Install a debian stable/testing system (with X Desktop Environment) and install the following packages:
bridge-utils libsdl1.2-dev zlib1g-dev libdbd-pg-perl librrds-perl libdbi-perl gcc-3.4 gcc subversion make
Disable IPv6 Edit /etc/modprobe.d/blacklist and add the following line:
For Argos to work there needs to be a bridge because the host OS needs to be bridged with the guest OS.
Edit /etc/network/interfaces and configure the bridge. The gateway is the ip address of the ethernet device directly connected to the argos server.
auto eth0 iface eth0 inet manual auto br0 iface br0 inet static address ip address netmask netmask gateway gateway bridge_ports eth0 bridge_fd 1 bridge_stp off bridge_hello 1
Important!! Set the gateway to the ip address of the eth1 device of the tunnel server.
/download/directory$ tar zxvf qemu-0.9.1.tar.gz
/download/directory/qemu-0.9.1$ ./configure --target-list="i386-softmmu" --prefix=/opt/argos --cc=gcc-3.4
/download/directory/qemu-0.9.1$ make install
* [OPTIONAL] Configure the kernel accelerator by installing the kqemu package from source: The kernel accelerator needs the kernel sources. Check your kernel version with uname. Then install the corresponding kernel-headers.
uname -a apt-get install linux-headers-2.6.x-x-xxx apt-get install kqemu-source kqemu-common
Run “module-assistant” to compile and install the kernel module. In the ncurses wizard first choose “PREPARE” to prepare your system with all the required dependencies. Then choose “SELECT” and choose the “kqemu” module from the list. Then do the following steps the one after the other: “GET”, “BUILD” and “INSTALL”. When everything is done you can choose “BACK” and “EXIT”.
To test the kqemu module try modprobing the kqemu module.
If that succeeds without an error add “kqemu” to /etc/modules to load it at boot.
/download/directory$ tar zxvf argos-0.4.2-1.tar.gz
It will be installed in /opt/argos and the nettracker module will be enabled.
/download/directory/argos-0.4.2-1$ ./configure --enable-system --prefix=/opt/argos --cc=gcc-3.4 --enable-net-tracker --enable-lowmem
/download/directory/argos-0.4.2-1$ make && make install
Qemu provides the utility `qemu-img' for this purpose. The following example creates a 3 gigabytes hard disk image named `IMAGE.img' using Qemu's copy-on-write format:
mkdir /opt/argos/images cd /opt/argos/images /opt/argos/images$ ../bin/qemu-img create -f qcow IMAGE.img 3G
Always give an image the extension .img. The argos scripts need this.
We also need a hard disk that will operate as a file exchanger between the Guest OS and Host OS. We call it hddshare.img
/opt/argos/images$ ../bin/qemu-img create -f raw hddshare.img 100M
For more information on how to create a disk image consult Qemu's documentation on on disk images.
In the following examples `NNN' corresponds to the amount of virtual RAM (in megabytes) that Qemu will be run with. Also `-localtime' is optional. It sets Qemu's clock to local time instead of UTC.
Assuming that the CD-ROM device at the host can be found under `/dev/cdrom', and `IMAGE.img' is a disk image created using qemu-img, run Qemu as such:
qemu -cdrom /dev/cdrom -hda IMAGE.img -boot d -m NNN -localtime
Make sure that you have permissions to read `/dev/cdrom' before trying to run the above command.
Similarly, if `ISOIMAGE.iso' is the ISO image containing the OS you wish to install and `IMAGE.img' is a disk image created using qemu-img, run Qemu as such:
qemu -cdrom /path/to/iso/images/ISOIMAGE.iso -hda IMAGE.img -boot d -m NNN -localtime
Argos works with physical addresses. Unfortunatelly, this means that it cannot track virtual memory, and that you will have to disable virtual memory at the guest OS. In Linux, do not create (or activate) a swap partition during installation. In Windows you can disable paging after the installation completes.
A Windows operating system installed using the previous versions of Argos (earlier than 0.2.0), cannot be booted using the latest version (0.2.0). The reason behind this being that versions 0.2.0 and later emulated and different IDE driver, and as a result Windows installations based on older versions do not contain the appropriate driver.
When installing Windows 2000 you will have to enable the following option `-win2k-hack'. This is to overcome a Windows 2000 bug during installation, which causes a disk full problem. When the installation completes you do not need this option any more.
Some Windows XP versions install correctly but a security error when booting:
A problem is preventing Windows from accurately checking the license for this computer. Error code: 0x800703e6.
The only solution for now is to install Windows XP Service Pack 2. It is also possible that the installation procedure might freeze, so we strongly recommend that you also use the `-win2k-hack' even when installing Windows XP.
Start qemu in X!! otherwise you will get an error “Could not initialize SDL - exiting. Sometimes the mouse is not working. Execute the following command to fix this.
Insert the windows 2000 cdrom in the cdrom drive.
Installing Windows 2000 from cdrom on the qemu image “IMAGE.img” with 512 MB of RAM:
/opt/argos/images$../bin/qemu -cdrom /dev/cdrom -hda IMAGE.img -hdb hddshare.img -boot d -m 512 -localtime -win2k-hack
Partition the hddshare drive in the setup process because of an error with the disk manager.
If the guest OS is installed its wise to make a copy of the image so there is a clean image to fall back on.
The guest OS can be configured to your likening. But there are some configurations that are necessary.
/opt/argos/images$../bin/qemu -hda IMAGE.img -hdb hddshare.img -m 512 -localtime
Partition and Format (FAT) the exchange drive when you are in the guest OS.
The network configuration will be set through a script so leave the network configuration to standard.
Argos works with physical addresses. Unfortunately, this means that it cannot track virtual memory, and that you will have to disable virtual memory at the guest OS.
Format the exchange drive. So that file can be placed on there.
For Windows OSes there is a free perl distribution available. ActivePerl, when downloading select the AS install package. Because you don't have network connectivity in the Guest OS you can use the formatted hddshare drive for the exchanging.
To install ActivePerl Mount it and copy the files:
mount -oloop,offset=\$((63*512)) hddshare.img /mntpoint unzip activePerl***.zip -d /mntpoint touch netconf.bat cp netconf.bat /mntpoint touch snitch.pl cp snitch.pl /mntpoint umount /mntpoint
Start qemu again to have the files available.
/opt/argos/images$../bin/qemu -hda IMAGE.img -hdb hddshare.img -m 512 -localtime
Install ActivePerl with the default settings. After the installation delete the installation files on the exchange drive.
Create shortcuts of the snitch.pl and netconf.bat file on the hddshare drive and place them in the startup directory of the startmenu. Now these scripts will be booted the next time Argos start.
If you want to test the guest OS without corrupting the disk image we recommend that you use the `-snapshot' option. This forces Qemu and Argos to open the disk image as read-only, writing all changes to temporary files. This way you do not risk corrupting the disk image.
After installing the guest OS the Argos scripts are needed.
Checkout the argos subversion trunk tree in the install dir.
Extract the Cargos library source files.
/download/directory$ tar zxvf cargos-lib-0.1.1.tar.gz
Configure and compile.
./configure --prefix=/opt/argos make && make install
Sometimes you need to set the CC environment variable to gcc-3.x
/download/directory$ unzip openports.zip /download/directory$ cp openports.exe /opt/argos/
mv /opt/argos/argos-ifup /etc/argos-ifup
Argos-ifup should look like:
#!/bin/sh brctl addif br0 $1 ifconfig $1 0.0.0.0 promisc up echo 1 > /proc/sys/net/ipv4/ip_forward
Copy argos.conf.dist to argos.conf.
/opt/argos$ cp argos.conf.dist argos.conf
Edit argos.conf and change the following values
$pgsql_pass = 'enter_password'; $pgsql_host = "enter_ipaddress"; $listenip = "enter_ipaddress"; $gw = "enter_ipaddress";
Set the $pgsql_host to the IP address of the logserver where the DB is. Set the $gw and $listenip to the IP of the br0 device that's connected directly with the tunnel server.
Edit snitch.pl. Enter the ip address (same as the listenip in argos.conf) to the hostip variable.
my $hostip = "enter_ipaddress";
Add to /etc/crontab:
*/5 * * * * root /opt/argos/rrd_serverinfo.pl
Restart the cron daemon.
mkdir /var/run/argos mkdir /opt/argos/logs
NOTE: You will have to patch the kernel on your tunnel server as well, see Kernel Upgrade/Patch.
The argos server needs to have access to the DB. Edit pg_hba.conf and add the ip of the argosserver: !! Bear in mind that this ip address is different from the ip on the br0 interface on the host OS.
host all all enter_ipaddress md5
Log on to the webinterface as an administratis. Install the new image on the “argos template” page. Name: Enter a name. Example: Win2000withSP4andIIS Server IP: The ip address of the br0 interface on the host OS. Imagename on Server: name of the image. Eample: IMAGE.img OS: Choose win2k/winxp/linux OS Language: Choose between English and Dutch. Mac address: This mac address will be set to the guest OS. Organisation: Set to all organisations or set to one Organisation. If set to one organisation, the image will be only selectable by this organisation.
After adding the image it will be selectable on the Argos page. Add a sensor and select the argos image. Sensor: Select a sensor. Imagename: Select the just added image. Template: Select between
Timespan: This will select the timespan of the selected template.
To actually rederict ip's to the argosserver the rederict_argos script needs to be run. Edit the crontab:
*/5 * * * * root /opt/surfnetids/scripts/redirect_argos.pl >/dev/null
IP Virtual Server is needed to redirect ip's to the honeypot(s).
Add for each server an entry to the IPVS daemon. In this example nepenthes and argos are used so we need to add 2 realservers. The services also need to be added. Use Firewall mark 1 for nepenthes and 2 for argos. If nepenthes stays on the tunnel server just use 127.0.0.1 for the ipaddress_nepenthes.
Edit the ipvsadm.rules script and add:
-A -f 1 -s wlc -p 120 -a -f1 -r ipaddress_nepenthes:0 -g -w 1 -A -f 2 -s wlc -p 120 -a -f2 -r ipaddress_argos:0 -g -w 1
Now run the ipvsadm daemon.
To check if its correctly configured.
IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn FWM 1 wlc persistent 100 -> ipaddress_nepenthes:0 Local 1 1 7 FWM 2 wlc persistent 100 -> ipaddress_argos:0 Route 1 0 1
To start argos run start.pl
Check if all your network settings are correct!!!