About UML Honeypots

Warning: Do not use these images unless you know what you are doing.
They are designed to be compromised; you therefore need to ensure that you can monitor and stop abuse.

How this image was built

This image was built from Slackware 4.0/7.0.
Since it is based on Slackware, please refer to the Slackware image for more information.
The full installation log is very straightforward.
The network is not configured.

The Images

Slackware 4.0

This reiserfs image uses 512MB of disk space (last updated on the 14-11-2005)
Download: root_fs (~14MB), checksums: MD5 - SHA

Slackware 7.0

This reiserfs image uses 512MB of disk space (last updated on the 14-11-2005)
This image is being rebuilt, please come back later.

Improving It

There are obvious signs that an attacker can use to figure out that this is a UML instance (as opposed to a real host system). Most script kiddies wouldn't know, but they aren't exactly the most interesting attackers to observe...
Refer to the UML site for advice on using hppfs to simulate /proc and other ways of hiding the real nature of this system.
Try to make it a little bit more difficult, and try to use a network of instances to simulate a honeynet...
To maximise the chances of attacks, use iptables redirection - possibly in combination with a scanner detection tool - to redirect potential attackers to the honeypot.
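
One way to set up the redirection together with the containment the warning above asks for, as an added example (not part of the original page or of the UML project). The script only prints iptables commands for a gateway in front of the honeypot; the interface name, addresses and port list are assumptions supplied by the operator.

```shell
#!/bin/sh
# Added example: prints iptables commands for a gateway in front of a UML
# honeypot; it applies nothing itself. Interface, addresses and ports
# are placeholders chosen by the operator (assumptions, not from the page).

# Accept only dotted-quad shaped strings, so no shell syntax can reach the
# generated commands.
is_ipv4() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# honeypot_rules EXT_IF HONEYPOT_IP "PORT ..."
honeypot_rules() {
    ext_if=$1 hp_ip=$2 ports=$3
    case $ext_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    is_ipv4 "$hp_ip" || { echo "bad honeypot address" >&2; return 1; }
    for p in $ports; do
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
    done
    for p in $ports; do
        # Inbound: connections to this port on the gateway land on the honeypot.
        echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $p -j DNAT --to-destination $hp_ip:$p"
        echo "iptables -A FORWARD -i $ext_if -d $hp_ip -p tcp --dport $p -j ACCEPT"
    done
    # Let the honeypot answer connections that were opened towards it.
    echo "iptables -A FORWARD -s $hp_ip -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Containment: anything the honeypot initiates itself is logged, then dropped.
    echo "iptables -A FORWARD -s $hp_ip -j LOG --log-prefix 'HONEYPOT-OUT: '"
    echo "iptables -A FORWARD -s $hp_ip -j DROP"
}

# redirect_source SRC_IP HONEYPOT_IP: the per-source rules a scanner detection
# tool could emit to send all further TCP from a flagged address to the honeypot.
redirect_source() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "bad address" >&2; return 1; }
    echo "iptables -t nat -I PREROUTING -s $1 -p tcp -j DNAT --to-destination $2"
    echo "iptables -I FORWARD -s $1 -d $2 -p tcp -j ACCEPT"
}

# Print the rules when called with arguments, e.g.
#   sh honeypot-gw.sh eth0 192.168.0.2 "21 23 80"
if [ "$#" -ge 3 ]; then honeypot_rules "$@"; fi
```

Review the printed rules, then pipe them to a root shell on the gateway; the LOG lines show up in the kernel log with the `HONEYPOT-OUT: ` prefix.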

Vulnerable Packages Installed

The exact vulnerabilities are not listed here; suffice it to say that all the software that is listening on network ports will have at least one remotely exploitable vulnerability (if possible, one giving a full system compromise).

There are easily guessable user accounts which will be found by most automatic scanners; the passwords have been left empty... or easily guessable.
There are also numerous ways of getting higher (root) privileges once logged/broken in.