The base honeypot LAN server requires only a few software packages and very little configuration. LAN means local area network and honeypot refers to it being set up to route all network inquiries to its own services with no outside connections. This post is about the basic set of services needed for an isolated network that will serve up a local website. The first thing to do is to install the packages.
apt install hostapd dnsmasq nginx
A network has an interface, the hardware that makes the connection. Configuring this is done in the /etc/network/interfaces file. Here, I use eth0, the plug-in cable connection, as the standard outside network connection. wlan0, the wifi device, is defined to stand by itself as a “static” device with a fixed address and explicitly defined network parameters. The “auto lo” stanza is the loopback interface, how the computer refers to itself when it wants to use network protocols for internal communications.
# file /etc/network/interfaces
auto lo
iface lo inet loopback
iface eth0 inet dhcp
allow-hotplug wlan0
iface wlan0 inet static
address 10.0.0.1
netmask 255.255.255.0
broadcast 10.0.0.255
# pre-up iptables-restore < /etc/iptables.rules
# allow-hotplug wlan1
# iface wlan1 inet manual
# wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
The wlan1 stanza is commented out here but left in so I can later experiment with the possibility of using the wifi connection to connect to two distinct networks. As it is, if I am trying to use eth0 on one net, say to get upgrades, and wlan0 on another, say the honeypot LAN, there are issues. Somebody using a cell phone might have similar problems if they have the cell network up at the same time they are connected to the Rallynet.
The “pre-up iptables” item is for adding security later. iptables is the packet filter used to control what kind of network traffic is allowed to go from where it came from to where it wants to go; restoring a saved rule set in pre-up applies those rules before the interface comes up.
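As an added example (not part of the original post), a small Python check that parses an interfaces file in this style and reports any static stanza whose broadcast does not match its address and netmask, a slip that is easy to make when typing the file by hand. The sample text is a constructed copy of the wlan0 stanza with a wrong broadcast; the function names are mine.

```python
import ipaddress
import re

# Constructed sample in the style of the post's /etc/network/interfaces, with a
# deliberately wrong broadcast (the broadcast of 10.0.0.0/24 is 10.0.0.255).
SAMPLE = """\
iface eth0 inet dhcp
allow-hotplug wlan0
iface wlan0 inet static
address 10.0.0.1
netmask 255.255.255.0
broadcast 255.0.0.0
# pre-up iptables-restore < /etc/iptables.rules
"""

def parse_static_stanzas(text):
    """Collect address/netmask/broadcast from each 'iface X inet static' stanza.
    Commented-out lines are skipped, as ifupdown skips them."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            current = m.group(1) if m.group(2) == "static" else None
            if current:
                stanzas[current] = {}
            continue
        parts = line.split(None, 1)
        if current and len(parts) == 2 and parts[0] in ("address", "netmask", "broadcast"):
            stanzas[current][parts[0]] = parts[1]
    return stanzas

def check_broadcasts(text):
    """Return {iface: (configured, expected)} for every static stanza whose
    broadcast disagrees with the network derived from address and netmask."""
    problems = {}
    for iface, opts in parse_static_stanzas(text).items():
        addr = opts.get("address")
        if addr and "/" not in addr and "netmask" in opts:
            addr = f"{addr}/{opts['netmask']}"      # address + netmask form
        if not addr or "/" not in addr:
            continue                                 # not enough to derive a network
        expected = str(ipaddress.IPv4Interface(addr).network.broadcast_address)
        configured = opts.get("broadcast", expected)  # ifupdown derives it if absent
        if configured != expected:
            problems[iface] = (configured, expected)
    return problems
```

Running check_broadcasts(open("/etc/network/interfaces").read()) on the box gives an empty dict when every static stanza is consistent.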
hostapd is the service that enables other computers to talk to the Rallynet computer. It broadcasts the network ID and handles connection security. It is a good idea to make sure the startup script /etc/init.d/hostapd knows where the configuration file is. Look for the line that defines DAEMON_CONF and modify it, or add it if missing, so the file contains the line below. (On Debian-based systems the init script also reads this setting from /etc/default/hostapd, so it can be set there instead.)
DAEMON_CONF="/etc/hostapd/hostapd.conf"
For a simple hostapd configuration that has no security, you can use:
# file /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=SNU
channel=1
The driver clause is there because hostapd needs proper hardware support and a software interface to that hardware that supports access point (‘AP’) mode; nl80211 is the standard Linux wireless interface for that. The ssid is the network name that shows on the list people will see when they want to connect to the Rallynet. Here it is “SNU”.
dnsmasq provides DHCP and DNS to connecting computers so they have an address on the network and know how to find things.
#file /etc/dnsmasq.conf
address=/#/10.0.0.1
interface=wlan0
dhcp-range=10.0.0.50,10.0.0.150,12h
no-resolv
no-hosts
#log-queries
#log-dhcp
log-facility=/var/log/dnsmasq.log
The address= line specifies that any time a computer looks up a domain name it will get the honeypot address. This means that anyone looking for their favorite web site will get directed to the honeypot instead. I’ve had problems with this when other networks are connected or when browsers think you’ve entered a search term rather than a domain name (e.g. “rallynet” rather than “rallynet.com”). no-resolv and no-hosts tell dnsmasq not to read this machine’s own /etc/resolv.conf and /etc/hosts, so the Rallynet computer’s own resolver settings are not handed out to other computers on the Rallynet. I find it works best to issue a “sudo systemctl stop dnsmasq” when I am plugged in to the Internet in order to get updates or whatnot. This helps avoid confusion.
nginx is a modern alternative to the old standby Apache. I use it because it is supposed to have a smaller footprint and, I’d hope, reflects some lessons learned in twenty years of web servers. It is full featured and able to serve many websites with all sorts of features, so configuration can have a lot of complexities. My major problem was making sure the “;” end-of-statement markers didn’t get lost in the cut and paste operations I used to consolidate a tree of configuration files into just one. This example still includes a lot of things that explicitly restate defaults that aren’t really necessary for the Rallynet, so some pruning is still possible.
# file /etc/nginx/nginx.conf
user www-data;
worker_processes 4;
pid /run/nginx.pid;
events {
    worker_connections 768;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # The ssl_* lines restate the packaged defaults and do nothing here,
    # because only port 80 is served. Dropping SSLv3, ref: POODLE.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    gzip_disable "msie6";
    #include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites-enabled/*;
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /home/www-data;
        index index.html index.htm index.nginx-debian.html;
        server_name _;
        location / {
            try_files $uri $uri/ =404;
        }
        # Every missing page, including ones on captured outside domains, gets the home page
        error_page 404 /index.html;
    }
}
The server section is where the customizing is really needed. I put the website in the /home directory rather than in /var as was the install default. The “location” and “error_page” statements work with the dnsmasq honeypot routing so that requests for unknown pages, including any on domains outside the LAN that dnsmasq has pointed here, all route to the Rallynet home page. Note that error_page without an “=code” argument keeps the 404 status; browsers show the home page regardless, but a client that checks the status will still see the 404.
Note the log statements in the configuration files. I uncomment them when I first start out so I can find errors. Note also that these services often have utilities that will check their configuration files to make sure they are valid (nginx -t and dnsmasq --test, for example). When I get everything working, I’ll comment out the log statements to avoid filling up the file system.
This CONF soup is just about as bare bones as I could get it. Now I can start adding security or other features a step at a time and keep the debugging simple.
Be sure to save the default configuration files! These are a good resource for the options available. The servers also have man pages you can reference to find out about the configuration options. Web searches are also good ways to find examples and explanations.