Honeypots
Running Honeyd on interface IP Jul 22 2009 09:10AM
Evgeniy Arbatov (arbatovevgeniy gmail com)
Hello,

I have a question concerning the configuration of Honeyd IP address.

I want to make my honeypot visible by the IP address of host computer interface.
I have the following setup, within the same physical host:

1.1.1.1 (interface IP)-> 2.2.2.2 (honeyd IP)

So if I ssh to the honeyd, I want to ssh to 1.1.1.1.

I guess this is something that can be done with iptables, for example like this:

iptables -A FORWARD -s 1.1.1.1 -p tcp --dport 22 -d 2.2.2.2 -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -j ACCEPT

I also add a route for 2.2.2.2 to be accessible from loopback:
route add -host 2.2.2.2 lo

Then I enable IP forwarding in /etc/sysctl.conf:
net.ipv4.ip_forward = 1

And in the configuration for Honeyd I say:
add sshhost tcp port 22 "./ssh.sh"
bind 2.2.2.2 sshhost

Finally, I run my Honeyd like this, binding it to my Loopback:
honeyd -d -l /tmp/honeypot/packet.log -f smtp.conf -i lo

But I am still unable to access port 22 of my honeypot. What can be missing?

I am running honeyd-1.5b. This is what I get by running Honeyd in the
debug mode:

honeyd[3388]: listening on lo: ip
honeyd[3388]: Demoting process privileges to uid 99, gid 99
honeyd[3388]: rrdtool returning errors - restarting.
honeyd[3388]: Respawing rrdtool too quickly
honeyd[3388]: Connection request: tcp (1.1.1.1:40805 - 1.1.1.1:22)
honeyd[3388]: Killing attempted connection: tcp (1.1.1.1:22 - 1.1.1.1:40805)
honeyd[3388]: Connection dropped by reset: tcp (1.1.1.1:40805 - 1.1.1.1:22)
honeyd[3388]: rrdtool returning errors - restarting.
honeyd[3388]: Respawing rrdtool too quickly

Thank you!

Regards,
Evgeniy

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus