webhoneypot is a DShield Web Application Honeypot offering this honeypot for users to capture automated web application exploits. It is a very simple “semi interactive” honeypot implemented in PHP.
webhoneypot project is used to develop the honeypot. Do not use this code to install a honeypot unless you are interested in helping development.
Prerequisitesfor installing webhoneypot.
- dshield.org account
- Publicly routable IP address that can receive requests on TCP port 80. Dynamic IP addresses are ok, but you should sign up with a dynamic dns provider like dyndns so that you can provide a constant hostname.
- Linux or Windows machine with a webserver, PHP5 support and the curl extension installed.
webhoneypot installation section should also be applicable to nearly any LAMP (Linux, Apache, MySQL, PHP) application platform, but the exact paths are taken from Fedora Core, and will need to be altered to match your environment.
Installation is very easy
- Extract the archive file honeypot.tgz ( webhoneypot ) to a temporary directory or into the directory for a virtual host that you plan to create.
- Edit etcconfig.local and edit the userid (userid=…) and password (password=…) to match your account information for your Dshield login; If you provide the password, the script automatically converts it into a hashed password replacing the password entry. Also, complete the full path to the location where you will be keeping your log files (logdir=…) if different from the default location logs/.
- Edit your apache configuration file /etc/httpd/httpd.conf ??
- Now copy the four folders and contents into the appropriate folders
- Set the appropriate permissions. The userid that your webserver runs under — usually apache — will need read permissions to the template folder. Use the chown command to make apache the owner of the templates folder, then use the chmod command to give the apache user read access to the files. (chmod + r) The apache user will also need write access to the logs folder. Once again change the owner to apache with the chown command and give apache write access with chmod + w.
- Test the site. Open a webbrowser and navigate to your webhoneypot site. You should be get back the default template which states that you are using the demo server and welcome to phpmyadmin. Try http://[webhoneypot ip or dns name]/robots.txt and you should get back template 104 which is a robots.txt file. If you get an error instead the most common problems are an incorrect path in one of your configuration files, a permissions problem writing to the logfile, or you did not install the curl extension that is required to post the results back to Dshield. You should be able to determine which one it is by the webpage returned from the server or your logfile if you have one.
- Check your logfile. If everything is operating properly, you should see the details of which templates are being matched, and the client request successfully posted to http://isc1.sans.org/weblogs/post.html.
- Once you have completed your testing list any operational honeypots under your DShield profile page.
- Log in to your account, go to the “my info” page and use the link provided to activate webhoneypot .
webhoneypot v0.1.r123 – webhoneypot.0.1.r123.tgz