For these posts I’m going to cut the commentary and outline exactly what worked in an attempt to help any future readers avoid the same pitfalls while hopefully still receiving the same level of understanding. I consider figuring shit out ‘the hard way’ to be incredibly beneficial since you end up learning so much, but also incredibly frustrating since you have to figure it out yourself. Maybe I can strike a balance in the middle on this post.
vmware work comes first
I’m going to be updating this with some screenshots as I go along so if you’re reading an incomplete post it’s because I’m in the middle of documenting this. Check the section called ‘Rolling Up your Sleeves’ to see screenshots and actual progress =)
- [ ] enable a new virtual nic on your pfsense virtual server
- [x] create a new portgroup in vmware
- [x] create a new virtual switch in vmware
- [ ] assign the new nic to the new portgroup and the new portgroup to the new virtual switch
- [ ] create a new virtual server
- [ ] launch new virtual server and install ubuntu 14.04
- [ ] create new virtual server (x2)
- [ ] install ubuntu server 16.04 on those for suricata and bro
We’re creating an entirely new nic on the pfsense box so that we can fully segment this honeypot from all other hosts on our network. Ideally you would physically segment this on either a real physical firewall or a physical switch but since I don’t have that equipment we’re going to have to trust the software (vmware) to really route traffic appropriately.
Creating a new nic, portgroup, and virtual switch should all be outlined pretty neatly online in other documentation (like the official vmware site) so I’m not going to go over how to get it done here. Same thing goes for creating the virtual host.
pfsense work comes next
With a new NIC we have to configure all the subnet goodies.
- [ ] configure interface not to overlap with any others you have and then enable
- [ ] firewall rules: on all other interfaces block traffic from this subnet
- [ ] firewall rules: on this interface block any outbound traffic to an rfc1918 address (helps to create an alias for these, pfsense has nice documentation on how to do exactly this)
- [ ] firewall rules: on this interface allow outbound to any IP (comes with some risk, see below)
- [ ] firewall rules: configure port forwarding from whichever port you chose on your WAN to this device (22, 443, 21, 445, whatever sounds spicy)
- [ ] firewall rules: open that port on your WAN interface
The reason we fully segment this host off from all others is 1) we have a virtual pfsense box so we essentially have unlimited interfaces so why not and 2) we don’t want to have to run a bunch of iptables rules on every host on the subnet. Firewall rules won’t matter for any host on the same subnet: those devices talk to each other directly at layer 2 (ARP/MAC) rather than being routed by IP, so their traffic never passes through the firewall at all.
You can allow outbound to any IP from the honeypot but remember that this means your public IP will be performing whatever activity your attackers instruct your honeypot to perform. This includes downloading child porn, being a bot in a DDoS, or even the unthinkable - giving fake clicks to Rachel Maddow’s news articles. This risk is for you to take and I assume no responsibility with whatever it is you’re doing.
rolling up your sleeves
In esxi head to networking -> virtual switches and ‘Add new virtual switch’
You can name your switch whatever you want and/or will remember, but remember to kill the ‘uplink’ on it since we’re not connecting this to any physical port on your server. Also remember to set promiscuous mode to ‘Accept’, otherwise our IDS and network logs won’t work: the suricata and bro VMs only get to see traffic addressed to other hosts on the segment if the vswitch lets them.
Then head to port groups and ‘Add port group’
Name it whatever you want, but it’s probably a good idea to be fairly descriptive. There’s no reason not to be, really, since this is all virtual and you can create unlimited port groups and vswitches, which means you’ll never have to worry about sharing this port group or vswitch with anything else!
Assign the new port group to the new vswitch you just made. I keep vlan IDs at 0 to keep things simple which will change at some point but I’ll post more on that later.
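The same vswitch and port group steps from the ESXi shell with esxcli, as an added example that is not the author’s code or part of the original post. The switch and port group names (vSwitchHoneypot, HoneypotPG) are made up for the example; it prints the commands unless HONEYPOT_APPLY=1 is set on the host.

```shell
#!/bin/sh
# Added example: reproduce the "rolling up your sleeves" steps with esxcli.
# Names below are constructed for the example, not from the original post.
# Dry-run by default (prints each command); HONEYPOT_APPLY=1 executes them.

VSWITCH="${VSWITCH:-vSwitchHoneypot}"
PORTGROUP="${PORTGROUP:-HoneypotPG}"

# run_cmd prints the command in dry-run mode and executes it otherwise.
run_cmd() {
    if [ "${HONEYPOT_APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# honeypot_vswitch_setup: isolated switch, no uplink, promiscuous mode
# accepted, one port group on VLAN 0 (matching the post).
honeypot_vswitch_setup() {
    vs="$1"; pg="$2"
    # A vSwitch created with esxcli starts with no uplink, so there is
    # nothing to "kill"; we just never run 'uplink add', which keeps the
    # honeypot segment off every physical NIC on the server.
    run_cmd esxcli network vswitch standard add --vswitch-name="$vs"
    # Promiscuous mode must be Accept or suricata/bro only see their own traffic.
    run_cmd esxcli network vswitch standard policy security set \
        --vswitch-name="$vs" --allow-promiscuous=true
    run_cmd esxcli network vswitch standard portgroup add \
        --portgroup-name="$pg" --vswitch-name="$vs"
    run_cmd esxcli network vswitch standard portgroup set \
        --portgroup-name="$pg" --vlan-id=0
}

# honeypot_vswitch_check: list commands to confirm "Uplinks:" is empty and
# the security policy shows promiscuous mode allowed.
honeypot_vswitch_check() {
    vs="$1"
    run_cmd esxcli network vswitch standard list --vswitch-name="$vs"
    run_cmd esxcli network vswitch standard policy security get --vswitch-name="$vs"
}

honeypot_vswitch_setup "$VSWITCH" "$PORTGROUP"
honeypot_vswitch_check "$VSWITCH"
```

Run it once without HONEYPOT_APPLY to review the exact commands, then with HONEYPOT_APPLY=1 from the ESXi shell; the two list commands at the end are what you read to confirm the switch has no uplink and promiscuous mode reads true.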