This repository has been archived by the owner on Jan 14, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathINSTALL
109 lines (85 loc) · 6.28 KB
/
INSTALL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
High Interaction Honeypot Analysis Toolkit
==================================================
Content: I. Introduction
II. Installation
a) Preparation of the logserver
b) Installation of a web-based honeypot
c) Installation of the analysis tool HIHAT
I. Introduction
---------------
This toolkit consists of two components:
1. The Honeypot-Creator
2. The Analysis Tool HIHAT (High-interaction Honeypot Analysis Tool)
Description:
1. The Honeypot-Creator transforms arbitrary PHP-based web applications into high-interaction web-based honeypots which
allow to monitor and observe any step a user or attacker performs at a web application. All data is stored in an SQL
database at an external logserver.
2. The analysis tool HIHAT supports the process of gaining the important information out of the collected data. It provides
a web surface to observe, monitor and analyse the data. It can automatically detect attacks, provide details about an
attack and generate a geographical mapping of the attack sources. Moreover various statistics can be shown providing
detailed information about attacks, attack sources and the overall traffic that was observed.
For a more detailed description of the toolkit please refer to the diploma thesis "Web-based Honeypot Decoys".
II. Installation
----------------
Content:
a) Preparation of the logserver
b) Installation of a web-based honeypot
c) Installation of the analysis tool HIHAT
a)
At first the logserver needs to be prepared. Remember, according to the architecture of the web-based honeynet
this logserver should not be a honeypot or located in the honeynet itself.
1. Prepare the logserver and make sure it has a secure configuration. This comprises the installation of a minimalistic
system, holding only the software and tools that are absolutely necessary to run the honeypot. Furthermore all
non-required services should be disabled or removed if possible, resulting in a minimalistic system. In order to secure
the system further all available patches need to be downloaded - the system has to be kept completely updated at the
time of installation and also during the entire time of use. Make sure privileges are configured properly.
2. Install an SQL database, preferably MySQL version 5.0 or higher.
3. Create a new database named "honeyweb".
4. Use the file "HIHAT-Create-Tables.sql" to create the required tables in the database.
5. Create a new login profile in the SQL database and restrict its privileges to the database "honeyweb". This profile is
used in b) and c) to store and access the data at the logserver.
b) Description of the necessary steps for the installation of a web-based honeypot:
1. Select a PHP-based web application to transform into a web-based honeypot(=module) and store the source code of the application
in a directory. For the transformation process write permission is needed in the directory.
2. Set the name of the honeypot by configuring the name of the module for the Honeypot-Creator.
Therefore, open the file "insertionFile.txt" and change the content of the variable "$thisModule_23cdx_" to a module
name of your choice.
Remember, the module name identifies the honeypot in the analysis process later on and has to match
the name of the module-file in the analysis tool (see below).
3. Set the login information for the SQL database at your logserver. Therefore, open the file "insertionFile.txt" and
change the server-address, username and password in the line "$link23 = mysql_connect" at the beginning of the file.
4. Install the Java Runtime Environment 1.4x or higher.
5. Run the Honeypot-Creator by typing "java honeypot_creator XXX", where XXX stands for the directory your PHP-based web
application is located in. Example: "java honeypot_creator /var/www/phpmyadmin/". Remember, for the transformation
process write permission is needed in the directory.
Now your web application is ready to serve as a honeypot, which recognizes and stores any access at the logserver you
selected.
c) Description of the necessary steps for the installation of the analysis tool HIHAT:
1. Create a new subdirectory in the www-path of your webserver. Remember, according to the architecture of the web-based
honeynet this webserver should not be a honeypot or located in the honeynet itself.
2. Make sure the access to the directory is protected, e.g. by using the ".htaccess" and ".htusers" files of the
Apache webserver.
3. Copy the analysis tool HIHAT (including subdirectories) to the webserver.
4. Adjust the file "inc/constant.php" to your configuration settings. Mandatory is the definition of the SQL database,
username and password to access the data. For using the geolocation mapping function the corresponding database and
a key for Google Maps has to be configured as well.
Additional configuration options can be selected in that file.
5. To enable automatic downloading of malicious tools make sure "check_downloads.php" is accessed regularly. Therefore I suggest to
install a new cronjob which runs the following command every five minutes:
"lynx -dump http://localhost/your-directory/autodownloader/check_downloads.php?verobse=false".
6. If you want to use graphical statistics, please check if you need to acquire a license for JpGraph. The installation of
additional files and the GD Libraray v2 may be necessary, too.
Now the analysis tool HIHAT should be installed properly and can be accessed via web browser.
------------------
(c) HIHAT version 1.0
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.