Honeynet Configuration Record
Created: 2003-04-04
Article attribute: original
Submitted by: SAN (SAN_AT_XFOCUS.ORG)
I. Honeynet host configuration
Gen I forwards at layer 3 with NAT; it is relatively easy to configure, but routed forwarding decrements the TTL by one.
Gen II forwards and controls traffic at layer 2 as a bridge; it is more complicated to configure, but it does not consume a TTL hop, so it is somewhat more concealed.
To avoid compiling a kernel, Gen I is used here.
1. Host system configuration
Debian is preferred, because User-Mode-Linux is only packaged in Debian's testing and unstable; choose a fast mirror site for system updates and software installation. Geekbone's mirror is very complete and fast, and is recommended.
# apt-get update
# apt-get upgrade
SSH is needed to manage the host:
# apt-get install ssh
Remove some unnecessary services:
# update-rc.d -f inetd remove
# update-rc.d -f ppp remove
# update-rc.d -f evim remove
2. Install User-Mode-Linux
# apt-get install user-mode-linux
Debian's UML kernel is not built to mount devfs automatically, so add the devfs=mount parameter at startup.
The system image is the Red Hat 7.2 image provided by Honeynet, which can be downloaded from:
http://honeynet.xfocus.net/misc/files/root_fs.rh-7.2-server.pristine.20021012.gz
After decompressing, start UML with this file system:
# linux ubd0=root_fs.rh-7.2-server.pristine.20021012 eth0=tuntap,00:90:0b:03:04:05,192.168.0.254 devfs=mount
If the file system image is named root_fs, ubd0= is not needed. eth0=tuntap,00:90:0b:03:04:05,192.168.0.254 means the interface is bound to /dev/tap0 through TUN/TAP with IP 192.168.0.254; the MAC address in front is the MAC of the UML NIC, which otherwise defaults to fe:fd:00:00:00:00.
The username and password of this image are both root.
3. Data control
Data control uses the rc.firewall script provided by Honeynet, which can be downloaded from:
http://honeynet.xfocus.net/papers/honeynet/tools/rc.firewall
A few small modifications are made:
rc.firewall defaults to layer-2 bridging mode; change it to:
MODE="nat"
The public IP of the virtual system; multiple addresses can be given separated by spaces:
PUBLIC_IP="192.168.7.144"
The real IP of the virtual system; multiple addresses can be given separated by spaces, and they must correspond one to one with PUBLIC_IP:
HPOT_IP="192.168.0.144"
The host management interface:
MANAGE_IFACE="eth0"
The host's real IP:
MANAGE_IP="192.168.7.99"          # IP of management interface
MANAGE_NETMASK="255.255.255.0"    # Netmask of management interface
Ports allowed in to the management interface; multiple ports can be separated by spaces:
ALLOWED_TCP_IN="22"
Source addresses allowed to reach it; "any" can be used:
MANAGER="192.168.7.9/24"
The data control interface (the honeypot side):
LAN_IFACE="tap0"
rc.firewall by default allows the honeypots 9 outbound TCP connections, 20 UDP connections, 50 ICMP connections and 10 other IP connections; these limits can of course be changed in the script.
4. Data capture
Install Snort:
# apt-get install snort
Remove its automatic start:
# update-rc.d -f snort remove
The snort.conf and startup script provided by Honeynet can be downloaded from:
http://honeynet.xfocus.net/papers/honeynet/tools/snort.conf
http://honeynet.xfocus.net/papers/honeynet/tools/snort-start.txt
snort.conf has a few errors; make the following modifications:
var HOME_NET 192.168.7.99/24
output alert_full: /data/snort/snort_full
output alert_fast: /data/snort/snort_fast
The snort-start.txt startup script is slightly modified:
PID=/var/run/snort_tap0.pid
DIR=/data/snort
SNORT=/usr/sbin/snort
$SNORT -D -d -c /etc/snort/snort.conf -i vmnet1 -l $DIR/$DATE not host yyy.yyy.yyy.yyy
Here yyy.yyy.yyy.yyy is the IP of my own client machine; traffic from it is excluded so that my own connections, especially file transfers, do not bloat the log and add noise. This of course assumes the client's IP is fixed; otherwise, forget it.
Snort rules can of course also be used to restrict capture to just the data that is needed.
5. Install VMware
VMware GSX 2.5 is used; it is commercial software, and installation is straightforward. Note during installation that networking must be set up in Host Only mode and the IP assigned should be the gateway address; this can be changed with vmware-config.pl after installation. When creating virtual machines, use the Editor rather than the Wizard.
Data control and data capture are the same as for UML above; only the corresponding interface changes from tap0 to vmnetX.
6. Precautions
The iptables rules cannot be cleared simply with iptables -F, because rc.firewall sets the policies of the INPUT and FORWARD chains to DROP; after a bare flush the host is unreachable. Use a small script like the following to stop rc.firewall:
#!/bin/sh
# -----------------------------------------
# stop-firewall.sh
# -----------------------------------------
# Safely stop rc.firewall
# -F with no chain flushes every chain in the filter table, so the
# user-defined chains below are empty and can be deleted with -X.
/sbin/iptables -F
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -X icmpHandler
/sbin/iptables -X otherHandler
/sbin/iptables -X tcpHandler
/sbin/iptables -X udpHandler
echo "Honeynet rc.firewall safely stopped!"
# EOF
Unfortunately UML and VMware cannot be used at the same time, since their interfaces differ; perhaps a modified rc.firewall could make it work. After that the machine is hosted at an IDC. Each virtual machine you run needs its own public IP. Don't tell the IDC what you are doing, or they may feel uncomfortable and you will have to explain for a long time.
II. Data analysis
1. Honeynet host logs
To reduce the load on the Honeynet host, Snort simply records everything, so tcpdump could be used just as well. If possible, install a commercial IDS sensor as well: first, to check what the IDS misses, and second, to watch the Honeynet host in real time; commercial IDS consoles are generally very pretty.
In addition, fwanalog is installed to process the firewall logs:
# apt-get install fwanalog
Some configuration is needed after installation. Then write a shell script, run from crontab, to package the day's logs:
#!/bin/sh
# -----------------------------------------
# backupdata.sh
# -----------------------------------------
cd /data/snort
# The only subdirectory here is the one Snort has been logging to ($DATE in snort-start)
DIR=`ls -F | grep /$`
DM=`date +%Y%m%d`
# fwanalog
cd /var/log
tar czf fwanalog-$DM.tar.gz fwanalog
mv fwanalog-$DM.tar.gz /data/snort/$DIR/
/usr/bin/killall snort
cd /data/snort
tar czf data-$DM.tar.gz $DIR
rm -rf /data/snort/$DIR
/root/vmware/snort-start.sh
# EOF
Two entries are run from crontab:
0 8 * * * /usr/sbin/fwanalog
30 8 * * * /root/vmware/backupdata.sh
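The packaging step above removes the day's Snort directory right after tar without checking that the archive was written, and assumes /data/snort holds exactly one subdirectory. The following is an added example, not part of the original article, of a safer packaging function that reads each archive back before deleting its source and skips the directory Snort is currently writing to; the function names and the archive naming scheme are my own, while the /data/snort/<DATE>/ layout is the article's.

```shell
#!/bin/sh
# Added example: safer replacement for the "tar then rm -rf" step of
# backupdata.sh. Function names and the archive name scheme are
# hypothetical; the directory layout (/data/snort/<DATE>/) is the article's.

# archive_day_dir BASE DAYDIR STAMP
#   Writes BASE/data-STAMP-DAYDIR.tar.gz from BASE/DAYDIR, verifies that the
#   archive can be read back, and only then removes BASE/DAYDIR.
#   Returns 0 on success, 1 on any failure (the source directory is kept).
archive_day_dir() {
    base="$1"; day="$2"; stamp="$3"
    archive="$base/data-$stamp-$day.tar.gz"
    [ -d "$base/$day" ] || return 1
    # -C so the archive contains the day directory, not the absolute path
    tar czf "$archive" -C "$base" "$day" || { rm -f "$archive"; return 1; }
    # Read the archive back before deleting anything
    tar tzf "$archive" >/dev/null 2>&1 || { rm -f "$archive"; return 1; }
    rm -rf "$base/$day"
    return 0
}

# archive_finished_days BASE CURRENT STAMP
#   Archives every subdirectory of BASE except CURRENT, the directory the
#   running Snort is still logging to (its $DATE name from snort-start).
#   Prints the number of directories archived; failures leave their source.
archive_finished_days() {
    base="$1"; current="$2"; stamp="$3"; n=0
    for d in "$base"/*/; do
        d=${d%/}; d=${d##*/}
        [ "$d" = "$current" ] && continue
        archive_day_dir "$base" "$d" "$stamp" && n=$((n + 1))
    done
    echo "$n"
}

# Usage in the article's cron flow, after /root/vmware/snort-start.sh has
# restarted Snort into today's directory (constructed call, not run here):
#   archive_finished_days /data/snort "`date +%b_%d`" "`date +%Y%m%d`"
```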
2. Log transfer
Logs are transferred over SSH. Generate a key pair with ssh-keygen so that scp can transfer files from a script without a password.
Linux/Unix:
$ ssh-keygen -d
Press Enter at every prompt; this generates the two files id_dsa and id_dsa.pub in $HOME/.ssh/. Append id_dsa.pub to ~/.ssh/authorized_keys of the target user on the server, after which ssh and scp can be used as that user without a password.
PuTTY under Windows:
Generate a key pair with PuTTYgen, choosing SSH2 DSA; while the key is generated, move the mouse over the blank area to produce randomness. Likewise, upload the generated public key to $HOME/.ssh/authorized_keys on the server side (the Honeynet host). In PuTTY, under Connection -> SSH -> Auth, select the generated private key file and save the session; logging in then needs no password. pscp can use -i to specify the generated private key file and transfer files without a password, for example:
pscp -i private.ppk file user@192.168.7.140:/tmp
3. Analyzing the logs on the client
Since the logs are tcpdump-format data recorded by Snort, after transfer they have to be decoded with Snort, and SnortSnarf can be used together with it. The data is also imported into a database for later statistical analysis. Because no spare Linux machine was available, this had to be done on a WinXP workstation: Snort, MySQL, Apache, PHP, ACID, Perl, SnortSnarf. Since there is a lot of this work every day, the rough daily analysis should take as little time as possible, so with an sh.exe pulled from Tk the following crude script was put together:
#!/bin/sh
# -----------------------------------------
# daily_get.sh
# -----------------------------------------
# Note: the date/tar/gzip/rm used here are all
# GNU ports for Windows.
# -----------------------------------------
DM=`date +%Y%m%d`
# The packaged directory is named after the previous day, which GNU date handles easily.
DA=`date -d yesterday +%b_%d`
pscp -i ssh.ppk honeynet@xxx.xxx.xxx.xxx:/data/snort/data-$DM.tar.gz logs
# If the log file contains Code Red or other scans, Norton will delete it.
net stop "Norton AntiVirus Client"
# Unpack. The z option of tar under Windows cannot find gzip, so do it the clumsy way.
gzip -d logs/data-$DM.tar.gz
tar xf logs/data-$DM.tar -C daily/
# Start MySQL
net start MySQL
# Use Snort to analyze the log, write alerts to the log directory and import them into the database for overall statistics. Snort needs to be configured accordingly.
cd //snort
rm -rf log
mkdir log
bin//snort -c etc//snort.conf -r //working//honeynet//daily//$DA//*-snort.log
# Restart Norton
net start "Norton AntiVirus Client"
# Generate the daily summary with SnortSnarf. First clear the previous day's output.
cd //working//honeynet//tmp
rm -rf snortsnarf
mkdir snortsnarf
cd //working//honeynet//snortsnarf
perl snortsnarf.pl ..//..//..//snort//log//alert.ids -d ..//tmp//snortsnarf
cd ..//tmp//snortsnarf
"C:/Program Files/Internet Explorer/IEXPLORE.EXE" "D:/working/honeynet/tmp/snortsnarf/index.html"
# Look at the firewall log
cd //working//honeynet//daily//$DA
gzip -d fwanalog-$DM.tar.gz
tar xf fwanalog-$DM.tar
"C:/Program Files/Internet Explorer/IEXPLORE.EXE" D://working//honeynet//daily//$DA//fwanalog//today.html
# EOF
Write a batch file, ft.bat:
sh -x daily_get.sh
Add ft.bat to Scheduled Tasks to run daily. At 9 o'clock the hard disk rattles for a while and then a burst of IE windows pops up. If nothing was attacked, just glance at it; if something looks interesting, manual analysis is needed: go through the tcpdump log to find out what others did in the honeypot, and you may find a lot of fun. In general, if the log suddenly grows, there must be a large-scale scan, an attack, or a worm on the net. For example, Code Red II is currently spreading like atypical pneumonia, and countless machines scan you every day.
The crude scripts above use GNU tools; if you use Linux as your desktop platform, everything is simpler.
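For the rough daily look that the script above automates, here is an added example, not from the original article, that summarizes a Snort alert_fast file (the format written by the output alert_fast line in snort.conf) by signature and by source address with awk. The sample alert lines it writes are constructed for the example; their signature names and addresses are illustrative, not taken from a real log.

```shell
#!/bin/sh
# Added example: quick summary of a Snort alert_fast file, the format that
# the "output alert_fast:" line in snort.conf produces. Not from the article.
# One alert per line (Snort 1.9/2.x):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] NAME [**] [Classification: ...]
#   [Priority: N] {PROTO} SRC:PORT -> DST:PORT      (ICMP lines carry no ports)

# top_signatures FILE N : prints "count<TAB>signature", most frequent first
top_signatures() {
    awk '{
        i = index($0, "[**] "); rest = substr($0, i + 5)   # after first [**]
        j = index(rest, " [**]"); name = substr(rest, 1, j - 1)
        sub(/^\[[0-9]+:[0-9]+:[0-9]+\] /, "", name)       # drop [gid:sid:rev]
        c[name]++
    } END { for (k in c) printf "%d\t%s\n", c[k], k }' "$1" | sort -rn | head -n "$2"
}

# top_sources FILE N : prints "count<TAB>source IP", most frequent first
top_sources() {
    awk '{
        src = $(NF - 2)              # last three fields are SRC -> DST
        sub(/:[0-9]+$/, "", src)     # strip the port; ICMP has none
        c[src]++
    } END { for (k in c) printf "%d\t%s\n", c[k], k }' "$1" | sort -rn | head -n "$2"
}

# write_sample_alerts FILE : constructed sample data (illustrative values)
write_sample_alerts() {
    cat > "$1" <<'EOF'
04/04-09:01:10.000001  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3001 -> 192.168.7.144:80
04/04-09:01:11.000002  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:3002 -> 192.168.7.144:80
04/04-09:02:00.000003  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:1025 -> 192.168.7.144:80
04/04-09:05:30.000004  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.0.0.7 -> 192.168.7.144
EOF
}

# Daily use against the article's file: top_signatures /data/snort/snort_fast 10
```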
References:
http://honeynet.xfocus.net/papers/uml/
http://honeynet.xfocus.net/papers/vmware/