dkindlund / honeyclient

MITRE HoneyClient Project
http://www.honeyclient.org
GNU General Public License v2.0

Firewall reports there is another host using 10.0.0.254 #207

Closed dkindlund closed 14 years ago

dkindlund commented 14 years ago

To whom it may concern, I have followed the install guide and searched the posts and have run into 2 issues.

The Firewall (v3), when it is booting and from the terminal, reports that there is another host using 10.0.0.254.

'''HOST'''
{{{
eth1      Link encap:Ethernet  HWaddr 00:18:4d:f0:8a:99
          inet addr:10.0.8.82  Bcast:10.0.8.255  Mask:255.255.255.0
          inet6 addr: fe80::218:4dff:fef0:8a99/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:295933 errors:0 dropped:0 overruns:0 frame:0
          TX packets:184575 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:388406160 (388.4 MB)  TX bytes:24218884 (24.2 MB)
          Interrupt:17 Base address:0xbc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30704 (30.7 KB)  TX bytes:30704 (30.7 KB)

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:c0:00:01
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmnet8    Link encap:Ethernet  HWaddr 00:50:56:c0:00:08
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:121 errors:0 dropped:0 overruns:0 frame:0
          TX packets:232 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
}}}

{{{
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
10.0.8.0        0.0.0.0         255.255.255.0   U     1      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth1
0.0.0.0         10.0.8.1        0.0.0.0         UG    0      0        0 eth1
}}}

{{{
allow unknown-clients;
default-lease-time 1800;   # 30 minutes
max-lease-time 7200;       # 2 hours
}}}

vmnet1
{{{
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.128 10.0.0.253;
    option broadcast-address 10.0.0.255;
    option domain-name-servers 192.168.0.2;
    option domain-name "localdomain";
    option routers 10.0.0.254;
}
}}}

'''FIREWALL'''
{{{
root@lab-desktop:/home/user/honeyclient# ssh roo@192.168.0.128
roo@192.168.0.128's password:
Last login: Thu Nov 29 11:25:43 2007
[roo@HcHWALL ~]$ su -
Password:
[root@HcHWALL ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
}}}

{{{
[root@HcHWALL ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:B5:87:44
          inet addr:192.168.0.128  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53460 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25415 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:76853425 (73.2 MiB)  TX bytes:1378123 (1.3 MiB)
          Interrupt:9 Base address:0x1080

eth1      Link encap:Ethernet  HWaddr 00:0C:29:B5:87:4E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:120 (120.0 b)  TX bytes:42 (42.0 b)
          Interrupt:10 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
}}}

{{{
[root@HcHWALL ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.0.2     0.0.0.0         UG    0      0        0 eth0
}}}

dkindlund commented 14 years ago

Author: kindlund Okay, I assume your firewall VM is connected to the vmnet1 network, as described in this diagram:

http://www.honeyclient.org/trac/attachment/wiki/Definitions/network_architecture.png

If that's the case, is there any other VM running that is also connected to vmnet1?

-- Darien

dkindlund commented 14 years ago

Author: lab8@ymail.com The first NIC (eth0) is connected to vmnet8 and the second NIC (eth1) is set to host-only, so that would be vmnet1. There is no other virtual machine running.

Thank you for responding; I have been so frustrated trying to get this to work. I am attempting to get this to work for my college Linux class final project.

Brendan

dkindlund commented 14 years ago

Author: kindlund Inside the firewall VM, as root, try issuing: "ifup eth1" and see if that assigns eth1 the address of 10.0.0.254. If that doesn't work, then I'm going to need a screenshot of the original error message where it said "another host is using 10.0.0.254", as I need to identify which daemon generated the error message.

-- Darien

dkindlund commented 14 years ago

Author: lab8@ymail.com
{{{
[root@HcHWALL ~]# ifup eth1
Error, some other host already uses address 10.0.0.254.
[root@HcHWALL ~]#
}}}

dkindlund commented 14 years ago

Author: kindlund I'm not sure why it thinks another host is using address 10.0.0.254. To troubleshoot, you'll probably want to issue the following commands on the host AND inside the firewall VM:

{{{
ping 10.0.0.254
arp -a
}}}

With eth1 in the firewall VM down, see if 10.0.0.254 is pingable. Then, look for any entries that resolve to 10.0.0.254. Specifically, see if there are any MAC addresses that resolve to that IP address. Then, cross-reference the MAC address with any physical/virtual NIC you have to identify possible culprits.

If you can paste the output of these two commands to this ticket, I may be able to provide further troubleshooting.

-- Darien

dkindlund commented 14 years ago

Author: lab8@ymail.com
{{{
root@lab-desktop:~# ping 10.0.0.254
PING 10.0.0.254 (10.0.0.254) 56(84) bytes of data.
^C
--- 10.0.0.254 ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11025ms

root@lab-desktop:~# arp -a
? (10.0.8.196) at 00:1c:c0:33:06:90 [ether] on eth1
? (192.168.0.128) at 00:0c:29:b5:87:44 [ether] on vmnet8
? (10.0.0.254) at 00:50:56:f3:c5:e4 [ether] on vmnet1
Base-Station-335f51.local (10.0.8.1) at 00:16:cb:c2:8a:c3 [ether] on eth1
root@lab-desktop:~#
}}}

dkindlund commented 14 years ago

Author: kindlund Okay, so those commands were run from your host system, right? Can you also run the same command from inside the firewall VM?

Here's the key piece of data:
{{{
? (10.0.0.254) at 00:50:56:f3:c5:e4 [ether] on vmnet1
}}}

This means that somewhere on your vmnet1 network, there is a NIC with the MAC address of 00:50:56:f3:c5:e4 that already has the IP address of 10.0.0.254. Can you cross-reference ALL of your physical and virtual NICs to see if any of them have the MAC address of 00:50:56:f3:c5:e4?

From the 00:50:56 prefix, it looks like this NIC may be a VMware virtual NIC, but it doesn't look like any of the NICs you've mentioned.

-- Darien
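The cross-referencing step Darien describes in the two comments above (find the MAC that answers for the address, then check it against every physical and virtual NIC you own and look at its OUI), written out as a script. This is an added example for this page, not code from the honeyclient project. The `ifup` message quoted earlier is what the Red Hat-style network scripts print when their `arping -D` duplicate-address check gets a reply, so the MAC in the ARP table is the thing to chase. The two embedded inputs are copied from the `ifconfig` and `arp -a` outputs posted in this thread; the OUI list is the set of prefixes VMware assigns to virtual NICs. A MAC that holds the address but matches none of your own interfaces is either a leftover virtual NIC (as turned out to be the case here) or, on a shared network, something to treat as a possible ARP spoof of your gateway address.

```shell
#!/bin/sh
# Added example, not code from the honeyclient project: cross-reference the
# MAC that answers for an IP (from `arp -a`) against the MACs of every NIC
# you own, and classify its OUI so a stray VMware virtual NIC stands out.

# Sample input copied from the thread: HWaddr of every NIC on the host
# (eth1, vmnet1, vmnet8) and in the firewall VM (eth0, eth1), one per line.
KNOWN_MACS='00:18:4d:f0:8a:99
00:50:56:c0:00:01
00:50:56:c0:00:08
00:0C:29:B5:87:44
00:0C:29:B5:87:4E'

# Sample input copied from the `arp -a` output posted for the host.
ARP_OUTPUT='? (10.0.8.196) at 00:1c:c0:33:06:90 [ether] on eth1
? (192.168.0.128) at 00:0c:29:b5:87:44 [ether] on vmnet8
? (10.0.0.254) at 00:50:56:f3:c5:e4 [ether] on vmnet1
Base-Station-335f51.local (10.0.8.1) at 00:16:cb:c2:8a:c3 [ether] on eth1'

# Print (lower-cased) the MAC that `arp -a` text on stdin lists for IP $1,
# or nothing if there is no entry.  `arp -a` lines look like:
#   ? (10.0.0.254) at 00:50:56:f3:c5:e4 [ether] on vmnet1
arp_mac_for() {
    awk -v ip="($1)" '$2 == ip && $3 == "at" { print tolower($4); exit }'
}

# Classify the OUI (first three octets) of MAC $1.  The listed prefixes are
# the ones VMware uses for virtual NICs; anything else is reported as "other".
oui_class() {
    case "$(printf '%s' "$1" | cut -c1-8 | tr 'A-Z' 'a-z')" in
        00:50:56|00:0c:29|00:05:69|00:1c:14) echo vmware-virtual ;;
        *) echo other ;;
    esac
}

# check_conflict IP ARP_TEXT KNOWN_MACS
# Prints one of:
#   none                       no ARP entry for IP (nothing else claims it)
#   self <mac>                 the entry is one of our own NICs
#   foreign <mac> <oui-class>  another station holds IP: the culprit to chase
check_conflict() {
    ip=$1; arp_text=$2; known=$3
    mac=$(printf '%s\n' "$arp_text" | arp_mac_for "$ip")
    if [ -z "$mac" ]; then
        echo none
    elif printf '%s\n' "$known" | grep -qixF -- "$mac"; then
        echo "self $mac"
    else
        echo "foreign $mac $(oui_class "$mac")"
    fi
}

# The address the firewall VM could not bring up on eth1:
check_conflict 10.0.0.254 "$ARP_OUTPUT" "$KNOWN_MACS"
# -> foreign 00:50:56:f3:c5:e4 vmware-virtual
```

On a live system, replace the two embedded strings with the real `arp -a` output and the HWaddr lines from `ifconfig` on the host and inside every VM (run `arp -a` in the VM too, as the thread asks, since the guest's ARP table can differ from the host's). Bring the interface down first, as in the troubleshooting steps, so that the VM's own NIC cannot answer for the address and confuse the result.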

dkindlund commented 14 years ago

Author: lab8@ymail.com Is this how vmnet8 should look?

{{{
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.128 192.168.0.254;
    option broadcast-address 192.168.0.255;
    option domain-name-servers 192.168.0.2;
    option domain-name "localdomain";
    option routers 192.168.0.1;
}
}}}

dkindlund commented 14 years ago

Author: kindlund Yeah, that looks right.

dkindlund commented 14 years ago

Author: lab8@ymail.com I checked both the host and the firewall and there is no MAC address that matches 00:50:56:f3:c5:e4. I also checked all of my other devices. It does look like a vmnet MAC. I am bewildered as to what could be causing it. If I do have to start over, is there a preferred distro? I am very familiar with Ubuntu, and somewhat with Debian, Red Hat and Fedora. I know it says Gentoo in the user guide; which distro? It would be nice not to have to start over, although it won't take as long this time.

dkindlund commented 14 years ago

Author: lab8@ymail.com Well, I am starting over again from scratch. I was hoping you could clarify for me whether it is normal to have to force install Bundle::HoneyClient::Manager. How about some of the other Bundles or packages? That's what I have to do to get it to install all the way.

Thank you for your support. I was about to pull my hair out and I was bummed (I am not an expert at Linux or coding), and I have been attempting to get your awesome project up and running for 6 weeks (while attending college).

Sincerely, Brendan Ferris

dkindlund commented 14 years ago

Author: kindlund No problem. Yes, it's possible you'll have to force install the Bundle::HoneyClient::* packages. Keep in mind that these bundles just refer to versions of publicly available libraries that have been packaged together for ease of installation.

That said, if you have any problems with the bundles, you should be able to manually install each sub-library from any remote CPAN repository and obtain a newer (perhaps better working) version of the sub-library.

-- Darien

dkindlund commented 14 years ago

Author: anonymous I had the same problem on openSUSE 10.2, with the same results from arp -a and ping. "/etc/init.d/vmware restart" fixed it. I had VMware Workstation installed before setting up honeyclient; maybe part of VMware didn't close completely?