=================================
My-Honeynet HornyD LiveCD Project
=================================

Objectives
----------

The objectives of the My-Honeynet LiveCD are as follows:

1. To aid rapid and easy deployment of low-interaction honeypot(s) for
   my-honeynet members.
2. To provide the necessary ready-to-use tools and software packages for the
   deployment of low-interaction honeypot(s).
3. To ease the burden of participating members in managing their honeypots.
   Since all the tools are already included in the LiveCD, members need only
   install, configure and run them. Additional tasks such as sending logs to
   the central server, log parsing, packet capturing, etc. will be done
   automatically by the LiveCD. However, the level of control over these
   processes can also be configured by the user.
4. To create a honeypot-capable router for Streamyx users. This is primarily
   aimed at technical users who use Streamyx. Instead of relying on them to
   have additional machines to run honeypots, they can use the LiveCD as both
   a low-interaction honeypot and a Streamyx broadband router.

Features
--------

Easy configuration
~~~~~~~~~~~~~~~~~~

The LiveCD will come with scripts that configure the honeypot. When the
LiveCD boots up, the user will be able to select one of the following::

    [1] Install to hard disk and configure later
    [2] Configure as broadband router only
    [3] Configure as broadband router and nepenthes sensor
    [4] Configure as broadband router and honeyd sensor
    [5] Configure as nepenthes sensor
    [6] Configure as honeyd sensor
    [7] Run from LiveCD and configure later

Option 1 will install to the hard disk. The installation process will be a
standard FreeBSD installer script. Options 2 - 6 will configure the LiveCD
based on the selection. This will not install the LiveCD onto the hard disk;
instead it will run from the CDROM. This is good for users who want to try
out the features of HornyD without installing to the hard disk.

Option 7 will just run HornyD normally, without any configuration. The only
thing the setup script will ask for is the hornyd user password, which can be
used to log in to HornyD.

**NOTE**: This menu can be displayed either after the boot-up process or as
part of the boot-up process. The former means that HornyD boots up properly
up to the login prompt.

Easy activation and deactivation of HornyD sensors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When the user selects any of options 3 to 6, the selected sensor will be
running. However, the sensor will not send data to the central My-Honeynet
server; the data will only be available to the users themselves. When the
sensor is 'activated', a configuration script will enable the sensor to
connect and send logs to the central server. This script will have default
values (for example, logs are sent once a day), but the settings can be
changed. Users can also choose to anonymize the data, or send it as it is.
Once the hornyd sensor is in active mode, it will begin sending data. The user
will be notified of any errors. The central server has no control over the
sensor; it only receives data.

At any time, when users choose not to participate in the my-honeynet project,
they can 'deactivate' the sensor. This will stop the sending of logs. They can
also choose to stop nepenthes or honeyd.

**NOTE:** Stopping honeyd or nepenthes WITHOUT deactivating does not mean
that the hornyd sensor is no longer part of the my-honeynet alliance - it
simply means that the sensor is not running.

Web-based reporting
~~~~~~~~~~~~~~~~~~~

HornyD will include a web-based reporting console. This report is generated
daily and the users can view the activities of their sensors, including any
errors in sending logs (if they are part of the my-honeynet alliance). This
report will be very basic, as I do not want to spend too much effort on
creating a feature-rich web application for users.
Instead, we will rely on community contribution for this. Technically, this
report will just report on log file statistics and activities, such as
whether the files were successfully sent to the log server, their size, etc.
(see below). Over time, and depending on community contribution and on the
development of the central server, other information can be displayed, such
as honeypot activities (top attacks, etc.).

Automatic archival and management of logs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

One of the features of HornyD is automatic archival and log management. There
will be a web-based console where users can view the status of each log as
it is transferred to the central log server. The status will be one of::

    Success
    Fail
    Resend

Success means that the log file has been successfully sent to the log server.
Fail may indicate a failure such as loss of network connectivity, in which
case the user can click 'Resend' to resend that particular log.

Components
----------

Sensors
~~~~~~~

1. honeyd
2. nepenthes
3. pf

Activation/Deactivation
~~~~~~~~~~~~~~~~~~~~~~~

This component will be used to activate or deactivate the sensor. Roughly,
the activation process will be as follows:

1. Generate a unique identifier for the sensor.
2. Create a basic configuration template which will include the following
   information:

   1. Log transfer interval
   2. Log server to connect to
   3. Generation of keys to encrypt the log files

3. After creating the necessary configuration, the sensor will attempt to
   establish a connection to the log server to activate itself.

Deactivation is simple: the sensor will stop sending logs to the central
server. If the user chooses to reactivate, the previous profile will be used.

Configuration
~~~~~~~~~~~~~

This component will be used to configure the HornyD sensor.

BSD Installer
~~~~~~~~~~~~~

This component will be used to install HornyD to the hard disk.
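The activation and deactivation steps described above, written out as POSIX sh
functions. This is an added example, not HornyD's own activation script; the
directory layout, the ``sensor.conf`` key/value format, the RSA key scheme and
the placeholder log server name are all assumptions.

```sh
#!/bin/sh
# Added example (not HornyD's own code): the activation and deactivation steps
# from the Activation/Deactivation section, as POSIX sh functions. Directory
# layout, file format and the placeholder log server are assumptions.
HORNYD_DIR="${HORNYD_DIR:-/usr/local/etc/hornyd}"   # assumed location
conf() { printf '%s/sensor.conf' "$HORNYD_DIR"; }

# Step 1: a unique sensor identifier (16 random bytes, hex encoded).
gen_sensor_id() { od -An -N16 -tx1 /dev/urandom | tr -d ' \n'; }

# Rewrite only the state= line; the rest of the profile is kept.
set_state() {
    grep -v '^state=' "$(conf)" > "$(conf).tmp"
    printf 'state=%s\n' "$1" >> "$(conf).tmp"
    mv "$(conf).tmp" "$(conf)"
}

# Step 2: create the configuration template on first activation only, so a
# later reactivation reuses the previous profile (identifier, server, keys).
hornyd_activate() {                # $1 = log server, $2 = transfer interval
    mkdir -p "$HORNYD_DIR"
    if [ ! -f "$(conf)" ]; then
        if command -v openssl >/dev/null 2>&1; then
            # Key for encrypting log files before transfer (2048-bit RSA, assumed scheme).
            openssl genrsa -out "$HORNYD_DIR/sensor.key" 2048 2>/dev/null
            chmod 600 "$HORNYD_DIR/sensor.key"
            key="$HORNYD_DIR/sensor.key"
        else
            key=PENDING                # no openssl on this host; generate later
        fi
        printf 'sensor_id=%s\nlog_server=%s\ninterval=%s\nkey_file=%s\nanonymize=yes\n' \
            "$(gen_sensor_id)" "${1:-logs.example.invalid}" "${2:-daily}" "$key" > "$(conf)"
        chmod 600 "$(conf)"
    fi
    # Step 3: mark the sensor active; a real deployment would now contact
    # log_server to register the sensor_id.
    set_state active
}

# Deactivation only stops log submission; the profile stays on disk.
hornyd_deactivate() { set_state inactive; }

hornyd_state() { sed -n 's/^state=//p' "$(conf)"; }
hornyd_id()    { sed -n 's/^sensor_id=//p' "$(conf)"; }
```

Calling ``hornyd_activate`` a second time after ``hornyd_deactivate`` leaves the
identifier and key untouched, which is the "previous profile will be used"
behaviour described above.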

Reporting and Archiving
~~~~~~~~~~~~~~~~~~~~~~~

This component will handle reporting and log archiving.

Log submission
~~~~~~~~~~~~~~

This component will handle the sending of log files. At the moment, I am not
sure what the best method to send the log files is. It can be either HTTPS or
SMTP over SSL.

System monitoring
~~~~~~~~~~~~~~~~~

This is a basic system monitoring tool for the sensor.

PPPoE setup/network setup
~~~~~~~~~~~~~~~~~~~~~~~~~

This component is used for setting up the sensor as a broadband router.

Firewall
~~~~~~~~

Firewall, of course.

Specifications
--------------

This section lists the specifications of the LiveCD.

Operating System
~~~~~~~~~~~~~~~~

1. FreeBSD (either 6.2 or 7.0) based on HeX [1]

Software Tools/Applications
~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. Honeyd
2. Nepenthes
3. pf

Scripts
~~~~~~~

1. Installation scripts
2. Configuration scripts
3. Reporting scripts
4. Log submission scripts
5. Activation/deactivation script
6. Monitoring scripts

Timeline
--------

* November 2007 - Ideas
* December 2008 - Network and Software Architecture
* January/February 2008 - Beta Release of HornyD
* February 2008 - Configuration tool (sensor)
* March 2008 - Reporting tool (sensor)
* April 2008 - Log submission tool (sensor)
* May 2008 - 1.0 RC 1 of HornyD
* May 2008 - Beta version (private) of log server
* June 2008 - Beta version (private) of web application

Links/Resources
---------------

To be added

Project Members
---------------

1. spoonfork
2. geek00l
3. chfl4gs
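The log archival, submission and Success/Fail/Resend ledger described in the
"Automatic archival and management of logs" and "Log submission" sections
above, as an added example in POSIX sh (not HornyD's own scripts). The archive
path, the ledger line format and the upload command are assumptions: the
default sender is an HTTPS upload with ``curl``, and ``HORNYD_SENDER`` can be
pointed at any other command (an SMTP-over-SSL wrapper, or a stub for testing).

```sh
#!/bin/sh
# Added example (not HornyD's own code): log archival plus the Success/Fail/
# Resend ledger the web console would display. Archive path, ledger format and
# upload command are assumptions; HORNYD_SENDER is run as: $HORNYD_SENDER <file> <url>
HORNYD_ARCHIVE="${HORNYD_ARCHIVE:-/var/db/hornyd/archive}"            # assumed
HORNYD_SERVER="${HORNYD_SERVER:-https://logs.example.invalid/upload}"  # placeholder
HORNYD_SENDER="${HORNYD_SENDER:-curl -fsS -T}"                         # HTTPS PUT

ledger() { printf '%s/ledger.txt' "$HORNYD_ARCHIVE"; }

# One transfer attempt; records Success or Fail for the archive and keeps a
# single ledger line per file. Returns 0 on Success.
attempt_send() {                                  # $1 = archived file
    if $HORNYD_SENDER "$1" "$HORNYD_SERVER" >/dev/null 2>&1; then
        status=Success
    else
        status=Fail                               # e.g. network unreachable
    fi
    name=$(basename "$1")
    { [ -f "$(ledger)" ] && grep -vF " $name " "$(ledger)" || true; } > "$(ledger).tmp"
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" "$status" >> "$(ledger).tmp"
    mv "$(ledger).tmp" "$(ledger)"
    [ "$status" = Success ]
}

# Archive a finished log (compressed copy, original left in place) and send it.
hornyd_submit() {                                 # $1 = log file
    mkdir -p "$HORNYD_ARCHIVE"
    arch="$HORNYD_ARCHIVE/$(basename "$1").gz"
    gzip -c "$1" > "$arch"
    attempt_send "$arch" || true                  # Fail is recorded, not fatal
}

# The console's Resend action: retry every archive whose status is Fail.
hornyd_resend() {
    for name in $(awk '$3 == "Fail" { print $2 }' "$(ledger)"); do
        attempt_send "$HORNYD_ARCHIVE/$name" || true
    done
}

# Status of one archive by name, as the console would show it.
hornyd_status() { awk -v n="$1" '$2 == n { print $3 }' "$(ledger)"; }
```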