Tiny Honeypot (thp) is a simple honeypot program based on iptables redirects and an xinetd listener. It listens on every TCP port not currently in use, logging all activity and providing some feedback to the attacker. The responders are written entirely in Perl, and provide just enough interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. With appropriate limits (the defaults), thp can reside on production hosts with negligible impact on performance.
Operating Systems: POSIX Linux
Release Notes: More flexible time stamping was implemented and some logging enhancements were made. The shell now responds to cd, pwd, uname (-avsm), id, and wget, and a number of bugfixes were made.
Release Notes: Capture logs now include the source address and port of the attacker. Log entries can now be either on a single line, syslog style and suitable for machine parsing, or old style multi-line. HTTP functions are completely rewritten, achieving RFC 2616 compliance whenever possible. Other features include subroutines for errors 400, 414, and 501, correctly built HTTP return headers for several MIME types, a new "chameleon" mode which will change responses (if turned on) to emulate an IIS server when an attacker requests certain types of resources, regardless of the primary setting, and many other small tweaks and fixes.
Release Notes: Adjusted xinetd.d file port numbers and removed o-x from the config files. GOODNET and GOODSVCS were added to the INPUT chain, along with a section in iptables.rules to allow a multi-homed system to trust either an entire interface or a network. A test was added to bomb out if someone accidentally ran iptables.rules directly. Escapes and array references were fixed in ftp(), as they were causing some versions of Perl to complain.
Release Notes: This release fixed an extra shell prompt on exit, added the GPL blurb to all files, and removed duplicate xinetd.d files from the tarball. The iptables script requires less post-install tweaking for hpot_svcs, and the port range for listeners was moved to 40k+ to avoid conflicts with fakerpc. Several other little tweaks and bugfixes were made.
Release Notes: Added session timeouts, simple HTTP emulation, a PID on the capture log start line (to allow correlation with xinetd logging), and xinetd per-source limits by default.