IDS using, Tiny Honeypot“, he presented a couple of test cases you can play around with your THP setup!

 

References

  1. Virtual Honeypots: From Botnet Tracking to Intrusion Detection, Neils Provos, Thorsten Holz. 2007.

  2. UNIX03/ Setup Tiny Honeypot with Snort, Samuel Hart, 2003.

  3. Enhance IDS using, Tiny Honeypot, Richard Hammer. 2006.

 

Author

Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter.

454 views0 comments

Comments


Post: Blog2_Post
bottom of page