Honeypot configuration (honeyd) - finding attacks


Problem description


I want to configure a local honeypot to find some attacks. To do this I have installed honeyd on Ubuntu 12.04.4, which is installed on my VMware.

Here is my config file:

### Linux Suse 8.0 template
create suse80
set suse80 personality "Linux 2.4.7 (X86)"
set suse80 default tcp action filtered
set suse80 default udp action block
set suse80 default icmp action open
set suse80 uptime 79239
set suse80 droprate in 4
add suse80 tcp port 21 "sh scripts/unix/linux/suse8.0/proftpd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 22 "sh scripts/unix/linux/suse8.0/ssh.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 23 "sh scripts/unix/linux/suse8.0/telnetd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 25 "sh scripts/unix/linux/suse8.0/sendmail.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 79 "sh scripts/unix/linux/suse8.0/fingerd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 80 "sh scripts/unix/linux/suse8.0/apache.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 110 "sh scripts/unix/linux/suse8.0/qpop.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 111 "perl scripts/unix/general/rpc/bportmapd --proto tcp --host scripts/unix/general/rpc/hosts/debian --srcip $ipsrc --dstip $ipdst --srcport $srcport --dstport $dport --logfile /var/log/honeyd --logall"
add suse80 tcp port 143 "sh scripts/unix/linux/suse8.0/cyrus-imapd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 515 "sh scripts/unix/linux/suse8.0/lpd.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 3128 "sh scripts/unix/linux/suse8.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 8080 "sh scripts/unix/linux/suse8.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse80 tcp port 8081 "sh scripts/unix/linux/suse8.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse80 udp port 53 proxy 24.35.0.12:53
add suse80 udp port 111 "perl scripts/unix/general/rpc/bportmapd --proto udp --host scripts/unix/general/rpc/hosts/debian --srcip $ipsrc --dstip $ipdst --srcport $srcport --dstport $dport --logfile /var/log/honeyd --logall"
add suse80 udp port 161 "perl scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"
add suse80 udp port 514 "sh scripts/unix/linux/suse8.0/syslogd.sh $ipsrc $sport $ipdst $dport"
bind 192.168.1.201 suse80


### Suse7.0 computer
create suse70
set suse70 personality "Linux 2.2.12 - 2.2.19"
set suse70 default tcp action reset
set suse70 default udp action block
set suse70 default icmp action open
set suse70 uptime 97239
set suse70 droprate in 2
add suse70 tcp port 21 "sh scripts/unix/linux/suse7.0/proftpd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 22 "sh scripts/unix/linux/suse7.0/ssh.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 23 "sh scripts/unix/linux/suse7.0/telnetd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 25 "sh scripts/unix/linux/suse7.0/sendmail.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 79 "sh scripts/unix/linux/suse7.0/fingerd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 80 "sh scripts/unix/linux/suse7.0/apache.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 110 "sh scripts/unix/linux/suse7.0/qpop.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 143 "sh scripts/unix/linux/suse7.0/cyrus-imapd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 515 "sh scripts/unix/linux/suse7.0/lpd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 3128 "sh scripts/unix/linux/suse7.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 8080 "sh scripts/unix/linux/suse7.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 8081 "sh scripts/unix/linux/suse7.0/squid.sh $ipsrc $sport $ipdst $dport"
add suse70 udp port 53 proxy 24.35.0.12:53
add suse70 udp port 161 "perl scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"
add suse70 udp port 514 "sh scripts/unix/linux/suse7.0/syslogd.sh $ipsrc $sport $ipdst $dport"
bind 192.168.1.202 suse70

The result of nmap (192.168.1.202) is as follows:

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-15 02:08 Iran Standard Time
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 02:08
Scanning 192.168.1.202 [4 ports]
Completed Ping Scan at 02:08, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:08
Completed Parallel DNS resolution of 1 host. at 02:08, 0.05s elapsed
Initiating SYN Stealth Scan at 02:08
Scanning 192.168.1.202 [65535 ports]
Discovered open port 110/tcp on 192.168.1.202
Discovered open port 23/tcp on 192.168.1.202
Discovered open port 21/tcp on 192.168.1.202
Discovered open port 8080/tcp on 192.168.1.202
Discovered open port 22/tcp on 192.168.1.202
Discovered open port 80/tcp on 192.168.1.202
Discovered open port 143/tcp on 192.168.1.202
Discovered open port 25/tcp on 192.168.1.202
Discovered open port 3128/tcp on 192.168.1.202
Discovered open port 8081/tcp on 192.168.1.202
Discovered open port 79/tcp on 192.168.1.202
Discovered open port 515/tcp on 192.168.1.202
Completed SYN Stealth Scan at 02:08, 12.59s elapsed (65535 total ports)
Initiating Service scan at 02:08
Scanning 12 services on 192.168.1.202
Completed Service scan at 02:08, 0.03s elapsed (12 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.202
Retrying OS detection (try #2) against 192.168.1.202
Initiating Traceroute at 02:08
Completed Traceroute at 02:08, 0.09s elapsed
Initiating Parallel DNS resolution of 1 host. at 02:08
Completed Parallel DNS resolution of 1 host. at 02:08, 13.00s elapsed
NSE: Script scanning 192.168.1.202.
Initiating NSE at 02:08
Completed NSE at 02:09, 5.02s elapsed
Nmap scan report for 192.168.1.202
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
WARNING: RST from 192.168.1.202 port 21 -- is this port really open?
Host is up (0.059s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
22/tcp open tcpwrapped
|_ssh-hostkey:
23/tcp open tcpwrapped
25/tcp open tcpwrapped
|_smtp-commands: Couldn't establish connection on port 25
79/tcp open tcpwrapped
|_finger: ERROR: Script execution failed (use -d to debug)
80/tcp open tcpwrapped
110/tcp open tcpwrapped
143/tcp open tcpwrapped
| imap-capabilities:
|_ ERROR: Failed to connect to server
515/tcp open tcpwrapped
3128/tcp open tcpwrapped
8080/tcp open tcpwrapped
8081/tcp open tcpwrapped
Aggressive OS guesses: Scientific Atlanta WebSTAR EPC2203 cable modem (86%), D-Link DPR-1260 print server; or DGL-4300, DGL-4500, DIR-615, DIR-625, DIR-628, DIR-655, or DIR-855 WAP (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 79.00 ms 192.168.1.202

NSE: Script Post-scanning.
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.34 seconds
Raw packets sent: 65614 (2.890MB) | Rcvd: 128417 (5.138MB)
It recognizes all open port services as tcpwrapped. Also, although ports 23, 80 and 21 are open, I couldn't establish a telnet, http or ftp connection to them! What is the problem, and how can I fix it?
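Nmap's `tcpwrapped` label means the TCP handshake completed but the connection was closed before any data was exchanged, so the port itself is being answered by honeyd and the next thing to verify is the service command honeyd spawns for it. The following Python is an added example, not code from the post or from honeyd. It lints a honeyd template for the two things a practitioner would check first: whether each `scripts/...` path exists relative to the directory honeyd is started from, and whether every `$variable` in a command is one honeyd substitutes (assumed here to be `$ipsrc`, `$ipdst`, `$sport` and `$dport`); it then cross-checks the configured TCP ports of a bound IP against the ports nmap reported open. The config and nmap lines embedded in it are constructed, shortened copies of the ones in the question, with the port-111 line (and its `$srcport`) borrowed from the suse80 template.

```python
import os
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the poster's suse70 template, plus one
# port-111 line in the shape of the suse80 template (it carries $srcport).
SAMPLE_CONFIG = """\
### Suse7.0 computer
create suse70
set suse70 personality "Linux 2.2.12 - 2.2.19"
set suse70 default tcp action reset
add suse70 tcp port 21 "sh scripts/unix/linux/suse7.0/proftpd.sh $ipsrc $sport $ipdst $dport"
add suse70 tcp port 111 "perl scripts/unix/general/rpc/bportmapd --proto tcp --srcport $srcport --dstport $dport"
add suse70 udp port 53 proxy 24.35.0.12:53
bind 192.168.1.202 suse70
"""

# Constructed sample in the shape of the nmap port table in the question.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
22/tcp open tcpwrapped
"""

# Assumption: the placeholders honeyd substitutes into a service command line.
KNOWN_VARS = {"ipsrc", "ipdst", "sport", "dport"}

ADD_RE = re.compile(r'^add\s+(\S+)\s+(tcp|udp)\s+port\s+(\d+)\s+(.+)$')
BIND_RE = re.compile(r'^bind\s+(\S+)\s+(\S+)$')
NMAP_RE = re.compile(r'^(\d+)/(tcp|udp)\s+open\s+(\S+)')


def parse_config(text):
    """Map each template to {(proto, port): command-or-None} and each bound IP to its template.
    A None command means honeyd handles the port itself (proxy/reset/open/block)."""
    services, binds = defaultdict(dict), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := ADD_RE.match(line):
            tmpl, proto, port, action = m.groups()
            quoted = len(action) > 1 and action[0] == action[-1] == '"'
            services[tmpl][(proto, int(port))] = action[1:-1] if quoted else None
        elif m := BIND_RE.match(line):
            ip, tmpl = m.groups()
            binds[ip] = tmpl
    return services, binds


def lint_commands(services, workdir):
    """Flag service scripts that do not exist relative to honeyd's working directory,
    and placeholders outside KNOWN_VARS. A script that cannot start leaves a port that
    accepts the connection and then closes it, which nmap reports as 'tcpwrapped'."""
    findings = []
    for tmpl, ports in services.items():
        for (proto, port), cmd in sorted(ports.items()):
            if cmd is None:
                continue
            argv = cmd.split()
            # The script path follows the interpreter (sh/perl); otherwise the command is the script.
            script = argv[1] if argv[0] in ("sh", "perl") and len(argv) > 1 else argv[0]
            if not os.path.isfile(os.path.join(workdir, script)):
                findings.append(f"{tmpl} {proto}/{port}: script not found under {workdir}: {script}")
            for var in re.findall(r"\$(\w+)", cmd):
                if var not in KNOWN_VARS:
                    findings.append(f"{tmpl} {proto}/{port}: ${var} is not a placeholder honeyd fills in")
    return findings


def parse_nmap(text):
    """Return {(proto, port): service} for every port nmap printed as open."""
    matches = (NMAP_RE.match(line.strip()) for line in text.splitlines())
    return {(m.group(2), int(m.group(1))): m.group(3) for m in matches if m}


def compare(services, binds, ip, nmap_text):
    """Cross-check the TCP ports honeyd should emulate on `ip` against what nmap saw open."""
    configured = {k for k in services[binds[ip]] if k[0] == "tcp"}
    seen = parse_nmap(nmap_text)
    seen_keys = set(seen)
    return {
        "matched": sorted(p for (_, p) in configured & seen_keys),
        "open_unconfigured": sorted(p for (_, p) in seen_keys - configured),
        "configured_not_open": sorted(p for (_, p) in configured - seen_keys),
        "tcpwrapped": sorted(p for (_, p), svc in seen.items() if svc == "tcpwrapped"),
    }


if __name__ == "__main__":
    svc, binds = parse_config(SAMPLE_CONFIG)
    # Run from the directory honeyd is started in, so relative script paths resolve the same way.
    for finding in lint_commands(svc, os.getcwd()):
        print("LINT:", finding)
    print(compare(svc, binds, "192.168.1.202", SAMPLE_NMAP))
```

Run it from the directory honeyd is launched from (or pass that directory to `lint_commands`) against the real config file; every port that nmap lists as both open and `tcpwrapped` while the linter reports its script as missing is a port where honeyd completes the handshake but has nothing to hand the connection to.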

Solution

ipsrc


sport


ipdst

