~2012

Creating a honeypot

This is a simple guide to setting up a honeypot. A honeypot in this sense is a device that captures all traffic. It's usable, for example, when you need to quarantine people on a network, or if you have a network without internet access and you need to redirect users to a specific website no matter which site they try to visit.

This guide is based on a clean minimal Debian installation.

First we'll install the necessary software packages.

apt-get install apache2 php5 dokuwiki dnsmasq

Select apache2 if the Dokuwiki install asks for it. Accept all other default answers.

Apache configuration

We'll create a virtualhost for the site we want users to be directed to. This site runs a dokuwiki installation as an example:

<VirtualHost *:80>
  ServerAdmin postmaster@example.org
  ServerName honeypot.example.org
  DocumentRoot /usr/share/dokuwiki
</VirtualHost>

Next we'll create a catchall site. This configuration will attempt to redirect all requests to our honeypot site:

# No ServerName here: this is the default vhost, so every Host header that
# is not honeypot.example.org lands in it and gets redirected.
<VirtualHost *:80>
  ServerAdmin postmaster@example.org
  DocumentRoot /var/www/
  RewriteEngine on
  # [R] sends a 302 redirect, [L] stops further rewriting
  RewriteRule   (.*)    http://honeypot.example.org [R,L]
  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>
  <Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>
  ErrorLog /var/log/apache2/error.log
  LogLevel warn
  CustomLog /var/log/apache2/access.log combined
  ServerSignature Off
</VirtualHost>

Now let's enable these sites and the needed module, and disable the default site:

a2enmod rewrite
a2ensite honeypot catchall
a2dissite default
/etc/init.d/apache2 restart

DNSMasq configuration

This honeypot also serves as a DHCP and DNS server. We'll use Dnsmasq for both, and also to catch all DNS requests.

Back up the default configuration:

mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

Then create a new /etc/dnsmasq.conf containing this clean config:

address=/#/[ipaddress-of this-server]
domain=honeypot.example.org
dhcp-authoritative
dhcp-lease-max=512
#example networks 10.1.138.0/23 and 10.2.138.0/23
#DHCP range 10.1.139.1 - 10.1.139.254 netmask 255.255.254.0
dhcp-range=net1,10.1.139.1,10.1.139.254,255.255.254.0,1h
#router for 10.1.138.0/23 network
dhcp-option=net1,3,10.1.138.1
dhcp-range=net2,10.2.139.1,10.2.139.254,255.255.254.0,1h
dhcp-option=net2,3,10.2.138.1

The 'address=/#/' line is the most important. It is a wildcard for all DNS requests, and dnsmasq will answer every query with the IP address you fill in there. This IP address should obviously be the address of your honeypot server.

If you need more options, see 'man dnsmasq'.
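A small lint for the dnsmasq config above, added here as an example (not part of the original guide): it checks that the wildcard line holds a real IP instead of the placeholder, that each dhcp-range fits inside its netmask, and that each router option (DHCP option 3) lies inside the subnet of the range with the same tag, which is the mistake that leaves clients without a gateway. The sample config is constructed from the one in this guide with an assumed server address of 10.1.138.10; it parses the bare-tag syntax used on this page.

```python
import ipaddress

# Constructed sample: this guide's dnsmasq.conf with an assumed server address.
SAMPLE_CONF = """\
address=/#/10.1.138.10
#example networks 10.1.138.0/23 and 10.2.138.0/23
dhcp-range=net1,10.1.139.1,10.1.139.254,255.255.254.0,1h
dhcp-option=net1,3,10.1.138.1
dhcp-range=net2,10.2.139.1,10.2.139.254,255.255.254.0,1h
dhcp-option=net2,3,10.2.138.1
"""

def lint_dnsmasq(text):
    """Return problems found in a dnsmasq catch-all config (empty list = OK):
    wildcard present and a real IP, ranges inside their subnet, routers inside it."""
    problems, wildcard, ranges, routers = [], None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):   # the '#' in address=/#/ is data
            continue
        key, _, value = line.partition('=')
        if key == 'address' and value.startswith('/#/'):
            wildcard = value[3:]
            try:
                ipaddress.IPv4Address(wildcard)
            except ValueError:
                problems.append(f"address=/#/ needs a real IP, got {wildcard!r}")
        elif key == 'dhcp-range':
            try:  # tag,start,end,netmask[,lease]; subnet derived from start+mask
                tag, lo, hi, mask = value.split(',')[:4]
                net = ipaddress.IPv4Network(f"{lo}/{mask}", strict=False)
                if ipaddress.IPv4Address(hi) not in net:
                    problems.append(f"{tag}: range {lo}-{hi} does not fit in {net}")
                ranges[tag] = net
            except ValueError as err:
                problems.append(f"bad dhcp-range {value!r} ({err})")
        elif key == 'dhcp-option':
            parts = value.split(',')
            if len(parts) == 3 and parts[1] == '3':   # option 3 = default router
                routers[parts[0]] = parts[2]
    if wildcard is None:
        problems.append("missing address=/#/ line: DNS catch-all is not active")
    for tag, router in routers.items():
        net = ranges.get(tag)
        if net is None:
            problems.append(f"{tag}: router option has no dhcp-range with that tag")
        elif ipaddress.IPv4Address(router) not in net:
            problems.append(f"{tag}: router {router} is outside {net}, clients get no gateway")
    return problems
```

Run it against your real /etc/dnsmasq.conf by passing the file contents to lint_dnsmasq; an empty list means the three checks passed.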

Dokuwiki configuration

Dokuwiki will work out of the box. However, remember that you can only access it through the right domain name, since the honeypot redirects all other requests to the URL you filled in in the Apache configuration. This can be a bit puzzling if you didn't set it up right.

Some versions of Debian ship a dokuwiki package that is only accessible from localhost. To fix this, change /etc/apache2/conf.d/dokuwiki.conf to:

Alias /dokuwiki /usr/share/dokuwiki
<Directory /usr/share/dokuwiki/>
  Options +FollowSymLinks
  AllowOverride All
  order allow,deny
  allow from all
</Directory>

To add some configuration to dokuwiki, use this as an example:

<?php
// DokuWiki local configuration (conf/local.php)
$conf['title'] = 'Honeypot Portal';
$conf['lang'] = 'en';
$conf['useacl'] = 1;
// actions hidden from users of the portal
$conf['disableactions'] = 'backlink,recent,revisions,register,resendpwd,profile,check,subscribe,unsubscribe,source,export_raw';
$conf['htmlok'] = 1;
$conf['updatecheck'] = 0;