Honeynet Installation Guide (Huong Dan Cai Dat Honeynet)


  • 7/21/2019 Huong Dan Cai Dat Honeynet

    Figure 1. General Architecture

    1- Configure Honeywall:

    Booting Up

    1. Start the Honeywall Virtual Machine and boot it with the Honeywall CDROM. The boot loader with The Honeynet Project splash screen should appear. At this point the system will go into a pause, letting you interact with the installation process. If you press the Enter button, the system will overwrite the existing hard drive and begin the installation process.

    Hit Enter to install.

    Once the installation begins it is a fully automated process; there is no need to interact with the installation from this point on.

    After the installation is complete, the system will automatically reboot. When it reboots, alter the boot order (to hard drive first, then CD) or take the CDROM out to prevent another install cycle from beginning. After the system reboots, your installation is complete and you will be presented with a command line login prompt. Your hard drive now has a minimized and hardened Fedora Core operating system with Honeywall functionality. At this point you can login and begin the standard configuration process. The Honeywall comes with two default system accounts, roo and root. Both share the same default password honey, which you will want to change right away. You cannot login as root, so you will have to login as roo and then su -.

    2. First Login Message

    When you login to the Honeywall for the first time, it gives an alert saying that your Honeywall is not yet configured and recommends using the Honeywall Configuration option on the main menu. Select OK to proceed.

    3- Honeywall Configuration: The Main Menu allows you to go through the Honeywall Configuration. Select the Honeywall Configuration option from the Main Menu and hit Enter.

    4- Limitation of Liability Message

    The Limitation of Liability message appears before proceeding with the installation. There are risks involved in Honeynet as well as Virtual Honeynet deployment. As we are deploying a Virtual Honeynet, there can be risks involved in it. If an attacker is able to compromise the operating system on which the virtualization software is running, he would be able to control the whole system. Secondly, if an attacker compromises the system in your Virtual Honeynet, he may be able to detect that the system is running in a virtual environment. You might want to try the VMware Fingerprinting Counter Measure tool developed by the French Honeynet Project, which makes VMware detection difficult by modifying the device names, PCI vendor, and device ID. You can reference the "Know Your Enemy: Honeynets" paper for learning more about the risks. Read and click Yes for the acknowledgement.

    http://www.securityfocus.com/archive/119/349385
    http://honeynet.rstack.org/tools/vmpatch.c
    http://honeynet.rstack.org/
    http://www.honeynet.org/papers/honeynet/

    5- Initial Setup Method

    The Initial Setup Method menu allows you to select the installation method. It provides three methods for configuring the Honeywall: Floppy, Defaults, and Interview.

    Floppy method fetches the Honeywall configuration (honeywall.conf) from the floppy disk. This method is used for deploying a large number of Honeywalls faster.

    Defaults method restores the Honeywall to the factory default configuration. This uses the default honeywall.conf configuration file that comes with the system.

    Interview method asks you a series of questions for configuring the Honeywall. If you are configuring the Honeywall for the first time, it is recommended to use this option.

    Select Interview and hit Enter.

    http://www.honeynet.org/tools/cdrom/roo/manual/txt/honeywall.conf

    Read the Initial Setup message and hit Enter to proceed.

    6- Honeynet Public IP Addresses: Type the public IP addresses for the honeypots. These are the IP addresses which attackers will attack. Hit Enter to proceed.

    Type the Honeynet network in CIDR (Classless Inter-Domain Routing) notation. Hit Enter to proceed.

    Type the broadcast address for the honeypots' public IP addresses. Hit Enter to proceed.

    7- Select OK to proceed with configuring remote management.

    8- Management Interface: The third interface will be used for remote management. You will be able to remotely manage your Honeywall through SSH and the Walleye web interface.

    Select Yes to configure the management interface.

    Honeywall will automatically detect eth2 as the management interface. Hit Enter to proceed.

    Type the IP address of the management interface and hit Enter.

    Type the network mask of the management interface IP and hit Enter.

    Type the default gateway for the management interface IP and hit Enter.

    Type the DNS domain for the management IP and hit Enter.

    Type the IP addresses of the DNS server that the management interface will use and hit Enter.

    Select Yes to activate the management interface.

    Select Yes to start the management interface on next boot.

    9- Configure SSH: Select Yes to configure SSH.

    Type the port on which you want SSHD to listen and hit Enter. By default it listens on port 22.

    Type in the user name you want to remotely login with. Hit Enter.

    Select Yes to change the new user's password.

    Type in the new password and hit Enter. It will ask you to enter it again for confirmation.

    Hit Enter to proceed.

    Select Yes to change root's password.

    Type in the new password and hit Enter. It will ask you to enter it again for confirmation.

    Hit Enter to proceed.

    The SSHD autostart option lets you enable or disable automatic startup of SSHD at boot. Select Yes to enable SSH at startup and hit Enter.

    Enter a space delimited list of IP addresses or networks that can access the management interface. It is recommended to allow specific trusted IP addresses for managing the Honeywall. Type the IP address and hit Enter.

    Select Yes to enable Walleye Web

    Restrict the firewall from making any outbound connections. Select Yes and hit Enter.

    Specifically enter the TCP ports you want to allow for outbound connections from the management interface. Type the ports and hit Enter.

    Enter the UDP ports you want to allow for outbound connections from the management interface. Type the ports and hit Enter.

    10- Select OK to proceed with configuring outbound control limits.

    11- Configure Outbound Connection Limits

    As you know, typically we allow anything inbound to the honeypots, but limit outbound connections. The connection limiting menu lets you set the limit for outbound connections, so that once a limit has been met for outbound connections, all further attempts are blocked, preventing the compromised honeypot from harming other systems. The connection limiting option gives you five scales for limiting outbound connections.

    Second - per second time scale will be applied on the connection limit.
    Minute - per minute time scale will be applied on the connection limit.
    Hour - per hour time scale will be applied on the connection limit.
    Day - per day time scale will be applied on the connection limit.
    Month - per month time scale will be applied on the connection limit.

    For example, if you set the TCP limit to a certain number of outbound connections per hour, this will allow an attacker to make that many TCP outbound connections in an hour. Once this limit is reached, he won't be able to make any more connections. The limit will be reset after an hour. Type the scale and hit Enter.
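    To make the fixed-window counting rule described above concrete, here is an added example (it is not part of the original guide and not Honeywall code) that simulates the outbound limit over a constructed trace of connection attempts from one honeypot. The trace, the window lengths in seconds and the function names are assumptions made for this example; the real Honeywall enforces its limits in the firewall, this script only reproduces the counting rule the guide describes (allow up to the limit, block the rest, reset when the next time window starts).

```shell
#!/bin/sh
# Constructed trace of outbound connection attempts from one honeypot, one per
# line: "<seconds since start> <protocol>". Made-up data for this example, not
# real Honeywall output.
SAMPLE_ATTEMPTS='0 TCP
10 TCP
20 TCP
30 TCP
40 UDP
50 TCP
3700 TCP
3710 TCP'

# limit_outbound LIMIT WINDOW_SECONDS PROTO
# Reads attempts on stdin and prints one decision per line. Counting uses a
# fixed window, as the guide describes: LIMIT attempts per window are allowed,
# anything beyond that is blocked, and the counter resets when the next window
# begins. Scale to seconds: Second=1, Minute=60, Hour=3600, Day=86400 (Month is
# left out here because its length varies).
limit_outbound() {
    awk -v limit="$1" -v window="$2" -v proto="$3" '
        $2 != proto { print $1, $2, "ALLOW (other protocol, separate limit)"; next }
        {
            w = int($1 / window)                 # which window this attempt falls in
            if (w != cur) { cur = w; count = 0 } # new window: the counter resets
            count++
            if (count > limit) print $1, $2, "BLOCK"
            else               print $1, $2, "ALLOW"
        }'
}

# blocked_count LIMIT WINDOW_SECONDS -> how many TCP attempts in the sample
# trace the limit would block.
blocked_count() {
    printf '%s\n' "$SAMPLE_ATTEMPTS" | limit_outbound "$1" "$2" TCP | grep -c BLOCK
}

# Usage: show what a limit of 3 TCP connections per hour does to the sample.
printf '%s\n' "$SAMPLE_ATTEMPTS" | limit_outbound 3 3600 TCP
```

    With a limit of 3 per hour, the fourth and fifth TCP attempts in the first hour are blocked, the UDP attempt is untouched because each protocol has its own limit, and the two attempts after the hour boundary are allowed again because the counter has reset.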

    Enter the limit for TCP outbound connections and hit Enter.

    Type the limit for UDP outbound connections and hit Enter.

    Type the limit for ICMP outbound connections and hit Enter.

    Type the limit for other protocols' outbound connections and hit Enter.

    12- Configure Snort Inline: Snort Inline lets you drop, reject, and replace known attacks.

    Select Yes to configure the firewall to send packets to snort inline and hit Enter.

    Select the action you want snort inline to take on packets that match the rules. Select Drop and hit Enter.

    13- Configure Filtering: Honeywall offers various packet filtering features, which provide further data control capabilities.

    Black list - Drops IP addresses and CIDR blocks without logging.
    White list - Allows IP addresses and CIDR blocks without logging.
    Fence list - Protects IP addresses and CIDR blocks from any honeypots getting access to them.
    Roach motel - Disallows all outbound traffic from honeypots.

    Type the name of the file containing the blacklist and hit Enter.

    Type the name of the file containing the whitelist and hit Enter.

    Select Yes to enable Black list and White list filtering and hit Enter.

    Type the name of the file containing the fence list and hit Enter.

    Let's not enable the Fence list for now. Select No to disable Fence list filtering and hit Enter.

    Let's not enable Roach motel either. Select No to disable Roach motel mode blocking and hit Enter.

    14- Select OK to proceed with configuring the DNS activity of honeypots.

    15- Configure Honeypots DNS Activity: DNS limiting lets you configure the DNS access for your honeypots. You wouldn't want your honeypots to make unlimited DNS connections anywhere.

    Let's allow honeypots to have unlimited DNS access. Select Yes and hit Enter.

    Let's not restrict specific honeypots to having unlimited access to an external DNS server. Select No and hit Enter.

    But let's restrict honeypots to having unlimited access only to specific external DNS servers. Select Yes and hit Enter.

    Type the DNS servers to which you want honeypots to have unlimited access. Select Yes and hit Enter.

    16- Select OK to proceed with configuring remote alerting.

    17- Configure Remote Alerting: Email alerts will notify you when someone breaks into your honeypots.

    Select Yes to enable email alerts and hit Enter.

    Enter an email address to receive alerts and hit Enter.

    Select Yes to enable alerting to start automatically at boot and hit Enter.

    18- Configure Sebek Variables

    Sebek is a data capture tool designed to capture the attacker's activities on a honeypot. It has two components. The first is a client that runs on the honeypots; its purpose is to capture all of the attacker's activities (keystrokes, file uploads, passwords) and then covertly send the data to the server. The second component is the server, which collects the data from the honeypots. The server normally runs on the Honeywall gateway. The new

    Select Accept and Log and hit Enter.

    19- Finishing Up: Enter the hostname of your Honeywall and hit Enter.

    Congratulations! You have just finished the Honeywall setup. Select OK to reboot the system.

    You will see the Honeywall loading various services.

    Once the services are loaded, the configuration menu will appear.

    20- Maintaining the Honeywall (Important)

    After the Honeywall is installed, the key issue is to maintain it properly. The new Honeywall gives you three options for configuring and maintaining your installation.

    Dialog Menu - It is the classic interface for administering the Honeywall CDROM. The new version is very similar to the older one, except it has new features added. We have already configured our Honeywall using the Dialog Menu in the previous steps. It can be loaded by typing menu on the shell.

    menu

    HWCTL - It is a powerful command line utility that allows you to configure the system variables used by various programs, and the ability to start/stop services. The advantage with this tool is you can simply modify the behavior of the system at the command line via local or SSH access. Following are some examples taken from the man file.

    Show all variables currently set, in NAME=VALUE form:

    hwctl -a

    Just print on standard output the value of HwHOSTNAME:

    hwctl -n HwHOSTNAME

    Set all four connection rate limits and restart any services that depend on these variables:

    hwctl -r HwTCPRATE=20 HwUDPRATE=10 HwICMPRATE=30 HwOTHERRATE=10

    Load a complete new set of variables from /etc/honeywall.conf and force a stop before changing values, and a start afterwards:

    hwctl -R -f /etc/honeywall.conf
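    Because hwctl -R -f replaces the whole variable set and restarts services, it is worth checking a hand-edited file before loading it. The following shell functions are an added illustration (not from the guide and not part of the Honeywall manual or its tools): they read a honeywall.conf-style file the way hwctl -n reads a single variable, and refuse a file in which any of the four outbound rate limits is missing or not a number. The file format assumed here (one HwNAME=VALUE per line, # comments) and the sample values are constructed for this example; the variable names HwHOSTNAME, HwTCPRATE, HwUDPRATE, HwICMPRATE and HwOTHERRATE are the ones the guide uses.

```shell
#!/bin/sh
# Constructed honeywall.conf-style fragment (assumed format: one HwNAME=VALUE
# per line, '#' comments allowed). Sample values only, not a real deployment.
SAMPLE_CONF='# constructed sample for this example
HwHOSTNAME=roo-lab
HwTCPRATE=20
HwUDPRATE=10
HwICMPRATE=30
HwOTHERRATE=abc'

# get_var FILE NAME -> prints the value of NAME (last definition wins),
# the same information "hwctl -n NAME" prints for the running system.
get_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_rate_limits FILE -> prints one line per rate variable and returns 1 if
# any of the four outbound limits is missing or not a non-negative integer,
# so a broken file is caught before "hwctl -R -f FILE" pushes it into the
# running Honeywall.
check_rate_limits() {
    status=0
    for name in HwTCPRATE HwUDPRATE HwICMPRATE HwOTHERRATE; do
        value=$(get_var "$1" "$name")
        case "$value" in
            ''|*[!0-9]*) echo "$name: INVALID ('$value')"; status=1 ;;
            *)           echo "$name: ok ($value per scale)" ;;
        esac
    done
    return $status
}

# write_sample_conf -> writes the sample to a temp file and prints its path,
# so the functions above can be exercised offline.
write_sample_conf() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$f"
    printf '%s' "$f"
}

# Usage: the sample has a non-numeric HwOTHERRATE, so this reports INVALID.
conf=$(write_sample_conf)
check_rate_limits "$conf" || echo "refusing to load $conf"
rm -f "$conf"
```

    A real honeywall.conf may quote values or carry more variables than these four; extend the check to whatever variables your deployment depends on before trusting it as a gate.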

    Walleye - It is the web based GUI interface called Walleye. The honeywall runs a webserver that can be connected to remotely on the management interface. This GUI allows the user to configure and maintain the system using a simple point and click approach. It has an expanding menu making it easy to access and visualize all the information. It also comes with more in-depth explanations of the different options. It also has different roles, allowing organizations to control who can access what through the GUI depending on the role they have been assigned. The primary advantage of Walleye is that it is much easier to use than the other two options. The disadvantage is that it cannot be used locally, but requires a 3rd network interface on the honeywall used for remote connections. The web-based GUI currently supports either Internet Explorer or Firefox browsers.

    Let's launch the browser and point it to the management interface IP address, https://managementip.

    Login with User Name: roo and Password: honey.

    When you login to Walleye for the first time, it will ask you to change the password.

    The Data Analysis interface will be displayed after you have successfully logged in.

    The System Admin interface lets you manage your Honeywall through the Web.

    2- Installing and configuring Sebek. Installing on the Honeypots. a. Installation

    We install the Sebek client on the honeypots in order to monitor the attacker's actions on each honeypot.

    Installing the Sebek client on the WINDOWS operating system: download the file Sebek-Win32-3.0.4.zip

    - Extract the file and run the installer Setup.exe

    - After the installation finishes, configure it through the Configuration Wizard.exe

    Installing the Sebek client on the LINUX operating system (Red Hat 9.0): download the file sebek-linux-3.0.3.tar.gz

    - Run the installation process:

    tar -xzf sebek-linux-3.0.3.tar.gz
    cd sebek-linux-3.0.3

    ./configure
    make
    make install

    - The build produces the file sebek-linux-3.0.3-bin.tar; continue the installation:

    tar -xf sebek-linux-3.0.3-bin.tar
    cd sebek-linux-3.0.3-bin

    - To start the installation, run the shell script sbk_install.sh:

    ./sbk_install.sh

    Note: before running the sbk_install.sh shell script we must edit the contents of this file according to the installation parameters for the Sebek client.

    - Configuration. Below are some basic parameters used to configure the Sebek client. * Configuration on Linux:

    #----- sets destination IP for sebek packets
    DESTINATION_IP=
    This address must match the address declared for Sebek when configuring the Honeywall.

    #----- sets destination MAC addr for sebek packets
    DESTINATION_MAC=
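    Since sbk_install.sh is edited by hand and the note above requires DESTINATION_IP to match the Sebek destination configured on the Honeywall (step 18), here is an added pre-flight check, written for this guide and not part of Sebek or the Honeywall: it extracts DESTINATION_IP and DESTINATION_MAC from a constructed sbk_install.sh-style fragment, validates their format and compares the IP with the expected Honeywall value. The sample fragment, the expected address (a documentation address) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed fragment in the style of the sbk_install.sh variables shown above.
# The values are placeholders for this example (the MAC is deliberately one
# digit short), not a real deployment.
SAMPLE_SBK='#----- sets destination IP for sebek packets
DESTINATION_IP="192.0.2.1"
#----- sets destination MAC addr for sebek packets
DESTINATION_MAC="00:11:22:33:44:5"'

# Sebek destination as configured on the Honeywall in step 18 (assumed value,
# constructed for the example).
HONEYWALL_SEBEK_IP="192.0.2.1"

# sbk_var FILE NAME -> value of NAME with surrounding double quotes removed
# (last definition wins, matching what the shell would do when sourcing it).
sbk_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# check_sbk_dest FILE EXPECTED_IP -> returns 0 only if DESTINATION_IP is a
# dotted-quad IPv4 address equal to EXPECTED_IP and DESTINATION_MAC is six
# colon-separated hex pairs; every problem found is reported on stdout.
check_sbk_dest() {
    ip=$(sbk_var "$1" DESTINATION_IP)
    mac=$(sbk_var "$1" DESTINATION_MAC)
    ok=0
    if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "DESTINATION_IP '$ip' is not a dotted-quad IPv4 address"; ok=1
    elif [ "$ip" != "$2" ]; then
        echo "DESTINATION_IP '$ip' does not match the Sebek destination '$2' configured on the Honeywall"; ok=1
    fi
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
        echo "DESTINATION_MAC '$mac' is not a valid MAC address"; ok=1
    fi
    if [ "$ok" -eq 0 ]; then
        echo "sbk_install.sh destination settings are consistent with the Honeywall"
    fi
    return "$ok"
}

# Usage: run the check against the sample; it flags the malformed MAC.
sample=$(mktemp)
printf '%s\n' "$SAMPLE_SBK" > "$sample"
check_sbk_dest "$sample" "$HONEYWALL_SEBEK_IP" || echo "fix sbk_install.sh before running it"
rm -f "$sample"
```

    Run the same check against the real sbk_install.sh on each honeypot before executing it; a client that sends its captures to the wrong destination silently loses the data the honeynet exists to collect.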

    * Configuration on Windows:

    Figure 2.11- Configuring the Sebek Client on Windows