These classnotes are depreciated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes

UNIX03/Setup Tiny Honeypot With Snort

Classnotes | UNIX03 | RecentChanges | Preferences

NOTE: Before proceeding, you will probably want to turn off our adaptive firewall from last week so that, while troubleshooting your install, you don't have any extra security tools enabled in our mix.

We will now set up thp (Tiny Honeypot) with Snort. You could also add SHADOW to this mix rather easily, but we will not be doing it today.

Before configuring thp, we must have a working IDS installed. So first install and configure Snort:

Installing Snort under Debian

As we are using Debian, we can install Snort using apt-get:
 # apt-get install snort

Snort consists of several packages under Debian, and we will install all of them.

When we first install Snort under Debian, we will be presented with the following initial configuration dialogs:

Snort for Debian comes with the ability to send network notifications about intrusion attemps. This is simply telling us where to look to set that up (we will not be setting it up). If you would like more information about what this is, then check out this link

This allows us to specify a network interface.

This is where we would specify our network.

Finally, this is who should receive e-mails.

Once Snort has installed, be sure to configure the /etc/snort.conf file as detailed previously (see /Snort Configuration).

Installing thp

You can get Tiny Honeypot from it's homepage :

You will want to unarchive this file into /usr/local. This will create a directory /usr/local/thp-X.X.X. Symlink 'thp' to this directory. By doing this, we can upgrade our thp install in the future, and not have to drastically reconfigure our system:

 # cd /usr/local
 # tar xzf ~/thp-X.X.X.tar.gz
 # ln -s thp-X.X.X thp

Edit thp.conf to your pleasing. I would recommend using fortune as your MOTD script (apt-get install fortune, if fortune is not already installed). You probably also want to specify logtype as multi, or else you will not get a log entry for thp if an intruder is actively in the pot.

Next, you will want to setup the directories for thp to log its files into. We will have thp run as non-priviledged user "nobody", but in production, we might want to change this to a "thp"-specific user:

 # mkdir /var/log/hpot
 # chown nobody:nobody /var/log/hpot
 # chmod 700 /var/log/hpot

If you do not yet have xinetd installed, then you might wish to do

 # apt-get install xinetd

Next, install the xinetd.d scripts from /usr/local/thp:

 # cd /usr/local/thp
 # cp ./xinetd.d/* /etc/xinetd.d

Edit xinetd in /etc/xinetd.d files to change to :"disable = no", so that we re-enable our ports. Also, make any path & preferences adjustements in thp.conf & iptables.rules in the /usr/local/thp directory.

Now, we will setup our iptables rules. Before doing so, you probably want to make sure your iptables are clean. Refer to our discussion last week on iptables, and delete any existing entries from your firewall.

Once your iptables are clean, run the thp iptables script:

 # /usr/local/thp/iptables.rules

Start portmap (or restart it), and add the fakepc file to the mapped ports:

 # /etc/init.d/portmap start
 # pmap_set < /usr/local/thp/fakerpc

Finally, start xinetd:

 # /etc/init.d/xinetd start

Congratulations! If all went well, you now have Snort watching your network, and thp providing a number of special traps for unsuspecting crackers. Connect to your system on the known ports and verify that thp is working. Also, check your logs and ensure that the entire IDS/Honeypot? system is functionning in harmony.

Classnotes | UNIX03 | RecentChanges | Preferences
This page is read-only | View other revisions
Last edited June 28, 2003 6:33 pm (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.