Figure 1.

General Architecture
1- Configure Honeywall:
1- Booting Up
Start the Honeywall virtual machine and boot it from the Honeywall CDROM. The boot loader with The Honeynet
Project splash screen should appear. At this point the system will go into a pause, letting you interact with the
installation process. If you press the Enter button, the system will overwrite the existing hard drive and begin the
installation process.
Hit Enter to install.
Once the installation begins it is a fully automated process; there is no need to interact with the installation
from this point on.
After the installation is complete, the system will automatically reboot. When it reboots, alter the boot order (to
hard drive first, then CD) or take the CDROM out to prevent another install cycle from beginning. After the
system reboots, your installation is complete and you will be presented with a command line login prompt. Your hard
drive now has a minimized and hardened Fedora Core 3 operating system with Honeywall functionality. At this
point you can log in and begin the standard configuration process. The Honeywall comes with two default
system accounts, roo and root. Both share the same default password, honey, which you will want to change
right away: these credentials are publicly documented, and the Honeywall sits in the path of attackers, so change
both passwords before any interface is connected to an untrusted network. You cannot log in as root directly, so
you will have to log in as roo and then run su -.
2- First Login Message
When you log in to the Honeywall for the first time, it gives an alert saying that your Honeywall is not yet configured
and recommends using the Honeywall Configuration option on the main menu. Select OK to proceed.

3- Honeywall Configuration: The Main Menu allows you to go through the Honeywall Configuration. Select the Honeywall
Configuration option from the Main Menu and hit Enter.
4- Limitation of Liability Message
The Limitation of Liability message appears before the configuration proceeds. There are risks involved in Honeynet
as well as Virtual Honeynet deployment. As we are deploying a Virtual Honeynet, there are risks involved in
it. If an attacker is able to compromise the operating system on which the virtualization software is running, he
would be able to control the whole system. Secondly, if an attacker compromises a system in your Virtual
Honeynet, he may be able to detect that the system is running in a virtual environment. You might want to try the
VMware Fingerprinting Counter Measure tool developed by the French Honeynet Project, which makes VMware
detection more difficult by modifying the device names, PCI vendor, and device ID. You can reference the Know Your
Enemy: Honeynets paper to learn more about the risks. Read and click Yes for the acknowledgement.

5- Initial Setup Method
The Initial Setup Method menu allows you to select the installation method. It provides three methods for configuring
the Honeywall: Floppy, Defaults, and Interview.
Floppy method fetches the Honeywall configuration (honeywall.conf) from the floppy disk. This method is useful
for deploying a large number of Honeywalls faster.
Defaults method restores the Honeywall to the factory default configuration. This uses the default honeywall.conf
configuration file that comes with the system.
Interview method asks you a series of questions for configuring the Honeywall. If you are configuring the Honeywall
for the first time, it is recommended to use this option.
Select Interview and hit Enter.

Read the Initial Setup message and hit Enter to proceed.
6- Honeynet Public IP Addresses

Type the public IP addresses of the honeypots. These are the IP addresses which attackers will attack. Hit
Enter to proceed.

Type the Honeynet network in CIDR (Classless Inter-Domain Routing) notation. Hit Enter to proceed.

Type the broadcast address for the honeypots' public IP addresses. Hit Enter to proceed.

7- Select OK to proceed to configuring remote management.

8- Management Interface

The third interface will be used for remote management. You will be able to remotely manage your Honeywall
through SSH and the Walleye web interface.

Select Yes to configure the management interface.

Honeywall will automatically detect eth2 (the third interface) for the management interface. Hit Enter to proceed.

Type the IP address of the management interface and hit Enter.

Type the network mask of the management interface IP and hit Enter.

Type the default gateway for the management interface IP and hit Enter.

Type the DNS domain for the management IP and hit Enter.

Type the IP addresses of the DNS servers that the management interface will use and hit Enter.

Select Yes to activate the management interface.

Select Yes to start the management interface on next boot.

9- Configure SSH

Select Yes to configure SSH.

Type the port on which you want SSHD to listen and hit Enter. By default it listens on port 22.

Type in the user name you want to remotely log in with. Hit Enter.

Select Yes to change the new user's password.

Type in the new password and hit Enter. It will ask you to enter it again for confirmation.

Hit Enter to proceed.

Select Yes to change root's password.

Type in the new password and hit Enter. It will ask you to enter it again for confirmation.

Hit Enter to proceed.

The SSHD autostart option lets you enable / disable the automatic startup of SSHD at boot. Select Yes to enable
SSH at startup and hit Enter.

Select Yes to commit the changes and restart SSHD.

Enter a space-delimited list of ports you want to allow for inbound connections to the management interface. It is
recommended to allow only ports 22 and 443, for managing the Honeywall through SSH and the Web. Type the ports
and hit Enter.

Enter a space-delimited list of IP addresses or networks that can access the management interface. It is
recommended to allow only specific trusted IP addresses for managing the Honeywall; the management interface is the
one path into the Honeywall, and a Honeywall reachable from the honeynet or from the Internet is itself a target.
Type the IP addresses and hit Enter.

Select Yes to enable the Walleye Web GUI. Walleye allows you to do Data Analysis and Honeywall Management.

Restrict the firewall from making any outbound connections? Select Yes and hit Enter.

Specifically enter the TCP ports you want to allow for outbound connections from the management interface.
Type the ports and hit Enter.

Enter the UDP ports you want to allow for outbound connections from the management interface. Type the ports
and hit Enter.

10- Select OK to proceed to configuring outbound control limits.

11- Configure Outbound Connection Limits

As you know, typically we allow anything inbound to the honeypots, but limit outbound connections. The
connection limiting menu lets you set the limit for outbound connections, so that once the limit has been met
for outbound connections, all further attempts are blocked, preventing the compromised honeypot from harming
other systems. The limit counts connections, not bytes: set it high enough that the attacker can still fetch his
toolkit (otherwise you learn little), but low enough that the honeypot cannot be used to scan or flood other networks.

The connection limiting option gives you five time scales for limiting outbound connections.

Second - a per-second time scale will be applied to the connection limit.
Minute - a per-minute time scale will be applied to the connection limit.
Hour - a per-hour time scale will be applied to the connection limit.
Day - a per-day time scale will be applied to the connection limit.
Month - a per-month time scale will be applied to the connection limit.

For example, if you set the TCP limit to N outbound connections per hour, this will allow an attacker to make N TCP
outbound connections in an hour. Once this limit is reached, he won't be able to make any more connections.
The limit will be reset after an hour.

Type the scale and hit Enter.

Enter the limit for TCP outbound connections and hit Enter.

Type the limit for UDP outbound connections and hit Enter.

Type the limit for ICMP outbound connections and hit Enter.

Type the limit for other protocols' outbound connections and hit Enter.

12- Configure Snort Inline

Snort Inline lets you drop, reject, and replace known attacks.

Select Yes to configure the firewall to send packets to snort inline and hit Enter.

Select the action you want snort inline to take on packets that match the rules. Select Drop and hit Enter.

13- Configure Filtering

Honeywall offers various packet filtering features, which provide further data control capabilities.

Black list - Drops IP addresses and CIDR blocks without logging.
White list - Allows IP addresses and CIDR blocks without logging.
Fence list - Protects IP addresses and CIDR blocks from being reached by any honeypot.
Roach motel - Disallows all outbound traffic from the honeypots.

Type the name of the file containing the blacklist and hit Enter.

Type the name of the file containing the whitelist and hit Enter.

Select Yes to enable Black list and White list filtering and hit Enter.

Type the name of the file containing the fence list and hit Enter.

Let's not enable the Fence list for now. Select No to disable Fence list filtering and hit Enter.

Let's not enable Roach motel either. Select No to disable Roach motel mode blocking and hit Enter.
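The outbound data control described in steps 11 and 13 (per-protocol connection limits over a time scale, the fence list, and roach motel mode) is easy to get wrong in either direction, so it is worth modelling before trusting it. The block below is an added illustration written for this page, not code from the Honeywall CDROM; the real Honeywall enforces these controls as iptables rules. It assumes a fixed window that starts at the first connection seen and a 30-day month, and it replays constructed traffic from a compromised honeypot through the policy.

```python
"""Model of the Honeywall's outbound data control: connection limiting,
fence list and roach motel mode.

Added illustration, not code from the Honeywall CDROM (the real Honeywall
implements these controls as iptables rules). One counter per protocol is
kept over a fixed window (the chosen time scale, measured from the first
connection in the window); new connections are blocked once the limit is
met and the counter resets when the window elapses. A fence list blocks
any connection to the protected networks before it is counted, and roach
motel mode blocks every outbound connection.
"""
import ipaddress

# Time scales offered by the Connection Limiting menu, in seconds. "month"
# is approximated as 30 days (an assumption of this model).
SCALES = {"second": 1, "minute": 60, "hour": 3600,
          "day": 86400, "month": 30 * 86400}


class OutboundLimiter:
    """Per-protocol outbound connection counter with a fixed time window."""

    def __init__(self, scale, tcp, udp, icmp, other):
        if scale not in SCALES:
            raise ValueError(f"unknown scale {scale!r}")
        self.window = SCALES[scale]
        self.limits = {"tcp": tcp, "udp": udp, "icmp": icmp, "other": other}
        self.counts = {p: 0 for p in self.limits}
        self.window_start = {p: None for p in self.limits}

    def allow(self, proto, ts):
        """True if a new connection of this protocol at time ts (seconds)
        is within the limit; False once the honeypot has used it up."""
        proto = proto if proto in self.limits else "other"  # e.g. GRE -> other
        start = self.window_start[proto]
        if start is None or ts - start >= self.window:
            self.window_start[proto] = ts  # new window: reset the counter
            self.counts[proto] = 0
        if self.counts[proto] >= self.limits[proto]:
            return False
        self.counts[proto] += 1
        return True


class DataControl:
    """Outbound policy: roach motel, then fence list, then rate limit."""

    def __init__(self, scale, limits, fence=(), roach_motel=False):
        self.limiter = OutboundLimiter(scale, **limits)
        self.fence = [ipaddress.ip_network(n) for n in fence]
        self.roach_motel = roach_motel

    def verdict(self, proto, dst, ts):
        if self.roach_motel:
            return "BLOCK (roach motel)"
        if any(ipaddress.ip_address(dst) in net for net in self.fence):
            # Fenced destinations are dropped before they consume the limit.
            return "BLOCK (fence list)"
        return "ALLOW" if self.limiter.allow(proto, ts) else "BLOCK (limit)"


def replay(policy, events):
    """Run (timestamp, protocol, destination) attempts through the policy."""
    return [(ts, proto, dst, policy.verdict(proto, dst, ts))
            for ts, proto, dst in events]


# Constructed traffic from a compromised honeypot: a TCP burst, a probe at
# a fenced production network, a DNS lookup, a GRE tunnel attempt, and a
# TCP connection after the hour rolls over.
SAMPLE_EVENTS = [
    (0, "tcp", "203.0.113.10"), (10, "tcp", "203.0.113.11"),
    (15, "tcp", "10.20.0.5"), (20, "tcp", "203.0.113.12"),
    (30, "tcp", "203.0.113.13"), (40, "udp", "198.51.100.53"),
    (50, "gre", "203.0.113.14"), (3600, "tcp", "203.0.113.15"),
]


def demo():
    """Hourly limits of 3 TCP / 2 UDP / 1 ICMP / 1 other, 10.0.0.0/8 fenced."""
    policy = DataControl("hour", {"tcp": 3, "udp": 2, "icmp": 1, "other": 1},
                         fence=["10.0.0.0/8"])
    return replay(policy, SAMPLE_EVENTS)


if __name__ == "__main__":
    for ts, proto, dst, verdict in demo():
        print(f"t={ts:>5}s {proto:<4} -> {dst:<15} {verdict}")
```

Two details of the model matter in practice: a fenced destination is refused before it is counted, so probing a protected network does not eat into the attacker's allowance and hide the later connections you wanted to observe, and the "other" bucket catches tunnelling protocols such as GRE that an attacker may use precisely because they are not TCP or UDP.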

14- Select OK to proceed to configuring the DNS activity of the honeypots.

15- Configure Honeypots DNS Activity

DNS limiting lets you configure the DNS access for your honeypots. You wouldn't want your honeypots to
make unlimited DNS connections anywhere.

Let's allow honeypots to have unlimited DNS access. Select Yes and hit Enter.

Let's not restrict specific honeypots to having unlimited access to an external DNS server. Select No and hit Enter.

But let's restrict honeypots to having unlimited access only to specific external DNS servers. Select Yes and hit Enter.

Type the DNS servers to which you want the honeypots to have unlimited access and hit Enter.

16- Select OK to proceed to configuring remote alerting.

17- Configure Remote Alerting

Email alerts will notify you when someone breaks into your honeypots.

Select Yes to enable email alerts and hit Enter.

Enter an email address to receive alerts and hit Enter.

Select Yes to enable alerting to start automatically at boot and hit Enter.

18- Configure Sebek Variables

Sebek is a data capture tool designed to capture the attacker's activities on a honeypot. It has two components.
The first is a client that runs on the honeypots; its purpose is to capture all of the attacker's activities
(keystrokes, file uploads, passwords) and then covertly send the data to the server. The second component is the
server, which collects the data from the honeypots. The server normally runs on the Honeywall gateway. The
new Gen III Sebek branch is compatible with the new Roo Honeywall CDROM. The latest Sebek server version
3.0.3 has been integrated into it.

Select Yes to configure the Sebek variables and hit Enter.

Since the Sebek server runs on the Honeywall, it will automatically detect Sebek packets on the interface. Type
the gateway IP address as the destination IP address of the Sebek packets and hit Enter.

Enter the Sebek server UDP port and hit Enter. By default it is port 1101.

Select Accept and Log and hit Enter.
19- Finishing Up

Enter the hostname of your Honeywall and hit Enter.

Congratulations! You have just finished the Honeywall setup. Select OK to reboot the system.

You will see the Honeywall loading various services.

Once the services are loaded, the configuration menu will appear.

20- Maintaining the Honeywall (Important)

After the Honeywall is installed, the key issue is to maintain it properly. The new Honeywall gives you three
options for configuring and maintaining your installation.
Dialog Menu - It is the classic interface for administering the Honeywall CDROM. The new version is
very similar to the older one, except it has new features added. We have already configured our
Honeywall using the Dialog Menu in the previous steps. It can be loaded by typing menu on the shell.
# menu
HWCTL - It is a powerful command line utility that allows you to configure the system variables used
by various programs, and gives the ability to start/stop services. The advantage of this tool is that you can
simply modify the behavior of the system at the command line via local or SSH access. Following are
some examples taken from the man page.
Show all variables currently set, in "NAME = VALUE" form (use -A if you don't want the spaces):
# hwctl -a
Just print on standard output the value of HwHOSTNAME:
# hwctl -n HwHOSTNAME
Set all four connection rate limits and restart any services that depend on these variables:
# hwctl -r HwTCPRATE=20 HwUDPRATE=10 HwICMPRATE=30 HwOTHERRATE=10
Load a complete new set of variables from /etc/honeywall.conf and force a "stop" before changing
values, and a "start" afterwards:
# hwctl -R -f /etc/honeywall.conf

Walleye - It is the GUI web based interface called Walleye. The Honeywall runs a webserver that can
be remotely connected to over an SSL connection on the management interface. This GUI allows the
user to configure and maintain the system using a simple point and click approach. It has an expanding
menu, making it easy to access and visualize all the information. It also comes with more in-depth
explanations of the different options. It also has different roles, allowing organizations to control who
can access what through the GUI depending on the role they have been assigned. The primary
advantage of Walleye is that it is much easier to use than the other two options. The disadvantage is that it cannot
be used locally, but requires a 3rd network interface on the Honeywall used for remote connections.
The web-based GUI currently supports either Internet Explorer or Firefox browsers.
Let's launch the browser and point it to the management interface IP address, https://managementip/.
Login with User Name: roo and Password: honey.
When you log in to Walleye for the first time, it will ask you to change the password.
The Data Analysis interface will be displayed after you have successfully logged in.
The System Admin interface lets you manage your Honeywall through the Web.

2- Installing and configuring Sebek (installation on the Honeypots):
a) Installation
We install the Sebek client on the honeypots in order to capture the hacker's actions on each honeypot.
Installing the Sebek client on Windows
- Download the file Sebek-Win32-3.0.4.zip
- Extract the file and run the installer Setup.exe
- After the installation is complete, configure it through the Configuration Wizard.exe program (the parameters are described in the configuration section below)
Installing the Sebek client on Linux Red Hat 9.0
- Download the file sebek-linux-3.0.3.tar.gz
- Run the build:
tar -xzf sebek-linux-3.0.3.tar.gz
cd sebek-linux-3.0.3
make install
- The build produces the file sebek-linux-3.0.3-bin.tar; continue the installation:
tar -xf sebek-linux-3.0.3-bin.tar
cd sebek-linux-3.0.3-bin
- To finish the installation, run the shell script sbk_install.sh
Note: Before running sbk_install.sh we must edit the contents of this file according to the installation parameters for the Sebek client (presented in the next section).
b) Configuration
Below are some basic parameters used to configure the Sebek client.
* Configuration on Linux:
#----- DESTINATION_IP:
#----- sets destination IP for sebek packets
DESTINATION_IP="192.168.1.2xx"    This address must match the IP address declared in the Sebek section when configuring the Honeywall (the last octet is not legible in the source).
#----- DESTINATION_MAC:
#----- sets destination MAC addr for sebek packets
DESTINATION_MAC="00:0C:29:xx:xx:81"    This is the MAC address of the Internal card (eth1) on the Honeywall (two bytes are not legible in the source).
#----- DESTINATION_PORT:
#----- defines the destination udp port sebek sends to
* Configuration on Windows:
Figure 2.11 - Configuring the Sebek Client on Windows
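Both the hwctl section (step 20) and the Sebek client configuration above come down to shell-style NAME=VALUE files that must agree with each other: the honeywall.conf that `hwctl -R -f` loads, and the variable block at the top of sbk_install.sh. The audit script below is an added example written for this page, not part of the Honeywall or Sebek distributions. It parses both files, checks the settings the walkthrough recommends, and cross-checks the client's DESTINATION_* values against the server side. HwHOSTNAME, HwTCPRATE, HwUDPRATE, HwICMPRATE and HwOTHERRATE are the variable names shown in the hwctl examples; HwMANAGER, HwALLOWED_TCP_IN, HwSEBEK_DST_IP and HwSEBEK_DST_PORT are assumed names used for illustration and must be confirmed with `hwctl -a` on a real Honeywall. The sample inputs are constructed.

```python
"""Audit a honeywall.conf and a Sebek client's sbk_install.sh before use.

Added example, not part of the Honeywall or Sebek distributions. Variable
names HwHOSTNAME, HwTCPRATE, HwUDPRATE, HwICMPRATE and HwOTHERRATE come
from the hwctl examples; HwMANAGER, HwALLOWED_TCP_IN, HwSEBEK_DST_IP and
HwSEBEK_DST_PORT are assumed names, confirm them with `hwctl -a`.
"""
import re

# NAME=VALUE with optional spaces around "=", as in honeywall.conf,
# sbk_install.sh, and the "NAME = VALUE" form printed by `hwctl -a`.
ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
MAC = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_assignments(text):
    """Parse shell-style assignments (comments, blank lines and quoted
    values allowed) into a dict of name -> value string."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching quotes
        conf[name] = value
    return conf


def audit_honeywall(conf):
    """Findings for the settings the configuration walkthrough recommends."""
    findings = []
    for var in ("HwTCPRATE", "HwUDPRATE", "HwICMPRATE", "HwOTHERRATE"):
        val = conf.get(var, "")
        if not val.isdigit():
            findings.append(f"{var}: missing or not a number ({val!r})")
        elif int(val) == 0:
            findings.append(f"{var}: limit is 0, confirm this is intended")
    # Management access (assumed names): trusted addresses only, ports 22/443 only.
    if conf.get("HwMANAGER", "") in ("", "any", "0.0.0.0/0"):
        findings.append("HwMANAGER: management interface open to any address")
    extra = set(conf.get("HwALLOWED_TCP_IN", "").split()) - {"22", "443"}
    if extra:
        findings.append(f"HwALLOWED_TCP_IN: unexpected management ports {sorted(extra)}")
    return findings


def audit_sebek_client(client, conf):
    """Cross-check a Sebek client's DESTINATION_* values with the Honeywall.
    The default server port 1101 is assumed when the conf does not set one."""
    findings = []
    if client.get("DESTINATION_IP") != conf.get("HwSEBEK_DST_IP"):
        findings.append("DESTINATION_IP does not match the Honeywall Sebek destination IP")
    if client.get("DESTINATION_PORT") != conf.get("HwSEBEK_DST_PORT", "1101"):
        findings.append("DESTINATION_PORT does not match the Sebek server UDP port")
    if not MAC.match(client.get("DESTINATION_MAC", "")):
        findings.append("DESTINATION_MAC is not a valid MAC address")
    return findings


# Constructed sample inputs: a honeywall.conf with three weak settings and
# a matching sbk_install.sh variable block.
SAMPLE_HONEYWALL_CONF = """\
# constructed honeywall.conf fragment
HwHOSTNAME = honeywall
HwTCPRATE = 20
HwUDPRATE = 20
HwICMPRATE = 50
HwOTHERRATE = 0
HwMANAGER = any
HwALLOWED_TCP_IN = "22 443 80"
HwSEBEK_DST_IP = 192.168.1.254
HwSEBEK_DST_PORT = 1101
"""

SAMPLE_SBK_INSTALL = """\
# constructed variable block from sbk_install.sh
DESTINATION_IP="192.168.1.254"
DESTINATION_MAC="00:0C:29:AA:BB:CC"
DESTINATION_PORT="1101"
"""


def demo():
    conf = parse_assignments(SAMPLE_HONEYWALL_CONF)
    client = parse_assignments(SAMPLE_SBK_INSTALL)
    return audit_honeywall(conf), audit_sebek_client(client, conf)


if __name__ == "__main__":
    hw_findings, sebek_findings = demo()
    for finding in hw_findings + sebek_findings:
        print("FINDING:", finding)
```

Run it against the real files by replacing the constructed samples with `open("/etc/honeywall.conf").read()` and the client's sbk_install.sh; a mismatch in DESTINATION_IP or DESTINATION_PORT means the Sebek server on the Honeywall will never see the client's packets, which fails silently because the client sends covertly and reports nothing.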

