Honeypots mailing list archives
RE: honeyd and cable modem
From: Christian Kreibich <christian () whoop org>
Date: 19 Dec 2003 11:47:08 +0000
Hi,

I'm not sure if this will help, but for a while I ran honeyd on the single IP that you get via DHCP when using a cable modem. I found that by far the simplest solution was to set up a few iptables rules on the machine running honeyd to block all incoming traffic, to prevent that machine's network stack from ever interfering with that traffic. Something like

  iptables -F INPUT
  iptables -F FORWARD
  iptables -A INPUT -j DROP
  iptables -A FORWARD -j DROP

You can of course augment that to allow ssh access from somewhere outside etc., but make sure to adapt the filtering rule you pass to honeyd on startup to ignore that traffic (unless you want to test your setup, of course). Since honeyd gets its traffic via pcap, it sees the traffic nevertheless.

Hope this helps,
Christian.

On Wed, 2003-12-17 at 13:33, Craig Sharp wrote:
Roshen,

One other issue, what would I use as the gateway on the host? Currently it gets its gateway from dhcp.

Craig

<roshen.chandran () paladion net> 12/16/03 10:44PM >>>

I know that honeyd relies on arpd to use all available addresses in a network but this won't work in my situation with only a single address.

If I got you correctly Craig, the problem seems to be that the Honeyd virtual honeypot has to listen for an IP that is currently assigned to the Honeyd host, and you have only 1 IP to spare between the Honeyd host and the virtual honeypot.

You could bind the virtual honeypot to the IP provided by the cable modem in the honeyd.conf file, and assign just any other invalid IP to the Honeyd host itself. You can run Arpd to respond to arp requests for the IP provided by the cable modem, and the Honeyd host will thus pick up the packets and hand them over to the Honeyd virtual honeypot.

Thanks!
-Roshen

Roshen Chandran
Paladion Networks
http://www.paladion.net
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
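
Added example, not part of the original post: a dry-run generator for the host lockdown described in the message above, extended with one ssh management exception and the matching pcap filter expression that keeps that ssh session out of the capture. The function names and the 192.0.2.10 management address are assumptions made for illustration; how the expression is handed to honeyd is not shown on this page, so the script only prints it.

```shell
#!/bin/sh
# Added example. Prints rules and a filter; it never changes the firewall itself.

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_port PORT: succeed only for 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# host_rules MGMT_IP PORT: the post's four rules plus one ACCEPT, which
# must be appended before the catch-all DROP or it is never reached.
host_rules() {
    valid_ipv4 "$1" && valid_port "$2" || return 1
    printf '%s\n' \
        "iptables -F INPUT" \
        "iptables -F FORWARD" \
        "iptables -A INPUT -p tcp -s $1 --dport $2 -j ACCEPT" \
        "iptables -A INPUT -j DROP" \
        "iptables -A FORWARD -j DROP"
}

# capture_filter MGMT_IP PORT: pcap expression excluding both directions
# of the management session, so the honeypot does not react to it.
capture_filter() {
    valid_ipv4 "$1" && valid_port "$2" || return 1
    printf 'not (tcp and ((src host %s and dst port %s) or (dst host %s and src port %s)))\n' \
        "$1" "$2" "$1" "$2"
}

# Constructed sample values (192.0.2.0/24 is a documentation range).
host_rules 192.0.2.10 22
capture_filter 192.0.2.10 22
```

Review the printed rules before applying them as root; the OUTPUT chain is left untouched, as in the original post, so ssh replies from the host still leave.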