Table of Contents
Honeypot ports
| Port | Amun | Nepenthes | Dionaea |
|---|---|---|---|
| 21 | ftpd | ftp | |
| 25 | imail | ||
| 42 | wins | wins | |
| 69 | tftp | ||
| 80 | http | asn1 | http |
| 105 | mercury | ||
| 110 | axigen, slmail, mdaemon | ||
| 135 | dcom | dcom | epmap |
| 139 | smb, ms06040, netdde | netbiosname, netdde | |
| 143 | lotusdomino | ||
| 443 | iis | iis | https |
| 445 | lsass, pnp, dnsv2, asn1, ms06070, ms08067, smb | asn1, dcom, lsass, ms08067, pnp | smb |
| 554 | helix | ||
| 587 | imail | ||
| 617 | arkeia | ||
| 1023 | sasserftpd | sasserftpd | |
| 1025 | msdtc | dcom, msdtc | |
| 1080 | mydoom | ||
| 1111 | tivoli | ||
| 1433 | mssql | ||
| 1434 | mssql | ||
| 1581 | tivoli | ||
| 1900 | arc | ||
| 2101 | msmq | ||
| 2103 | msmq | msmq | |
| 2105 | msmq | msmq | |
| 2107 | msmq | msmq | |
| 2380 | goodtech | ||
| 2555 | upnp | ||
| 2745 | bagle | bagle | |
| 2954 | hpopenview | ||
| 2967 | symantec | symantec | |
| 2968 | symantec | symantec | |
| 3127 | mydoom | mydoom | |
| 3128 | mydoom | ||
| 3140 | optix | ||
| 3268 | trend | ||
| 3306 | mysql | ||
| 3372 | msdtc | msdtc | |
| 3628 | trend | ||
| 5000 | upnp | upnp | |
| 5060 | sip | ||
| 5168 | trend | ||
| 5554 | sasserftpd | sasserftpd | |
| 6070 | arc | ||
| 6101 | veritas | ||
| 6129 | dameware | dameware | |
| 7144 | peercast | ||
| 8080 | tivoli | ||
| 9999 | maxdb | ||
| 10000 | veritas | ||
| 10203 | ca | ||
| 17300 | kuang2 | ||
| 27347 | sub7 | sub7 | |
| 38292 | symantec | ||
| 41523 | arc |
Example configuration
This section will show a configuration that will run all three honeypots on the same system for maximum detection.
In this case the priority of the honeypots is Dionaea > Nepenthes > Amun (with some exceptions).
Dionaea
In Dionaea, comment out the following modules:
- FTP
- HTTP
- HTTPS
- TFTP
These modules don't actually do much detection in Dionaea, hence we can use the modules of Nepenthes and/or Amun when appropriate.
Nepenthes
In Nepenthes, comment out the following modules:
- DCOM
- ASN1
- LSASS
- MS08067
- PNP
- Netbiosname
- NETDDE
Amun
In Amun, comment out the following modules:
- LSASS
- PNP
- DNSV2
- ASN1
- MS06070
- MS08067
- SasserFTPD
- MSDTC
- Bagle
- Dameware
- SUB7
- WINS
- HTTP
- IIS
Some of the modules from Amun are still usable, but we need to disable a few ports that are already in use by Nepenthes. In Amun, disable the following ports:
- SMB - port 445
- MS06040 - port 445
- MSMQ - port 2103, 2105, 2107
- Symantec - port 2967, 2968
- Mydoom - port 3127
- UPNP - port 5000
