Russell Handorf

How-To Easily Deploy Honeypots for Production Networks

When discussing honeypots, security folks typically think of the researchers out there who are doing their best to track the shadow networks that plague the Internet. Their deployments aim to attract attention and keep attackers interested, on the principle of being "the lower hanging fruit." To accomplish this goal, their deployment structures have been based on the following:

Step 1 : Create Honeypot

Step 2 : ???

Step 3 : Catch bad guys!

Because of this vague approach, security professionals who are not directly involved with these efforts have treated honeypots as hobbies from which they can glean new malware to tinker with later. Rarely has a honeypot been considered as a tool for constructive intrusion and anomaly detection. I feel that, with the right deployment strategy, a honeypot can become one of your best tools to complement your security suite.

When choosing a honeypot for your production network, you need to evaluate it like any other tool that you review. How easy is it to maintain? How much does it cost? Does it integrate with my existing suite? Because most of these tools were written for research, they tend to have a high maintenance burden, can cost quite a bit of time and resources to support, and will not integrate into your security suite. However, one open source project stands out far ahead of the plethora of other choices: Nepenthes.

Nepenthes is an open source honeypot project that makes the deployment and management of monitoring nodes a quick and easy project. It opens ports and allows the user to configure a "dialogue" on those specified ports to mimic known services. Nepenthes also logs all connections to those ports, and if nasty-ware is sent, it will keep a copy for your review and analysis later. There are no worries or concerns about "the honeypot getting infected and blasting the Internet with malware", as all the services are faked and it does not execute that code (it can run an analysis of it, but I'll let you read more about that on the project's website). Finally, for any event that occurs, Nepenthes can communicate with a syslog server or analysis engine for event aggregation and review.

Your installation will consist of a Linux host. If you want to do this the easy way, I would suggest using Debian or a Debian-based distribution. After you have Debian Linux installed, simply enter apt-get install nepenthes. This will install a pre-built version of Nepenthes and start the Nepenthes service. To confirm that it is running, you can execute lsof | grep nepenthes and you should see a list of open ports with Nepenthes bound to them. By default, all of the events that will be logged are in /var/log/nepenthes, and any binaries that are captured are in /var/lib/nepenthes/binaries. This is how the stand-alone system is created by default, but in order to tie it into your syslog security event manager you'll need to build Nepenthes from source and download the syslog module.

1. Download Nepenthes source from one of the mirrors at: http://sourceforge.net/project/showfiles.php?group_id=137598

2. Download “log-syslog” module from:

http://zero.ram.rwth-aachen.de/nepenthes/log-syslog-20060512.tar.gz.

3. Extract the archive files for Nepenthes and log-syslog in your home directory

4. Move “log-syslog” into the Nepenthes modules directory

cd ~/nepenthes-0.2.2/modules/

mv ~/log-syslog .

5. Edit modules/Makefile.am and add log-syslog to the end of the SUBDIRS variable, on the second line, which also has log-download log-irc. When edited, it should read

log-download log-irc log-syslog \

6. Edit configure.ac in the nepenthes root directory and add modules/log-syslog/Makefile to the AC_CONFIG_FILES variable at the end of the file

7. While still in the ~/nepenthes-0.2.2 directory, execute autoreconf -v -i --force

8. Providing there are no errors (check for typos!), simply execute ./configure ; make ; make install and you should be set! (Of course, provided you have all the necessary libraries installed first.)

9. The last thing you may want to change is where the event logs are sent. Edit your /etc/nepenthes/log-syslog.conf file to point to the right syslog host.
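As an added example (not from the original post or the Nepenthes project), the following script automates steps 4 through 6 above, wiring log-syslog into a Nepenthes source tree with idempotent edits and a check after each one. The source path NEPENTHES_SRC, the assumption that the module tarball was unpacked at ~/log-syslog, and the multi-line AC_CONFIG_FILES layout it edits are assumptions; verify the result before running autoreconf.

```shell
#!/bin/sh
# Added example, not from the original post: wires the log-syslog module into a
# Nepenthes source tree (steps 4-6 above). NEPENTHES_SRC is an assumed path.
set -eu
NEPENTHES_SRC="${NEPENTHES_SRC:-$HOME/nepenthes-0.2.2}"

# Step 5: append log-syslog to the SUBDIRS line that ends "log-download log-irc \"
add_subdir() {                         # $1 = modules/Makefile.am
    grep -q 'log-syslog' "$1" && return 0          # already wired in, nothing to do
    awk '/log-download[ \t]+log-irc[ \t]*\\$/ {
             sub(/[ \t]*\\$/, ""); $0 = $0 " log-syslog \\" } { print }' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
    grep -q 'log-irc log-syslog \\$' "$1"          # fail loudly if the line was not found
}

# Step 6: add modules/log-syslog/Makefile just before the "])" closing AC_CONFIG_FILES
add_config_file() {                    # $1 = configure.ac
    grep -q 'modules/log-syslog/Makefile' "$1" && return 0
    awk 'BEGIN { inside = 0 }
         /AC_CONFIG_FILES/ { inside = 1 }
         inside && /\]\)/ { sub(/\]\)/, "\n\tmodules/log-syslog/Makefile])"); inside = 0 }
         { print }' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
    grep -q 'modules/log-syslog/Makefile' "$1"
}

# Steps 4-6 together; the module directory is assumed to be at ~/log-syslog if not yet moved
wire_module() {                        # $1 = Nepenthes source root
    [ -d "$1/modules" ] || { echo "no modules/ directory under $1" >&2; return 1; }
    [ -d "$1/modules/log-syslog" ] || mv "$HOME/log-syslog" "$1/modules/"
    add_subdir "$1/modules/Makefile.am"
    add_config_file "$1/configure.ac"
    echo "log-syslog wired in; next: cd $1 && autoreconf -v -i --force && ./configure && make"
}

if [ "${1:-}" = "--run" ]; then
    wire_module "$NEPENTHES_SRC"
fi
```

Run it as sh wire-log-syslog.sh --run after steps 1 to 3; a second run is a no-op, so it is safe to re-run after fixing a typo.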

Where this solution deviates from the typical honeypot deployment is placement. The place to deploy them for the most value is on the inside of your network, and if you put them in your DMZ(s), block Internet access to them (no need to add more noise). When deploying these same technologies on the inside, you'll find the zero-days that your antivirus is missing, or employees doing something they are not permitted to do. Keep in mind that the strategy is to have a sensor whose alarms are as close to 100% true positives as possible: if a system is deployed and no one is supposed to be using it, any activity can be construed as malicious.

So there it is, in a nutshell. For all intents and purposes, that’s our “Step 2.” Using this open source, easy to deploy and manage honeypot that can be integrated into our security suites, we can add one more valuable tripwire.

More Information:

Nepenthes : http://nepenthes.mwcollect.org
