Saturday, September 1, 2007

Creating a Honeypot using Nepenthes

Get a copy of Debian and install it.

Download Nepenthes http://nepenthes.carnivore.it/download

Once the base install of Debian has finished, it would be a good idea to set a static IP address on the main network adaptor (eth0 in my case); to do this open up /etc/network/interfaces with nano:

# nano /etc/network/interfaces

Change the line:

iface eth0 inet dhcp

To:

iface eth0 inet static

Add the static IP information underneath that line:

address 192.168.0.240
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

Obviously you may want to adjust these to suit your own network; it’s worth double checking /etc/resolv.conf to see that the correct DNS server is in place. Make the changes live with:

# /etc/init.d/networking restart
# ifup eth0
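The five values in the static stanza above have to agree with each other (network and broadcast follow from address and netmask, and the gateway has to sit inside that subnet), and a typo in any of them leaves the box unreachable after `ifup`. The following script is an added example, not code from the original post: it parses an `iface ... inet static` stanza, reports inconsistencies, and renders a stanza in which network and broadcast are derived rather than typed. The sample stanza is constructed from the post's values with one deliberate error.

```python
"""Consistency check for a static /etc/network/interfaces stanza.

Added example, not part of the original post. Standard library only; the
SAMPLE_STANZA below is constructed (the post's values plus one wrong
broadcast address), not copied from a real machine.
"""
import ipaddress

KEYS = ("address", "netmask", "network", "broadcast", "gateway")

# Constructed sample: broadcast deliberately belongs to the wrong subnet.
SAMPLE_STANZA = """\
iface eth0 inet static
    address 192.168.0.240
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.1.255
    gateway 192.168.0.1
"""


def parse_stanza(text):
    """Return a dict of keyword -> value for the address lines of one stanza."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in KEYS:
            values[parts[0]] = parts[1]
    return values


def check_static(values):
    """Return a list of problems; an empty list means the stanza is consistent."""
    try:
        iface = ipaddress.IPv4Interface(f"{values['address']}/{values['netmask']}")
    except (KeyError, ValueError) as exc:
        return [f"address/netmask unusable: {exc}"]
    net = iface.network
    problems = []
    if "network" in values and ipaddress.IPv4Address(values["network"]) != net.network_address:
        problems.append(f"network should be {net.network_address}, got {values['network']}")
    if "broadcast" in values and ipaddress.IPv4Address(values["broadcast"]) != net.broadcast_address:
        problems.append(f"broadcast should be {net.broadcast_address}, got {values['broadcast']}")
    if "gateway" in values:
        gw = ipaddress.IPv4Address(values["gateway"])
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append("gateway is the host's own address")
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("address is the network or broadcast address")
    return problems


def render_stanza(iface_name, address, netmask, gateway):
    """Derive network and broadcast from address/netmask so they cannot disagree."""
    iface = ipaddress.IPv4Interface(f"{address}/{netmask}")
    net = iface.network
    return (f"iface {iface_name} inet static\n"
            f"    address {iface.ip}\n"
            f"    netmask {net.netmask}\n"
            f"    network {net.network_address}\n"
            f"    broadcast {net.broadcast_address}\n"
            f"    gateway {gateway}\n")


if __name__ == "__main__":
    for problem in check_static(parse_stanza(SAMPLE_STANZA)):
        print("problem:", problem)
    print(render_stanza("eth0", "192.168.0.240", "255.255.255.0", "192.168.0.1"))
```

Run it before `ifup`, or paste the output of `render_stanza` into the interfaces file instead of typing the network and broadcast lines by hand.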

Now make sure the system is up to date:

# apt-get update
# apt-get upgrade

Remove the exim4 MTA, as it would otherwise hold port 25 and stop the honeypot from listening there:

# apt-get remove exim4

And install Nepenthes with its associated dependencies:

# apt-get install nepenthes

Once Nepenthes is installed there is actually very little configuration to be done to get things up and running. First of all, open up /etc/nepenthes/nepenthes.conf and see that the following lines are not commented out:

    "submitfile.so"    "submit-file.conf"
    "submitnorman.so"    "submit-norman.conf"
    "logdownload.so"    "log-download.conf"

Also change replace_local_ips to 0.

Now check the configuration files named above; they are all found in the /etc/nepenthes directory.

Inside submit-file.conf, you will find the path to a directory in your filesystem. This is where downloaded malware will be stored.

Norman sandbox is an automated malware analyser. Enter a valid e-mail address in submit-norman.conf; malware captured by your honeypot will be submitted to the Norman analyser and reports on the analysis will be sent to this address.

The file log-download.conf specifies the location of log files that will list downloaded malware and malware submissions.

Now restart Nepenthes with the updated configuration (the installation may have started it with the default config):

# /etc/init.d/nepenthes restart
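It is easy to restart the daemon and only notice hours later that a module line was still commented out, or that replace_local_ips was left at its default. The script below is an added example, not code from the post or from the Nepenthes project: it reads a nepenthes.conf-style file, reports which of the three modules named above are inactive and whether replace_local_ips is 0, and can rewrite the file to the settings the post asks for. It assumes the file uses `//` line comments and that the module and replace_local_ips lines look like those quoted above; the section name `shellcode` in the constructed sample is an assumption, not taken from a real installation.

```python
"""Check and fix the nepenthes.conf settings the post asks for.

Added example, not the post's or the Nepenthes project's code. Assumes
'//' line comments and lines shaped like the ones quoted in the post; the
SAMPLE_CONF is constructed (section layout assumed), not a real file.
"""
import re

REQUIRED_MODULES = ("submitfile.so", "submitnorman.so", "logdownload.so")

# Constructed sample: submitnorman.so is still commented out and
# replace_local_ips is still 1, so both should be reported.
SAMPLE_CONF = """\
nepenthes
{
    moduleconfigdir "/etc/nepenthes";
    modules
    (
        "submitfile.so"    "submit-file.conf"
//      "submitnorman.so"  "submit-norman.conf"
        "logdownload.so"   "log-download.conf"
    );
    shellcode
    {
        replace_local_ips "1";
    };
};
"""

MODULE_RE = re.compile(r'^\s*"([^"]+\.so)"\s+"([^"]+)"')
RLI_RE = re.compile(r'^\s*replace_local_ips\s+"?(\d+)"?\s*;')


def strip_comment(line):
    """Drop a trailing // comment; a line that starts with // becomes empty."""
    return line.split("//", 1)[0]


def parse_conf(text):
    """Return (dict of active module -> config file, replace_local_ips or None)."""
    modules, replace_local_ips = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw)
        m = MODULE_RE.match(line)
        if m:
            modules[m.group(1)] = m.group(2)
            continue
        m = RLI_RE.match(line)
        if m:
            replace_local_ips = int(m.group(1))
    return modules, replace_local_ips


def check_conf(text):
    """Return a list of problems; empty means the post's settings are in place."""
    modules, rli = parse_conf(text)
    problems = [f"module {mod} is commented out or missing"
                for mod in REQUIRED_MODULES if mod not in modules]
    if rli is None:
        problems.append("replace_local_ips not set")
    elif rli != 0:
        problems.append(f"replace_local_ips is {rli}, expected 0")
    return problems


def fix_conf(text):
    """Uncomment required module lines and force replace_local_ips to 0."""
    out = []
    for raw in text.splitlines():
        line = raw
        stripped = raw.lstrip()
        if stripped.startswith("//"):
            m = MODULE_RE.match(stripped[2:])
            if m and m.group(1) in REQUIRED_MODULES:
                # Replace the comment marker with spaces to keep alignment.
                line = raw.replace("//", "  ", 1)
        elif RLI_RE.match(strip_comment(raw)):
            line = re.sub(r'"?\d+"?(\s*;)', r'"0"\1', raw, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for problem in check_conf(SAMPLE_CONF):
        print("problem:", problem)
    print(fix_conf(SAMPLE_CONF))
```

Point `check_conf` at the real file contents before running the restart above; `fix_conf` returns the corrected text rather than writing it, so the change can be reviewed first.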

The last step very much depends on the router/firewall in use. In my case, I’m using a Netgear ADSL router; this allows me to set a DMZ destination. The router then passes all incoming traffic to this address if there is no other rule defined for that particular port. If your router does not have a DMZ feature, you can manually redirect incoming connections on interesting ports to the Nepenthes collector.

I found it quite alarming how quickly Nepenthes has started to collect information about attempted break-ins and automated malware downloads! It’s very interesting to see the large number of entries for ‘Unknown DCOM Shellcode’.