Free Honeypot Review #1

 

THP-0.4.4

 

Table of Contents

Free Honeypot Review #1

THP-0.4.4

Introduction

Installation

Etc.


Introduction

THP is short for Tiny Honeypot, and tiny it is.  Written by George Bakos, the program can be downloaded at http://alpinista.dyndns.org/files/thp/.  At a total of 21k of disk space, it was simple to install and configure.  The concept behind THP is simple: "listen and record," and this little program does just that.  The following is an excerpt from the README file that explains the idea behind this honeypot:

 

CONCEPT
-------
The concept is simple:  listen and record.  The only problem is that the
badguys can't speak until after a connection comes up.  So we give them one.
On any port they want.  Period. Upon connecting, they are presented with a
greeting (I use fortune) and a root prompt.  W00p! They are leet. If you 
prefer a silent listener (no greeting or prompt), that's cool, too. See the
section xinetd.d/inetd, below.

xinetd is used to open a single port.  New connections to it get handed off
to a simple Perl script that builds two files: a running connection tracker,
and a unique session file, into which we merely capture all data. That's also
where the root prompt comes from. Keystrokes, autorooter scripts, exploit
reconnects, whatever. (If you want other services emulated, you add another
xinetd.d file & change the commandline param & port)

iptables REDIRECT is used to pass all incoming connection requests, regardless
of destination port, to that xinetd listener, unless we make an exception.
Portmap is one such exception.

In order for the intruder-to-be to know what port rpc.cmsd (or any other rpc 
service) is listening on, she needs to ask the target system's portmapper.
So we fire up a portmapper, and feed it bogus mappings for every service we 
can.  Sort of like building a static arp table, only more funnerer.

Now, all of this port redirect tomfoolery is TCP only, but that's ok.  UDP 
is connectionless; once the attacker believes she knows what port to use,
off it flies.  And we capture it, even if there is no service at the near 
end. I personally use Snort & SHADOW to alert me & capture everything, you
go ahead and roll your own solution.  Mine accommodates a pretty busy DSL 
that serves my family, while still grabbing every bit of nastiness that is 
sent to it. There are also several large sites running this on much busier
production systems/networks with no noticeable impact on performance.
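
To make the "listen and record" idea above concrete, here is a small handler written for this review (it is not THP's own Perl script and not part of the README).  Like THP's script it expects to be started by xinetd, so the accepted socket is its stdin and stdout; it prints a greeting and a root prompt, appends one line per connection to a running tracker file, and copies every byte the peer sends into a unique per-session capture file without ever interpreting it.  The greeting and prompt text, the file-name layout, the tracker name "connections" and the use of the REMOTE_HOST environment variable for the peer address are assumptions made for this example, not THP's format.

```python
"""Illustrative 'listen and record' handler in the style THP's README describes.

Not THP's code: THP hands each connection to a Perl script; this Python
version shows the same two-file layout (a running connection tracker plus one
capture file per session) so the idea can be tried outside the honeypot.
Under xinetd, stdin/stdout are the accepted socket, so it can be named as the
'server' of an xinetd service, or tested by hand:

    printf 'id\nuname -a\n' | python3 listen_and_record.py /tmp/hpot
"""
import os
import sys
import time

# Assumed banner and prompt; THP itself uses fortune(6) for the greeting.
GREETING = b"Linux localhost 2.4.18 #1 i686\n"
PROMPT = b"[root@localhost root]# "
TRACKER = "connections"   # assumed name of the running connection tracker


def session_path(logdir, peer, when, pid):
    """Unique per-session capture file: <unixtime>-<peer>-<pid> (assumed layout)."""
    safe_peer = peer.replace(":", "_")       # keep IPv6 peers filesystem-safe
    return os.path.join(logdir, "%d-%s-%d" % (when, safe_peer, pid))


def record_session(inp, out, logdir, peer="unknown", when=None, pid=None):
    """Greet the peer, show a root prompt, and capture every byte it sends.

    Nothing the peer types is ever interpreted or executed; each line just
    earns another prompt, which keeps autorooters and scripted exploits
    talking.  Returns (tracker_line, capture_path, captured_bytes).
    """
    when = int(time.time()) if when is None else when
    pid = os.getpid() if pid is None else pid
    os.makedirs(logdir, mode=0o700, exist_ok=True)   # README: chmod 700 the log dir
    path = session_path(logdir, peer, when, pid)

    # Running connection tracker: one line per connection, appended immediately
    # so a scan shows up even if the session capture is later cut short.
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(when))
    tracker_line = "%s %s %d %s\n" % (stamp, peer, pid, os.path.basename(path))
    with open(os.path.join(logdir, TRACKER), "a") as tracker:
        tracker.write(tracker_line)

    captured = bytearray()
    with open(path, "wb") as capture:
        out.write(GREETING)
        out.write(PROMPT)
        out.flush()
        while True:
            chunk = inp.readline()          # raw bytes, newline-delimited
            if not chunk:                   # peer closed the connection
                break
            captured += chunk
            capture.write(chunk)
            capture.flush()                 # flush per line: peers disconnect abruptly
            out.write(PROMPT)
            out.flush()
    return tracker_line, path, bytes(captured)


def read_tracker(logdir):
    """Parse the tracker back into (stamp, peer, pid, capture_name) tuples."""
    entries = []
    with open(os.path.join(logdir, TRACKER)) as tracker:
        for line in tracker:
            date, clock, peer, pid, name = line.split()
            entries.append(("%s %s" % (date, clock), peer, int(pid), name))
    return entries


if __name__ == "__main__":
    log_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/log/hpot"
    # xinetd exports the client address as REMOTE_HOST (assumed here; fall back if unset).
    client = os.environ.get("REMOTE_HOST", "unknown")
    record_session(sys.stdin.buffer, sys.stdout.buffer, log_dir, client)
```

Run it as the user that owns the log directory (the README uses nobody), never as root: the whole point of the handler is that it only records, so it needs no privilege beyond writing to /var/log/hpot.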


Installation

Installation was fairly easy.  A step-by-step set of instructions is also located in the README:

 

cd /usr/local

zcat <tgz file> | tar -xvf -

ln -s thp-0.x.x thp

mkdir /var/log/hpot

chown nobody:nobody /var/log/hpot

chmod 700 /var/log/hpot

cp ./thp/xinetd.d/* /etc/xinetd.d

edit xinetd files to change to "disable = no"

make any path & preferences adjustments in thp.conf & iptables.rules

./thp/iptables.rules

/etc/rc.d/init.d/portmap start

pmap_set < ./thp/fakerpc

/etc/rc.d/init.d/xinetd start

 

The only part that was not clear was how to apply the iptables script.  The script itself is well commented for customization, but someone with little iptables experience would have to ask for help or do some research to know what to do with it.

 

Setup

Coming soon…

Strengths and Weaknesses

Coming soon…

Logging Samples

Coming soon…

Etc.

Stay tuned for the results of this honeypot.