The Plan

The network setup for this project is fairly simple:

The bridge is completely transparent to the attacker - they have no knowledge that they are passing through this machine. Therefore, it makes for an excellent machine to carry out the network logging between the honeypot and the internet. I will use the OpenBSD 3.1 native packet filtering tool, pf, to allow all inbound connections to the honeypot and only allow outbound icmp echo requests, tcp 21 (FTP, active), tcp/udp 53 (DNS), tcp 80 (HTTP), and tcp 6667 (IRC). I take the previous measures to bring down my liability yet try not to raise suspicion from the attacker. The second logging facility on the bridge, pf being the first, will be Snort, a powerful sniffer and IDS. The third and final logging facility will be the trusty tcpdump. It will capture full packet dumps going to and from the ip of the honeypot. Data control from the honeypot is also controlled on the bridge. Refer the paper about data control for honeypots at The Honeynet Project. Thanks to the Brazil team of the Honeynet Research Alliance I can use a tool specifically developed for OpenBSD's pf for data control called sessionlimit. After compromise of the honeypot it will interact with pf in order to contain activity of the intruders. There is no way I can guarantee that the intruders will not indulge in malicious activity but I hope to limit that possibility with this tool. The interface on the bridge with the public ip will be used strictly for remote management purposes. This interface will be packet filtered to only allow SSH connections from specific ips and only allow outbound HTTP traffic to update Snort rules and email notification of said updated rules.

The Configuration

First I configured the OpenBSD bridge. When I refer to interfaces they are set up as follows - rl0 is the interface without an ip connected to the internet, rl1 is the interface without an ip connected to the honeypot, and rl2 is the interface with a public ip for remote management purposes connected to the internet.

Changes to /etc/rc.conf:

pf=YES portmap=NO inetd=NO ntpd=NO

net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of packets

# echo up > /etc/hostname.rl0

# echo up > /etc/hostname.rl1

# echo dhcp NONE NONE NONE > /etc/hostname.rl2

# echo add rl0 add rl1 up > /etc/bridgename.bridge0

# pf.conf ruleset # # to view the logfiles: # tcpdump -n -e -ttt -r /var/log/pflog # # to tail -f the logfile: # tcpdump -n -e -ttt -i pflog0 # VARIABLES # my mgmt interface. pf can interpret interface as an ip # very practical for dynamic ips mgmtif="rl2" # these interfaces do not have an ip stack outif="rl0" inif="rl1" # remote management ip addresses mgmtips ="{ x.x.x.x/32, x.x.x.x/32 }" # honeypot public ip honeypot ="x.x.x.x/32" # honeypot allowed TCP outbound services allowed_svcs_tcp="{ ftp, domain, www, ircd }" # honeypot allowed UDP outbound services allowed_svcs_udp="{ domain, bootps }" # http://www.iana.org/assignments/ipv4-address-space # http://rfc.net/rfc1918.html reserved ="{ 0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255 }" # SPOOFERS # don't allow spoofed reserved addresses block in quick on $outif from $reserved to any block out quick on $outif from $honeypot to $reserved # block and log outgoing packets that don't have honeypot address as source block out log quick on $outif from ! $honeypot to any # DEFAULT POLICY # filtering on the bridge will be done on the outside (rl0) interface # predetermined svc's from the honeypot will be allowed out individually block out log on $outif all # everything is allowed in to the honeypot pass in on $outif all keep state # only ssh will be allowed to the mgmt interface block in log on $mgmtif all # only smtp, domain, and http will be allowed out from the mgmt interface block out log on $mgmtif all # NOISE # noise from my cable modem segment that is silently dropped block in quick on $mgmtif inet from any to { 255.255.255.255, 224.0.0.1 } # HONEYPOT OUTBOUND CONNECTIONS pass out log quick on $outif inet proto tcp from $honeypot to any \ port $allowed_svcs_tcp flags S/SA keep state pass out log quick on $outif inet proto udp from $honeypot to any \ port $allowed_svcs_udp keep state pass out log quick on $outif inet proto icmp from $honeypot to any \ icmp-type 8 code 0 keep state # REMOTE MANAGEMENT CONNECTIONS pass in log quick on $mgmtif inet proto tcp from $mgmtips to $mgmtif \ port ssh keep state pass out quick on $mgmtif inet proto tcp from $mgmtif to any \ port { smtp, domain, http } flags S keep state pass out quick on $mgmtif inet proto udp from $mgmtif to any \ port domain keep state

0 15 * * * cd $HOME/oinkmaster-0.6 ; TMP=`mktemp /tmp/oinkmaster.XXXXX` && (./oinkmaster.pl -o $HOME/rules/ -q -c > $TMP 2>&1; if [ -s $TMP ]; then mail -s "Snort Oinkmaster Update `date +%m-%d-%Y`" me@foo.bar < $TMP; fi; rm $TMP)

# /usr/local/bin/sessionlimit -H x.x.x.x -i rl1 &

# sysctl -w net.inet.ip.forwarding=1

# ifconfig rl0 delete # ifconfig rl1 delete # brconfig bridge0 add rl0 add rl1 up # dhclient rl2

# ifconfig rl0 # ifconfig rl1 # ifconfig rl2 # brconfig bridge0

# pfctl -e # /sbin/pfctl -R /etc/pf.conf

# /home/snort/snort-1.9.0/src/snort -i rl1 -deq -h x.x.x.x/32 -l /home/snort/log -c /home/snort/rules/snort.conf -D

# tcpdump -i rl1 -n -s 1500 -C 2 -w /var/log/tcpdump/tcpdump.log host x.x.x.x &

#!/bin/sh # snort, tcpdump, sessionlimit startup for honeypot SNORT=/home/snort/snort-1.9.0/src/snort CONFIG=/home/snort/rules-1.9.0/snort.conf SNORTLOG=/home/snort/log TCPDUMP=/usr/local/bin/tcpdump TCPDUMPLOG=/var/log/tcpdump/tcpdump.log SESSIONLIMIT=/usr/local/bin/sessionlimit if [ -n "$1" ]; then ip=$1 else echo -n "Usage: `basename $0` (honeypot ip)\n" exit fi if [ -x $SNORT ]; then echo -n " Snort starting...\n" $SNORT -i rl1 -g snort -u snort -deq -h $ip/32 \ -l $SNORTLOG -c $CONFIG -D >/dev/null 2>&1 fi if [ -x $TCPDUMP ]; then echo -n " Tcpdump starting...\n" $TCPDUMP -i rl1 -n -s 1500 -C 2 -w $TCPDUMPLOG host $ip & \ >/dev/null 2>&1 fi if [ -x $SESSIONLIMIT ]; then echo -n " Sessionlimit starting...\n" /usr/local/bin/sessionlimit -H $ip -i rl1 & \ >/dev/null 2>&1 fi

The OS I chose for my first honeypot is OpenBSD 3.1 vanilla. There isn't much to explain here - just install the OS and connect the honeypot to the bridge. With everything up and humming along now, all I have to do is sit back and wait for someone to take the bait. I have ssh access to the bridge's management interface so I can log in from my management ip's and look at the alert file in /home/snort/log/alert. I actually created a quick and dirty script in the ~snort directory to see a summary of attacks:

#!/bin/sh grep -v 'spp' ~snort/log/alert | grep '\[\*\*\]' | sort | uniq -c

# ./summary 9 [**] [1:1227:4] X11 outbound client connection detected [**] 3 [**] [1:1394:3] SHELLCODE x86 NOOP [**] 5 [**] [1:1418:2] SNMP request tcp [**] 4 [**] [1:1420:2] SNMP trap tcp [**] 4 [**] [1:1421:2] SNMP AgentX/tcp request [**] 1 [**] [1:1810:1] MISC Successful Gobbles SSH exploit [**] 1 [**] [1:1812:1] MISC Gobbles SSH exploit attempt [**] 1 [**] [1:249:1] DDOS mstream client to handler [**] 5 [**] [1:469:1] ICMP PING NMAP [**] 7 [**] [1:474:1] ICMP superscan echo [**] 1 [**] [1:498:3] ATTACK RESPONSES id check returned root [**] 1 [**] [1:587:2] RPC portmap request status [**] 1 [**] [1:598:5] RPC portmap listing [**] 9 [**] [1:618:2] SCAN Squid Proxy attempt [**] 3 [**] [1:628:1] SCAN nmap TCP [**]

Conclusion

This complete setup, which included getting the right hardware together, took me a few hours here and a few hours there over the course of a weekend. I am using old hardware - a Pentium 133MHz for the OpenBSD bridge and a Pentium 166MHz as the honeypot. After my setup was up and running smoothly I was overall pretty pleased with the honeynet design I had chosen, both in its simplicity and elegance.

To Do

Run Snort under DJB's daemontools. chroot() Snort. chroot() and run as non-root tcpdump.