A honeypot is a deliberately vulnerable system that is intended to be
probed and exploited.
A honeypot is also an intrusion detection technique deployed on a
network to monitor and study the movements and activities of hackers.
Usually, honeypots are meant to help collect information about
attackers (IP and MAC addresses), find out the reason for the attack, and learn the strategies intruders use for conducting attacks.
Kinds of honeypot
High interaction honeypot:
Uses a real and working OS to be attacked.
Virtual environment: several VMs in one physical machine.
Advantages:
- Real OS and real services
- Real interaction can be captured
Disadvantages:
- Time consuming to build and maintain
- Could be used by the attacker as a stepping stone to reach other systems
Low interaction honeypot:
No real OS and no real services; only simulates specific network services.
One physical or virtual machine runs honeypot software (e.g. honeyd) and creates many emulated OSs and services.
Advantages:
- Simple program and easy to install
- No risk: there is no vulnerable OS or software to be attacked
Disadvantages:
- No real interaction can be captured
- Easily detected
Honeyd - Low interaction honeypot
Open source honeypot software which runs mostly on Unix
systems. Honeyd can be installed and run on a single machine to create many virtual hosts. The created virtual hosts can be configured to run arbitrary services. Likewise, the personalities of the created virtual hosts can be configured so that they appear to be running a certain OS.
Installing and running honeyd
- Honeyd utilizes many libraries and modules, including libraries for
packet sniffing, event notification, etc. Install the libraries: sudo apt-get install libevent-dev libdumbnet-dev libpcap-dev libpcre3-dev libedit-dev bison flex libtool automake
sudo apt-get install zlibc zlib1g zlib1g-dev
- From the folder Honeyd-master, build honeyd with the
following commands:
./autogen.sh
./configure
make
sudo make install
The heart of honeyd lies in the configuration file used to run the honeyd daemon. Create the configuration file and specify which operating systems and services are to be emulated.
By default, honeyd provides sample configuration files after
installation. These configuration files are located in the folder Honeyd-master/sample-config.
- Create a default template and indicate what actions are to be
taken for the tcp, udp and icmp protocols.
- Create virtual hosts, specifying the host, personality and ports to be opened. Note: make sure you set the right personality, otherwise you will encounter errors when you run the daemon.
- Set an Ethernet MAC address for your virtual host.
- Assign an IP address to the virtual host, either static or via DHCP.
- To log attacks and probes against your honeypot, create a directory and a log file at /var/log/honeypot/honeyd.log. Allow permissions to write to the file with: chmod 766 /var/log/honeypot/honeyd.log
- Run honeyd: honeyd -d -f <config_file> -l /var/log/honeypot/honeyd.log
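The following configuration file is an added example walking through the steps above; it is not one of honeyd's shipped sample configs. The IP addresses, MAC addresses, interface name and service script path are assumed values; the personality strings must match entries in the nmap.prints fingerprint file that ships with honeyd, which is the usual cause of the "wrong personality" error mentioned above.

```conf
# Default template: anything not matched by a virtual host is blocked,
# so stray traffic to unassigned addresses is silently dropped.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Virtual host 1: emulated Windows machine with a few common ports open.
# The personality name must appear verbatim in honeyd's nmap.prints file.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
# Port 80 is handed to an emulation script (assumed path inside the honeyd tree).
add windows tcp port 80 "sh scripts/web.sh"
# Assumed MAC address; a real Ethernet address is needed so the host answers ARP.
set windows ethernet "00:00:24:ab:8c:12"
# Static IP assignment (assumed address on the monitored segment).
bind 192.168.1.201 windows

# Virtual host 2: emulated Linux machine exposing SSH and HTTP.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 open
add linux tcp port 80 "sh scripts/web.sh"
set linux ethernet "00:00:24:cd:9e:34"
# DHCP assignment instead of a static bind (assumed interface name).
dhcp linux on eth0
```

Every connection attempt to the bound addresses, including the ports that answer with a reset, is written to the file given with -l, so the log records the probing behaviour described at the top of the page rather than only successful connections.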