Tiny Honeypot

More flexible time stamping was implemented and
some logging enhancements were made. The shell
now responds to cd, pwd, uname (-avsm), id, and
wget, and a number of bugfixes were made.

Capture logs now include the source address and port of the attacker. Log entries can now be either on a single line, syslog style and suitable for machine parsing, or old style multi-line. HTTP functions are completely rewritten, achieving RFC 2616 compliance whenever possible. Other features include subroutines for errors 400, 414, and 501, correctly built HTTP return headers for several MIME types, a new "chameleon" mode which will change responses (if turned on) to emulate an IIS server when an attacker requests certain types of resources, regardless of the primary setting, and many other small tweaks and fixes.

Adjusted xinetd.d file port numbers and removed o-x from the config files. GOODNET and GOODSVCS were added to the INPUT chain, along with a section in iptables.rules to allow a multi-homed system to trust either an entire interface or a network. A test was added to bomb out if someone accidentaly ran iptables.rules directly. Escapes and array references were fixed in ftp(), as they were causing some versions of Perl to complain.

This release fixed an extra shell prompt on exit, added the GPL blurb to all files, and removed duplicate xinetd.d files from the tarball. The iptables script requires less post-install tweaking for hpot_svcs, and the port range for listeners was moved to 40k+ to avoid conflicts with fakerpc. Several other little tweaks and bugfixes were made.

Added session timeouts, simple HTTP emulation, a PID on the capture log start line (to allow correlation with xinetd logging), and xinetd per-source limits by default.