I want to configure a local honeypot to detect some attacks. To do this, I have installed honeyd on Ubuntu 12.04.4, which is installed on my VMware.

Here is my config file:

### Linux Suse 8.0 template
create suse80
set suse80 personality "Linux 2.4.7 (X86)"
set suse80 default tcp action filtered
set suse80 default udp action block
set suse80 default icmp action open
set suse80 uptime 79239
set suse80 droprate in 4
add suse80 tcp port 21 "sh scripts/unix/linux/suse8.0/proftpd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 22 "sh scripts/unix/linux/suse8.0/ssh.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 23 "sh scripts/unix/linux/suse8.0/telnetd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 25 "sh scripts/unix/linux/suse8.0/sendmail.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 79 "sh scripts/unix/linux/suse8.0/fingerd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 80 "sh scripts/unix/linux/suse8.0/apache.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 110 "sh scripts/unix/linux/suse8.0/qpop.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 111 "perl scripts/unix/general/rpc/bportmapd --proto tcp --host scripts/unix/general/rpc/hosts/debian --srcip $ipsrc --dstip $ipdst --srcport $srcport --dstport $dport --logfile /var/log/honeyd --logall"
add suse80 tcp port 143 "sh scripts/unix/linux/suse8.0/cyrus-imapd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 515 "sh scripts/unix/linux/suse8.0/lpd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 3128 "sh scripts/unix/linux/suse8.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 8080 "sh scripts/unix/linux/suse8.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 8081 "sh scripts/unix/linux/suse8.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse80 udp port 53 proxy 24.35.0.12:53
add suse80 udp port 111 "perl scripts/unix/general/rpc/bportmapd --proto udp --host scripts/unix/general/rpc/hosts/debian --srcip $ipsrc --dstip $ipdst --srcport $srcport --dstport $dport --logfile /var/log/honeyd --logall"
add suse80 udp port 161 "perl scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"
add suse80 udp port 514 "sh scripts/unix/linux/suse8.0/syslogd.sh $ipsrc $sport $ipdst $dport"
bind 192.168.1.201 suse80


### Suse7.0 computer
create suse70
set suse70 personality "Linux 2.2.12 - 2.2.19"
set suse70 default tcp action reset
set suse70 default udp action block
set suse70 default icmp action open
set suse70 uptime 97239
set suse70 droprate in 2
add suse70 tcp port 21 "sh scripts/unix/linux/suse7.0/proftpd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 22 "sh scripts/unix/linux/suse7.0/ssh.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 23 "sh scripts/unix/linux/suse7.0/telnetd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 25 "sh scripts/unix/linux/suse7.0/sendmail.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 79 "sh scripts/unix/linux/suse7.0/fingerd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 80 "sh scripts/unix/linux/suse7.0/apache.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 110 "sh scripts/unix/linux/suse7.0/qpop.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 143 "sh scripts/unix/linux/suse7.0/cyrus-imapd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 515 "sh scripts/unix/linux/suse7.0/lpd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 3128 "sh scripts/unix/linux/suse7.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 8080 "sh scripts/unix/linux/suse7.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 8081 "sh scripts/unix/linux/suse7.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse70 udp port 53 proxy 24.35.0.12:53
add suse70 udp port 161 "perl scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"
add suse70 udp port 514 "sh scripts/unix/linux/suse7.0/syslogd.sh $ipsrc $sport $ipdst $dport"
bind 192.168.1.202 suse70

The result of nmap (192.168.1.202) is as follows:

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-15 02:08 Iran Standard Time
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 02:08
Scanning 192.168.1.202 [4 ports]
Completed Ping Scan at 02:08, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:08
Completed Parallel DNS resolution of 1 host. at 02:08, 0.05s elapsed
Initiating SYN Stealth Scan at 02:08
Scanning 192.168.1.202 [65535 ports]
Discovered open port 110/tcp on 192.168.1.202
Discovered open port 23/tcp on 192.168.1.202
Discovered open port 21/tcp on 192.168.1.202
Discovered open port 8080/tcp on 192.168.1.202
Discovered open port 22/tcp on 192.168.1.202
Discovered open port 80/tcp on 192.168.1.202
Discovered open port 143/tcp on 192.168.1.202
Discovered open port 25/tcp on 192.168.1.202
Discovered open port 3128/tcp on 192.168.1.202
Discovered open port 8081/tcp on 192.168.1.202
Discovered open port 79/tcp on 192.168.1.202
Discovered open port 515/tcp on 192.168.1.202
Completed SYN Stealth Scan at 02:08, 12.59s elapsed (65535 total ports)
Initiating Service scan at 02:08
Scanning 12 services on 192.168.1.202
Completed Service scan at 02:08, 0.03s elapsed (12 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.202
Retrying OS detection (try #2) against 192.168.1.202
Initiating Traceroute at 02:08
Completed Traceroute at 02:08, 0.09s elapsed
Initiating Parallel DNS resolution of 1 host. at 02:08
Completed Parallel DNS resolution of 1 host. at 02:08, 13.00s elapsed
NSE: Script scanning 192.168.1.202.
Initiating NSE at 02:08
Completed NSE at 02:09, 5.02s elapsed
Nmap scan report for 192.168.1.202
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
Host is up (0.059s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
22/tcp open tcpwrapped
|_ssh-hostkey:
23/tcp open tcpwrapped
25/tcp open tcpwrapped
|_smtp-commands: Couldn't establish connection on port 25
79/tcp open tcpwrapped
|_finger: ERROR: Script execution failed (use -d to debug)
80/tcp open tcpwrapped
110/tcp open tcpwrapped
143/tcp open tcpwrapped
| imap-capabilities:
|_ ERROR: Failed to connect to server
515/tcp open tcpwrapped
3128/tcp open tcpwrapped
8080/tcp open tcpwrapped
8081/tcp open tcpwrapped
Aggressive OS guesses: Scientific Atlanta WebSTAR EPC2203 cable modem (86%), D-Link DPR-1260 print server; or DGL-4300, DGL-4500, DIR-615, DIR-625, DIR-628, DIR-655, or DIR-855 WAP (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 79.00 ms 192.168.1.202

NSE: Script Post-scanning.
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.34 seconds
Raw packets sent: 65614 (2.890MB) | Rcvd: 128417 (5.138MB)

It recognizes all open port services as tcpwrapped. Also, although ports 23, 80, and 21 are open, I couldn't establish telnet, HTTP, or FTP connections to it! What is the problem, and how can I fix it?
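
Nmap prints tcpwrapped when the TCP handshake completes but the peer closes the connection before sending any data. The following is an added example, not part of the original post and not honeyd's own tooling: it cross-references the tcpwrapped rows of an nmap report with the `add ... "command"` lines of a config in the format above and checks whether each referenced script is readable. It assumes that an emulation script honeyd cannot start produces this symptom and that relative script paths resolve against the directory honeyd was started from; the function names and sample strings are constructed.

```python
import os
import re

# add <template> <tcp|udp> port <n> "<command>" (space before the quote optional)
ADD_RE = re.compile(r'^add\s+(\S+)\s+(tcp|udp)\s+port\s+(\d+)\s*"([^"]*)"')
# nmap table rows such as: 21/tcp open tcpwrapped
WRAPPED_RE = re.compile(r'^(\d+)/(tcp|udp)\s+open\s+tcpwrapped\b')

def parse_services(config_text):
    """Map (template, proto, port) to the script path of each script-backed port."""
    services = {}
    for line in config_text.splitlines():
        m = ADD_RE.match(line.strip())
        if not m or not m.group(4).split():
            continue  # create/set/bind lines, proxy ports, comments
        template, proto, port, command = m.groups()
        words = command.split()
        # "sh <script> args" or "perl <script> args": the script is the second word
        script = words[1] if words[0] in ("sh", "perl") and len(words) > 1 else words[0]
        services[(template, proto, int(port))] = script
    return services

def tcpwrapped_ports(nmap_text):
    """Return the set of (proto, port) that nmap listed as open tcpwrapped."""
    hits = (WRAPPED_RE.match(line.strip()) for line in nmap_text.splitlines())
    return {(m.group(2), int(m.group(1))) for m in hits if m}

def diagnose(config_text, nmap_text, template, base_dir):
    """List (port, script, status) for every tcpwrapped port of one template."""
    services = parse_services(config_text)
    report = []
    for proto, port in sorted(tcpwrapped_ports(nmap_text)):
        script = services.get((template, proto, port))
        if script is None:
            status = "no script configured"
        elif os.access(os.path.join(base_dir, script), os.R_OK):
            status = "script readable"
        else:
            status = "script missing or unreadable"
        report.append((port, script, status))
    return report

# Constructed sample: three lines in the page's config format, three nmap rows.
SAMPLE_CONF = '''add suse70 tcp port 21 "sh scripts/unix/linux/suse7.0/proftpd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 80 "sh scripts/unix/linux/suse7.0/apache.sh $ipsrc $sport $ipdst $dport"
add suse70 udp port 53 proxy 24.35.0.12:53'''
SAMPLE_NMAP = "21/tcp open tcpwrapped\n80/tcp open tcpwrapped\n9999/tcp open tcpwrapped"

if __name__ == "__main__":
    print(*diagnose(SAMPLE_CONF, SAMPLE_NMAP, "suse70", os.getcwd()), sep="\n")
```

Pass the directory honeyd is launched from as `base_dir`; a port reported as "script missing or unreadable" is the first place to look.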
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)