Honeynet Configuration Record

xiaoxiao2021-03-06  103

Honeynet Configuration Record

Create time: 2003-04-04

Article attribute: original

Article submission:

SAN (SAN_AT_XFOCUS.ORG)

First, Honeynet host configuration

Gen i is converted with NAT in three layers, and the configuration is relatively convenient, but routing forwarding will drop a TTL.

GEN II is a two-layer BRIGE forwarding control, and the configuration is relatively complicated, and the TTL is not consumed, and some are more concealed.

Do not compile the kernel, use Gen I.

1, host system configuration

Compare Debian, because User-Mode-Linux is only in Debian's Testing and UnStable, so you will choose a fast mirror site for system update, software installation. Geekbone's Mirror is very complete, and it is good, recommended.

# APT-GET UPDATE

# APT-GET UPGRADE

Need SSH to manage hosts:

# APT-GET Install SSH

Remove some unnecessary services:

# Update-rc.d -f inetd Remove

# Update-rc.d -f PPP Remove

# Update-rc.d -f evim remove

2, install user-mode-linux

# APT-GET Install User-Mode-Linux

Debian's UML kernel is not equipped with Mount Devfs, so adds DEVFS = MOUNT parameters when startup.

System image uses the redhat 7.2 provided by HoneyNet, you can download from the following address:

http://honeynet.xfocus.neet/misc/files/root_fs.rh-7.2-server.pristine.20021012.gz

Use this file system to start UML after decompression:

# Linux ubd0 = root_fs.rh-7.2-server.pristine.20021012 eth0 = Tuntap, 00: 90: 0B: 03: 04: 05, 192.168.0.254 Devfs = mount

If the file system image file name is root_fs, it doesn't need to add ubd0 =, eth0 = tuntap, 00: 90: 0B: 03: 04: 05, 192.168.0.254 means using TUN / TAP binding / dev / TAP0, IP is 192.168.0.254, the front MAC address is the MAC address of the UML NIC, otherwise the default is Fe: fd: 00: 00: 00: 00.

The username and password of this system are root.

3, data control

Data Control Use the rc.firewall script provided by Honeynet, you can download from the following address:

http://honeynet.xfocus.net/papers/honeynet/toLS/rc.firewall

Do some slight modifications:

Rc.firewall defaults to use 2 layers of BridGing mode, modified to:

Mode = "nat"

You need to configure the IP of the virtual system to specify multiple spaces separated by spaces:

PUBLIC_IP = "192.168.7.144"

Configure the virtual system real IP, you can specify multiple spaces separated by spaces, pay attention to public_ip:

HPOT_IP = "192.168.0.144"

Configure the host management interface:

Manage_iface = "eth0"

Host true IP:

Manage_ip = "192.168.7.99" # ip of management interfaceManage_netmask = "255.255.255.0" # Netmask of management Interface

Allow access to the port, you can separate multiple spaces:

ALLOWED_TCP_IN = "22"

Allow access to the source IP, you can use any:

Manager = "192.168.7.9/24"

Data Control Interface:

Lan_iface = "TAP0"

Rc.fireWall defaults to allow 9 TCP connections, 20 UDP connections, 50 ICMP connections, and 10 other IP connections. Of course, you can modify these parameters in the script.

4, data capture

Install Snort:

# APT-GET Install Snort

Remove its automatic start:

# Update-rc.d -f Snort Remove

Snort.conf provided by Honeynet and startup script, download address:

Http://honeynet.xfocus.net/papers/honeynet/tools/snort.conf

http://honeynet.xfocus.net/papers/honeynet/tools/snort-start.txt

Snort.conf has some errors, making the following modifications:

Var Home_Net 192.168.7.99/24

Output alert_full: / data / snort / snort_full

Output alert_fast: / data / snort / snort_fast

Snort-start.txt startup script is slightly modified:

PID = / var / run / snort_tap0.pid

DIR = / data / SNORT

Snort = / usr / sbin / SNORT

$ SNORT -D -D -C /ETC/SNORT/SNORT.CONF - VMNET1 -L $ DIR / $ DATE NOT HOST YYY.YY.YYY.YYY

Among them, YYY.YYY.YYY.YY is my client's IP, which ignores the record of their IP, avoiding the connection, especially file transmission, etc., so that the log will become huge because of their operations Increase interference information. Of course, the premise is that the IP of the client is fixed, otherwise even if it is.

Of course, the Snort rule can be eligible for the data that needs to capture.

5, install VMware

Using VMware-GSX-2.5, commercial software care is installed. Attention to the installation, the network is to be installed as a Host Only mode, the set IP is the gateway address, which can be modified with VMware-Config.pl after installation. Do not use Wizard using Editor to use Editor.

The data control and data capture are the same as the above UML, that is, the corresponding interface is changed from TAP0 to VMNETX.

6, precautions

Clearing the iptables rules cannot be simple to come to iptables -f, because the rc.firewall script sets the INPUT and FORWARD's policies to DROP, if such revoked rc.firewall is not available. Use a small script with the following:

#! / bin / sh

# -----------------------------------------

# stop-firewall.sh

# -----------------------------------------

# Safely Stop rc.firewall

/ sbin / iptables -f / sbin / iptables -p Input Accept

/ sbin / iptables -p forward accept

/ sbin / iptables -p output accept

/ sbin / iptables -x icmphandler

/ sbin / iptables -x otherhandler

/ sbin / iptables -x tcphandler

/ sbin / iptables -x udphandler

Echo "Honeynet rc.firewall Safely Stoped!"

#Eof

Unfortunately, UML and VMware cannot be used at the same time, and they are different, maybe change Rc.fireWall can be implemented. Then, hosted the machine to the IDC. You have to open a few virtual machines, you need a few external IP, don't tell IDC what you do, or others may feel uncomfortable, you have to explain for a long time.

Second, data analysis

1, Honeynet host log

In order to reduce the burden of the HoneyNet host, Snort simply records all logs, so it is also possible to use TCPDUMP. If possible, you can install a business IDS detector, and check the status of IDS leaks, two can observe the Honeynet host in real time, this business IDS is generally very beautiful.

In addition, FWANALOG is installed on firewall logs:

# APT-GET Install Fwanalog

There will be some configurations after installation. Then write a shell script for crontab for a daily log package:

#! / bin / sh

# -----------------------------------------

# Backupdata.sh

# -----------------------------------------

CD / DATA / SNORT

DIR = `LS -F | grep / $`

DM = `Date % Y% M% D`

#fwanalog

CD / VAR / LOG

TAR CZF FWANALOG- $ DM.TAR.GZ FWANALOG

MV FWANALOG- $ DM.TAR.GZ / DATA / SNORT / $ DIR /

/ usr / bin / killall Snort

CD / DATA / SNORT

TAR CZF DATA- $ DM.TAR.GZ $ DIR

RM-RF / DATA / SNORT / $ DIR

/Root/vmware/snort-start.sh

#Eof

Two programs have been run in crontab:

0 8 * * * / usr / sbin / fwanalog

30 8 * * * /Root/VMware/backupdata.sh

2, log transmission

Logs are transmitted via SSH, generate a pair of keys via SSH-KEYGEN, you can use the SCP transfer file without passwords in the script.

Linux / unix:

$ ssh-keygen -d

When you have a prompt, you will enter the bus directly, so you will generate two files for ID_DSA and ID_DSA.pub in $ home / .ssh /. Upload id_dsa.pub to a user / .ssh / authorized_keys of a user / .ssh / authorized_keys, so that you can use this user without password using the SSH, SCP.

PUTTY under Windows:

To generate a pair of keys with PUTTYGEN, use SSH2 DSA, when generated, use the mouse to stop in the blank portion to generate random numbers. Similarly, upload the generated public key to the server side (HoneyNet host) $ HOME / .SSH / Authorized_keys, in the PUTTY CONNECTION -> SSH -> Auth, select the generated private key file, save this session, you can There is no need to log in. PSCP can use -i to specify the generated private key file, no password transfer file, such as:

Pscp -i private.ppk file user@192.168.7.140: / tmp

3, client analysis log

Since the log is data using Snort record TCPDUMP format, it has to be decomposed with SNORT after the data is passed, and can be used in conjunction with SnortSnarf. In addition, data is imported into the database for analysis statistics in the future. But because the fixed Linux machine is not found, it can only be taken in the WinXP's work. Snort, MySQL, Apache, PHP, ACID, Perl, SnortSnarf. Since there will be a lot of work every day, the daily rough analysis wants to take the time as possible, from TK to a SH.exe, form the following BT script:

#! / bin / sh

# -----------------------------------------

# daily_get.sh

# -----------------------------------------

# Note that the DATE / TAR / GZIP / RM used inside is all

# GNU's Windows Corresponding software.

# -----------------------------------------

DM = `Date % Y% M% D`

# Because the packaging directory is used by the previous day, this is better than the GNU Date implementation.

Da = `Date -d Yesterday % B_% D`

PSCP -I SSH.PPK Honeynet@xxx.xxx.xxx.xxx: /data/snort/data- (Data- DM.TAR.GZ logs

# If there is a Codered and other scans in the log file, Norton will delete the log.

NET STOP "Norton AntiVirus Client"

# 解 解, the z parameter of TAR under Windows does not find Gzip, so this is stupid.

Gzip -d logs / data- $ dm.tar.gz

TAR XF logs / data- $ dm.tar -c Daily /

# 开 mSQL

Net Start MySQL

# Use the Snort analysis log and generate a warning log to the log directory, and import the database for overall statistical analysis. This needs to be configured SNORT

CD // Snort

RM-RF log

Mkdir log

BIN // Snort-C etc // snort.conf -r //working//honeynet//daily/ ($ d //*-snort.log

# Reope with Norton

Net Start "Norton AntiVirus Client"

# Generate a daily summary log with SnortSnarf. First clearly, one day

CD // Working // Honeynet // TMP

RM-RF Snortsnarf

Mkdir Snortsnarf

CD // Working // HoneyNet // Snortsnarf

Perl snortsnarf.pl ..//..//..//snort//log//alert.ids -d ..//tmp/snortsnarfcd ..//tmp//snortsnarf

"C: / Program Files / Internet Explorer / IExplore.exe" "D: /working/honeynet/tmp/snortsnarf/index.html"

# 看看 f 的 的

CD // Working // Honeynet // Daily / / $ DA

Gzip -d fwanalog- $ dm.tar.gz

TAR XF FWANALOG- $ DM.TAR

"C: / program files / Internet explorer / ipplore.exe" D: //working/ / //fwanalog//today.html

#Eof

Write a batch, ft.bat:

sh -x daily_get.sh

In the planned task, add ft.bat every day. When the hard disk is left at 9 o'clock, the hard drive is pulled out after a burst of the IE window. If there is nothing to attack, it will take a look, if you are interested, you need manual analysis. TCPDUMP log, find out what others do in Honeypot, maybe you can find a lot of fun. Generally, if the log suddenly increases, there must be a large-scale scan from attack or online worms. For example, the recent Codered II is popular like atypical pneumonia, and there are countless machines every day to scan you.

The above BT scripts are tools using the GNU. If you use Linux as a desktop platform, everything is simpler.

Reference:

Http://honeynet.xfocus.net/papers/uml/

http://honeynet.xfocus.net/papers/vmware/

转载请注明原文地址:https://www.9cbs.com/read-124665.html

New Post(0)