Honeypots on pfSense and VMware

An experiment in getting your home network fully compromised.

Tim Webster

2 minute read

I’m going to start setting up at least one honeypot on my home lab, which is just a Dell c1100, VMware/ESXi, and pfSense. I plan to isolate the honeypot by creating a new virtual NIC on the pfSense guest, setting the vswitch to promiscuous, tapping Bro or Moloch for pcap and Suricata for IDS, and for the actual honeypot we’re going to run Artillery on Ubuntu.

Foreword

It’s funny how time-consuming these things are, and experiencing these issues first hand really makes me appreciate cloud service providers like Azure or AWS, because they take a lot of the pain out of the process. Though I’m sure most of the ‘legit’ providers would shut your account down swiftly if they found out you’re running honeypots, so maybe some level of effort is required.

Even deploying this web host had several bumps along the way despite my deployment of many servers in my home lab.

  • create new firewall rules so I can ssh from my lan to this dmz host
  • create a new virtual machine and point to an iso I’d used a hundred times before – iso fails to load – why – delete and recreate virtual machine just to make sure I didn’t screw up somewhere – still broken – reupload exact same iso from storage into vmware – works – why
  • get host working, confirm IP pulls from DHCP pool
  • configure pfsense DHCP reservation
  • configure pfsense DNS resolution
  • test firewall rules, DNS lookup, IP addy – IP addy fails, reboot
  • everything works
  • download hugo
  • scp dev site to new host
  • run
  • works, after 20 minutes site fails
  • oh yeah, I need to run the service in the background
      $ [ctrl + z]
      $ disown -h %1
      $ bg 1
  • works
  • https isn’t available on hugo, sucks
  • caddy allegedly runs https and has hugo integration
  • can’t figure it out
  • why
  • screw it, host only with http
  • configure pfsense for port forwarding
  • configure pfsense WAN firewall rules to allow inbound on port 80
  • site runs now!
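The “run the service in the background” item is the one step in that list that bites later, because a service started in the foreground of an SSH session dies with the session. The shell helpers below are added here and are not part of the original post: they start a service under nohup with a pidfile and a log file, and let you check or stop it afterwards. The hugo command line in the usage comment is illustrative.

```sh
#!/bin/sh
# Added example (not from the original post): keep a long-running service such
# as `hugo server` alive after the login shell that launched it goes away.

# start_detached PIDFILE LOGFILE COMMAND [ARGS...]
# nohup makes the child ignore SIGHUP, which is what the terminal/SSH session
# sends when it closes; stdin/stdout/stderr are moved off the tty so nothing
# keeps the session open, and the PID is recorded for later checks.
start_detached() {
    pidfile=$1
    logfile=$2
    shift 2
    nohup "$@" </dev/null >"$logfile" 2>&1 &
    echo $! >"$pidfile"
}

# is_alive PIDFILE: succeeds only if the recorded process still exists.
is_alive() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# stop_detached PIDFILE: terminate the recorded process and drop the pidfile.
stop_detached() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null
    rm -f "$1"
}

# Usage on the web host (illustrative paths and flags):
#   start_detached /var/run/hugo.pid /var/log/hugo.log hugo server --bind 0.0.0.0
#   is_alive /var/run/hugo.pid && echo "hugo is up"
```

Unlike the ctrl-z / disown sequence above, this works from a plain POSIX sh and leaves a pidfile behind, so the site can be checked or restarted without hunting for the process.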

I considered hugo documentation to be fairly decent, too.

And even after all that I still have to learn a lot of lessons on how to get posts to update and appear without having to restart the service.

On With The Show

Anyway, we’re about to document our step-by-step for running Artillery on Ubuntu, and for this we’re going to use Ubuntu 14.04 (trusty) and this Digital Ocean guide on setting up Artillery.

Tune in for part 2 (link needed) coming soon!