Tiny Honeypot (THP) is probably the easiest low-interaction honeypot I’ve deployed, and it produced a reasonable amount of results from the work I’ve put in.
Tiny Honeypot is a simple honeypot program based on iptables redirects and xinetd listener. It listens on every TCP port not currently in use, logging all activity and providing some feedback to the attacker. The responders are entirely written in Perl, and provide just enough interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. With appropriate limits (default), THP can reside on production hosts with negligible impact on performance.
(Source: Security Focus)
Installing THP
CentOS 5.5 is the base OS I used for my THP deployment.
The original home of the THP tarballs (http://www.alpinista.org/thp) is no longer online, but a copy of the site is still available from the Wayback Machine.
1. Download the latest version and untar it:
# tar -xvzf LATEST-IS-thp-0.4.6.tar.gz
2. Create a directory for your (default) log to reside in:
mkdir /var/log/hpot
chown nobody:nobody /var/log/hpot
chmod 700 /var/log/hpot
3. As mentioned, “THP is a simple honeypot program based on iptables redirects and xinetd listener.” In the directory you untarred THP into, run:
./iptables.rules
cp ./xinetd.d/* /etc/xinetd.d
service portmap restart
pmap_set < /usr/local/thp/fakerpc
4. Enable each of the new xinetd listeners by changing “disable = yes” to “disable = no” in the service files you copied into /etc/xinetd.d, then restart xinetd:
service xinetd restart
5. You have successfully deployed your THP!
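Step 4 is the one that is easy to get half right: a service file left at “disable = yes” simply never listens, and nothing complains. The script below is an added example, not code from THP or from the original post. It flips the disable directive in every service file under a directory you name, leaves every other setting alone, and counts how many files are still disabled so you can check the result before running service xinetd restart. The sample service files it writes for its own demo are constructed (names and the server path are placeholders, not taken from the tarball); on a real host you would point enable_thp_listeners at /etc/xinetd.d instead.

```shell
#!/bin/sh
# Added example, not part of THP or the original post: automate step 4 of the
# install (flip "disable = yes" to "disable = no" in the xinetd service files
# copied from THP's xinetd.d) and verify the result before restarting xinetd.
# Assumptions: service files use xinetd's usual "disable = yes" directive, and
# the directory is passed in so the functions can be exercised on a copy.

# make_sample_xinetd DIR
# Writes two constructed service files in the shape xinetd expects. Names and
# the server path are illustrative placeholders, not taken from the tarball.
make_sample_xinetd() {
    mkdir -p "$1"
    for svc in thp-sample-a thp-sample-b; do
        cat > "$1/$svc" <<EOF
service $svc
{
        disable         = yes
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = nobody
        server          = /usr/local/thp/RESPONDER_PLACEHOLDER
}
EOF
    done
}

# enable_listener FILE
# Rewrites only the disable directive; every other setting is left untouched.
# Writes to a temp file and renames, so a failed sed never truncates FILE.
enable_listener() {
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# enable_thp_listeners DIR [SERVICE...]
# Enables the named services under DIR, or every file in DIR when none are
# named. Idempotent: a second run changes nothing. Fails if a named service
# file is missing, so a typo does not pass silently.
enable_thp_listeners() {
    dir="$1"; shift
    if [ "$#" -eq 0 ]; then
        for f in "$dir"/*; do
            if [ -f "$f" ]; then enable_listener "$f"; fi
        done
    else
        for svc in "$@"; do
            if [ ! -f "$dir/$svc" ]; then
                echo "no service file for $svc in $dir" >&2
                return 1
            fi
            enable_listener "$dir/$svc"
        done
    fi
    return 0
}

# count_disabled DIR
# Number of service files under DIR still carrying "disable = yes". It should
# read 0 before "service xinetd restart", otherwise those ports stay dark.
count_disabled() {
    grep -l '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"/* 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone demo on a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_xinetd "$demo_dir"
echo "disabled before: $(count_disabled "$demo_dir")"   # prints 2
enable_thp_listeners "$demo_dir"
echo "disabled after:  $(count_disabled "$demo_dir")"   # prints 0
rm -rf "$demo_dir"
```

The temp-file-and-rename in enable_listener matters more than it looks: xinetd re-reads these files on restart, and a sed that dies halfway through an in-place edit would leave a truncated service definition behind.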
THP Logs
THP captures three different types of logs.
1. /var/log/hpot/captures
This log file contains a summary for each connection. You can have it summarised into a single line which makes it easier to post-process the data or have it in a multiline format which is easier to read. You should look into your Netfilter logs in /var/log/messages if you need more connection information.
2. /var/log/hpot/<sessionid.protocol>
Each session gets its own log file containing more detailed information about the interaction with the THP responder. Over time, many session logs will accumulate in this directory; you probably want to keep the number of files there below 10,000 or so.
3. /var/log/messages
The Netfilter rules tag their log entries with one of the following prefixes, so grep /var/log/messages for the tag you are interested in:
HPOT_DATA: connections that are being redirected to THP. The log entry contains additional information from the IP and TCP headers.
FRAG_UDP: fragmented UDP packets that are dropped instead of being forwarded to the honeypot.
FRAG_ICMP: fragmented ICMP packets that are dropped instead of being forwarded to the honeypot.
BADTHINGS_IN-limit: FIN scans and the like.
BADTHINGS_IN: anything else that is being dropped instead of being forwarded to the honeypot.
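Grepping for a tag works, but a plain grep for BADTHINGS_IN also matches BADTHINGS_IN-limit, and a tag count on its own says nothing about who is knocking. The following is an added example, not code from THP or the original post: it pulls the log prefix out of each Netfilter line (the token just before IN=), tallies connections per tag, lists the source addresses behind a given tag together with the destination ports they touched, and checks the session-log directory against the 10,000-file rule of thumb above. The /var/log/messages lines it analyses are constructed for the demo (documentation-range addresses, standard iptables LOG field layout), not captured traffic; the field layout of real entries depends on your syslog configuration, so treat the parser's assumptions about the kernel: prefix as exactly that.

```shell
#!/bin/sh
# Added example, not part of THP or the original post: triage the Netfilter
# log entries THP's iptables rules write to /var/log/messages.
# Assumptions: classic syslog layout ("Mon DD HH:MM:SS host kernel: PREFIX IN=..."),
# and the iptables LOG field order IN= OUT= SRC= DST= ... PROTO= SPT= DPT=.

# write_sample_messages FILE
# Writes constructed log lines (documentation-range addresses, illustrative
# ports). The sshd line is deliberate noise that the parser must ignore.
write_sample_messages() {
    cat > "$1" <<'EOF'
Mar  3 10:15:02 hpot kernel: HPOT_DATA IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=51 ID=1234 DF PROTO=TCP SPT=43120 DPT=23 WINDOW=5840 SYN URGP=0
Mar  3 10:15:05 hpot kernel: HPOT_DATA IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=51 ID=1235 DF PROTO=TCP SPT=43121 DPT=445 WINDOW=5840 SYN URGP=0
Mar  3 10:16:11 hpot kernel: HPOT_DATA IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=112 ID=20211 DF PROTO=TCP SPT=1337 DPT=23 WINDOW=65535 SYN URGP=0
Mar  3 10:17:40 hpot kernel: FRAG_UDP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=1500 TTL=112 ID=20300 MF PROTO=UDP SPT=53 DPT=53
Mar  3 10:18:02 hpot kernel: BADTHINGS_IN IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TTL=51 ID=1300 PROTO=TCP SPT=60000 DPT=80 WINDOW=1024 FIN URGP=0
Mar  3 10:18:03 hpot kernel: BADTHINGS_IN-limit IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TTL=51 ID=1301 PROTO=TCP SPT=60001 DPT=81 WINDOW=1024 FIN URGP=0
Mar  3 10:19:00 hpot sshd[2210]: Accepted publickey for admin from 192.0.2.50 port 50122 ssh2
EOF
}

# thp_tag_counts FILE
# Prints "TAG COUNT" per Netfilter log prefix, busiest first. The prefix is
# taken as the token immediately before "IN=", so BADTHINGS_IN and
# BADTHINGS_IN-limit are counted separately instead of one matching the other.
thp_tag_counts() {
    awk '
        $5 == "kernel:" {
            tag = ""
            for (i = 6; i <= NF; i++) if ($i ~ /^IN=/) { tag = $(i - 1); break }
            if (tag != "") n[tag]++
        }
        END { for (t in n) print t, n[t] }' "$1" | sort -k2,2nr -k1,1
}

# thp_count_tag TAG FILE
# Exact-match count for one tag; prints 0 when the tag never appears.
thp_count_tag() {
    thp_tag_counts "$2" | awk -v t="$1" '$1 == t { print $2; found = 1 } END { if (!found) print 0 }'
}

# thp_top_sources TAG FILE
# Prints "SRC COUNT DPORTS" for the given tag: which addresses generated the
# most entries and which destination ports they touched (comma separated).
thp_top_sources() {
    awk -v want="$1" '
        $5 == "kernel:" {
            tag = ""; src = ""; dpt = ""
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^IN=/) tag = $(i - 1)
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (tag == want && src != "") {
                n[src]++
                if (index("," ports[src] ",", "," dpt ",") == 0)
                    ports[src] = (ports[src] == "" ? dpt : ports[src] "," dpt)
            }
        }
        END { for (s in n) print s, n[s], ports[s] }' "$2" | sort -k2,2nr -k1,1
}

# thp_session_backlog DIR LIMIT
# Prints the number of per-session log files in DIR and returns 1 when it is
# above LIMIT, so it can gate a cron job that archives old sessions.
thp_session_backlog() {
    n=$(ls -1 "$1" | wc -l | tr -d ' ')
    echo "$n"
    [ "$n" -le "$2" ]
}

# Stand-alone demo on the constructed sample.
sample=$(mktemp)
write_sample_messages "$sample"
echo "== entries per Netfilter tag =="; thp_tag_counts "$sample"
echo "== HPOT_DATA sources =="; thp_top_sources HPOT_DATA "$sample"
rm -f "$sample"
```

On a real box you would run thp_tag_counts /var/log/messages and thp_session_backlog /var/log/hpot 10000; the per-source view is the quickest way to tell one noisy scanner apart from many distinct visitors before you open the individual session logs.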
Testing Your THP
In Richard Hammer’s GIAC Gold paper “Enhancing IDS using, Tiny Honeypot”, he presents a couple of test cases you can run against your own THP setup.
References
Virtual Honeypots: From Botnet Tracking to Intrusion Detection, Niels Provos and Thorsten Holz, 2007.
UNIX03: Setup Tiny Honeypot with Snort, Samuel Hart, 2003.
Enhancing IDS using, Tiny Honeypot, Richard Hammer, GIAC Gold paper, 2006.
Author
Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter.