Tiny Honeypot

Tiny Honeypot (thp) is a simple honey pot program based on iptables redirects and an xinetd listener. It listens on every TCP port not currently in use, logging all activity and providing some feedback to the attacker. The responders are entirely written in Perl, and provide just enough interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. With appropriate limits (default), thp can reside on production hosts with negligible impact on performance.


Recent releases

  • 23 May 2003 23:32

Changes: More flexible time stamping was implemented and some logging enhancements were made. The shell now responds to cd, pwd, uname (-avsm), id, and wget, and a number of bugfixes were made.

  • 02 Aug 2002 16:36

Changes: Capture logs now include the source address and port of the attacker. Log entries can now be either on a single line, syslog style and suitable for machine parsing, or old style multi-line. HTTP functions are completely rewritten, achieving RFC 2616 compliance whenever possible. Other features include subroutines for errors 400, 414, and 501, correctly built HTTP return headers for several MIME types, a new "chameleon" mode which will change responses (if turned on) to emulate an IIS server when an attacker requests certain types of resources, regardless of the primary setting, and many other small tweaks and fixes.

  • 23 Jul 2002 02:44

Changes: Adjusted xinetd.d file port numbers and removed o-x from the config files. GOODNET and GOODSVCS were added to the INPUT chain, along with a section in iptables.rules to allow a multi-homed system to trust either an entire interface or a network. A test was added to bomb out if someone accidentally ran iptables.rules directly. Escapes and array references were fixed in ftp(), as they were causing some versions of Perl to complain.

  • 16 Jul 2002 06:07

Changes: This release fixed an extra shell prompt on exit, added the GPL blurb to all files, and removed duplicate xinetd.d files from the tarball. The iptables script requires less post-install tweaking for hpot_svcs, and the port range for listeners was moved to 40k+ to avoid conflicts with fakerpc. Several other little tweaks and bugfixes were made.

Changes: Added session timeouts, simple HTTP emulation, a PID on the capture log start line (to allow correlation with xinetd logging), and xinetd per-source limits by default.

Recent comments

01 Aug 2002 13:28 bschnzl

The perfect IDS spice
This package is perfect for those who are not intimately familiar with packet bits and C source code. The listener is just that, a listener. The responses are there to elicit a further degree of attacker activity without actually running the service. Attackers won't know what they're hitting until they've tipped their hands!

What does this do for you? If you want to understand more about network shenanigans, this will lay bare RPC and FTP attacks. It's in PERL, so if you want more services, grab an RFC and write it! A CAVEAT! If you're running a production network, think long and hard before putting this up! If you are not comfortable that your IDS is showing you everything, don't even think about it! Just say no!!!!

If you are still here, that means you know what xinetd and iptables do, can analyze their settings, and have them working. Open this in a test directory, and check out what it does first! You may have to manually add some rules, or adjust some services. Do it, and enjoy watching the script kiddies bounce off your walls.
