Re: Honeyd on a single host...

[oudot <oudot () rstack org>]

Peter Bates a écrit:
> Hello all...
>
> I just thought I'd ask here, to see if anyone else 
> had a working configuration for anything similar.
>
> I have a Linux box... ppp0 is the outside world,
> eth0 is 192.168.1.0/24 for some internal hosts
> (which are then masqueraded with iptables), and 
> also an eth1 in the machine, that isn't connected or being used.
>
> eth0 provides DHCP services, so I'm trying to avoid arpd,
> but I obviously need to run honeyd on eth0 (or eth1) as it
> coughs on trying to bind to ppp0.
>
> So, I run it bound to eth0 or eth1, and then try 
>
> iptables -t nat -I PREROUTING  -p tcp --dport !22 -i ppp0
> -j DNAT --to-destination 192.168.1.200
>
> (I've configured honeyd to 'pretend' to be 192.168.1.200)
>
> The traffic appears to come in, but never gets anywhere near
> honeyd ...

Your gateway should be adviced about where is the honeyd.
While trying to reach 192.168.1.200, the gateway will try to send ARP 
request on this address, but honeyd's job is not to answer to such requests.
So here are small propositions from a simple guy :
- either you try to hard code honeyd's host MAC address in the MAC table 
of the gateway : "arp -s 192.168.1.200 ether_addr_of_the_honeyd_host 
permanent" (man arp)
- or you can use arpd aiming just the honeyd IP address 192.168.1.200 
(man arpd)

If it does not work, please try to tcpdump your LAN to look at the ARP 
traffic between the GW and the un-found honeyd.

try hard.

my 2 cents.

laurent

> Before I start reconsidering and just redirecting traffic to my 
> home machine to my working honey(d)net, does anyone have
> a working configuration like the above that they are using?
>
> I can get things working if I use a second box attached to eth0,
> but I'm trying to avoid having my home littered with computers :)

hmmmm ?

> Thanks...
>
>
>
>
> --------------------------------------------------------------------------------------------------->
> Peter Bates, Systems Support Officer, Network Support Team.
> London School of Hygiene & Tropical Medicine.
> Telephone:0207-958 8353 / Fax: 0207- 636 9838