HOACD v. 1.1
Thu Dec 2 12:05:45 GMT 2004
Copyright (c) 2004 Lucio Henrique Franco

1. License Information

HOACD is free software. Any other software that composes this CD is
distributed under its own license.

2. What is HOACD?

HOACD is the implementation of a low-interaction honeypot, based on honeyd
(http://www.honeyd.org), that runs directly from a CD and stores its logs
and configuration files on a hard disk.

The CD is bootable and uses:

- the OpenBSD/i386 operating system (http://www.openbsd.org);
- the low-interaction honeypot honeyd;
- the user-space arp daemon, arpd.

The honeypot configuration is based on procedures developed by Klaus
Steding-Jessen and adapted by Lucio H. Franco.

3. What does HOACD mean?

HOACD means Honeyd+OpenBSD+Arpd in a CD.

4. System base

CD v1.1 uses:

- honeyd v.0.8b
- OpenBSD v.3.6
- arpd v.0.2

The author plans to announce new HOACD releases when new versions of
OpenBSD or honeyd become available, or when a critical vulnerability that
affects one of its components is discovered.

5. Requirements

HARDWARE REQUIREMENTS:
----------------------

- Pentium 150MHz or higher
- IDE or SCSI hard disk (minimal size: 512MB)
- 64MB RAM or higher
- 1 CD-ROM drive
- 1 NIC

SYSTEM REQUIREMENTS:
--------------------

- Set the BIOS clock to GMT
- Partitions (essential: /, swap, /etc, /dev, /tmp and /var)
- Size of each partition. Suggestions:
  - /     10MB
  - swap  2*RAM
  - /etc  10MB
  - /dev  100MB
  - /tmp  64MB
  - /var  rest of disk
- A *strong* root password. Suggestions:
  - size >= 8 characters
  - use special characters and numbers
- An e-mail address for the root alias

HONEYPOT REQUIREMENTS:
----------------------

- Network information used by the honeypot:
  - 2 valid IP addresses:
    - 1 for the real system; it will be used only for administration
      (eg: 10.0.0.1)
    - 1 for honeyd; it will emulate one operating system (Windows XP)
      (eg: 10.0.0.5)
  - Netmask (eg: 255.255.255.0)
  - Broadcast address (eg: 10.0.0.255)
  - Gateway address (eg: 10.0.0.254)
  - DNS server IP address (eg: 10.1.1.2)
  - NTP server address for system clock synchronization (eg: 10.3.3.1)
- Honeypot name. Suggestions:
  - Don't use "honeypot" or "hp"
  - Choose a name pattern that you already use in your network
- Domain name (eg: localdomain)
- Networks and/or IP addresses that may start ssh connections to
  administer the honeypot (eg: 10.10.10.0/24, 10.10.20.5/32)
- Network range or IP address that the honeypot will claim
  (eg: 10.0.0.0/24 or 10.0.0.5/32)

6. Features

- Easy deployment, use and monitoring;
- Interactive configuration;
- Based on the Brazilian Distributed Honeypots Network configuration
  standards;
- Uses a small amount of disk space.

7. Usage

IMPORTANT: It is NOT recommended to run this system on your desktop
machine. Use a dedicated machine.

The installation and configuration consist of several steps, namely:

a) Boot from the CD.

b) Choose between the following options: (I)nstall or (U)pgrade.

   If you choose the (U)pgrade option, which means that you have already
   installed an older version of HOACD and want to upgrade to the new one,
   follow the instructions in the UPGRADE file. It is part of this CD.

   If you choose the (I)nstall option, follow the instructions below.

c) Read all the text that is presented to you and continue only if you
   have the required information.

d) Choose the hard disk that will be your main disk. Type "wd0" for an IDE
   hard disk, or "sd0" for a SCSI hard disk.

e) If this is the first time you install HOACD, or if you want to install
   it from scratch, type "y" (yes) to the question "Would you like to erase
   all hard disk information?" and then:
   - reboot the system after erasing the disk;
   - choose the (I)nstall option;
   - choose the hard disk that will be your main disk;
   - type "n" (no) to the question "Would you like to erase all hard disk
     information?".

f) Partition the disk. Follow the instructions in the text that is
   presented to you. For more information about disk partitioning and
   disklabel, see: http://www.openbsd.org/faq/faq4.html#Disks

g) Answer the questions presented in this step, observing the suggestions
   provided.

h) Check the installation parameters and exit; after checking some
   configuration data, the system will reboot automatically.

   IMPORTANT: *Do not* remove the CD-ROM from the drive.

i) Choose the (N)ormal initialization option, or wait for the timeout.

j) Welcome to HOACD!

k) The system will ask you to create a user for managing the honeypot
   remotely.

   IMPORTANT: It is strongly *recommended* to answer "Y" to this question.

l) After the user is created, the system will continue the boot process.

m) Log in as root.

n) Execute the following command to learn more about the system:

   # man afterboot
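The network information collected in section 5 ends up, on the honeyd side, as a template bound to the honeyd address. The configuration below is an added illustration of that result, not the honeyd.conf that the CD writes to /var/honeyd/conf/ (compare it with that file rather than copying over it). The personality string is an assumption: honeyd 0.8 only accepts names that appear, character for character, in the nmap.prints file it is started with. The set of open ports is an assumption as well.

```conf
# honeyd.conf (illustrative): one emulated Windows XP host on 10.0.0.5.
# Added example, not HOACD's shipped configuration.

create windows
# Assumption: this name exists in the nmap.prints file given to honeyd -p.
set windows personality "Microsoft Windows XP Professional RC1+ through final release"

# Closed TCP/UDP ports answer with RST / port unreachable, like a host with
# no firewall; "block" instead would drop silently and look like a filter.
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open

# Ports a stock Windows XP box exposes (assumption); "open" completes the
# handshake and accepts data, so scans and worms get a live target.
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
add windows udp port 137 open

# The honeyd address from section 5. Never bind the real system's address.
bind 10.0.0.5 windows
```

HOACD starts the daemons through its own /var/honeyd/honeydctl script; by hand, with the file paths and the interface name fxp0 being assumptions, the equivalent is `arpd -i fxp0 10.0.0.5/32` followed by `honeyd -d -i fxp0 -f /var/honeyd/conf/honeyd.conf -p nmap.prints -x xprobe2.conf -l /var/honeyd/log/honeyd.log 10.0.0.5/32`. Give arpd only the range the honeypot is supposed to claim, never a range that contains the real system's address. A useful check from another host on the LAN is `nmap -O 10.0.0.5`: it should report the personality above and the four open ports; if it reports OpenBSD, or if the port list differs, the address is being answered by the real kernel or the template is not bound.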
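The administration addresses from section 5 are what the pf rules in /etc/pf.conf have to enforce. The ruleset below is an added example in the pf syntax of OpenBSD 3.6 (the release on this CD), not the pf.conf that HOACD installs; use it to read that file critically, not to replace it. The addresses are the examples from section 5; the interface name fxp0 and the outgoing-mail rule are assumptions.

```conf
# /etc/pf.conf (illustrative, OpenBSD 3.6 syntax). Added example, not the
# file shipped on the HOACD CD.
ext_if  = "fxp0"        # assumption: the name of the single NIC
real_ip = "10.0.0.1"    # administration address (section 5 example)
hp_ip   = "10.0.0.5"    # address honeyd answers for (section 5 example)
dns     = "10.1.1.2"
ntp     = "10.3.3.1"
# Networks that may open ssh to the real address (section 5 example).
table <admins> const { 10.10.10.0/24, 10.10.20.5/32 }

scrub in all

# Loopback is unrestricted. Everything else is denied and logged to pflog0,
# so an unexpected packet to the real address shows up in tcpdump -n -e -ttt -i pflog0.
pass quick on lo0 all
block in log all
block out log all

# Administration: ssh to the real address, only from the admin networks,
# only on a SYN, with state kept for the replies.
pass in quick on $ext_if proto tcp from <admins> to $real_ip port 22 flags S/SA keep state

# What the real system itself may originate: DNS and NTP to the servers
# from section 5, and (assumption) outgoing mail for the root alias.
pass out quick on $ext_if proto udp from $real_ip to $dns port 53 keep state
pass out quick on $ext_if proto udp from $real_ip to $ntp port 123 keep state
pass out quick on $ext_if proto tcp from $real_ip to any port 25 flags S/SA keep state

# The honeyd address: let everything in (honeyd decides what to answer)
# and let honeyd's forged replies out. No state: honeyd keeps its own.
pass in  quick on $ext_if from any to $hp_ip
pass out quick on $ext_if from $hp_ip to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded) before `pfctl -f /etc/pf.conf`, and do it from a console or an ssh session you can afford to lose. Two details matter for a honeyd host: honeyd receives packets through bpf, before pf filters them, so the "pass in" rule for the honeyd address mostly keeps honeypot traffic out of pflog, while the "pass out" rule is what actually lets honeyd's answers leave the box; and the real address is reachable only on port 22 from the admin networks, so nothing the honeypot attracts can turn into a session on the administration side.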
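Monitoring means reading the packet log honeyd writes under /var/honeyd/log/. The script below is an added example, not part of the CD, that summarises such a log with nothing but sh and awk (both in the OpenBSD base system). It assumes honeyd's packet-log layout, `<timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport> [<fingerprint>]`, where S opens a TCP connection, E closes it and - is a single UDP or ICMP packet; the sample lines are constructed in that layout, not a real capture, and the log file name is whatever your installation configured.

```shell
#!/bin/sh
# Summarise a honeyd packet log. Added example, not HOACD's own tooling.
# Assumed record layout (honeyd 0.8 packet log):
#   <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport> [<fingerprint>]
# S = TCP connection opened, E = closed (followed by ": sent received"),
# - = single packet (UDP/ICMP). Fields are counted from 1 as awk does.

# Constructed sample in that layout (not a real capture).
SAMPLE_LOG=$(cat <<'EOF'
2004-12-02-12:05:45.0871 tcp(6) S 192.168.1.10 3021 10.0.0.5 445 [Windows XP SP1]
2004-12-02-12:05:45.0912 tcp(6) S 192.168.1.10 3022 10.0.0.5 139 [Windows XP SP1]
2004-12-02-12:05:47.2210 tcp(6) E 192.168.1.10 3021 10.0.0.5 445: 112 0
2004-12-02-12:05:52.4410 tcp(6) S 192.168.1.10 3040 10.0.0.5 445
2004-12-02-12:06:01.1187 udp(17) - 192.168.1.33 1027 10.0.0.5 137: 50
2004-12-02-12:06:09.5520 tcp(6) S 10.20.30.40 4444 10.0.0.5 135 [Linux 2.4]
2004-12-02-12:06:12.0001 icmp(1) - 10.20.30.40 10.0.0.5: 8(0): 64
EOF
)

# TCP connection attempts per (source, destination port), busiest first.
# Only "S" records count, so a connection that also logs an "E" record is
# not counted twice. Ties are ordered by source, then port, so the output
# is deterministic; LC_ALL=C keeps sort's collation locale-independent.
attempts_by_source_port() {
    awk '$2 == "tcp(6)" && $3 == "S" { n[$4 " " $7]++ }
         END { for (k in n) print n[k], k }' |
    LC_ALL=C sort -k1,1nr -k2,2 -k3,3n
}

# The source address with the most TCP connection attempts.
noisiest_source() {
    awk '$2 == "tcp(6)" && $3 == "S" { n[$4]++ }
         END { for (k in n) print n[k], k }' |
    LC_ALL=C sort -k1,1nr -k2,2 | head -n 1 | awk '{ print $2 }'
}

# Passive OS fingerprint honeyd attached to a source, one line per pair.
# The fingerprint is the trailing "[...]"; records without one are skipped.
fingerprinted_sources() {
    awk 'match($0, /\[[^]]*\]$/) { print $4, substr($0, RSTART, RLENGTH) }' |
    LC_ALL=C sort -u
}

# Single-packet probes (UDP, ICMP) per source: no handshake, so no S/E records.
probes_by_source() {
    awk '$3 == "-" { n[$4]++ } END { for (k in n) print n[k], k }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Demo on the constructed sample. In real use feed the log on stdin, e.g.
#   attempts_by_source_port < /var/honeyd/log/<your packet log>
printf '%s\n' "$SAMPLE_LOG" | attempts_by_source_port
```

Run daily against the live log this answers the questions a low-interaction honeypot can answer: which sources keep coming back, which ports they want (445 and 139 in the sample, the usual worm targets), and what honeyd's passive fingerprinting says they run. A source that shows up in `probes_by_source` but never in `attempts_by_source_port` is scanning without connecting, which is worth a look in its own right.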
8. Recommendations and other information

- We do not recommend running this system on your desktop machine; you
  might lose all your data.
- The user accounts are created under the /var/users/ directory.
- Firewall rules are specified in the /etc/pf.conf file. For more
  information about pf, see: http://www.openbsd.org/faq/pf/index.html
- If you change the pf rules, you will have to reload them into the
  firewall with the command:

  # pfctl -f /etc/pf.conf

- If your machine is not capable of booting from a CD, you will have to
  create a bootable floppy disk. You will find the bootable image file
  floppyHOACD.fs on the CD. Write the image file to the floppy with the
  following command:

  # dd if=/path/to/floppyHOACD.fs of=/dev/rfd0c bs=32k

  Boot from the floppy and keep the CD-ROM in the drive.
- Information about honeyd and arpd is available through the commands
  "man honeyd" and "man arpd".
- The main directory for honeyd is /var/honeyd. There you will find the
  logs (/var/honeyd/log/), the configuration files (/var/honeyd/conf/), the
  management script (/var/honeyd/honeydctl) and other information.

9. Limitations

HOACD is experimental. At this time it has some limitations, such as:

a) Supports only the i386 architecture;
b) Might not recognize all devices;
c) Does not allow the creation of several disk partitions;
d) Does not easily allow the installation of additional software.

10. Obtaining this CD

The CD image is available at: http://www.honeynet.org.br/tools/

11. Reports and questions

For bug reports, suggestions and information, please contact:
Lucio Henrique Franco (hoacd@honeynet.org.br)

12. Acknowledgments

Special thanks to:

- The OpenBSD Project;
- Niels Provos, for developing honeyd;
- Klaus Steding-Jessen, for developing the system configuration procedures;
- Antonio Montes, for discussions;
- Honeynet.BR Team, for tests and suggestions.

This work was financed by Hewlett-Packard Brazil (http://www.hp.com.br).

### README ends here.