Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

Tiny Honeypot

Tiny Honeypot (THP) is probably the easiest low-interaction honeypot I’ve deployed, and it produced a reasonable amount of results from the work I’ve put in.

"Tiny Honeypot is a simple honeypot program based on iptables redirects and xinetd listener. It listens on every TCP port not currently in use, logging all activity and providing some feedback to the attacker. The responders are entirely written in Perl, and provide just enough interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. With appropriate limits (default), THP can reside on production hosts with negligible impact on performance." (Source: Security Focus)

Installing THP

CentOS 5.5 is the base operating system I used for my THP deployment.

The original home of the THP tarballs (http://www.alpinista.org/thp) is no longer online, but you can still obtain them from the Wayback Machine here.

  1. Download the latest version and untar it:
    # tar -xvzf LATEST-IS-thp-0.4.6.tar.gz

  2. Create a directory for your (default) log to reside in:
    $ mkdir /var/log/hpot

    $ chown nobody:nobody /var/log/hpot
    $ chmod 700 /var/log/hpot

  3. As mentioned, “THP is a simple honeypot program based on iptables redirects and xinetd listener.” In your THP directory,

    $ ./iptables.rules
    $ cp ./xinetd.d/* /etc/xinetd.d
    $ service portmap restart
    $ pmap_set < /usr/local/thp/fakerpc

  4. Ensure all your new xinetd listeners are enabled by setting "disable = no" in each copied service file, then restart xinetd:

    $ service xinetd restart

  5. You have successfully deployed your THP!

Watching THP’s Logs

THP captures three different types of logs.

  1. /var/log/hpot/captures
    This log file contains a summary for each connection. You can have it summarised into a single line, which makes it easier to post-process the data, or have it in multiline format, which is easier to read. Look in your Netfilter logs in /var/log/messages if you need more connection information.

  2. /var/log/hpot/<sessionid.protocol>
    Each session gets its own log file that contains more detailed information about the interaction with the THP responder. Over time, many session logs are going to accumulate in this directory. You probably want to keep the number of files in this directory below 10,000 or so.

  3. /var/log/messages, grepped for one of the following Netfilter log prefixes:

  • HPOT_DATA
    This log type is used for connections that are being redirected to THP. The log entry contains additional information taken from the IP and TCP headers.

  • FRAG_UDP
    Logs the occurrence of fragmented UDP packets that are dropped instead of being forwarded to the honeypot.

  • FRAG_ICMP
    Logs the occurrence of fragmented ICMP packets that are dropped instead of being forwarded to the honeypot.

  • BADTHINGS_IN-limit
    Logs the occurrence of FIN scans, and so on.

  • BADTHINGS_IN
    Logs the occurrence of anything else that is being dropped instead of being forwarded to the honeypot.
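To triage the Netfilter entries listed above, here is an added example (not part of the original post or of THP itself) that parses /var/log/messages lines carrying THP's log prefixes and summarises them per tag and per source address and destination port. The sample lines are constructed, and the field layout assumes the kernel LOG target's usual KEY=VALUE format.

```python
import re
from collections import Counter, defaultdict

# Netfilter LOG-target prefixes used by THP's iptables rules (from the post).
THP_TAGS = ("HPOT_DATA", "FRAG_UDP", "FRAG_ICMP", "BADTHINGS_IN-limit", "BADTHINGS_IN")

# Kernel LOG lines look like "<tag> IN=eth0 OUT= SRC=... DST=... PROTO=TCP SPT=... DPT=...".
# The longer BADTHINGS_IN-limit alternative is listed before BADTHINGS_IN on purpose.
LINE_RE = re.compile(
    r"kernel: (?P<tag>HPOT_DATA|FRAG_UDP|FRAG_ICMP|BADTHINGS_IN-limit|BADTHINGS_IN) "
    r"(?P<fields>.*)$"
)

# Constructed sample syslog lines; addresses are documentation ranges, not real hosts.
SAMPLE_MESSAGES = """\
Sep  5 10:01:02 hpot kernel: HPOT_DATA IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40213 DPT=22 SYN
Sep  5 10:01:03 hpot kernel: HPOT_DATA IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40214 DPT=23 SYN
Sep  5 10:01:05 hpot kernel: BADTHINGS_IN-limit IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=6000 DPT=80 FIN
Sep  5 10:01:09 hpot kernel: FRAG_UDP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=1500 PROTO=UDP SPT=53 DPT=53
Sep  5 10:01:10 hpot kernel: BADTHINGS_IN IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=25 SYN
Sep  5 10:01:11 hpot sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 51000
"""

def parse_line(line):
    """Return (tag, fields dict) for a THP-tagged Netfilter line, or None for other syslog noise."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:                     # flags such as SYN/FIN carry no '=' and are skipped
            key, _, value = tok.partition("=")
            fields[key] = value
    return m.group("tag"), fields

def summarize(lines):
    """Count events per tag, and per (source address, destination port) within each tag."""
    per_tag = Counter()
    per_src = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        tag, f = parsed
        per_tag[tag] += 1
        per_src[tag][(f.get("SRC", "?"), f.get("DPT", "-"))] += 1
    return per_tag, per_src

if __name__ == "__main__":
    per_tag, per_src = summarize(SAMPLE_MESSAGES.splitlines())
    for tag in THP_TAGS:
        print(f"{tag:20s} {per_tag[tag]}")
        for (src, dpt), n in per_src[tag].most_common(3):
            print(f"    {src:16s} dpt={dpt:6s} x{n}")
```

On a live host, feed the script the output of grep over /var/log/messages for the same prefixes instead of the constructed sample.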

Testing your THP

In Richard Hammer's GIAC Gold paper "Enhancing IDS using, Tiny Honeypot", he presented a couple of test cases you can play around with on your THP setup!

References

  1. Virtual Honeypots: From Botnet Tracking to Intrusion Detection, Niels Provos, Thorsten Holz, 2007.

  2. UNIX03/ Setup Tiny Honeypot with Snort, Samuel Hart, 2003.

  3. Enhancing IDS using, Tiny Honeypot, Richard Hammer, 2006.