I am aware of the Pakistani project - and I read it before I posted here ;)
One of the things that probably confused me more than anything was their
diagrams or rather screenshots. They showed vmware settings, the same way as
I have them - first network card bridged, second bridged, third was host
only. With honeywall's automatic setup this meant that eth0 and eth1 both
were "bridges" with no IP, and a host only for remote management access ...

According to your words I simply changed the settings in vmware now, making
the second network card entry to host only (so that the inner side of the
bridge points to host only), and the third one to bridged - finally I was
able to access my remote management ;-)

Due to the host only address though the honeypot is not able to access the
internet currently (host only being in the 192.168.40.0/24, the host and
remote interface being in 192.168.2.0/24). Do I really have to use ICS to
allow the host only network to access the internet? Or would it be possible
to set both - eth1 of the honeywall and the honeypots themselves to bridged
mode?

You said that the IP/Subnet of the honeypots should be like the same of the
network the wall is connected to - that'd mean the host I take. This would
require the honeypot being in the subnet 192.168.2.0/24 - which would not
match the "host only" anymore.

As for the malicious traffic: as soon as I have the wall running properly
I'll switch my NAT router to modem only functionality, using dial up for
access internet - that way I might be able to get some unwanted pings ... or
so I hope :)

Another stupid question: What IP do I have to set the "sebek server" to? the
IP for the remote interface (192.168.2.20)? Eth0 and eth1 do not have an IP,
yet - as far as I understood, the daemon for logging works on the wall.

Concerning the PATH issue: I am running roo-1.0.hw-189.iso. Neither roo (you
can't login with root) nor root set the PATH properly for me. I have to do it
manually so far with the export command.

thanks already in advance. I know it's some rather dull and boring questions
...

Sid
> --- Original Message ---
> From: george chamales <george (at) overt (dot) org [email concealed]>
> To: Sid <TheSid (at) gmx (dot) net [email concealed]>
> Cc: honeypots (at) securityfocus (dot) com [email concealed]
> Subject: Re: Honeynet behind DSL router
> Date: Mon, 1 May 2006 09:13:58 -0400
>
> Sid,
>
> The Pakistan Honeynet Project has a good paper on how to set up a
> virtual honeynet in VMware. Take a look at their diagrams:
>
> http://www.honeynet.org.pk/honeywall/roo/
>
> There's a good chance that the problem that you're seeing with CPU usage
> in VMware is the result of a misconfiguration of your VM's network
> interfaces rather than a problem with the Honeywall CDROM.
>
> When I set up the honeywall and honeypots in VMWare I place the internal
> interface of the honeywall and the interface of the honeypot on a
> "Custom: Specific Virtual Network" typically vmnet1 (to correspond to
> eth1 on the honeywall).
>
> The external interface of your honeywall should be bridged, to connect
> it to the same network as the machine you are running VMware on. The
> management interface should also be bridged and configured with an IP
> for the network the machine running VMware is connected to.
>
> Are you setting this up as a testing environment on your local, private
> lan? If you are setting up your honeynet behind a router that performs
> network address translation you probably won't see very much malicious
> traffic.
>
> Regarding the menu window not showing up in the PATH. Are you running
> as root? Which version of the honeywall are you using, the version
> number is listed on the name of the ISO you used to install.
>
> As far as ICS on Win XP. You should use the same IP information
> (gateway, DNS, IP address/netmask) as the network that your honeywall is
> connected to. If your local address space is using 192.168.2/24 then
> 192.168.2.128 should work just fine. Be sure and set that IP address
> on the honeywall either through the menu interface or through walleye.
> The same goes for the IP address for the management interface. If you
> do not set these variables, the honeywall will block all traffic from
> these IP addresses.
>
> Best of luck,
> george
>
>
> On Mon, May 01, 2006 at 12:45:51PM +0200, Sid wrote:
> > Hello,
> >
> > I tried to set up a virtual honeynet with the honeywall roo, but faced some
> > troubles in the end - sadly. The wall most likely quits working when loading
> > the HAL it seems, at least my CPU usage goes up to 100 % for quite a long
> > while.. until I decide to either disconnect one bridge or shut off the
> > virtual guest system.
> >
> > So I take it's probably some misconfiguration within the wall. I am
> > connected to internet with a DSL router. Behind there is a windows xp host
> > (I know, Linux might be better choice, but it should work with windows too I
> > hope ;-) ). Guest systems are the honeywall + several honeypots.
> >
> > The IP of the router is 192.168.2.1 . The host is 192.168.2.128 . The host
> > only IP address of vmware is 192.168.2.40.
> >
> > That's the currently given IP settings. The honeypot I set to IP
> > 192.168.2.20 ... which would be the "honeynet subnet", the public ip address
> > for the honeypots (the actual IP I get from the ISP or the internal private
> > addresses ?) Does it have to be host only or bridged? And will the honeywall
> > be able to log all information?
> >
> > I tried to set up the management interface too, set it to 192.168.2.41 - and
> > allowed the 40, 41 and 128 to it. I never was able to access the ssh
> > interface though. I start to feel stupid ;-)
> >
> > The issue with the "menu" not popping up after the installation is also
> > known to me. Occurs with the newest roo it seems. The PATH is not being set
> > correctly.
> > export PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin helps.. but I wonder why
> > it does not correctly work with the settings in the /etc/profile. There it
> > should do the pathmunge already ...
> >
> > Ah.. to come to an end with my tons of questions:
> > Do I need to set up ICS on my LAN card of winxp? the dial-in to the ISP is
> > done by the router ...
> >
> > Thanks for all the help in advance :)
[ reply ]
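
An added example, not part of the original thread: a small check of the addressing plan discussed above, where eth0/eth1 form an IP-less bridge, honeypots sit with eth1 on their own virtual network, and honeypot and management addresses come from the LAN and are declared on the honeywall. All field names are hypothetical, and the honeypot addresses 192.168.40.10 and 192.168.2.50 are constructed for illustration.

```python
import ipaddress

def check_plan(plan):
    """Return problems in a honeywall addressing plan (empty list = consistent)."""
    lan = ipaddress.ip_network(plan["lan"])
    nics, problems = plan["nics"], []
    # eth0/eth1 form an IP-less layer-2 bridge, so honeypots keep LAN addressing.
    for name, hp in plan["honeypots"].items():
        if ipaddress.ip_address(hp["ip"]) not in lan:
            problems.append(f"{name}: {hp['ip']} is outside {lan}")
        if hp["gateway"] != plan["gateway"]:
            problems.append(f"{name}: gateway {hp['gateway']} is not the LAN gateway")
        if hp["vnet"] != nics["eth1"]:
            problems.append(f"{name}: not on the virtual network of eth1")
        if hp["vnet"] == nics["eth0"]:
            problems.append(f"{name}: shares a segment with eth0, bypassing the bridge")
        if hp["ip"] not in plan["declared_honeypots"]:
            problems.append(f"{name}: {hp['ip']} not declared on the honeywall")
    if nics["eth0"] == nics["eth1"]:
        problems.append("eth0 and eth1 sit on the same segment (bridge loop)")
    if ipaddress.ip_address(plan["mgmt_ip"]) not in lan:
        problems.append(f"management IP {plan['mgmt_ip']} is outside {lan}")
    # Router, host, management NIC and honeypots each need a distinct address.
    used = [plan["gateway"], plan["host_ip"], plan["mgmt_ip"]]
    used += [hp["ip"] for hp in plan["honeypots"].values()]
    for addr in sorted({a for a in used if used.count(a) > 1}):
        problems.append(f"address {addr} is assigned more than once")
    return problems

# Constructed plans; LAN, router, host and management addresses are from the thread.
BASE = {"lan": "192.168.2.0/24", "gateway": "192.168.2.1", "host_ip": "192.168.2.128",
        "mgmt_ip": "192.168.2.20",
        "nics": {"eth0": "bridged", "eth1": "vmnet1", "eth2": "bridged"}}
# Honeypot addressed from the host-only range and never declared on the honeywall.
BROKEN = dict(BASE, declared_honeypots=[], honeypots={
    "hp1": {"ip": "192.168.40.10", "gateway": "192.168.40.1", "vnet": "vmnet1"}})
# Same segment, but LAN addressing and declared on the honeywall.
FIXED = dict(BASE, declared_honeypots=["192.168.2.50"], honeypots={
    "hp1": {"ip": "192.168.2.50", "gateway": "192.168.2.1", "vnet": "vmnet1"}})

if __name__ == "__main__":
    for label, plan in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_plan(plan) or "consistent")
```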