NOTE: Before proceeding, you will probably want to turn off our adaptive firewall from last week so that, while troubleshooting your install, you don't have any extra security tools enabled in our mix.
We will now set up thp (Tiny Honeypot) with Snort. You could also add SHADOW to this mix rather easily, but we will not be doing it today.
Before configuring thp, we must have a working IDS installed. So first install and configure Snort:
Installing Snort under Debian
As we are using Debian, we can install Snort using apt-get:
# apt-get install snort
Snort consists of several packages under Debian, and we will install all of them.
When we first install Snort under Debian, we will be presented with the following initial configuration dialogs:
Snort for Debian comes with the ability to send network notifications about intrusion attempts. This dialog is simply telling us where to look to set that up (we will not be setting it up). If you would like more information about what this is, see http://www.cysol.co.jp/contrib/snortsnmp/snortSnmpGuide.html
This allows us to specify a network interface.
This is where we would specify our network.
Finally, this is who should receive e-mails.
Once Snort has installed, be sure to configure the /etc/snort.conf file as detailed previously (see /Snort Configuration).
You will want to unarchive this file into /usr/local. This will create a directory /usr/local/thp-X.X.X. Symlink 'thp' to this directory. By doing this, we can upgrade our thp install in the future, and not have to drastically reconfigure our system:
# cd /usr/local
# tar xzf ~/thp-X.X.X.tar.gz
# ln -s thp-X.X.X thp
Edit thp.conf to your liking. I would recommend using fortune as your MOTD script (apt-get install fortune, if it is not already installed). You will probably also want to set logtype to multi; otherwise thp will not write a log entry while an intruder is actively in the pot.
Next, you will want to set up the directories for thp to log its files into. We will have thp run as the non-privileged user "nobody"; in production, you might want to change this to a dedicated "thp" user:
If you do not yet have xinetd installed, then you might wish to do
# apt-get install xinetd
Next, install the xinetd.d scripts from /usr/local/thp:
# cd /usr/local/thp
# cp ./xinetd.d/* /etc/xinetd.d
Edit the thp files in /etc/xinetd.d, changing "disable = yes" to "disable = no" so that our ports are re-enabled. Also make any path and preference adjustments in thp.conf and iptables.rules in the /usr/local/thp directory.
Now we will set up our iptables rules. Before doing so, you probably want to make sure your iptables are clean. Refer to our discussion last week on iptables, and delete any existing entries from your firewall.
Once your iptables are clean, run the thp iptables script:
# /usr/local/thp/iptables.rules
Start portmap (or restart it), and add the fakepc file to the mapped ports:
Congratulations! If all went well, you now have Snort watching your network, and thp providing a number of special traps for unsuspecting crackers. Connect to your system on the known ports and verify that thp is working. Also check your logs and ensure that the entire IDS/honeypot system is functioning in harmony.
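A quick audit of the copied xinetd.d files, as an added example that is not part of the original tutorial or of thp itself: it parses each xinetd service block and reports services still marked "disable = yes" or not running as the user "nobody" from the step above. The sample file contents, the service names and the server path /usr/local/thp/thp.sh are constructed for the example.

```python
import re

# Constructed sample: two xinetd.d files as they might look after copying
# thp's scripts; the smtp one has not been edited yet.
SAMPLE_FILES = {
    "thp-ftp": """service ftp
{
    disable     = no
    socket_type = stream
    user        = nobody
    server      = /usr/local/thp/thp.sh
    server_args = ftp
}
""",
    "thp-smtp": """service smtp
{
    disable     = yes   # still the shipped default
    socket_type = stream
    user        = root
    server      = /usr/local/thp/thp.sh
    server_args = smtp
}
""",
}

# xinetd syntax: "service <name> { attr = value ... }"
BLOCK_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_services(text):
    """Return {service_name: {attribute: value}} for one xinetd file."""
    services = {}
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" in line:
                key, _, value = line.partition("=")
                attrs[key.strip()] = value.strip()
        services[name] = attrs
    return services

def audit(files, expected_user="nobody"):
    """Flag services still disabled or not running as expected_user."""
    findings = []
    for fname, text in files.items():
        for svc, attrs in parse_services(text).items():
            if attrs.get("disable", "no").lower() == "yes":
                findings.append((fname, svc, "still disabled"))
            if attrs.get("user") != expected_user:
                findings.append((fname, svc, "runs as %r, expected %r"
                                 % (attrs.get("user"), expected_user)))
    return findings
```

Point it at the real files by reading each entry of /etc/xinetd.d into the dictionary instead of the constructed sample.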