分类: LINUX
2007-11-18 23:23:54
Know Your Enemy: Learning with User-Mode Linux
Building Virutal Honeynets using UML.
Last Modified: 20 December, 2002
认识你的敌人: 以使用者- 模态 Linux
建筑 Virutal Honeynets 使用 UML
Honeynet 计划
http://
Honeynets can be difficult to configure and resource intensive to deploy, requiring a variety of technologies and systems. Many users or organization that want to research Honeynets may not have the resources for deployments. Therefore, this paper will focus on building a Honeynet using a single computer and free, OpenSource software. This will be accomplished by building a , using the OpenSource solutions User-Mode Linux (often called UML) and IPTables. The format of this is paper is a HOWTO, it will describe step by step how to build a Honeynet on a single computer and then discuss one method of deploying Honeynet Data Control and Data Capture. This paper assumes you have already read and understand the concepts in and the paper . This paper will not go into detail on how to deploy advance Honeynet technologies. That will come later in the future paper Know Your Enemy: GenII Honeynet . Instead, this paper will cover in detail how to build a Honeynet testing environment using basic Honeynet technologies. If this is the first time you have ever built or deployed a Honeynet, we HIGHLY recommend that you first deploy this in a lab or test environment. You have been warned.
Honeynets 可能对配置是困难的和资源强烈的展开,需要多种技术和系统。 许多使用者或研究 Honeynets 的组织为配置可能没有资源。 因此,这一张纸将会把重心集中在建筑 Honeynet 使用一部单一计算机和自由的,OpenSource 软件。 这藉由建筑虚拟的 Honeynet ,使用 OpenSource 解决使用者- 模态 Linux(时常叫做 UML) 和 IPTables 将会是完成的。 格式这是纸是 HOWTO,它将会一步一步地描述该如何展开 Honeynet 数据控制和数据抓取建立在一部单一计算机上的 Honeynet 然后讨论一个方法。 这一张纸承担你已经读而且 KYE 的观念: Honeynets 和报纸 KYE: 虚拟的 Honeynets。 这一张纸将不进入关于该如何展开进步 Honeynet 技术的细节。 那未来稍后将会来纸认识你的敌人: GenII Honeynet。 改为,这一张纸将会详细地包括该如何建立 Honeynet 测试的环境使用基本的 Honeynet 技术。 如果这曾经是第一次你已经建造或展开 Honeynet,我们高度地推荐你在一个中心或测试环境中最初展开这。 你已经被。
Plan of Attack
This paper is broken down into five parts. In the first part we will describe what UML is, how it works, and how to install and configure it. In the second part, we describe how to create a network of multiple systems on your single computer, including all network issues. In the third part we describe how to implement Data Control on your UML Honeynet using IPTables. In the fourth part we describe how to implement Data Capture using Snort. Finally, in the fifth part, we describe how to test your setup.
攻击的计划
这一张纸进入五个部份之内被故障。 在第一个部份中我们将会描述 UML 是什么,它工作的方式, 和该如何安装并且配置它。 在第二个部份中,我们描述该如何产生在你的单一计算机上的多样系统的一个网络, 包括所有的网络议题。 在第三的部份中我们描述该如何实现在你的 UML Honeynet 上的数据控制使用 IPTables 。 在第四个部份中我们描述该如何实现数据抓取使用鼻息。 最后,在第五个部份中,我们描述该如何测试你的装备。
Part I: User Mode Linux
User-Mode Linux is an OpenSource solution that creates a virtual Machine. Created and maintained by Jeff Dike, you can find it at . UML allows you to run multiple instances of Linux on the same system at the same time. This capability is similar to the commercial solution , however UML is currently limited to Linux. UML is designed for a variety of purposes, such as kernel debugging, testing applications, etc. We are going to use this capability to run a Honeynet on a single computer, specifically a single gateway with one honeypot behind it. For this purpose of this paper, we will explain how to install and run UML on a Red Hat 7.3 system. We will use the same terminology used in VMware software, specifically the Host system is the original operating system running on the box. Any and all additional operating systems added (the virtual operating systems) will be called Guest systems. To visualize this deployment, refer to in the KYE: Virtual Honeynets paper.
Part I: 使用者模态 Linux
使用者- 模态 Linux 是产生一部虚拟的机器 OpenSource 解决。 产生而且被杰夫堤防维护,你能在 http:// user-模态-linux.sourceforge.net 找它。 UML 允许你同时跑在相同的系统上的 Linux 的多样例证。 这一个能力与商业的解决 VMware 类似,然而 UML 现在被限制到 Linux 。 UML 被设计来作多种目的, 像是核心除错,测试申请等。我们将要使用这一个能力跑在一部单一计算机上的 Honeynet, 明确地和在它后面的 honeypot 的单一出入口。 对于这一张纸的这一个目的,我们将会该如何安装并且跑在一个红色的帽子 7.3 系统上的 UML 。 我们将会使用被用于 VMware 软件的相同用辞,明确地主人系统是最初的操作在盒子上的系统赛跑。 任何的和所有的附加操作被增加 (虚拟的操作系统) 的系统将会被称为客人系统。 使这一个配置看得见,在 KYE 中提及图 1: 虚拟的 Honeynets 纸。
Unlike VMware, UML does not require any additional virtualization software. Instead, you patch the source of the Linux kernel you want to run as your Guest OS. This UML patch converts the kernel into a executable binary called 'linux', which allows the Guest kernel to run on your system as a seperate operating system. When you run this UML patched kernel, all you need to do is give it a filesystem to use, and you now have a independent Linux system running on your computer, two for the price of one! This new kernel is a userspace application running on the real kernel (Host OS). The UML kernel receives system calls from its applications and sends/requests them to the Host kernel. There are also additional management and networking UML tools you can install on the computer that makes your life easier.
不像 VMware , UML 不需要任何的附加 virtualization 软件。 改为,你补缀你跑如你的客人操作系统的 Linux 核心的来源。这 UML 片把核心转换成被称为 'linux' 的可运行的二进,允许客人核心涉及你的系统如 seperate 操作系统。当你跑这被补缀核心的 UML 的时候,你做的全部是给予它 filesystem 使用 , 和你现在让一个独立的 Linux 系统流动的在你计算机上 , 二作为一的价格! 这个新的核心是在真正的核心上的 userspace 申请赛跑。 (主人操作系统) UML 核心接受来自它的申请系统呼叫而且送/ 请求他们到主人核心。 也有附加的管理而且网络 UML 用工具工作你能在使你的生活更容易的计算机上安装。
Some of the most exciting features that have recently been added to UML are designed specifically for honeypots. These capabilities signifigantly improve our UML Honeynet. We will highlight three of these capabilities below, however you can find the technical details and HOWTO at .
一些最近已经被增加到 UML 的最令人兴奋的特征被明确地为 honeypots 设计。 这些能力 signifigantly 改良我们的 UML Honeynet 。 我们将会在下面加亮这些能力中的三个,然而你能找在 http:// user-模态-linux.sf.net/honeypots.html 的技术上的细节和 HOWTO 。
To build and install UML we will use a prebuilt rpm. RPM is a package manager for Red Hat Linux, allowing us to simply install entire packages of software. The UML package will do two things for us. First, it installs a prebuilt kernel with the UML patch, this is installed as the executable binary 'linux'. This will allow us to run a seperate Linux kernel. In addition, this package contains all of the UML utilities. You can download all UML binaries and source code from the . Below is the command used to install a prebuilt UML rpm for a 2.4.19 kernel. You can then see what files and utilities it installs.
建立并且安装我们决意的 UML 使用一个 prebuilt 转/每分。 RPM 是红色的帽子 Linux 的包裹,允许我们只是安装软件的整个包裹。 UML 包裹将会为我们做二件事物。 首先,它用 UML 片安装一个 prebuilt 核心,这被安装如可运行的二进 'linux' 。 这将会允许我们跑一个 seperate Linux 核心。 除此之外,这一个包裹包含所有的 UML 公用程序。 你能下载从 UML 下载位置来的所有 UML 二进和原始码。 在下面是指令过去一直为一个 2.4.19 核心安装一个 prebuilt UML 转/每分。 你然后能申请的东西和它安装的公用程序。
host #rpm -ivh user_mode_linux- 2.4.19 .5um-0.i386.rpm
host #rpm -ql user_mode_linux- 2.4.19 .5um-0.i386
/usr/bin/jailtest
/usr/bin/linux <- executable binary that is really the UML kernel, the Guest OS
/usr/bin/tunctl
/usr/bin/uml_mconsole
/usr/bin/uml_moo
/usr/bin/uml_net
/usr/bin/uml_switch
/usr/lib/uml/config
/usr/lib/uml/modules-2.2.tar
/usr/lib/uml/modules-2.4.tar
/usr/lib/uml/port-helper
Thats it! By installing this RPM you have accomplished two things. First, you have installed the executable kernel (/usr/bin/linux), this is our Guest kernel. Second, you have installed various UML utilities. If you want to run any additional kernels at the same time, you only have to download the prebuilt UML kernels, or use the UML patch on kernel source code. (** NOTE: Based on our testing, it appears the RPM uml version 2.4.19 -5 can only handle running one running kernel at a time. If you want to run multiple kernels, you will have to download the latest UML kernel patch.)
那藉由安装这 RPM 你有完成的二件事物。 首先,你已经安装可运行的核心 (/usr//linux),这是我们的客人核心。 其次,你已经安装各种不同的 UML 公用程序。 如果你同时跑任何的附加核心,你只必须下载 prebuilt UML 核心, 或使用 UML 在核心原始码上的片。 基于我们的测试, 它只出现 RPM uml 2.4.19 版-5 能处理赛跑一次一个流动的核心。 如果你跑多样的核心,你将会必须下载最近的 UML 核心片)。
Okay, there is only one step left for our Guest kernel, a file system. What good is having another kernel when there is no file system for an attacker to interact with? Once again, we go to the and find pre-built filesystem images. Or if you prefer, you can simply build your own taking a dd(1) image of an existing file system. For the purpose of this HOWTO, we install and use the RedHat 7.2 server file system image (65 MB in compressed size). We have modified this file system to include the binaries telnet(1), vi(1), and pico(1). Once you have downloaded the image, you are ready to go, no configuration involved. To start your new Guest operating system, you simply uncompress the downloaded filesystem image, then startup your linux binary using the filesystem. The command would look like:
host #gzip -d root_fs.rh-7.2-server.pristine.20021012.gz
host #linux ubd0=root_fs.rh-7.2-server.pristine.20021012 eth0=tuntap,,,192.168.0.254
好, 剩下只有步骤为我们的客人核心,一个文件系统。 善行正在有另外的一个核心什么当为一个攻击者互相影响没有文件系统由于? 再一次,我们去 UML 下载位置而且找预先建造 filesystem 图像。 或如果你,你能只是建立你自己的带 dd(1) 一个已存在的文件系统的图像。 为了这 HOWTO ,我们安装并且使用 RedHat 7.2 伺候器文件系统图像。 (被压缩的大小 65个万位元组) 我们已经修正这一个文件系统包括二进远端登入 (1) , vi(1) 和微微。 (1) 一经你已经下载图像,你准备好去,积极参与的没有结构。 为了要开始你的新客人操作系统,你只是不压缩被下载的 filesystem 图像, 然后启始你的 linux 二进位的使用 filesystem。 指令会看起来像:
host #gzip -d root_fs.rh-7.2-server.pristine.20021012.gz
host #linux ubd0=root_fs.rh-7.2-server.pristine.20021012 eth0=tuntap,,,192.168.0.254
When you execute the 'linux' command, you should see in your terminal a new . You should hopefully end up with a login prompt. Just login with the user 'root' and the password 'root' giving you access to the operating system. Congrats, you did it! Now, lets explain what you just did, and where to go from here.
当你运行 'linux' 指令的时候,你应该以你的终端机口吻新的操作系统向上踢。 你应该有希望地以一个登录提示作为结束。 和使用者 '根' 和密码 '根' 给的正直登录你存取到那个操作系统。 祝贺,你做了它! 现在, 让你刚刚做的, 和该哪里从在这里去。
Part II: Setting up the Network
Okay, now that you are running two operating systems, the next step is to get the Guest OS, our honeypot, to route through our gateway and out to the Internet. This means, if anyone wants to talk to our Guest OS, they first have to go through the Host. You may not realize it, but you have already setup all the issues involved. Refer to the last command above we executed, where we launched the command 'linux', specifically the part eth0=tuntap,,,192.168.0.254 . This command does two things. First, it creates a new logical interface on the Host system called tap0. This logical interface is now the gateway interface for the Guest OS, our honeypot. The IP address of the tap0 interface, and the default gateway of the Guest OS, is 192.168.0.254. The only thing that will be different for you is the IP address of eth0 on your Host system, this will vary depending on whatever you configured it as. In the case of our example, it will be 192.168.1.1. To confirm your setup, on the Host OS run the command:
Part II: 建立网络
好, 既然你正在跑二操作系统, 下一个步骤要拿客人操作系统,我们的 honeypot, 定路线过我们的出入口和在外到英特网。 这意谓,如果任何人和我们的客人操作系统说话,他们首先必须穿过主人。 你不可能它,但是你已经让装备所有的议题积极参与的。 提到到最后命令在我们运行,在我们发射了指令 'linux' 的地方上面, 明确地 part eth0=tuntap,,,192.168.0.254. 这一个指令做二件事物。 首先,它产生在主人系统上的一个新的合乎逻辑的接口叫做了 tap0。 这个合乎逻辑的接口现在是为客人操作系统出入口接口,我们的 honeypot。 tap0 接口的 IP 住址 , 和假设值客人操作系统的出入口,是 192.168.0.254 。将会对你是不同的唯一事物是在你的主人系统上的 eth0 的 IP 住址, 这将会改变仰赖无论什么你配置它当做。 在我们的例子情况,它将会是 192.168.1.1 。 确定你的装备,在主人操作系统上跑指令:
host #ifconfig -a
The eth0 part of the command creates the interface eth0 on the Guest OS, telling it the interface logically routes through tap0 on the Host system. The only thing we have left is to give the eth0 on our Guest OS an IP address on interface eth0. This is already done on our pre-built file systems. In the case of our pre-built RedHat 7.2 server, its IP address on eth0 is 192.168.0.144. If you want to change any of the configurations on the Guest RedHat server, you simply make those modifications like you would on any other system. To confirm this setup, run on the Guest OS the commands:
指令的 eth0 部份产生在客人操作系统上的接口 eth0, 告诉它接口合乎逻辑地定路线过在主人系统上的 tap0。 我们已经留下的唯一事物要给在我们的客人操作系统上的 eth0 在接口 eth0 上的一个 IP 住址。 这已经在我们的文件系统上被做。 在我们的预先建造 RedHat 7.2 伺候器的情况,在 eth0 上的它 IP 住址是 192.168.0.144 。 如果你改变在客人 RedHat 伺候器上的任何一个结构, 你只是作像你一样的那些修正会在任何其他的系统上。 确定这一种装备,涉及客人操作系统指令:
guest #ifconfig -a
guest #netstat -nr
For a better idea of what your virtual network now looks like, refer .
The next step is to confirm that the Guest system can talk to and route through the gateway. This means you want to first ping the IP address of the default gateway, in this case 192.168.0.254. This is in reality interface tap0 on the Host system. Once you confirm that you can ping the internal interface, attempt to ping the external interface of Host system (most likely the IP address bound to eth0). This ensure that you are also routing through the Host system. If ping did not work, ensure you are not running a firewall on the Host, and double check your network setting on the Host and Guest operating system. To confirm this setup, on the Guest OS run the commands:
对于你的虚拟网络现在看起来像的一个较好的概念,提及图 2.
下一个步骤要确定客人系统能到和经过出入口的路径。 这意谓你首先咻地假设值出入口的 IP 住址,在这一个情形 192.168.0.254 中. 这在主人系统上的真实接口 tap0 中。 一经你确定你能咻地内在的接口, 尝试咻地外部主人系统的接口.(很有可能 IP 住址约束的到 eth0) 这确定你也是经过主人系统工作路线排定。 如果子弹飞过空中的声音不工作, 确定你不在跑在主人上的一个防火墙, 而且加倍检查你的网络在主人和客人操作系统上设定。 确定这一种装备,在客人操作系统上跑指令:
guest #ping 192.168.0.254
guest #ping (external IP of Host OS, interface eth0)
Part III: Data Control
Once you have setup the UML and networking, the next step is Data Control. The purpose of Data Control is to contain what the attacker can do inbound and outbound of the Honeynet. Typically, we allow anything inbound to the Honeynet systems, but limit outbound connections. For the purpose of this paper, we will use IPTables, an OpenSource firewall solution that comes with Linux. IPTables is a highly flexible stateful firewall, including the ability for connection limiting, network address translation, logging, and many other features. We will configure IPTables to act as a filter on our Host, counting outbound packets. Once a limit has been met for outbound connections, all further attempts are blocked, preventing the compromised honeypot from harming other systems. Configuring and implementing these capabilities can be extremely complex. However, the Honeynet Project has develop an IPTables script called that does all the work for you. You merely have to modify the script variables as they apply to your Honeynet, then run the script.
Part III: 数据控制
一经你有装备 UML 而且网络,下一个步骤是数据控制。 数据控制的目的要包含攻击者能做的回内地的和 Honeynet 的出境。 典型地,我们允许对 Honeynet 系统 , 但是界限出境连接的回内地的东西。 为了这一张纸,我们将会使用 IPTables ,带 Linux 来的 OpenSource 防火墙解决。 IPTables 是一个高度地有柔性的 stateful 防火墙, 包括为连接极限,网络住址翻译,砍伐原木和多数其他的特征能力。 我们将会配置 IPTables 担任在我们的主人,计算出境储存器上的一个过滤器。 一经一个界限为出境连接已经被碰到,所有的进一步的尝试被阻塞,阻止被妥协处理的 honeypot 伤害其他的系统。 配置和实现这些能力可能是极端复杂。然而, Honeynet 计画有发展一个被称为为你做所有的工作 rc.firewall 的 IPTables 手写体。 当他们适用于你的 Honeynet 的时候 , 你只必须修变量,然后手写。
The first thing you have to decide is if you want your gateway to run in layer three routing mode, or layer two bridging mode. Layer two bridging (also known as GenII, or 2nd generation) is the prefered method. When your gateway is acting as a bridge, there is no routing or TTL decrement of packets, it acts as an invisible filtering device, making it much more difficult for attackers to detect. However, for IPTables to work in bridging mode, your kernel must be patched to support it. By default, most kernels do not support IPTables in bridging mode. Red Hat kernel 2.4.18 -3 is one of the few that does support this by default. If you want to patch your kernel to support this, you can find the patch at . For the purpose of this howto, we will assume your Kernel does NOT support IPTables in bridging mode. So we will describe how to build your virtual Honeynet with your gateway in routing mode using Network Address Translation.
如果你你的出入口在层三个工作路线排定模态 , 或层二个剪刀撑模态中跑,你必须决定的第一件事物是。 层二个剪刀撑 (也即是 GenII, 或第二代) 是被的方法。 当你的出入口正在当作一座桥用的时候,没有储存器的工作路线排定或 TTL 渐减,它担任一个看不见的过滤装置,为攻击者使它更加困难发现。 然而, 为 IPTables 在剪刀撑模态中工作,你的核心一定被补缀支援它。 预先设定地,最大多数的核心不支援剪刀撑模态的 IPTables 。 如果你补缀你的核心支援这,你为了这 howto 能在 http:// bridge.sourceforge.net/download.html. 找片, 我们将会承担你的核心不支援剪刀撑模态的 IPTables。 因此我们将会描述该如何用工作路线排定模态的你出入口建立你的虚拟 Honeynet 使用网络住址翻译。
Lets cover how to configure the script to implement this functionality. There are two critical areas to configure, the networking issues and control issues. For networking, we have to identify the IP addresses and the networks of the Host and Guest systems. If you are running in layer three routing mode, the script takes care of all Network Address Translation issues. If you are running in layer two bridging mode, the script takes care of all bridging issues. Remember, for the purpose of this paper we are using layer three routing. For control, we have to define how many outbound connections we allow from the Guest systems. There will be at least five variables that will be different on your system, and you will have to modify. Specifically,
让掩护该如何配置 rc.firewall 手写体实现这一个功能性。 有二个紧要关头的区域配置,那个网络议题和控制议题。 因为网络,我们必须识别主人和客人系统的 IP 住址和网络。 如果你正在层三个工作路线排定模态中跑,手写体照顾所有的网络住址翻译议题。 如果你正在层二个剪刀撑模态中跑,手写体照顾所有的剪刀撑议题。 ,为了我们正在使用层三个工作路线排定的这一张纸。 对于控制,我们必须定义我们从客人系统允许多少出境连接。 那里将会至少是五个变数以将会是不同的在你系统上,而且你将会必须修正。 明确地,
First, by default the script runs in layer two bridging mode. You will have to modify it to run in layer three routing mode.
# The MODE variable tells the script to #setup a bridge HoneyWall
# or a NATing HoneyWall.
MODE="nat"
#MODE="bridge"
Second, you will need to set the public IP address of the Guest OS. This is the external IP address you use for Network Address Translation. This is also the IP address hackers will use to attack your virtual honeypot. If you are using your gateway in bridging mode, this variable will also be used, however you give it the real IP's of the honeypots, as there is no address translation. PUBLIC_IP="192.168.1.144"
Third, you will need to configure the internal IP address of the honeypot. This is the real IP address of your Guest OS. This variable is not used if you are in bridging mode.
HPOT_IP="192.168.0.144"
Fourth, you will need to configure the external IP address of the Host OS. This is the external IP address of your firewall, your gateway. For our example, we use the following.
INET_IP="192.168.1.1"
Last, you will need to identify the name of the internal interface of the Host OS. By default, this is eth1. However, we are using the virtual interface tap0, and have to modify this variable.
LAN_IFACE="tap0"
第一, 预先设定地 rc.firewall 手写体层二个剪刀撑模态的奔跑。 你将会必须修正它在层三个工作路线排定模态中跑。
# The MODE variable tells the script to #setup a bridge HoneyWall
# or a NATing HoneyWall.
MODE="nat"
#MODE="bridge"
其次,你将会设定客人操作系统的公众 IP 住址。 这是外部你为网络住址翻译使用的 IP 住址。 这也是 IP 住址 hackers 将会使用攻击你的虚拟 honeypot。 如果你正在使用剪刀撑模态的你出入口,这一个变数也将会被用,然而你给它 honeypots 的真正 IP's, 当没有住址翻译之时。 PUBLIC_IP="192.168.1.144"
第三,你将会配置 honeypot 的内在 IP 住址。 这是你的客人操作系统的真正 IP 住址。 这一个变数不被用如果你是在剪刀撑模态中。
HPOT_IP="192.168.0.144"
第四的,你将会配置外部主人操作系统的 IP 住址。 这是外部你的防火墙的 IP 住址,你的出入口。 对于我们的例子,我们使用下列各项。
INET_IP="192.168.1.1"
最后,你将会识别主人操作系统的内在接口的名字。 预先设定地,这是 eth1 。 然而,我们正在使用虚拟的接口 tap0, 和必须修正这一个变数。
LAN_IFACE="tap0"
These are the minimum varaibles you have to modify, there may be others depending on the configuration of your system. There are other options you can update, such as remote management, limiting what connections the firewall can initiate, and giving your honepyots unrestricted DNS access. Also, by default, the script limits each honeypot the following outbound connections per hour; 9 TCP connections, 20 UDP connections, 50 ICMP connections, and 10 IP other. Details of the script are beyond the scope of this paper. To better understand these variables, we recommend you review the script in detail and try out the different options in a lab environment. Once you have configured the script, you implement it by executing the script.
host #/.rc.firewall
这些是最小量你必须修正的 varaibles,可能有其它仰赖你的系统结构。 有你能更新的其他选项,像是遥远的管理,限制什么连接防火墙能开始, 而且给你的 honepyots 无限制的 DNS 通路。 也,预先设定地 ,手写体极限每 honeypot 一小时下列各项出境连接;另外地的 9个传输控制协议连接, 20个 UDP 连接, 50个 ICMP 连接和 10 IP。 手写体的细节是超过这一张纸的范围。 为了要更这些变数, 我们推荐你详细地检讨手写体和出自中心环境的不同选项尝试。 一经你已经配置 rc.firewall 手写体,你藉由运行手写体实现它。
host #/.rc.firewall
To confirm you have successfully ran the script, there are two thing you want to check. First, ensure that address translation is working. You can confirm this if a new, logical interface has been added to the Host system. Second, review the IPTables rules.
Once confirmed, your Data Control is in place. There are also a variety of other tools for implementing Data Control. For example, you can incorporate the use of Snort-Inline to block or modify known attacks. This is done by taking advantage of the QUEUE option in the IPTable scripts. Other options include use of bandwidth throttling. However, these advance capabilities are beyond the scope of this paper. For additional options, check out .
确定你已经成功地跑手写体,有你检查的二件事物。 首先, 确定那住址翻译正在工作。 如果一个新的, 合乎逻辑的接口已经被增加到主人系统,你能确定这。 其次,检讨 IPTables 规则。
host #ifconfig -a
host #iptables -L -n
一次被证实的,你数据控制在适当的位置。 为实现数据控制也有多种其他的工具。 举例来说,你能合并鼻息- 线内的使用阻塞或修正已知的攻击。 这被藉由利用 IPTable 手写体的储列选项做。 其他的选项包括带宽阻塞的使用。 然而,这些进步能力是超过这一张纸的范围。 对于附加的选项, 检查 Honeynet 用工具工作区段。
Part IV: Data Capture
Once we have completed Data Control, the next step is Data Capture. The purpose of Data Capture is to capture all of the attacker's activity, without them knowing. There are a variety of methods to implement this, however we will focus on two, IPTable logs and Snort. IPTable logs are the logs generated by the firewall whenever there is an inbound or outbound connection. is an OpenSource IDS solution which we will use to capture all network activity. As we discussed earlier, UML also has the capabilities to capture all TTY activity from kernel space.
For IPTables, the logging has already been configured for us with the rc.firewall script. It is configured to log all new inbound and outbound connection to /var/log/messages. Any inbound connection is an indication of a probe, scan, or attack. Any outbound connection indicates that a honeypot has been compromised. The value of IPTable logs is one primarily for alerting. The logs do not have enough information to tell us what the attacker is doing. For Snort, we configure it to capture every packet and its full payload that enters or leaves the Honeynet. Linked here is a that will capture and log attacker activity.. You will find a that starts Snort and uses the recommended Snort config file. Be sure to update the startup script to monitor the tap0 interface of the Host OS. You will most likey want to run this script daily, running the script from cron.
host #./snort-start.sh
There are also a variety of other tools for implementing Data Capture which are beyond the scope of this paper, such as Sebek. For additional options, check out .
Part IV: 数据抓取
一经我们已经完成数据控制,下一个步骤是数据抓取。 数据抓取的目的要捕获所有的攻击者的活动,没有他们博学。 有多种方法实现这, 然而我们将会把重心集中在二,IPTable IPTable 圆木是被防火墙产生每当有的圆木一回内地的或出境连接。 是我们将会使用捕获所有的网络活动的 OpenSource 身份证解决。 当我们更早地讨论的时候,UML 也有能力捕获来自核心空间的所有 TTY 活动。
对于 IPTables ,砍伐原木已经为我们被 rc.firewall 手写体配置。 它配置成伐木全新的回内地的和出境的关联 /变容体/圆木/信息。 任何的回内地的连接是探查,扫描或攻击的指示。 任何的出境连接指出 honeypot 已经被妥协处理。 IPTable 的价值主要地为提醒是一。 没有充足的数据告诉我们攻击者正在做的。 我们配置它捕获每个储存器和它的进入,或留下 Honeynet 的完整负载量。 在这里联编是一个 config 文件以将会捕获并且攻击者活动。。 你将会找一个开始,而且使用的简单启始手写体那被推荐 config 文件。 确定更新启始手写体检测主人操作系统的 tap0 接口。 你意志最大多数的 likey 跑这一个手写体每日的,跑来自 cron 的手写体。
host #./snort-start.sh
为实现数据是超过这一张纸的范围抓取, 像是 Sebek 也有多种其他的工具。 对于附加的选项, 检查 Honeynet 用工具工作区段。
Part V: Testing Your UML Honeynet
The fifth, and final step, of building our UML Honeynet is to test our c
