检测Honeyd软件
1、环境拓扑图
2、配置Honeyd文件
[root@MIGUANG honeyd]# pwd
/usr/local/share/honeyd
[root@MIGUANG honeyd]# vim honeyd.conf
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
##/* The three lines above make the "default" template drop all TCP, UDP and
##   ICMP traffic, so an address that only gets this template looks silent /
##   firewalled (the author's "firewall" simulation). */
create honeypot-template
set honeypot-template ethernet "00:0c:19:0b:cf:3a"
##/* MAC address the honeypot presents on the wire; it is the first thing a
##   scanner sees. It must differ from the real eth0 address (the arpd/honeyd
##   output further down reports 00:0c:29:0b:cf:2a for eth0). */
set honeypot-template personality "Microsoft Windows NT 4.0 SP3"
##/* OS fingerprint (nmap-style personality) emulated by this template:
##   Windows NT 4.0 SP3. honeyd prints "Impossible SI range in Class
##   fingerprint" for this personality at startup (see the run log below);
##   it nevertheless continues to start. */
set honeypot-template uptime 1234567
##/* Uptime value (the author's "timestamp") advertised by the emulated host */
set honeypot-template default tcp action reset
##/* Any TCP port not listed below answers with a reset (RST), so a scanner
##   sees it as closed rather than filtered */
set honeypot-template default udp action reset
##/* Unlisted UDP ports likewise reply as closed (ICMP port unreachable) */
set honeypot-template default icmp action open
##/* ICMP is answered, so the virtual hosts respond to ping */
add honeypot-template tcp port 135 open
add honeypot-template tcp port 139 open
add honeypot-template tcp port 445 open
add honeypot-template tcp port 3389 block
add honeypot-template tcp port 53 proxy 221.5.88.88:53
##/* Emulated services: TCP 135/139/445 accept connections; 3389 is "block",
##   i.e. packets are dropped silently (no reset), so it appears filtered
##   rather than closed. Port 53 is proxied: connections to the honeypot's
##   port 53 are relayed to 221.5.88.88:53 — that is an address outside the
##   10.10.10.x virtual range, not a virtual IP, so traffic hitting this port
##   is forwarded off the honeypot to a real host; confirm this is intended
##   and that the relayed traffic is logged. */
bind 10.10.10.180 honeypot-template
bind 10.10.10.181 honeypot-template
##/* Bind the template to the two virtual IPs; arpd must answer ARP for the
##   same range (see the arpd invocation below). */
3、虚拟出来的 10.10.10.180 和 10.10.10.181
[root@MIGUANG honeyd]# arpd 10.10.10.180-10.10.10.181
arpd[2606]: listening on eth0: arp and (dst 10.10.10.180-10.10.10.181) and not ether src 00:0c:29:0b:cf:2a
4、运行Honeyd程序
[root@MIGUANG bin]# honeyd -d -f /usr/local/share/honeyd/honeyd.conf 10.10.10.180-10.10.10.181
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[2622]: started with -d -f /usr/local/share/honeyd/honeyd.conf 10.10.10.180-10.10.10.181
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[2622]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (host 10.10.10.180-10.10.10.181))) and not ether src 00:0c:29:0b:cf:2a
honeyd[2622]: Demoting process privileges to uid 99, gid 99
5、Windows攻击系统通过工具进行扫描