I’ve just completed a new Nepenthes installation, and found the process far simpler than my first attempt as I didn’t compile from source.
Running on a Debian 5.0/Lenny server the install was both quick and easy: ‘apt-get install nepenthes’ handles the install and its dependencies nicely. The only issue I encountered was the ownership of the files and directories within /var/log/nepenthes/. These were owned root:root, and since the nepenthes process should (and, under the default init.d script, does) drop privileges after initialisation, it was unable to write to some of its logfiles, reducing the amount and quality of collected information. Thankfully this is easily fixed with a simple ‘chown -R nepenthes:nepenthes /var/log/nepenthes/*’. Note that the glob only covers the entries inside the directory; if the process also needs to create new files there, run the chown against /var/log/nepenthes itself so the directory gets the same owner.
I’ve frequently seen complaints/queries on the Nepenthes development mailing list about issues with Nepenthes’ hexdump functionality. While it isn’t enabled by default, with this install method it works perfectly after uncommenting the “loghexdump.so” line in /etc/nepenthes/nepenthes.conf, depositing collected dumps in /var/lib/nepenthes/hexdumps/.
Initial testing shows the system working nicely (not bad for 30 minutes’ work), and it is beginning to collect new binaries and attack statistics. The next step is some integration with Honeyd to provide the start of a combined honeynet environment; more to come later.
— Andrew Waite
Hi,
I am also running Debian Lenny, but for me the permissions were set automatically to the nepenthes user and group by apt-get. Unfortunately I have only got four binaries (SDBot) in three days; maybe my class A network is less polluted 🙂
I really like your blog as I am also interested in honeypots after reading Virtual Honeypots one year ago. Currently I am using SNORT in inline mode to scan the honeypot traffic and to know more about rules. If something interesting happens I will let you know!
Hi Miguel,
Thanks for the comment. I did think that the permissions issue was a strange one to be missed, and from a quick search online I couldn’t find any other reference to it. I guess it must have been an oddity with my system, although I honestly have no idea what makes my setup unique.
I’m surprised with the low number of binaries you’re seeing, when I terminated my previous Nepenthes installation I was averaging 7 a day running on a single IP address, if you’re running on a /8 I’d expect a MUCH higher hit count.
Running Snort in conjunction with my honeynet is still on my (ever increasing) to-do list. If you hit anything interesting I’d definitely be interested in your findings; it might provide some motivation to bump Snort to the top of my list.
— Andrew
Hi Andrew,
I have only compiled Nepenthes once and it wasn’t a great experience, especially for someone who was new to Debian at the time. These days I use good old apt-get and it sorts me out. I have also just set up a new Nepenthes system, and have had 19 binaries in 2 and a bit days. I set this system up mainly to test the routing in ESXi and Vyatta.
Very keen to hear how you go with integrating Honeyd, keep us posted 🙂
– Cooper