Hello.
Some days ago I wrote a tutorial for the installation of an Amun honeypot. I have now translated it for non-German-speaking people. I'm sorry if my English isn't that good, but I think you will understand most things clearly.
A note in advance: this tutorial covers the current version of the Amun honeypot, version 0.1.7. As test system I used Debian GNU/Linux 5.0 (Lenny). You should be comfortable with basic Linux commands and what they mean.
What do you need?
First of all, you need a working host system. You may want to rent a small vServer or build a home server. Be aware that you need additional IP addresses if you want to run other network services on the same server, because the Amun honeypot uses a lot of ports for its vuln modules. Before you start, remove or stop every network service that would keep the vuln modules from binding their ports (e.g. web server, FTP, mail...).
Amun is written in Python, an interpreted language. If the interpreter isn't installed yet, you can install it with:
$ su -
$ apt-get install python
You also need the psyco module for Python. It is in the Debian repository and can be installed with:
$ su -
$ apt-get install python-psyco
$ exit
Finally, you need the main program, the Amun honeypot itself. Grab your copy at: http://sourceforge.net/project/platformdownload.php?group_id=221628
If you want to use submit-mysql or log-mysql, you also need the MySQLdb module for Python. If you want log-surfnet, you have to install psycopg2.
Preparations & Configuration
You now have a fresh Debian system with the Python interpreter and python-psyco installed.
Create a new user "amun" and su to that user. Go to the home directory and download the current Amun version with wget. Extract the tar.gz archive and change into the extracted folder. You will find subdirectories like config/, log-modules/ and so on. Before we proceed with the configuration of the honeypot, we tell the system to start the honeypot whenever it boots. For that we need a small start script:
#!/bin/sh
# Amun Honeypot Startscript

# path to amun server: interpreter followed by the script
# (the variable is deliberately left unquoted below so it is split into words)
amuncommand="/usr/bin/env python /home/amunserver/amun/amun_server.py"

case "$1" in
  start)
    echo -n "Starting Amun Honeypot... "
    start-stop-daemon --start --quiet --pidfile /var/run/amunserver.pid --make-pidfile --background --exec $amuncommand
    echo "done."
    ;;
  stop)
    echo -n "Stopping Amun Honeypot... "
    start-stop-daemon --stop --quiet --pidfile /var/run/amunserver.pid
    echo "done."
    ;;
  *)
    echo "Usage: /etc/init.d/amun {start|stop}"
    exit 1
    ;;
esac
In the variable amuncommand enter the path to your amun_server.py, preceded by the Python interpreter call (/usr/bin/env python). Save the script as /etc/init.d/amun.
Now you can start and stop Amun with /etc/init.d/amun {start|stop}.
Now we just have to add it to the programs started at boot.
$ su -
$ update-rc.d amun defaults
$ exit
Done. From now on, your honeypot starts along with the system.
Go back to the folder where your honeypot is located and proceed to the conf/ directory. First we customize amun.conf. Open it with your preferred text editor.
### define the amun server ip
ip: 0.0.0.0
If your server has more than one IP address, enter the address Amun should use here; otherwise it listens on ALL addresses.
### define submission modules
submit_modules:
submit-md5,
# submit-anubis,
# submit-cwsandbox,
# submit-joebox
If you want to submit captured malware to one or more sandbox services, remove the # in front of submit-anubis, submit-cwsandbox and/or submit-joebox.
### define logging modules
log_modules:
# log-surfnet
Here are the logging modules. By default only the log-surfnet module is listed, and it is commented out. Optionally you can add log-blastomat, log-mail, log-mysql and log-syslog. I can't explain these modules, because I haven't worked with them yet, but they should be easy to use: everything you need is commented in the configuration files of the modules.
You don't have to change anything under the vuln_modules section. If you are behind a router or a firewall, look up the ports the vuln modules use and forward them in your firewall; otherwise no attacks will reach your honeypot. The easiest way is to put the honeypot into a DMZ (demilitarized zone).
Now we come to the submit modules.
### define the email address reports should be sent to
### (set to None if only logging to submission.log should be enabled)
reportToEmail: None
Replace None with one of your e-mail addresses to get the reports sent there. (Be aware that you will get MANY reports by e-mail, so you should use a separate mailbox.)
Do this in all three submit modules, if you use all three.
Now we are done. You could proceed with configuring the log modules, but as said above, I haven't used them much.
Have fun with your freshly installed Amun honeypot.
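As an added example (not part of the original tutorial and not Amun's own code), here is a small Python script that reads a configuration written in the amun.conf style shown above and reports the things you want to know before starting the honeypot: whether the ip value is valid and whether it means "all addresses", which submit and log modules are actually enabled (a line starting with # disables a module), whether an enabled module needs an extra Python package that is missing on this host (MySQLdb for submit-mysql/log-mysql, psycopg2 for log-surfnet, as mentioned above), and whether reportToEmail is still None. The sample configuration, the list of known module names and the parsing rules are my assumptions drawn from this tutorial; Amun has its own parser and this script does not claim to replicate it.

```python
"""Check an amun.conf-style configuration before the honeypot is started."""
import importlib.util
import ipaddress
import re

# Constructed sample in the format shown in the tutorial (not a real amun.conf).
SAMPLE_CONF = """\
### define the amun server ip
ip: 0.0.0.0

### define submission modules
submit_modules:
submit-md5,
# submit-anubis,
submit-cwsandbox,
# submit-joebox

### define logging modules
log_modules:
# log-surfnet
log-mysql

### define the email address reports should be sent to
### (set to None if only logging to submission.log should be enabled)
reportToEmail: None
"""

# Module names the tutorial mentions; anything else is reported as unknown.
KNOWN_MODULES = {
    "submit-md5", "submit-anubis", "submit-cwsandbox", "submit-joebox",
    "submit-mysql", "log-surfnet", "log-blastomat", "log-mail",
    "log-mysql", "log-syslog",
}

# Extra Python packages the tutorial says these modules need.
MODULE_DEPENDENCIES = {
    "submit-mysql": "MySQLdb",
    "log-mysql": "MySQLdb",
    "log-surfnet": "psycopg2",
}

KEY_RE = re.compile(r"^([A-Za-z_]\w*):\s*(.*)$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_conf(text):
    """Parse 'key: value' lines into a dict (assumed reading of the format).

    A key with nothing after the colon (e.g. 'submit_modules:') collects the
    following comma-separated lines into a list. Lines starting with '#' are
    comments, which is how a module is disabled, so they are skipped.
    """
    conf = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = KEY_RE.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip()
            if value:
                conf[key] = value
                current_list = None
            else:
                current_list = conf.setdefault(key, [])
            continue
        if current_list is not None:
            current_list.extend(v.strip() for v in line.split(",") if v.strip())
    return conf


def _as_list(value):
    """Accept both the multi-line form and a single 'key: a, b' line."""
    if isinstance(value, str):
        value = value.split(",")
    return [v.strip() for v in value if v.strip()]


def validate(conf, find_spec=importlib.util.find_spec):
    """Return a list of human-readable findings (empty list means nothing to report).

    find_spec can be swapped out (e.g. in a test) to simulate which Python
    packages are installed on the host.
    """
    findings = []

    ip = conf.get("ip", "")
    try:
        if ipaddress.ip_address(ip).is_unspecified:
            findings.append("ip is 0.0.0.0: Amun will listen on all addresses of this host")
    except ValueError:
        findings.append("ip %r is not a valid IP address" % (ip,))

    submit = _as_list(conf.get("submit_modules", []))
    logs = _as_list(conf.get("log_modules", []))
    if not submit:
        findings.append("no submission module is enabled")
    for name in submit + logs:
        if name not in KNOWN_MODULES:
            findings.append("unknown module %r" % (name,))
        dep = MODULE_DEPENDENCIES.get(name)
        if dep and find_spec(dep) is None:
            findings.append("%s needs the Python module %s, which is not installed" % (name, dep))

    email = conf.get("reportToEmail", "None")
    if email == "None":
        findings.append("reportToEmail is None: reports only go to submission.log")
    elif not EMAIL_RE.match(email):
        findings.append("reportToEmail %r does not look like an e-mail address" % (email,))
    return findings


if __name__ == "__main__":
    for finding in validate(parse_conf(SAMPLE_CONF)):
        print("-", finding)
```

Run it against your real file with `validate(parse_conf(open("conf/amun.conf").read()))` after editing; an empty result means the values are well-formed and the required Python packages import, not that the firewall forwards the vuln module ports.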