JHoney is a honeypot tool for Linux written in Java. A honeypot is a system or service that looks vulnerable to the Internet. Its purpose is to trick hackers into attacking the honeypot system, so that the honeypot can then take countermeasures against the attacker.
JHoney simulates network services by opening servers on user-specified ports on a networked computer. The port/service appears to exist and to be open to an attacker or trojan. Once an attacker connects to the service, his IP address is logged, and he can even be denied any access to the computer if the system uses a firewall that supports dynamic blacklisting.
JHoney has been developed to work with Shorewall, but should work with any firewall that can blacklist an IP address through a shell command or by adding entries to text files. All attacks against JHoney are logged with the time of the attack, the attacker's IP address and the attacker's hostname.
JHoney has a built-in HTTP server which can be accessed with any web browser. From the web interface you can control the honeypot daemon, view attacks, change the configuration or generate attack statistics for a specific day. The server requires a login, so you can control the honeypot remotely. The web server has extensive help information to get you started!
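The mechanism described above (an open port with no service behind it, a log entry per connection, an optional firewall call) can be sketched as follows. This is an added example, not JHoney's own code (JHoney is written in Java); the function names are hypothetical, and `shorewall drop <ip>` is assumed as the blacklist command, disabled by default.

```python
import ipaddress
import socket
import subprocess
import threading
from datetime import datetime, timezone

# Assumption: Shorewall's dynamic blacklist command, "shorewall drop <ip>".
BLACKLIST_CMD = ["shorewall", "drop"]


def reverse_lookup(ip):
    """Return the PTR hostname for ip, or "unknown" if it does not resolve."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "unknown"


def blacklist_argv(ip):
    """Build the firewall command as an argv list from a validated address."""
    return BLACKLIST_CMD + [str(ipaddress.ip_address(ip))]  # ValueError if not an IP


def record_attack(ip, log, blacklist=False, resolve=reverse_lookup):
    """Log time, IP and hostname of one connection; optionally blacklist the IP."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "ip": ip, "hostname": resolve(ip)}
    log.append(entry)
    if blacklist:  # off by default so the sketch runs without a firewall or root
        subprocess.run(blacklist_argv(ip), check=False)
    return entry


def serve_fake_port(host, port, log, max_conns=1, **opts):
    """Listen on host:port; accept, record and immediately close connections."""
    srv = socket.create_server((host, port))

    def loop():
        with srv:
            for _ in range(max_conns):
                conn, peer = srv.accept()
                conn.close()  # nothing is served; the port only looks open
                record_attack(peer[0], log, **opts)

    worker = threading.Thread(target=loop, daemon=True)
    worker.start()
    return srv.getsockname()[1], worker
```

The firewall command is built as an argument list from a parsed address and run without a shell, so nothing other than a literal IP address can reach the command line.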
· Java runtime or JDK
· A firewall supporting dynamic blacklisting (optional).
1. Download the latest tar.gz release package
2. Unzip the package to any directory
3. Open a terminal and go to the unzipped jhoney directory
4. Open the jhserv script in an editor
5. The variable JAVAHOME points to your Java directory. If Java is installed to a different folder than /usr/java/jdk1.5.0 you need to change this to the correct directory.
6. Run the install script as root.
7. The files are now installed in /usr/local/jhoney.
HOW TO USE
Starting the webserver
JHoney is configured and controlled from any web browser. First, start the HTTP server by executing the command jhserv start in a terminal. Then open a web browser and browse to http://localhost:8333.
JHServ requires a login. The default login name is 'admin' and the password is 'admin'. To add a new user, open a terminal as root and run jhserv adduser uname pword. To remove a user, run jhserv removeuser uname pword.
Configuring the honeypot daemon
Before the daemon is started, you need to configure it. Read the help information under the Configuration menus to figure out what to do.
Starting the daemon
When you have finished configuring the scripts and config files, start the daemon by selecting the daemon/Start menu alternative. You will be notified if the daemon started correctly or if something went wrong. Read the help for information about the status messages.
Test if everything works
You can test whether the honeypot is working by using a web-based port scanner. You can find one at www.pcflank.com. Select Advanced port scanner and TCP connect. Scan the ports on which JHoney is simulating services. You will be notified that the ports are open. Examine the attacks log in the JHoney web interface. You will now see a www.pcflank.com entry. If you have enabled automatic blacklisting, run PCFlank's port scanner once more. If the blacklisting works, you will now be notified that the ports are stealthed. A PCFlank entry should also have been added to the attacks log file.
What's New in This Release:
· A lot of buggy code has been completely rewritten.
· The HTTP Control Center has been rebuilt almost from scratch. Help messages are available for all menu alternatives, and it is also possible to change the colour theme.
· Some bugs in the user login have been corrected.
· Be sure to upgrade to this version if you use JHoney!