Operating System:
• CentOS 5.4
Partitioning – 100GB hard drive
• / (system and scripts): 47GB
• /vz (OpenVZ hosts): 50GB
IP Configuration
• eth0: Honeypots 10.0.1.[1-5]/16
• eth1: Management 10.1.1.[1-5]/16
• Default Gateway: 10.0.0.2
• DNS Server: 210.33.88.1
Administrator Account
• Login: root
• Password: admin123
OpenVZ Setup
1. Install OpenVZ:
yum install vzquota vzctl
2. Download the following OVZ Kernel:
http://download.openvz.org/kernel/branches/rhel5-2.6.18/028stab068.9/ovzkernel-2.6.18-164.15.1.el5.028stab068.9.i686.rpm
3. Install the OVZ kernel:
rpm -ivh ovzkernel-2.6.18-164.15.1.el5.028stab068.9.i686.rpm
4. Modify GRUB (/boot/grub/grub.conf) so the default entry is the ovzkernel one, reboot, and confirm with uname -r that the OVZ kernel is running
OpenVZ Template
1. Download the template file fedora-12-x86.tar.gz and copy it into /vz/template/cache:
http://download.openvz.org/template/precreated/unsupported/fedora-12-x86.tar.gz
To modify the OpenVZ template:
• tar zxvf fedora-12-x86.tar.gz (extract into an empty working directory)
• Modify filesystem…
• tar --numeric-owner -zcvf fedora-12-x86.tar.gz . (run from the root of the extracted tree, so paths stay relative and uid/gid values are preserved)
• Place the new file in /vz/template/cache
Sysctl (/etc/sysctl.conf)
• net.ipv4.ip_forward = 1
• net.ipv4.conf.default.proxy_arp = 0
• net.ipv4.conf.default.send_redirects = 1
• net.ipv4.conf.all.send_redirects = 0
• net.ipv4.icmp_echo_ignore_broadcasts = 1
• net.ipv4.conf.default.forwarding = 1
• kernel.panic = 1
Sebek
1. Untar the archive, run sbk_install.sh, and make sure it is run at boot (see Autostart program below).
sbk_install.sh contains the Sebek server IP, MAC addresses and source/destination ports.
Scripts
• revert: Stop, back up and re-create the honeypots. Sebek has to be disabled first!
• traffic_control: Apply traffic limitation on eth0
• install_ssh_key: Called during the honeypot deployment phase. Installs the SSH key that allows public-key authentication from the gateway to the honeypot. Used for the first session only.
o Copy authorized_keys into the honeypot user's home directory
• install_banner: Installs the SSH banner on the honeypot. Called during the honeypot deployment phase.
o Copy one of the banners from the ./banner directory to /etc/motd on the honeypot. The banner filename is the honeypot type.
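The two deployment-phase steps (install_ssh_key and install_banner) as they could be run from the hardware node against a stopped container's filesystem. This is an added example and not the runbook's own scripts; the assumptions are that the container's private area is passed in as a directory (on OpenVZ that is /vz/private/<CTID>), that the gateway's public key is supplied as a file, that banners live in a directory named after the honeypot type, and that the target account is root inside the container.

```shell
#!/bin/sh
# Added example, not the original install_ssh_key / install_banner scripts.
# Both functions operate on the container's filesystem as seen from the
# hardware node (CTROOT, e.g. /vz/private/101), so they work while the
# container is stopped and need no network access to the honeypot.
set -eu

# Install the gateway's public key so the first session can authenticate
# with a key. sshd (StrictModes, the default) rejects ~/.ssh or
# authorized_keys that are group/world writable, so modes are set explicitly.
install_ssh_key() {
    ctroot=$1     # container private area on the hardware node
    pubkey=$2     # gateway public key file (one line, authorized_keys format)
    home=$3       # home directory inside the container, e.g. /root
    sshdir="$ctroot$home/.ssh"
    mkdir -p "$sshdir"
    chmod go-w "$ctroot$home"
    chmod 700 "$sshdir"
    # Replace rather than append: the honeypot must trust exactly this key.
    cp "$pubkey" "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
    # Ownership must be the container's root (uid 0); only possible as root.
    if [ "$(id -u)" = 0 ]; then
        chown 0:0 "$sshdir" "$sshdir/authorized_keys"
    fi
}

# Install the banner whose filename matches the honeypot type as /etc/motd.
install_banner() {
    ctroot=$1
    bannerdir=$2   # directory holding one banner file per honeypot type
    hptype=$3      # e.g. "web", "mail"; must name a file in bannerdir
    src="$bannerdir/$hptype"
    if [ ! -f "$src" ]; then
        echo "no banner for honeypot type '$hptype' in $bannerdir" >&2
        return 1
    fi
    cp "$src" "$ctroot/etc/motd"
    chmod 644 "$ctroot/etc/motd"
}

# Post-deployment check: authorized_keys is exactly the gateway key, mode 0600.
verify_deploy() {
    ctroot=$1
    pubkey=$2
    home=$3
    ak="$ctroot$home/.ssh/authorized_keys"
    [ -f "$ak" ] || return 1
    [ -n "$(find "$ak" -perm 0600)" ] || return 1
    cmp -s "$ak" "$pubkey" || return 1
    return 0
}
```

Run these before the container is started for the first time; once the attacker has a session, the authorized_keys file is part of the evidence and should not be touched again until revert rebuilds the honeypot.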
Crontab
## Every hour, update time with collector
0 * * * * /usr/sbin/ntpdate 10.1.0.1 2>&1
Autostart program
# Start Sebek Client
cd /cybercrime/sebek
./sbk_install.sh
# Start Traffic Contr