Tiny Honeypot (THP) is probably the easiest low-interaction honeypot I’ve deployed, and it produced a reasonable amount of results from the work I’ve put in.
"Tiny Honeypot is a simple honeypot program based on iptables redirects and xinetd listener. It listens on every TCP port not currently in use, logging all activity and providing some feedback to the attacker. The responders are entirely written in Perl, and provide just enough interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. With appropriate limits (default), THP can reside on production hosts with negligible impact on performance." (Source: Security Focus)
CentOS 5.5 is the base operating system I used for my THP deployment.
The original home of the THP tarballs (http://www.alpinista.org/thp) is no longer available, but you can still obtain them from the Wayback Machine here.
Download the latest version and untar it:
# tar -xvzf LATEST-IS-thp-0.4.6.tar.gz
Create a directory for your (default) log to reside in, owned by the unprivileged user the responders run as:
$ mkdir /var/log/hpot
$ chown nobody:nobody /var/log/hpot
$ chmod 700 /var/log/hpot
As mentioned, “THP is a simple honeypot program based on iptables redirects and xinetd listener.” In your THP directory,
Ensure all your new xinetd listeners are enabled by setting “disable = no” in their xinetd configuration, then restart xinetd:
$ service xinetd restart
You have successfully deployed your THP!
Watching THP’s Logs
THP captures three different types of logs.
/var/log/hpot/captures: This log file contains a summary for each connection. You can have it summarised into a single line, which makes it easier to post-process the data, or in multiline format, which is easier to read. Look in your Netfilter logs in /var/log/messages if you need more connection information.
/var/log/hpot/<sessionid.protocol>: Each session gets its own log file containing more detailed information about the interaction with the THP responder. Over time, many session logs will accumulate in this directory; you probably want to keep the number of files below 10,000 or so.
/var/log/messages | grep <tag>: The Netfilter rules log with one of the following prefixes, so grep for the tag you are interested in.
HPOT_DATA: Used for connections that are being redirected to THP. The log entry contains additional information from the IP and TCP headers.
FRAG_UDP: Logs the occurrence of fragmented UDP packets that are dropped instead of being forwarded to the honeypot.
FRAG_ICMP: Logs the occurrence of fragmented ICMP packets that are dropped instead of being forwarded to the honeypot.
BADTHINGS_IN-limit: Logs the occurrence of FIN scans and similar oddities.
BADTHINGS_IN: Logs the occurrence of anything else that is being dropped instead of being forwarded to the honeypot.
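Grepping for one tag at a time gets tedious once the box has been exposed for a while. The following is an added example (not part of THP or this post) that summarises the Netfilter lines in /var/log/messages by tag, source address and redirected destination port. It assumes the tags above appear as the rules' iptables --log-prefix strings in the standard kernel LOG layout; the sample lines are constructed.

```python
import re
from collections import Counter

# Netfilter log prefixes used by THP, as listed in the post.
THP_TAGS = ("HPOT_DATA", "FRAG_UDP", "FRAG_ICMP", "BADTHINGS_IN-limit", "BADTHINGS_IN")

# Standard iptables LOG layout: "kernel: [ts] <prefix> IN=... SRC=... DST=... PROTO=... DPT=..."
# The prefix is assumed to be the rule's --log-prefix (an assumption, not taken from THP's rules).
LINE_RE = re.compile(r"kernel: (?:\[[^\]]*\] )?(?P<tag>\S+) (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return (tag, {FIELD: value}) for a THP Netfilter line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m or m.group("tag") not in THP_TAGS:
        return None
    return m.group("tag"), dict(FIELD_RE.findall(m.group("fields")))

def summarise(lines):
    """Count events per tag and per source; for redirected (HPOT_DATA) traffic also per proto/dport."""
    by_tag, by_src, by_port = Counter(), Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # sshd, cron, etc. are not ours
        tag, f = parsed
        by_tag[tag] += 1
        by_src[f.get("SRC", "?")] += 1
        if tag == "HPOT_DATA" and "DPT" in f:
            by_port[(f.get("PROTO", "?"), f["DPT"])] += 1
    return by_tag, by_src, by_port

# Constructed sample of /var/log/messages (documentation addresses, not real traffic).
SAMPLE = """\
Mar  3 10:15:01 hpot kernel: HPOT_DATA IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:02 hpot kernel: HPOT_DATA IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=40124 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:05 hpot kernel: HPOT_DATA IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:15:06 hpot kernel: FRAG_UDP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=48 ID=9002 MF PROTO=UDP SPT=53 DPT=53 LEN=1480
Mar  3 10:15:07 hpot kernel: BADTHINGS_IN-limit IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9003 PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
Mar  3 10:15:08 hpot sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2
"""

if __name__ == "__main__":
    for name, counter in zip(("tags", "sources", "ports"), summarise(SAMPLE.splitlines())):
        print(name, counter.most_common(5))
```

Run it against the real file with `summarise(open("/var/log/messages"))`; the port counter shows which services the redirected scanners were probing.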