http://sites.google.com/site/webhoneypotsite/home/installation-of-the-webhoneypot

Supported Operating Systems

The Webhoneypot should work on all operating systems with a Webserver capable of PHP and something like mod_rewrite or mod_alias and PHP5 including commandline-support

Packages

Packages are available for some operatingsystems

Debian:

Install Debian

Ubuntu:

Install Debian

First Thoughts

The first thing you need to decide is if you wish to install it on a dedicate domain (using virtual hosts) or in a subdirectory. Recommendation is to use a dedicated domain.

There are several considerations:

• adding a new virtual host usually requires administrative privileges for the server (this might not always be the case, since in some cases you might have the ability to add new virtual hosts trough a web interface like cPanel).
• adding a new virtual host requires you to posess a given domain. You can circumvent this requirement by using a dynamic DNS provider (which gives you a free DNS name) or by using a subdomain
• using the honeypot in a subdirectory is a security risk. While we try our best to make sure that our code is secure, you might want to reconsider deploying it in a production environment. One risk you might expose yourself to is XSS vulnerabilities in the served up templates. Even though we try hard to remove exploitable code from the templates, some things might slip through. This is also relevant to the subdomain scenario.

Prerequisites

Mandatory

• a Webserver capable of PHP and something like mod_rewrite or mod_alias
• PHP5 with commandline-support

This guide supposes that you already have functional webserver and PHP set up with your webserver. If you don't have PHP set up, please refer to the documentation of your webserver (or the documentation of PHP - http://www.php.net/install) on how to do so.

Optional

A dshield account. This can be configured after installation.

Installation from source (tar or svn)

The installation from the tarball is the most flexible version - but most things must be done manually. All installation tasks must normally be done as root/Administrator.

*nix:

Dedicated Domain

1. Unpack the archive (tar -xzf <tarfile>, unzip <zip>) e.g. to /opt/webhoneypot
   For security reasons, the honeypot checks if the used directories (templates, lib, log, etc) are outside of the document root. Keep this in mind when extracting it (ie. you should extract it somewhere other than the document root for your webserver)
2. Set the appropriate permissions (see table below)
3. Configure your webserver with the document root pointing to the html-directory or copy the index.php file to the present document root. Modify $sBaseDir if needed: see here.
4. Configure your Rewrite Rules:
   • Apache with mod_rewrite here
   • Apache with mod_alias here
   • lighttpd here
   • nginx here
5. Run lib/config.php

Filessystem Linux (e.g. below /opt/webhoneypot):

Directory	Contents	Description
Html	index.php	This directory is the DOCUMENT_ROOT
Logs	Logfiles	This Directory may be linked e.g. to /var/log/webhoneypot or configured with config.local (see below)
Etc	config.local	This Directory may be linked to /etc/webhoneypot
templates	template files and directories
Lib	config.php common_functions.php update-client.php
updates	update files

Permissions

owner:group	permissions
all directories # all files Exceptions: logs html/index.php	root:root root:root www:www www:www	755 644 640 440

Subdirectory, Subdomain

Remember the webhoneypot is optimized for virtual host usecase.

Copy index.php from the "html" directory to the directory where you want to use it (you might also want to rename it to something else). Note: on systems which they support it, you might want to use a symlink to the original file, so that you can update it in one place and you don't have to remember updating it in all the places you've copied it to.

Modify $sBaseDir: see here

Installation IIS

Dedicated domain

It is recommended that you install the free IIS 7 URL rewriting module from Microsoft (http://blogs.iis.net/ruslany/archive/2008/11/10/url-rewrite-module-release-to-web.aspx ). It will work even without it, but having it installed can give a much more authentic looking result.

Subdirectory

Remember the webhoneypot is optimized for virtual host usecase.

Add a virtual directory pointing to the html directory of the honeypot

If you don't have the URL rewriting module installed, the URL will look like this: http://example.com/wh/index.php/PHPBB (where wh is assumed to be the name of the virtual directory)

If you have URL rewriting, add the following rule: pattern: .*, rewrite url: /wh/index.php

Modify $sBaseDir: see here

Subdomain

Remember the webhoneypot is optimized for virtual host usecase.

Add a new site with the physical path set to the html directory

If you have URL rewriting, add the same rules as above

Modify $sBaseDir: see here

Non-Regular Base-Dir

Edit it and replace the $sBaseDir=realpath(dirname(__FILE__) . '/../'); line with the absolute path of your webhoneypot directory (the parent directory of html, lib, logs, etc). For example:
$sBaseDir=”/opt/webhoneypot”; //for *nix $sBaseDir=”c://weboneypot”; //for windows

Configuration

Webhoneyport config.local

All user-configuration is done with etc/config.local. The syntax is as follows:

# this is a comment
[config]
# dshield username - mandatory
userid=<dshield username (Email-Adress)>
# password of user - one entry is mandatory - if password is provided the hash will be computed
# and written to the log-file. copy it from the logfile to config.local and remove the
# password-entry
password=<password>
hashpassword=<hashofpassoword>
# path to logfiles (default:logs)
logdir=<path to logdirectory>
# loglevel (default: 1)
# 1: error
# 9: DEBUG
loglevel=<loglevel>

Rewrite Rules

Configuration of various Webservers.

Apache with mod_rewrite

Make sure that mod_rewrite is loaded (in many configuration it is not by default). You should see a line like the following in your apache configuration file: LoadModule rewrite_module modules/mod_rewrite.so

Add the following configuration options for mod_rewrite. They can be placed either in your apache configuration file directly or in a .htaccess file:

RewriteEngine on

RewriteRule ^(?!index.php)(.*)
index.php/$1

Apache with mod_alias

Mod_alias has the advantage of being enabled by default on more servers, however it cannot be configured from the .htaccess file (configuration must be done directly in the Apache configuration files), which makes this solution unfeasible if you don't have access to the configuration files. The needed configuration directive is:

AliasMatch ^/.* /opt/webhoneypot/html/index.php # unix
AliasMatch ^/.* C:/webhoneypot/html/index.php # windows

lighttpd

Enable the mod_rewrite module (make sure that it is present in the server.modules list and not commented out). Add the following configuration line:

url.rewrite-once = ( "(.*.)" => "/index.php/$1" )

nginx

Quick tip: if you get "no input file specified" with nginx + fastcgi + PHP, check that fastcgi_param is set correctly. It should be set like this:

fastcgi_param  SCRIPT_FILENAME /var/www/nginx-default$fastcgi_script_name;

where /var/www/nginx-default is the document root for the particular site

Add the following rewrite rule:

rewrite ^/.* /index.php last;

IIS +mod-rewrite

Troubleshooting

No URL rewriting available

If URL rewriting is not available for your webserver, you still might be able to use the honeypot, because most webservers will traverse the path up until they find a part which is actionable. So for example, given the following url: http://example.com/wh.php/PHPBB/index.php, the webserver goes up the path until it arrives to wh.php and executes it. The honeypot is coded to handle this situation

Permission Problems

If the user who extracted/installed the webhoneypot is not the same as the one the webserver is running under, you need the following permissions for the webserver user:

• read on etc
• read on html/index.php
• read on lib
• read/write on logs
• read on templates