These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Setup Tiny Honeypot With Snort

NOTE: Before proceeding, you will probably want to turn off our adaptive firewall from last week so that, while troubleshooting your install, you don't have any extra security tools enabled in our mix.

We will now set up thp (Tiny Honeypot) with Snort. You could also add SHADOW to this mix rather easily, but we will not be doing it today.

Before configuring thp, we must have a working IDS installed. So first install and configure Snort:

Installing Snort under Debian

As we are using Debian, we can install Snort using apt-get:
 # apt-get install snort

Snort consists of several packages under Debian, and we will install all of them.

When we first install Snort under Debian, we will be presented with the following initial configuration dialogs:

Snort for Debian comes with the ability to send network notifications about intrusion attempts. This is simply telling us where to look to set that up (we will not be setting it up).

This allows us to specify a network interface.

This is where we would specify our network.

Finally, this is who should receive e-mails.

Once Snort has installed, be sure to configure the /etc/snort.conf file as detailed previously (see /Snort Configuration).

Installing thp

You can get Tiny Honeypot from its homepage: http://www.alpinista.org/thp/

You will want to unarchive this file into /usr/local. This will create a directory /usr/local/thp-X.X.X. Symlink 'thp' to this directory. By doing this, we can upgrade our thp install in the future, and not have to drastically reconfigure our system:

 # cd /usr/local
 # tar xzf ~/thp-X.X.X.tar.gz
 # ln -s thp-X.X.X thp
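
As an added example (not part of the original class notes or of the thp distribution), the unpack-and-symlink steps above can be wrapped in a shell function that checks the archive's member names first, since the extraction runs as root in /usr/local. The function names, the single-top-level-directory check and the use of --no-same-owner are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.

# Print the archive's single top-level directory. Fail if any member name is
# absolute, contains a ".." component, or if there is more than one top-level
# entry (a thp-X.X.X tarball is assumed to unpack into one directory).
tar_topdir() {
    tar tzf "$1" | awk -F/ '
        /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
        { sub(/^\.\//, ""); if ($1 != "") seen[$1] = 1 }
        END {
            n = 0
            for (d in seen) { n++; top = d }
            if (bad || n != 1) exit 1
            print top
        }'
}

# install_versioned TARBALL PREFIX LINK
# Unpack TARBALL under PREFIX and point PREFIX/LINK at the new directory.
install_versioned() {
    tarball=$1 prefix=$2 link=$3
    top=$(tar_topdir "$tarball") || {
        echo "refusing $tarball: unexpected archive layout" >&2
        return 1
    }
    # --no-same-owner: extracted files belong to the extracting user (root),
    # not to whatever uid is recorded in the archive.
    tar xzf "$tarball" -C "$prefix" --no-same-owner || return 1
    # -n: replace the existing link instead of creating one inside its target.
    ln -sfn "$top" "$prefix/$link"
}

# Usage, as root, matching the steps above:
#   install_versioned ~/thp-X.X.X.tar.gz /usr/local thp
```

Because the previous thp-X.X.X directory is left in place, rolling back an upgrade only requires pointing the 'thp' symlink at the old directory again.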



Edited June 28, 2003 2:07 am
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.