
Create a simple honeypot with Debian and Nepenthes


We all know how important it is to run a firewall; whether it be the default Windows firewall, third-party software, or a hardware firewall on your network gateway, you would be mad to connect to the Internet without at least one! The 'survival time' is the amount of time an unprotected machine will last before it's infected with malware; it's shocking to see that this survival time is generally no more than 90 minutes! Almost all of these malware infections are the result of self-propagating worms and viruses spreading themselves around using known vulnerabilities.

I wanted to see for myself just how quickly a machine would be infected, how it would be infected, and how frequently it would be probed. Rather than putting a target machine openly on the Internet, I decided to use the Nepenthes malware collector. Nepenthes is a low-interaction honeypot which emulates known vulnerabilities and captures worms as they attempt to infect it. While the way that Nepenthes operates means that it won't detect attackers trying to exploit unknown vulnerabilities, it does allow us to detect new ways of exploiting known vulnerabilities.

For convenience, I chose to build my honeypot on a virtual machine; if you have a spare machine hanging around, then you may prefer to use that.

First of all I grabbed a copy of the Debian-netinst image; this is only around 160MB. You could use the full Debian install disks but seeing as I'm not going to use X-windows it didn't seem worth downloading the larger file. I won't go over the basic installation and setup of Debian as the process is pretty self-explanatory.

Once the base install of Debian has finished, it would be a good idea to set a static IP address on the main network adaptor (eth0 in my case); to do this open up /etc/network/interfaces with nano:

# nano /etc/network/interfaces

Change the line:

iface eth0 inet dhcp

To:

iface eth0 inet static

Add the static IP information underneath that line:

address 192.168.0.240
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

Obviously you may want to adjust these to suit your own network; it's worth double checking /etc/resolv.conf to see that the correct DNS server is in place. Make the changes live with:

# /etc/init.d/networking restart
# ifup eth0

Now make sure the system is up to date:

# apt-get update
# apt-get upgrade

Remove the exim4 MTA, as it occupies port 25 and would stop the honeypot from listening there:

# apt-get remove exim4

And install Nepenthes with its associated dependencies:

# apt-get install nepenthes

Once Nepenthes is installed there is actually very little configuration to be done to get things up and running. First of all, open up /etc/nepenthes/nepenthes.conf and check that the following lines are not commented out:

    "submitfile.so"    "submit-file.conf"
    "submitnorman.so"    "submit-norman.conf"
    "logdownload.so"    "log-download.conf"

Also change replace_local_ips to 0.

Now check the configuration files named above; they are all found in the /etc/nepenthes directory.

Inside submit-file.conf, you will find the path to a directory in your filesystem. This is where downloaded malware will be stored.

Norman sandbox is an automated malware analyser. Enter a valid e-mail address in submit-norman.conf; malware captured by your honeypot will be submitted to the Norman analyser and reports on the analysis will be sent to this address.

The file log-download.conf specifies the location of log files that will list downloaded malware and malware submissions.

Now restart Nepenthes with the updated configuration (the installation may have started it with the default config):

# /etc/init.d/nepenthes restart

The last step very much depends on the router/firewall in use. In my case, I'm using a Netgear ADSL router; this allows me to set a DMZ destination. The router then passes all incoming traffic to this address if there is no other rule defined for that particular port. If your router does not have a DMZ feature, you can manually redirect incoming connections on interesting ports to the Nepenthes collector.
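Before exposing the machine, it is worth confirming that the configuration steps above actually took. The script below is an added example, not part of the original post or of the Nepenthes project: it checks that the three module lines are active, that replace_local_ips is 0, and that nothing still holds TCP/25 now that exim4 is gone. The module-line and replace_local_ips syntax it accepts is an assumption based on the snippet quoted above.

```shell
#!/bin/sh
# Added example, not from the original post: post-install sanity checks for a
# Nepenthes honeypot built as described above. The config syntax accepted here
# is an assumption based on the quoted snippet, not a full nepenthes.conf parser.

NEPENTHES_CONF="${NEPENTHES_CONF:-/etc/nepenthes/nepenthes.conf}"

# Succeeds when the module line for $2 (e.g. submitfile.so) appears in $1
# and is not commented out, i.e. the line starts with the quoted module name.
module_enabled() {
    _pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*\"$_pat\"" "$1" >/dev/null 2>&1
}

# Prints the value of replace_local_ips from $1; accepts `replace_local_ips 0`,
# `replace_local_ips "0";` and `replace_local_ips = 0`. Prints nothing if unset.
replace_local_ips_value() {
    sed -n 's/^[[:space:]]*replace_local_ips[[:space:]=]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}.*/\1/p' "$1" | head -n 1
}

# Checks one config file against the settings the post asks for. Returns 0
# when everything matches, 1 otherwise, listing each problem on stderr.
check_config() {
    _conf="$1"; _status=0
    for _m in submitfile.so submitnorman.so logdownload.so; do
        if ! module_enabled "$_conf" "$_m"; then
            echo "$_conf: module line for $_m missing or commented out" >&2
            _status=1
        fi
    done
    _v=$(replace_local_ips_value "$_conf")
    if [ "$_v" != "0" ]; then
        echo "$_conf: replace_local_ips is '${_v:-unset}', expected 0" >&2
        _status=1
    fi
    return $_status
}

# Succeeds when some process listens on TCP port $1 (column 4 of ss/netstat
# output is the local address:port). Confirms exim4 really released port 25.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then _lst="ss -ltn"; else _lst="netstat -ltn"; fi
    $_lst 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

# Run against the live system with: RUN_CHECKS=1 sh check_nepenthes.sh
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    check_config "$NEPENTHES_CONF" && echo "$NEPENTHES_CONF: OK"
    if port_in_use 25; then
        echo "TCP/25 is still taken; Nepenthes cannot listen there until it is freed" >&2
    fi
fi
```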

I must say that I found it quite alarming how quickly Nepenthes started to collect information about attempted break-ins and automated malware downloads! It's very interesting to see the large number of entries for 'Unknown DCOM Shellcode'. By far the most frequently seen piece of malware has been mssmpp.exe, which seems to be a derivative of the W32.IRCBot Trojan which has been hanging around since 2002; this Trojan will infect the host, which then becomes a member of a botnet. As previously discussed, these botnets are used for all sorts of underground activities, most frequently spamming, launching denial of service attacks, and online fraud.

Do you currently run any honeypots? I'd be interested to hear which software you have chosen to use and how you have deployed it.

32 comments
Shahrooz-Khan

Hi, what IP address did you set as the DMZ? Have you set 192.168.0.240 as the DMZ on your ADSL router, or 192.168.0.1? Thanks

darrenleecannon

Hi there, thanks for the tutorial on how to do this. I was attempting to set up the Honeywall one on VMware Workstation and Fedora 4 but have had massive problems with the Fedora 4 and VMware configuration that I have just given up. I would prefer not to use VMware; is it OK to just use a partitioned Debian dual boot? And do I need to have Debian virus protected? Thanks

GsyMoo

As I'm sure with many others here, I've been using Windows with a permanent connection to the Internet for years with no problems, using hardware and software firewalls, keeping Windows and AV up to date and not running in Administrator. Sure, I've had viruses in e-mails, been attacked on websites and the firewalls constantly log stuff, but none of my computers have been infected for several years now (although I do keep DVD backups of everything just in case). My nephew's computers on the other hand get infected with monotonous regularity. I set them up the same as my own, but this most recent time I have just finished cleaning one of their PCs of at least 14 types of virus. Trojans, worms, spyware, they had the lot. Their AV vault currently contains 124 infected files collected in the last 3 months, not including the stuff I weeded out with Smitrem, RogueRemover and all the rest. What do they do differently from me? When I checked they invariably have their PCs running in Admin and full of warez. They install anything that says it will get them free games and music. Apparently if you try and make something idiot proof then you will simply develop a better class of idiot!

Endoscopy

Many people think the computer is going out and asking for this. There have been several tests like this. A variety of computers are put on the Internet just sitting there and the results are very rapid. Today the computer just sitting there is attacked in seconds. I read one result where the first guy in protected the machine from everything else so he would have unfettered use of it. As time goes on the results get faster. No one is doing anything on these machines. They just don't have complete protection against the evil hackers out there. Never put a machine on the Internet until it is completely updated and has plenty of protection on it. Otherwise it will be attacked while you are trying to do this.

miksuh

"By far the most frequently seen piece of malware has been mssmpp.exe, which seems to be a derivative of the W32.IRCBot Trojan which has been hanging around since 2002; this Trojan will infect the host, which then becomes a member of a botnet." That trojan is for Windows, and it won't infect Debian or any other Linux system, so who cares :-) If you use Windows, you can be sure that your system will be infected sooner or later, most likely sooner. Just don't use Windows and your problem is solved :)

Sarahperez

No, you don't need to have Debian virus protected. A secondary virus scanner wouldn't really hurt; there are plenty of free AVs for Linux. Yes, it's possible to use it dual boot, but it's so much better to run it as the sole OS. Changing from Windows to Linux can seem a great hurdle, but there is plenty of documentation available on-line to help you take the plunge. If you really don't want to lose your Windows installation, Linux runs just fine on some older hardware, so see if you can find or dig up an old PC, like a Mac PowerPC with PPC architecture.

Oktet

What do they do differently from me? When I checked they invariably have their PCs running in Admin and full of warez. They install anything that says it will get them free games and music. Wow, I am surprised their computers are still running with warez. That's just asking for trouble on your computer. With all the worms/trojans and good stuff you get in addition to "free" software, I will pass. I like to keep my worms and trojans on a DVD-R and not on my hard drive, and paying is really not that bad compared to data loss or the time that it takes to remove those guys off the hard drive depending on their location.

Dumphrey

It's a bit of a puzzler really: do not go on the Internet until updated, but can't update until on the Internet..... (This was actually posed to me.) I had to explain the need to install the AV and firewall before connecting that Cat 5, and how a program going out to get an update was a little less risky than random web surfing, or even web surfing in general with the prevalence of exploits being injected into legit sites.

PasserDomesticus

A rather immature remark. No, I don't like Windows either, but if nearly 100% of computers run Linux 100% of malware will be written for Linux. So, in spite of all its good points, there is nothing inherently holy about Linux.

mrogers

Thinking this way will only get you into trouble, oh young grasshopper student dude! I have been working with computers for over ten years now and I have had many trials and tribulations for each and every different solution/issue/resolution/deployment/customer I have had. Sure, Linux hasn't had malware or worms made for it, but that will happen sooner or later when some idiot kid thinks he is "l33t" and wants to be "z3r0 c00l" and make a name for himself. (You may be a bit too young for this, but that comes from the movie "Hackers".) Unfortunately, if you are running a server farm with your employer explaining that the government agency (DoT for us) requires certain protocol and standards and works with "this" software that way and requires our production documents to "look" exactly this way and "do" exactly that, you don't have an option if the contract your company signed for $10 million requires you to run MS Exchange with SQL Server (application compatibility purposes) and MS SharePoint Portal Server. So.. Mr. "I know everything 'cuz I have no experience but I get A's in school"... Tell me, how do you do this in Linux? Oh, and if you did, how do you get all this stuff with an extremely high level of support and compatibility and still work only 8 hours a day? How in the hell can you get OWA on Linux and sync 1,000+ public folders from DoT's Exchange to your servers if they don't have MS Pr0ductz, yo?

Genera-nation

Never had a malware infection yet. Zippo, zilch! So you were saying....

halibut

I noticed you are a student; how long have you been working with computers? Enough said. I have been working with computers for about 20+ years, in IT for about 10 and IT security for about 4 years now, and I still realize how much I still need to learn. Just saying that Linux will cure all your security woes is just plain short sighted. The honeypot and Honeynet Project are purely for learning how to defend and what the primary attack vectors are to set up against first. Try reading the entire blog before commenting next time.

!demi!

I think you are missing the entire point of her post. Yes, this application runs on Linux, but that really has nothing to do with anything in the first place. You can run a honeypot on Linux that emulates a Windows machine; you can run a honeypot on a Windows OS and have it emulate a Linux box. The point is you are either gathering information or fooling hackers into thinking they are compromising a system in your network. Here is a good place to start reading about it, and they have many links to other projects and white papers. http://project.honeynet.org/tools/index.html

Nitrous19

Spoken like a true Linux user lol. I also wouldn't mind trying this on a Windows machine. What would be the best way to go about doing this? Grez

Jaqui

Really? They all only scan for viruses to protect Windows systems. And they are all the "enterprise" version of the commercially available AV products. [ ClamAV being the ONE exception to the expensive option ] There are no AV applications that look for viruses that could infest any OS but Windows.

Altiris_Grunt

To commenters who state, "I've used OS xyz for xx number of years without infection": in my mind, that sounds like a person who claims "I've never been sick a day in my life" only to discover they harbor an inoperable, incurable disease! Please believe me; I do not make my commentary as a joke, because I have lost family who said the same thing! As another poster has commented, ignorance is NOT bliss!

mrogers

By the way.. All of our servers are running MS Server 2003 R2, and have never had a hint of malware / spyware / viruses on them. Even after having 20 of our users infected one time because they all forwarded each other an infested e-mail. What it really comes down to is the user. If you can eliminate stupid users, you can eliminate viruses spreading. (Everybody in our office is a BA, BS, or PhD, and of everybody here, only 5% actually understand what malware or spyware is. This is SAD when it comes to e-mails.) They weren't trained on computers, they are all over-educated idiots.

Justin Fielding

I've been using Windows my entire computing life and have never been infected unless I had wanted to be; simple steps like not opening unknown attachments, keeping AV and Windows up-to-date and avoiding 'dodgy' software will all help you to keep your machine clean; it's common sense really. Unfortunately as network/system administrators we know that common sense doesn't come naturally to many people!

cmnetworx

Consider yourself lucky. Are you behind a hardware firewall, or some kind of router that isn't forwarding anything? I cannot imagine how you made it 12 years without any malware; I put my Windows 2000 machine on the Internet and it lasted maybe 12 minutes.

jpb

...to take a good look at your computer(s), and find out how many botnets it/they are members of, and how much crap is all over them without you being aware of it.

Dumphrey

that the term "rootkit" originated in Unix and, by association, Linux environments. Linux may not be prone to virus and malware outbreaks, but that's partly a matter of the choices being made by the coders. Linux is still vulnerable to overflows, DoS, escalation, blah, blah, blah, blah... Security in Linux is different, not less, than Windows. The trade-off is that you can get a "more secure" system, not a completely secure system. Anyway, thanks for pointing out the "linux rulez" error in security. I like Linux, I use Linux, but I am not brain dead...

rkuhn040172

Ignorant Windows users get infected. Educated ones don't. That is an easy concept now isn't it? Simply using Linux because it is "safe" is both ignorant and being unprepared. There will come a day with Linux's growing popularity that it too will have a Pearl Harbor. Something akin to MyDoom, Nimda, Code Red, Klez...take your pick. It's not a matter of if, it's a matter of when.

meryllogue

...but then you started knocking degrees and women. I REALLY was with you. Now I see you are of the same ilk as the original poster... you have your blinders and your sweeping generalizations.

burnite

mrogers certainly nailed it on the head about how the LARGER the degree, it seems, the less common sense they have. Also I have a lot of female users, and boy do they like their smiley sites and e-cards, sheesh. I should leave open the front door and let the crooks take the systems; it would be easier than having to recreate, or clone up, all the time. But it keeps me employed :)

Dumphrey

years problem free, but I have not had any virus or malware (not counting tracking cookies here) on my XP machine in 4 years. I have a hardware firewall, run a software firewall, and use up-to-date AV. I keep everything updated, oh, and do not run as an admin account for daily computing...funny how much that helps. Avoiding war3z and pr()n sites helps as well.

Genera-nation

but that would be the case no matter what OS I choose to run. It makes no difference to the equation then.

Nitrous19

Na, you ain't scared me off. I think you all took my last statement as if I thought Linux was the nuts. I agree there are some security differences between the 2 OSes, but like stated before, Linux isn't bullet proof. When a hacker writes a virus they want it to cause as much damage as possible, so it would make sense to attack the most popular operating system. Hence I think Microsoft has had more of the uphill struggle. I've been working with computers for approx 6 years and I agree with the way virus creators are adapting code and thinking of new ways to attack corporations and the home user; there is never going to be a time when you can sit in front of a computer and think ... I'm 100% safe. S'pose that's just LIFE :P Grez

Genera-nation

You (above) have all scared off another potential TR user. Well done. Hope you are all pleased with yourselves. I doubt they will return after your remarks.
