Beeswarm honeypot on Ubuntu 14.04 LTS

December 2, 2014

This is a tutorial on installing and using Beeswarm on a series of three Ubuntu Server 14.04 LTS systems, one acting as the Beeswarm server and the remaining as Beeswarm drones. All systems are virtualized on VirtualBox servers. The Ubuntu systems are configured to automatically install software updates. The Beeswarm drones are allocated 192 MB of RAM and 2.5 GB of disk space, the Beeswarm server 256 MB of RAM and 4 GB of disk space.

Beeswarm is described as an active IDS system consisting of a Beeswarm server, drone clients, and drone honeypots. The drones are managed by the Beeswarm server. The drone clients communicate over the network with the drone honeypots and intentionally leak credentials when doing so. One of the goals is to see whether attackers who capture this network traffic then attempt to log into the honeypots using the same credentials. The image below illustrating this is taken from the Beeswarm web site:

For the sake of this tutorial we are creating all of the systems on the same VirtualBox server, however when deploying this in production you would want to have the drone clients distributed in different areas of your network. The Beeswarm server and the drone honeypot could potentially be on the same VirtualBox server, however the drone clients should be placed elsewhere on the network in such a way that the network traffic can be seen by the attackers.

Setup Ubuntu

Begin by going to the Ubuntu Alternative Downloads, then select "Download the network installer for 14.04 LTS". For the architecture we select i386, then on the following page we download the file mini.iso.

On the VirtualBox server we create the virtual machines (1 server, 2 drones). For the server we create a standard virtual system with 256 MB of RAM and a 4 GB HDD, specify Bridged Adapter for the Ethernet adapter. For the drones we do the same but specify 192 MB RAM and 2.5 GB HDD. This is a conservative amount of disk space and the minimum that we recommend. If you go below 1.5 GB beeswarm will likely fail to compile. Connect the mini.iso file to the virtual CD/DVD Drive and boot up the Ubuntu server.

At the Installer boot menu screen, select Install and proceed with a standard installation. When prompted to encrypt your home directory select No. For the disk partitioning select "Guided - use entire disk". Later on when prompted on whether you wish to have updates automatically deployed, select "Install security updates automatically".

Eventually you will reach the following screen:

For this tutorial we do not check anything although for you could potentially select OpenSSH server for the Beeswarm server and the drone clients. Note that if you select OpenSSH for the drone honeypot it will conflict with the SSH honeypot service should you choose to emulate SSH.

Select continue. Once the installation completes, remove the virtual CD-ROM, reboot and log into the system.

The first step is to assign a static IP address (assuming you installed Ubuntu on a network where it acquired its IP through DHCP during installation):

user@server1:~$ sudo nano /etc/network/interfaces

For the following section:

auto eth0
iface eth0 inet dhcp

We replace this with the appropriate settings for your network:

auto eth0
iface eth0 inet static

Restart the network interfaces:

user@server1:~$ sudo ifdown eth0
user@server1:~$ sudo ifup eth0

The next step is to install a NTP client. The reason being that if the time between the server and drones differs too much, the drones will refuse to connect with the error message "Timings found to be far off, shutting down drone".

user@server1:~$ sudo apt-get install ntp

Keep the Beeswarm server powered on and repeat the steps above (Setup Ubuntu) for each of the drones, but making sure not to repeat IP addresses. Once done with the drones, proceed to install Beeswarm.

Install Beeswarm

We begin with the server. Install the necessary prerequisites:

user@server1:~$ sudo apt-get install libffi-dev build-essential python-dev python-pip libssl-dev libxml2-dev libxslt1-dev
user@server1:~$ sudo pip install pydes --allow-external pydes --allow-unverified pydes

When you submit the second command above you will notice a warning message "pydes an externally hosted file and may be unreliable. pydes is potentially insecure and unverifiable". Unfortunately these are the current installation instructions as taken from the Beeswarm web site. You can append the option -v at the end of the command to make it more verbose and display both where the package is being downloaded from, and where it is copied to (should be /usr/local/lib/python2.7/dist-packages/).

Next we install Beeswsarm:

user@server1:~$ sudo pip install beeswarm

In our case we get an error message stating "The required version of setuptools (>=6.0.1) is not available, and can't be installed while this script is running. Please install a more recent version first, using 'easy_install -U setuptools'". And so we do exactly that, then proceed again to install Beeswarm. Note that this step can take a while to complete and produces a lot of verbose output. If it succeeds it should complete with a line that states "Successfully installed beeswarm pyzmq fs pycrypto [...]":

user@server1:~$ sudo easy_install -U setuptools
user@server1:~$ sudo pip install beeswarm

Repeat the steps above (Install Beeswarm) for each of the drones. Once done continue with configuring the Beeswarm server.

Configure Beeswarm

Perform the following steps on the server:

user@server1:~$ mkdir server_workdir
user@server1:~$ cd server_workdir
user@server1:~$ beeswarm --server --customize

You will be prompted with questions related to the SSL certificate for the Beeswarm server. Fill these out as appropriate for your environment. If unsure what information to provide, use your web browser to look at the certificate details of a web site you'd like to be similar to. For port you can either keep it as the default 5000 or set it to 443 (requires root privilege).

Next you will be prompted to enter the IP or hostname of the server. Once done it will give you the password to log into the Beeswarm admin interface. You should copy this password immediately as depending on your terminal window scrollback buffer the password may disappear off screen. Should you forget the password, one option is to delete everything in server_workdir and run "beeswarm --server --customize" again.

On each of the drones, create the following directory and change to it in preparation for upcoming steps:

user@drone1:~$ mkdir drone_workdir
user@drone1:~$ cd drone_workdir

Using a web browser on your computer, connect to the server IP through HTTPS over port 5000 (

For username enter admin, for password enter the password that you copied earlier. Once you log in you will be presented with the following screen:

Click on the +Drone menu item at the top. This will give you a URL that is only valid for 2 minutes. On one of the drones, enter the following command changing the URL below to the one that you received when you clicked on +Drone. Note that drone honeypots need to be started as root otherwise it will not be able to bind to ports that are lower than 1024, whereas drone clients can be started as an unprivileged user.

user@drone1:~/drone_workdir$ sudo beeswarm --config

If the command above fails to connect to the server, check that your URL is valid. If it still fails, go back on the Beeswarm web interface click on +Drone again to get a new URL and try entering this new one instead.

Once your drone has connected to the server, it needs to be configured. In the web interface click on Drones | Unassigned. You should see your drone appear here. Click on the blue wrench icon. If this is your first drone that you've connected, select Honeypot, then go through the list to enable and configure the services that you want to emulate. Once done click on the Generate button at the bottom.

Repeat these steps for your second drone, but configure it as a client instead of a honeypot.

Next click on the Bait button. We recommend deleting all of the default credentials and creating or keeping only those that suit your environment. Also make sure to also click on the Settings icon in the Beeswarm server menu bar to customize your setup as needed.

You should start seeing sessions between your drone clients and honeypots. Below as an example is a telnet session transcript. Follow our Tcpdump usage examples article if you wish to begin capturing session traffic:

Enable firewall

Once you've confirmed that your honeypot is working, enable a firewall on the Beeswarm server otherwise if somebody connects to its admin interface they'll be tipped off that you have deployed honeypots. Use ufw (Uncomplicated Firewall) on the Beeswarm server by entering the commands below, where <your-IP> is the IP of the system you use to access the Beeswarm web admin interface, <your-drone-IPs> is the IP addresses of your drones, and <beeswarm-server-ip> is the IP address of your Beeswarm server. If you remotely manage the Beeswarm server through SSH make sure to also add a rule allowing SSH access from your IP:

sudo ufw allow from <your-IP> to any port 5000 proto tcp
sudo ufw allow from <your-drone-IPs> to any port 5000,5712,5713 proto tcp
sudo ufw deny from any to <beeswarm-server-ip> port 5000,5712,5713 proto tcp
sudo ufw logging on
sudo ufw enable
sudo ufw status numbered

Configure unattended upgrades

When we first installed Ubuntu we selected "Install security updates automatically". To fine tune the settings, edit the following file:

user@drone1:~$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

For the configuration file above, you may wish to make the following changes. Remove the double slashes in front and change the InstallOnShutdown entry from true to false. This means it will install upgrades while the system is running instead of on shutdown:

Unattended-Upgrade::InstallOnShutdown "false";

Change the Automatic-Reboot entry from false to true so that it automatically reboots (if necessary) after an upgrade. When you set this to true, you also need to install update-notifier-common (sudo apt-get install update-notifier-common):

Unattended-Upgrade::Automatic-Reboot "true";

Next edit the file 10periodic:

user@drone1:~$ sudo nano /etc/apt/apt.conf.d/10periodic

Populate this file with the following:

APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";

The unattended upgrade logs are stored in /var/log/unattended-upgrades/. For more information on this topic see this page or review the man pages:

user@drone1:~$ man unattended-upgrade

Optional: Configure automatic startup

The steps below are a simple way to have Beeswarm start up automatically whenever the system boots up. Begin by changing to root (sudo su) and creating a script in /root called Give it 700 file permissions then populate it with the following, replacing "user" with the proper name for your user account. Alternatively you could create a separate account dedicated to run Beeswarm instead of using your user account. The entry below is for the Beeswarm server:

su - user -c "/usr/local/bin/beeswarm --server --workdir /home/user/server_workdir"

This entry is for the drone client:

su - user -c "/usr/local/bin/beeswarm --workdir /home/user/drone_workdir"

This entry is for the drone honeypot (we need to run as root - as such it would be better to have drone_workdir in /root/ but in this tutorial we keep it in /home/user for simplicity):

/usr/local/bin/beeswarm --workdir /home/user/drone_workdir

Now modify the file /etc/rc.local. The last row in this file is "exit 0". Above this row add the following line:

/root/ > /dev/null 2>&1 &

If you wish to see the usual log output of the drone which will no longer be shown on the console, you can tail the file beeswarm.log.

If you messed something up in rc.local and your Ubuntu system stays stuck upon bootup, you can recover it by rebooting again, holding the left shift key early during bootup, then selecting "Advanced options for Ubuntu" | "Recovery mode". After this select fsck (to easily mount the file system), then root (to gain a shell and make the corrections to /etc/rc.local).


To upgrade beeswarm when new versions are released:

user@server1:~$ sudo pip install --upgrade beeswarm --allow-external pydes --allow-unverified pydes

Time sync issues

If you virtualize these systems and keep them running for an extended period of time you may end up with systems that will cease connecting to the Beeswarm server because there is too much of a difference in time even though you have installed a NTP client. There are different strategies you can take for this. One is to modify /etc/ntp.conf and appending to the server entries low minpoll and maxpoll values to make your NTP client poll the NTP servers more frequently. This is what worked best for us. Below is an example. Setting both minpoll and maxpoll to 4 makes it poll every 16 seconds. Setting it to 5 make it poll every 32 seconds, setting it to 6 every 64 seconds and so on. You can use the command sudo tcpdump -nn -v port 123 to see the NTP traffic in action.

server minpoll 6 maxpoll 6

A second option is to create a regular cron job that forces an immediate instead of gradual synchronization of time:

/etc/init.d/ntp stop
/etc/init.d/ntp start

The last is to install or tweak vmware/virtualbox guest additions to manipulate time synchronization with the host.